“The retail industry is experiencing more breaches than any other industry in 2019,” starts a new report on threats to the retail industry. This is somewhat surprising to those accustomed to see healthcare, education, manufacturing and finance at the head of breach statistics. Nevertheless, retail as a breach sector is growing rapidly.
Earlier this month, Risk Based Security issued findings placing retail second only to healthcare for the number of breaches reported in Q3 2019 (307 against 343). For the whole of 2018, the same company had finance, healthcare and public sector as the three most breached sectors, with retail coming in only at number 5.
Given this growth in retail breaches during 2019 so far, and the approaching holiday online buying season, it would not be surprising to see retail at the head of breach statistics by the end of the year.
The attraction of retail for criminals is obvious. Criminals go where the money is, and the population is spending increasing fortunes online. On Cyber Monday 2018 alone, $7.9 billion was spent online. The problem, according to IntSights (PDF), is that retailers are spending their budgets on improving their e-commerce platforms to receive money while neglecting to invest adequately in advanced security protocols to safeguard the data behind that money. “This trend,” says IntSights, “makes retail one of the most vulnerable industries for cyberattacks.”
Retailers face four primary challenges. Three are directly related to cybersecurity while the fourth could be reduced using cybersecurity principles. These are organized retail crime (ORC), network-based threats, the cost of compliance — and fourthly, the cost of shrinkage and store-based thefts.
ORC costs retailers in the region of $30 billion each year through stolen credit card data and other assets. Much of this is through subsequent carding and card-not-present fraud (CNP). To a degree, and at least partly accounting for the rise in online retail attacks, the rise in CNP is a side-effect of the move from magnetic stripe bank cards to EMV cards. Card present fraud has become harder, tipping criminals towards online CNP fraud. CNP does not require the criminal to have the actual or a cloned card — all that is necessary are the relevant card details, which can be stolen online.
But something isn’t working. Around the turn of the century, card issuers began to add a three- or four-digit card verification value, or CVV. The purpose of the CVV on EMV cards is to prove that the customer is holding the card (that is, it is not just stolen credentials) during CNP purchases. For this to work, the CVV must never fall into the hands of the criminal — and the PCI DSS security standard, to which all companies accepting card payments must adhere, states “Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization.” (Requirement 3.2.2.)
However, IntSight’s report notes, “Unfortunately, though, many stolen cards sold on the dark web include the CVV code.” The card details, the CVV code, and personal information are often combined and sold as ‘fullz’ on the dark web. “If a retailer requires a customer to enter the zip code, CVV, and a PIN, and the criminal has that information on hand, it will be relatively easy to utilize the card without problems.” (PINs, like CVVs, are prohibited from storage by PCI DSS.)
The question then becomes, how do the criminals acquire this data? Two obvious routes are skimming RAM data from payment devices before it is encrypted, or by stealing databases where retailers are storing more data than they should. The latter is given more credence since the CVV is not generally required for card present purchases through payment devices.
The second threat to retail from organized crime is ‘carding’. Carding, says IntSights, “is a form of credit card fraud in which a stolen credit card is used to charge prepaid cards.” Examples given by IntSights (from the Bitify carding store) offer $50.00 NYX cosmetics cards for $12.00, and $50.00 RibCrib cards for $10.00.
IntSights obtains its insights through the nature of its work. It continuously monitors its customers’ external profile across the surface and dark web. “Our bread and butter,” cyber threat intelligence advisor Charity Wright told SecurityWeek, “is the dark web, where the majority of our automation is working to collect intelligence. Our analysts watch trends and look for mentions of our customers. If we see our customers mentioned, we’ll alert them immediately.”
IntSights asks its customers if they want it to purchase and remove any detected threat. So, for example, if it finds that a criminal is trying to sell access to a customer’s server, IntSights can buy the access and tell the customer which server has been compromised and how. The server can then be fixed, and the threat removed.
IntSights defines network-based threats as primarily attacks against on-line web stores, and secondly point-of-sale- (POS) based scraping. Both, it suggests, are exacerbated by the industry’s reluctance to sufficiently invest in modern security technologies. “According to BDO’s 2019 Retail Rationalized Survey,” it comments, “only 53 percent of US retailers reported making significant investments in cybersecurity recently, and nearly 10 percent admitted to making no investment at all.”
POS malware is a generic term for the many memory-scraper trojans that are designed to scan for, grab, and exfiltrate bank card data from the point-of-sale machines that process it. Despite the introduction of EMV technology, many retailers have not implemented end-to-end encryption. Such processes could steal the card details and perhaps the PIN, but would not be able to steal the CVV number.
The third threat to the retail industry is defined as the cost of compliance. Most large retailers are already required to comply with GDPR (although it is not certain that all do), and all online retailers must comply with PCI DSS (although we know that compliance between audits is falling). It may be that U.S. retailers are waiting for an anticipated U.S. federal data protection law, although the California Consumer Protection Act (CCPA) coming into force in January 2020 will effectively fill that role for national online retailers.
However, since the purpose of compliance is to improve security, better compliance is a route to reduced losses for the industry. Failure to be compliant is a double whammy: it combines potentially very high regulatory fines with the losses directly attributable to a security breach.
The fourth threat to retail puts the online threat into some perspective. Online losses are quoted as $30 billion per year; but, says IntSights, “According to a 2018 National Retail Federation (NRF) study, inventory shrinkage costs US retailers more than $46.8 billion per year.” The four main causes of shrinkage are employee theft, shoplifting, paperwork errors, and supplier fraud (think third-party risk).
While this is not primarily a cyber loss, nevertheless cybersecurity disciplines could help reduce losses (through better use of facial recognition within stores, third-party evaluations, better document control and AI-enhanced analysis of big data). The same NRF survey, says IntSights, “revealed that loss prevention employees believe they have something to contribute to cyber defense, and yet they feel as if they’re not as involved with their cyber teams as they should be.”
The overall picture provided by IntSights is an industry that is increasingly suffering from cyber and physical crime without yet doing enough to protect itself. Compliance, for example, should be treated as an opportunity to improve security rather than a cost sink. In fact, full compliance with existing regulations would go a long way to reducing the cyber costs currently experienced.
Related: A Crash-Course in Card Shops
Related: A Guided Tour of the Asian Dark Web