Andy Williams had it right when he sang about the holidays being the most wonderful time of the year. With all the gift-giving, festivities, parties, feasting, and family events, the holiday season is the perfect way to end the year. For retailers, this is doubly true, as many will earn more profit over the holidays than at any other time. However, retailers also need to be wary, because hackers will be looking to turn a profit, too, at the expense of legitimate businesses and their customers.
These hacking Grinches will certainly try to steal Christmas, but a good defense can ensure that they get nothing but lumps of well-deserved coal in their stockings. Most attackers will follow the same tired-but-tested attack patterns that have been so successful in the past. Here are the most popular vulnerabilities that attackers will try to exploit this holiday season.
Almost every retail store in existence has at least one point-of-sale (POS) machine to quickly process credit cards and allow their customers to make transactions. Some of the largest retailers may have hundreds of machines in a single location, or thousands of them deployed worldwide.
There are a few ways that attackers can exploit these machines. One of the easiest scams is to install skimmers on unguarded machines, which capture credit card data from customers who use them. Another, more advanced form of attack is inserting malware into a POS device, which could compromise an entire organization. That is what recently happened to Saks Fifth Avenue and Lord & Taylor stores, which ultimately lost over 5 million customer records.
With more people wandering around stores during the holidays, be sure that POS machines are never left unattended or unguarded. Ideally, they should be secured, powered down, or locked when not in use or whenever they aren't being actively monitored. Access points such as USB ports should also be disabled or physically sealed, because even an employee innocently charging a phone might inadvertently allow malware to slip into the POS system that way.
Applications and Social Media
Stores can ramp up the engagement of their customers by charming them on social media platforms or by creating specific apps to deliver news and coupons. This can be successful if done right but can also extend vulnerabilities.
Retailers should be wary about collecting personal information from users via social media or through applications because they may not have direct control over that information or where it's stored. Best Buy, Sears, and Kmart found this out the hard way after outsourcing their chat and customer service applications to a company that was hacked using malware.
Attackers gained information such as credit card numbers, home addresses, phone numbers, and other personal information on customers from those stores. And, although this was a third-party breach, customers laid blame on the retailers.
The nature of retail today, especially for large or expanding organizations, is such that some of the most insidious attackers don't even need to enter a store in order to perform a successful attack that does a lot of damage. Even if a retailer has good cybersecurity and has secured all of its POS machines, it still might be vulnerable because of its interactions with third-party vendors or the companies it interfaces with as part of its supply chain.
Far too many retailers have learned this hard lesson. Perhaps the most famous third-party breach was at Target, which had millions of its customer records compromised. The attackers in that case didn't attack Target computers directly, but instead compromised an HVAC provider and used its credentials to access database systems.
To protect themselves, retailers must constantly assess the levels of access given to third-party vendors that provide goods and services or that work within the retail supply chain. As many corporations now do with their internal users, third-party retail vendors should be given the least amount of privilege necessary in order to perform their jobs. A vendor that distributes goods — candy, dog food, or anything else — might need limited access to some systems in order to help track orders or report on deliveries. But it doesn't need admin access to your entire network.
The ongoing assessment should involve looking at all third-party vendors and enforcing least privilege across the board. Some vendors — outsourced accountants, for example — may require a high level of access to critical systems. For them, additional security checks and monitoring should be required. Third-party vendors should know that they will be monitored as part of their contract and can be fired if they don't maintain adequate cybersecurity. That may seem harsh, but it must be done in order to protect your retail organization and your customers.
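The vendor access review described above can be made repeatable rather than a once-a-year exercise. The following Python script is an added example, not code from this article or from any retailer's environment: it compares the privileges each third-party account actually holds against a baseline of what its role legitimately needs, flags any excess (the distributor holding network admin rights), and separately flags vendors whose legitimate access already touches critical systems and therefore warrants the extra monitoring the text calls for. The vendor names, role names, privilege strings, and the baseline table are all constructed placeholders.

```python
"""Vendor least-privilege review (added example; all data below is constructed).

Two questions are answered for every third-party account:
  1. Does it hold anything beyond what its role needs?  -> excess, must be revoked
  2. Does its legitimate access touch critical systems? -> needs enhanced monitoring
"""
from dataclasses import dataclass, field

# Constructed policy table: the privileges each vendor role legitimately needs.
ROLE_BASELINE = {
    "goods_distributor": {"orders:read", "deliveries:write"},
    "outsourced_accounting": {"ledger:read", "ledger:write", "payroll:read"},
    "hvac_maintenance": {"bms:read"},
}

# Constructed list of privileges sensitive enough that any holder gets extra scrutiny.
CRITICAL = {"ledger:write", "payroll:read", "network:admin", "pos:admin", "db:admin"}


@dataclass
class VendorAccount:
    name: str
    role: str
    granted: set  # privileges actually present in the directory / IAM export


@dataclass
class Finding:
    vendor: str
    role: str
    excess: set = field(default_factory=set)   # granted but not in the role baseline
    critical: set = field(default_factory=set) # granted privileges that are critical
    unknown_role: bool = False                 # no baseline exists: everything is excess

    @property
    def needs_revocation(self) -> bool:
        return bool(self.excess) or self.unknown_role

    @property
    def needs_extra_monitoring(self) -> bool:
        # Legitimate (baseline) access that reaches critical systems, e.g. accountants.
        return bool(self.critical - self.excess)


def review(accounts):
    """Return {vendor name: Finding} for every account, flagging excess and critical access."""
    findings = {}
    for acct in accounts:
        f = Finding(vendor=acct.name, role=acct.role)
        baseline = ROLE_BASELINE.get(acct.role)
        if baseline is None:
            # An account with a role we have no policy for must be treated as over-privileged.
            f.unknown_role = True
            f.excess = set(acct.granted)
        else:
            f.excess = set(acct.granted) - baseline
        f.critical = set(acct.granted) & CRITICAL
        findings[acct.name] = f
    return findings


def report(findings):
    """Render findings as plain text lines, one per vendor needing attention."""
    lines = []
    for f in findings.values():
        if f.needs_revocation:
            what = "unknown role" if f.unknown_role else ", ".join(sorted(f.excess))
            lines.append(f"REVOKE   {f.vendor} ({f.role}): {what}")
        if f.needs_extra_monitoring:
            lines.append(f"MONITOR  {f.vendor} ({f.role}): "
                         f"{', '.join(sorted(f.critical - f.excess))}")
    return lines


# Constructed sample export: what an IAM/AD dump of vendor accounts might look like.
SAMPLE_ACCOUNTS = [
    VendorAccount("Constructed Candy Co", "goods_distributor",
                  {"orders:read", "deliveries:write", "network:admin"}),
    VendorAccount("Constructed Ledger LLP", "outsourced_accounting",
                  {"ledger:read", "ledger:write", "payroll:read"}),
    VendorAccount("Constructed Climate Services", "hvac_maintenance",
                  {"bms:read", "db:admin"}),
    VendorAccount("Constructed Pop-Up Kiosk", "seasonal_kiosk",
                  {"pos:admin"}),
]

if __name__ == "__main__":
    for line in report(review(SAMPLE_ACCOUNTS)):
        print(line)
```

Feeding the script a real directory export means mapping each vendor account to a role in `ROLE_BASELINE`; an account that maps to no role is deliberately reported as fully over-privileged, because "we never decided what this vendor should have" is exactly the condition that let the HVAC credentials in the Target case reach systems they had no business touching.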
Attack attempts against retailers will certainly ramp up during the holidays. But knowing some of the most dangerous vulnerabilities can help retailers stop them in their tracks. The holidays are the most wonderful time of the year — and with a little work and a lot of vigilance, it can also be one of the safest for retailers and their customers.