Retail Cyber thieves: Targeting retailers for easy money
Few business sectors today have managed to escape the notice of cyber thieves, but the retail industry has the dubious honour of being the most popular target for hackers looking for payday.
Our 2016 Trustwave Global Security Report, which investigated hundreds of data breaches around the world, found the retail sector to be by far the most under attack. 23 per cent of all the cases we investigated were in the retail industry, followed by 14 per cent in hospitality and 10 per cent in the food and beverage industry.
One of the reasons retail is such a popular target is that a successful breach provides access to a wealth of data that can be used for a variety of lucrative activities. Payment card data can be used to launch campaigns of fraud and theft against victims, making it a valuable commodity on the black market, especially when acquired en masse.
In 60 per cent of all of the incidents we investigated, hackers were targeting payment card data, split more or less evenly between card track (magnetic stripe) data acquired from point-of-sale (POS) environments, and card-not-present (CNP) data primarily from e-commerce transactions.
Hackers have also shifted their focus to keep pace with consumer shopping trends, with the data held by e-commerce now the main priority. In total, 81 per cent of all the retail incidents we investigated were targeting CNP data used in online transactions.
Vulnerable technology
Retail data can also be targeted in a number of ways. In the physical retail environment, data can be accessed from the dedicated cash registers where businesses accept payment for in-person retail transactions. POS terminals process payment cards using magnetic stripe scanners and smart card readers. Most run versions of the Windows Embedded or Linux operating systems customised for POS devices, and they are usually networked to transmit card and sale data to a centralised location and/or a financial institution.
In the online environment, attackers primarily target web server infrastructures dedicated to websites that process payment information and/or personally identifiable information (PII). Just like any organisation, retailers are also vulnerable to corporate and internal network environments that comprise enterprise networks in general. Aside from all the other valuable internal corporate data on the network, these frequently include sensitive data that was originally collected in a POS or e-commerce environment.
Where to start with cyber security
The retail security landscape moves so quickly that attempting to counter specific threats is often futile, and our research has found many of the prominent POS malware families of 2014 had lost ground by 2016. Instead, it’s much more effective to guard against the common attack vectors they employ. For example, most of the top POS malware families are simple memory scrapers that search for card stripe data, sometimes dumping the contents of RAM to disk before reading it.
The Payment Card Industry Data Security Standard (PCI DSS) provides a strong base that can cover off many of the vulnerabilities exploited by attackers – but businesses should think beyond PCI compliance and adopt additional security tools and practices for better data security. Simple good practice can shut down most potential threats before they begin. External and internal scans should be carried out to proactively find and remediate vulnerabilities. Scans should be carried out at least once a year, or after any significant upgrades or changes to infrastructure.
Poor password practice continues to be a major factor in data breaches, contributing to 13 per cent of all of the corporate and internal network intrusions we investigated. All personal computers, servers, firewalls, routers and other network devices should follow password complexity requirements, and should be changed at least every 90 days. They should also be changed when an employee leaves the company.
Defences must move with the times
Anti-virus software must be kept current and in-license on all systems and set up to update virus definitions so that new threats are detected. If a system is infected by malware, it should be fully rebuilt to ensure the removal of the threat.
Retailers should be making use of hardware-based firewalls that provide stateful packet inspecting (SPI) capabilities to properly restrict inbound and outbound access to and from the network. Any system connected to a payment processing environment should also not be allowed normal web browsing access, to reduce the chances of encountering harmful malware. All firewalls should also be audited for accessible ports and services.
Systems should be configured based on industry-standard best practices, and no unauthorised modifications, such as external storage devices or unsupported software, should be allowed. A strong change control process should be in place to track all changes. Windows environments should be configured to clear the pagefile.sys on reboot, and have restore points disabled – two features that can be manipulated by malware to enable it to remain on the system.
The combination of valuable data and potential technological exploits means that retailers will continue to be a top target for cyberattacks, so the sector must ensure that security is a top priority. The steps outlined above will give provide a good starting point, but organisations must ensure they have a dynamic strategy that takes new technology and threats into account if they are to keep themselves – and their customers – safe.
Lawrence Munro
Director at Trustwave
