Posh POS was Compromised

A headline worthy of The Register and I’m surprised they didn’t grab it. So what POS was compromised? Well, none other than Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor. These are all shops under the Hudson’s Bay Company (HBC) group, and they confirmed this in a post on their site on the 1st April. But it was no April Fool joke.

Basically, the evildoers implanted malicious software on the Point of Sale (POS) terminals in the upmarket stores in the USA. For nearly a year (between May 2017 and March 2018) this malware was capturing customers’ credit/debit card details and passing them back to the bad guys. The crooks claimed to have gathered up to 5 million cards as a result of this hack, and they have been selling off batches of them on the internet.

We are quite familiar with Chip & PIN usage in Ireland as we have had it for quite some time. This does offer a great deal of protection, as your card information is stored in an encrypted form on the chip. However, in the US they are only at the early stages of rolling out Chip & PIN, so most people are still swiping their cards at the terminals. The magnetic stripes that are swiped do not have the data encrypted, so the information can be read and passed on quite easily.

It’s not been revealed how the malicious software got onto their POS terminals, but it seems that the POS was compromised at all of their bricks and mortar stores in the US. Their online store was not affected.

Credit card issuers are usually fairly good at detecting fraud by knowing their customers’ usual buying habits. So if somebody who usually spends €20-€50 on shopping items suddenly attempts to buy high-end phones, tablets or televisions, this should trigger an alert. However, for the customers of Saks or Lord & Taylor, such behaviour is much less likely to trigger an alert. So the crooks might be able to make off with a lot of goodies as a result.
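To make the point concrete, here is an added example (not code from the original post or from any card issuer) of the kind of per-cardholder baseline an issuer’s fraud engine applies at authorisation time. The transaction history, card ids and thresholds are all constructed for illustration; the scoring rule is a simple one (how many standard deviations the new amount sits above the card’s usual spend, plus whether the merchant category is new for that card), chosen to show why the same €1,199 electronics purchase fires for a grocery-level spender and sails through for a regular luxury shopper.

```python
"""Constructed example: a per-cardholder spending baseline used to flag
out-of-pattern authorisations. Not the original post's code."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed authorisation history: (card_id, merchant_category, amount_eur).
# card-A is a typical €20-€50 shopper; card-B is a regular luxury-store customer.
HISTORY = [
    ("card-A", "grocery", 24.50), ("card-A", "grocery", 31.20),
    ("card-A", "pharmacy", 18.00), ("card-A", "grocery", 42.75),
    ("card-A", "clothing", 49.99), ("card-A", "grocery", 27.30),
    ("card-B", "luxury_retail", 850.00), ("card-B", "luxury_retail", 1240.00),
    ("card-B", "restaurant", 310.00), ("card-B", "luxury_retail", 2100.00),
    ("card-B", "electronics", 999.00), ("card-B", "luxury_retail", 1575.00),
]


def build_profiles(history):
    """Per-card mean, population standard deviation and categories seen."""
    amounts = defaultdict(list)
    categories = defaultdict(set)
    for card, category, amount in history:
        amounts[card].append(amount)
        categories[card].add(category)
    return {
        card: {
            "mean": mean(vals),
            "stdev": pstdev(vals),
            "categories": categories[card],
        }
        for card, vals in amounts.items()
    }


def score_authorisation(profiles, card, category, amount, z_limit=3.0):
    """Return (flagged, reasons) for a new authorisation.

    Flag when the amount is more than z_limit standard deviations above the
    card's mean AND the merchant category is new for the card, or when the
    amount is extreme (more than 2 * z_limit) regardless of category.
    """
    profile = profiles.get(card)
    if profile is None:
        return True, ["no history for card"]
    reasons = []
    # Floor the spread so a card with a flat history still gets a usable scale.
    spread = profile["stdev"] or max(profile["mean"] * 0.25, 1.0)
    z = (amount - profile["mean"]) / spread
    new_category = category not in profile["categories"]
    if z > z_limit:
        reasons.append(
            f"amount {amount:.2f} is {z:.1f} sd above mean {profile['mean']:.2f}"
        )
    if new_category:
        reasons.append(f"category {category!r} never seen for this card")
    flagged = (z > z_limit and new_category) or z > 2 * z_limit
    return flagged, reasons


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    # The same high-end phone purchase, attempted on both cards.
    for card in ("card-A", "card-B"):
        flagged, reasons = score_authorisation(profiles, card, "electronics", 1199.00)
        print(card, "FLAGGED" if flagged else "ok", reasons)
```

Run as a script it reports card-A as flagged (the amount is dozens of standard deviations above a €32 mean, in a category the card has never used) and card-B as ok (€1,199 is close to that card’s mean and electronics is already in its history), which is exactly the gap the post describes: stolen luxury-store cards look normal when spent on luxury goods.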

The parent group, HBC, needs to put in place better segmentation and monitoring on their network, so that if one store gets compromised, the malicious software cannot easily find its way to another store. They should also apply Commandments 1 (automatic updates), 2 (anti-virus), 3 (firewall) and 9 (control use of USB sticks) to their POS network.
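As an added illustration of what “segmentation and monitoring” means in practice (this is example code written for this page, not HBC’s or anyone else’s configuration), the block below checks flow records from a POS network against a simple segmentation policy: each store’s POS subnet may talk only to the central payment gateway on HTTPS, and anything else (a terminal reaching another terminal, another store, or an outside host) is raised as an alert. The subnets, addresses and flow lines are all constructed; a real deployment would feed it from a firewall or NetFlow export.

```python
"""Constructed example: checking POS network flows against a segmentation
policy. Not the original post's code; addressing plan is assumed."""
import ipaddress

# Assumed (constructed) addressing plan: one /24 per store, gateway on its own /24.
STORE_SUBNETS = {
    "store-nyc": ipaddress.ip_network("10.10.1.0/24"),
    "store-bos": ipaddress.ip_network("10.10.2.0/24"),
}
PAYMENT_GATEWAY = ipaddress.ip_network("10.200.0.0/24")
ALLOWED_GATEWAY_PORTS = {443}

# Constructed flow records in the form "src dst dport proto".
FLOWS = """\
10.10.1.25 10.200.0.10 443 tcp
10.10.1.25 10.10.2.40 445 tcp
10.10.1.25 10.10.1.26 445 tcp
10.10.2.40 10.200.0.10 443 tcp
10.10.2.40 203.0.113.9 443 tcp
""".splitlines()


def zone_of(ip):
    """Map an address to 'gateway', a store name, or 'external'."""
    addr = ipaddress.ip_address(ip)
    if addr in PAYMENT_GATEWAY:
        return "gateway"
    for name, net in STORE_SUBNETS.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line):
    src, dst, dport, proto = line.split()
    return {"src": src, "dst": dst, "dport": int(dport), "proto": proto}


def evaluate_flow(flow):
    """Return (verdict, reason). Only POS -> gateway on an allowed port is 'allow'."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    port = flow["dport"]
    if not src_zone.startswith("store-"):
        return "review", f"non-POS source zone {src_zone}"
    if dst_zone == "gateway":
        if port in ALLOWED_GATEWAY_PORTS:
            return "allow", f"{src_zone} -> gateway on {port}"
        return "alert", f"{src_zone} -> gateway on unexpected port {port}"
    if dst_zone == src_zone:
        return "alert", f"POS-to-POS traffic inside {src_zone} on port {port}"
    if dst_zone.startswith("store-"):
        return "alert", f"cross-store traffic {src_zone} -> {dst_zone} on port {port}"
    return "alert", f"{src_zone} -> external host {flow['dst']} on port {port}"


def find_violations(lines):
    """Return the (flow, reason) pairs whose verdict is 'alert'."""
    violations = []
    for flow in map(parse_flow, lines):
        verdict, reason = evaluate_flow(flow)
        if verdict == "alert":
            violations.append((flow, reason))
    return violations


if __name__ == "__main__":
    for flow, reason in find_violations(FLOWS):
        print(f"ALERT {flow['src']} -> {flow['dst']}:{flow['dport']}  {reason}")
```

Of the five constructed flows, the two gateway connections pass and three are flagged: the terminal reaching a terminal in the other store, the terminal reaching its neighbour on the same subnet, and the terminal talking directly to an internet host. The same policy, expressed as firewall rules between the store VLANs and the gateway, is what stops the first two from ever completing; the monitoring is what tells you when someone tries.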