
Retail Data Security: Preparing for the Top Threat for Holiday Breaches


Here’s the question of the season: What is the true cause of the retail breaches we read about year after year? While malware or ransomware may get most of the scary security press, they aren’t in fact the main culprit. The primary cause of most retail breaches is, by far, stolen credentials. These are the usernames and passwords of employees, contractors or partners of a retail firm. Victim firms such as Target Corp., Home Depot, eBay and others have fallen prey to similar attacks in recent years: a trusted insider’s credentials were stolen and hackers used those to access the network. In some cases, the credentialed access led to the installation of malware on card reader systems, while in others, hackers took different paths.

The point is clear, however: the access credentials of trusted insiders are in fact the biggest risk factor for a breach in the retail sector. Verizon’s annual data breach survey, released earlier this year, confirms this: credential attacks were identified as the top source of data breaches, with 63% of breaches occurring via weak or stolen credentials.

This isn’t a particularly new insight. The Target and Home Depot breaches, both via stolen vendor credentials, happened more than two years ago. And yet, as the Verizon report indicates, large firms are still quite vulnerable to credential attacks. Why is a credential-based attack so hard to detect? The point of the attack is to impersonate a valid user (an employee, contractor or some other insider) going about his or her daily job. When a financial analyst logs into a financial system using her regular ID and password, for example, we do not expect an alarm to sound.

The retail environment has some unique factors that make detection more difficult. For example, retailers employ large numbers of seasonal workers, so knowing whether a particular person should be allowed near a secure server in the back room of a store may be difficult. The general buzz and chaos in retail stores may weaken security checks, and sheer volume of transactions, returns, special orders, and the like can distract employees and open up security gaps.

There are, however, concrete steps that can be taken.

The first is simple: most if not all retailers have two networks, one corporate and one retail (in-store). Human resources, research and development, accounting, and other corporate functions operate on the corporate network. Point of sale systems, cashiers, and store managers operate on the retail network. In theory, these networks are completely walled off from each other, using two-factor authentication and other security systems. A temporary sales clerk should not be able to access the payroll system at corporate headquarters and download employee social security numbers, just as an HR specialist at headquarters should not be able to access the credit card database within a store point-of-sale (POS) server. This is especially sensitive since many retailers haven’t yet rolled out chip-and-pin readers. If a card number is stolen from a POS system, it’s usable in many places.

A basic check would be to ensure that the two-factor authentication system between the corporate and retail networks is working correctly, is updated with patches, and is applied as broadly as possible. However, this is not always the case, and there have been instances where hackers have been able to steal a corporate user’s credentials (using a keylogger or other type of malware) and then bypass the authentication system to connect to hundreds of in-store POS systems. Perhaps the system configuration has “drifted” over time and needs re-certification. This is an easy check on network security risk.

Another step relates to context—in other words, understanding what is normal. As mentioned above, a retailer during the holiday season manages chaos on a daily basis. It is too easy for attacks to slip by without notice during the noise and commotion. Recall the advice given to New Yorkers after 9/11: “If you see something, say something.” While relying on employees to notice unusual behavior is fine, a better approach is to augment humans with smart technology that understands normal behavior and can raise an alarm when behavior is suddenly not normal.

For example, a specialist in IT is accessing hundreds of POS systems in multiple stores via the corporate network. Is that okay? It is hard to say. Perhaps he is doing it as part of a backup process or maybe he is helping restore systems after a failure. Without knowing what is normal for this person, as well as for his peers, it is very difficult to judge the riskiness of his actions. Behavioral analytics systems are built for this problem. They analyze past behavior and build baselines, just as VISA and MasterCard do for every credit card owner. When an employee suddenly starts logging into store POS systems but has never done so before, behavioral baselines can provide the context needed to alert that this user might in fact be a hacker.
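As an added example (not code from the original article), here is a small Python sketch of the baseline check described above: it learns from a constructed access log which hosts each user, and each peer group (role), normally touches, then flags a session that fans out to POS hosts the user has never accessed and that peers in the same role rarely do. The host-naming convention, the roles and the 50% peer threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample access log: (user, role, host). Hosts named "pos-*" are
# assumed to be in-store POS servers; everything else is on the corporate network.
BASELINE = [
    ("alice", "finance", "fin-erp-01"), ("alice", "finance", "fin-erp-01"),
    ("bob", "it-ops", "pos-store12-01"), ("bob", "it-ops", "pos-store12-02"),
    ("bob", "it-ops", "pos-store40-01"), ("carol", "it-ops", "pos-store07-01"),
    ("dave", "finance", "fin-erp-02"),
]

def is_pos(host):
    return host.startswith("pos-")

def build_baselines(events):
    """Per-user set of hosts seen, and per-role share of peers who touch POS."""
    user_hosts = defaultdict(set)
    role_users = defaultdict(set)
    for user, role, host in events:
        user_hosts[user].add(host)
        role_users[role].add(user)
    role_pos_share = {
        role: sum(any(is_pos(h) for h in user_hosts[u]) for u in users) / len(users)
        for role, users in role_users.items()
    }
    return user_hosts, role_pos_share

def score_session(user, role, hosts, user_hosts, role_pos_share, peer_threshold=0.5):
    """Return the reasons a session deviates from the user's and peers' baselines."""
    reasons = []
    known = user_hosts.get(user, set())
    new_pos = [h for h in hosts if is_pos(h) and h not in known]
    if new_pos and not any(is_pos(h) for h in known):
        reasons.append(f"first ever POS access ({len(new_pos)} hosts)")
    share = role_pos_share.get(role, 0.0)
    if new_pos and share < peer_threshold:
        reasons.append(f"peers in role '{role}' rarely access POS ({share:.0%})")
    if len(new_pos) >= 5:  # fan-out across many stores is the pattern to surface
        reasons.append(f"fan-out to {len(new_pos)} previously unseen POS hosts")
    return reasons

if __name__ == "__main__":
    user_hosts, role_pos_share = build_baselines(BASELINE)
    session = [f"pos-store0{s}-0{n}" for s in (1, 2, 3) for n in (1, 2)]
    for reason in score_session("alice", "finance", session, user_hosts, role_pos_share):
        print("ALERT alice:", reason)
```

An empty reason list means the session matches the baseline (e.g. an IT-ops engineer who routinely touches POS hosts), so the alert fires on the change in behaviour rather than on POS access as such.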

Retailers are getting better about security every year, improving risk management processes and rolling out new security technologies. Credential attacks remain the top threat for retail breaches, however, and retail firms must both verify their processes and also look to new solutions, such as behavioral analytics, to close the risk gap.

How Retailers Can Better Mitigate Black Friday Risks


With the biggest shopping events of the season, retailers face tremendous amounts of both risk and reward as sales and door-busters draw in eager consumers all week. In 2013, Thanksgiving deals brought in 92.1 million shoppers to spend over $50 billion in a single weekend, the National Retail Federation reports.

The National Retail Federation issued crowd management guidelines for retailers and mall management officials to use when planning special events, including Black Friday, product launches, celebrity appearances and promotional sales. General considerations to plan for and curtail any crowd control issues include:

  • Remind and retrain all employees about your store’s emergency protocols to address potential risks facing employees and customers.
  • Dedicate knowledgeable employees to communicate and manage crowds, from arrival to departure, and resolve any potential conflicts that may arise.
  • Strategically place sale items throughout the store to help disperse crowds and manage traffic flow.
  • Request the assistance of local law enforcement if large crowds are expected and arrange for additional security services.
  • Educate employees about relevant policies and procedures and advise them who to contact in the event of a situation.

Last week, the U.S. Department of Labor’s Occupational Safety and Health Administration also issued a public letter to retailers urging companies to plan ahead for better in-store safety for both employees and customers. According to OSHA’s “Crowd Management Safety Guidelines for Retailers,” crowd management plans should, at least, include:

  • On-site trained security personnel or police officers
  • Barricades or rope lines for pedestrians that do not start right in front of the store’s entrance
  • The implementation of crowd control measures well in advance of customers arriving at the store
  • Emergency procedures in place to address potential dangers
  • Methods for explaining approach and entrance procedures to the arriving public
  • Not allowing additional customers to enter the store when it reaches its maximum occupancy level
  • Not blocking or locking exit doors

Brick-and-mortar retailers are not the only ones at greater risk. Companies that operate call centers must also be prepared for a drastic increase in customer inquiries and purchases. According to communications intelligence firm Cognia, 69% of U.S. contact centers carry out credit card payments over the phone and 84% record calls, making their archives particularly vulnerable to potential breaches.

“The first thing to highlight with respect to call center compliance at peak times is that this pressure is unlikely to create new issues, but will amplify existing ones. Attackers / threat actors (the bad guys) will also be aware that this is the time at which procedures are most likely to slip, and social engineering vulnerabilities that have previously been identified can be exploited,” said Tom Evans, Cognia’s chief security officer.

“There are challenges but, from a risk perspective, there is also an opportunity to fine-tune the risk management system under pressure. At these peak times, issues will be visible that would go undetected during business as usual operation,” Evans noted. “There is an opportunity to be proactive and to use the pressure around these peak sales times to identify bad practice that, during less pressured periods, is probably limited to one or two individuals or occasional occurrences, and therefore very hard to spot. Even the most dependable employee under the pressure on big queues may resort to a shortcut to get the job done. Identifying these means that controls can be put in place to prevent them being used again, and therefore the overall risk management position improved.”

To improve security and PCI compliance, Evans recommends that companies focus on areas that have lower security controls overall. For example, seasonal employees, over-spill call centers, and work-at-home agents may all be components of a contingency plan for peak periods, and each introduces vulnerabilities that can be mitigated.