Keeping Retail Secure in the Digital Age

Posted on by Shimrit Tzur-David

2017 saw some of the most sensational and devastating cyber attacks in history. From the Equifax breach, widely regarded as the most damaging breach of all time, to the WannaCry epidemic that wreaked havoc on British National Health Service hospitals, hackers diversified their tactics and created new tools that ended up devastating whole industries. 

The question for the average user is: What lessons can be learned from hacking trends of the recent period? 

One of the most pertinent issues for the business world in maintaining IT security, for both customers and business owners alike, is bolstering the vulnerabilities of the retail sector. 

Cyber attacks on retail have been booming over the past year. The retail sector is one of the biggest venues for the flow of cyber cash and personally identifiable information (PII) making it a prime target for hackers. 

What are the factors contributing to this rise in hacks targeting retail? 

Common business transactions weren’t always as fraught with risk as they are now. Trends in developing technology utilized by the retail sector have been creating new vulnerabilities exploitable by cyber criminals. 

The retail sector contains two key weaknesses that are exploited by hackers. 

The secureness of Point of Sale (POS) systems are the first big issue. The targeting of POS has been on the rise for at least the past three years, with Verizon's 2015 Data Breach Investigations Report revealing that POS-related incidents accounted for 28.5 percent of all breaches that occurred in the year prior. One infamous example of POS hacking was the Target data breach of 2013. In December of that year, Target announced that more than 110 million customers had their data compromised due to a breach of the company’s point-of-sale (POS) network. Information leaked between the end of November and mid-December included cardholder names, card numbers, as well as three-digit security codes. 

Like other systems, POS is vulnerable to breach by typical hacking methods, such as phishing scams (believed to be the method used by the Target breach perpetrators). However, POS is particularly vulnerable since endpoint devices are exposed and left in the open. It has been demonstrated for instance that single board computers, small miniature computing devices, could be discreetly placed on POS tills in order to download malware to the system. This also highlights the high level of risk for insider threat attacks on POS.   

Another vulnerability of POS comes from a growing trend at the organizational level. Many firms have begun allowing third-party contractors access to their POS systems in an attempt to outsource some of the tasks and responsibilities associated with managing and cataloging retail activity. These third party firms are often the weak link that allows a breach to occur. Large companies often have the resources to prevent common cyber attacks. Smaller contractors employed by these companies are often weaker in this regard, and less competent. In response to this, more vigilance in monitoring the behavior of outside sources is needed, and perhaps integrating the goal of keeping as much logistical and support tasks in-house. 

The second major vulnerability affecting the retail industry, and in a way, a subcategory of the broader threat to POS, is the relatively new method of Near Field Communications (NFC) that has made headway in the past several years. NFC is the technology behind Apple Pay, Google Wallet, Samsung Pay and any other contactless payment apps. Essentially NFC allows the movement of data from a customer’s personal device to a store’s system by simply bringing the device into close proximity to a store endpoint. The introduction of this technology has shown to be a real potential danger to retail. 

First off, researchers have identified NFC as a vulnerable transfer point for malware. By opening NFC for customers and stores to share data, they open the possibility for sharing of malicious code. 

Eavesdropping is also a risk created by NFC. Since data in NFC is being transmitted between two devices “in the open”, an attacker in close proximity could in theory intercept these communications. This possibility was once assessed to be inconsequential. NFC is only effective in extremely short ranges. It was thought that a hacker would have to be a very small distance from the transmitting devices in order to work. Researchers however have shown that common items, such as a shopping cart could be used as antennas to increase the interception range of NFC transfers to over eleven feet.  

A risk to NFC payments is also the simple reality that smart phones and other devices get stolen. Any forms of illegitimate digital sales are easily preventable such as verifying the name of a credit card with a picture ID. Identifying a stolen cell phone isn’t as simple. A stolen device that is NFC enabled can easily be used to make fraudulent payments. 

There are some simple steps companies and users can take to bolster their NFC channels. Preventing hackers exploiting NFC can be accomplished by implementing secure channels and encryption features installed on endpoints. This ensures that even in a case where a hacker succeeds in picking up data from an NFC exchange, the information gleaned will be useless. To address the risk of a stolen phone being used to make a purchase, stores can set up their digital tills to require customers to present the devices password or other identifying information. Users choosing to enable NFC on their devices can install layers of identity verification to ensure that the loss of their device will not compromise their digital accounts. Innovations in multi factor authentication for mobile devices for instance have made a tremendous impact on the safety of users who utilize their them for financial transactions.  

As a closing thought, it is important to highlight what the user should take away from all of this: Data technology is becoming increasingly more a part of everyday normal activities, retail purchases being a prime example. This phenomenon has tremendous advantages in raising the quality and efficiency of our daily lives, but also exponentializes the exposure of our personal data to the world of cyber criminals. Keeping up with the reality of this trend means users will have to become more competent of best practices and measures, especially when it comes to integrating identity security for their PC’s and other devices. By keeping this in mind, users will be able to continue taking advantage of all that our current technological boom has to offer, while keeping their personal information and digital accounts safe and secure.

Shimrit Tzur-David

CTO and Co-Founder, Secret Double Octopus

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community