Cyber Theft: Another Holiday Tradition?
Brace yourselves. Black Friday and Cyber Monday are just around the corner, and they’re going to be huge. Consumer spending is forecasted to grow by a remarkable 47% over the same period last year. And while the post-Thanksgiving rush to the malls is a longtime tradition, online shopping has become the main event. Adobe predicts that total online sales for the 2017 holiday weekend will surpass $107 billion—almost 14% growth over 2016 and 10% more than traditional brick and mortar sales.
But, consumers aren’t the only ones eagerly anticipating the big holiday weekend. This busy sales period is a prime time for hackers to cause widespread disruption by launching high-volume DDoS attacks. Let’s examine one such attack to better understand where the gaps in security protocols may lie.
Remember Target’s Black Friday Breach?
There’s a lot to be learned from the notorious 2013 cyberattack on Target, which involved the theft of credit and debit card information from 40 million shoppers, and compromised the personal data of an estimated 70 million customers. The incident is a timely reminder of what can go wrong without effective security systems and processes in place.
In late November, hackers targeted IoT devices as the primary points of entry and installed malware on the retail giant’s point-of-sale (PoS) systems, which were managed via a third-party vendor, whose own security systems were flawed. The cybercriminals used this initial foothold to push malicious software to every cash register in over 1,800 stores.
Initially, a “small amount” of hacker activity was logged by the security system and flagged at the start of the incident, but after reviewing the data, Target’s security team decided the activity was insignificant and did not necessitate further investigation, a decision which would prove to be disastrous for the organization.
Post Breach Discoveries
After the breach, Target hired Verizon security experts to probe for weaknesses. They found that Target had “no controls limiting their access to any system, including IoT devices within stores such as point of sale registers and servers.” The report noted that Verizon consultants were able to directly communicate with these PoS systems and servers from the within the core network. In one example, they communicated directly with cash registers in checkout lanes after compromising a deli meat scale located in a different store.
It’s reported that the Black Friday breach cost Target somewhere in the range of $200M. Furthermore, executives were fired, and the company suffered an immense hit to its brand reputation. The retailer has since invested hundreds of millions of dollars in building a “cyber fusion center” and has added additional security personnel.
The breach was first reported by Brian Krebs in his. For a detailed report and analysis of the attack and Target’s clean-up efforts, check out Brian Krebs’ KrebsOnSecurity blog.
Retail Cybercrime Tactics
Cybercrime within the retail sector is particularly on the rise, as unsecured IoT endpoints can leave networks wide open to malicious attacks. More specifically, most IoT devices—like PoS card readers and payment terminals—are threatened by a common process referred to as “dump, scrape, store and infiltrate”. FastPOS, initially identified last year by Trend Micro, is true to its name. It’s designed to pilfer as much data as possible, as fast as possible, even at the expense of stealth. Small and medium retailers make especially good targets for PoS malware.
And then there is ‘patchy patching’. Online skimming is a growing tactic for hackers. Like physical skimming, it steals credit card details; but it is much harder to detect and nearly impossible to trace. Unpatched software—remember Equifax—is the entry point. Hackers gain access to a store’s source code using security holes in popular e-commerce software such as Magento. Once a store is under control of a perpetrator, they can funnel live payment data to an off-shore collection server and sell skimmed credit cards on the dark web. Retailers should expect to see more of the above cybercrime techniques this year.
What’s on Your Holiday Security To-Do List?
The upcoming holiday shopping season and these high-profile, industry attacks provide a strong reminder for retailers and their security teams to be prepared and remain vigilant. In fact, here are a few security best practices for consideration this holiday season:
- Security teams should possess the ability to discover, profile and monitor all network devices for abnormal behavior, especially IoT endpoints such as PoS systems, scanners and IP cameras.
- When necessary, use network segmentation to restrict access to sensitive systems and data.
- Establish processes to continuously identify and resolve vulnerabilities, such as software patches. Be sure to develop follow-up procedures to verify the gaps have been closed.
- Train both technical and non-technical personnel on proper protocols for identifying and responding to potential threats.
- Limit, disable and/or reset vendor and contractor access as well as reduce employee access privileges.
- Regularly attack your own network to find holes in your security posture before the hackers find and exploit these gaps.
Still looking for more information? Check out the Market Trends report, Grow Your IoT Security Business, to get Gartner’s recommendations for building your IoT security strategy and architecture.