Retail cyber threat: better and worse

One thing you can say about the cyber threat to retail — it is constantly changing. According to a new report by IBM, the threat is getting weaker and stronger at the same time. While the retail/wholesale industry was the top industry target in 2014, the number of breaches during a key two-week holiday period actually dropped by 50+ percent vs. the same period in 2012. Further, the number of daily attacks dropped by nearly one third over the same period.

According to IBM, 61 million records were stolen from retailers during 2014, which is near an all-time high. Cyber attackers are apparently becoming more sophisticated, using new techniques to grab confidential information more efficiently. The general manager of IBM Security Services, Kris Lovejoy, says that the threat from organized cybercrime rings is "the largest security challenge for retailers."

IBM says the main mode of attack in 2014 was unauthorized access via Secure Shell (SSH) brute-force attacks, displacing malicious code, which was the top method in 2012 and 2013. Attacks against retailers and consumers have progressed from theft of an actual credit card to website cloning to attacks on POS systems. A main weakness of many POS systems is that data is stored in a decrypted state in order for transaction authorization to take place.


The Privacy Rights Clearinghouse says that 260 million retail records have been leaked, lost or stolen in the U.S. since 2005, although IBM believes the true number is much higher because of occurrences where no total losses were reported. Major retail breaches have so far affected The Home Depot, Target, Sony PlayStation Network, Sony Online Entertainment, TJX, and many others.

Key factors in major breaches so far, according to IBM, have been outdated wireless encryption systems, failure to install firewalls, failure to implement security software already purchased, phishing attacks targeting employees with POS malware, and using operating systems with security vulnerabilities that haven’t been patched.

IBM provides a number of recommendations to retailers, some of which seem pretty basic:


  • Do not use default passwords when installing POS systems;
  • Ensure that POS software applications are updated and using the latest patches;
  • Protect POS systems with a firewall;
  • Update antivirus programs that protect POS systems;
  • Restrict access to POS system computers or terminals;
  • Disallow remote access to the POS system.

In an interview with RetailWire, John Kuhn, a senior threat researcher at IBM Managed Security Services, said, "Many large retail breaches happen because the most basic retail security best practices are not being followed. In addition to the basics, retailers need to have tight control, monitoring, and updating of their POS systems, which in part is not happening because the systems have to be taken offline for updates. And retailers definitely need to use POS systems just for POS and not allow employee access to the internet via these systems."

Discussion Questions

Do you see the cybersecurity threat to retail getting more or less severe? What are the most important things retailers can do to secure their POS systems and their customers’ data?
