Researcher: Be wary of going-out-of-business sales

When large chain stores sell everything, sometimes that also includes point-of-sale systems and related data.

Robert Vamosi Former Editor

As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

See full bio

Robert Vamosi

Jan. 29, 2008 12:52 p.m. PT

2 min read

You might be tempted by the low, low prices, but going-out-of-business sales might come back to haunt you in the form of identity theft, says researcher Neal Krawetz of Hacker Factor. He posted a blog citing concerns over CompUSA closing all of its 103 stores. Bottom line: there currently is no regulation of or accountability for the sale of point-of-sale hardware that could contain credit card information and/or customer and corporate information.

Krawetz, who last year warned of existing vulnerabilities in how large chain stores regularly collect and store credit card information, says that customers need to be wary of businesses going out of business in general.

Mark Gertenbach, director of Sales and Operations Services at CompUSA, responded to Krawetz's blog, saying in part that "CompUSA isn't owned or run by CompUSA any more...the same company that owns dozens of other companies that are going out of business owns it now." Gertenbach also said "PCI compliance will not allow credit card information to be stored IN the POS."

Not true, says Krawetz.

"Last October a group of merchants formally requested changes to the PCI and card processing system. In particular, the credit card industry currently requires the storage of credit card information for as long as 18 months. The merchants want this requirement removed. Their argument is that thieves cannot steal what does not exist. However, the credit card industry has not yet addressed this request."

So, for the moment, most point-of-sale system hardware retains some transaction data, if not at the point of sale itself, then at branch servers that collect and store individual register sales data. It is the branch servers, Krawetz believes, that were hacked in the case of TJX and other retail stores.

Is this a real problem? Yes. In 2003, Massachusetts Institute of Technology graduate students Simson Garfinkel and Abhi Shelat bought some hard drives on the Web and at swap meets. Of the hardware they acquired, 129 of the 158 drives were still functional with 28 drives showing little or no attempt to erase the information. One drive even contained a year's worth of financial transactions.

Krawetz said on his blog site, "Although not the case of CompUSA, many bankruptcy and foreclosure auctions sell off confiscated property. The auction house rarely has the passcodes to clear PoS devices. In my experience, it is only when companies are upgrading their systems (and not going out of business), that they strive to wipe systems before an auction (and even then, they usually forget about cash registers)."

Should you patronize stores that are going out of business? I think it depends on your instinct--whether you feel the store will do the right thing. The right thing, in my opinion, would be for the store not to sell its point-of-sale hardware, or, at the very least, digitally wipe the data first. But I have no idea how many stores actually do either of these.