The Candid Voice in Retail Technology: Objective Insights, Pragmatic Advice

Will Retailers Ever Make Their IT Security Foolproof?


By Ramesh Sethuraman, Guest Contributor

Every year retailers and consumer services companies claim to invest millions in smart IT security solutions. At the same time, every year criminals use more innovative ideas to outsmart these retailers and their security measures. The end result is multiple security breach stories we hear about almost daily.

Sadly, the security breach incidents of 2014 were worse than in prior years. The list of affected retailers and consumer services companies (Staples, Target, The Home Depot, K-Mart, Neiman Marcus, Sally Beauty, Sony, and Bebe) is alarming. While retailers and consumer services companies claim to build fortress walls around their IT systems to handle attacks such as Distributed Denial-of-Service (DDoS), they unwittingly fail to address the weak spots or leave the “back door” wide open.

The recent incident of Hollywood celebrities’ iCloud accounts being hacked is proof that even the world’s leading companies are not secure enough. Sadly, in some cases companies underestimate the attackers and do not prioritize fixing vulnerabilities, which ultimately hurts their end users. It is also true that they are not always aware of those vulnerabilities.

In mid-October 2014, KrebsOnSecurity first reported a suspected breach at the office supply chain Staples Inc. Banks had reported a series of incidents showing a pattern of card fraud, and that pattern suggested that several Staples locations in the Northeastern states had been breached. At the time, Staples said only that it was investigating “a potential issue” and was in touch with law enforcement agencies about it.

In the days before Christmas, Staples finally acknowledged that a malware intrusion at some of its stores earlier in the year had resulted in a credit card breach. The company said some 119 stores were affected between April and September 2014, and that as many as 1.16 million customer credit and debit cards may have been compromised as a result.

Similarly, Park-n-Fly, an Atlanta-based offsite airport parking service that lets customers reserve spots in advance of travel through an Internet-based reservation system, appears to have been breached. As with Staples, multiple financial institutions say they are seeing a pattern of fraud that indicates an online credit card breach has hit Park-n-Fly. If confirmed, it would be the latest in a string of card breaches involving compromised payment systems at parking services nationwide.

Cyber criminals exploit vulnerabilities in old operating systems and software that are exposed to the outside world. They breach corporate networks and siphon off some of a company’s most sensitive data. The recent security breach at Sony Corporation is the most ridiculous and classic example: the company had stored passwords in plain text files! Sony is in deep trouble. Along with potential lost revenue from its movie “The Interview”, it is now facing lawsuits from employees and other groups over alleged digital security negligence.

The FBI, in its preliminary investigation report, suggests that the North Korean government is responsible for the devastating recent attack on Sony Pictures Entertainment. While other parties claim it is not such an open-and-shut case, the US is sticking with its original analysis.

I personally worked with a leading beauty care supply retailer in the United States that stored the personal information of its employees (SSN, address, etc.) in an Excel spreadsheet, kept in a public folder accessible over the intranet, without any password protection! I had warned them about the possibility of this sheet falling into the wrong hands, and the reply was “we trust our people”. I told them, “Trust in God and pray. But tie your horses”. A couple of years later, we are hearing about a breach at that very company, with customer credit card information being stolen!

Many retailers fail to upgrade IT systems such as Point of Sale (POS) terminals, thinking they are safe because they are not connected to external networks. Unfortunately, this is not true in the omni-channel era, and the risk is very high. All systems are interconnected, and if vulnerabilities remain, cyber thieves will find their way to critical data. For example, the courts have ruled that Target had fatal flaws in its systems, such as its POS, that allowed hackers to gain access to business-sensitive information.

Criminals are consistently one step ahead. They target systems in multiple ways to gain access to even the most secure enterprise networks. Some of these include:

a) Free apps – We have heard many stories about fake apps and free apps stealing personal information and account details. In spite of that, retailers’ employees continue to download games and other applications onto their mobile devices.

One interesting thing to note is that many apps look harmless when they are first approved for the various mobile app stores. However, over time, as an app becomes popular, its developers release updates that demand sensitive access rights, and most users grant them by default out of negligence. This is no different from pressing the ‘I agree’ button when companies change their privacy policies or End-User License Agreements (EULAs).

For example, why would a music player app need access to the camera, photo gallery or contacts on your mobile device?

b) Hotspot honeypots – Everyone wants free access to the internet. Unfortunately, many do not realize that free internet is a myth. As soon as one lands at an airport or checks into a hotel, there is a high probability that he or she will search for free Wi-Fi hotspots. In most cases, people even try connecting to dubious hotspots that show up as open networks. Most of these are bait, or honeypot hotspots, set up to make users connect and then steal their information.

Users who connect to free Wi-Fi hotspots without adequate security measures such as anti-virus and anti-intrusion apps ultimately pay a price, sometimes small and sometimes huge!

Recently, a hacker group revealed how they used free Wi-Fi hotspots in hotels and airports to gain access to guests’ devices and collect confidential information. I have personally experienced this when I tried to access the free wireless network of a leading airport in the Middle East. The network was trying to push malware via the proxy server through which the mobile device was connecting to the internet. Caveat emptor.

c) Gadget Trojan horses – The entire store network of a leading deep-discount apparel retailer in the US was hacked because of one employee’s mistake. The employee connected his MP3 player to the USB port of a computer that was part of a secluded intranet used for remote troubleshooting of store systems. A Trojan horse residing on the MP3 player spread to the network and brought down over 20 stores. With the help of security solution companies, the retailer was able to fix the issue, but only after 48 hours of struggle!

USB ports have always been the Achilles’ heel of computers. According to a recent hackers’ report, the only way to avoid the USB vulnerability is to seal the ports physically. In a typical office environment, we see people using USB-powered gadgets such as coffee warmers, USB fans and USB LED lights connected to corporate computers. Unfortunately, many of these gadgets have been found to carry Trojan horses capable of gaining BIOS-level access and spreading through the network. They connect to remote servers and transmit confidential data.

Recently, a UK-based retailer noticed that an unknown program was trying to reach an external network in some other corner of the world. On investigation, the culprit turned out to be the USB-powered gadgets used by its employees.

Solution

The more retailers engage in digital commerce, the more vigilant they need to be in protecting their endpoints from security breaches, which can lead to major financial and customer confidence losses. Retailers need to continuously audit their IT infrastructure for vulnerabilities and replace systems that cannot be fixed (for example, numerous POS applications run on older versions of Windows that Microsoft no longer supports).
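The audit called for above can start from the asset inventory rather than from a scanner. As an added example (not code from the article or from any vendor), the Python script below reads a constructed inventory export and flags every endpoint whose operating system is past vendor end-of-support, rating card-handling POS machines highest, and also flags supported machines that have gone unpatched for too long or whose OS is not in the lifecycle table at all. The hostnames, roles, patch dates and the "ExampleOS" name are constructed; the Windows XP, Windows Server 2003, Windows 7 and Windows 10 dates are Microsoft's public lifecycle dates, while the POSReady 2009 date is an assumption for this example.

```python
"""Flag fleet endpoints whose operating system is past vendor end-of-support.

Added example, not code from the article or any vendor. The inventory CSV below
is constructed sample data in the shape of an asset-management export. In
EOL_DATES, the Windows XP, Windows Server 2003, Windows 7 and Windows 10 dates
are Microsoft's public lifecycle dates; the POSReady 2009 date is assumed and
"ExampleOS" is a made-up name. Maintain this table from the vendor's lifecycle
pages before using it on a real inventory.
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Vendor end-of-support dates keyed by the os_name string used in the inventory.
EOL_DATES: dict[str, date] = {
    "Windows XP": date(2014, 4, 8),            # public Microsoft date
    "Windows Server 2003": date(2015, 7, 14),  # public Microsoft date
    "Windows 7": date(2020, 1, 14),            # public Microsoft date
    "Windows 10": date(2025, 10, 14),          # public Microsoft date
    "Windows Embedded POSReady 2009": date(2019, 4, 9),  # assumed for this example
}

# Constructed sample inventory; hostnames, roles and dates are invented.
SAMPLE_INVENTORY_CSV = """\
hostname,role,os_name,os_version,last_patched
pos-0117-01,pos,Windows XP,SP3,2013-11-02
pos-0117-02,pos,Windows Embedded POSReady 2009,SP3,2019-03-20
bo-0117-01,back-office,Windows 7,SP1,2020-01-14
kiosk-0117-01,kiosk,Windows 10,1909,2019-09-01
bo-0117-02,back-office,Windows 10,1909,2020-01-20
svr-hq-03,server,ExampleOS,4.2,2020-01-25
"""


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    role: str          # "pos", "back-office", "kiosk", "server", ...
    os_name: str
    os_version: str
    last_patched: date


@dataclass(frozen=True)
class Finding:
    hostname: str
    role: str
    severity: str      # "critical", "high" or "medium"
    reason: str


def parse_inventory(text: str) -> list[Endpoint]:
    """Parse a CSV export with a header row into Endpoint records."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Endpoint(
            hostname=row["hostname"].strip(),
            role=row["role"].strip(),
            os_name=row["os_name"].strip(),
            os_version=row["os_version"].strip(),
            last_patched=date.fromisoformat(row["last_patched"].strip()),
        )
        for row in reader
    ]


def audit(endpoints: list[Endpoint], as_of: date, max_patch_age_days: int = 90) -> list[Finding]:
    """Return one finding per endpoint that is unsupported, of unknown support
    status, or supported but not patched within max_patch_age_days."""
    findings: list[Finding] = []
    for ep in endpoints:
        eol = EOL_DATES.get(ep.os_name)
        if eol is None:
            # Unknown OS: we cannot prove it is supported, so it needs a human look.
            findings.append(Finding(ep.hostname, ep.role, "medium",
                                    f"{ep.os_name} not in lifecycle table; verify support status"))
        elif eol <= as_of:
            # Card-handling endpoints get the top severity: no more vendor fixes will come.
            severity = "critical" if ep.role == "pos" else "high"
            findings.append(Finding(ep.hostname, ep.role, severity,
                                    f"{ep.os_name} unsupported since {eol.isoformat()}; replace or isolate"))
        elif (as_of - ep.last_patched).days > max_patch_age_days:
            age = (as_of - ep.last_patched).days
            findings.append(Finding(ep.hostname, ep.role, "medium",
                                    f"supported but not patched for {age} days"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by severity, e.g. {'critical': 2, 'high': 1, 'medium': 2}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    report = audit(parse_inventory(SAMPLE_INVENTORY_CSV), as_of=date(2020, 2, 1))
    order = ("critical", "high", "medium")
    for f in sorted(report, key=lambda f: order.index(f.severity)):
        print(f"{f.severity:8} {f.hostname:14} {f.role:12} {f.reason}")
    print(summarize(report))
```

Run against the sample with an audit date of 1 February 2020, the two POS machines on XP and POSReady 2009 come out critical, the Windows 7 back-office machine high, and the stale kiosk and the unrecognised server medium; the freshly patched Windows 10 back-office machine produces no finding. Treating an unknown OS as a finding rather than silently passing it is the deliberate choice here: an inventory that cannot say what a machine runs is exactly the gap the article describes.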

While retailers back up their data in remote locations as part of their business continuity and disaster recovery process, they are not prepared for situations such as their entire POS network across all stores being down. In such a situation, they have no fallback procedures to continue the checkout and billing processes. Retailers need to think seriously about such situations and be prepared to handle them. This was once standard operating procedure; now it is a rarity.

Mobility is a reality, and almost all enterprises are now on board with BYOD to reduce their capital spend (Cap-Ex) on devices while making things more convenient for employees. However, they still need to invest in adequate security measures such as mobile endpoint security. In addition, they need to make sure employees are cognizant and vigilant about these threats and aware that such security incidents could cost them their jobs.

Also, every individual (employee or not) who wants to order cheap non-branded gadgets or spare micro-USB chargers for their mobile devices should think twice and buy reliable brands instead. The initial cost of the former may be lower, but the probability of paying a heavy price later is much higher.

Conclusion

The recent security breaches are a repeated wakeup call for retailers and consumer services firms, who should no longer press the snooze button on the alarm as they have done in the past. Retailers need to get serious about digital security, updating their policies and procedures, and not wait for an incident to happen. Let us hope that retailers resolve to be more secure in 2015.


References:

1. Staples: 6-Month Breach, 1.16 Million Cards. http://krebsonsecurity.com/2014/12/staples-6-month-breach-1-16-million-cards/
2. Staples Provides Update on Data Security Incident. http://staples.newshq.businesswire.com/press-release/corporate/staples-provides-update-data-security-incident
3. FBI: North Korea to Blame for Sony Hack. http://krebsonsecurity.com/2014/12/fbi-north-korea-to-blame-for-sony-hack/
4. Banks: Credit Card Breach at Staples Stores. http://krebsonsecurity.com/2014/10/banks-credit-card-breach-at-staples-stores/
5. Retail Security Breaches 2014: Home Depot, Target Should Have Stronger Countermeasures, Experts Say. http://www.ibtimes.


Newsletter Articles January 6, 2015