The Reality Of Retail Data Breaches
The Market Ticker - Commentary on The Capital Markets

2014-01-13 08:23 by Karl Denninger
in Editorial, 174 references

Gee, it wasn't just Target?  

Upscale retailer Neiman Marcus isn't yet saying how many customers might be at risk, but it is confirming that a breach of credit card data took place. The company says it learned of "potentially unauthorized payment card activity" before Christmas. The company says it is working with federal investigators, and a forensics team is trying to determine the size of the breach.

It's not just Neiman Marcus either.  It's a bunch of other retailers as well.

Are you awake yet Boobus Americanus?  

Oh, they want your email -- and surface address eh?  Uh, why?  Target often asks to scan your driver license.  Why?  Why do you allow companies to have this data?  Nothing you ever give a company is discarded; it is always kept and your base assumption should be that it is never secure.

I walked out of Target the last time they asked to scan my driver license.  I don't give a damn why they think they want it, the answer is no.

That's the lesson folks.  You give this away and you will get reamed by it.  Maybe it's sold and maybe it's stolen, but the bottom line is that the more you give them the more value it has to them -- and to anyone who wants to steal it.

For that you get...... what, exactly?

Nothing.

There isn't any valid reason for them to keep credit card numbers either.  Oh sure, if you have a return they have to put the amount back on your card.  That's nice, you still have the card.  All they need to keep for that purpose is the last four digits (which include the check digit) along with your receipt serial number, and you need to keep the receipt.  You possess the card bearing those same four digits and you can swipe it again to get the refund.  Don't got the card with you?  Fine, come back with it or you get store credit.  Period.  Now I can't get anything if I steal their POS logfile. Oh, that's nice, some jackwad bought a case of Pampers on receipt number 20302-4565767 and used a card with the last four digits of 4567. I got no name, no email address, no physical address and no card number. That's worth zero to a thief but it's plenty for the store to handle returns.

You know, back in the 1990s I worked for an outfit that did this sort of "in your face" marketing thing. These guys.  Remember them?

I remember the entire crew -- real well, including the Haaarrrrvaaard types.  That's not to say that I didn't like and respect some of them, most-particularly Malec, the CEO.  I also remember the work. And the product. And, the behind-the-scenes and rarely-mentioned (anywhere) whispered ideas about how profitable the data would be. Advertising, schmadvertising. Yeah, that was the bread-n-butter, but the gold mine that everyone hoped was down there in the ground somewhere was the idea that the company could personally link you to every single item in your shopping cart. In the grocery store. Gee, who would want that data? The better question is who wouldn't want it.

That future came, but VideOcart didn't get any of it, as they went under first. They drowned in the overhead cost of sticking a computer display on the handle, the theft and vandalism that happens to shopping carts, the fact that minimum-wage workers were not all that interested in making sure the carts were charged (and a dead battery cart was one that carried no advertising of course) along with revenues just not coming in the door fast enough to make up for the arterial bleed-out on the P&L.

Here's the thing though -- the firm never carried around people's personal information. It wasn't that they didn't want to, you understand -- they most-certainly did.  It's that they didn't have it.  If the company had survived it was headed that way, as there were prototypes of the on-cart display containing a cardreader.  Gee, you don't say.

This sort of data breach also leads me to ask -- what are they running in these stores?  Anyone care to bet on it being a commodity operating system and not something custom-built and maintained by their IT department?  Uh, yeah.  And exactly why is that done?  Is trying to leverage that sort of system into a high-security environment wise?  It would appear not, eh?

It would have been pretty hard to load "malware" onto the old ICS Datachecker systems, mostly because it wasn't one of those commodity-based systems.  And I'm not so sure how easy it would be on the IBM 4680s either, given that the terminals (and store controller) ran a somewhat-screwball Concurrent-DOS (yes, really!) and the follow-on (4690) was not-very-open either.  However, later revs did support Java (oops) which has a rather colorful history of being, well, maybe a bit too "open."

These days store POS systems are often layered on top of commodity operating systems.  Blue screen of death anyone?  Oh, and viruses too.  Yes, viruses.

One of the key issues is of course how all of these things talk to each other and what sort of trust relationships exist between devices.  And there you have more problems, because retailers are notoriously cheap.  Dedicated leased lines to headquarters for data that should never get out of their hands with crypto on both ends and the key space loaded via a non-writeable device that is locked in a safe once the unit boots?  Not a prayer in Hell.  Even a dedicated VPN running something like IPSEC/IKEv2, on their own private CA and keying, with absolutely all traffic to and from each store going over it to and through corporate with utterly no outside connectivity otherwise, and therefore extremely secure? Yeah, right. Cryptographic checksums on every single executable and configuration file across the network and in the store, with the checksum store and crypto code on non-writeable media (can't change it!) -- and anything that fails has its key revoked for corporate network access instantly, thereby immediately isolating anything that gets contaminated and forcing investigation and resolution?  Dream on.
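The integrity-check-and-isolate policy sketched above, as an added example rather than anything the article or any retailer actually runs: a SHA-256 manifest of every executable and configuration file is built once (in production that manifest would be written to the read-only media the text describes), each check compares the live tree against it, and any modified, missing or unlisted file revokes that store's network access immediately. The store tree, file names and store id are constructed in a temporary directory for the example.

```python
# Added example: file-integrity manifest plus "fail means revoke" policy.
# Store id, file names and contents are constructed; nothing here is a real
# retailer's layout.
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root: str, manifest: dict) -> dict:
    """Compare the live tree to the manifest and report every discrepancy."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def gate_store(store_id: str, findings: dict, allowed: set) -> bool:
    """Policy from the text: any failure revokes corporate network access at once."""
    if any(findings.values()):
        allowed.discard(store_id)
        return False
    return True


def demo() -> tuple:
    """Baseline a constructed store tree, tamper with it, re-check, apply policy."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "pos.exe"), "wb") as f:
            f.write(b"\x4d\x5a constructed POS binary")
        with open(os.path.join(root, "pos.conf"), "w") as f:
            f.write("lane=1\nhost=corp-gateway\n")

        manifest = build_manifest(root)          # would live on read-only media
        allowed = {"store-0042"}                  # stores currently permitted on the VPN

        ok_before = gate_store("store-0042", verify_manifest(root, manifest), allowed)

        # Simulate contamination: binary altered, unlisted file appears.
        with open(os.path.join(root, "bin", "pos.exe"), "ab") as f:
            f.write(b"\x00 extra bytes")
        with open(os.path.join(root, "unlisted.dll"), "wb") as f:
            f.write(b"not in manifest")

        findings = verify_manifest(root, manifest)
        ok_after = gate_store("store-0042", findings, allowed)
        return ok_before, ok_after, findings, sorted(allowed)


if __name__ == "__main__":
    before, after, findings, allowed = demo()
    print("clean check passed:", before)
    print("after tamper passed:", after)
    print("findings:", findings)
    print("stores still allowed:", allowed)
```

The check is only as trustworthy as the manifest and the code performing it, which is exactly why the text wants both on media the store cannot write to; a manifest on the same writable disk as the binaries can simply be updated alongside them.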

See, all this stuff costs money. And it's damned annoying when your store gets isolated and can't run credit cards, or worse, when corporate does and suddenly the entire network goes offline as a consequence of some Chineesium hack job. 

And after all, everyone says "we use industry-standard SSL" and that's good enough because by God, if the industry uses it then it must be good. Yes, and?

I have several hundred attempted break-ins to my systems every single day.  Most of them are no more complicated than an attempt to guess a privileged-account password, and my systems are configured to exponentially back off the time between attempts, never mind that you can't log in directly to privileged accounts around here.  And that's just little old me, running a blog.  Yeah, I have a crap-ton of data on the systems here, but there are no credit card numbers or similar things on my machines.  That doesn't stop the Chineesiums and Russkies (and the various "loosely affiliated" crooks) from trying to break in and steal everything I have.
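The two controls described in that paragraph, exponential back-off between failed attempts and no direct login to privileged accounts, as an added example that is not the author's own configuration: a small throttle keyed on account and source address doubles the wait after every consecutive failure and refuses privileged account names outright. The account names, source addresses and the sequence of attempts are constructed.

```python
# Added example: login throttle with exponential back-off and a hard refusal
# of direct privileged logins. Account names and addresses are constructed.

PRIVILEGED = {"root", "admin"}          # assumption: names never allowed to log in directly


class LoginThrottle:
    def __init__(self, base_delay: float = 1.0, max_delay: float = 3600.0):
        self.base = base_delay
        self.max = max_delay
        self.failures = {}        # (account, source) -> consecutive failures
        self.locked_until = {}    # (account, source) -> time the lock expires

    def check(self, account: str, source: str, now: float) -> tuple:
        """Return (allowed, seconds_to_wait). Privileged names are always refused."""
        if account in PRIVILEGED:
            return False, None
        until = self.locked_until.get((account, source), 0.0)
        if now < until:
            return False, until - now
        return True, 0.0

    def report(self, account: str, source: str, success: bool, now: float) -> float:
        """Record the outcome; return the lock-out delay imposed (0 on success)."""
        key = (account, source)
        if success:
            self.failures.pop(key, None)
            self.locked_until.pop(key, None)
            return 0.0
        n = self.failures.get(key, 0) + 1
        self.failures[key] = n
        delay = min(self.base * (2 ** (n - 1)), self.max)   # 1, 2, 4, 8, ... seconds
        self.locked_until[key] = now + delay
        return delay


def simulate(events) -> list:
    """Run constructed (time, account, source, password_ok) events through the throttle.
    Each result is 'refused', 'locked', 'failed' or 'ok'."""
    t = LoginThrottle()
    out = []
    for now, account, source, password_ok in events:
        allowed, _ = t.check(account, source, now)
        if not allowed:
            out.append("refused" if account in PRIVILEGED else "locked")
            continue
        t.report(account, source, password_ok, now)
        out.append("ok" if password_ok else "failed")
    return out


if __name__ == "__main__":
    events = [                        # constructed attempt sequence
        (0.0, "root", "203.0.113.9", True),    # refused regardless of password
        (0.0, "karl", "203.0.113.9", False),   # lock 1 s
        (0.5, "karl", "203.0.113.9", False),   # still locked
        (1.0, "karl", "203.0.113.9", False),   # lock 2 s
        (2.0, "karl", "203.0.113.9", False),   # still locked
        (3.0, "karl", "203.0.113.9", True),    # lock expired, correct password
    ]
    print(simulate(events))
```

Keying on account and source together means one guesser slows itself down without locking the legitimate user out from a different address; pair it with a per-account cap if distributed guessing is the concern.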

See that big flaming middle-finger I'm erecting, China?  It's pointed at you.

Security is a process, not a product.  And if you think these guys are rocket scientists, let me remind you that our so-called "spookworks" like to claim that too, but the fact of the matter is that we now know for a fact that the majority of their so-called "wins" are in fact cheats.

Well?

Look, it begins with you folks.  Every single one of you, because the fact of the matter is that these companies are too stupid in the executive suite to know that they don't get it and don't have the expertise to get it.  They don't want to acquire it and they definitely don't want to pay for it.  Proof of this is that my phone, and those of others like me who do get it, isn't ringing off the hook except after these guys get their database stolen, that gets out in the public eye and you get fucked.

Period.

No, that retailer does not need your personal information.  No, they may not scan your driver license. Yes, they may look to see if you're 21 if you're buying beer, but no, they may not record anything off it. No, they may not have your email address -- or your physical address.

Stop being stupid, America. Stop believing that American corporations give a shit about your personal data security. They are interested in selling you things, period. They are interested in spending as little as possible themselves. They are interested in as much information as you are willing to give them and they will do whatever is most-profitable for them with it, period.  If it gets stolen, and they get caught, you can join some class-action lawsuit if you wish, but you'll get pennies while the harm done to you will be in the hundreds or thousands of dollars.  

You are the damned product, America, and you are being diced, sliced, packaged and sold along with frequently being fucked over, often behind your back, and until you put your foot down and demand it stop -- it won't.

And that, my friends, is a fact.