Retail in the Age of Cyber Crime

Retailers are venturing out into the choppy waters of the digital ocean. Unfortunately, the sharks are circling eagerly.

Retail is going digital so it should come as no surprise that shoplifting is doing the same. Cyber-attacks against retailers have grown dramatically, both in volume and sophistication over the past few years. Although retailers are upgrading their defences, the landscape is shifting so quickly it can be difficult to keep up.

PwC estimates that attacks against retailers are up by 30% year on year. According to the British Retail Consortium, nearly 80% of the 11,000 retailers surveyed saw an increase in cyber-attacks over the course of 2018. Spending by British retailers on cyber security has risen from £139 million to £162 million, an increase of 17%. Even so, the number of attacks continues to rise. Criminals are spurred on by numerous success stories showing that not even the biggest names are safe.

Earlier in the year, Amazon had to admit that it had been the victim of fraud when criminals broke into merchant accounts and siphoned away funds. Sports Direct suffered a major attack in 2016 in which the names and addresses of approximately 30,000 members of staff were exposed. Its problems were compounded by its response: although the attack occurred in September, it was not until December that the company learned of the issue and, even then, it failed to inform those affected.

Back in 2013, US retailer Target suffered one of the biggest breaches ever when hackers stole the data of up to 110 million people, including the payment card details of around 40 million of them. According to investigators, the attackers were located in Eastern Europe and used "RAM scraping" malware installed on point-of-sale terminals, which reads card data out of a terminal's memory in the brief moment before it is encrypted. The stolen card numbers were then sold on the black market.

Retail represents the number one target for cyber criminals. According to Trustwave's 2018 Global Security Report, the retail sector accounts for 17% of all cyber-attacks. It is particularly vulnerable because retailers routinely handle vast amounts of money and sensitive data, including bank and payment card information.

A digital revolution

The problem for retailers is that, as they move into the world of online retail, it is becoming increasingly difficult to protect themselves against attacks. E-commerce is booming. More than half of shoppers say they prefer online shopping to shopping in store. That is music to the ears of cyber criminals. As Trustwave's report shows, almost all of the retail attacks it examined hit e-commerce systems, including the infrastructure behind websites that handle credit and debit card data.

Retailers face an uncomfortable choice. Going online is more or less unavoidable because that’s where their customers are to be found. It opens up all sorts of opportunities, but it does put them right in the firing line of cyber criminals.

The problem becomes even more complicated with the rise of digital transformation. This is the notion that businesses of all sizes can transform their prospects by embedding digital technology at the heart of everything they do.

It is revolutionising the retail industry, taking power away from businesses and putting it into the hands of consumers. They have more choice than ever before and are influencing trends through social media and online reviews. One dissatisfied customer can become a very public PR problem.

Their expectations are growing. They expect a seamless, personalised omnichannel shopping experience in which they can buy what they want, where they want and with whatever device they want.

For retailers trying to keep up, life is pretty tough. They need to be able to provide the seamless connected retail experience their customers want, which means upgrading their service to offer faster picking and shipping. Equally, they want to be able to capture all the data coming their way from these digital interactions. They are looking to shift from basic spreadsheets to advanced analytics models based on big data.

For this they need to shift operations onto the cloud. They are moving towards public, private and on-premises private cloud models to reduce their operating costs and improve their data insight capacity. It offers the ability to scale up or down as needed and ensure they are always paying for as much capacity as they need and no more.

According to McKinsey, a quarter of industry workloads currently lie in the cloud, but this could rise to a third in 2020. However, more traditional retailers with embedded and hard-to-abandon legacy systems are struggling to make the transition as smoothly. By using the cloud, retailers may unlock many opportunities, but they also make themselves vulnerable. Their data now travels to, and sits with, a third-party provider, and if that provider's security is weak it becomes the retailer's problem. Debenhams discovered this the hard way in 2017 when attackers breached Ecomnova, a third-party e-commerce provider, and exposed the details of some 26,000 of its customers.

Such partnerships are crucial in e-commerce, but they muddy the waters when it comes to security. Before entering into any arrangement with a third party, retailers need to conduct extensive due diligence to understand what security measures it has in place, how it will be monitored and what happens if there is a breach. Under GDPR, a company remains responsible as data controller for personal data even when a supplier processes it on its behalf. So, while Ecomnova may have been at fault for the breach, Debenhams could still be on the hook for that lost data in the eyes of the regulators.

Where attacks are coming from

Cyber criminals are using all sorts of different approaches to breach defences. The British Retail Consortium's report states that the most common attacks come in the form of phishing and data theft, with denial of service and ransomware following close behind. Spoofing and doxing were reported as less serious threats.

Phishing emails have long been a staple of the cyber criminal, but in recent years they have become considerably more sophisticated. The basic premise remains the same: send an email hoping to fool you into either clicking a malicious link or giving away your personal details.

For example, fraudsters will often pretend to be from a bank, telling you there is an issue with your account. Once upon a time, these were pretty easy to spot: attackers sent their emails at random and the format was amateurish. Now they have learned to design convincing emails that lead to pages which look and feel like the bank's own website. Because so much personal data is available from earlier breaches, they can also tailor the message with details such as who you bank with.

Some of them play very effectively on our psychology. If we want something to be true, we will be more inclined to believe it. They may send emails purporting to be from HMRC or the DVLA suggesting you are due a tax refund. Common sense may tell you that it’s unlikely, but you’ll still be tempted. They are relying on your heart overruling your head.

Ransomware and denial of service (DoS) attacks can also be immensely damaging. Digital innovation means businesses of all kinds are increasingly reliant on IT, especially in the retail space. Ransomware encrypts a victim's files and systems and demands payment for the key; DoS attacks flood websites or services with traffic so that legitimate customers cannot get through, sometimes accompanied by an extortion demand to stop the flood. Either way, with profit margins already tight, a retailer can be losing revenue by the minute. The retail sector would also be more susceptible than most to a global outbreak such as the WannaCry ransomware worm, which hit organisations and companies across the world in 2017. The resulting slowdown in consumption could have devastating ripple effects across the industry.

Innovative attacks

New attacks are also developing all the time, which specifically target the retail industry. These include:

  • Gift card fraud: Attackers have shown that retail gift cards can be drained without ever touching the physical card. It is a simple but effective process. The attacker collects a handful of gift cards from a retailer and spends time identifying the pattern in the cards' identification numbers. Often the variation between cards is small, so the attacker can use the retailer's own balance-checking website to try number combinations until one with a balance appears, then spend the funds by making a purchase. The practical defences are to make card numbers long and unpredictable, to pair them with a separate PIN or scratch-off code, and to rate-limit and monitor the balance-check page so that one client trying thousands of numbers stands out.
  • Internet of Things: The internet of things (IoT) is a great opportunity for businesses of all kinds, but it can also be a threat. It creates multiple entry points into systems all of which create a potential vulnerability. Keeping these entry points secure will be a major headache for retailers.
  • Refund fraud: This particular approach is especially common during peak buying periods. A criminal creates a fake receipt and dupes the retailer into providing a refund. Alternatively, they may request an item and claim it never arrived.

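The monitoring just described is straightforward to script. The following is an added example, not code from the original article or from any retailer: it reads web server access-log lines for a hypothetical /giftcard/balance endpoint (the endpoint name, card-number parameter and the log lines themselves are constructed for this illustration), counts how many distinct card numbers each client IP queries inside a sliding time window, and measures whether those numbers are simply being counted upwards, which is the signature of enumeration rather than a shopper checking a card or two.

```python
"""Detect gift-card balance-check enumeration from web server access logs.

Added example: the endpoint, parameter name and log lines are all constructed
for illustration and are not taken from any real retailer.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined/Apache-style access log line: ip ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
CARD_RE = re.compile(r'[?&]card=(\d{12,19})')   # hypothetical query parameter
BALANCE_PATH = "/giftcard/balance"               # hypothetical endpoint
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW = timedelta(seconds=60)   # look at each client's requests over one minute
DISTINCT_THRESHOLD = 10          # distinct card numbers per window that trigger an alert

# Constructed sample: one client counting through consecutive card numbers, one normal shopper.
SAMPLE_LOG = [
    f'203.0.113.9 - - [12/Mar/2019:10:00:{i:02d} +0000] '
    f'"GET {BALANCE_PATH}?card={6006490000001000 + i} HTTP/1.1" 200 310'
    for i in range(12)
] + [
    '198.51.100.4 - - [12/Mar/2019:10:01:10 +0000] "GET /giftcard/balance?card=6006490000778812 HTTP/1.1" 200 310',
    '198.51.100.4 - - [12/Mar/2019:10:05:42 +0000] "GET /giftcard/balance?card=6006490000312977 HTTP/1.1" 200 310',
    '198.51.100.4 - - [12/Mar/2019:10:05:50 +0000] "GET /checkout HTTP/1.1" 200 9001',
]


def parse_line(line):
    """Return {ip, ts, card, status} for a balance-check request, else None."""
    m = LOG_RE.match(line)
    if not m or not m.group("path").startswith(BALANCE_PATH):
        return None
    c = CARD_RE.search(m.group("path"))
    if not c:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "card": c.group(1),
        "status": int(m.group("status")),
    }


def sequential_ratio(cards):
    """Fraction of consecutive requests whose card numbers differ by at most 10.

    A shopper's cards are unrelated (ratio near 0); an enumerator counting
    through the number space produces a ratio near 1.
    """
    if len(cards) < 2:
        return 0.0
    nums = [int(c) for c in cards]
    close = sum(1 for a, b in zip(nums, nums[1:]) if 0 < abs(b - a) <= 10)
    return close / (len(nums) - 1)


def find_enumeration(lines, window=WINDOW, threshold=DISTINCT_THRESHOLD):
    """Map each suspicious client IP to its peak distinct-card count and sequential ratio."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in per_ip.items():
        start, peak = 0, 0
        for end in range(len(evs)):                       # sliding window over this IP's requests
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, len({e["card"] for e in evs[start:end + 1]}))
        if peak >= threshold:
            alerts[ip] = {
                "distinct_cards_in_window": peak,
                "sequential_ratio": round(sequential_ratio([e["card"] for e in evs]), 2),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info}")
```

The same two signals (many distinct numbers from one client in a short window, and numbers that step through the space) can feed a rate limiter or a CAPTCHA challenge on the balance page rather than only an after-the-fact alert; the threshold should be set well above what a genuine customer does, which is typically one or two checks.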
Criminals are not always after payment details or data. One of the surprises in Trustwave's report was a finding that crooks were often less interested in stealing data than in other forms of attack, such as ransomware or fraud against the website owners themselves. In many cases, the report found, criminals had breached a system containing payment information but were content simply to plant malware and leave the data untouched. Sometimes they are holding back because they are after a bigger score: extracting and monetising payment details takes time and effort on their part. Equally, by leaving the data in place and the site working normally, they make it more likely that the malware remains on the system undetected.

Fighting back

The inescapable truth for retailers is that cybercrime will continue to be a major threat. It has a low cost of entry and a minimal chance of being caught. That retailers are upping their spend on cyber security suggests they are taking it seriously, but the fact that crime continues to rise suggests the spending is not always working. Staying safe is difficult and, as we have seen, even the biggest names are not immune.

The challenge for retailers is twofold. They need to protect their own business systems but also to safeguard their customers. Online shopping and loyalty schemes mean customers are handing over more personal information about themselves than ever before. This data has enormous value on the dark web and the more complete a picture criminals can build about their targets the more valuable that information will be.

Retailers will need to educate their customers. Phishing in which criminals impersonate a retailer is one of the most common problems. Retailers should make it clear to customers when and how they will contact them, what they will never ask for by email or text (passwords, full card numbers, payment to a new account), and how a message from a fraudster can be recognised.

Equally, retailers can remind customers of the importance of using strong, separate passwords for their accounts. Surprisingly, even in today's digital world, consumers remain remarkably relaxed about their passwords. A recent poll found that almost 60% of people use the same password for everything, which means a breach at one site hands criminals the keys to every other account the victim holds. So, while we might be savvier than we used to be, we still have some way to go.

Internal defences

Improving security within an organisation can present a significant challenge. Many retailers feel intimidated by the scale of the task: experts are in short supply, and embedding security throughout systems can be a logistical and financial burden. Some companies are turning to outside providers, which is driving the rise of cyber security as a service. These teams can provide an expert assessment of a company's needs and advise on how to build defences.

Whichever approach retailers choose to take, cyber security needs to become a key priority. Guidance from the British Retail Consortium suggests it be made a board-level issue. It needs to move out of the IT team and spread across the organisation. Executives may struggle with the technical details, but they do need to take ownership, setting a strategy from the top down.

This starts with making a comprehensive cyber resilience assessment which looks at where vulnerabilities lie, how they can be addressed, how third parties are monitored and what happens if a breach occurs.

Every person within an organisation needs to receive training in cyber security and be expected to follow best practice. This might include only using registered devices for work purposes, using a unique password for each system (current NCSC guidance favours strong, unique passwords and multi-factor authentication over forced periodic rotation) and promptly reporting suspicious activity as and when it arises. This training should form a key part of induction and be updated regularly.

User access should be monitored and controlled. Every employee should have only the level of access to internal systems that they need to do their job effectively, and that access should be reviewed when they change roles. When they leave, their accounts should be disabled promptly.

Last but not least, an organisation must have good response plans in place. Cybercrime is here to stay whether we like it or not and, for all the efforts to stay safe, it is highly likely that an organisation will suffer a breach at some point. The question then is what happens next. For example, if you suffer a ransomware attack, can you continue trading from backups until the systems are restored? If data is breached, can you find out quickly what was taken and minimise the damage done to customers?

GDPR requires a breach escalation process to be in place: a personal data breach must be reported to the regulator (in the UK, the ICO) within 72 hours of the organisation becoming aware of it where feasible, and the affected individuals must be told without undue delay when the breach is likely to put them at high risk. One of the things businesses dread about a cyber-attack is being forced to notify those affected. In a sector which relies heavily on data, nobody likes to admit that their systems have been breached. As with Sports Direct, it can be tempting to keep issues under wraps, but doing so would not only bring you under fire from the regulators but further harm your reputation with customers.

Cybercrime is an enormous issue and attacks are coming from all directions. Staying safe on the digital high seas will not be easy, but retailers can do much more. It starts with understanding the threat. As things stand, many retailers are pushing forward with a false sense of security, blissfully unaware of the risks they face. That way disaster lies. Retailers need to recognise that this is an issue for everyone, from the IT teams to board members, front line staff and customers. Everyone has a role to play in keeping data safe and thwarting the plans of the cyber criminals.
