Reducing the likelihood of retail cyberattacks


Data breaches involving credit and debit card information tend to be the costliest cybercrime incidents for retailers because of the notification requirements, regulatory scrutiny, litigation and surrounding media coverage of the events, says Kimberly Peretti, an attorney and information security expert for more than 15 years.

Kimberly Peretti

But Peretti says data breaches aren’t the only cybercrimes retailers face: Ransomware, crimeware, malvertising and phishing/spamming attacks are all also on the list.

Peretti, who will be a keynote speaker at this year’s NRF PROTECT loss prevention conference in Washington, D.C., June 26-28, has served as a litigator with the U.S. Department of Justice’s Computer Crime and Intellectual Property Section and as director of the Cyber Forensics Services Group at PricewaterhouseCoopers.

Currently, she is co-chair of the cybersecurity preparedness and response team at the law firm Alston & Bird in Washington, D.C., where she helps companies respond to cyberattacks.

Learning the Language

The field of cybercrime is dynamic, with criminals working hard and fast to defeat the defenses retailers employ. In just the last few years there has been an evolution in cybercrime and the activities of its perpetrators.

“Today there is more phishing and use of stolen credentials than manipulating computer code in order to access systems,” Peretti says. “There are more threat actors who are capable of sophisticated attacks, including attacks that may be disruptive and destructive in nature.”

Even as crimes and criminals evolve, however, “we have seen criminals continue to exploit common vulnerabilities and target the same type of data for resale on the black market,” she says.

Hacking attacks and data breaches occur in many industries, but incidents that involve retailers grab a disproportionate share of headlines because the brand names are instantly recognizable to reporters and the public. In fact, retail accounts for only 8 percent of data breaches, according to the 2016 Data Breach Investigations Report from Verizon; 35 percent occur at financial services companies.

Peretti says the majority of retailer breaches are limited to the theft of payment card data, rather than more sensitive personal information held by other types of businesses. She says merchants are targeted because the point of sale is “where the data can be found for a very brief moment in an unencrypted form.”

The National Retail Federation says retailers use extensive encryption, tokenization, firewalls and other technology to protect data while it is stored in their computer systems. But NRF says they are forced to decrypt it when the transactions are transmitted for processing because the card industry has refused to set up encrypted systems for that portion of the process.

Data breaches first began to draw widespread attention after hackers allegedly led by Albert Gonzalez breached a wireless network operated by retailer TJX in 2005. Authorities said Gonzalez and his cohorts would troll shopping centers in South Florida using a powerful antenna to uncover networks, then use high-tech criminal skills to overcome security measures.

By the time Gonzalez was apprehended in May 2008, Peretti was well acquainted with him. Ironically, he had worked as an informant for the U.S. Secret Service on cases involving ATMs and international money laundering. Peretti had learned about him while she was with the Justice Department and worked with the Secret Service’s Electronic Crimes Task Force. By late 2008, Peretti was preparing the prosecution against him.

Faced with indictments in multiple jurisdictions and charges involving hacking more than a dozen retailers and other businesses, 28-year-old Gonzalez pleaded guilty in 2009 to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud and aggravated identity theft. He was sentenced to 20 years.

Peretti said she learned a lot from Gonzalez when he was an informant.

“Albert was an educator,” Peretti told The New York Times Magazine, which ran a cover story about his criminal activities.

“We had to learn the characters, their goals, their techniques. Albert taught us all of that.”

Recognizing Vulnerabilities

After years of investigating and prosecuting cybercrimes, Peretti is in a position to help businesses deal with issues such as privacy, financial crime, fraud, regulation, economic espionage and intellectual property theft.

Along the way, she has developed a broad awareness of what typically goes wrong for retailers as they try to protect both their data and that of their customers. Peretti has also developed a hierarchy of actions retailers can take to reduce the likelihood of becoming an attack victim.

It doesn’t take much to become a victim in an area where it isn’t just attacks that get the attention of authorities. Merely identifying vulnerabilities in information systems has generated regulatory activity and even litigation.

Peretti suggests that businesses can address the issue by conducting vulnerability assessments. She also recommends having a formal system in place — a vulnerability management system — for addressing identified vulnerabilities.

