‘Tis the season for retailers, who face their busiest time of the year in terms of online and offline sales. This week’s US Thanksgiving shopping spree kicks off a bumper season that takes in Black Friday, Cyber Monday, Green Monday (December 11) and Free Shipping Day (Dec 15), not to mention the Christmas panic buying frenzy.
As you break out the credit card for another round of seasonal buying, be careful which retailer you give it to. An investigation into this sector by SecurityScorecard, a company that regularly ranks public and private sector organizations based on their cybersecurity, found some worrying results.
Clothing stores scored particularly poorly when it came to cybersecurity, said the report, which ranked companies on a variety of criteria ranging from application security through to endpoint and network protection.
There were more insecure clothing stores in its analysis than insecure car dealerships, department stores, food stores, groceries, pharmacies, wholesale retailers, office supply stores and sporting goods stores combined.
According to the SecurityScorecard report, retail ranks fifth out of 17 US industries when it comes to cybersecurity performance, lagging behind financial services, entertainment, information services and the top performing player, food.
Card cloning is still an issue
You might think that the lack of EMV adoption in the US presents the biggest cybersecurity challenge for customers. Also known as chip and PIN, this technology uses a chip embedded in a credit or debit card. The point-of-sale terminal reads the chip, which is supposed to be impractical to clone.
By comparison, conventional magnetic stripe cards can be easily copied, leading to physical credit card fraud. Skimming devices inserted in gas pump terminals and ATMs are common, accounting for almost 60% of non-ecommerce retailer breaches, according to Verizon’s 2017 Data Breach Investigations Report (DBIR).
EMVCo, a US industry association that gathers international EMV adoption figures, says that almost 85% of countries in what it calls Europe zone one had adopted the standard as of December 2016. Canada, Latin America and the Caribbean aren’t too far behind, at 75.7%.
The US languished at 52.2% adoption last December, which is admittedly better than the 26.4% it managed in 2015. Nevertheless, its adoption rate lags behind almost everywhere else in the world apart from Asia-Pacific. In short, it will be easier for someone to use a copied version of your card at US stores than elsewhere.
For political and economic reasons, card cloning will continue to be a problem in the US until more retailers step up, but there are other cybersecurity concerns facing the retail sector this holiday season.
Web application and social hacks
The most successful attack vector hitting retailers in 2017 has been web application exploits, which ties into another key finding of the SecurityScorecard report: retail scored particularly low in terms of application security, ranking 15 out of 18 companies and significantly underperforming compared to the rest of the industry. Apparently, the best way to a retailer’s data is through its website.
That is borne out by the DBIR, which points to web application hacks as the most common cause of data breaches. However, what’s interesting is the type of hack. Customer credentials, stolen in phishing attacks, are the predominant method of web application compromise, it says.
That relates to another point in the SecurityScorecard report: Retailers came dead last in DNS health. This, combined with sub-average scores in protection from social engineering, is creating a potential minefield for retailers who may find themselves more open to domain-spoofing phishing attacks.
Phishing and other social engineering attacks can increase more than threefold during the holiday season, the report claims. The DBIR says that social attacks were used in 43% of all retailer breaches in 2016, and 93% of those involved phishing.
You don’t need DNS spoofing to socially engineer a retail firm, though. Just check out this recreated call that won Veracode’s Chris Kirsch the social engineering prize at Defcon this year.
What makes both social engineering and infrastructure attacks work so well? One of the biggest problems facing retailers is decentralized ownership, says SecurityScorecard. The company argues that poor facilities management is creating weaknesses in stores. If a retailer is letting electricians install wireless access points, for example, then the chances are that they will be misconfigured, creating weaknesses in corporate networks.
So, when you’re off in search of deals this season, follow some basic security guidelines. If visiting a physical store, use your credit card rather than your debit card. Financial institutions typically have a zero liability policy for credit card fraud, and can reimburse you for fraudulent charges. Conversely, debit card scanners can pilfer the funds directly from your account, leading to a more complex process to get your money back.
If shopping online, visit sites directly rather than using search engines. Beware of social media scams and phishing emails, and use different passwords for all services. Finally, avoid using payment cards on public or unsecured Wi-Fi systems.
Hopefully you’ll scoop some good holiday season deals without falling foul of the hackers.