Alarmed
Converging Physical and Cyber Security at Stop & Shop
Supermarket chain CISO John Kirkwood speaks out about the latest evidence of why physical security and information security can't be approached separately.
By Sarah D. Scalet
March 09, 2007 — CSO — Thirty seconds. That's about how long it took for criminals to subvert both the information security and physical security precautions put in place by the supermarket chain Stop & Shop.
As you probably know by now, Stop & Shop is warning customers in Rhode Island and Massachusetts that it had a security breach. Not a huge one (at least by the look of it so far), but still a doozy, in which criminals went into at least six stores and tampered with Electronic Funds Transfer units. These are the point of sale devices, more commonly known as PIN pads, where credit and debit card customers swipe their cards and enter personal identification numbers.
John Kirkwood, global information security officer for Royal Ahold, Stop & Shop's Amsterdam-based parent company, says that it took criminals, operating late at night when the store was thinly staffed, about half a minute to replace a legitimate check-out device with a phony one that, in addition to doing what the legit device was supposed to do, also captured card numbers and PINs for the criminals to retrieve later. It's a scam similar to cash machine "skimming," in which criminals tamper with automatic teller machines to nab bank account information from unsuspecting users.
"They would come in and replace a machine that was a perfectly good encrypted machine with a machine that was designed to be able to harvest and store the information," Kirkwood says. "You don't think that people are going to come in and, in a concerted, gang-like way, target PIN pad machines."
Except that's exactly what happened. So Stop & Shop failed, right? Well, not exactly. The whole point of risk management is to do your best and adjust as you go. When you find a problem, you fix it. That's exactly what Stop & Shop is doing now.
For one thing, Kirkwood says, the company has completed awareness training for employees about this PIN pad threat. In fact, it was employees who noticed "suspicious activity" at the front of the store in Coventry, Rhode Island, one night last week and contacted the local police. The Coventry police department then arrested four men who had, it seems, come back to reclaim the tampered-with machines and retrieve the information they held. (The men were from California, and the Secret Service is investigating; I can only speculate that the full extent of the damage extends far beyond six grocery stores in New England.)
physical and cyber security
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
- Sustaining SOX Compliance: Best Practices to Mitigate Risk, Automate Compliance, and Reduce Costs
- Beyond PCI Checklists: Securing Cardholder Data with Enhanced File Integrity Monitoring
- Credit Issuers: Stop Application Fraud at the Source with Device Reputation
- CSO's Guide to Security and Compliance
- Understanding Data Location is Imperative for Data Loss Prevention
- FISMA and FDCC Compliance: Millennium Challenge Corporation
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
