Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

12/14/2018
10:30 AM
Fred Kneip
Fred Kneip
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Retailers: Avoid the Hackable Holidaze

The most wonderful time of the year? Sure, but not if your business and customers are getting robbed.

Andy Williams had it right when he sang about the holidays being the most wonderful time of the year. With all the gift-giving, festivities, parties, feasting, and family events, the holiday season is the perfect way to end the year. For retailers, this is doubly true, as many will earn more profit over the holidays than at any other time. However, retailers also need to be wary, because hackers will be looking to turn a profit, too, at the expense of legitimate businesses and their customers.

These hacking Grinches will certainly try to steal Christmas, but a good defense can ensure that they get nothing but lumps of well-deserved coal in their stockings. Most attackers will follow the same tired-but-tested attack patterns that have been so successful in the past. Here are the most popular vulnerabilities that attackers will try to exploit this holiday season.

Point-of-Sale Machines
Almost every retail store in existence has at least one point-of-sale (POS) machine to quickly process credit cards and allow their customers to make transactions. Some of the largest retailers may have hundreds of machines in a single location, or thousands of them deployed worldwide.

There are a few ways that attackers can exploit this. One of the easiest scams is to install skimmers on unguarded machines, which capture credit card data from customers who use them. Another more advanced form of attack is inserting malware into a POS device, which could compromise an entire organization. That is what recently happened to Saks Fifth Avenue and Lord & Taylor stores, which ultimately lost over 5 million customer records.

With more people wandering around stores during the holidays, be sure that POS machines are never left unattended or unguarded. Ideally, they should be secured, powered down, or locked when not in use or whenever they aren't being actively monitored. Access points such as USB ports should also be disabled or physically sealed because even an employee innocently charging his phone might inadvertently allow malware to slip into the POS system that way.

Applications and Social Media
Stores can ramp up the engagement of their customers by charming them on social media platforms or by creating specific apps to deliver news and coupons. This can be successful if done right but can also extend vulnerabilities.

Retailers should be wary about collecting personal information from users via social media or through applications because they may not have direct control over that information or where it's stored. Best Buy, Sears, and Kmart found this out the hard way after outsourcing their chat and customer service applications to a company that was hacked using malware.

Attackers gained information such as credit card numbers, home addresses, phone numbers, and other personal information on customers from those stores. And, although this was a third-party breach, customers laid blame on the retailers.

Other Vendors
The nature of retail today, especially for large or expanding organizations, is such that some of the most insidious attackers don't even need to enter a store in order to perform a successful attack that can do a lot of damage. Even if a retailer has good cybersecurity and has secured all of its POS machines, it still might be vulnerable because of its interactions with third-party vendors or companies with which they interface as part of their supply chain.

Far too many retailers have learned this hard lesson. Perhaps the most famous third-party breach was at Target, which had millions of its customer records compromised. The attackers in that case didn't attack Target computers directly, but instead compromised an HVAC provider and used its credentials to access database systems.

To protect themselves, retailers must constantly assess the levels of access given to third-party vendors that provide goods and services or that work within the retail supply chain. As many corporations now do with their internal users, third-party retail vendors should be given the least amount of privilege necessary in order to perform their jobs. A vendor that distributes goods — candy, dog food, or anything else — might need limited access to some systems in order to help track orders or report on deliveries. But it doesn't need admin access to your entire network.

The ongoing assessment should involve looking at all third-party vendors and enforcing least privilege across the board. Some vendors —outsourced accountants, for example — may require a high level of access to critical systems. For them, additional security checks and monitoring should be required. Third-party vendors should know that they will be monitored as part of their contract and can be fired if they don't maintain adequate cybersecurity. That may seem harsh, but it must be done in order to protect your retail organization and your customers.

Happy Holidays
Attack attempts against retailers will certainly ramp up during the holidays. But knowing some of the most dangerous vulnerabilities can help retailers stop them in their tracks. The holidays are the most wonderful time of the year — and with a little work and a lot of vigilance, it can also be one of the safest for retailers and their customers.

Related Content:

As Chief Executive Officer, Fred Kneip is responsible for the overall company direction of CyberGRX. Prior to joining the company, Fred served in several senior management roles at Bridgewater Associates, including Head of Compliance and Head of Security. Before that, Fred ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24376
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) form the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory w...
CVE-2021-24377
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 attempts to remove potential malicious files from the extracted archive uploaded via the 'Import Settings' feature, however this is not sufficient to protect against RCE as a race condition can be achieved in between the moment the file is extracted on t...
CVE-2021-24378
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing JavaScript code inside an archive which will execute w...
CVE-2021-24379
PUBLISHED: 2021-06-21
The Comments Like Dislike WordPress plugin before 1.1.4 allows users to like/dislike posted comments, however does not prevent them from replaying the AJAX request to add a like. This allows any user (even unauthenticated) to add unlimited like/dislike to any comment. The plugin appears to have some...
CVE-2021-24383
PUBLISHED: 2021-06-21
The WP Google Maps WordPress plugin before 8.1.12 did not sanitise, validate of escape the Map Name when output in the Map List of the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue