With the holidays nearly behind us and the new year looming ahead, retailers are still very much in the midst of their holiday rush. With gift cards to be used, unwanted gifts to be returned and after-Christmas discounts to be taken advantage of, retailers — and the payments technologies they employ — are still experiencing heavy volume, leaving them vulnerable to data breaches. Here’s what to keep an eye on this week.
Securing The Back Door
The recent Juniper Network data breach has reignited a debate over intentional “back door” access points — protocol built into systems to allow administrators to bypass their own encryption efforts and access data within a network — and who has the ability to use them. Unfortunately, these access points, no matter how advanced, leave networks vulnerable to attacks by sophisticated hackers.
As PYMNTS recently reported, in the case of Juniper’s breach, it is suspected that the attack may have been carried out by a nation-state, making things even more alarming. Dave Palmer, director of technology at Darktrace, a cybersecurity firm, recently told Reuters: “If this really was intended as a ‘nobody but us’ back door and then subverted by a nation-state, that’s a tricky place for policymakers.” This incident has caught the attention of Washington and sparked renewed debate over who, if anyone, can request access through these back doors to view decrypted information when there is a vital national security risk.
Stewart Baker, former general counsel at the NSA, explained to Reuters: “Whenever you build in access, you’re running a risk … that that access will be misused. The question here is: Is this a risk that ought to be managed, or should we refuse to accept it at all?” Undoubtedly, a debate that will continue to heat up into 2016 and beyond.
Gift Cards Keep On Giving — To Hackers
KrebsOnSecurity is reporting that online gift card retailer Gyft has forced a password reset for some of its users in response to the theft of usernames and passwords from the eCommerce merchant’s database. Gyft allows users to buy and use gift cards all from their mobile device and is a favorite among bitcoin enthusiasts, as gift cards are one of the easiest ways to convert bitcoin currency into actual cash.
These types of phishing schemes are also lucrative for hackers who can take login credentials and apply them across various Internet sites (including banking apps) to try and gain access to other accounts held by the users compromised in the breach. This is another good reason for consumers to use a variety of login info across the Internet. While the company has not disclosed how many customers it has or how many were impacted by this breach, sources tell Krebs that the percentage of users affected was in the “high single digits."
Two Gyft executives told KrebsOnSecurity they first learned of the issue about three weeks ago, and that all of the affected accounts were being monitored for suspicious activity.
App Vulnerability Raises Unpleasant Memories For Target
Cybersecurity and antivirus software company Avast recently revealed what it considers to be a “major security flaw ” in the popular Target Wish List app. The vulnerability left personal information vulnerable to anyone able to figure out how the app auto-generated a username for account creators.
Avast examined the security protocols of several major retailers’ mobile apps, including Walgreens and Home Depot, and found that many request access to contact phone lists, photos and location information from the user’s phone. The Target app was found to provide shockingly easy access to this data.
According to Avast’s cybersecurity expert, Filip Chytry, “the only thing you need in order to parse all of the data automatically is to figure out how the user ID is generated. Once you have that figured out, all the data is served to you on a silver platter in a JSON file.” A JSON file is a format to make the storage and exchange of data easier.
Upon learning of the vulnerability, Target immediately shut down parts of the app to deal with the issues. It is unclear how many people may have been impacted or what the level of the threat was.