The internet has transformed the way we live our lives in so many areas. But perhaps one of the biggest changes has come in the retail sector, where global e-commerce sales are predicted to top $3.5 trillion in 2019. But while digital transformation continues to generate a huge windfall for retailers, it also brings risk, as new customer-facing services and back-end infrastructure are targeted. Stores can’t continue to prioritise the customer experience without addressing this major security challenge.

Executives must lead the fightback with a comprehensive cybersecurity strategy to tackle customer data theft, fraud, and attempts to disrupt core IT services. That will require a key role for real-time, dynamic threat intelligence to accelerate incident response and proactive threat and fraud detection.

Digital growth means digital challenges

The sector has fully embraced digital transformation in the ongoing battle for consumer hearts and minds. Today’s shoppers, especially the younger ones, value compelling experiences above all else. This can mean anything from buy online pickup in-store (BOPIS) options to information kiosks and tablet-toting staff roaming the premises with mPOS devices. Accenture claims that 68% of all Millennials demand a seamless, integrated experience, regardless of channel.

This has led to a great deal of pressure on IT to come up with the goods. Mobile applications and payments, loyalty programmes, online accounts, and much more have been rolled out to enhance engagement and streamline the shopping experience. At the same time, retailers have actively encouraged consumers to share more of their personal and behavioural data to feed smart algorithms that can improve sales performance and the customer experience.

Liv Rowley, Threat Intelligence Analyst, Blueliv

The problem is that as retailers invest more of their profits into these systems, they’re unwittingly expanding the attack surface for cyber-criminals. Cloud-based customer databases, point-of-sale (POS) systems, e-commerce payment pages, and customers’ online accounts can all be remotely compromised in theory. Retailers are also a major target for fraudsters using data stolen from them or other sources to impersonate legitimate cardholders. Combine this exposed attack surface with the potential for human error and social engineering, of both customers and retail employees, and you have a potent recipe for cybercrime success.

Cyber-attacks against retailers have grown dramatically both in volume and sophistication over the past few years. The British Retail Consortium revealed that nearly 80% of 11,000 surveyed retailers saw an upsurge in cyberattacks over the course of 2018. Accenture claims the average cost of a breach in the sector was $11.4m in 2018, up 24% from the previous year. Meanwhile, Shape Security estimates that automated account takeover attacks cost the industry around $6bn a year in fraud, versus just $1.7bn in the banking sector.

Following the money

Innovation is the key to competitive advantage in retail, as it is in most verticals. But innovation at the expense of best practice cybersecurity can be self-defeating, if it leads to damaging breaches and high fraud levels which critically damage the bottom line and customer loyalty. Profit-making must be tempered by a risk management approach to business which incorporates the growing threat to digital systems and customer data. Up until now, the former has won out in too many boardrooms, encouraging cybercriminals to focus their efforts on the sector, rather than better protected organisations like banks.

What are they after? In short: making money. Retailers store highly monetisable identity and card data on their customers, in back-end databases and customer-facing accounts. Hackers might go after the former by spear-phishing employees to target the weakest link in the security chain: people. They may even look to employees in third-party partner organisations to provide access into the corporate network, as happened in the mega-breach at US retailer Target.

Malware can also be installed on POS networks to exploit unpatched bugs and harvest card data from bricks-and-mortar stores. Although this is less popular since the advent of EMV, it still happens from time to time in the US. Much more popular these days is digital skimming by inserting malicious JavaScript into e-commerce sites to covertly steal card data as it’s entered by customers. So-called Magecart attacks were one of the stand-out threat trends of 2019, with retailers like Newegg, Macy’s and British store Sweaty Betty all victims. In one automated attack, almost 1,000 e-commerce sites were compromised in a single day. This kind of data can be posted to dark web forums before the victim organisation has even discovered they’ve been hit, increasing the value of the stolen details.

Following the money trail also leads to customer accounts which hold pre-stored card and identity data to speed up the transaction process. Hackers may go after these by directly phishing the customer, perhaps using the retailer’s brand to trick them into clicking on a malicious link. Increasingly popular is the use of credential stuffing tools. These take huge volumes of breached log-ins and try them on multiple online accounts, hoping that password reuse on the part of the consumer lets them in. The bad guys only need a small success rate to make it worth their while. As we’ve seen, this kind of account takeover fraud alone is costing global retailers billions each year. Hackers could sell the resulting data or access to these accounts or use them personally to make fraudulent purchases without raising any red flags.
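How the credential stuffing pattern described above looks from the defender's side, as an added example that is not part of the original article: one source tries many distinct accounts, mostly fails, and the few successes are the accounts that need a forced reset. The log format, function names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample login log. Assumed format: timestamp source_ip username result
SAMPLE_LOG = """\
2019-11-29T10:00:01Z 203.0.113.7 user1@example.com FAIL
2019-11-29T10:00:01Z 203.0.113.7 user2@example.com FAIL
2019-11-29T10:00:02Z 203.0.113.7 user3@example.com FAIL
2019-11-29T10:00:02Z 198.51.100.20 carol@example.com FAIL
2019-11-29T10:00:03Z 203.0.113.7 user4@example.com OK
2019-11-29T10:00:03Z 203.0.113.7 user5@example.com FAIL
2019-11-29T10:00:04Z 203.0.113.7 user6@example.com FAIL
2019-11-29T10:00:09Z 198.51.100.20 carol@example.com FAIL
2019-11-29T10:00:15Z 198.51.100.20 carol@example.com OK
"""

def flag_stuffing_sources(log_text, min_users=5, max_success_rate=0.25):
    """Flag sources that try many distinct accounts and succeed on few of them.

    Thresholds are illustrative assumptions, not recommended values.
    """
    tried = defaultdict(set)      # ip -> usernames attempted
    succeeded = defaultdict(set)  # ip -> usernames logged in successfully
    attempts = defaultdict(int)   # ip -> total login attempts
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        tried[ip].add(user)
        attempts[ip] += 1
        if result == "OK":
            succeeded[ip].add(user)

    flagged = {}
    for ip, users in tried.items():
        success_rate = len(succeeded[ip]) / len(users)
        # A customer mistyping a password retries ONE account; stuffing
        # walks across many accounts with a low hit rate.
        if len(users) >= min_users and success_rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(users),
                "attempts": attempts[ip],
                # Accounts the source got into: candidates for forced reset.
                "compromised": sorted(succeeded[ip]),
            }
    return flagged

if __name__ == "__main__":
    print(flag_stuffing_sources(SAMPLE_LOG))
```

Grouping by source IP alone misses campaigns spread across many addresses; the same counting can be keyed on whatever other request attributes the login logs record.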

Fraud takes its toll

In fact, fraud is arguably the biggest threat facing retailers. What do you do if you’re a fraudster wanting to monetise a stolen credit card? Typically, you buy a high-value product with it. In the UK, e-commerce fraud jumped 27% year-on-year in 2018 to reach £393 million — 59% of total card fraud in the country. Sometimes fraudsters make the most of omnichannel retail whilst circumventing address fraud checks by purchasing goods on stolen cards and picking them up in store. Sometimes gift cards are purchased to make it easier to launder the stolen funds. Sometimes card data isn’t used at all. In refund fraud the scammer simply uses social engineering to convince a store assistant that a delivery hasn’t arrived.

Let’s not forget that retailers also face a barrage of the same cyberthreats that impact organisations in all sorts of verticals, including business email compromise (BEC), ransomware and DDoS. The risks associated with the latter two are particularly acute in the retail sector as companies can’t afford for their web infrastructure to go down during busy shopping periods.

The impact of all of these threats can range from customer attrition and brand damage to compliance fines, investigation and clean-up costs, share price devaluation, and credit monitoring for breached customers. In a highly competitive industry like retail, the loss of customer loyalty can be particularly hard to recover from.

Fighting back with threat intelligence

An effective response to these threats requires a layered effort coordinated from the top down. That means an engaged C-suite keen to ensure the organisation has a tried-and-tested incident response plan to kick into action in the event of a breach. Equal attention needs to be paid to ensuring no vulnerabilities exist in web infrastructure, POS systems, and the supply chain. This means getting the basics right: patch management, staff awareness training, network monitoring, web app firewalls, cloud security posture management, comprehensive fraud prevention and more. But traditional controls are no longer sufficient. Retailers must go further, by integrating threat intelligence into their security posture.

The best systems will deliver context-rich, actionable threat intelligence in an automated manner so that organisations can detect threats both inside and outside their network and prioritise responses. This allows security teams of all sizes to focus their resources on the most imminent risks to their networks and infrastructure.

Threat intelligence can help identify and protect critical assets, such as customer and payment information, as well as intellectual property. It can help retailers define what is of interest to attackers, where these assets are located, and how they can be accessed. Systems can also detect stolen information like credit card details and credentials that are traded in underground markets. Armed with this information, security teams can react more quickly to security incidents, mitigate risks, and implement effective defence measures against new threats.

Visibility into threats is crucial to ensuring that retailers stay one step ahead of their attackers. Building a cyberdefence strategy around real-time threat intelligence can accelerate threat and fraud detection and enhance incident response capabilities. With these capabilities at the heart of the business, you stand the best chance possible of proactively mitigating risk — not only to keep the regulators happy and preserve the bottom line, but to help build a brand that can differentiate on data protection and transparency.
