Preventing many data breaches at retail via basic controls seems so easy, it’s almost embarrassing.
Verizon’s 2014 Data Breach Investigations Report noted that 94 percent of all security incidents in 2013 can be traced to nine basic attack patterns that vary from one industry to another. Often a simple control, such as some form of password protection, can deter many security incidents. So, too, can a limit on the number of access attempts allowed before an account is locked out.
Verizon’s security team has compiled 10 years of data-breach analytics. This is the seventh year that the team has published its data findings.
According to Suzanne Widup, managing principal and senior analyst on Verizon’s Security Services team, the latest survey includes data from 50 data-sharing partners. That’s up from the 18 who contributed in 2013 and just five in 2012. As for other metrics, the most recent report analyzes 1,367 confirmed data breaches and 63,437 reported security incidents. Over the 10-year period, there have been more than 3,800 confirmed breaches across all types of industries.
In retail, the most common attack patterns are point-of-sale intrusions, Web application attacks and payment card skimmers, Widup said.
The Verizon study noted that there were 467 security incidents last year in the retail industry, with 148 of those incidents resulting in confirmed data loss.
In general, last year POS intrusions accounted for just 14 percent of incidents, compared with Web application attacks at 35 percent. That’s compared with POS intrusions at 31 percent during the years 2011 to 2013 and Web application attacks at 21 percent. Card-skimmer breaches were down to 9 percent last year versus the 14 percent level between 2011 and 2013. That makes Web application attacks the new “hot spot” for the retail industry. Other threat patterns less common in retail include crimeware, the forms of malware aimed at gaining control of systems; insider-privilege misuse, such as access to passwords; cyberespionage; physical theft-loss; denial-of-service attacks that compromise a network, and miscellaneous errors, such as sending an e-mail to the wrong person.
Widup noted that the measures that deter breaches include the use of passwords that are hard to guess, double password access, limits on the number of attempts at access to a password-protected site, restriction of remote access, and having a plan in place in the event of an attack, as well as the testing of that response plan. Using antivirus software to guard against malware also helps.
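The attempt limit Widup describes is easy to get subtly wrong (locking only after the password has already been checked, or never expiring the lock). The following is an added example, not code from the Verizon report or from WWD, of a small lockout policy wrapped around a password check: the lock is consulted before the credential is evaluated, failures are counted inside a sliding window, and the lock expires on its own. The thresholds, account names and the login stream are constructed for the demonstration.

```python
"""Added example: account lockout after repeated failed logins (constructed data)."""
import hashlib
import hmac
import os
from collections import defaultdict

MAX_FAILED_ATTEMPTS = 5        # assumption: lock after 5 failures ...
ATTEMPT_WINDOW_SECONDS = 300   # ... occurring within 5 minutes ...
LOCKOUT_SECONDS = 900          # ... and keep the account locked for 15 minutes
PBKDF2_ROUNDS = 100_000        # kept modest for the demo; use a higher cost in production


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(stored, password):
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class LockoutPolicy:
    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS,
                 window=ATTEMPT_WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(list)   # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time the lock expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:                     # lock expired: clear state and allow attempts again
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_attempt(self, account, success, now):
        """Update counters after a credential check; returns 'ok', 'failed' or 'locked'."""
        if success:
            self._failures[account].clear()
            return "ok"
        recent = [t for t in self._failures[account] if now - t < self.window]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout
            return "locked"
        return "failed"


def login(policy, users, account, password, now):
    """Check the lock first so a locked account yields no information about the password."""
    if policy.is_locked(account, now):
        return "locked"
    stored = users.get(account)
    success = stored is not None and verify_password(stored, password)
    return policy.record_attempt(account, success, now)


# Constructed user table and login stream (account, password tried, seconds since start).
USERS = {
    "pos-terminal-07": hash_password("c0rrect-horse-battery"),
    "back-office": hash_password("another-long-passphrase"),
}
SAMPLE_ATTEMPTS = [
    ("pos-terminal-07", "Welcome1", 0),
    ("pos-terminal-07", "password", 1),
    ("pos-terminal-07", "123456", 2),
    ("pos-terminal-07", "admin", 3),
    ("pos-terminal-07", "letmein", 4),                  # fifth failure: account locks
    ("pos-terminal-07", "c0rrect-horse-battery", 10),   # right password, but still locked
    ("back-office", "another-long-passphrase", 11),     # other account is unaffected
    ("pos-terminal-07", "c0rrect-horse-battery", 904),  # lock has expired
]


def simulate(attempts=SAMPLE_ATTEMPTS, users=USERS):
    policy = LockoutPolicy()
    return [login(policy, users, acct, pw, t) for acct, pw, t in attempts]


if __name__ == "__main__":
    for (acct, _, t), status in zip(SAMPLE_ATTEMPTS, simulate()):
        print(f"t={t:>4}s {acct:<16} {status}")
```

Unknown account names are counted as failures too, so the lock behaviour does not reveal which account names exist. A production version would persist the counters outside the process and also rate-limit by source address, since an attacker who spreads guesses across many accounts never trips a per-account counter.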
“A lot of times, criminals go after the easy stuff, where basic controls just aren’t in place,” Widup said.
Nowhere is that more evident than in POS retail breaches — including brick-and-mortar, accommodation and food services — where card-present purchases are made.
In many instances, perpetrators gain easy access because there is no password protection, or because weak or default passwords are in use. In some cases where franchisees of the same vendor were breached, stolen vendor credentials affected every group managed by the same vendor system, since they all used the same password. In other instances, the POS intrusion was on a nondedicated machine that was open to the entire Internet, including social-media sites and corporate e-mail accounts.
While last year’s retail data breaches include attacks on the systems at Neiman Marcus Group and Target Corp. — where at least 40 million to as many as 70 million consumers who shopped at the discounter between Black Friday and Dec. 15 had their personal data stolen — the number of POS intrusions has been trending down, Widup said.
“We’ve been seeing fewer incidents. Some of the incidents that happened include a high number of cards being compromised, but the actual number is trending down,” said Widup, who explained that there actually have been fewer attacks involving small businesses or franchises.
In 2013, there were nearly 200 incidents involving POS intrusions, with RAM-scraping malware used 85 percent of the time as the primary tool to capture data. According to the Verizon report, RAM scrapers allow payment card information to be grabbed while being processed in memory, where it is unencrypted, versus being stored on a disk, or processed in transit across a network where encryption is presumed to be in place.
In the case of Web application attacks, the primary aim when the retail industry is targeted is payment-card information. These attacks occur when someone accesses the site and its data without proper credentials. While validating inputs is one way to deter hacks, enforcing lockout policies and monitoring outbound connections also can help. The survey noted that if a server has no reason to send data to a particular geographic location, such as Eastern Europe, then the business should lock down the Web server’s ability to do so.
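The outbound-connection check described above can be reduced to a simple rule: a Web server's egress should be compared against the short list of destinations it has a business reason to reach. The following is an added example, not from the Verizon report or WWD, that runs such a check over a handful of constructed outbound-connection log lines. The log format, the IP-to-country table (documentation address ranges standing in for a real GeoIP database) and the allowlist are all assumptions made for the demonstration.

```python
"""Added example: flag outbound connections to countries a Web server should not reach."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (not real traffic). Format: time host OUT src -> dst bytes=N
SAMPLE_LOG = """\
2013-11-28T03:14:07Z web01 OUT 10.0.0.5:44312 -> 203.0.113.10:443 bytes=1184
2013-11-28T03:14:09Z web01 OUT 10.0.0.5:44313 -> 198.51.100.22:443 bytes=2210
2013-11-28T03:15:41Z web01 OUT 10.0.0.5:44390 -> 192.0.2.77:8080 bytes=524288
2013-11-28T03:16:02Z web02 OUT 10.0.0.6:51002 -> 203.0.113.10:443 bytes=990
2013-11-28T03:17:55Z web01 OUT 10.0.0.5:44401 -> 192.0.2.77:8080 bytes=786432
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) OUT (?P<src>\S+) -> "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) bytes=(?P<bytes>\d+)$"
)

# Constructed IP-to-country table; a real deployment would query a GeoIP database.
# "ZZ" stands for any country the server has no business reason to talk to.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),   # assumed payment processor
    (ipaddress.ip_network("198.51.100.0/24"), "US"),  # assumed CDN / API partner
    (ipaddress.ip_network("192.0.2.0/24"), "ZZ"),
]

# Assumption: these Web servers only ever need to reach services in the United States.
ALLOWED_COUNTRIES = {"US"}


def country_for(ip):
    """Longest-match-free lookup is fine here because the constructed table has no overlaps."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"   # unknown: treated as not allowed


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dst_port"] = int(rec["dst_port"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_unexpected_egress(log_text=SAMPLE_LOG, allowed=ALLOWED_COUNTRIES):
    """Return every outbound connection whose destination country is outside the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue            # malformed line; a real pipeline would count these too
        rec["country"] = country_for(rec["dst_ip"])
        if rec["country"] not in allowed:
            alerts.append(rec)
    return alerts


def bytes_by_destination(alerts):
    """Aggregate flagged volume per (host, destination IP): sustained volume is what
    distinguishes card-data exfiltration from a stray lookup."""
    totals = defaultdict(int)
    for rec in alerts:
        totals[(rec["host"], rec["dst_ip"])] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    flagged = find_unexpected_egress()
    for rec in flagged:
        print(f"{rec['ts']} {rec['host']} -> {rec['dst_ip']}:{rec['dst_port']} "
              f"country={rec['country']} bytes={rec['bytes']}")
    for (host, dst), total in bytes_by_destination(flagged).items():
        print(f"total {host} -> {dst}: {total} bytes")
```

Detection of this kind is only half of the control the survey recommends; the same allowlist should be enforced at the firewall as a default-deny egress rule, so that a connection to an unlisted destination is refused rather than merely logged.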
While payment-card skimmers still rely on physically implanted devices to read the magnetic stripes on cards, the criminals no longer have to retrieve the physical devices to collect the data. That data is now retrieved via Bluetooth and cellular connections. Moreover, skimming devices with built-in SIM cards that allow for remote configuration, as well as remote uploading of data, can be bought online, the survey noted.
Widup said businesses can decrease the criminals’ chances of success by purchasing tamper-resistant terminals, by using tamper-evident controls such as an alert sent out when a device is tampered with or visual monitoring of the devices, and by monitoring for signs of tampering.