Monday, December 1, 2014

Perceived Security & The Home Depot

An NCR POS terminal at The Home Depot.
Lots of posts and tweets and chats about perception lately. Frank Denneman asked if people still perceived a single chassis as a risk and sparked a Twitter discussion that I was ill-prepared for at 5:00am my time. I wrote about seeming vs. being in my post about Hamlet and Coffee Cup Sleeves. And just last night, while I was making a last-minute dash to The Home Depot to get some more Christmas lights, I was left with the perception that Home Depot just doesn't get security. Just look at this photo --->

Yes, that's a self check-out POS terminal running Windows XP. And yes, The Home Depot frequently runs into trouble with the security of its POS terminals.

Of course I took a picture. What kind of blogger would I be if I let this one slide? Here we have one of the biggest companies in the country, fresh off one of the most well-documented and journalized credit card thefts to date, running a version of Windows that is older than Twitter and is no longer supported by the vendor. It screams irony, right?

P E R C E P T I O N

This is where perceived security comes into play. I was quick to criticize HD for learning nothing from the last ~twelve months of headlines regarding credit card thefts due to infected POS terminals. Have you learned nothing? How can HD continue to use a known-vulnerable operating system to process payments? But @stvkpln reminded me that, for large corporations with tens of thousands of terminals across the country, upgrading and / or migrating to a new system is a non-trivial task. It's not just a patch you push out over the weekend. And he's right; not matter how urgent the need may be, there's nothing worse than rushing a solution into production before it's properly thought out. I call that duress-driven design, and I've had a post in Drafts for a month now on that topic.

We agreed, however, that HD and its business partners (NCR in this particular case) need to address the issue before they suffer another attack.

But this post is about perception, and in this case, it's the perception I'm left with from this experience that is arguably more important than the reality. Metaphysically, we'll never know reality; we live in a world of shadows cast on a cave wall. The reality may be that HD is actively working towards resolving their security issues. They may be blazing a new trail in information security and innovating standards for credit card protection. But all it took was a single terminal with the iconic bliss desktop image, and my perception was set: The Home Depot still doesn't get security.