With the holiday season quickly approaching, many retailers might be finding themselves in the crosshairs of criminals, both physically and online. The unfortunate reality is that most of them are soon entering an IT freeze, or already have, where no new projects go live and performance and availability take precedence. In many cases, this means that any new security upgrades or technology are put on hold until after the busy holiday shopping season and only the most critical security patches get installed. Threat and vulnerability scanning are both throttled back during high volume periods to ensure optimum performance and avoid impact to customer satisfaction.
Ask anyone waiting in line for this year’s MUST HAVE gift if they have concerns about the retailer’s security posture. Most likely, you’ll get a blank stare. They should care, though. While most credit card companies have safeguards in place to protect the consumer, there is nothing that prevents their personal information (Social Security number, DOB, home address, etc.) from being stolen and used later for malicious purposes.
While most people understand that financial institutions, telcos and other businesses are entirely reliant on their IT infrastructures to deliver value, many people don’t consider the fact that retailers are in exactly the same boat. In many ways, retailers face a more difficult problem with IT than other industries:
- They have employees who might enjoy a tenure of 6 months or less, with very little security training.
- They typically have widely distributed networks with many remote locations, plus an online presence, with many points of attack.
- They handle sensitive personal data from their customers on a regular basis, and they have to be able to accept credit cards in order to do business.
- The highly competitive and fickle nature of their business requires them to be “easy” for consumers to deal with, and we know security often introduces complexities.
- Their business is insanely cyclical, with a large amount of their business done in the holiday timeframe.
- They must work with legions of suppliers and other affiliates, with sometimes shaky or even nonexistent security policies and practices.
- They have slim margins and stockholders holding them accountable for every cent – hardly encouraging security investments, above and beyond the obvious physical security requirements to handle shop-lifting.
- Cash registers and POS systems are networked computers, so compromising them can compromise the entire infrastructure.
To top it all off, attackers are coming up with new ways to steal your information and ruin your holiday season. For example, a new exploit acts as a proxy for a well-known site and then redirects the traffic when it’s time to receive payment. While earlier methods that redirected users to a copy of the website relied on the quality of the imposter website to convince users of its authenticity, this approach relays the exact same content and is nearly undetectable by the site owner, not to mention the unsuspecting target.
Following are a few tips for retailers and consumers to help protect themselves during this technology “holiday freeze.”
Tips for Retailers (the real victims)
- Go “all hands on deck.” The typical situation that occurs with retailers during the holiday season, where IT staff is expected to work long hours, is helpful in defending against opportunistic attackers. With most IT staff on hand and watching for suspicious behavior, the likelihood that attackers can access cardholder data is reduced.
- Use tools to help with detection of exploits. In fact, especially during the holiday freeze, it’s actually more about detection than prevention. Tools like SIEM and IDS, which are included with AlienVault’s Unified Security Management (USM)™, are particularly helpful for detection.
- Share threat data with other retailers. Retailers are increasingly sharing threat data, which can help a great deal with attacks that tend to be the same across all Point of Sale (POS) terminals. With the commonality of attacks, this threat sharing may be extremely valuable to retailers.
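One concrete detection the retailer's own web logs can support, tied to the proxying attack described earlier and to the detection-over-prevention point above: a relaying lookalike site sends the shopper to the real payment step, so the legitimate server may see a Host header or a Referer naming a domain it does not own. This is an added illustration, not AlienVault's or USM's code; the log layout, field names and the domains are constructed placeholders.

```python
"""Flag checkout requests that appear to arrive through a relaying
lookalike site. Constructed sample log lines; the log format and the
legitimate domain are assumptions for this example."""
import re
from urllib.parse import urlsplit

LEGIT_HOST = "shop.example"  # placeholder for the retailer's real domain

# Assumed layout: client ip, "METHOD path", status, Host header, Referer header
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'host="(?P<host>[^"]*)" referer="(?P<referer>[^"]*)"$'
)
CHECKOUT_PATHS = ("/checkout", "/payment")

def parse(line):
    """Return the log fields as a dict, or None for lines that do not fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious(entry, legit_host=LEGIT_HOST):
    """Return a reason string if this checkout request looks relayed, else None."""
    if not entry["path"].startswith(CHECKOUT_PATHS):
        return None
    host = entry["host"].lower()
    ref_host = (urlsplit(entry["referer"]).hostname or "").lower()
    # A relay that forwards the browser's headers verbatim carries the
    # lookalike's Host; one that rewrites Host may still leak it via Referer.
    if host and host != legit_host:
        return f"Host header {host!r} is not {legit_host!r}"
    if ref_host and ref_host != legit_host:
        return f"checkout reached from foreign referer {ref_host!r}"
    return None

def find_relayed_checkouts(lines, legit_host=LEGIT_HOST):
    """Return (client ip, path, reason) for every suspicious checkout request."""
    hits = []
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue
        why = suspicious(entry, legit_host)
        if why:
            hits.append((entry["ip"], entry["path"], why))
    return hits

SAMPLE_LOG = [  # constructed; shop-example.test stands in for a lookalike domain
    '203.0.113.5 "GET /product/42" 200 host="shop.example" referer="https://shop.example/"',
    '203.0.113.5 "POST /checkout" 200 host="shop.example" referer="https://shop.example/cart"',
    '198.51.100.9 "POST /checkout" 200 host="shop-example.test" referer="https://shop-example.test/cart"',
    '198.51.100.9 "GET /payment" 200 host="shop.example" referer="https://shop-example.test/checkout"',
]

if __name__ == "__main__":
    for hit in find_relayed_checkouts(SAMPLE_LOG):
        print(*hit)
```

A relay that rewrites both Host and Referer will pass this check, so treat a hit as a lead for the SIEM rather than proof; the value is in catching the sloppy setups cheaply during a freeze when no new controls can be deployed.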
Tips for shoppers (consumers)
This is a terrible situation, but as far as consumers go, the liability is not that great for fraudulent charges on credit cards. In fact, the top liability is $50 for unauthorized use of your credit card, and if the credit card number is stolen, but not the card, your liability is $0 if you report it on a timely basis. So the best tip is to monitor your credit card activity and notice those unauthorized charges. Debit cards and ATM cards require you to report fraudulent transactions within 60 days of your statement – again, you just need to keep an eye on them.
The big danger is loss of your personal information, which can be used to open additional credit cards and to take control of your assets by combining the stolen information with other information acquired with social engineering. Black markets for your personal data seem to be limited to credit card numbers right now, but there is nothing stopping these organizations from aggregating more of your personal information from many sources and creating more valuable offerings for criminals to pursue.
For now, the best tip of all is to be suspicious of attempts to acquire your personal information. No need to wear a tinfoil hat, but it’s a good idea to safeguard your personal information and to treat it as a personal asset.