By Angel Grant, Director of Digital Risk Solutions at RSA Security
Retail has always been one of the most popular targets for fraud and cybercrime. Hardly surprising, given retailers' complex supply chains, their cyber-immaturity relative to other sectors, and the huge volumes of customer data they often possess. But the rush to digitalise during the pandemic may have inadvertently exposed retailers to even more cyber-risk than normal. From new mobile commerce applications to employees working remotely, the attack surface today is larger than ever.
In the UK alone, retailers are said to have spent £186 million on “cutting edge” cyber-security over the past year. But the headline figure may be misleading: how this money is spent is as important as how much is being allocated. For maximum results, retailers must go back-to-basics and reassess their security posture, covering everything from IT infrastructure to customer awareness.
Disruption is a cyber-criminal’s best friend
COVID-19 has provided the bad guys with a big opportunity. Cyber-criminals thrive in chaos; they’re masters at adapting quickly while their victims are still floundering, and disruption doesn’t come much bigger than a global healthcare and financial crisis. The sudden closure of “non-essential” stores at the start of the year forced many retailers to work rapidly on two fronts: supporting mass remote working for their employees and accelerating digital transformation to ensure they could continue to serve their customers. In many cases that meant upgrading POS and retail management systems, designing new applications, re-invigorating social media, and redesigning business processes to, for example, encourage BOPIS (buy-online-pickup-in-store).
The problem with these much-needed changes is that in many cases they were actioned without proper attention to risk management, compliance, and security best practice.
Where are the risks?
From an IT perspective, security gaps have arisen from poor integration between newer digital infrastructure and legacy systems. In the home working space, for example, some reports suggest VPNs were overwhelmed by the demand from users, causing security bottlenecks that may have persuaded some users to bypass security controls altogether. This was especially risky as it came at a time when those same users were being bombarded with COVID-19-related phishing emails and may have been using personal devices for work needs.
Changes to retail supply chains have also introduced extra cyber-risk. Retailers outsourcing parts of their IT to streamline infrastructure during the pandemic must keep a keen eye on compliance and security standards. GDPR regulators will simply not allow you to push responsibility for an incident onto a supplier.
As more consumers flooded online, so did the cyber-criminals. Those touting digital card skimming code have been particularly prolific; most notable was a coordinated campaign in September that saw an unprecedented 2,000 e-commerce sites compromised in a single weekend. It’s unknown how many customer card details were silently stolen as a result.
Hitting the customer
These risks extend to the customer sphere. As many retailers launched mobile apps or new functionality to their sites, our threat researchers noted a spike in fake apps masquerading as various real brands. Due to resource constraints, many retailers weren’t monitoring for this kind of activity, which is designed to harvest customer card and personal details.
On other occasions, scammers targeted the apps themselves, impersonating legitimate customers to make fraudulent purchases. Account takeover is a particularly popular strategy here, as it’s more difficult for a retailer to spot malicious activity if a user has already logged in and appears legitimate. In reality, scammers use ‘credential stuffing’ techniques: they replay previously breached logins across a range of different websites until they find one they can unlock because the person re-used the same password. One report claims the retail sector accounted for over 90% of the 64 billion credential stuffing attempts detected between 2018 and 2020.
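Credential stuffing has a recognisable shape in a retailer's own login logs: one source replays a breached list against many different accounts, and most attempts fail because the password does not match. The following detector, added here as an illustration and not RSA's code, scans constructed sample login events for source IPs that hit many distinct usernames with a high failure ratio inside a short window, and lists the accounts that succeeded during such a burst as likely takeovers. The log format, thresholds and IP addresses are assumptions for the example.

```python
"""Credential-stuffing detection over login events (added example, not RSA's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<timestamp> <source-ip> <username> <result>".
# 203.0.113.7 cycles through many accounts (stuffing); 198.51.100.9 is one
# customer mistyping their own password; 192.0.2.33 is a normal login.
SAMPLE_LOG = """\
2020-11-20T10:00:01 203.0.113.7 alice FAIL
2020-11-20T10:00:02 203.0.113.7 bob FAIL
2020-11-20T10:00:02 203.0.113.7 carol FAIL
2020-11-20T10:00:03 203.0.113.7 dave OK
2020-11-20T10:00:04 203.0.113.7 erin FAIL
2020-11-20T10:00:05 203.0.113.7 frank FAIL
2020-11-20T10:00:20 198.51.100.9 alice FAIL
2020-11-20T10:00:25 198.51.100.9 alice FAIL
2020-11-20T10:00:40 198.51.100.9 alice OK
2020-11-20T10:03:00 192.0.2.33 gina OK
"""


def parse_events(text):
    """Parse the assumed log format into (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {ip: summary} for source IPs that, within any sliding `window`,
    attempted at least `min_users` distinct usernames with a failure ratio of
    at least `min_fail_ratio`. A single user retrying one account is not flagged,
    so ordinary forgotten-password behaviour does not trigger the rule."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits the window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            ratio = fails / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                previous = flagged.get(ip, {}).get("distinct_users", 0)
                if len(users) > previous:
                    # Successful logins inside a stuffing burst are the likely takeovers.
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "fail_ratio": round(ratio, 2),
                        "successful_logins": sorted(u for _, u, ok in span if ok),
                    }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, summary)
```

Flagging on distinct usernames per source rather than on failures per account is the point: per-account lockout thresholds are exactly what stuffing tools stay under, since each account is tried only once or twice. The successful logins inside a flagged burst are the ones to force through step-up authentication or a password reset.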
At a basic level, the pandemic provided fraudsters and cyber-criminals with a new group of tech novices who may be more susceptible to scams and social engineering, and whose IT hygiene may not be up to scratch. Consumers have also been more distracted, vulnerable, and emotional than ever—a perfect combination for attackers.
Fraud schemes have included simple fake sites set up to ‘sell’ hand sanitiser and face masks, but which harvest card and personal details instead. They have also stretched to more sophisticated plans to capitalise on omnichannel retail and the growing popularity of BOPIS to get goods to customers. In recent months, cyber-criminals have been known to buy card details that align geographically with the location of their ‘money mules’, so that these individuals can physically collect high value items fraudulently purchased for BOPIS.
Faced with these varied threats, how can retailers continue to succeed without impacting staff productivity or introducing friction to the customer experience?
From an enterprise IT security perspective, it all comes back to risk management. Now is the time to take stock of your digital transformation efforts over the past few months and understand exactly where your data flows, where the gaps in protection are, and which controls should be applied to plug them, both to shore up security and to stay compliant with any relevant regulations. Visibility and governance must of course extend to any new cloud and mobile environments, third parties/suppliers, and potential ‘shadow IT’ (unauthorised IT applications) lurking in remote working environments. At the very least, working through these challenges can help security teams bring the conversation into the realms of the senior management team – having them bought in will be essential to ensuring the necessary support and funding is available.
From a customer-facing perspective, now is a great time for retailers to take it upon themselves to educate consumers, so that they can better differentiate between legitimate marketing and phishing attempts. Enhance this with improved monitoring of social media and app stores for brand impersonation; new risk-based authentication measures for customers; and transaction fraud prevention via systems like 3D-Secure. Remember, fraud prevention should span across all commerce channels to ensure there is no potential single point of failure.
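Risk-based authentication, as recommended above, means adding friction only when the login itself looks risky. The following scorer is an added example, not RSA's code or any product's logic: it combines signals a retailer's app backend already has (whether the device and country are familiar, recent failures on the account, how many distinct usernames the source IP has tried, whether the password is known to be breached) into a score and maps it to allow, step-up (for example a one-time code) or deny. The signal names, weights and thresholds are assumptions chosen for illustration.

```python
"""Risk-based authentication decision for a customer login (added example, not RSA's code)."""
from dataclasses import dataclass, field


@dataclass
class LoginContext:
    """Signals available at login time; field names are assumptions for this example."""
    username: str
    device_id: str
    country: str
    known_devices: set = field(default_factory=set)     # devices seen before for this account
    usual_countries: set = field(default_factory=set)   # countries this account normally logs in from
    recent_failures: int = 0        # failed attempts on this account in the last hour
    ip_distinct_users_1h: int = 1   # distinct usernames tried from this source IP (stuffing signal)
    credential_breached: bool = False  # password matches a known breach corpus


# Assumed weights: the stuffing signal and a breached password weigh most,
# because they indicate the credential itself may already be in an attacker's hands.
WEIGHTS = {
    "new_device": 25,
    "unusual_country": 30,
    "account_failures": 20,
    "ip_stuffing": 40,
    "breached_credential": 30,
}

ALLOW_BELOW = 20   # score < 20: let the login through silently
DENY_FROM = 60     # score >= 60: refuse and alert; in between: step-up challenge


def risk_score(ctx: LoginContext) -> int:
    """Sum the weights of every risk signal present in the login context."""
    score = 0
    if ctx.device_id not in ctx.known_devices:
        score += WEIGHTS["new_device"]
    if ctx.usual_countries and ctx.country not in ctx.usual_countries:
        score += WEIGHTS["unusual_country"]
    if ctx.recent_failures >= 3:
        score += WEIGHTS["account_failures"]
    if ctx.ip_distinct_users_1h >= 10:
        score += WEIGHTS["ip_stuffing"]
    if ctx.credential_breached:
        score += WEIGHTS["breached_credential"]
    return score


def decide(ctx: LoginContext) -> str:
    """Map the score to an action: 'allow', 'step_up' or 'deny'."""
    score = risk_score(ctx)
    if score < ALLOW_BELOW:
        return "allow"
    if score < DENY_FROM:
        return "step_up"
    return "deny"


if __name__ == "__main__":
    # Constructed scenarios: a returning customer, the same customer on a new phone,
    # and a login riding on an IP that has just cycled through dozens of accounts.
    returning = LoginContext("alice", "phone-1", "GB", {"phone-1"}, {"GB"})
    new_phone = LoginContext("alice", "phone-2", "GB", {"phone-1"}, {"GB"})
    stuffing = LoginContext("alice", "phone-9", "GB", {"phone-1"}, {"GB"}, ip_distinct_users_1h=50)
    for name, ctx in [("returning", returning), ("new_phone", new_phone), ("stuffing", stuffing)]:
        print(name, risk_score(ctx), decide(ctx))
```

The returning customer sees no friction at all, a new device earns a single step-up challenge, and a login arriving from a source that has just tried dozens of accounts is refused even though the password was correct. That last case is what makes the control complementary to the log-based detection: the stuffing signal is evaluated before the session is issued, not after the fraudulent order has shipped.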
As we approach a vitally important holiday shopping season, the bad guys are primed and ready to take advantage. In anticipation of this battle, retailers must act now to ensure they can limit the cyber and fraud risks they will inevitably face.