Would you like a side of stolen credit card data with your Blizzard? It's the flavor of the month, apparently, as Dairy Queen announces that it, too, has been compromised by Backoff point-of-sale (POS) malware. Having risen to infamy after the massive Target breach last year, Backoff continues to pop up on systems across the country — the Dairy Queen breach of nearly 400 locations includes stolen names, card information and expiration dates. What can companies learn from DQ's malware brain freeze?
Saw It Coming
According to The Wall Street Journal, there was talk of a DQ breach way back in August. The company denied any compromise but said it would investigate the issue; now, it admits that compromised account credentials from a third-party vendor were responsible for infecting its POS systems with Backoff malware. Dairy Queen claims that while credit card data was affected, "there is no evidence" that Social Security numbers, PIN numbers or email addresses were accessed. "Based on our investigation, we are confident that this malware has been contained," the company stated in a recent press release.
That confidence sounds good, but it's a bit hard to take DQ's assurance at face value. Has the company's IT security truly frozen the Backoff attack, or, like a poorly made Blizzard, is the whole thing eventually going to come sloshing down?
The Third-Party Problem
Looking at the Dairy Queen breach, one thing stands out: the link to a third-party vendor. This is a common theme in POS breaches; while company practices may be secure, third-party applications and permissions are often more difficult to pin down. Poorly coded apps can become unwitting carriers of Backoff and other malware, and third-party access points to corporate systems without strong password protection are susceptible to brute-force attacks. But putting the blame on third parties — even if they're at fault — means nothing to customers. DQ handled their data, so DQ is taking the heat.
Fortunately, it's possible to limit the risk of a third-party breach. To do so, retail companies must design security policies that both limit access and proactively test for vulnerabilities. It starts with an end-to-end examination of third-party devices, such as POS terminals, and their relationship to the network at large. If breached, what kind of access do these terminals have? Can they compromise other terminals or the entire corporate network? Ideally, each device should represent a secure endpoint with defenses to match: If Backoff or other malware infects a single device, it should be trapped, detected and then eliminated or, even better, allowed to operate under observation for threat intelligence and modeling efforts.
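The two questions above can be answered mechanically from a list of allowed network flows. The following Python sketch is an added example, not part of the original article: it follows allowed flows transitively from one terminal and reports every zone a compromised terminal could reach beyond what it needs. The zone names, ports and rules are constructed assumptions, not Dairy Queen's network.

```python
from collections import deque

# Constructed sample data: allowed flows as (source zone, destination zone, port).
# Zone names and rules are illustrative assumptions for this example only.
ALLOWED_FLOWS = [
    ("vendor-remote", "pos-store-12", 3389),
    ("pos-store-12", "payment-gateway", 443),
    ("pos-store-12", "pos-store-13", 445),
    ("pos-store-13", "store-backoffice", 445),
    ("store-backoffice", "corp-network", 22),
    ("pos-store-14", "payment-gateway", 443),
]

# Destinations a POS terminal legitimately needs (assumption for this example).
EXPECTED = {"payment-gateway"}


def reachable_from(start, flows):
    """Return {zone: path} for every zone reachable from start via allowed flows."""
    graph = {}
    for src, dst, _port in flows:
        graph.setdefault(src, []).append(dst)
    paths = {start: [start]}
    queue = deque([start])
    while queue:  # breadth-first search yields the shortest path to each zone
        node = queue.popleft()
        for dst in graph.get(node, []):
            if dst not in paths:
                paths[dst] = paths[node] + [dst]
                queue.append(dst)
    del paths[start]
    return paths


def audit_terminal(terminal, flows, expected=EXPECTED):
    """Zones a compromised terminal could reach beyond its expected destinations."""
    found = reachable_from(terminal, flows)
    return {zone: path for zone, path in found.items() if zone not in expected}


if __name__ == "__main__":
    for term in ("pos-store-12", "pos-store-14"):
        findings = audit_terminal(term, ALLOWED_FLOWS)
        print(term, "contained" if not findings else "exposed")
        for zone, path in sorted(findings.items()):
            print("   ", " -> ".join(path))
```

Running the same audit from a vendor access zone shows how far a stolen third-party credential would reach.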
Of course, this only speaks to devices — what about applications? Here, the key is a policy-based, uniform approach to every piece of third-party software a company like DQ uses each day. It should be tested, retested and then tested again on a regular basis, and with the same rigor as any internal application. Third-party vendors are not security companies: They provide what the market demands, not what's "nice to have" — and from a profit perspective, security sits firmly in the second category. Beyond device evaluation and software testing, retail companies must also communicate their expectations for privacy and security to third-party vendors. This means being clear about removing factory-issued passwords along with stating expectations of compliance, such as providing details about security practices or submitting to audits by the security provider of your choosing.
The Dairy Queen breach says it all: Third-party tools are vulnerable, but first-party users get the blame. Don't be caught unprepared for a malware blizzard — implement a policy-based, third-party approach to secure your retail systems.