
Endpoint

12/14/2018 10:30 AM
Fred Kneip
Commentary

Retailers: Avoid the Hackable Holidaze

The most wonderful time of the year? Sure, but not if your business and customers are getting robbed.

Andy Williams had it right when he sang about the holidays being the most wonderful time of the year. With all the gift-giving, festivities, parties, feasting, and family events, the holiday season is the perfect way to end the year. For retailers, this is doubly true, as many will earn more profit over the holidays than at any other time. However, retailers also need to be wary, because hackers will be looking to turn a profit, too, at the expense of legitimate businesses and their customers.

These hacking Grinches will certainly try to steal Christmas, but a good defense can ensure that they get nothing but lumps of well-deserved coal in their stockings. Most attackers will follow the same tired-but-tested attack patterns that have been so successful in the past. Here are the most popular vulnerabilities that attackers will try to exploit this holiday season.

Point-of-Sale Machines
Almost every retail store in existence has at least one point-of-sale (POS) machine to quickly process credit cards and allow their customers to make transactions. Some of the largest retailers may have hundreds of machines in a single location, or thousands of them deployed worldwide.

There are a few ways that attackers can exploit POS machines. One of the easiest scams is to install skimmers on unguarded machines, which capture credit card data from customers who use them. Another, more advanced form of attack is inserting malware into a POS device, which could compromise an entire organization. That is what recently happened to Saks Fifth Avenue and Lord & Taylor stores, which ultimately lost over 5 million customer records.

With more people wandering around stores during the holidays, be sure that POS machines are never left unattended or unguarded. Ideally, they should be secured, powered down, or locked when not in use or whenever they aren't being actively monitored. Access points such as USB ports should also be disabled or physically sealed because even an employee innocently charging his phone might inadvertently allow malware to slip into the POS system that way.

Applications and Social Media
Stores can ramp up the engagement of their customers by charming them on social media platforms or by creating specific apps to deliver news and coupons. This can be successful if done right but can also extend vulnerabilities.

Retailers should be wary about collecting personal information from users via social media or through applications because they may not have direct control over that information or where it's stored. Best Buy, Sears, and Kmart found this out the hard way after outsourcing their chat and customer service applications to a company that was hacked using malware.

Attackers gained information such as credit card numbers, home addresses, phone numbers, and other personal information on customers from those stores. And, although this was a third-party breach, customers laid blame on the retailers.

Other Vendors
The nature of retail today, especially for large or expanding organizations, is such that some of the most insidious attackers don't even need to enter a store in order to perform a successful attack that can do a lot of damage. Even if a retailer has good cybersecurity and has secured all of its POS machines, it still might be vulnerable because of its interactions with third-party vendors or other companies with which it interfaces as part of its supply chain.

Far too many retailers have learned this hard lesson. Perhaps the most famous third-party breach was at Target, which had millions of its customer records compromised. The attackers in that case didn't attack Target computers directly, but instead compromised an HVAC provider and used its credentials to access database systems.

To protect themselves, retailers must constantly assess the levels of access given to third-party vendors that provide goods and services or that work within the retail supply chain. As many corporations now do with their internal users, third-party retail vendors should be given the least amount of privilege necessary in order to perform their jobs. A vendor that distributes goods — candy, dog food, or anything else — might need limited access to some systems in order to help track orders or report on deliveries. But it doesn't need admin access to your entire network.

The ongoing assessment should involve looking at all third-party vendors and enforcing least privilege across the board. Some vendors — outsourced accountants, for example — may require a high level of access to critical systems. For them, additional security checks and monitoring should be required. Third-party vendors should know that they will be monitored as part of their contract and can be fired if they don't maintain adequate cybersecurity. That may seem harsh, but it must be done in order to protect your retail organization and your customers.
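One way to turn the vendor assessment described above into a repeatable check, as an added example that is not part of the original article: each vendor role is mapped to the minimum scopes it needs, every grant beyond that is flagged as excess, holders of critical scopes are flagged for extra monitoring, and unused access is flagged as stale. The vendor names, systems, role scopes and inventory are all constructed for illustration.

```python
# Added example (not from the article): a least-privilege review of
# third-party vendor accounts. Roles, scopes and the inventory are constructed.
from dataclasses import dataclass, field

# Minimum access each vendor role legitimately needs (assumed, constructed).
ROLE_SCOPES = {
    "distributor": {"orders:read", "deliveries:write"},
    "accountant": {"ledger:read", "ledger:write", "payroll:read"},
    "hvac": {"building-controls:read"},
}
# Scopes that count as high privilege and trigger extra checks and monitoring.
CRITICAL_SCOPES = {"ledger:write", "payroll:read", "network:admin"}

@dataclass
class VendorAccount:
    name: str
    role: str
    granted: set
    last_used_days: int

@dataclass
class Finding:
    vendor: str
    excess: set = field(default_factory=set)   # grants beyond the role's scope
    needs_monitoring: bool = False             # holds a critical scope
    stale: bool = False                        # access not used recently

def review(accounts, stale_after_days=90):
    """Return one Finding per vendor account that needs attention."""
    findings = []
    for acct in accounts:
        allowed = ROLE_SCOPES.get(acct.role, set())  # unknown role: nothing allowed
        f = Finding(vendor=acct.name)
        f.excess = acct.granted - allowed
        f.needs_monitoring = bool(acct.granted & CRITICAL_SCOPES)
        f.stale = acct.last_used_days > stale_after_days
        if f.excess or f.needs_monitoring or f.stale:
            findings.append(f)
    return findings

SAMPLE_ACCOUNTS = [  # constructed inventory
    VendorAccount("candy-distributor", "distributor",
                  {"orders:read", "deliveries:write", "network:admin"}, 3),
    VendorAccount("outsourced-accounting", "accountant",
                  {"ledger:read", "ledger:write", "payroll:read"}, 1),
    VendorAccount("hvac-service", "hvac", {"building-controls:read"}, 120),
]

if __name__ == "__main__":
    for finding in review(SAMPLE_ACCOUNTS):
        print(finding)
```

On the sample inventory the distributor is flagged for an admin grant it does not need, the accountant for legitimately holding critical scopes, and the HVAC vendor for access that has gone unused.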

Happy Holidays
Attack attempts against retailers will certainly ramp up during the holidays. But knowing some of the most dangerous vulnerabilities can help retailers stop them in their tracks. The holidays are the most wonderful time of the year — and with a little work and a lot of vigilance, they can also be one of the safest for retailers and their customers.


As Chief Executive Officer, Fred Kneip is responsible for the overall company direction of CyberGRX. Prior to joining the company, Fred served in several senior management roles at Bridgewater Associates, including Head of Compliance and Head of Security. Before that, Fred ...