Security Experts:

Attacking the Organism: Retail

My Apple News app recently served up some targeted marketing that really hit home. There before me was the opportunity to purchase a limited-edition 11 Herbs & Spices Firelog from KFC and Envirolog, sold through Walmart. 

Sometimes it’s just plain spooky how these internet algorithms understand us on a deeper level. How did they know I’d been thinking about the broader application organism as it pertains to companies in different industries such as retail, and how the CHEW framework of malicious motivations fits uniquely into each industry? 

After all, here was an online retail opportunity being presented to me through a news app on a mobile phone over a wireless network. With just a few clicks I could have gone to an e-commerce site and entered my personal financial information. In doing so I would have certainly been tracked and counted, with personal data being presumably sent to two major retail corporations, a manufacturer, and their multiple respective marketing agencies. 

In addition to the advertising and sales mechanisms that brought me to this point, there are also all of the other logistics, shipping, warehouse, and inventory systems that are involved in any sale. All of this coming together just in time for the holidays to bring me a fried chicken-scented yule log. 

Today all these processes are expressed as apps. As industries continue to build out new digital experiences, they are moving very quickly, creating ever-expanding organisms consisting of dozens, hundreds and even thousands of applications spanning this entire landscape of functions. 

In retail especially, companies iterate rapidly, pushing out new features and functionality, building targeted offerings and promotions, and in the case of longtime brick-and-mortar shops, transforming to offer more digital services. Those services today are being consumed at a higher volume than ever, with shipping boxes sitting on porches from coast to coast.  

From new in-store experiences, to rich e-tailing, to hybrid services like ordering coffee on the way to the Starbucks on the corner, to managing all the information and inventory on the back end, the entire retail industry today is built on crisscrossing flows of information. 

This means there is risk of malicious actors targeting any given insertion point connecting any app or piece of infrastructure, anywhere. With so much personal information—including high-value targets like financial data and account information—flowing through such dispersed channels, the prime CHEW motivation for attacking the retail organism is of course criminal intent. 

Case in point: The popular server-side language PHP runs on as much as 80 percent of the web, and accordingly, we’ve seen a continual rise in malicious traffic focused on PHP over the past few years. Magento has long been one of the world’s most popular credit processing platforms—so much so that a prolific hacking organization, Magecart, has grown its business on targeting it. 

There are also good old-fashioned confidence scams focusing on consumers. People spend $127 billion each year on gift cards alone, so it’s no wonder that gift card fraud has become a massive threat. The Federal Trade Commission disclosed in November that $74 million in gift card scam losses were reported in the first three quarters of 2019, compared to $78 million in all of 2018—which was up from $40 million in 2017.   

Another big risk for retail organizations is the seasonality of the industry. In 2019, U.S. retailers reported $9.4 billion in online sales during this year’s “Cyber Monday.” 

The importance to retailers of single-day sales moments like Cyber Monday or Black Friday leads to risks that extend far beyond simple theft or fraud. Going back to the CHEW motivations, if an idealistic hacker organization or a hostile foreign power wanted to target major online retailers for a DDoS attack to impact availability, these major shopping events around the holidays would represent a prime opportunity to maximize the damage. 

Targeting those dates for criminal attacks also makes sense, with a large spike in traffic providing air cover for malicious code. This proverbial needle-in-a-haystack situation means that security orgs must be thinking more about how they automate their monitoring solutions and augment those with machine learning and artificial intelligence.   

All these factors are part of the risk portfolio for any retail organization, representing avenues of attack that security pros must look to cut off. Retailers have always been a juicy target for criminal activity, and with the explosion of applications being used for both online and in-store purchases and experiences, the stakes are only growing. 

When it comes to cross-site scripting, formjacking, and Magecart-style attacks, standard protections like a web application firewall are critical. Retailers should also ensure that they are proactively scanning for vulnerabilities in the website, as well as deploying a solution to monitor traffic. 

And when it comes to fighting credit card and gift card fraud, mitigating against bots and automated attacks is just as important as preventing manual attacks and is becoming more so all the time. Organizations need the capability to immediately identify and prevent account takeovers, and also to identify fraudulent accounts after they’ve been created, to mitigate the damage. 

As the application organism for retail continues to expand, understanding the unique risk factors for this industry—and your own unique blend of herbs and spices in terms of app security insertion points—is the key to protecting your customers, as well as your brand.


Related: F5 to Acquire Shape Security for $1 Billion in Cash

view counter
Preston Hogue is Sr. Director of Security Marketing at F5 Networks and serves as a worldwide security evangelist for the company. Previously, he was a Security Product Manager at F5, specializing in network security Governance, Risk, and Compliance (GRC). He joined F5 in 2010 as a Security Architect and was responsible for designing F5’s current Information Security Management System. Preston has a proven track record building out Information Security Management Systems with Security Service Oriented Architectures (SSOA), enabling enhanced integration, automation, and simplified management. Before joining F5, he was Director of information Security at social media provider Demand Media where he built out the information security team. Preston’s career began 18 years ago when he served as a security analyst performing operational security (OPSEC) audits for the U.S. Air Force. He currently holds CISSP, CISA, CISM, and CRISC security and professional certifications.