Despite consumer—and even some IT executive—beliefs that e-commerce poses a much greater security risk than store-based point-of-sale systems, a new Gartner report concludes that the opposite is true.
Gartner is reporting that by 2008 most attacks will be on physical POS (point-of-sale) systems and that by 2009 only one out of three such systems will comply with current security standards.
“Device vulnerabilities are often overlooked by enterprises, who tend to focus on enterprise servers and systems when securing their environments,” wrote Gartner security analyst Avivah Litan, adding that data transmissions are also closely monitored and “typically ignored by many companies are the devices that hang off of corporate networks where data are either collected or output, particularly point-of-sale devices and printers located throughout enterprise systems.”
This disconnect has not been lost on thieves (neither the cyber nor the old-fashioned kind). “Criminals have discovered that some devices are ripe targets for committing financial fraud and other types of information theft. Particularly hard hit in the past year are point-of-sale systems exposed to the Internet which are storing magnetic stripe card data, and intelligent printer systems that store information as part of the paper print process,” the report said.
How lopsided are the figures? Overwhelming, according to Gartner’s statistics, which have 80 percent of all data breaches happening in-store. “I can’t think of one well-publicized successful e-commerce attack,” Litan said.
To be fair, many of the data breaches involve the Internet but are quite far removed from e-commerce. For example, many POS systems seek authorizations and pass information along an IP connection, which is frequently how they are accessed by the crooks.
“A lot of retailers have moved their POS from dial-up to IP, and they haven’t even thought about the security implications,” Litan said. “A lot of the passwords are still the default security passwords.”
Another confusion point is where and how the data is used to commit the fraud, as opposed to how the confidential data is stolen. It’s a lot more common—and easier—to steal the data from store systems, whether via the network, using someone in a physical storefront, or stealing a laptop from workers while they are commuting or by breaking into their homes. But after the data is captured, it’s indeed easier to commit the actual theft later on using the more anonymous Web site.
The reasons in-store systems are such attractive targets are numerous, but primarily because they typically are not as well-protected. Another reason is that there is simply a lot more data to be taken from in-store systems.
Read the full story on eWEEK.com: E-Commerce More Secure than Brick and Mortars.