“Internal testing may also be supplemented by a ‘bug bounty’ program, or at minimum, a process for receiving, reviewing and, as necessary, remediating vulnerabilities reported by third parties,” such as customers or vendors, she says.

Businesses can also monitor and track vulnerabilities identified by security researchers in white papers or reported in the news, since not addressing these publicly known issues could lead to scrutiny from regulators, Peretti adds.

Ignoring alerts about vulnerabilities could lead to unpleasant consequences. “The current legal liability landscape increasingly demands active and even proactive engagement with vulnerability management,” she says.

Businesses sometimes develop cyber incident response plans but often fail to test the plans, Peretti notes.

“Just as there is no perfect plan, there is no one-size-fits-all testing technique,” she says. “Plan testing is largely an art, not an absolute science.”

Peretti suggests “start small, work to big,” meaning start with a training exercise, follow that up with a “walk-through” and eventually work up to a “near-live-fire” simulation.

International Challenges

When testing cyber incident response plans, Peretti emphasizes that companies must understand what they are trying to test. They should also choose the facilitator/moderator carefully, use real-world scenarios and incorporate international elements into their scenarios.

She says companies shouldn’t script the entire exercise (or share the script with participants) but also cautions against being too informal. Each participant should have a role, and the scenario must be connected to the plan.

The point about including international elements comes from real-world experience, since investigations into cybercrime networks frequently lead off-shore.

“While international cybercrime investigations present additional challenges to overcome, federal law enforcement agencies and the Department of Justice have made great strides in being able to overcome these challenges in recent years,” Peretti says.

“Sometimes victims of such crimes perceive no immediate results or no results at all, but it is often the case that international investigations can take years to yield any results.”

“At the same time,” she says, “criminals are also taking advantage of techniques such as encryption and specializations, for example, that are making it harder for law enforcement to pursue cybercriminals, whether international or domestic.”

Evaluating Concerns

The FBI has identified several types of specialist cybercriminals: coders, programmers, vendors, techies and hackers who search for and exploit application, system and network vulnerabilities to gain administrator or payroll access.

There are also fraudsters who create and deploy social engineering schemes, including phishing, spamming and domain squatting; hosters who provide “safe” hosting of illicit content servers and sites; and “chasers” who control drop accounts and provide those names and accounts to other criminals for a fee.

The list also includes “money mules,” individuals who often travel to the United States on student or work visas to ply their trade; tellers who help with transferring and laundering illicit proceeds through digital currency services as well as between different world currencies; and leaders, many of whom don’t have any technical skills at all but are the “people people,” Peretti says.

With overseas operatives capable of hacking anywhere in the world, newer technologies involving such things as mobile applications, social media, cloud storage and the Internet of Things raise new challenges for businesses concerned with cybersecurity.

“Once businesses are ready to push out new products and services, it is hard to slow down to evaluate whether there may be any security concerns,” Peretti says. “However, the concept of building security as you go — or ‘security by design’ — is gaining traction, although we still have a way to go.”

Shifting Consequences

In some cases, hacking incidents might not particularly harm the victimized entity but could still cause serious disruption for others. Using IoT as an example, Peretti notes that a toaster in someone’s home might be hacked and become part of a botnet used to take down servers at a business.

“The consumer might not care, or even know that the toaster was hacked,” Peretti says. “How do you shift the consequences to the sources of the hacking rather than the end victims?”

Even as new technologies are developed, they are covered by a patchwork of out-of-date laws and regulations. Most states have breach notification statutes, some quite different from others, making it challenging for multi-state businesses like retail chains. NRF has asked Congress to pass a uniform national data breach law that would supersede state laws. NRF says such a law needs to apply to all entities that handle data, not just retailers.

“While there is nothing definite on the horizon, federal breach notification legislation has been a topic of discussion in Congress for years on both sides of the aisle, given the proliferation of varied state laws and regulation in the area,” Peretti says.

“Along those lines, one of the obstacles facing any such legislation is the issue of state law preemption. It would be difficult to put a number on the probability of a federal statute actually passing in such a complicated statutory environment, but federal data breach notification laws are likely to get at least some congressional attention.”

David P. Schulz has been writing for STORES since 1982 and is the author of several non-fiction books.
