
Comments
Understanding Retail Threats and Fraud

@DarkReadingTim: the retail security discussion often ends up focusing on chip-and-pin credit cards -- realistically, how much would chip and pin really help? Seems like it wouldn't do much to prevent the type of back-end breaches we've been seeing.


I'm torn on this one. I think it's definitely going to add a level of security to consumer-level transactions and make it difficult for basic skimming, but I don't know how it will impact attackers stealing card data from the backend. My concern is that the US companies won't be implementing it in a way that's as secure as their European counterparts. Right now, there's too much uncertainty in how retailers will leverage it to really know what to expect other than the fact we know it's coming. We'll have to wait and see on this one.

Moderator

@John, the retail security discussion often ends up focusing on chip-and-pin credit cards -- realistically, how much would chip and pin really help?  Seems like it wouldn't do much to prevent the type of back-end breaches we've been seeing.

Strategist

BTW, the "competing" retail intel-sharing efforts are now working together. 

@DarkReadingTim: It doesn't help that retailers formed two separate ISAC groups instead of one.


Considering how everyone thinks their own industry and business is unique, I'm a little surprised there are only two. Everyone is a special snowflake. ;)

Moderator

@Marilyn Cohodas: Sorry I missed the beginning of the class, but John did you talk at all about what kind of new attacks you expect to see this coming holiday season?


We're going to keep seeing a lot of the same old attacks such as SQL injection, PoS malware, and business logic abuse, but there could be new vectors focused on electronic payment systems and other ways to commit fraud via mobile devices. We're certainly seeing a big increase in mobile devices being used for more personal financial purposes which will open up more users to attack.

Moderator

It doesn't help that retailers formed two separate ISAC groups instead of one.


Strategist

@Curt Franklin: do you see electronic wallets -- Apple Pay and the like -- as steps forward in retail security, or are the real issues in areas beyond the POS?

I'm oddly excited about things like Apple Pay and Google Wallet because it's adding in an abstract layer to protect cards better. The problem is that attackers are going to be quickly looking for a way to hijack the process or install malware on mobile devices to steal information and perform fraudulent transactions. Unfortunately, I don't know enough about how security is implemented on the device for those payment methods...yet. It's an area that I plan to look into more soon after I finish the mobile research I'm working on now.

Moderator

@Kelly Jackson Higgins: Do you think the retail industry will become more secure and less likely to face a wave of attacks like they've seen this past year with its new intel-sharing ISAC model?

I certainly hope so. Information sharing is extremely helpful for defenders so they can understand the attacks that their peers are experiencing and better prepare themselves for when they finally see the attacks themselves. As we know, no one is safe from being a target.

Moderator

Speaking of PCI -- do you see any major improvements in PCI-DSS 3.0 in protecting POS systems?

Strategist

@John, the retail security discussion often ends up focusing on chip-and-pin credit cards -- realistically, how much would chip and pin really help?  Seems like it wouldn't do much to prevent the type of back-end breaches we've been seeing.

Strategist

Sorry I missed the beginning of the class, but John did you talk at all about what kind of new attacks you expect to see this coming holiday season? 

Strategist

Sorry, I'm running late...


Strategist

@johnsawyer, do you see electronic wallets -- Apple Pay and the like -- as steps forward in retail security, or are the real issues in areas beyond the POS?

Author

@johnsawyer Do you think the retail industry will become more secure and less likely to face a wave of attacks like they've seen this past year with its new intel-sharing ISAC model?

Hi all - Audio is live! If you don't see the audio bar at the top of the screen, please refresh your browser. It may take a couple of tries. When you see the audio bar, if it doesn't start automatically, hit the play button. If you experience audio interruptions and are using IE, try using FF or Chrome as your browser. Many people experience issues with IE. Also, make sure your Flash player is updated to the current version. Some companies block live audio streams, so if that is the case for your company, the class will be archived on this page immediately following the class and you can listen then. People don't experience any issues with the audio for the archived version.

Apprentice

We'd love to have your voice in the class discussion here. To take part, just type your comment or question into the "Your Post" box and then click on the "Post" button below the box. Feel free to introduce yourself before the class starts -- I think you'll find that we're a very friendly learning community here! 

Author

Hey, everyone, we're glad you could join us! When the class is scheduled to start, at noon EDT, an audio player should appear above the "Your Post" window. If it doesn't appear, you might need to refresh your browser until it does. If it appears but doesn't start playing, then you may need to click on the "play" button on the far left of the player. 

Author
