The sector has been hit by more data breaches than any other this year as criminal groups devise more advanced hacking methods, says threat intelligence company IntSights.
With the holiday season underway, retail companies are busy trying to attract customers with sales and promotions. At the same time, another group will be busy but with more nefarious intentions, and those are cybercriminals targeting the sector.
In fact, the retail industry is the most vulnerable one for cyberattacks with more incidents recorded this year than against any other sector. A report released Thursday by IntSights describes some of the threats facing retail companies and how they can better protect themselves.
SEE: The Future of Retail (Free PDF) (TechRepublic)
One of the top threats that retail companies face are cybercriminals in the form of organized retail crime (ORC), IntSights said, costing retailers around $30 billion each year. These criminal groups procure large sets of leaked credit card numbers and personal information from the Dark Web. After acquiring this information, they can make hundreds of illegal purchases across retail websites before the banks even step in.
One method favored by ORC is carding, a type of credit card fraud in which a stolen card is used to charge prepaid cards. The "carders" who obtain stolen cards are able to upload them to a website, which then sells them anonymously and at huge discounts to their customers. This type of scam costs retailers millions of dollars in lost sales from both the gift cards and the products they're used to purchase, according to IntSights.
Another popular method is card-not-present (CNP) fraud, a type of scam in which the customer doesn't have to physically present the card to a merchant during a transaction. Typically occurring online, this kind of fraud has risen due to the increased popularity of e-commerce sites. To fight this type of crime, many online retailers now require the CVV code from the card during a transaction. However, even CVV codes are now available on the Dark Web.
In fact, full profiles of victims with their ZIP codes, PINs, and CVVs are worth more on the Dark Web because they help criminals more easily sneak past any security measures on a retail site. The Dark Web is home to many marketplaces that sell such credit card information, including one known as the Jokers Stash, according to the report. The underground credit card theft industry even works like a regular business with customer support and user reviews.
Keeping up with security
Online retailers also put themselves at risk by not keeping up with the latest security developments and advances. Many retailers still are behind at updating their legacy security systems, which makes them a prime target for hackers and cyberattacks. Cybercriminals also take advantage of compromises in retail web apps from which they can use account takeovers, digital skimming, and code injection to steal credit card data.
But traditional brick-and-mortar retail stores are far from immune to data loss and theft. Thanks to advances in security, incidents involving point-of-sale (POS) systems have decreased over the past year. But criminals still go after POS systems through malware, specifically memory-scraper trojans that scan for, obtain, and exfiltrate card data from the POS equipment.
Sophisticated cybercrime groups such as FIN6, FIN7/Carbanak Group, and FIN8 have done quite well targeting retailers with POS malware. However, such malware kits are available on the Dark Web, allowing anyone to launch this type of attack. Retail stores also suffer financial losses from employee theft, shoplifting, paperwork errors, and supplier fraud, forcing them to invest more money in loss prevention technology.
To better protect themselves against cyberattacks, retail companies should consider the following recommendations from IntSights.
- Begin by building a solid foundation. Migrate data to a secure infrastructure. Encrypt your point-of-sale and card systems and processors.
- Monitor threats where the cybercriminals gather. External threat intelligence is a critical part of an effective security strategy. The best way to mitigate a threat is to ensure it never develops into a full-blown attack. Automated external threat intelligence solutions give security teams the ability to identify and validate a threat targeting their organization and stop it before it causes any damage.
- Marry loss prevention with cybersecurity. Train your loss prevention employees and have them involved in providing intelligence to your cyber protection teams. Don't wait for an incident. Proactive defense and teamwork are critical in the retail industry.
- The retail industry CANNOT afford to be non-compliant. Find out what compliance is required for your retail locations and make sure you have a team keeping up with this effort as laws change and threats evolve. Now is the time to launch this effort, not after a significant fine cripples your business.
"Monitoring the Dark Web for criminal threats to the retail industry should be a priority," Charity Wright, cyber threat intelligence adviser for IntSights, said. "In order to defend forward, we must know the humans behind the threat, what their plans and targets are, and what tactics they will use against retailers. Having that visibility allows retailers to get ahead of the threat and defend their assets before they are compromised, taking control back from the criminals."
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Mastermind con man behind Catch Me If You Can talks cybersecurity (TechRepublic download)
- Windows 10 security: A guide for business leaders (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- The best password managers of 2019 (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)