Advances in technology are changing retail in unprecedented ways, further blending the physical and digital worlds and forever evolving customer experience. As the industry changes, so do the methods cybercriminals use to steal sensitive data from companies and consumers, writes Ali Neil, Director of International Security Solutions at Verizon.
Prior to 2018, cybersecurity data suggested that the most common type of incident in the retail industry was point of sale (POS) intrusion. This included the remote compromise of POS environments, as well as the corresponding malware and payment card exfiltration. Recent data, however, shows that attackers are now targeting retailers through new and improved methods, leaving retailers scrambling to pick up the pieces after a breach has occurred.
Attack patterns
According to this year’s Verizon Data Breach Investigations Report (DBIR), web application attacks have overtaken POS intrusion as the most common cyberattack. Since 2014, POS breaches have decreased by a factor of ten, while web application breaches are 13 times more likely occur and hit unsuspecting retailers. So how do cyber threat actors pull off these web attacks?
First, they compromise a website’s payment application, and then install code into the application that will capture customers’ payment card information as they complete their purchases. These are the everyday attacks that don’t necessarily make headlines but have the same consequences. Today’s cybercriminals look for vulnerable e-commerce applications to provide an avenue for efficient and automated attacks. In fact, there are criminal groups that specialise in these types of low-hanging fruit attacks.
What to do?
To keep data safe, retailers must take appropriate measures to help combat cyberattacks. While there is no end-all solution, here are a few steps companies can take to mitigate risk. Know the importance of integrity software: Cybercriminals who target web applications aren’t targeting data at rest. Rather, they inject code to capture customer data as it’s entered into web forms. To combat this method, consider adding file integrity software to your malware defences on payments sites, in addition to patching OS, and payment application code.
Embrace what’s new: continue to embrace new technologies that make it harder for criminals to use POS terminals as low-hanging fruit. Some considerations are EMV and mobile wallets, or any other method that uses a one-time transaction code, as opposed to PAN. Remember, it’s not just the payment cards: While criminals are often after payment card information, it’s not the only data variety that they consider useful. Rewards programs that can be leveraged for ‘points’ are potential targets, as is your customers’ personal information.
For many retail organisations, especially smaller ones, implementing widespread security measures is neither affordable nor feasible. But each security step, no matter how small, can have highly beneficial impacts when it comes to detecting and deterring cybercriminals. It’s also important is to educate your staff on identifying potential threats. Ensuring that someone in your organization can detect a threat is a simple but valuable start.
In the cybersecurity world, retailers live in the unenviable position of having to consider their own data security as well as that of their many customers. In an increasingly digital age, it’s important to install as many security measures as your company can, but equally important is your awareness of what cybercriminals are after and how they’re doing it. Having an open mind to the newest technologies is an invaluable way to always be one step ahead of would-be attackers.
