Ads by TechWords

See your link here
Receive the latest technology news and information.
Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
Cloud Computing
View all newsletters




Privacy Policy
 

Data breaches start at the gas station, analyst says

And you thought the Internet was a sketchy venue for commerce

June 26, 2007 12:00 PM ET

Using a credit card at a gas station could pose more of a risk for data theft than shopping online. Point-of-sale terminals have emerged as a weak link in the security chain, according to a Gartner Inc. analyst.

When a card is swiped, point-of-sale (POS) terminals often collect and store the data held in the magnetic stripe on the back of a credit card, said Avivah Litan, a Gartner vice president and distinguished analyst. Retailers are often unaware that their POS applications collect so much information.

In the hands of sophisticated hackers and counterfeiters, the data collected from the magnetic stripe is enough to create a replica card. "It's almost more dangerous to go to the gas station than it is online," Litan said at Gartner's Identity and Access Management Summit in London on Monday. "The data is just sitting there. No one even thought about what data is on a POS controller."

Retailers' network configurations are partly to blame. Many are using the Internet to transmit data in place of dial-up networks, and many have incorporated wireless access points into their networks using WEP (Wired Equivalent Privacy), Litan said, which is not considered a strong form of encryption.

Hackers lurk in parking lots looking for weak networks to penetrate. Since the POS terminals are linked via IP, once a hacker has accessed a network they can try out neighboring IP addresses until they locate a store of data, Litan said.

Data breaches that occur offline are common. Of 160 breaches investigated for one major credit card brand, 128 took place in the brick-and-mortar world where the card was physically present for the transaction, rather than being used online or over the telephone, according to Gartner.

To strengthen security, card brands such as Visa and MasterCard are pressuring retailers to comply with the Payment Card Industry (PCI) Data Security Standard, a code of best practices created by the card industry. The standard forbids the storing of magnetic stripe data on POS terminals, and Visa plans to start fining retailers in the coming months if they don't comply, according to Gartner.

Implementing security is cheaper in the long run than having a data breach, which can be expensive and hurt a company's reputation. Gartner calculates that a data breach costs companies around $300 per exposed account because of investigations, fines and lawsuits. On the other hand, beefing up security costs around $16 per account for the first year, and that cost falls over time, according to Litan.

The short-term forecast for POS security doesn't look great, however. Gartner predicts that by next year, most attacks against retailers will be directed at their POS terminals, and only 30% of POS software will be compliant with the prevailing security standards by 2009.

Jump to comments

credit card

Additional Resources

Xerox
By using solid ink technology only from Xerox, you could save up to 65% by printing color for the cost of black and white. Enter for a chance to WIN a PhaserTM 8860 network color printer!
Microsoft
Save time and mitigate security risk. Deploy it now.
Sybase
In this white paper, IDC analyzes the role of next-generation mobile enterprise platforms as organizations seek a more strategic deployment of mobile solutions.

Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.

What People Are Saying

White Papers & Webcasts

Share our Strength
Download Now  

Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...

Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.

Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...