Keep It Secured, Physically And Digitally

Added 15th Mar 2007

Article Highlights

  • Information security controls have gaps wherever there is a physical way to circumvent high-tech protections, such as simply swapping out a device.
  • Approach security the way a hacker would.

Thirty seconds. That's about how long it took for criminals to subvert both the information security and physical security precautions put in place by the supermarket chain Stop & Shop, which acknowledged the breach last month. The security breach wasn't a huge one (at least by the look of it so far), but it was still a doozy: criminals went into at least six stores and tampered with Electronic Funds Transfer units. These are the point-of-sale devices, more commonly known as PIN pads, where credit and debit card customers swipe their cards and enter personal identification numbers.

“Assess security from the way a hacker sees it. It’s not about following some rules.”

John Kirkwood, global information security officer for Royal Ahold, Stop & Shop's Amsterdam-based parent company, says that it took criminals, operating late at night when the store was thinly staffed, about half a minute to replace a legitimate check-out device with a phony one that, in addition to doing what the legitimate device was supposed to do, also captured card numbers and PINs for the criminals to retrieve later. It's a scam similar to cash machine 'skimming', in which criminals tamper with automatic teller machines to nab bank account information from unsuspecting users. "They would come in and replace a machine that was a perfectly good encrypted machine with a machine that was designed to be able to harvest and store the information," Kirkwood says. "You don't think that people are going to come in and, in a concerted, gang-like way, target PIN pad machines." Except that's exactly what happened.

So Stop & Shop failed, right? Well, not exactly. The whole point of risk management is to do your best and adjust as you go. When you find a problem, you fix it. That's exactly what Stop & Shop is doing now. For one thing, Kirkwood says, the company has completed awareness training for employees about this PIN pad threat. In fact, it was employees who noticed suspicious activity at the front of one of their stores recently and contacted the local police. The police department then arrested four men who had, it seems, come back to reclaim the tampered-with machines and retrieve the information they held. (The men were from California, and the Secret Service is investigating; I can only speculate that the full extent of the damage extends far beyond six grocery stores.)

At the same time, Stop & Shop is protecting all its PIN pads from high-tech fraudsters with a decidedly low-tech device: bolts. Big bolts. Ones that make it take a lot longer than 30 seconds to swap out a PIN pad. I'd wager a guess that a month ago, had Kirkwood proposed this solution, he would have been met with howls of laughter, and perhaps some defensiveness from the physical security department. All of which is further proof that it simply doesn't make sense to approach physical security and information security separately.

