Retail Risk in 2016

Retail companies did well in 2015. As noted by CNBC, digital sales on Black Friday rose 20 percent from 2014, and in-store purchasing remained strong throughout the holiday season. But the new year brings new challenges. Here’s a retail risk reality check of the top five threats expected in 2016.

Attacks of Scale

According to eWEEK, attacks in 2016 will be driven in part by economies of scale. Think of it like this: As retailers add more ways to connect with consumers, partners and suppliers, each new integration widens their attack surface. Technologies such as cloud computing and sensor-enabled wireless devices let the retail industry do more, but they also give attackers more routes in.

As a result, expect attackers to lean heavily on large-scale, quick-strike exploit kits such as Angler and RIG in the new year. With so many targets and so many gaps in IT security, entry-level attackers prefer to buy or rent their malware rather than write their own. The good news? More attacks generate more telemetry for security professionals, so economies of scale work both ways.

Shots Fired

ITProPortal, meanwhile, tackled the opposite risk: "sniper" malware written to target a specific organization. Both smaller companies and enterprise-level retail organizations are at risk in this scenario. The eventual targets are typically the troves of credit card data and personal information held by nationwide retailers or government agencies, but going after the big fish first often amounts to cybercriminal suicide: a well-defended enterprise is more likely to detect and burn the malware before it pays off.

In 2016, expect malware authors to test their code against smaller businesses first, as a proof of concept, and then move up to enterprises with more mature security postures. These won’t be smash-and-grab jobs or large-scale distributed denial-of-service (DDoS) attacks, but carefully tailored code designed to infiltrate a network, compromise systems and exfiltrate data without being detected.

Mobile Maladies

In recent years, companies have seen a surge in mobile malware incidents. Infosecurity Magazine reported that more than 40 percent of respondents in a Check Point survey had suffered mobile attacks that cost at least $250,000 to mitigate and remediate, and 82 percent expected more mobile threats in the future.

Expect retail to lead the charge here as consumers look for device-native apps that let them quickly make purchases or chat with customer care agents. Attackers now have a vested interest both in breaking specific apps and in compromising mobile operating systems. Retail applications offer high value at low risk for malicious actors, making them one of the most tempting targets this year.

POS Problems

Despite security advances, point-of-sale (POS) systems remain a real point of vulnerability for many retailers. Why? Because the firmware and software shipped with these devices don’t always meet current IT security standards. If attackers can intercept card data at the POS, there’s no need to go after corporate systems and run the risk of widespread detection.

Consider the recent discovery of flawed POS terminals in Germany. As reported by Payment Week, security researcher Karsten Nohl found two flaws in widely deployed POS systems that are not implementation mistakes but part of the terminals’ factory programming. These holes could allow cybercriminals either to steal a cardholder’s PIN or to force the transfer of funds to fraudulent accounts.

How can retailers keep up? Keep POS firmware and software patched, and watch for advisories affecting the specific terminal models in use, since, as the German case shows, a flaw can be part of the design rather than a bug the next update will fix.

Chip-and-PIN Protection

Chip-and-PIN rollouts are finally happening on a large scale in the U.S. (in practice mostly chip-and-signature, since most U.S. issuers have not required a PIN), and while there’s no doubt the combination of a chip that produces a one-time cryptogram for every transaction and, where used, a cardholder PIN has lowered in-store fraud, there’s a ripple effect. In Britain, where chip-and-PIN cards have been commonplace for more than a decade, another type of fraud has surged: card-not-present (CNP).

It makes sense: Largely blocked from counterfeiting cards for use at chip-and-PIN terminals, attackers have moved to online and phone transactions, where neither the chip nor the PIN offers any protection and the static card number, expiry date and security code are all that’s needed. As the U.S. completes its shift to chip cards this year, expect a significant increase in this retail risk, which will require stronger online countermeasures, such as two-factor authentication, linking accounts to known devices or social profiles, or other means of confirming identity, to combat the problem and maintain consumer confidence.
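To make the difference concrete, here is an added example (not code from the article or from any card scheme) of why a per-transaction cryptogram resists replay while static card-not-present data does not. It is a deliberately simplified model: HMAC-SHA256 over the transaction fields stands in for EMV's key derivation and MAC, the sample card key, card number and issuer record are constructed for the demo, and the issuer check is reduced to "valid MAC and strictly increasing transaction counter".

```python
"""Toy model of chip (dynamic cryptogram) vs. card-not-present (static data)
authorization. Simplified stand-in for EMV, not the EMV specification."""
import hashlib
import hmac
import secrets

# Constructed sample key shared between a chip card and its issuer (assumption).
CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def _mac_input(amount_cents: int, currency: str, nonce: bytes, atc: int) -> bytes:
    """Transaction fields covered by the cryptogram, joined in a fixed order."""
    return b"|".join([str(amount_cents).encode(), currency.encode(),
                      nonce, str(atc).encode()])


class ChipCard:
    """Card side: holds the key and an application transaction counter (ATC)."""

    def __init__(self, key: bytes):
        self._key = key
        self.atc = 0

    def generate_cryptogram(self, amount_cents: int, currency: str,
                            terminal_nonce: bytes) -> dict:
        self.atc += 1                       # every cryptogram is unique to one ATC value
        data = _mac_input(amount_cents, currency, terminal_nonce, self.atc)
        mac = hmac.new(self._key, data, hashlib.sha256).digest()[:8]
        return {"amount": amount_cents, "currency": currency,
                "nonce": terminal_nonce, "atc": self.atc, "mac": mac}


class Issuer:
    """Issuer side: verifies the MAC and enforces a strictly increasing ATC."""

    def __init__(self, key: bytes):
        self._key = key
        self.last_atc = 0

    def authorize(self, msg: dict) -> bool:
        data = _mac_input(msg["amount"], msg["currency"], msg["nonce"], msg["atc"])
        expected = hmac.new(self._key, data, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, msg["mac"]):
            return False                    # forged or altered transaction
        if msg["atc"] <= self.last_atc:
            return False                    # replayed (or reordered) cryptogram
        self.last_atc = msg["atc"]
        return True


def chip_replay_demo() -> tuple:
    """Returns (first_auth, replay_auth, altered_auth) for one chip transaction."""
    card, issuer = ChipCard(CARD_KEY), Issuer(CARD_KEY)
    nonce = secrets.token_bytes(4)          # terminal's unpredictable number
    msg = card.generate_cryptogram(1999, "USD", nonce)
    first = issuer.authorize(msg)
    replay = issuer.authorize(msg)          # the same message submitted again
    altered = dict(msg, amount=99999)       # amount changed, MAC left as-is
    return first, replay, issuer.authorize(altered)


def cnp_authorize(known_cards: dict, pan: str, expiry: str, cvv2: str) -> bool:
    """Static-check model of a CNP authorization: nothing in the request changes
    between uses, so anyone holding the captured fields can submit it again."""
    return known_cards.get(pan) == (expiry, cvv2)


def cnp_replay_demo() -> tuple:
    """Returns (first_auth, replay_auth) for the same static card data twice."""
    cards = {"4111111111111111": ("12/27", "123")}   # constructed sample card
    first = cnp_authorize(cards, "4111111111111111", "12/27", "123")
    replay = cnp_authorize(cards, "4111111111111111", "12/27", "123")
    return first, replay


if __name__ == "__main__":
    print("chip  (first, replay, altered):", chip_replay_demo())
    print("cnp   (first, replay):         ", cnp_replay_demo())
```

The chip path rejects both the replayed message and the tampered amount because the issuer can recompute the MAC and sees the counter has not advanced; the CNP path accepts the second submission because there is nothing in it that could have changed. Real issuers apply more checks than a monotonic counter (velocity rules, ATC windows, CVM results), but the asymmetry shown here is the reason fraud migrates to channels where only static data is presented.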

Retailers are on track to do big business in stores and online throughout 2016, but staying in the black means prepping for emerging IT threats: Get ready for scale, watch for snipers, handle mobile and get comfortable with POS protection.
