While consumers are checking items off their shopping lists this holiday season, retailers may need to double check their cybersecurity methods as hacking attempts rise during the seasonal shopping flurry.
Crain’s spoke with retail and cybersecurity experts to help retailers prepare themselves to safely carry out their day-to-day business and process increased payment transactions during the season.
Philip Lieberman, president and CEO of Lieberman Software, has more than 35 years of experience working in the software industry. He said one reason the holiday season is a busy time for phishing hacks is because of the amount of cash flow businesses tend to see.
Phishing attacks mostly arrive as emails in which the sender impersonates another person or organization, for instance a customer buying a product.
“[Retailers may] believe that they’re a customer and open the email and then they end up with their machines infected or being remotely controlled,” Lieberman explained. “The attacker can then go into their bank account and do all kinds of mischief. The thing that changes during the holidays is that there may be more money in your bank account to steal.”
Tom Litchford, vice president of Retail Technology for the National Retail Federation (NRF), a retail trade association, also said phishing attacks are among the most common cyberthreats during the holiday shopping season.
Litchford said the NRF operates a retail information sharing and analysis organization that provides a threat alert system for businesses to stay attuned to threats that could impact their company.
He calls the threat alert system “the crown jewel” of the NRF’s cybersecurity program, adding that they typically send out about 12 to 15 alerts per day to their members to help them better defend themselves against cyberattacks. Litchford said phishing attacks make up about 90 percent of the alerts the organization has been sending out recently.
While retailers are becoming more aware of the phishing attacks, Litchford said it is now time for business owners to educate their employees to be skeptical of such emails.
“Whether it’s someone pretending to be your CEO asking you to wire thousands of dollars to China or someone pretending to be Microsoft saying your account is going to go bad, you just have to really start thinking, ‘this doesn’t look right,’ and then get your IT people involved to see what it really is,” Litchford said.
Lieberman also explained that skilled attackers tailor their phishing lures to the season, so that a message to a retailer reads like ordinary holiday business rather than an obvious fake.
“Criminals will change their attacks and target people based on the holiday,” Lieberman said. “If you’re not expecting an email or it looks the least bit suspicious, it’s sometimes better to get on the phone and talk to the person and make sure what you’re reading is real.”
Credentials and multi-factor authentication
Another defense retailers should consider is multi-factor authentication: requiring something beyond a username and password before a login completes, such as a one-time code sent to the user’s phone by text message or generated by a hardware token. Personal history questions, sometimes offered as a “second step,” are not a second factor: like the password, they are something the user knows, and they are often guessable from public information.
Lieberman said multi-factor authentication is especially useful for retailers when working with their banks.
Before a wire transfer is carried out, the bank would require the retailer to enter a token code, either sent by text message to a phone or generated by a physical token the bank provides, Lieberman said.
Stephen Gates, chief research intelligence Analyst for Zenedge, a cybersecurity company focusing on bot management solutions, cloud-based attack mitigation and more, said he has seen a rising bot phenomenon amongst cyber attacks.
Gates said while some bots are good to have around, like those operating for Google or Yahoo to aid in keyword searches, there is a growing problem with bots and “bot armies,” as Gates called them, which can cause problems online.
“Many devices are vulnerable to various cyberattacks on their own, and so the hackers begin building these bot armies,” he said.
Gates explained that the rise of bots and bots armies, which hackers can set up and then let loose to carry out their misdeeds without supervision, also cause confusion for retailers and website administrators.
With the growing use of bots, Gates said it can be difficult for retailers and companies to determine whether their site is busy because consumers are checking out their products, or if the traffic is even coming from human beings or malicious bots, after all.
He said the bots can even be used to make repeat purchases or cancel purchases, negatively affecting both businesses and consumers.
“I often tell people that the hacker is vacationing on his private yacht in the Mediterranean while all those bots are doing all this work for him, because bots never get tired,” Gates said.
Web application attacks
Gates said another area of particular concern is attacks on web applications.
“Anything that human beings have ever created is going to be vulnerable in some way,” Gates said. “Dealing with the vulnerabilities in an application is extremely crucial. When we look back at Equifax and the breach there... they were basically exploited by a simple vulnerability that was not patched.”
Gates said web application attacks tend to be very targeted: these intrusions usually involve someone directly probing a company’s application, finding where it is weak and gaining access to private information. He said installing a web application firewall makes the process more difficult and time-consuming for the attacker, often causing them to move on.
Gates said an easy solution to these attacks is for businesses to make sure they use a web application firewall technology to protect their websites and applications.
“The old school firewalls are good about protecting networks, but they’re terrible about protecting applications because they don’t understand the application,” he said.
Gates likened attackers who target web applications to burglars who walk in through the front door.
Response and recovery
Lieberman stressed that although what these attackers do is illegal in the U.S., they generally operate from abroad, so there is rarely anything law enforcement can do to recover a company’s financial or data losses.
“As a business, your most important thing is to provide good ways of restoring things but also to try to minimize your losses by adding layers of protection to your systems,” Lieberman said. “Undoubtedly, one or more of your machines will end up getting infected by something. Resiliency means having a plan and coming up with a way of rebuilding or resetting your machine.”
Lieberman said resetting an infected machine could be as easy as taking it back to the store where it was purchased and having it reset. Following a machine reset or hack of any kind, Lieberman advises companies who don’t already use cloud-based software to begin doing so in order to make data recovery an easy step going forward.
Having an incident response plan—an organized list of steps the company will take to address a hack—ready to go in the event of an attack is one of the most important ways a business can protect itself, Litchford said.
“After you’ve been breached is not the time to figure out how to do all of this,” Litchford said. “I’ve been trying to really educate the industry. This is not an IT problem, it’s a business-risk problem.”