Cybersecurity looms as a serious topic for retailers. With October being “Cybersecurity Month” and the holiday shopping season starting soon, it’s a good time to look at cyber-threats facing offline retailers and ways to prevent them.
Cybersecurity looms as a serious topic for
retailers. With October being “Cybersecurity Month” and the holiday shopping season starting soon, it’s a good time to look at cyber-threats facing offline retailers and ways to prevent them.
Cybersecurity has emerged as a major challenge for retailers. Especially, they hold a wealth of customer information that’s coveted by malicious actors. Further, retailers’ increased digitization and migration of operations to the Internet has made hacking easier than ever.
A
breach may lead to serious consequences for retailers. Monetary loss aside, the retailer may also lose credibility and trust among their customers. This is not in the retailer’s best interest, considering competition in retail has become fiercer than ever.
That said, below we take a look at some of the cyber-threats facing retailers, and ways to prevent them.
Point-of-sale
One way retailers can be breached is through
point-of-sale or POS terminals. “When a customer swipes their card at a card reader, their card data is captured and transferred to the POS terminal. From there, that data is encrypted and decrypted several times as it moves from the POS terminal to the retail server, through the payment gateway, and finally to the bank for processing. Cybercriminals can utilize automated malware to find vulnerabilities in the process and access cardholder data during those instances when the data is exposed,” said Chad Leedy, VP for Managed Networks at Interface Systems.
Leedy also cited an example. “In 2019, Landry’s 60-plus restaurant chains were subjected to a data breach caused by human error. While their main POS terminals were upgraded in 2016 with encrypted technology, their bar and kitchen terminals were not, leading to card numbers, expirations dates and internal verification codes becoming compromised,” he said.
To secure POS, Interface suggests the retailer do the following:
• Encrypt all POS data end-to-end.
• Accept EMV chip cards and NFC (contactless payment) technologies.
• Whitelist applications to run on a POS system.
• Keep their POS software up to date.
• Address PCI-DSS compliance gaps proactively.
• Segment the POS network.
• Physically secure POS devices including mobile POS devices.
• Watch out for unusual transactions.
• Integrate security cameras with POS transactions.
In particular, Leedy mentions that NFC and EMV add an additional layer of security. “The utilization of NFC (near-field communication) technology and EMV (Europay, Mastercard and Visa) chips allows for further security of cardholder information thanks to data encryption on the microchip. The encryptions limit the vulnerabilities of cardholder data, keeping cybercriminals from being able to use data reading devices and technology to access that information,” he said.
Cloud
More and more, retailers rely on cloud for various operations. This also introduces certain risks, even though cloud is perceived as secure.
“Retailers are using the cloud to run their operations. Hence they end up using cloud instances either in private clouds or public cloud infrastructure to store data for all their departments – merchandising, inventory, marketing, loyalty, HR, asset protection and finance. Yes, this will include video from security cameras as well,” Leedy said. “Cloud infrastructure is designed to be secure. However, all cloud providers work on a shared responsibility model. Customers are responsible for certain security configurations and the application doesn’t automatically become secure just because it's on the cloud.”
To ensure security when using cloud, Interface suggested the user do the following:
• Adopt a zero-trust security model to help prevent unauthorized access to sensitive data.• Protect sensitive data in cloud environments using policy and encryption.
• Invest in security orchestration and automation of response (SOAR) and extended detection and response (XDR) to help improve detection and response times.
• Understand the scope of cloud service provider security responsibilities.
• Organize ongoing security awareness training for all employees.
Loyalty program
A retailer’s loyalty program can also invite malicious acts by cybercriminals.
“Loyalty program frauds come in several types. One such is account takeover (ATO), in which hackers use stolen credentials from consumers to access multiple accounts for stored financial information or to make fraudulent purchases. With many consumers having an estimated 150 online accounts to their name, and around 65 percent recycling passwords; you have the perfect recipe for ATO attacks,” Leedy said.
He added: “Another form of loyalty fraud is through T&C exploitation by customers. Tech-savvy customers gain and share knowledge about gray areas within user agreements to exceed expected rewards. Some of these are done by customers who discover a loophole in the rewards program or by employees who may have access to the backend system that they can then use to authorize transactions such as points transfer.”
To prevent such fraud, Interface said the retailer could do the following:
• Implement a robust data analytics system to flag suspicious transactions.
• Enforce password policies and encourage multifactor authentication.
• Limit the personal data needed to enroll in the rewards program.
• Regulate access to loyalty management systems and implement a zero-trust security framework.