Breach Investigation Focuses on PNI
Experts Offer Insights on Thwarting Fraudsters
The risks of e-commerce breaches are top-of-mind again with the news of a possible breach of PNI Digital Media Inc., a Vancouver-based firm that manages and hosts online photo services for numerous big-name retailers, including CVS and Walmart (see More Retailers Hit by New Third-Party Breach?).
Once hackers gain access to an e-commerce site, they often can easily access payments data and other personal information, warns Al Pascual, director of fraud and security at Javelin Strategy & Research. That's because data on these sites is not typically segregated, based on sensitivity, he adds.
"Compromising the websites themselves is functionally equivalent to breaching a POS terminal," he says. "Criminals gain access to all of the payment data they need as soon as it is entered, potentially exposing every customer who has interacted with the merchant through that channel to subsequent fraud."
Troy Leach, CTO of the PCI Security Standards Council, says online retailers need to start investing in technologies, such as tokenization, that remove card data from their systems to prevent potential exposure.
"We can expect to see more attacks in the online space and where transactions are made without a physical card present," Leach says. "As EMV chip technology cuts down on fraud for in-store transactions, criminals will focus their attacks on emerging channels. That's why removing the incentive for criminals by using dynamic data, other forms of authentication and technologies like tokenization that make the data useless for committing fraud will be key to protecting payments."
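To make Leach's point concrete, here is an added Python sketch (not code from the article, PNI or any retailer it names) contrasting a merchant store that keeps raw card numbers with one that keeps only a provider-issued token and the last four digits; the vault class, the `tok_` token format and the sample card number are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Luhn check on an all-digit string; a quick way to spot a raw PAN in dumped data."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical provider-side vault: the only place the PAN is stored."""
    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(16)   # random, not derived from the PAN
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


@dataclass
class MerchantStore:
    """What the e-commerce site itself persists for each order."""
    orders: list[dict] = field(default_factory=list)

    def record_order_raw(self, pan: str, amount: int) -> dict:
        order = {"card": pan, "amount": amount}          # weak: PAN lives on the site
        self.orders.append(order)
        return order

    def record_order_tokenized(self, vault: TokenVault, pan: str, amount: int) -> dict:
        order = {"token": vault.tokenize(pan), "last4": pan[-4:], "amount": amount}
        self.orders.append(order)                         # no PAN anywhere on the site
        return order


def pans_exposed(store: MerchantStore) -> list[str]:
    """Simulate an attacker dumping the merchant store: which values are usable card numbers?"""
    return [v for o in store.orders for v in o.values() if isinstance(v, str) and luhn_valid(v)]
```

`pans_exposed` is the defender's check: run against the tokenized store it returns nothing, while the raw store hands back every card number it holds.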
PNI's investigation of a possible breach is continuing, Kirk Saville, a spokesman at office supply company Staples, which acquired PNI in 2014, tells Information Security Media Group. "Outside security experts are assisting in the investigation," he says.
News of a potential breach linked to PNI broke last week, when Walmart Canada and CVS Pharmacy announced that they had temporarily disabled their online and mobile photo services because of a potential breach linked to PNI.
Then more retailers, including Rite Aid Pharmacy, Costco, Tesco and Sam's Club, announced that they, too, had disabled their online and mobile photo services because of a suspected third-party breach. Only Rite Aid, however, mentioned PNI as the company to which it outsources online photo services.
So far, none of these PNI retail customers say they have seen any evidence to indicate that card data was compromised on their sites.
Vulnerabilities in the software and even HTML code used on e-commerce sites can make them susceptible to breaches. For example, Pascual points to the 2013 Adobe breach, which exposed source code for ColdFusion, a Web application development platform used by many e-commerce sites.
"Merchants with an online presence need to be prepared for different types of threats than they are used to at the POS," he says. "That being said, to gain an understanding of where they are at risk, they should consider the corollaries between different points in the respective payment channels."
While no one has linked PNI's potential breach to ColdFusion, some experts say a similar type of software vulnerability could be to blame for the potential breach at PNI. This is why stronger online authentication is so critical: it helps prevent unauthorized financial transactions that rely on payment information stolen in an e-commerce attack.
Dave Jevans, chief technology officer of online security firm Marble Security Inc., said that, in the wake of the ColdFusion vulnerability, many online retailers have been reluctant to enhance authentication.
"Gas stations implemented the 'enter your ZIP code' secondary authentication for mag-stripe cards, and it has proven highly effective," he said. "Online CNP transactions need something similar."