One of the most popular times of the year for hackers to attack retail websites is during the holiday season when retailers are too busy to think about security. Finding and fixing security vulnerabilities often takes months, so now is the perfect time to start.
Although attackers most often hack retail sites to obtain customer card data, they also do it to steal from the retailer itself, especially one that ships physical goods. Card data, which can fetch up to $80 per card on underground sites, is the main loot, but if you sell products, hackers are after those too. All software has flaws, and an attacker who gets into the backend of your website may need to make only a small change, such as repricing a TV you sell for $900 at $9, to let a buyer walk away with it for almost nothing.
When attackers break into your site remotely through a vulnerability, whether in your software, your hardware or your employees, they can reach the backend of your website and plant malicious code behind a link customers are likely to click, such as the one that says Check Out. When a shopper clicks that link, the code tries to download malware onto the shopper's computer without any visible sign, typically by exploiting an unpatched browser or plug-in (a drive-by download); only a fully patched browser, or anti-malware software that recognizes that particular code, will stop it.
At the same time, one of two other things happens: either the link fails to open, or it sends the shopper to a Web page the attacker controls. In the second case the shopper notices nothing, because the attacker's page is built to look exactly like part of the retailer's official site. A malicious Check Out link typically leads to a copy of the retailer's real checkout page, which asks the shopper to log in and enter credit card details just as the legitimate page does. When the shopper clicks Submit, the attacker captures the login credentials and card data. The fake page then often stalls; when the shopper refreshes it, the attacker redirects back to the retailer's legitimate checkout page. Unaware of what has just happened, the shopper enters login credentials and card details a second time, and this time the purchase goes through on the real site. The shopper did make that last purchase, but also clicked a malicious link and has no idea that an attacker now holds the data.
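The injected Check Out link described above is something a retailer can look for on its own pages. The following is an added example, not code from the original article: a Python check that audits a saved copy of the checkout page, flagging any link, form or script that points to a host outside an allowlist of the retailer's own domains, any inline event handler or javascript: URL, and any inline script whose SHA-256 hash is not in a baseline taken from a known-good copy. The hostnames, the allowlist and both HTML pages are constructed for the example.

```python
"""Audit a checkout page for injected links, forms and scripts.

Added example; not code from the original article. The hostnames, the
allowlist and the two HTML pages below are constructed for illustration.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PAGE_URL = "https://shop.example/checkout"                            # assumed page
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example", "pay.example"}  # assumed allowlist

# Attributes that make the browser load from, or navigate to, a URL.
URL_ATTRS = {"href", "src", "action", "formaction", "data"}


class _RefCollector(HTMLParser):
    """Collect URL-bearing attributes, inline event handlers and inline
    <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.refs = []             # (tag, attr, url)
        self.inline_handlers = []  # (tag, attr, snippet) for on*= and javascript: URLs
        self.script_bodies = []    # text of inline <script> blocks
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name in URL_ATTRS:
                if value.strip().lower().startswith("javascript:"):
                    self.inline_handlers.append((tag, name, value[:60]))
                else:
                    self.refs.append((tag, name, value))
            elif name.startswith("on"):
                self.inline_handlers.append((tag, name, value[:60]))
        if tag == "script" and not any(n == "src" for n, _ in attrs):
            self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            self.script_bodies.append(data.strip())


def _sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def inline_script_hashes(html):
    """Hashes of every inline <script> body; run on a known-good copy to build the baseline."""
    p = _RefCollector()
    p.feed(html)
    return {_sha256(body) for body in p.script_bodies}


def audit_page(html, page_url, allowed_hosts, known_script_hashes):
    """Return human-readable findings; an empty list means nothing suspicious."""
    p = _RefCollector()
    p.feed(html)
    findings = []
    for tag, attr, url in p.refs:
        host = urlparse(urljoin(page_url, url)).hostname  # resolves relative and //host URLs
        if host and host not in allowed_hosts:            # mailto:, tel:, #anchors have no host
            findings.append(f"<{tag} {attr}> points off-site to {host}")
    for tag, attr, snippet in p.inline_handlers:
        findings.append(f"<{tag} {attr}> carries inline script: {snippet}")
    for body in p.script_bodies:
        if _sha256(body) not in known_script_hashes:
            findings.append(f"inline <script> not in baseline: {body[:60]}")
    return findings


# Constructed known-good checkout page.
CLEAN_PAGE = """<html><body>
<script src="https://cdn.shop.example/app.js"></script>
<script>window.cartId = "c-1001";</script>
<form action="https://pay.example/checkout" method="post">
  <a href="/cart">Back to cart</a>
  <a href="/checkout/submit">Check Out</a>
  <a href="mailto:help@shop.example">Help</a>
</form></body></html>"""

# The same page after the kind of tampering the article describes: the Check Out
# link now leads to an attacker-controlled look-alike host and a script was added.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    '<a href="/checkout/submit">Check Out</a>',
    '<a href="https://shop-example-checkout.net/checkout" onclick="beacon()">Check Out</a>'
    '<script src="//shop-example-checkout.net/c.js"></script>'
    '<script>function beacon(){new Image().src="https://shop-example-checkout.net/d";}</script>',
)


def demo():
    """Audit the clean page and the tampered page against the clean baseline."""
    baseline = inline_script_hashes(CLEAN_PAGE)
    return (audit_page(CLEAN_PAGE, PAGE_URL, ALLOWED_HOSTS, baseline),
            audit_page(TAMPERED_PAGE, PAGE_URL, ALLOWED_HOSTS, baseline))


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean page findings:", clean)
    for finding in tampered:
        print("TAMPERED:", finding)
```

Run it against a copy of the page fetched on a schedule from outside your own network (attackers sometimes serve the injected version only to real visitors), and treat any finding as a page that needs to be pulled and examined. The baseline of inline-script hashes has to be refreshed whenever you deploy a legitimate change, which is one more reason to scan after every change to the site.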
Often attackers compromise a retail site simply to host malware on it and attack its visitors. Once they control a visitor's computer, they can steal that person's credit card and online banking details. The damage reaches you too: customers behind a Web proxy or security gateway that has your compromised site on its block list will be unable to reach your site at all.
In addition to their network and company computers, retailers with brick-and-mortar stores need to worry about vulnerabilities in their POS systems and personal identification number (PIN) pads. Card data enters the POS system in two main ways, through the magnetic stripe reader (MSR) and through the PIN pad, and both read the card. An attacker who gets a few unwatched minutes at a register can load malware onto the POS terminal or tamper with its card reader or PIN pad. Because that register is connected to the back-office system, the attacker can then retrieve the captured card data remotely and use the register as a foothold to reach the rest of the system and the customer data on it.
If your store offers wireless access that is connected to your network, an attacker can get into your systems with little effort. If the administrator has misconfigured the Wi-Fi, the attacker may only need to change his laptop's settings to join the business network. Even if your Wi-Fi runs on its own infrastructure and is otherwise configured correctly, an attacker may be able to exploit a feature such as Wi-Fi Protected Setup (WPS) by brute-forcing its eight-digit PIN: the access point confirms the first four digits separately from the rest, and the last digit is a checksum, so about 11,000 guesses suffice instead of 100 million, after which the attacker is on the business network.
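Why the WPS PIN falls so quickly, as an added example that is not part of the original article: the check-digit routine below is the one from the Wi-Fi Simple Configuration specification, and the guess counts assume the standard WPS exchange, in which the access point rejects a wrong first half of the PIN (after message M4) before the second half is ever checked. The PIN values are constructed for illustration.

```python
"""WPS PIN check digit and the size of the brute-force search.

Added example; not code from the original article. The check-digit
formula is the one in the Wi-Fi Simple Configuration specification; the
guess counts assume the standard WPS exchange, in which the access point
rejects a wrong first half of the PIN before the second half is checked.
PIN values are constructed for illustration.
"""


def wps_checksum(body: int) -> int:
    """Check digit for the first seven digits of a WPS PIN (given as an int)."""
    acc = 0
    while body:
        acc += 3 * (body % 10)   # odd-numbered digits, counted from the right, weigh 3
        body //= 10
        acc += body % 10         # even-numbered digits weigh 1
        body //= 10
    return (10 - acc % 10) % 10


def valid_pin(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the correct check digit."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


def naive_guesses() -> int:
    """What an 8-digit PIN appears to offer."""
    return 10 ** 8


def checksum_aware_guesses() -> int:
    """Only one PIN in ten passes the check digit, so 10^7 are worth trying."""
    return 10 ** 7


def split_verification_guesses() -> int:
    """Worst case when the first half is confirmed separately: 10^4 guesses for
    the first four digits, then 10^3 for the three free digits of the second
    half (the fourth is the check digit)."""
    return 10 ** 4 + 10 ** 3


def pins_for_first_half(first4: str):
    """Every full PIN consistent with a first half the AP has already accepted."""
    for tail in range(1000):
        body = int(first4) * 1000 + tail
        yield f"{body:07d}{wps_checksum(body)}"


if __name__ == "__main__":
    print("12345670 valid:", valid_pin("12345670"))
    print("guesses: naive", naive_guesses(), "checksum-aware", checksum_aware_guesses(),
          "split verification", split_verification_guesses())
    print("candidates once first half 1234 is confirmed:",
          len(list(pins_for_first_half("1234"))))
```

The practical conclusion is the one in the tips below: disable WPS on business access points rather than relying on the PIN, and verify after any reset that it has stayed disabled.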
An attacker has many possible ways into a POS system, and a typical deployment contains numerous vulnerabilities. That is why it is wise to work with an independent security architect to analyze its structure and help with any redesign. Once attackers are inside your network, by whatever route, they move through it to find your credit card data, capture it and exfiltrate it, often in a single operation.
A breach damages not only your revenue and your customers but also your reputation, and frightened customers stay away. Below are some basic security tips for retailers; a security architect can tell you much more about your own system's weaknesses and how to correct them.
Retail Information Security Tips
- Wireless access points should have controls in place so that unauthorized devices cannot connect to the network. After a power outage or reset, some devices revert to defaults with security settings turned off, so check the settings regularly, and always after a reset.
- Install a separate ISP connection as a guest Wi-Fi, with a separate firewall. Do not let this network touch your retail or corporate network.
- Research POS systems to find the most secure ones. Do not run POS terminals on Windows XP or any other operating system that no longer receives security patches; every known flaw in it stays open.
- Consider working with a Qualified Security Assessor (QSA) to achieve or maintain PCI compliance, even if you are not required to use one. A good QSA can advise you on securing your network and may well save you from a breach.
- Remove old software whose databases may hold unencrypted card data, securely erase that data, and do a complete, clean reinstall of the system when you upgrade to a PCI-compliant version rather than upgrading in place over the old data.
- Conduct security awareness training throughout the year, including training for the staff who operate the front end of the POS system.
- Avoid storing credit card data unless it is absolutely necessary for your business, and never store full magnetic stripe data, the card verification code or the PIN after authorization; PCI DSS forbids it.
- Put technical controls (such as Web filtering) in place, not just a policy, to keep employees from using personal email accounts on work computers, since personal accounts are more likely to deliver phishing emails that your corporate mail filtering never sees.
- Monitor your network and your endpoints (servers, workstations and laptops) around the clock. At some point attackers will get into your network, and the sooner you spot them, the sooner you can remove them, ideally before any damage is done.
- Warn all employees who use a work email address not to click links or open attachments in emails without verifying with the sender that they are legitimate.
- Prohibit Web browsing for anything other than business purposes, as many sites are tainted with malware.
- Train employees to close their browser as soon as they finish. A browser left open keeps their logged-in sessions alive, and a malicious page or extension in any open tab can keep running and act on those sessions.
- Conduct Web application scans and penetration tests often throughout the year, and every time a change is made to your websites.
- Apply software and device patches as soon as they are available. Get them directly from the vendors' websites or built-in update mechanisms so you know they are authentic. If you do not receive automatic update notices, check at least monthly for new patches.
- Uninstall software and Web browser plug-ins you don't use. Every installed component has vulnerabilities and has to be kept patched, so the less you run, the less there is to attack.
- Conduct online banking only on a computer dedicated to financial transactions, with no email or Web browsing.
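Both the POS malware described earlier, which hunts for magnetic-stripe track data on the terminal, and the tips above about old software holding unencrypted card data and about not storing card data come down to one question: is cardholder data lying around where it should not be? The scanner below is an added example, not code from the original article. It searches a byte buffer, such as a memory dump, a database export or an old log file, for ISO/IEC 7813 Track 1 and Track 2 records and for bare card numbers, validates each candidate with the Luhn check to cut false positives, and reports only masked numbers. The sample buffer and the card numbers in it (industry test numbers) are constructed for the example.

```python
"""Find magnetic-stripe track data and bare card numbers in a byte buffer.

Added example; not code from the original article. Track layouts follow
ISO/IEC 7813; the Luhn check is the standard mod-10 check digit. The
sample buffer and its card numbers (industry test numbers) are constructed.
"""
import re
from typing import NamedTuple, Optional

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^(\d{4})[^?]*\??")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})\d*\??")
# 13-19 digits, optionally separated by single spaces or hyphens, not part of a longer run.
BARE_PAN = re.compile(r"(?<!\d)(\d(?:[ -]?\d){12,18})(?!\d)")


class Hit(NamedTuple):
    kind: str              # "track1", "track2" or "pan"
    offset: int            # byte offset in the buffer
    masked_pan: str        # first six and last four digits only
    expiry: Optional[str]  # YYMM from track data, None for a bare PAN


def luhn_ok(digits: str) -> bool:
    """Mod-10 check digit validation; rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits, which is what a report may show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(blob: bytes):
    """Return Luhn-valid track records and bare PANs found in blob, in offset order."""
    text = blob.decode("latin-1")         # lossless, one char per byte, keeps offsets
    hits, covered = [], []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(text):
            if luhn_ok(m.group(1)):
                hits.append(Hit(kind, m.start(), mask(m.group(1)), m.group(2)))
                covered.append((m.start(), m.end()))
    for m in BARE_PAN.finditer(text):
        if any(s <= m.start() < e for s, e in covered):
            continue                      # already reported as part of a track record
        pan = re.sub(r"[ -]", "", m.group(1))
        if luhn_ok(pan):
            hits.append(Hit("pan", m.start(), mask(pan), None))
    return sorted(hits, key=lambda h: h.offset)


# Constructed buffer: a slice of POS process memory followed by lines from an old log.
SAMPLE_DUMP = (
    b"\x00\x00POSAPP\x00"
    b"%B4111111111111111^DOE/JANE^25121011000000000000?"       # track 1
    b"\x00\x00;5555555555554444=25121011000000000000?\x00"     # track 2
    b"order_id=1234567890123456 total=49.99\n"                  # 16 digits, fails Luhn
    b"legacy_log: card=4111-1111-1111-1112 status=declined\n"  # fails Luhn
    b"legacy_log: card=4012 8888 8888 1881 status=approved\n"  # stored PAN, separators
)


if __name__ == "__main__":
    for h in find_card_data(SAMPLE_DUMP):
        print(f"{h.kind:6} @{h.offset:4d} {h.masked_pan} exp={h.expiry}")
```

Pointed at a memory dump of the POS process, any Track 1 or Track 2 hit means the terminal is holding full stripe data in the clear, exactly what scraping malware collects; pointed at a legacy database export or log directory, any hit is data that should not be there under PCI DSS and has to be securely erased before the old system is retired. The Luhn check does not prove a run of digits is a card number, but it discards most order numbers, timestamps and IDs that a bare digit pattern would otherwise flag.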