

Retail Data Breach Victim Rolls Back The Tech Clock

Written by Evan Schuman
October 21st, 2009
One of the longstanding problems with retail security is that the best advice for retailers comes from experts in the field. And those people often work for the vendors that sell security products and services. Retail, therefore, has developed a culture of handling security problems by purchasing more security products to layer on top of what they already have in place.

But one retail data breach victim this month took the opposite approach. The Colorado liquor store had its payment records stolen via the Internet. The breach impacted dozens of banks and an untold number of consumers (police were quoted in one local newspaper as saying the breach impacted "thousands" of customers). Once its breach was discovered on October 5, the Cheers Liquor Mart (which bills itself as the largest liquor store in southern Colorado) went back in technological time. It completely cut off its card processing system from its POS and brought out from storage its old dial-up mechanism for connecting to the processor. The delay customers experienced was not noticeable, and the security—when compared with the breached modern system—was ironclad.




4 Comments

  1. Chris Says:

    I swear I’d do my best to initiate the comeback of the Carrier Pigeon if I knew it would do any better for network security :-)

  2. Steve Sommers Says:

    I question whether rolling back to dial up terminals is really more secure? Yes, it is a quick fix that will most likely close the current breach vector but it does bring back its own set of risks. I’m not aware of any dial up terminal that supports encrypting the data as it is sent to the modem. I’m also not aware of any processor “dial up” spec that supports encryption. While the card brands and PCI have added loopholes for unencrypted dial up traffic, there is a big grey area if the merchant uses a VoIP phone solution – in which case you might be introducing unencrypted traffic on a public network.

  3. Kiril Alexiev Says:

    Merchant payment technologies have become very sophisticated and allow various networks or products to link seamlessly so that users can benefit from straight-through processing. But integration of various products and networks poses a unique problem: are these linkages done right and are there vulnerable points that are outside the security mechanisms of each component. PCI represents one attempt to standardize security procedures for payments but standardization cannot catch all weak points. Thus sometimes rolling back in time can help merchants avoid what Cheers Liquor Mart experienced. A better solution would be to have an IT security technician on staff and mandate annual security audits to look for ways to troubleshoot or improve the end to end security of an integrated system. Or said in other words: using a typewriter to avoid computer viruses on your word processing equipment is not a long term solution in the century of automation …

  4. Michael Cherry Says:

    Excellent article. The Retail IT Community (my community) got ahead of itself and new safer solutions are needed. My community did a better job when we designed wholesale banking and brokerage electronic funds transfer systems (EFTS).

    Michael Cherry
    Cherry Biometrics Inc.
