Retail Data Security: Preparing for the Top Threat for Holiday Breaches

holiday shopping retail risk

Here’s the question of the season: What is the true cause of the retail breaches we read about year after year? While malware or ransomware may get most of the scary security press, they aren’t in fact the main culprit. The primary cause of most retail breaches is, by far, stolen credentials. These are the usernames and passwords of employees, contractors or partners of a retail firm. Victim firms such as Target Corp., Home Depot, eBay and others have fallen prey to similar attacks in recent years: a trusted insider’s credentials were stolen and hackers used those to access the network. In some cases, the credentialed access led to the installation of malware on card reader systems, while in others, hackers took different paths.

The point is clear, however: the access credentials of trusted insiders are in fact the biggest risk factor for a breach in the retail sector. Verizon’s annual data breach survey, released earlier this year, confirms this, with credential attacks identified as the top source of data breaches as 63% occurred via weak or stolen credentials.

This isn’t a particularly new insight. The Target and Home Depot breaches, both via stolen vendor credentials, happened more than two years ago. And yet, as the Verizon report indicates, large firms are still quite vulnerable to credential attacks. Why is a credential-based attack so hard to detect? The point of the attack is to impersonate a valid user (an employee, contractor or some other insider) going about his or her daily job. When a financial analyst logs into a financial system using her regular ID and password, for example, we do not expect an alarm to sound.

The retail environment has some unique factors that make detection more difficult. For example, retailers employ large numbers of seasonal workers, so knowing whether a particular person should be allowed near a secure server in the back room of a store may be difficult. The general buzz and chaos in retail stores may weaken security checks, and sheer volume of transactions, returns, special orders, and the like can distract employees and open up security gaps.

There are, however, concrete steps that can be taken.

The first is simple: most if not all retailers have two networks, one corporate and one retail (in-store). Human resources, research and development, accounting, and other corporate functions operate on the corporate network. Point of sale systems, cashiers, and store managers operate on the retail network. In theory, these networks are completely walled off from each other, using two-factor authentication and other security systems. A temporary sales clerk should not be able to access the payroll system at corporate headquarters and download employee social security numbers, just as an HR specialist at headquarters should not be able to access the credit card database within a store point-of-sale (POS) server. This is especially sensitive since many retailers haven’t yet rolled out chip-and-pin readers. If a card number is stolen from a POS system, it’s usable in many places.

A basic check would be to ensure that the two-factor authentication system between the corporate and retail networks is working correctly, is updated with patches, and is applied as broadly as possible. However, this is not always the case, and there have been instances where hackers have been able to steal a corporate user’s credentials (using a keylogger or other type of malware) and then bypass the authentication system to connect to hundreds of in-store POS systems. Perhaps the system configuration has “drifted” over time and needs re-certification. This is an easy check on network security risk.

Another step relates to context—in other words, understanding what is normal. As mentioned above, a retailer during the holiday season manages chaos on a daily basis. It is too easy for attacks to slip by without notice during the noise and commotion. Recall the advice given to New Yorkers after 9/11: “If you see something, say something.” While relying on employees to notice unusual behavior is fine, a better approach is to augment humans with smart technology that understands normal behavior and can raise an alarm when behavior is suddenly not normal.

For example, a specialist in IT is accessing hundreds of POS systems in multiple stores via the corporate network. Is that okay? It is hard to say. Perhaps he is doing it as part of a backup process or maybe he is helping restore systems after a failure. Without knowing what is normal for this person, as well as for his peers, it is very difficult to judge the riskiness of his actions. Behavioral analytics systems are built for this problem. They analyze past behavior and build baselines, just as VISA and MasterCard do for every credit card owner. When an employee suddenly starts logging into store POS systems but has never done so before, behavioral baselines can provide the context needed to alert that this user might in fact be a hacker.

Retailers are getting better about security every year, improving risk management processes and rolling out new security technologies. Credential attacks remain the top threat for retail breaches, however, and retail firms must both verify their processes and also look to new solutions, such as behavioral analytics, to close the risk gap.

No More Kindles for Walmart

In the March issue of Risk Management, I wrote an article that discussed, among other things, how brick-and-mortar retailers were struggling with the phenomenon of “showrooming,” where shoppers browse store shelves to examine items that they ultimately buy online from competitors like Amazon for a lower price. One strategy that Target was using to keep customers in their stores was to offer more exclusive items, such as clothing lines from famous fashion designers like Kirna Zabete, Jason Wu or Missoni. Then in May, Target upped the ante by announcing that it would no longer sell Amazon’s Kindle e-readers and tablets. Although the retailer didn’t offer much in the way of explanation, it was obvious that Target now considered Amazon to be a real competitor capable of disrupting the market and was going to treat it as such.

Yesterday the world’s largest retailer followed suit as Walmart announced that it was dropping Kindles as well. Although the Kindle has been around since 2007, it seems that the debut of the Kindle Fire tablets were the last straw. Unlike their predecessors, which were purely e-readers, the Fires are portable web browsers and media players that enable customers to more easily purchase many more items online, especially from Amazon.

“The Kindle Fire is the Trojan horse,” said Andrew Rhomberg, the chief executive of Jellybooks, an e-book recommendation site. “It’s a shopping platform that covers so many more categories than e-books. It affects Walmart in a different way than the early Kindles and e-readers did.”

Basically by stocking Kindles, Walmart and Target were providing their customers with the keys to the online retail world, which could, in effect, wind up cannibalizing their own sales figures and brand strength. It’s probably wise not to be the instrument of your own destruction.

Of course, whether or not this move will have any effect remains to be seen. After all, Walmart still sells iPads.