InfoSec Buzz: Forever 21 Reports Hacking Of Payment Card Information

November 20, 2017 — Forever 21 Reports Hacking Of Payment Card Information

Security expert Robert Capps comments on the news that fashion retailer Forever 21 has announced that there has been unauthorized access to data from payment cards used at some of its stores.

“In an effort to make transactions for consumers as simple as possible, retailers like Forever 21 often subcontract third-party suppliers. Those organisations, in turn, hire other companies, creating a long chain of providers that handle sensitive data. Therein lies the opportunity for situations such as this, where credit card information is potentially exposed somewhere along the chain. It is this chain that is scrutinised by hackers to probe for any way in to grab personally identifiable information (PII), so they can ultimately use the credit cards and accounts for fraud.

“Back in 2015, Forever 21 made an effort to secure their clients’ personal data through encryption and token-based authentication methods. This measure has reduced the impact of this potential breach – still under investigation. However, this higher-security system was still not implemented in some point of sale (PoS) devices, putting those clients’ information at risk. We are glad to see companies enhancing their security, but they should also be diligent and implement those new technologies across all placements. Forever 21 is the example of what happens when you fail to do so: hackers are attracted to your security gaps like bees to a honeypot.

“There is also the question of why the personally identifiable information (PII) hackers steal is still enough to make fake transactions or purchases. If retailers include a layer of dynamic verification technologies such as behavioural biometrics, they will not need to rely solely on the customer’s static data to verify them, and this stolen information will become useless for hackers. Companies should use a fully integrated multi-layered security approach – so if a verification vector fails there are other layers to trust – that includes passive biometrics. Retailers need to identify customers by including their online behaviour combined with hundreds of other identifiers that hackers can’t imitate or steal. Retailers should also take the time to assess all their security systems and potential gaps before the holiday rush.”
