Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

12/14/2018
10:30 AM
Fred Kneip
Fred Kneip
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Retailers: Avoid the Hackable Holidaze

The most wonderful time of the year? Sure, but not if your business and customers are getting robbed.

Andy Williams had it right when he sang about the holidays being the most wonderful time of the year. With all the gift-giving, festivities, parties, feasting, and family events, the holiday season is the perfect way to end the year. For retailers, this is doubly true, as many will earn more profit over the holidays than at any other time. However, retailers also need to be wary, because hackers will be looking to turn a profit, too, at the expense of legitimate businesses and their customers.

These hacking Grinches will certainly try to steal Christmas, but a good defense can ensure that they get nothing but lumps of well-deserved coal in their stockings. Most attackers will follow the same tired-but-tested attack patterns that have been so successful in the past. Here are the most popular vulnerabilities that attackers will try to exploit this holiday season.

Point-of-Sale Machines
Almost every retail store in existence has at least one point-of-sale (POS) machine to quickly process credit cards and allow their customers to make transactions. Some of the largest retailers may have hundreds of machines in a single location, or thousands of them deployed worldwide.

There are a few ways that attackers can exploit this. One of the easiest scams is to install skimmers on unguarded machines, which capture credit card data from customers who use them. Another more advanced form of attack is inserting malware into a POS device, which could compromise an entire organization. That is what recently happened to Saks Fifth Avenue and Lord & Taylor stores, which ultimately lost over 5 million customer records.

With more people wandering around stores during the holidays, be sure that POS machines are never left unattended or unguarded. Ideally, they should be secured, powered down, or locked when not in use or whenever they aren't being actively monitored. Access points such as USB ports should also be disabled or physically sealed because even an employee innocently charging his phone might inadvertently allow malware to slip into the POS system that way.

Applications and Social Media
Stores can ramp up the engagement of their customers by charming them on social media platforms or by creating specific apps to deliver news and coupons. This can be successful if done right but can also extend vulnerabilities.

Retailers should be wary about collecting personal information from users via social media or through applications because they may not have direct control over that information or where it's stored. Best Buy, Sears, and Kmart found this out the hard way after outsourcing their chat and customer service applications to a company that was hacked using malware.

Attackers gained information such as credit card numbers, home addresses, phone numbers, and other personal information on customers from those stores. And, although this was a third-party breach, customers laid blame on the retailers.

Other Vendors
The nature of retail today, especially for large or expanding organizations, is such that some of the most insidious attackers don't even need to enter a store in order to perform a successful attack that can do a lot of damage. Even if a retailer has good cybersecurity and has secured all of its POS machines, it still might be vulnerable because of its interactions with third-party vendors or companies with which they interface as part of their supply chain.

Far too many retailers have learned this hard lesson. Perhaps the most famous third-party breach was at Target, which had millions of its customer records compromised. The attackers in that case didn't attack Target computers directly, but instead compromised an HVAC provider and used its credentials to access database systems.

To protect themselves, retailers must constantly assess the levels of access given to third-party vendors that provide goods and services or that work within the retail supply chain. As many corporations now do with their internal users, third-party retail vendors should be given the least amount of privilege necessary in order to perform their jobs. A vendor that distributes goods — candy, dog food, or anything else — might need limited access to some systems in order to help track orders or report on deliveries. But it doesn't need admin access to your entire network.

The ongoing assessment should involve looking at all third-party vendors and enforcing least privilege across the board. Some vendors —outsourced accountants, for example — may require a high level of access to critical systems. For them, additional security checks and monitoring should be required. Third-party vendors should know that they will be monitored as part of their contract and can be fired if they don't maintain adequate cybersecurity. That may seem harsh, but it must be done in order to protect your retail organization and your customers.

Happy Holidays
Attack attempts against retailers will certainly ramp up during the holidays. But knowing some of the most dangerous vulnerabilities can help retailers stop them in their tracks. The holidays are the most wonderful time of the year — and with a little work and a lot of vigilance, it can also be one of the safest for retailers and their customers.

Related Content:

As Chief Executive Officer, Fred Kneip is responsible for the overall company direction of CyberGRX. Prior to joining the company, Fred served in several senior management roles at Bridgewater Associates, including Head of Compliance and Head of Security. Before that, Fred ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20020
PUBLISHED: 2021-04-10
A command execution vulnerability in SonicWall GMS 9.3 allows a remote unauthenticated attacker to locally escalate privilege to root.
CVE-2021-30480
PUBLISHED: 2021-04-09
Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat softw...
CVE-2021-21194
PUBLISHED: 2021-04-09
Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-21195
PUBLISHED: 2021-04-09
Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2021-21196
PUBLISHED: 2021-04-09
Heap buffer overflow in TabStrip in Google Chrome on Windows prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.