Retailers continue to be concerned about fraud and theft committed by internal employees and third-party providers who know how to bypass processes and controls. Next to business interruption and fraud, the biggest cyber risk retailers face is data loss, which causes reputational and financial damage, including recovery and outage costs, fines and penalties from payment card companies and government regulators, as well as increased card processing fees.
The biggest recent attacks on retailers, including Target and eBay, reveal six key threats:
• Customized malware on Point of Sale and consumer systems. Cyber criminals move undetected throughout a victim’s environment and install malware in order to gather personal and cardholder data. The complexity of this threat will increase with the growth of mobile payments and digital wallets.
• Vulnerable legacy and unpatched systems. The vast majority of incidents involve exploitation of vulnerabilities that have been known for several months or years. With increasing interconnectivity and the opening of the ecosystem, it is likely that legacy and unpatched systems will be more and more exposed to threat agents.
• Misconfigured systems. Many incidents involve the exploitation of configuration weaknesses that appropriate quality assurance controls should have caught before the systems went into production.
• Poor Identity and Access Management (IAM). According to best practices, multi-factor authentication for Internet-facing systems is mandatory, yet the majority of incidents in retail exploit weak credentials and insufficient permission controls, especially for third-party providers.
• Denial of Service (DoS) attacks. Threat agents are getting more sophisticated, learning to distract retailers’ cyber defense with DDoS attacks while stealing personal and cardholder data. Hacktivists, on the other hand, just want to bring down normal business operations and harm an organization’s reputation.
• Poor incident detection and remediation capabilities. Organizations require several months to discover a breach; furthermore, most breaches are discovered far too late, and by external parties such as law enforcement, banks, card providers and payment aggregators, which gives cyber criminals all the time they need to succeed.
To understand how new retail trends increase cyber risk, let’s look at two examples:
The fitting room: From static to intelligent
The fitting room of the future offers virtual assistants, sensors that measure the body, or a virtual mirror that “tries on” alternative styles. Friends could be invited to join the selection process remotely (think Nike run cheers on Facebook). Styles and offers inside the fitting room will match a customer’s existing profile with the known shopping and other behaviors of similar customers. The intelligent fitting room could even be an outpost of an online retailer, much like a photo booth at a subway station. No personnel. No storage. Not even physical products. Fulfillment will be handled in a central hub.
The chart above shows a high-level overview of the intelligent fitting room features, data sources and data flow. The retailer’s master database has a connection to suppliers, production, marketing/CRM and storage databases. It might include data retrieved from third parties via web API (e.g. trend databases, fashion blogs, etc.).
Figure two provides a more detailed view of the data flow and IT environment. The connection from the fitting room to the retailer’s database is established via Wi-Fi or cable to the store IT (which is also tied into cash registers and ERP). The fitting room is equipped with multiple sensors to enhance the customer experience. Clothes can be scanned by a fitting room device via NFC or a code scanner/camera. Alternatively, an app on the consumer’s smartphone or watch can take over this task and pass it on to the fitting room via Wi-Fi or Bluetooth. To receive special offers, the customer has to be identified either by the app on the mobile phone, by the fitting room device, or both. All data from and to the fitting room device is routed via the store IT to the retailer’s databases.
The personalized shopping experience
In this scenario the customer is identified as he enters a retailer’s shop.
Consumers will be identified by sensors such as cameras, NFC-tagged customer cards, NFC-enabled wearables, Bluetooth, a mobile phone app, or self-registration terminals. The shopping basket or cart is technically enabled as well, with an infotainment or automatic item check-out system. Price tags in the store can be adjusted through the store’s IT system, potentially in real time, to provide special pricing to an individual based on current promotions or past shopping behavior. Customer service personnel receive customer-specific information on their terminals during buying or service conversations to increase cross-sell or upsell potential. Customer data is transmitted from the databases to the store and the store IT.
Considering the two scenarios, the following table provides an overview of the potential threats, threat agents, countermeasures, threat impact, severity, likelihood and risk. Red means high while green means low.
Take digital price tags, for example. If prices can change according to the customer, they need to be verified at the time of check-out. Attackers would want to set the price very low, resulting in a loss of revenue. The attacker could modify the application on their mobile device, fake or spoof customer promotion information, or manipulate the data sent from the in-store IT to the price tags. That is why retailers have to examine the price tags, how they receive their price information and what mechanism is used to change the price. To harden them against attacks, the following countermeasures should be considered:
- Price information and the price tag system are encrypted
- Independent multifactor verification of price changes
- Additional price verification at the terminal
- No data storage inside the price tag
- Random checks of price tags against internal reference database
- Monitoring of customer check-out for price anomalies (e.g. a large number of items resulting in a low total price)
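One way to implement three of these countermeasures in code: authenticated price pushes from store IT to the tag, recomputation of the price at the terminal against the reference database rather than trusting the tag, and check-out monitoring for low-total anomalies. This is an added Python example, not code from the article; the reference prices, promotion table, discount cap and shared key are constructed sample data.

```python
import hmac
import hashlib

# Constructed sample data (assumed back-office reference database; not from the article).
# Prices are in cents so comparisons are exact integer arithmetic.
REFERENCE_PRICES = {"SKU-1001": 5990, "SKU-1002": 2450, "SKU-1003": 12000}
ACTIVE_PROMOS = {"SPRING15": 15}   # promo id -> percent discount it may grant
MAX_DISCOUNT_PCT = 30              # assumption: no promotion ever exceeds 30% off
TAG_KEY = b"demo-shared-key"       # assumption: key shared by store IT and the tags

def sign_price_update(sku, price_cents, key=TAG_KEY):
    """Store IT side: authenticate a price push so a tag can reject spoofed ones."""
    msg = f"{sku}:{price_cents}".encode()
    return msg, hmac.new(key, msg, hashlib.sha256).hexdigest()

def tag_accepts_update(msg, mac, key=TAG_KEY):
    """Price tag side: constant-time MAC check before displaying a new price."""
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)

def terminal_price(sku, tag_price_cents, promo_id=None):
    """Check-out side: recompute the price from the reference database and the
    promotion actually granted instead of trusting the value shown on the tag.
    Returns (price_to_charge, status)."""
    ref = REFERENCE_PRICES.get(sku)
    if ref is None:
        return None, "unknown_sku"
    pct = min(ACTIVE_PROMOS.get(promo_id, 0), MAX_DISCOUNT_PCT)
    allowed = ref * (100 - pct) // 100
    status = "ok" if tag_price_cents == allowed else "tag_mismatch"
    return allowed, status

def checkout_anomaly(receipt, min_items=5, max_ratio=0.5):
    """Monitoring side: flag a basket with many items whose charged total is far
    below its reference value, e.g. tags manipulated to show near-zero prices.
    receipt is a list of (sku, charged_cents) pairs."""
    charged = sum(cents for _, cents in receipt)
    ref_total = sum(REFERENCE_PRICES.get(sku, 0) for sku, _ in receipt)
    return len(receipt) >= min_items and charged < max_ratio * ref_total
```

A mismatch between the tag price and the recomputed price is the signal that the tag, the promotion data or the store-IT-to-tag link was tampered with, and belongs in the same monitoring feed as the basket anomaly flag.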
Note that both scenarios heavily rely on the consumer’s mobile device or wearable to change the shopping experience. This puts responsibility on retailers to work together with the producers of the end-user devices to ensure security standards and a secure end-user product lifecycle.
At the same time, companies like Apple, Samsung, Huawei, HTC or Microsoft carry a greater responsibility to ensure that their devices do not become a key root cause of security incidents that put both retailers and consumers at risk. Manufacturers need to establish proper patch management, device disabling and other security measures on smart devices.
Collaboration is important elsewhere.
Nearly a third of all breaches in the retail sector begin with a compromise of a third-party vendor. Organizations can take steps in securing their own networks, but ignoring risks posed by third-party partners will leave them exposed and vulnerable to breaches.
Furthermore, within the industry and beyond (banking comes to mind), information sharing is a key aspect of cyber defense and of managing cyber risk. Several large U.S. retailers now participate in the Retail Cyber Intelligence Sharing Center (R-CISC) to share cybersecurity intelligence with each other and with security analysts and agencies. Among the companies participating in and supportive of the R-CISC are American Eagle Outfitters, Gap Inc., J. C. Penney Company Inc., Lowe’s Companies, Inc., Nike, Inc., Safeway, Inc., Target Corporation, VF Corporation and Walgreen Company.
It’s clear that digital trends create huge opportunities for innovation and improvements in the retail experience. But to be successful, retailers need to carefully weigh and understand the cybersecurity concerns.