Backoff, Dairy Queen, UPS & Retails Growing PoS Security Problem

Retail brands are trying to pass the buck for data security to banks and franchisees, say some experts.

Retail security is under the microscope this week, thanks to
data breaches at United Parcel Service
franchises (and
possibly Dairy Queen franchises
), government warnings about the Backoff point-of-sale malware, and new research that shows persistent vulnerabilities in retail applications.
Retails data security problem is attributed to (among other things) lack of investment in secure application development, disputes with the financial services industry over whos to blame, disputes between brands and franchise stores, and lack of oversight by those who develop and deploy retail applications.
The National Retail Federation
advocates better data security
for retailers, but it puts most of the blame on the financial services industry. In
Four Big Lies About Data Security
, the NRF points out that banks continue to use outdated magnetic strip technology and require retailers to retain too much data.
Today,
US-CERT again updated its advisory
about Backoff, the point-of-sale malware responsible for the breaches at UPS franchise stores. The Secret Service estimates that 1,000 businesses have been affected by Backoff, and seven PoS providers/vendors confirmed that their clients have been affected.
There are also rumors that Dairy Queen has been breached, as reported by Brian Krebs of KrebsOnSecurity. He said he had not been able to find evidence of such an event, but he has since been contacted by a credit unions fraud detection department that had been receiving reports of fraud deriving from cards recently used at Dairy Queen locations in multiple states. A representative of the brand did not confirm such an incident. According to Krebs:
Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters.
This is reminicscent of the recent breach at UPS, which
said in a press release
, Each franchised center location is individually owned and runs independent private networks that are not connected to other franchised center locations.
Independent networks could arguably contain the problem, and the blame could be laid on individual stores, not the brand itself. Yet that might not matter to customers.
The franchisors brand could be destroyed easily without better controls in place for franchisees, says Mike Davis, CTO of CounterTack. The fact that franchisees are not required to tell the franchisor about security breaches illustrates how breach notification processes are weak not just in retail but in most industries... Franchisors should start requiring security controls of their franchisees above those required by PCI and third parties the franchisee may work with.
Courts might not distinguish between brands and their franchise stores, either. Trey Ford, global security strategist at Rapid 7, says the Federal Trade Commission wont let the brand pass the buck so easily.
Although reports have indicated that DQ-branded franchises may not be required to report breaches to Dairy Queen headquarters, says Ford. This still may create liability for Dairy Queen. The
FTC filed a complaint
in a similar situation with Wyndham. The consumer relationship is with the brand, not the franchise.
The FTC filed the complaint against the Wyndham Worldwide Corporation hotel chain -- which had 90 independently owned hotels licensed under the Wyndham name -- in June 2012 after three data breaches. The FTC alleged that Wyndhams privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers personal information, and that its failure to safeguard personal information caused substantial consumer injury.
There are reasons for brands to care about their franchise stores security, and they may also be in a better position to manage or lead security efforts.
Franchise owners and operators will have a harder time [than brands] locating malicious software, says Ford. Those franchise stores equipped to detect, contain, and eradicate miscreants from their systems are the exception, not the rule.... If your business is contacted as a common point of purchase for credit card fraud, that is generally a high confidence indication you have a problem.
Yet with retailers blaming financial services, blaming franchisees, and blaming third-party service providers (and vice versa and vice versa and vice versa), there is perhaps an overriding problem of nobody taking enough responsibility for data security.
That also extends to the developers of retail and PoS software -- both custom-built and off-the-shelf.
According to
research released today by CAST Software
(registration required), 70% of retail applications are still vulnerable to data input validation attacks like SQL injection (yes, still) and Heartbleed compromises. Retail fared worse than any other industry. Financial services (69%) was a very close second. This is particularly concerning, since input validation attacks were used in 80% of the application attacks in retail, including the one at eBay, according to Verizons latest Data Breach Investigations Report.
When explaining the problem, CAST executive vice president Lev Lesokhin repeated the Code of Hammurabi passage that
Dan Geer referenced
in his keynote at Black Hat USA. The code, written 3,700 years ago, stated, If a builder builds a house for someone, and does not construct it properly, and the house which he built falls in and kills its owner, then the builder shall be put to death.
Ownership of construction and the oversight of construction are still very poor, says Lesokhin. It is a management issue within IT.
CAST works mainly with enterprise IT departments writing custom software, but Lesokhin expects that this is also a problem in bigger application development houses, which suffer from a certain hubris that could perpetuate the problem.
He says he hasnt seen secure coding frameworks catch on much, but basic hygiene would solve many of the issues found in these applications. Further, they found that, even though there is certainly a difference between software quality and software security, there is a strong correlation between the two. Cleaner code tends to lead to more secure code.
Why are the software vulnerabilities worse in retail and financial services? The pressure to get applications to market quickly is especially difficult in financial services, Lesokhin says, but in retail, companies may tend to spend less on software development oversight.
Will this improve? Lesokhin wonders whether the perpetual announcement of breaches and software holes has brought companies to the conclusion that it will never get better, and perhaps it isnt even worth trying to make it better. I think the question is to what extent is it becoming a learned helplessness?

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Backoff, Dairy Queen, UPS & Retails Growing PoS Security Problem