WASHINGTON — Cyber-criminals are becoming more sophisticated in their attacks against retailers, targeting point-of-sale systems with more advanced malware and developing new techniques to breach systems and steal valuable customer data.
But retailers are also stepping up their defenses, developing stronger mechanisms to thwart attacks in the store and online, while also intensifying collaboration among themselves and with state and federal law enforcement agencies.
That was the message delivered by cyber experts in the retail arena at a forum cohosted by the National Institute of Standards and Technology and the National Cybersecurity Center of Excellence on Thursday, which focused on the challenges retailers face and the steps they have taken to curb the threat and minimize the damaging effect of cyber attacks.
The forum comes at a time of heightened concerns over cyber attacks, following major breaches over the last few years at stores such as Target, Neiman Marcus and Home Depot, not to mention breaches at federal government agencies.
Troy Leach, chief technology officer at PCI Security Standards Council, said one of the most significant challenges facing retailers is the focus by criminals on POS systems.
“The criminal techniques themselves are becoming much more sophisticated. We are starting to see a revisit of some malware attacks that were very prevalent in 2010, 2011,” he said. “They are learning from us; they are taking our security best practices and they are turning it into their game,” he said. “They are starting to use point-to-point encryption in order to encrypt the stealing of that cardholder data.”
Leach said he is also starting to see more attacks in the “cloud” space.
“It’s very hard to find that footprint there and criminals are becoming very good at removing any discovery of what they’ve been doing in the past,” Leach said.
The point-of-sale malware that has been developed in the last two to three years is also a growing concern.
Leach said in the third quarter of this year alone, one of the more prominent types of malware known as “Cherry Picker” has proliferated, as well as other malware kits.
“There are more than 2.5 million of these that are open and active on retail sites in the U.S. alone,” he said.
“In the breaches in 2013 and 2014, there were a lot of attacks around memory-scraping malware,” he added. “That has become a crucial issue for us. It is very hard to protect against once that type of malware gets into the system. And we are doing things in the payment space to protect against it.”
Tom Litchford, vice president of retail technology at the National Retail Federation, said the breaches that have occurred at retail in the past couple of years have “morphed into advanced malware threats.”
“The actual malware you see going on in the industry right now is malware that is memory scrapers sitting in [POS] terminals,” Litchford said.
When a customer swipes or dips a card (with a chip), the card data passes through the terminal and the network in a form that hackers can retrieve.
He noted that in a recent NRF survey 80 percent of retail members said they will have point-to-point encryption in place, meaning they will encrypt the data at the point a credit or debit card is swiped or dipped.
“Our biggest challenge is to totally eliminate that threat surface and make the data at the [POS] terminal worthless [to criminals],” Litchford said. “You can steal all day long but as long as it is encrypted, you won’t be able to use it.”
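A toy model of the point-to-point encryption Litchford describes, added here as an example and not code from the article or from any organisation quoted in it: track data is sealed with AES-256-GCM inside the read head, the POS application between reader and acquirer only ever holds the ciphertext, and the key and the test-range card record are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Key held only by the read head and the acquirer's HSM, never by the POS software (constructed).
var p2peKey = bytes.Repeat([]byte{0x42}, 32)
var p2peAEAD = aeadFor(p2peKey) // AES-256-GCM under that key, built once

// aeadFor builds AES-GCM for a key; a bad key is a provisioning bug, so it panics.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// encryptAtReadHead seals track data inside the reader: the POS only ever sees nonce || ciphertext || tag.
func encryptAtReadHead(track []byte) ([]byte, error) {
	nonce := make([]byte, p2peAEAD.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return p2peAEAD.Seal(nonce, nonce, track, nil), nil
}

// decryptAtHost is the acquirer-side counterpart; a truncated or tampered blob is rejected, not partially decrypted.
func decryptAtHost(blob []byte) ([]byte, error) {
	ns := p2peAEAD.NonceSize()
	if len(blob) < ns+p2peAEAD.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	return p2peAEAD.Open(nil, blob[:ns], blob[ns:], nil)
}

// exposesPAN asks what a memory scraper on the POS would: does the plaintext PAN appear in the buffer the app held?
func exposesPAN(buf, pan []byte) bool {
	return bytes.Contains(buf, pan)
}
```

The plaintext track record fails the exposesPAN check while the sealed blob passes it, which is the "worthless at the terminal" property the quote refers to; the acquirer still recovers the record, and a flipped tag byte or truncated blob is rejected.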
Another significant challenge confronting retailers is third-party vendors that have been targets of cyber criminals in some cases.
“For large companies, third parties are one of the chief vulnerabilities,” said Nicholas Ahrens, vice president of privacy and cybersecurity at the Retail Industry Leaders Association. “When you have more than 10,000 third-party vendors, you have to make sure that they have the appropriate access at the appropriate time in the appropriate way and at the scale we are talking about.
“You want to bring in cool, innovative technology into your company, but at the same time you have to figure out how to evaluate them and their relative risk,” he added.
He said there are new companies developing strategies to detect problems.
“They are evaluating what kinds of problems that companies may be having [such as] botnet infections — there is a huge correlation between the amount of botnet infections that you have and your susceptibility to breaches.”
Another critical issue in the fight against cyber attacks is retaining talent, he noted.
“It is incredibly difficult to retain talent,” Ahrens said. “It is a huge problem across the sector. Companies are looking at turnover of their entire teams over the course of two years and almost constantly.”
Retailers have also stepped up efforts to fight the growing cyber threats and attacks.
RILA and NRF last year joined with other associations to form a cyber-security partnership with the financial services industry to increase information-sharing among companies.
An area of focus was developing stronger ties between retailers and the financial services industry’s information-sharing mechanism, the Financial Services Information Sharing and Analysis Center, or FS-ISAC. Launched by the financial services sector in 1999, FS-ISAC eventually developed into a public-private program for sharing information about physical and cyber-security threats and vulnerabilities, aimed at helping protect U.S. critical infrastructure.
Developing more secure technologies is also a top priority. The partnership has highlighted the development of new systems that will “transmit payment data in a way that is unique and dynamic to reduce the risks.”
“It’s not natural for retailers to work together because there is so much competition between retailers,” Ahrens said. “But we founded an organization for the retail industry that shares information and that is a huge step for our industry.”
Ahrens also pointed to the transition retailers have been making to Europay, MasterCard and Visa (EMV) technology. Credit and debit cards now contain embedded and encrypted chips that are designed to provide another layer against fraud, although there has been controversy around how secure the cards are without the use of personal identification numbers (PINs), which are widely used in Europe.
“We’re investing $8.6 billion in the EMV transition. That, from a technological standpoint, is a huge upgrade from where we are now,” Ahrens said. “We recognize there are better technologies out there but the problem is one of volume. The vast majority of people are still using cards and some people still use checks.”