Today’s consumers are beginning to experience the conveniences of having tableside payment kiosks in busy restaurants and store employees equipped with Point-of-Sales (POS) devices on the floor during peak shopping times.
While these technologies make for much shorter waiting times and are examples of how the Internet of Things (IoT) is improving customer experiences, they also bring with them serious security vulnerabilities.
These smarter and more intuitive experiences give malicious actors opportunities to access private payment card data and other highly sensitive information. As a recent rash of retail chain breaches showed, the use of malware to compromise Point-of-Sale (POS) systems is becoming more popular.
Many national retail chains have made headlines after having their payment systems breached, exposing information pertaining to millions of customers. The Ponemon Institute found that in 2014, the average total cost of an organizational data breach was $5.4 billion, up from $4.5 billion in 2013. And it’s not just significant financial costs that are of concern; as many as 508,000 jobs are lost in the US because of malicious online activity.
So, why are POS attacks growing increasingly popular? It’s because criminals believe that using malware to steal sensitive payment card data from POS systems is more effective than stealing it directly from e-commerce merchants.
Attackers have become cleverer at finding their way into retailer networks, often through paths outside the retailer's control, such as the networks of third-party vendors that have access to retailer systems. By understanding the following three trends, retailers and third-party vendors can implement strategies that better protect consumer information:
1. Larger, Internet-Enabled Attack Surface: Retailers are constantly looking for ways to leapfrog competitors by connecting with their consumers. In-store kiosks, mobile apps and even free Wi-Fi are used to bring in customers and keep them connected, serving contextual and personalized experiences. Many of these devices and in-store systems are connected to the Internet and to the same network as the in-store POS systems. While this makes for faster transactions, new sales opportunities and richer experiences for customers and employees, it also creates more entries to corporate networks.
As the IoT evolves, the retail landscape will continue to experience attacks as we move beyond the traditional POS register. Handheld devices for checkouts, movie-ticket machines and any other devices connected to a corporate network are just a few examples. Attackers are keenly aware of these and work to exploit them to gain credit card and other sensitive consumer data.
2. Resource Limitations: Historically, fewer security resources have been dedicated to protecting payment systems. However, as this trend of attacks has surfaced, it has become vital that IT ensures an appropriate amount of resources is dedicated to protecting payment systems and understanding their points of entry.
After reviewing a sample of networks, Cisco detected connections to domains that are known malware sites on 100 percent of those networks. This finding underscores that vigilance is required of retailers to protect customer payment information. The vital first step is protecting processed card information at rest, while also detecting malware and malicious activity on these networks.
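The detection described above, connections from inside the network to domains already known to be malicious, is simple to put into practice once DNS or proxy logs are being collected. The following is an added example, not Cisco's tooling or anything from the original post: it reads constructed DNS query log lines, matches each queried name (and any subdomain of it) against a constructed blocklist of placeholder domains, and flags matches that originate from an assumed POS subnet (10.20.5.0/24) as higher severity, since a POS terminal resolving a known malware domain is exactly the exfiltration precursor the post warns about.

```python
"""Match DNS query logs against a known-malicious-domain list and flag hits
from the POS network segment.

Added example with constructed data: the blocklist, the POS subnet and the
log lines are all placeholders, not real indicators.
"""
import ipaddress
from dataclasses import dataclass

# Constructed blocklist of placeholder domains (assumption: this would be fed
# from a threat-intelligence source in a real deployment).
MALWARE_DOMAINS = {"bad-updates.example", "c2-relay.example.net"}

# Assumption: POS terminals live in this subnet.
POS_SEGMENT = ipaddress.ip_network("10.20.5.0/24")

# Constructed DNS log lines in the form "<timestamp> <client_ip> <queried_name>".
SAMPLE_LOG = """\
2014-11-03T09:12:04Z 10.20.5.17 time.windows.com
2014-11-03T09:12:09Z 10.20.5.17 cdn.bad-updates.example
2014-11-03T09:13:41Z 10.30.8.4 c2-relay.example.net
2014-11-03T09:14:02Z 10.20.5.21 payments.acquirer.example
malformed line here
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    client: str
    name: str
    matched: str        # the blocklist entry that matched
    in_pos_segment: bool


def domain_matches(name, blocklist):
    """Return the blocklisted domain that `name` equals or is a subdomain of,
    or None. Walks from the full name up to the apex so that
    'cdn.bad-updates.example' matches 'bad-updates.example'."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def parse_line(line):
    """Parse one log line; return (timestamp, ip, name) or None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ts, ip, name = parts
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None
    return ts, ip, name


def scan_log(text, blocklist=MALWARE_DOMAINS, pos_segment=POS_SEGMENT):
    """Return a Finding for every query that resolves a blocklisted domain.
    Malformed lines are skipped rather than aborting the scan."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, name = rec
        hit = domain_matches(name, blocklist)
        if hit:
            in_pos = ipaddress.ip_address(ip) in pos_segment
            findings.append(Finding(ts, ip, name, hit, in_pos))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        severity = "HIGH (POS segment)" if f.in_pos_segment else "MEDIUM"
        print(f"{severity}: {f.timestamp} {f.client} queried {f.name} "
              f"(matches {f.matched})")
```

The subdomain walk matters in practice: blocklists are usually published at the registered-domain level, while malware typically resolves hostnames beneath it, so an exact-match lookup would miss most real hits. Tagging hits by source segment is what turns a raw match into something an operator can prioritise.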
3. The Role of Third-Party Vendors: These partners are heavily used within the retail industry for a variety of services, including data storage, payment processing, and even the management of physical plant functions like heating and cooling in the retailer’s brick-and-mortar stores. Because these third-party vendors have access to the retailer’s networks, they can increase the risk of a breach occurring, especially when third-party vendors provide support for POS solutions.
Email phishing is one of the ways third-party vendors are compromised in order to gain access to retailers' networks. Episodes like these emphasize the importance of choosing third-party vendors who apply rigorous security measures to their own networks. It's important to find vendors that meet or exceed the standards the retailer would hold for its own networks. Once breached, a third-party vendor's staff can unknowingly become the carriers who introduce malware to retail POS systems; all it takes is an employee opening an email, unaware that it is a phishing scam, to compromise a network. CIOs and CSOs need to evaluate all entry points to network access and work to secure them.
After numerous POS security breaches have made news and exposed customer information, retailers should consider how the POS system has evolved and evaluate how the security measures protecting these systems should change with it. Breaches no longer occur exclusively at the POS register; networks are the pathway attackers use to infiltrate and reach POS systems. With the expanded attack surface, simply introducing new retail-oriented devices in a store can increase the risk of POS network compromise.
To combat these trends and their potentially devastating effects on a retailer, organizations with POS systems should assume that malware is already present – and recognize that the risk to their brand's reputation is directly tied to preventing that malware from exfiltrating valuable customer information from their network.
Protecting customer information boils down to:
- Putting more resources into protecting customer data
- Partnering with third-party vendors to create a protected network
- Understanding where customer information is stored and who has access to it
As consumers gain confidence that their information is protected, CIOs and CSOs have a unique opportunity to influence and protect brand reputation, adding value to their roles while increasing the significance of the work their departments perform.
It’s unlikely that hackers will reduce their usage of malware to gather and steal sensitive payment card data, but a bit of offense can help reduce the risks to retailers and their customers as well.