The Ivanti Threat Thursday Update for November 16, 2017: It Only Takes One Opening…
Greetings. This week, a possible hack of point-of-sale (POS) systems at Forever 21 stores, plus some disturbing findings about weak user passwords and online account hijacking. If any or all of this raises opinions, reactions, and/or suggestions, please share. Thanks in advance.
Forever 21: Some POS Systems Possibly Compromised – Maybe
Retailer Forever 21 has notified customers worldwide that “there may have been unauthorized access to data from payment cards that were used at certain [of its] stores.”
- Forever 21 operates “more than 815 stores in 57 countries.” In a Nov. 14 statement, the retail chain said “it recently received a report from a third party that suggested” payment card information may have been compromised at some stores. The company added that while it is “too early to provide further details,” its investigation is focused on transactions conducted between March and October of this year.
- Forever 21 implemented “encryption and tokenization solutions” in 2015 in an effort to improve the security of its POS operations. However, “it appears that only certain point of sale devices in some…stores were affected when the encryption on those devices was not in operation.”
What We Say: Where cybersecurity is concerned, enterprises must ensure that no systems are left behind as new measures are implemented. This is particularly challenging in environments that include multiple legacy systems. Comprehensive, accurate discovery and inventory of IT resources is essential, as is the ability to roll out new protections consistently across all potentially vulnerable systems. (See “The Equifax Breach, Patch Management, and Your Cybersecurity” and “Three Components Required for a Complete IT Asset Management Solution (Part 2 of 4): Discovery.”)
Survey: Poor Passwords Pervasive
A recent survey of more than 600 IT decision makers compared their perceptions with realities at their organizations regarding password standards and practices. The results of those comparisons were not promising.
- As reported by Information Age, identity management solution provider OneLogin surveyed “more than 600 UK-based IT decision-makers with influence over their business’s IT security.” Among them, “85%...feel they have adequate password protection measures in place.”
- However, these same respondents are lax in enforcing even basic password hygiene. “In fact, less than a third (31%) require employees to rotate passwords monthly, and a further half (52%) admitted to only requesting password rotation once every three months.”
- “Only 37% of those surveyed ask employees to check their passwords against common password lists and 39% don’t even require employees to use special characters.” Further, only 30% of respondents supplant passwords with multifactor authentication for access to internal applications, and only 26% do so for external applications.
Google Searches for Causes of Hijacked Accounts
A recent blog post from Google describes how the company collaborated with the University of California, Berkeley, “to better understand how hijackers attempt to take over accounts in the wild.” While the focus was on Google accounts and their holders, the threats examined – phishing, keylogging, and third-party data breaches – “pose a risk to all account-based online services.”
- From March 2016 through March 2017, researchers “tracked several black markets that traded third-party password breaches, as well as 25,000 blackhat tools used for phishing and keylogging. In total, these sources helped us identify 788,000 credentials stolen via keyloggers, 12 million credentials stolen via phishing, and 3.3 billion credentials exposed by third-party breaches.”
- Some 12% of records exposed by third-party breaches included an email address as user name, and a password. Of those passwords, “7% were valid due to reuse.” Google added that between 12 and 25% of attacks on its accounts via phishing and keylogging tools yield valid passwords. “By ranking the relative risk to users, we found that phishing posed the greatest threat, followed by keyloggers, and finally third-party breaches.”
- Those tools go after more than just passwords. “We found 82% of blackhat phishing tools and 74% of keyloggers attempted to collect a user’s IP address and location, while another 18% of tools collected phone numbers and device make and model.”
What We Say: Weak, repetitively used passwords, overly informative out-of-office and away messages, and susceptibility to phishing emails and links to malware such as keyloggers share two key characteristics. Each represents an avenue of attack on your network, and for each, technology can only provide partial protection. Your organization must combine multi-layered technological defenses with rigorous, well-enforced policies and consistent, continuous user education. This approach can determine whether your users are your environment’s most vulnerable elements or its first line of effective defense. (See “Endpoint Security Evolves: The Rise of the Personal Perimeter,” “User Education for Cybersecurity: Yes, It’s Worth It,” and “Your Threats Are Evolving. Are Your Defenses?”)
Ivanti: Protections That Work for Your Users and Your Business
You need to protect and enable your users, and to secure the applications, data, and resources they use to do their jobs and drive your business. Ivanti can help. We have solutions for granular, non-disruptive control over your users’ applications, devices, and admin rights. We can also help you get and keep your client and server system patches up to date, and to combat and remediate malware and other attacks. We have Professional Services, partners, and other ways to help as well. Check us out online. Then, let’s talk. (Meanwhile, please keep reading, sharing, and commenting on our security blog posts, especially our Patch Tuesday and Threat Thursday updates!)