The Retail Market’s Biggest Threat
By: Jon Polly | Aug 30, 2022
Not long ago, we pulled out our wallet to pay cash or pulled out our checkbook to write a check to purchase an item. Money and checks were taken by hand and crunched into a large central cash register. The biggest threat to most retail establishments was shoplifting or organized crime extortion. Today most retailers, especially larger ones, accept a certain amount of loss. Even the recent smash and grabs that stores have been plagued with are less significant in damage to the threats posed to the retail industry by cyber-attacks.
Retailers offer secure transactions, right? According to Thales 2019 Data Threat Report, only 66% of global retailers’ respondents described their cybersecurity posture as “very secure.” While that is the majority, it’s not an overwhelming majority; leaving 44% of respondents to give a less than “very secure” answer or no answer at all.
According to Juniper Research, the average cyber-attack will cost a large retailer more than 150 million dollars in direct loss and indirect public mistrust of the brand. This number may put many smaller retailers out of business. Retailers have always dealt with theft and new tactics of thievery; and cyber-attacks may just be another in the long line of ways to steal. The numbers are there; according to a 2020 study by Trustwave, 24% of all cyber-attacks targeted retailers, more than any other industry. Unlike shoplifting or other methods of physical theft, according to Verizon’s 2020 Data Breach Investigations Report, financial motives drove 99% of all retail cyber-attacks in 2019.
A vast majority of physical theft loss is attributed to insider threats; employees who act alone, as part of a larger unorganized group, or are tricked by social engineering methods to steal either money or merchandise. For this, the security industry has methods to prevent theft; including access control, alarm systems, cameras with analytics built for retail use cases, and so on. The reality is, according to CyberSecurity Education Guides, with cyber-attacks, 83% of the attacks come from outside the organization.
Major retail theft is less about stealing material items and more about stealing data. Data can direct trucks carrying high-value items to be diverted. Data can unlock bank accounts. Data can steal a person’s identity. Sure, these are all things that most people know are risks that proper cyber hygiene can help reduce. The question then is what data is being sought after by thieves when they launch a cyber-attack against a retailer? According to Verizon’s 2020 Data Breach Investigations Report, 47% of data stolen is payment data, the 0’s and 1’s that make up bank accounts and credit cards. The other 49% is Personally Identifiable Information (PII); PII is a person’s digital identity, from facial recognition, to purchasing habits, pins and passcodes, and stored identification information.
How Did the Retail Industry Get Here?
We like to get things done quickly, right? When we wanted a faster user experience, brick and mortar retailers provided the best user experience possible; allowing payments to now be transferred using a card or Near Field Communication (NFC) from a cell phone to pay for merchandise. In addition, retailers with an online market created a better user experience (UX) by making the user interface (UI) easier to navigate and offering to hold payment credentials and PII securely in a cloud-hosted environment, which is easier to run artificial intelligence (AI) on to provide an increased UX by providing custom ads and coupons based on previous purchasing habits. This deliberately easy UX has become a double-edged sword that has allowed thieves to steal credentials, stored financial data, PII, or a mix. The latest numbers from the Federal Bureau of Investigation (FBI) Internet Crime Report 2021 state that global cybercrime in 2020 had potential losses of up to $6.9 billion dollars. At loose numbers, that would mean that Trustwave’s 24% of cyber-attacks cost retailers globally, and consumers by proxy, an estimated $1.6 billion in financial losses alone.
Traditional methods of hacking, through methods like Phishing, Social Engineering, and Business Email Compromise (BEC) are some of the easiest ways that attackers gain access to underlying systems where they can inject malware.
The introduction of Bluetooth skimming devices and network skimming devices on weak or insecure wireless networks opens easy doors to gain access as well. The new cash registers with touch screen Point-of-Sale (POS) capabilities can suffer attacks that can cripple businesses. Cloud-hosted systems with insecure third-party integrations and mobile apps increase the attack surface exponentially. What many victims of cyber-attacks have found is that once the attacker makes entry behind the firewall, there are no further obstacles between them and the POS devices and corporate databases, such as the case with Target in 2013.
Sometimes it’s not about taking the money as much as it’s about stopping the flow of money to that retailer.
Types of Bad Actors
Cyber-attacks do not just happen because of the hooded guy in the dimly lit basement, or the person disguising themselves with sunglasses, though Hollywood wants to glamorize that stereotype. Attacks happen every day, sometimes right in front of you.
The Lone Wolf
The Lone Wolf may commit a cyber-attack just to know that they can, gaining street credibility along the way. They may operate a million miles away or by walking around a store with a cell phone.
Organized Crime Rings
Organized Crime has moved past loansharking and illegal gambling to include, among many other schemes, cybercrime. Businesses may be targeted for the same old reasons of extorsion or simply to make a quick dollar, but on a grandiose scale. Organized crime rings have been linked to both smash and grabs and cybercrime of retailers, posing two different pathways with the same outcome and showing the different structures of an organized crime family.
Hacktivist Collectives are a collective of decentralized individuals who take part in a movement to carry out cyber-attacks in support of political or ideological causes. A well-known group is called Anonymous, but there are others. Hacktivists use the cyber-attack as their weapon to shut down companies and to be heard on a large scale, much louder than activists who handcuff themselves to an oil rig or a tree.
Retailers cannot prevent all cyber-attacks, though they can implement solutions to limit the frequency or damage when they are a victim. IT teams will work to implement strong IT protocols; National Institute of Standards and Technology (NIST) approved implementations such as micro-segmentation and zero-trust networks. On the physical side, network attached devices should also be secured at the device level so that the device does not become a vulnerability. While the security integrator rarely installs Bluetooth POS Systems and Wi-Fi networks, they do install cameras and access control that communicate over the same technologies. These technologies should be secured to ensure the retailer does not get attacked through those devices. A great resource to consider for helping customers and to protect the integrator is the Security Industry Association (SIA) Security Industry Cybersecurity Certification (SICC), providing the security industry a basic posture of cyber hygiene.