The credit card data breaches at Target, Neiman Marcus and – undoubtedly – more stores to come has shaken major retailers. But the fear isn't confined to the national retailers that operate stores across the country.
Plenty of “mom and pops” are worried too, according to Milton Security Group, a network security provider that serves mostly small and medium-sized businesses.
Fear and uncertainty
"Over the past few weeks we have seen a definite increase in the amount of fear, uncertainty, and doubt among a lot of small growing businesses relating to the recent security attacks against major retailers like Target and Neiman Marcus, said Milton CEO Jim McMurry.
While these smaller companies face the same type of problem their resources are much less than the Targets of the retail world. McMurry says his firm is focusing on security systems that can meet the current threat but don't cost as much as the ones used by the big guys.
Meanwhile, over the weekend arts and crafts retailer Michaels said it is investigating whether its network suffered a breach.
"We are concerned there may have been a data security attack on Michaels that may have affected our customers' payment card information," Chief Executive Chuck Rubin said in the statement. "We are taking aggressive action to determine the nature and scope of the issue."
If Michaels has indeed been hit, it would be the second time. In 2011 the retailer notified customers that credit cards used at 80 of its stores had been compromised. Since that data breach, hackers have gotten even more sophisticated.
Deconstructing the attack
Security experts at Sophos have deconstructed the methods use in the Target breach. Sophos' Paul Ducklin reports the attackers used a malware that was loaded into point-of-sale terminals. The software was able to capture the data on each transaction.
The captured data was automatically bundled and transmitted to brokers, who sold it on the black market to criminals who used it to create thousands of phony credit cards.
According to Ducklin, the malware is called a “RAM scraper,” which exploits a flaw in the system.
“RAM scraping works because payment card data is often also unencrypted in memory (RAM) in the POS register, albeit briefly,” Duck writes in his blog.
Sophos reports RAM scrapers go back at least to 2009 but the latest versions are more sophisticated and, for retailers and their customers, more dangerous. That means both retailers and consumers will have to be more careful.
The FBI emphasized that point last week as it warned, in a confidential report to retailers, that they should prepare themselves for more cyber attacks in the months ahead.