Retail Risk Reality 2016: The New Year’s New Vulnerabilities
Retail Risk in 2016
Retail companies did well in 2015. As noted by CNBC, for example, digital sales on Black Friday rose 20 percent from 2014, and in-store purchasing remained strong throughout the holiday season. But the new year brings new challenges. Here’s a retail risk reality check of the top five vulnerabilities expected in 2016.
Attacks of Scale
According to eWEEK, attacks in 2016 will be partially driven by economies of scale. Think of it like this: As retailers look for ways to more easily connect with consumers, partners and suppliers, their attack surface grows with every new connection. While technologies such as cloud computing and sensor-enabled wireless devices empower the retail industry to do more, they also offer multiple entry routes for attackers.
As a result, expect attackers to rely heavily on large-scale, quick-strike exploit kits such as Angler and Rig in the new year. With so many targets and potential cracks in IT security, entry-level attackers prefer to buy their malware rather than design their own: the kit handles delivery and exploitation, and the buyer only supplies the payload. The good news? Attacks built on shared kits also share infrastructure, exploit code and indicators, so each new incident gives security professionals more data to detect the same kit elsewhere. Economies of scale work both ways.
Sniper Malware
ITProPortal, meanwhile, tackled the opposite risk: sniper malware designed to target specific organizations. Both smaller companies and enterprise-level retail organizations are at risk in this scenario. While the eventual targets are typically the troves of credit card data and personal information held by nationwide retailers, or by government agencies, going after the big fish first is a good way to get caught early and burn the tooling before it pays off.
In 2016, expect malware-makers to first target smaller businesses as a proof of concept and then move up to enterprises with more sophisticated security postures. These won't be smash-and-grab jobs or large-scale distributed denial-of-service (DDoS) attacks, but rather carefully crafted code designed to infiltrate, compromise and exfiltrate data without detection.
Mobile Malware
In recent years, companies have experienced a surge in mobile malware incidents. Infosecurity Magazine reported that more than 40 percent of respondents in a Check Point survey suffered attacks that cost at least $250,000 to mitigate and remediate, and 82 percent predicted more mobile threats in the future.
Expect retail to be a prime target here as consumers look for device-native apps that let them quickly make purchases or chat with customer care agents. Attackers now have a vested interest in both breaking specific apps and compromising the mobile operating systems they run on. A retail app that holds a logged-in session and a stored payment method on a device the retailer does not control represents high value and low risk for malicious actors, making such apps one of the most tempting targets this year.
Point-of-Sale Vulnerabilities
Despite security advances, point-of-sale (POS) systems remain a real point of vulnerability for many retail companies. Why? Because the firmware and software shipped with these devices don't always meet current IT security standards. If attackers can capture card data at the terminal, where it is read and processed, there's no need to break into corporate back-office systems and run the risk of widespread detection.
Consider the recent discovery of flawed POS terminals in Germany. As reported by Payment Week, security researcher Karsten Nohl found two flaws in popular POS systems that are not coding mistakes but design decisions baked into the terminals' factory programming, which means a routine software update alone will not remove them. These security holes could allow cybercriminals to either steal a user's PIN or force the transfer of funds to fraudulent accounts.
How can retailers keep up? Make sure POS software and firmware are always updated, track vendor and acquirer advisories for the specific terminal models you deploy, isolate the POS network from guest Wi-Fi and general office systems, and restrict which hosts are allowed to talk to the terminals at all.
Card-Not-Present Fraud
Chip-and-PIN rollouts are finally happening on a large scale in the U.S., and while there's no doubt that the combination of a cardholder PIN and a one-time code generated by the chip for each transaction has lowered the amount of in-store counterfeit-card fraud, there's a ripple effect. (Note that most U.S. issuers have so far shipped chip-and-signature rather than chip-and-PIN cards; the chip's per-transaction code still defeats cloned cards, but the PIN check is absent.) In Britain, where chip-and-PIN cards have been commonplace for more than a decade, another type of fraud has experienced a massive surge: card-not-present.
It makes sense: With counterfeit cards largely stopped at chip terminals, attackers have moved to online and phone transactions, where the chip never participates and the static card number, expiry date and security code are all a fraudster needs. As the U.S. shift to chip cards continues this year, expect to see a significant increase in this retail risk, necessitating the use of advanced online countermeasures, such as social account linking, two-factor authentication or other means of confirming identity, to combat this problem and engender consumer confidence.
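The following is an added illustration, not code from the article or from any card scheme, of why a chip transaction resists replay while a card-not-present transaction does not. It stands in for the real EMV cryptogram with an HMAC-SHA256 over the transaction fields (real cards use DES- or AES-based MACs with per-transaction session keys), uses a single issuer-side "last seen counter" per card, and all card numbers, keys and amounts are constructed sample values.

```python
"""Added example: per-transaction chip cryptogram vs. static card-not-present data.

Assumptions (not from the article): HMAC-SHA256 stands in for the EMV
application cryptogram; the issuer tracks one last-seen transaction counter
per card. All card data and keys below are constructed sample values.
"""
import hashlib
import hmac
import os

# Constructed sample card. The chip holds a secret that only the issuer shares;
# the PAN, expiry and CVV2 are the static values printed on or stored in the card.
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")  # sample key
PAN = "4111111111111111"   # well-known test PAN, not a real account
EXPIRY = "1219"
CVV2 = "123"


def chip_cryptogram(secret, pan, atc, amount_cents, unpredictable_number):
    """The chip's one-time code: a MAC over the data of *this* transaction.

    atc is the application transaction counter, which the chip increments on
    every use; unpredictable_number is a fresh random value from the terminal.
    """
    msg = f"{pan}|{atc}|{amount_cents}|{unpredictable_number.hex()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer-side authorisation with the two checks that defeat replay."""

    def __init__(self):
        self.secrets = {PAN: CARD_SECRET}
        self.last_atc = {PAN: 0}

    def authorize_chip(self, pan, atc, amount_cents, un, cryptogram):
        secret = self.secrets.get(pan)
        if secret is None:
            return "DECLINE: unknown card"
        # A counter that did not advance means a replayed or stale authorisation.
        if atc <= self.last_atc[pan]:
            return "DECLINE: counter not increasing (replay?)"
        expected = chip_cryptogram(secret, pan, atc, amount_cents, un)
        # The MAC binds counter, amount and terminal nonce; any change breaks it.
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: cryptogram mismatch (data altered or forged)"
        self.last_atc[pan] = atc
        return "APPROVE"

    def authorize_cnp(self, pan, expiry, cvv2, amount_cents):
        """Card-not-present: nothing in the request is unique to this purchase."""
        if pan in self.secrets and expiry == EXPIRY and cvv2 == CVV2:
            return "APPROVE"
        return "DECLINE: static card data wrong"


def demo():
    """Run the four scenarios and return the issuer's decision for each."""
    issuer = Issuer()
    results = {}
    # 1. Genuine chip purchase: terminal supplies a nonce, chip MACs the transaction.
    un = os.urandom(4)
    atc = 41
    crypt = chip_cryptogram(CARD_SECRET, PAN, atc, 2599, un)
    results["genuine"] = issuer.authorize_chip(PAN, atc, 2599, un, crypt)
    # 2. An attacker who captured that exchange replays it verbatim.
    results["replay"] = issuer.authorize_chip(PAN, atc, 2599, un, crypt)
    # 3. The attacker bumps the counter but cannot recompute the MAC without the key.
    results["forged_counter"] = issuer.authorize_chip(PAN, atc + 1, 2599, un, crypt)
    # 4. The same static card data used online works as often as the attacker likes.
    results["cnp"] = issuer.authorize_cnp(PAN, EXPIRY, CVV2, 2599)
    results["cnp_again"] = issuer.authorize_cnp(PAN, EXPIRY, CVV2, 99900)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:14s} {decision}")
```

The genuine chip transaction is approved once; the replay is rejected by the counter check and the tampered counter by the MAC check. The two card-not-present requests are both approved because the issuer has nothing fresh to verify, which is exactly the gap that the countermeasures above (a second factor, a per-transaction confirmation) are meant to close.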
Retailers are on track to do big business in stores and online throughout 2016, but staying in the black means prepping for emerging IT threats: Get ready for scale, watch for snipers, handle mobile, get comfortable with POS protection and plan for the fraud that chip cards push online.