In the physical world, there were — and still are — multiple ways thieves and fraudsters could plague retailers. Adding digital sales channels increases opportunities for additional sales, but also increases the complexity of challenges for loss prevention and asset protection personnel. Though no one knows what next year has in store, here are some thoughts experts provided to STORES as to some major cybersecurity concerns facing retailers in 2020.
Senior Director of Retail Technology and Cybersecurity
National Retail Federation
Retailers continue to improve their cyber defenses, but new types of threats are leading to different kinds of cyber incidents than we’ve seen in the past. A few years ago, the greatest cyber risks were associated with the point-of-sale terminal in the store. As security has improved at the POS and in the payments system, cyber criminals are focusing on other means of compromise such as digital skimming of ecommerce websites, which uses malicious third-party code to steal sensitive customer information during a transaction.
Retailers also face new risks from the use of cloud services within their IT systems. While cloud technology offers some clear advantages over on-premise IT from a security standpoint, there are still risks of compromise due to misconfiguration, and new challenges from a management and compliance standpoint.
The introduction of 5G cellular technology into the store in the coming years will also have important security implications that retailers need to prepare to address. 5G will allow retailers to deploy tens of thousands of internet-connected sensors and devices in a single store, potentially delivering significant enhancements to productivity and the customer experience. But the 5G-enabled store also expands the number of entry points for cyber adversaries, and retailers need to consider and mitigate these risks as part of their broader in-store technology strategy.
Senior Vice President of Global Marketing
One growing trend in retail is about creating a comprehensive online-to-offline shopping experience. Consumers are increasingly encouraged to create an online profile using retailers’ apps or websites, and provide personal and financial information in exchange for rebate coupons, special offerings and access to preferred VIP perks. Creating such an integrated shopping experience comes with great cybersecurity risks that must be addressed from the beginning.
A good online-to-offline shopping experience can be compelling. How many Starbucks customers use the company’s app to get perks, order and pay for their beverages? Who isn’t signed up for loyalty programs from their favorite restaurants, hotel chains or retailers? The amount and sensitivity of data consumers share with their favorite retailers is very appealing to hackers and fraudsters. The news of major security hacks and customer data leaks are as frequent as scary. Consumers’ privacy is compromised, and retailers’ reputation is at risk.
As providers of CyberLink FaceMe, one of the world’s top facial recognition solutions, we are in contact with a growing number of retailers and technology providers. FaceMe can create a highly personalized online-to-offline shopping experience, for example, by recognizing opted-in VIPs the moment they set foot in a store. At the same time, facial recognition is one of the safest and most affordable means of authentication, ensuring a customer’s data and use of that data is safe, be it online or when visiting a store. We expect interest in facial recognition technology will exponentially increase in the coming year.
Former FBI Senior Computer Scientist; Senior Director of Counterintelligence
Retailers will increasingly have to contend with more organized, professional and advanced cybercrime groups that may also exist within a larger criminal hierarchy. This will make a variety of attacks more difficult for them to detect or remediate in time before the hackers are able to cause significant financial damage.
Of particular concern are the ongoing attacks on point-of-sale systems, which continue to evolve. Cybercrime groups like FIN 6, 7 and 8 set the standard for these types of attacks and indicate the overall direction this kind of organized activity is heading toward. The growing sophistication of these groups, and their increasing collaboration with one another, is a game-changer for retailers as it drastically increases the likelihood of a severe breach and the financial damage that could result.
Of particular concern are the ongoing attacks on point-of-sale systems, which continue to evolve.
From a practical standpoint, retailers need to realize they will face an increasing number of insidious attacks on their POS that they will have a much harder time detecting. They will also face new challenges during the incident response period, since these groups are likely to drop multiple “implants,” some of which will be backups in case the initial ones are discovered by the remediation team. These groups can be stopped, but it requires a more diligent effort on behalf of the industry, with a stronger emphasis on good threat hunting.
Governance, Risk Management and Compliance Practice Lead
Retailers should expect to see a continuation of most of the major threats we’ve seen over the past few years, like point-of-sale attacks, distributed denial-of-service, ransomware, phishing emails and the like. The other big issue is vendor security, as many of the breaches we see actually originate from the hack of third-party companies that have access to the retailer’s network.
“Modular” malware is an evolving threat that retailers also need to be preparing for, as these attacks are now surging. Compared with traditional malware, which is a single attack, modular malware is like a cluster bomb: It enables multiple stealthy attacks from inside the retailer’s network, many of which the company will not be able to detect. It essentially creates a persistent backdoor inside the network, and is then able to import new malware over any period of time to attack the company, or
In this way, just one modular malware infection can lead to a host of problems for the retailer: customer data breaches, employee account takeovers, malicious spam originating from the retailer’s domain, ransomware cryptominers and much more. Modular malware hides the initial infection through “fileless” injection and other crafty techniques, and it can scan the retailer’s network to adapt to its security.
I’m worried we are going to start seeing sophisticated attacks on the retail perimeter — think internet of things, building automation systems, all of the “connected” devices retailers and other companies are now importing into their operations to improve efficiency, productivity and data assessment. In the vast majority of cases, these devices are insecure from the time they roll off the production line — and they become even more vulnerable as time goes on, because they are difficult to patch or to even monitor for security problems once out in the field.
They become a huge blind spot for companies, and this is how criminals can slip in to attack the company from within a trusted device or connection, behind the firewall where a retailer’s defenses are at their weakest. There is a great example from a couple of years ago: Hackers breached a Las Vegas casino by first compromising a smart thermometer in a lobby fish tank. This may sound extreme and far-fetched, but it’s not.
As bricks-and-mortar retailers modernize their facilities and networks, they will increasingly rely on “smart” devices to do so, all of which expose them to innumerable hazards which they aren’t even aware of. It basically turns the retailer’s network into Swiss cheese — and hackers will lose no time in exploiting it.
David P. Schulz has been writing for STORES since 1982 and is the author of several non-fiction books.