Secret Service probes possible data-leak hack attack at Sears – report The US Secret Service is helping to hunt for evidence of a possible computer security breach at retail giant Sears, it was claimed today. Bloomberg cited sources familiar with the matter in reporting that the company was working with Uncle Sam's g-men and digital forensics experts at Verizon to probe a possible network …
They should be but are not. Security in most corporations is crap at best. I retired from the DOD to the corporate world and was shocked a bit at first at the lack of security, remediation, and enforcement. Now I just keep all the emails from the management that tell me to ignore X and go about being an BOFH.
In the early days (years ago) a single identity was worth about $300. Now it's about $60. (see latest El Reg articles)
But when you steal a few a million, you still make a few a million.
As for how it's done, that's a good question. With few exceptions, most cash registers are in constant connection with the mothership with maybe a quick stop to the in-store back room servers first.
Often that in-building communication line is wide open or lightly encrypted wifi or easily accessed CAT 5/6. Then there are the VERY underpaid/overworked disgruntled ex employees, who see their store making profit every year, but also see no one getting raises. Then there is the constant external attacks that now saturate the Internet every second. Or the IT guy who is also overworked and underpaid. (wages are falling for the average tech worker and have been for years)
Retail is a notoriously poorly paid industry. Many companies have yet to learn there are consequences for underpaying your employees. Thanks to the modern wonders of the Internetz, they are learning the lesson faster than before from either bad publicity or big hacks. (well, I wouldn't say they are learning, but they are experiencing the consequences)
That's a really good high level description of the average retail store!
The only things I could add would be that modern mega-retail stores (in the US anyway) are just vast, endless spaces that would have been considered high end warehousing facilities until the late 1980's. I firmly believe that you could hide a substantial military force inside some of the stores and the only clue would be when candy bar and beer inventory velocity at that store spiked to 9000% above average.
My point, is that US retail has almost no actual security measures in place. Doubly so for the giant stores. As you say, you can't exactly expect top notch security, or even general awareness/wariness, from people you're treating like disposable products. Even if measures were put in place, how do you secure a Target or Wal-Mart SuperStore when up to 45 vendors can come through in a single 24 hour period and all have stockroom access as part of their contracts and who can't be forced to carry anything but an ID card and about 132% of the people who work on vendor 'set teams' never even saw an ID card with their name or picture on it.
It's just a really, really big, loose environment with nobody in control and no way to even institute those measures. US retail runs completely on the shoulders of vendor set teams and the details were set in stone years ago. Nobody is going to accept change, because they don't have to. Nobody in that space has any latitude for adjusting things. Normally, it's a perfect situation for consumers because all the actual money making in retail is done in the warehouse and logistics. Vendors, logistics companies and retailers are just beating the shit out of each other. All the customer sees are lower prices.
It'll be interesting to see how far the consumer will go with the current situation. They're the only ones who can change any of it, but they'll have to pay for it.
Thanks Don.
I also forgot one very important thing and you just reminded me: vendors.
Or more specifically, the PoS repair guy who is paid by the job, not the hour or salary, has to travel across town all day in his own vehicle and is NOT on the retail payroll and doesn't make squat from his weakly paycheck. (yes, I spelled that right) And paperwork out the wazzoo.
That's probably how it's done these days.
When I first looked into this as a job about 8 years ago, the going rate for on site repair was about $40 per job. No pay for going to the UPS/FedEX and shipping the bad parts back or picking up new parts. No guaranteed min number of jobs per day or week. But I signed on anyway but I really needed jobs.
I received not ONE single dispatch in 2 weeks. That was the end of that.
"The chain has since been forced to offer free fraud monitoring services to its customers, "
It has? Because my bank announced it was giving me a new card as I had been identified as one of those affected and I've not had anyone from Target or a credit monitoring service try and contact me.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
