The six-week period in the holiday season at the end of the year propels many retailers to profitability. However, it’s also a very popular time for cybercriminals to gain access to both point-of-sale (POS) systems as well as individual user accounts. The result is a greater chance of account compromise and data breaches than at any other time of the year.
And fraud is occurring at rates not seen before. According to TransUnion, more than 25% of all Cyber Monday transactions were suspected of being fraudulent in 2020. That’s some serious criminal activity. Black Friday was not far behind, with 12.02% of transactions suspected of fraud. ‘Tis the season, as they say…
Customer data is incredibly valuable to retail establishments. Chains and individual stores use customer data for target marketing and to keep track of their purchases. Retailers can suggest additional items based on an aggregation of purchases others have made, or similarities to what someone has already bought.
But this data is also valuable to attackers. With a customer’s personal details and stored card information, they can impersonate a legitimate buyer. Initial purchases are often small-value test items to confirm that the card and account still work; attackers then use them as a stepping stone to increasingly larger fraudulent purchases.
Attackers may also find it more immediately profitable to sell accounts and account access than to monetize each account themselves. Thousands of compromised accounts sold in bulk to other criminals is a quicker payout than working through them one at a time. So your account may be compromised for months before you notice, when a third party who bought it finally uses it.
Fraud and account takeover continue to be a serious problem. Attackers break into accounts by credential stuffing (replaying username and password pairs leaked from other breaches), by guessing passwords, or by compromising accounts in other ways. They may also create false accounts using identity information stolen from customers of other retailers or bought on the dark web.
Probably the most basic thing that retailers can do is to segment their network by purpose and by the data it carries. Customer data should not be reachable from the same network segment as general corporate systems, for example, and POS systems should sit in their own segment. Whether that means physically separate networks or firewalled boundaries between segments, it is worth doing to prevent an enterprise-wide breach: if an attacker compromises one segment, the damage should be contained to that segment.
Another important point is not to connect to databases with shared administrative credentials. Many applications use a database administrator account for ordinary read and write access, so compromising the application hands the attacker full control of the database. Retailers should instead give each application its own account on customer and inventory databases, limited to the tables and operations that application actually needs, so that an attacker who steals those credentials cannot get administrative access.
Retail enterprises should be monitoring their networks for unusual activity, whether by customers or by attackers. Analytics can be a big help here. If a given customer spends significantly more than usual, or makes a purchase from an unusual location, analytics can turn those deviations into a risk score for that activity. By triaging only activity above a risk threshold, SOC analysts avoid drowning in false positives and focus on the riskiest user activity.
Machine learning (ML) models are also useful in catching rare or unusual actions that might indicate fraud. These models build a baseline of normal behavior from logs, network and application data, and flag deviations from it in real time. They can alert SOC analysts to unusual events, use risk analytics to assess the seriousness of the problem, and begin automatic remediation. Automatic actions such as holding an order or forcing re-authentication should be reserved for high-confidence scores, since blocking a legitimate customer during the holiday rush carries its own cost.
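To make the risk-scoring idea from the two preceding paragraphs concrete, here is an added example (written for this page, not Gurucul’s product code). It builds a per-customer baseline from transaction history, scores each incoming transaction on amount deviation, an unseen country, and a country change within a short window, and returns only the transactions that clear a triage threshold. The signal weights, the two-hour travel window and all transactions are constructed assumptions chosen to illustrate the technique.

```python
"""Risk scoring of retail transactions against per-customer baselines.

Added illustration, not Gurucul's product code. Sample transactions are
constructed inline so the script runs offline; a real deployment would read
them from POS or web-order logs.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    customer: str
    ts: datetime
    amount: float
    country: str


def parse(rows):
    """rows: (customer_id, ISO-8601 timestamp, amount_usd, ISO country code)."""
    return [Txn(c, datetime.fromisoformat(t), float(a), k) for c, t, a, k in rows]


# Constructed history: two customers with ordinary, stable buying patterns.
HISTORY = parse([
    ("c1", "2020-10-01T10:00:00", 45.00, "US"),
    ("c1", "2020-10-09T18:30:00", 52.00, "US"),
    ("c1", "2020-10-20T12:15:00", 38.00, "US"),
    ("c1", "2020-11-02T09:45:00", 61.00, "US"),
    ("c1", "2020-11-20T16:00:00", 49.00, "US"),
    ("c2", "2020-10-05T11:00:00", 120.00, "GB"),
    ("c2", "2020-10-12T11:10:00", 130.00, "GB"),
    ("c2", "2020-10-19T11:05:00", 110.00, "GB"),
])

# Constructed holiday traffic, in arrival order.
INCOMING = parse([
    ("c1", "2020-11-27T09:00:00", 55.00, "US"),   # normal
    ("c1", "2020-11-27T09:05:00", 899.00, "RO"),  # big spend, new country, minutes later
    ("c2", "2020-11-27T12:00:00", 125.00, "GB"),  # normal
    ("c2", "2020-11-27T12:30:00", 118.00, "US"),  # usual amount, but 30 min after a GB purchase
    ("c3", "2020-11-27T13:00:00", 40.00, "US"),   # brand-new account, nothing to baseline
])

TRAVEL_WINDOW = timedelta(hours=2)  # assumed window for "impossible travel"


def risk_score(txn: Txn, history: list[Txn]) -> tuple[int, list[str]]:
    """Score one transaction 0-100 against the customer's own history.

    Signals (weights are illustrative assumptions, not tuned values):
      amount  : z-score of the amount against the customer's mean/std
      country : purchase from a country never seen for this customer
      travel  : different country than the previous purchase, within TRAVEL_WINDOW
    """
    own = [t for t in history if t.customer == txn.customer]
    if not own:
        # Nothing to baseline against: a fresh account gets a moderate score
        # rather than a free pass, since attackers also create false accounts.
        return 40, ["no purchase history"]

    score, reasons = 0, []
    amounts = [t.amount for t in own]
    mu, sigma = mean(amounts), pstdev(amounts)
    # A zero std (identical repeat purchases) would divide by zero; treat any
    # deviation from such a flat pattern as a large one.
    z = (txn.amount - mu) / sigma if sigma > 0 else (3.0 if txn.amount != mu else 0.0)
    if z >= 3:
        score += 40
        reasons.append(f"amount z={z:.1f}")
    elif z >= 2:
        score += 20
        reasons.append(f"amount z={z:.1f}")

    if txn.country not in {t.country for t in own}:
        score += 25
        reasons.append(f"new country {txn.country}")

    last = max(own, key=lambda t: t.ts)
    if last.country != txn.country and txn.ts - last.ts < TRAVEL_WINDOW:
        score += 35
        reasons.append(f"{last.country}->{txn.country} in {txn.ts - last.ts}")

    return min(score, 100), reasons


def triage(incoming, history, threshold=50):
    """Score transactions in arrival order; return those at or above threshold,
    highest first. That short list is what reaches the SOC queue.

    Low-risk transactions are folded into the baseline so it keeps learning the
    customer's seasonal pattern; flagged ones are held out so a fraud burst
    cannot poison the profile it is being measured against.
    """
    hist = list(history)
    alerts = []
    for t in incoming:
        s, why = risk_score(t, hist)
        if s >= threshold:
            alerts.append((t, s, why))
        else:
            hist.append(t)
    return sorted(alerts, key=lambda a: a[1], reverse=True)


if __name__ == "__main__":
    for t, s, why in triage(INCOMING, HISTORY):
        print(f"{s:3d} {t.customer} {t.ts:%Y-%m-%d %H:%M} {t.amount:8.2f} {t.country}  {'; '.join(why)}")
```

Run as a script, it prints two alerts out of five transactions: the 899 RO purchase by c1 scores 100 (huge amount deviation, unseen country, and a country change five minutes after a US purchase), and c2’s US purchase scores 60 on the unseen-country and travel signals alone, even though the amount is typical. The two normal purchases and the new account stay below the threshold. Note that the baseline is only updated with transactions that pass; a real system would also feed confirmed analyst dispositions back into those weights.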
Make no mistake: attackers seek to make money off their efforts, either through outright theft or by ordering goods they have no intention of paying for. Once inside a flat retail network, they can often reach anything on it through lateral movement, social engineering or privilege escalation. Unpatched software provides direct, often easily exploited, footholds, so prompt patching is a necessary part of the cybersecurity equation.
Customers also have a responsibility to examine their accounts periodically to make sure there are no unexpected purchases or other activities, and to report anything suspicious to the retailer. Those reports are often the first signal a retailer gets that an account has been taken over, so customers and retailers working together can be highly effective in combating theft.
Gurucul can help retail establishments through risk-based analytics and User and Entity Behavior Analytics (UEBA). UEBA is useful not only against customers’ compromised accounts and external threats, but also against insider threats from employees and others with legitimate access, identifying unusual logins, unusual locations, and access that wanders outside a user’s normal role.
Gurucul also has ML models that can help identify retail activities that are out of the ordinary, and initiate remedial actions. This is an important approach to retail cybersecurity, where activities tend to change based not only on time of year, but also day of the week.
Retail remains a large and growing target for cybercriminals and others with illegitimate purposes. There is no one single silver bullet to address retail breaches and theft; they require a concerted effort by IT staff, SOC analysts, legitimate internal users, and customers. But a key aspect of any effort is automation, using analytics, ML, and remediation to assist in the effort.