Now that another holiday shopping season has come to an end, it is time to evaluate the most common cyber threats facing the retail industry in the upcoming year. Common threats to retailers include POS attacks, web application attacks, insider threats, and attacks against a retailer’s databases or other internal systems.
POS Cyber Attacks Against Retail Companies
POS or “point-of-sale” attacks are especially popular with cyber criminals, because the POS system contains some of the most sensitive data possible – the card numbers and PINs of the company’s customers.
In one example case, a major retailer suffered a malware attack on its POS systems. Not only did the malware steal the credit card information and PINs for all cards used on an infected machine, it also spread to other machines in the same company. Over time it successfully infected millions of the company’s POS systems and stole a huge quantity of credit card information for resale to other criminals.
The holiday shopping season is a common time for criminals to try to use stolen credit card numbers, because customers are spending a lot of money and tend to have a lot on their minds. Overwhelmed with holiday shopping and other preparations, they may simply not notice immediately when their card is misused.
Web Application Attacks Against Retail Companies
According to the Verizon 2019 Data Breach Investigations Report, POS intrusions are no longer the most common type of attack for retail companies to suffer. That position has been taken by attacks against web applications.
Attackers will attempt to breach a company’s online payment application, then install malicious code designed to steal the customer’s credit card information as they enter it. Companies that fail to give enough attention to cyber security are the most likely to be targeted for this type of attack, because criminals actively search for vulnerable systems. After scanning the internet for known vulnerabilities in web applications, the attacker will zero in on any company found to be vulnerable, then use the vulnerability to get access to the company’s system and install the code. The stolen credit card information will then be sold to other criminals.
There are entire groups of cyber criminals devoted to just this one type of crime, including the well-known syndicate Magecart. Magecart is known for not only infecting payment systems directly, but for infecting multiple sites at once by staging a supply chain attack. A supply chain attack targets the companies that provide code to other websites. Once Magecart succeeds in corrupting this code, it can get access to every website that uses the infected code.
Customer credit card information isn’t the only type of data worth stealing. The points or the personal information from customer reward programs should also be seen as potential criminal targets according to Verizon’s DBI Report.
Insider Threats Against Retail Companies
Insider threats, as always, are a common threat to retail companies – especially considering high employee turnover and multiple points of vulnerability. To get a sense of the scale of the threat, imagine all the stores and distribution facilities in a particular retail company, then imagine all the people who work at all those locations. Now add seasonal employees and third parties who handle some aspect of the company’s business processes.
An insider attack is often ridiculously simple to carry out. For example, an employee might copy sensitive customer data to a flash drive and simply walk out the door with the data in his pocket. In an insider threat case described by Deloitte, a major retailer lost 8 million pieces of data over a period of several years to a single employee who was simply copying it to a portable device, taking it home, and selling it to criminals online.
Attacks On Retail Companies’ Websites
It’s always a major concern for a retail business to suffer a cyber attack, especially if the attack causes the company’s website to go offline. Lost sales and frustrated customers are obviously a nightmare scenario for any company. However, this concern becomes much more serious for a retail business during the holidays.
One common strategy for attackers is the distributed denial-of-service attack. In a retail context, this is an attempt to overwhelm an e-commerce platform with traffic of all kinds – including fake online orders and customer service inquiries.
Another common attack is to install ransomware on a retailer’s system in order to encrypt the company’s data. The attacker can then demand a ransom in exchange for decrypting the data.
Some cyber criminals will use email to pose as a supplier or business associate of the company in order to submit fraudulent invoices for non-existent products or services.
Companies with strong cyber security defenses can still be vulnerable to attacks against their vendors, who may have weaker defenses or unpatched vulnerabilities.
Cyber criminals also like to attack corporate databases containing potentially valuable customer data. In some cases, corporate spies may seek to obtain intellectual property that could give a competitor a valuable advantage over the targeted company, such as the location plans for new stores.
Consequences of a Data Breach
The consequences of a successful attack can be severe. The EU’s General Data Protection Regulation allows EU authorities to impose fines of up to 4% of a company’s annual global turnover or €20 million, whichever is higher. The severity of this regulation is matched by the scale of the problem. When a company loses customers’ personal data in a cyber attack, that data is often sold online to criminals who obviously intend to use it for their own profit.
In one case examined by Deloitte, attackers took advantage of poor wireless network security at a retailer to both intercept credit card information and breach the company’s unencrypted customer database. In this case, the cyber criminals used a variety of attack techniques until they found one that worked, then waited inside the network until they were able to intercept the data they needed to get into the company’s database. The affected company suffered a major loss of reputation and also had to deal with sales losses, fines, and a settlement.
Frequency of Cyber Attacks Against Retail Companies
According to research conducted by F-Secure, over two thirds of retail companies (69.1%) have detected cyber attacks against their systems. This figure should be enough to convince any retail company to take the threat of cyber attack seriously, yet the breach rate among United States retail businesses went up by more than 100% between 2017 and 2018 according to a report by Thales. A report by Retail CIO Outlook found that almost one third of all retail businesses had experienced losses as a result of cyber attacks in just the past few years.
The Verizon 2019 DBI Report notes 234 incidents of breaches against retail companies in 2019, with 139 confirmed cases of data disclosure. Web application attacks and misuse of privileges were the two leading attack categories. 81% of the threat actors were external to the affected companies, and the motivation was financial in 97% of all cases. 64% of all compromised data was payment information.
Thinking About Cyber Security
Companies seeking to protect themselves from cyber attacks should implement at least the following strategies:
- Monitoring POS systems to check for breaches
- Educating employees about cyber security
- Testing company email systems for malware
- Encrypting any essential data
- Creating a back-up of essential data
- Monitoring for attacks and unusual network activity
- Creating a response plan in case a breach does occur
Retail companies need to be much more careful about who is given access to company systems. Access should be restricted based on the employee or contractor’s job function, and should always be monitored.
Cyber criminals are no longer just targeting data stored in a company’s system, but are capturing it as it is entered into an online payment form. Retailers should consider using file integrity monitoring software on their payment sites to help defend against this type of attack, while also keeping up with all patches.
F-Secure’s own research shows that over 90% of retail companies say their cyber security budgets will increase going forward. However, under 30% of retail companies are currently using Network Intrusion Detection or Advanced Threat Protection solutions.
Still, “preventing data breaches” and “detecting attacks that might have bypassed other security measures” are identified as the top priorities by the vast majority of retail companies.
This suggests that one of the most effective steps a retail company could take to protect itself from cyber attack would be to implement an EDR solution or service, such as F-Secure Rapid Detection & Response.