Because retailers tend to have more pressing day-to-day concerns than security — namely, selling their products to customers — it can be tempting for them to assume that, in the endlessly escalating battle between cybercriminals and security technologists, the experts in the latter group will develop something to counteract whatever the bad guys come up with in short order.
Sometimes, that assumption is accurate.
In the recent instance of the XSS security vulnerabilities that befell the online shopping cart Zen Cart, for example, the company acted quickly to solve its own problem.
When researchers from Trustwave’s SpiderLabs Research team sussed out weaknesses in the Zen Cart application that could allow malicious actors to steal cookies and sensitive information from, and deface the sites of, online merchants that used the shopping cart, they informed Zen Cart of the situation and immediately began working with the company to develop a fix.
Zen Cart released a local patch to address the vulnerabilities in the interim, before ultimately rolling out an updated version of its software that addressed the security issues moving forward, and advised all of its users to implement the upgrade as soon as possible.
No harm, no foul, more or less; and those who stood to be most affected by the security vulnerabilities — the online retailers — hardly had to lift a finger to be protected against them.
But the fact is that things don’t always sort themselves out, effectively, in the retail security game.
Take what happened just last week, when the TREASUREHUNT malware, from out of nowhere (as is predominantly the inherent business model, as it were, of malware), escalated from its initial version, which had been around since late 2014, to suddenly pose the very real threat of capturing credit card details directly from retail point-of-sale (POS) systems.
FireEye Threat Intelligence posited that the current transition to EMV in the retail space created the perfect opportunity for TREASUREHUNT to up its game, as it were. As Nart Villeneuve, a researcher for the firm, explained:
“In the world of POS threats, there has been a rise in both underground offerings, as well as new malware found in active use. The demand is likely due to the ongoing transition to EMV chip-and-PIN technology in the United States, which will eventually render these techniques largely useless. While some cybercriminals are looking ahead in an effort to develop ways to exploit chip-and-PIN (as well as near-field communication technologies), many cybercriminals are looking [to] take advantage of memory-scraping POS malware while it still works.”
As of yesterday (April 4), there remained no cut-and-dried solution for retailers that have not yet moved over to EMV to combat the threat posed by TREASUREHUNT. Unlike the situation with Zen Cart, no one has come to the rescue on merchants’ behalf.
It’s likely that a temporary countermeasure to the malware could be developed before the EMV transition is completed en masse across the retail space in the U.S., but the incident as it currently stands reveals the plain truth that retailers simply cannot afford to sit back and wait for a fix for whatever industry-wide security problems arise.
The concept that “knowledge is power” can be applied to just about any circumstance, and retail data security is no exception.
To that end, late last week, the National Retail Federation (NRF) announced that the Association for Retail Technology Standards (ARTS) — which is part of NRF’s Technology Leadership Community — has released three new programs designed to help retailers help themselves by staying on top of all things security.
As a press release explains, there’s the ARTS Cybersecurity Primer, a research paper that provides guidance to non-security experts regarding risk factors and best practices in addressing them; the ARTS Data Privacy Primer, which advises retail organizations on consumer data protection; and the ARTS Data Classification Template, which provides retailers with a framework for implementing data security measures.
“Retailers today face major challenges in securing personal data of their customers and their employees,” IBM Worldwide Research Lead and work team Chair Sima Nadler stated in the release. “IBM was pleased to be able to contribute to a resource that will increase understanding of issues around privacy and data security in retail IT development.”
While retailers only have so much time to dedicate to tasks beyond their central focus of simply running their businesses, recent instances have proven (and will certainly continue to prove) that what time they do have to spend on data security will be well spent on doing what they can to stay out in front of potential issues, even though they aren’t equipped to directly solve every problem that might come along.
Otherwise, when the next security threat comes along, it could result in a retailer no longer having much of a business at all to run — or protect.