Want PII with that? A look at the retail security landscape
In my last post on Access Granted, I looked at the financial services industry and took a deep dive into the different security threats that impact the companies that hold, invest and manage trillions of dollars. Today, I want to look closer at the industry that focuses on getting people to withdraw those dollars and kiss them goodbye – the retail industry.
According to Verizon’s 2015 Data Breach Investigations Report (DBIR), the combined retail, accommodations and food services industries suffered among the highest numbers of security incidents of any sector. In fact, those industries combined saw more total incidents than the financial services industry.
Considering the major retail breaches that have occurred in the past few years, that probably comes as no surprise to readers.
The Target breach compromised customer data around Christmas time of last year. The high profile breach of the TJX Companies impacted popular retailers under their umbrella, such as HomeGoods and Marshalls. The breach of Michael’s stores left the craftier of us exposed to data thieves.
It seems like a day doesn’t go by without another retailer falling victim. And it seems like a week doesn’t go by when consumers don’t get a letter saying that a breach occurred and – although there’s no guarantee that their information was compromised – they can get free credit monitoring.
We’ve established that these attacks on retailers occur with great frequency. Now, let’s look at who is conducting these attacks on retailers and what they’re after.
Payment data? You’ll find that in aisle 12…and every checkout line
Much like financial services institutions, retailers are prime targets for cyber attacks because the money is there. Money is constantly changing hands in the form of credit and debit card transactions, which means that sensitive card data is constantly present both at rest and in transit at many retailers.
It’s this sensitive card data that many bad actors are after, and they’re going to most likely use that card data – or sell it to a third party – for fraudulent activities. In fact, Verizon’s DBIR claims that 73 percent of attacks are perpetrated against retailers for payment information.
Who is stealing this card data? The DBIR makes it a point to identify that most of these attacks (92 percent) were perpetrated by outsiders and not staff. That may seem like a strange stat to focus on, but it makes sense for the retail and hospitality industries since there is so much employee turnover.
With employee retention a major issue in the industries – and both industries being historically low-paying – many would think that cyber crime could originate from the employee base. It would make sense that jilted, underpaid employees could perpetrate an attack as a way to get a measure of revenge on their employers and a few extra dollars in their pockets. This high turnover would also make it seem perfectly normal for a data thief to jump between hospitality and retail companies – enabling them to steal credit card data and then move on to another location before anything is discovered.
But that’s not the case. Instead, the bulk of these attacks are perpetrated by organized hacking groups – many of which are located within the U.S. and Eastern Europe.
Rated five stars on Yelp for “weak security systems”
We’ve looked at the frequency of cyber attacks on retailers, who perpetrates them and what they’re looking to steal. Now, let’s look at how these attacks are conducted.
According to the DBIR, hackers don’t really have to work that hard to break into many retailer systems. Most attacks go straight at the system the attacker wants to compromise, and many are relatively simple in nature – like password guessing. Here is how Verizon breaks down retail attacks by the method used:
- Password guessing – 66 percent
- Spyware/keylogging – 49 percent
- Export data – 41 percent
- Backdoor/malware – 30 percent
- Backdoor/C2 – 29 percent
You can see that the large majority result from companies not changing the manufacturer’s default passwords on their hardware, or simply not practicing basic password hygiene – using strong passwords and not reusing them.
This is particularly troubling for a few reasons.
First, the business impact of a breach on a retailer is significant. If you’re a major retailer with a handful of large competitors – such as Target – you have to be concerned that customers are going to lose confidence and faith in your ability to protect their information. If brand loyalty is shaken and customers flee in droves to your largest competitors, you’ve just forfeited significant market share. Then there’s the actual cost of offering customers credit monitoring services on your dime, which cuts into the bottom line and hurts profits.
It’s also troubling because it’s avoidable. And here’s how…
MFA – better than a large security guard at the front door
The DBIR shows that simple password guessing is the most common way that bad actors are getting access to retail systems. The solution should be pretty simple – start using harder passwords, change passwords that come from the hardware manufacturer and don’t reuse passwords.
However, hackers are often looking for the path of least resistance for an attack. Guessing passwords – a rather low-tech and simple way to compromise a system – was the easiest way to compromise a retailer’s system, but not the only way. As we discussed in recent articles, POS systems at retailers are vulnerable in multiple places and to multiple attacks. Simply embracing strong cyber hygiene with passwords may not be enough to protect a retailer and its customers.
This is why out-of-band, multifactor authentication across the entire enterprise is so essential. In addition to protecting against password guessing by requiring more than one authentication factor, these solutions can also provide protection against other, more advanced attacks that solid cyber hygiene can’t prevent – such as spyware and keylogging.
By implementing a multifactor authentication system across the enterprise – from the POS to the enterprise network – retailers can have far greater confidence that customer payment data, at rest and in transit, is protected from unauthorized access.
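The two points above (password guessing and keylogging), as an added example that is not from the post or any product it describes: a login check that requires a password plus a TOTP-style one-time code (RFC 6238), used here as a stand-in for the out-of-band factor the post recommends. The user name, password and shared secret are constructed (the secret is the RFC 6238 reference secret so the codes can be checked); a captured password alone is refused, and a one-time code that a keylogger captured is refused when it is replayed.

```python
import hashlib
import hmac
import struct
import time

# Constructed example account (not from the post): a POS admin user with a
# shared TOTP secret. The secret is the RFC 6238 reference value.
TOTP_SECRET = b"12345678901234567890"
USERS = {"pos-admin": {"password": "Correct-Horse-42", "secret": TOTP_SECRET}}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a `digits`-long decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current 30-second time step."""
    return hotp(secret, at // step, digits)


class Authenticator:
    """Password + TOTP check that never accepts the same time-step code twice."""

    def __init__(self, users):
        self.users = users
        self.used = set()  # (user, counter) pairs already consumed

    def login(self, user: str, password: str, code: str, now: int = None) -> str:
        now = int(time.time()) if now is None else now
        rec = self.users.get(user)
        # A guessed or keylogged password is not enough on its own.
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return "denied"
        counter = now // 30
        # Tolerate one step of clock skew either way, but consume each step once.
        for c in (counter - 1, counter, counter + 1):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                if (user, c) in self.used:
                    return "replay"  # a captured code being reused
                self.used.add((user, c))
                return "ok"
        return "denied"
```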
Retailers and hospitality companies are some of the most targeted organizations for cyber thieves and bad actors. With a constant stream of transactions and the perpetual presence of payment data, they’re a hacker’s dream. It’s essential for these retailers to take steps to protect their customers and customer payment data, lest they lose business, brand loyalty, market share and money.
For additional insight into how some recent cyber breaches have been perpetrated and how they’ve affected retailers such as Starbucks, register for our upcoming Webinar, “Anatomy of a Breach.”