With Black Friday behind us and the holiday shopping season slipping into high gear, it’s more important than ever for retailers to keep an eye on security, both online and in store. We’re making it easy by wrapping up the week’s top retail security stories in our Security Tracker.
“The Most Sophisticated Point-Of-Sale Malware Ever Seen”
Physical retailers had a dose of bad news heading into Black Friday weekend with a new and particularly sophisticated piece of POS malware used to harvest card details from shoppers at the point of sale surfacing just days before the big shopping event.
According to iSight Partners, a threat intelligence company, the new piece of malware is incredibly versatile in how it collects consumer data, making it hard to detect. Maria Noboa, senior technical analyst at iSight Partners, stated ominously that the latest is the “most sophisticated point-of-sale malware ever seen to date.”
The firm spent several weeks leading up to Black Friday (Nov. 27) warning large retailers that the malware was potentially hiding out in their systems. However, iSight noted, even if retailers became aware of the malware, it is extremely challenging to find and fix the problem.
“There is new point-of-sale malware every week, which takes our engineers 20 to 30 minutes to reverse the code,” said Noboa. “With this, it took them about three weeks to determine it was indeed malicious and then several more weeks, two of them working at the same time, to figure out what each module consists of.”
While there have been no reports yet of the malware actually being used this year, the risk is still high, and Noboa and others are warning retailers to remain diligent throughout the holiday season as a breach of this type could put a large dent in their holiday profits and long-term customer loyalty.
VTech Breach: A Shot Across The Bow For A.I. Retailers?
As PYMNTS reported earlier this week, Hong Kong-based VTech, maker of smart toys and games for children, was the victim of a cyberattack. Its online Learning Lodge portal, which is used by consumers to access children’s games, eBooks and other educational content, was compromised in the attack. With “smart” toys making a big push during the holiday season, this may be a warning for how data collected from these toys and games — as well as the information of parents and children who use them — is managed and protected by retailers.
The information of as many as 4.8 million parents and more than 200,000 children may have been stolen from the site, although VTech would not confirm those numbers. The company did verify that the data breached included parents’ full names, email addresses, passwords and home addresses; the first names, gender and birthdays of children who have accessed the site were also reportedly taken.
VTech was quick to clarify that its customer database does not contain any credit card data and that any transactions completed in order to access content in the Learning Lodge portal were handled through a secure third-party payment gateway, which was not involved in the attack. It did acknowledge that encrypted passwords, secret questions and password retrieval information, as well as IP addresses and download histories, were housed in the database and potentially compromised during the breach.
Tips For Mitigating Security Risks All Holiday Season Long
U.K.-based SC Magazine came out with a rock-solid list of tips to help retailers mitigate risks heading into Black Friday. But what’s good for retail security on that big day holds true throughout the holiday season — when stores are busy, online transactions are streaming at a steady pace and in-store systems are pushed to operate at maximum capacity.
When asked about keeping POS machines safe, Jules Pagna Disso, Nettitude’s head of research and development, suggests retailers learn from previous industry attacks, many of which were conducted via fake POS terminals with wireless access.
“Only trusted third parties should be instructed to maintain PoS terminals, and it is vital that wireless communications is monitored,” Disso says, “as this is commonly used by criminals to exfiltrate data in attacks on retailers.”
Another topic discussed in the article is production freeze. Trey Ford, global security strategist at Rapid7, describes the potential issue: “[Retailers] halt updates and configuration changes in their payment and order fulfillment systems to limit the risk of interruption and slowdowns to mission critical systems.”
This means there are few updates being made to in-store systems over the next 90 days, leaving retailers vulnerable to attack. Ford suggests retailers stay proactive during the holiday season.
“Think of this in terms of the security lifecycle: Prevent, Detect, Correct,” adds Ford. He recommends retail energy investment being made on those three stages moving forward.
The article also goes on to discuss insufficient transport layer protection, as well as what is (very Britishly) referred to as “Too Bloody Busy Syndrome,” in which retailers get so caught up in the holiday rush they lose sight of the importance of adhering to security protocols. All good advice for retailers looking to avoid breaches between now and Dec. 25.