- Every card transaction leaves data in the retailer’s payment terminal.
- There are many malicious and counterfeit websites with fake products that are used for phishing.
Hackers targeting retail industry seem to be growing in number as the frequency of attacks in the past couple of years have also gone high. In a recent study, it was revealed that retailer have lost over $30 billion to cybersecurity attacks.
Let’s explore the various ways in which attackers target the retail sector.
Credential stuffing: Hackers purchase credentials via dark web or other sources obtained from massive breaches. They use stolen usernames and passwords and use them to hack into retailers and buy products. Chipotle faced a similar encounter earlier in 2019 where customers' credit cards racked up hundreds of dollars in food purchases.
Near field communication (NFC): Cellphones, price scanners, and card readers are easy targets for NFC-based breaches. Even malware can pass from infected phones to retail systems upon scanning a QR code, for example. However, hackers use various methods to manipulate data transfer over the distance, such as using a third device to intercept a connection between two other electronic devices. Also, eavesdropping on devices opens up an opportunity for adversaries to gain credit cards and other payment information.
RAM scraping: Hackers use this technique to enter point-of-sale (PoS) software. Every card transaction leaves data in the retailer’s payment terminal. Threat actors take their shot by implanting PoS malware that reads this input before it disappears. It should be noted that text strings containing credit card information can remain in a retailer’s database for seconds, minutes, or hours.
Magnetic strip reader: Crooks do not always have to break into systems of their potential targets to obtain credentials. Magnetic strips on credit and debit cards also do the job for them. Attackers can easily glean data from a single card swipe including card number and PIN. This information is further used or sold in large numbers to make a profit. Due to this, many card issuers have replaced their magnetic strips with chips. Chips create a unique code that is only used for a single purchase.
Social engineering: Lastly, the oldest but the best bet for hackers is social engineering. Social engineering in pre-internet days would be an unidentified person dressing like a staff and entering the premises to access private information. But today, there are many malicious and counterfeit websites with fake products that look too good to be true. When a target enters their personal information, they simply end up losing control over their data. Watering hole attack strategy is a similar technique to target a chosen group by infecting the websites they frequently visit.
The bottom line
Though no system is entirely secure, you can always build a solid foundation by encrypting point-of-sale, card systems, and processors first. Organizations can also leverage threat intelligence to know about imminent threats in their sector. And, training employees to bring cybersecurity awareness across the organization is also important.