Holiday Hacking: Retailers to Witness A Surge in Hacking This Holiday Season

I’m guessing most of you have already completed a significant portion of your holiday shopping right? If you are like me, then most of your shopping will be done online – no long queues, less chaos, more convenience, same bargains and many retailers even offer free home delivery. That said there is still a considerable volume of consumers who do in-store shopping and use their credit/debit cards at the point of sale terminals for purchases. The National Retail Federation estimates that sales in November and December will increase 4.1% as compared to last year and reach $617 billion.

However, the holiday shopping season also acts as a magnet for cybercriminals. The same time last year (late 2013), US retailer Target was hit by one of the biggest data breaches in the industry's history. The breach not only led to the resignation of CEO Gregg Steinhafel and CIO Beth Jacob, but also several U.S. states and the federal government launched criminal investigations into the company. Target reported US$61 million in costs related to the breach and a 46% drop in net profit in the fourth quarter of 2013 compared to the year before. On the heels of Target's breach, luxury retailer Neiman Marcus announced that more than 1.1 million credit and debit card numbers might have been compromised. This was only the beginning of what ultimately became a string of major hacks against big-name retailers that resulted in the theft of millions of customer payment card accounts. The list included Michael's, Sally Beauty, P.F. Chang's, Dairy Queen, UPS, Staples, and Home Depot.

Now that the holiday season is kicking off both online and in stores, are yet another wave of cyberattacks waiting to happen? Most likely yes. The PoS systems on which financial transactions are conducted at nearly every physical retail location are fast becoming popular targets for sophisticated criminal organizations as well as standalone attackers. To address this issue, many retailers in the U.S. such as Home Depot, Target, Walgreens, Walmart and more have been working to migrate payment systems from the current magnetic stripe card readers to EMV systems, or the chip-embedded cards and PIN-code technology widely used in Europe. Visa and MasterCard are giving merchants until October 2015 to have an EMV system in place. If merchants don't comply, the responsibility to cover fraudulent purchasing will shift from the card companies to the merchants themselves. While upgrading to EMV is a step in the right direction, it does not address basic problems (e.g., CNP transactions) and lacks critical elements of fraud protection (e.g., PIN). Retailers, banks, and other corporations need to do far more to protect customers from identity theft and financial fraud.

Some of the key steps that retailers can take to secure their POS network from further attacks are listed below:

                    Use strong passwords(authentication mechanisms) to access POS devices and employ antivirus tools

                    Isolate the POS production network from other networks or the Internet by deploying firewalls

                    Keep POS software up to date

                    Ensure only authorized applications run within POS ecosystems

                    Focus on proactive malware detection and response

                    Deploy smartcard (aka chip-card) enabled POS terminals

                    Provide end-to-end encryption starting from the point-of-swipe

                    Data leakage/loss prevention solutions can also be used especially due to the fact that they can perform deep content inspection and contextual security analysis of transactions