When it comes to cybersecurity, consumers want to trust that retailers are protecting them in some way, shape or form. But with high-profile breaches at Target, Home Depot and Neiman Marcus, among others, it behooves buyers themselves to know what to watch for, what scams can happen and what retailers can do.
“Retailing involves more and more digital technology, and as consumers we leave more data footprints, both online and offline,” says Denise Dahlhoff, research director at Wharton’s Baker Retailing Center. “Data is collected at all stages of the shopping process — from browsing and buying online, opting into mobile ads at a store, posting store check-ins and reviews on social media to paying with a credit card or mobile wallet. More technology and data have many benefits for consumers and retailers, but they also increase the risk of security breaches.”
“Generally it’s not a question of ‘if,’ it’s a question of ‘when,’” adds Christopher Yoo, professor of law, communication, and computer and information science at the University of Pennsylvania Law School, and founding director of the Center for Technology, Innovation, and Competition. No matter how many protections are put into place from the retailers, consumers and banks, there are constant threats from hackers and fraudsters coming from all over the world at all hours of the day. The so-called “black hats,” or cybercriminals, just need one weakness, one way to get in, and they can leverage any type of customer information — anything from credit card numbers, debit card numbers, passwords, email addresses and Social Security numbers — into lucrative, illegal income streams.
A couple of years ago, major retailers like Target, Home Depot, Neiman Marcus and Michael’s Stores were making headlines for major cybersecurity breaches. Fortunately, “there have been no major security breaches in retail recently” in the headlines, says Dahlhoff. Retailers have learned hard lessons from the past, but it helps to understand what happened to prevent it from occurring again.
“Generally it’s not a question of ‘if,’ it’s a question of ‘when.’” –Christopher Yoo
With nearly 1,800 stores in the United States, Target was a victim of one of the most widespread data breaches in history. More than 40 million Target customers had their debit and credit card records stolen, along with 70 million people who had their email and mailing addresses taken. The New York Times reported that quarterly profits dropped by 46% as the hit happened during the busy holiday shopping period. Target’s CEO resigned and later the retailer had to pay $10 million to settle a lawsuit from Target shoppers.
The culprit was malware, which made its way through the laptop of an HVAC contractor onto Target’s main computer network. Through the third-party vendor, hackers were able to access Target’s database, according to a report from the Ponemon Institute. “The greatest vulnerabilities for retailers are attacks from third-party vendors,” Yoo says. “The attack on Target put a spotlight on the fact that retailers have to do more than just secure their own network. They should be negotiating terms in the contracts with vendors obligating them to have strong security measures, as well agreeing to a compliance audit. They can’t take their word for it. It’s a pretty onerous task to be on top of vendors.”
“Retailers have been caught out by bad data architecture. You should never store sensitive information on a network that third-party vendors have access to. Create a systematic classification categorizing what’s sensitive and what’s not,” suggests Yoo.
Daniel Garrie, CEO of consulting firm Law & Forensics and senior advisor at Risk Assistance Network and Exchange (RANE), suggests to his retail clients to go as far as providing cybersecurity to the vendors themselves. “I tell my clients you need to secure them. Spending any amount of money is worth it if these are vendors you can’t live without.”
In the case of Home Depot, the breach occurred at the point-of-sale terminal system. Yoo explains that a cybercriminal was able to insert a memory stick and inject custom-built malware into the system. The cyberattacks resulted in 56 million payment cards in the United States and Canada compromised over a period of several months, costing the home improvement store $62 million in expenses from credit monitoring to extra staffing at call centers, according to The New York Times. “The irony was the point-of-sale terminal system was 30-year-old technology. If you [personally] were using a 30-year-old computer, you would be replacing it,” Yoo points out. Companies are used to the idea of replacing computers in their capital replacement cycle, but they haven’t regarded point-of-sale terminals equally as important and avoided spending the money. “That’s a problem for larger retailers, and even a bigger problem for small and medium enterprises,” adds Yoo.
As a result, Home Depot “upgraded its security to make sure it was state of the art,” says Yoo. Recently, Home Depot has filed an antitrust lawsuit against Visa and MasterCard for allegedly blocking the adoption of chip-and-PIN technology on credit-card transactions, a more secure system for transactions, according to ZDNet. Walmart also filed a similar lawsuit against Visa, reports Fortune.
Dahlhoff explains that the way chip-and-PIN technology works is that the chip creates a unique identity number with each transaction. You can use that identity number for one transaction only and it can’t be used again for another transaction. “In its current antitrust lawsuit against Visa and MasterCard, Home Depot is saying [to the credit card companies] that they’re not doing the best job with security that they could do,” says Dahlhoff. The retailers argue that they have put in all the hardware to make their stores safe, but the credit card companies and banks are providing payment systems that mostly require signature verification instead of PIN verification, which in turn means higher transaction fees for retailers.
Types of Scams
Companies have learned from the weaknesses that have already been exposed in their systems, but there are a large number and variety of scams happening all the time, says Robert Meyer, Wharton marketing professor and co-director of Wharton’s Risk Management and Decision Processes Center. “It’s almost like a game of Whack-a-Mole,” he adds.
