Supermarket chain CISO John Kirkwood speaks out about the latest evidence of why physical security and information security can't be approached separately.

Thirty seconds. That’s about how long it took for criminals to subvert both the information security and physical security precautions put in place by the supermarket chain Stop & Shop.

As you probably know by now, Stop & Shop is warning customers in Rhode Island and Massachusetts that it had a security breach. Not a huge one (at least by the look of it so far), but still a doozy, in which criminals went into at least six stores and tampered with Electronic Funds Transfer units. These are the point of sale devices, more commonly known as PIN pads, where credit and debit card customers swipe their cards and enter personal identification numbers.

John Kirkwood, global information security officer for Royal Ahold, Stop & Shop’s Amsterdam-based parent company, says that it took criminals, operating late at night when the store was thinly staffed, about half a minute to replace a legitimate check-out device with a phony one that, in addition to doing what the legit device was supposed to do, also captured card numbers and PINs for the criminals to retrieve later. It’s a scam similar to cash machine “skimming,” in which criminals tamper with automatic teller machines to nab bank account information from unsuspecting users.

“They would come in and replace a machine that was a perfectly good encrypted machine with a machine that was designed to be able to harvest and store the information,” Kirkwood says. “You don’t think that people are going to come in and, in a concerted, gang-like way, target PIN pad machines.” Except that’s exactly what happened.

So Stop & Shop failed, right? Well, not exactly. The whole point of risk management is to do your best and adjust as you go. When you find a problem, you fix it. That’s exactly what Stop & Shop is doing now.
For one thing, Kirkwood says, the company has completed awareness training for employees about this PIN pad threat. In fact, it was employees who noticed “suspicious activity” at the front of the store in Coventry, Rhode Island, one night last week and contacted the local police. The Coventry police department then arrested four men who had, it seems, come back to reclaim the tampered-with machines and retrieve the information they held. (The men were from California, and the Secret Service is investigating; I can only speculate that the full extent of the damage extends far beyond six grocery stores in New England.)

At the same time, Stop & Shop is protecting all its PIN pads from high-tech fraudsters with a decidedly low-tech device: bolts. Big bolts, ones that make it take a lot longer than 30 seconds to swap out a PIN pad. I’d hazard a guess that a month ago, had Kirkwood proposed this solution, he would have been met with howls of laughter, and perhaps some defensiveness from the physical security department.

All of which is further proof that it simply doesn’t make sense to approach physical security and information security separately. Kirkwood says that Stop & Shop is compliant with the Payment Card Industry’s Data Security Standard, with the exception of some work it is still doing on data retention. That means that the information captured on the legitimate PIN pads was encrypted, and that certain information, including personal identification numbers, is not saved on company systems. It means, in essence, that the company was—or should have been—well protected from people looking to commit credit card fraud. (Stay tuned for CSO’s upcoming coverage of this industry attempt at self-regulation.)
In all fairness, the PCI standard does include a nod or two to physical security, including a requirement that companies restrict physical access to cardholder data. However, it is primarily an information security standard. That means it has gaps where there are physical ways to circumvent high-tech protections, like physically swapping out devices.

“That’s why you need to do a comprehensive, uber-assessment,” says Kirkwood, now with the benefit of hindsight. “Do it from the way a hacker would think. It’s not following the rules of PCI; it’s thinking out of the box and going backward and going sideways. You don’t follow the rules when you’re trying to break into something.”

So the usual “rules” for security must adapt. Who knows; maybe the CISO will need to add a few bolts to his toolbox.
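Bolts slow a swap down; a device inventory check is what tells you a swap happened. The following is an added example, not code from the article or from Stop & Shop or Ahold: it assumes a store keeps a list of authorized PIN pads per checkout lane (serial and model, constructed values here), that the POS controller can report what each lane's device currently identifies as, and that staff log a physical tamper inspection per lane.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PinPad:
    lane: str
    serial: str
    model: str


# Constructed inventory of the approved PIN pads for one store (hypothetical serials).
AUTHORIZED = {
    "lane01": PinPad("lane01", "SN-1001", "MODEL-A"),
    "lane02": PinPad("lane02", "SN-1002", "MODEL-A"),
    "lane03": PinPad("lane03", "SN-1003", "MODEL-A"),
}

# Constructed readings polled at store opening: lane02 now reports a unit that is
# not on the inventory at all, and lane03 reports nothing (unplugged or offline).
OBSERVED = {
    "lane01": ("SN-1001", "MODEL-A"),
    "lane02": ("SN-9999", "MODEL-A"),
}

# Constructed inspection log: when each lane's pad was last physically checked.
NOW = datetime(2024, 1, 2, 6, 0)
LAST_CHECKED = {
    "lane01": NOW - timedelta(hours=2),
    "lane02": NOW - timedelta(days=2),
    "lane03": NOW - timedelta(hours=20),
}


def reconcile(authorized, observed):
    """Compare the approved inventory with what each lane reports right now.

    `observed` maps lane -> (serial, model) as read from the POS controller
    (an assumption: that terminals expose serial and model to the controller).
    Returns lanes whose device was substituted, lanes reporting no device, and
    serials that appear on the floor but are not in the inventory anywhere.
    """
    swapped, missing, unknown = [], [], []
    for lane, pad in authorized.items():
        if lane not in observed:
            missing.append(lane)
            continue
        serial, model = observed[lane]
        if serial != pad.serial or model != pad.model:
            swapped.append(lane)
    known = {p.serial for p in authorized.values()}
    for lane, (serial, _) in observed.items():
        if serial not in known:
            unknown.append((lane, serial))
    return {"swapped": sorted(swapped), "missing": sorted(missing), "unknown": sorted(unknown)}


def overdue_inspections(last_checked, now, max_age=timedelta(days=1)):
    """Lanes whose physical tamper inspection is older than max_age."""
    return sorted(lane for lane, t in last_checked.items() if now - t > max_age)


if __name__ == "__main__":
    print(reconcile(AUTHORIZED, OBSERVED))
    print(overdue_inspections(LAST_CHECKED, NOW))
```

A lane that comes up "swapped" or "unknown" after an overnight window is exactly the half-minute substitution the story describes; running the reconciliation at every store opening and on every device reconnect turns a physical event into something the security team can see.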