As retailers strive to innovate and keep their heads above water in an era of disruptive technologies, their cybersecurity practices can fall behind for a litany of reasons, such as racing to bring new technologies to market, improving the consumer experience, expanding the business, or challenges with budget allocation. Data breaches can be extremely costly, and keeping up to date on the latest security trends is important to stay ahead of emerging threats and protect your organization. This article presents some interesting statistics about retail breaches and incidents in 2017. The statistics in this article come from Verizon’s annual Data Breach Digest.
Web attacks are a popular avenue for adversaries. There is a wide variety of web technologies, each with its own security concerns, and as a result the majority of retail security incidents involved web applications. E-commerce applications typically process payment cards in one way or another, and 96% of attacks against retailers were financially motivated, so it is no surprise that card skimming was involved in 60% of the non-e-commerce cybersecurity incidents impacting retailers in 2017.
Surprisingly, there was a significant drop in POS attacks. While no concrete reason for the decline was given, it is likely attributable to improvements in POS security based on lessons learned in previous years, when POS attacks were responsible for some large breaches. Those lessons included segmenting networks and enforcing strict access controls to prevent pivoting and lateral movement across the network, implementing two-factor authentication to prevent the use of stolen credentials, and having POS systems encrypt all payment card data so that memory-scraping malware cannot read card data if a POS system is breached.
At this year’s 26th annual Defcon hacker conference in Las Vegas, security researchers presented technical details of how barcode scanners in retail stores can be used to compromise store networks. The attacks presented included modifying prices and inventory levels, and infecting POS systems, which could result in stolen payment card data. If you have deployed or are considering deploying self-checkout or in-store price-checking terminals, you may want to conduct security assessments of these devices, with a focus on the barcode scanners. The presentation slides and technical details can be viewed here.
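One defensive control that follows from the barcode scanner findings above is to treat everything a scanner emits as untrusted input and accept only well-formed product codes. The following is an added example, not code from the original article or from the Defcon presentation; it assumes a keyboard-wedge scanner whose output reaches the application as a string, and it validates that string as a GS1 EAN-13 or UPC-A code (digit-only, correct length, correct check digit) before the application acts on it. The `SAMPLE_SCANS` values are constructed for illustration.

```python
import re

# Constructed sample scan events: the raw strings an application might receive
# from a keyboard-wedge scanner before any processing. The last two are not
# real product codes; they illustrate non-numeric and fused/control-character input.
SAMPLE_SCANS = [
    "4006381333931",                    # valid EAN-13
    "036000291452",                     # valid UPC-A
    "4006381333932",                    # EAN-13 with a wrong check digit
    "'; UPDATE prices SET price=0;--",  # constructed: non-numeric payload
    "4006381333931\r\n4006381333931",   # constructed: two scans fused with CR/LF
]

# Only 12 (UPC-A) or 13 (EAN-13) ASCII digits are acceptable. re.fullmatch
# requires the whole string to match, so control characters are rejected.
_CODE_RE = re.compile(r"[0-9]{12,13}")


def _weighted_sum(digits, odd_weight, even_weight):
    """Sum the digits with GS1 weights; positions are 1-indexed per the spec."""
    return sum(
        int(d) * (odd_weight if pos % 2 == 1 else even_weight)
        for pos, d in enumerate(digits, start=1)
    )


def ean13_check_digit(body):
    """Check digit for a 13-digit EAN given its first 12 digits (weights 1,3,1,3,...)."""
    return (10 - _weighted_sum(body, 1, 3) % 10) % 10


def upca_check_digit(body):
    """Check digit for a 12-digit UPC-A given its first 11 digits (weights 3,1,3,1,...)."""
    return (10 - _weighted_sum(body, 3, 1) % 10) % 10


def validate_scan(raw):
    """Return (True, normalized_code) for a well-formed code, else (False, reason)."""
    if not isinstance(raw, str) or not _CODE_RE.fullmatch(raw):
        return (False, "rejected: input is not 12 or 13 digits")
    body, check = raw[:-1], int(raw[-1])
    expected = ean13_check_digit(body) if len(raw) == 13 else upca_check_digit(body)
    if check != expected:
        return (False, "rejected: check digit mismatch")
    return (True, raw)


def triage_scans(scans):
    """Split a batch of raw scans into accepted codes and rejected inputs with reasons."""
    accepted, rejected = [], []
    for raw in scans:
        ok, detail = validate_scan(raw)
        (accepted if ok else rejected).append((raw, detail))
    return accepted, rejected


if __name__ == "__main__":
    ok_scans, bad_scans = triage_scans(SAMPLE_SCANS)
    for raw, code in ok_scans:
        print("ACCEPT", code)
    for raw, reason in bad_scans:
        print("REJECT", repr(raw), reason)
```

The check digit is a GS1 integrity check, not a security mechanism on its own; the security value here is that the price-lookup or inventory path never sees anything except a validated product code, and every rejected scan is a candidate for logging and investigation on the terminal that produced it.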
Cybersecurity is a serious matter for retailers, as any retailer accepting payment cards needs to be PCI DSS compliant. Additionally, Canadian federal law protects customer data under PIPEDA, which details how organizations in Canada can collect, use, and disclose customer data. PCI DSS requires companies to conduct regular penetration tests. One troubling finding amongst retailers is that only 57% of vulnerabilities are patched within a 12-week time frame.
Verizon has recently released several in-depth breach case studies; we have handpicked two interesting cases involving retailers and payment card processing, here and here.