There was a time when people differentiated between stealing from a physical store and pilfering data from a network. Throughout the years there have been articles talking about the safety/risks of shopping online vs. shopping at a retail outlet. You could either get carjacked in the parking lot and have your wallet stolen on Black Friday or your browser hijacked and your digital identity stolen on Cyber Monday. There are probably many people who exclusively shop one way or another due to their own risk assessment of each...ignoring whatever convenience, interaction, price, constraints, gratification, availability or any other perceived beneficial metric on the Franklin T-scale tied to the specific activity.
Now we've learned that the recent Target breach was due to malware being installed on the point of sale devices. Wait, what? A 'cyber' crime within a retail bricks environment? Isn't anything sacred? Well no, and this is really not anything new. ATMs and point of sale devices have been targets for a while due to the simple fact that they run on an operating system. A potentially vulnerable operating system. In 2012, thieves broke into Barnes and Noble's keypads and grabbed a bunch of credit cards. Subway also had it's PoS devices infiltrated. There will be more.
Online shopping has risen 300% since 2004 and continues to grow. comScore reports that desktop sales on Black Friday grew 21% ($1.1 Billion) and Cyber Monday grew 18% ($1.7 billion). Yet, with all the mouse orders we accomplish on any given day, according to the Dept. of Commerce, it still only amounts to 6% of all U.S. retail sales. You'd think that it would be much higher but major purchases, like automobiles for instance, are still (mostly) purchased in person. The shift, however, will certainly grow as more people rely on mobile as a primary purchase sidekick and... as always, the bad guys are going to focus on where they can get their take. In this interesting TED talk, security expert Mikko Hypponen says that we are more likely to be a victim of an online crime than a real world stick up.
That includes an increase of blended attacks.
We've seen it a thousand times - plant something on the inside and siphon from the outside; launch a network based attack as a diversion to go after the app data; do a little social engineering surveillance to become one of them; and of course the classic, knock out the guards, put on their outfits and walk in while nobody notices.
There is still much to uncover about this latest breach but I can't help feeling that more retailers, as has been reported, will be screaming, 'This PoS device is a PoS!