It is an arguable point, but the retail sector has probably changed more than any other industry in the last 20 years. This is mostly down to the globalization of retail through online sales, but it is also because of innovation in marketing and consumer loyalty. For example, in 2016 so far, $300 million has been invested in retail technology start-ups. And we love to shop. In 2016, the expected online spend in retail will be $1.67 trillion, and this figure is just going to grow and grow through 2020 at least.
The issue that retail faces as it expands its business by embracing the Internet as a sales platform is the same one other industry sectors face: it is opening itself to cyber criminals as well as shoppers.
Retail, like many other sectors, is feeling the pinch in terms of costs of cyber attacks.
Some of the largest breaches to date have occurred in the retail sector, including 145 million customer passwords stolen from eBay, 40 million payment cards and 70 million personal account details stolen from Target Corp, and a breach at Home Depot affecting 56 million customer payment cards.
According to the Verizon Data Breach Investigations Report 2016, retail saw the greatest cyber threats in the following three main areas:
● Web app attacks: This is where a web application is targeted. The usual vectors are phishing of administration credentials, or exploiting software vulnerabilities and then installing backdoor malware to slowly exfiltrate data. DDoS is also included in web app attacks.
● Point of Sale (POS) attacks: These are remote attacks on POS systems. Keylogging malware seems to be the main vector. This type of cyber threat targets retailers of all sizes because POS assets are now Internet-enabled.
● Payment card skimmers: In this type of attack, the POS device has to be physically compromised. Organized gangs often carry out this type of crime. It mainly affects bank ATMs, but merchants are still at risk.
A particularly interesting finding by Verizon was that “97% of breaches featuring stolen credentials leveraged legitimate partner access”. This implies that retail has a major issue with securing the supply chain and managing the risk of third parties.
The Retail Cyber Intelligence Sharing Center (R-CISC) has identified a number of areas that make retail stand out when it comes to mitigating cyber security risk. These areas make retail a particular type of target for cybercriminals and include:
● High turnover of staff. This means that insider threats are more likely.
● Holding of payment card data, which needs to be PCI compliant. This presents issues in dealing with third parties in the supply chain, who also have to be PCI compliant if they manage financial data in any way.
● Customers are also potential threats. This may be unique to the retail industry, where the customer has the potential to commit fraud.
● Having a widely dispersed attack surface. Many retailers have a wide geographic reach in terms of outlets as well as an online presence.
Retailers have other pressures that, although not unique to this sector, are a focus of attention. For example, retailers have a number of peak seasons, such as Black Friday, Cyber Monday and Christmas, which are known to be extremely busy times and so are a target for fraud and sabotage. Cyber Monday 2015 saw the highest ever sales, with $3.19 billion spent in a single day. Cybercriminals have been targeting websites specifically to cause chaos on very busy days like Cyber Monday, using Distributed Denial of Service (DDoS) attacks, which make websites and apps fall over. In 2014 the WordPress shopping cart Cart66, used by large numbers of retailers to add shopping cart functionality to their sites, suffered a massive DDoS attack. Akamai has found that DDoS attacks increased by around 22.5% between 2014 and 2015, with retail being the most popular target for DDoS.
Retail analysts eMarketer have predicted that by 2017 over 51% of Americans will make at least one online purchase using a smartphone, accounting for over $75 billion in sales. As retail embraces online purchases and mobile buying becomes the normal purchase medium, we can expect to see more mobile-based threats emerge. But mobile threats are now a well-known vector, and e-commerce has an opportunity to nip this one in the bud.

One of the key areas that needs to be dealt with to mitigate web-based, and ultimately app-based, security threats is hardening the software behind the scenes. This means that mobile and web app development has to be done as a secure coding exercise, following the advice of the Open Web Application Security Project (OWASP). Many smaller retailers use third-party software such as WordPress and associated plug-ins to build their retail sites. Using third parties to build your retail site means that you have to be ultra vigilant: choose security-aware plug-ins and apps, and keep them updated.

One of the weak points of web and mobile app security is authentication. As mentioned earlier, 97% of breaches featuring stolen credentials leveraged legitimate partner access. It’s important that retail puts the hardening of authentication as a priority, especially for administrator and privileged access via supply chain vendors. Putting security measures in place for known threats, using security intelligence from the likes of the National Institute of Standards and Technology (NIST) and R-CISC, will change the future retail threat landscape from one of major breaches to a much more controlled environment, making it safe for all of us to shop online.