“I tell my clients you need to secure them. Spending any amount of money is worth it if these are vendors you can’t live without.” — Daniel Garrie
David Lawrence, founder of RANE and a former federal prosecutor, explains, “In order to understand why the retail space has been particularly attractive to hackers, it is necessary to understand that this is a low-risk, high-reward crime. Attacks can be launched easily, cheaply, remotely, and the risk of prosecution is extremely low. Stolen consumer data is highly valuable and marketable in the commission of identity theft and financial fraud.”
Historically, one of the original scams was almost like a “sleight-of-hand” when credit card companies “gave your credit card information to an affiliate marketer as a ‘personal convenience’ to you” as you checked out of a retail website, explains Meyer. Since then, Congress has enacted legislation to prevent that type of fraud. However, people might still find themselves enrolled in something like a shopper’s club for something they don’t need. “As a consumer, there’s a tendency to be trusting. The first line of defense is really to be very distrusting about revealing any type of personal information. Be very careful with [personal information]. Be scrupulous of charges [that] immediately look illegitimate. Instantly contact your credit card company,” says Meyer.
While some of these scams sound like they might be more applicable to consumer protection, these channels are also weaknesses where a user can unknowingly provide access for hackers to the entire computer system of a retailer.
Whether an employee is checking email on their work computer or bringing their own device to log on to the company’s network, vulnerable access points to a retailer’s network can be pervasive. “Threats to retailers have multiplied by leaps and bounds,” says Rhea Siers, formerly a National Security Agency official and now a senior advisor to RANE and scholar-in-residence at George Washington University’s Center for Cyber and Homeland Security. “If you go to a store, you will often see employees accessing company systems through their own personal devices or surfing the internet on company computers. If they don’t button down the basics, retailers remain vulnerable. You’re often dealing with an entire workforce that is under-trained about the risks of phishing scams, malware and viruses.”
These days, malware can get installed onto a computer system when consumers click on a “maladvertising” banner placed on a website to advertise a product or service, says Florian Malecki, international product marketing director at Dell Security. Malware is a term that includes computer viruses, spyware, adware, trojan horses and ransomware by installing software onto your computer unbeknownst to the user. According to the Digital Citizen’s Alliance, around 70% of malware is a type of Remote Access Trojan, or RAT, which can give remote administrative control of a computer system to a hacker. Even Facebook’s Mark Zuckerberg has taped up his web camera and microphone to prevent malware from taking over his laptop to spy on him and Facebook’s business.
“Phishing” emails, which trick people into revealing personal information, can also cause security breaches. Spear phishing, where a hacker uses specific personal information on a target, is one of the most successful hacks. “Fear drives a lot of spear phishing. The more fear, the more uncertainty, the more doubt” helps cyberhackers succeed in duping their targets, says Garrie. David Maimon, criminology and criminal justice professor at the Maryland Cybersecurity Center based at the University of Maryland, notes that it’s a “complicated, sophisticated type of online fraud” where information gleaned from profiles on say, LinkedIn, can help make false emails very believable.”
Moreover, hackers “steal customer activity details to sell on the darknet” says Malecki. The “darknet” is a shadow network that can be a platform for illegal activity.
Another popular hack is a Denial-of-Service (DoS) attack. By sending multiple requests to a website simultaneously, a hacker can render a retail website or network unresponsive, says Malecki. The consequences can lead to significant loss of revenue as well as customer dissatisfaction.
In addition, the CEO or C-Suite scam has become increasingly common. Hackers will access the email account of executives, and wait until they are traveling in a distant time zone or out of contact. Lawrence explains that in a recent incident, the finance department of a major retailer received an email, seemingly from the traveling CEO, asking for $250,000 to be transferred to an offshore bank account. The email explained that the funds were needed immediately, so the CEO could close a business deal that was time sensitive involving retail space in Asia. Fortunately, due to training, the COO was alerted and advised that the staff first call the CEO on his cell phone to confirm. However, Garrie adds, there have been plenty of instances where this particular scheme works.
“In its current antitrust lawsuit against Visa and MasterCard, Home Depot is saying [to the credit card companies] that they’re not doing the best job with security that they could do.” –Denise Dahlhoff
Retailers are essentially technology companies these days, says Yoo. “Technology is embedded in every company.… Retailers have to reeducate themselves and incorporate a technical strategy, and this requires the attention of the C-Suite,” explains Yoo.
“For a single company to do everything in house is costly and hard to do. Collaborating with outside experts and finding industry-wide solutions would be a good way to deal with security risks. True experts who keep updated about trends will know about the latest security issues and ways to address them to help keep systems safe,” says Dahlhoff.
Maimon works on nudging hackers to do things like remove log files, which might send a “red flag” to IT managers. He also suggests “deploying surveillance on the system” to make sure workers are not providing channels for security breaches.
“Some people are just habitual clickers. We can’t change their behaviors. However, we can train them,” says Garrie. “Training is not a one-time thing. It involves reiterations,” adds Lawrence. Employees need to realize that their browsing behavior, attachments they open, or software they download could lead to security breaches.
“Most of us know the weak link in cybersecurity are the users,” notes Yoo. “You have to do cybersecurity in a layered, multifaceted way and assume some attacks will get through. You have to have fast detection, remediation and firewalls to keep hackers from doing any [long-lasting] damage,” he explains.
Yoo adds, “Retailers are always asking ‘what’s the fix? What are the steps to ensure my network is secure?’ That’s asking for the impossible. There is no such thing as perfect prevention. Hackers are always finding new avenues.”