Cyber security threats are a rising concern for retail companies as they increasingly adopt self-checkouts through Apple, Google Pay or other payment platforms. Since 2005, retailers have seen over 10,000 data breaches, mainly due to flaws and vulnerabilities in payment systems.
Point of sale (POS) systems often utilize a plethora of external hardware, software, and cloud-based components.
“At minimum, retailers must ensure that their contracted party complies with them and will observe the same security compliance requirements that the company itself has. There are numerous opportunities for a cybercriminal to take advantage of the system, whether this be at the source of the vendor providing the solution or when the technology is deployed onsite. Exploiting a vulnerability in the software used on POS devices (or even in the back-end cloud services) could allow a cybercriminal to deploy malware on the POS device. This would further enable them to harvest financial data, inflict a malware attack such as ransomware or to use the device to connect to other internal systems,” said Tony Anscombe, Chief Security Evangelist at ESET.
Cyber-attacks’ effects on retailers may include hefty fines, penalties, data loss, financial losses, and reputational damage.
There are also security threats that users face when using IoT devices in retail. Over 84 percent of organizations use IoT devices. However, fewer than 50 percent have taken solid security measures against cyber-attacks. For instance, most organizations use the same passwords for a long time, which increases their exposure to brute-force attacks, enabling hackers to steal and manipulate data.
IoT devices can be used to track customers’ movements and purchase histories, and hackers could potentially gain access to this data. Additionally, customers could be at risk of being scammed when using payment platforms such as Apple Pay. These scams can take many forms, such as fake apps that steal personal information or websites that trick customers into entering their credit card details.
“The introduction of these new payment mechanisms signals the beginning of a new technology adoption cycle. From the security point of view, this is when things are typically the most vulnerable. What’s more, connected devices that drive this transformation are already considered the weakest link in other much more mature deployment scenarios. I believe that in retail, just like in other industries, we will see these devices being exploited to gain persistent network presence, expose sensitive data, run digital scams, and more. And even if the new devices are extremely secure themselves – and this is a big IF – they are still being introduced into an environment full to the brim with legacy IoT, which can be used to circumvent their own defenses. Looking at things from the bad actors’ perspective, what we have here is a massive expansion of the attack surface – one which adds many new high-value “opportunities” to what was already a target-rich environment,” said Natali Tshuva, the CEO and cofounder of Sternum, a code-free, device-resident IoT security, observation, and analytics company.
Each IoT device has its own software supply chain inside. This is because the code that runs the device is actually a combination of several closed and open source projects. As such, one of the most immediately present threats is the exposure of clients’ sensitive or even personal information through cyber fraud. “This is different from other digital scams, like phishing and other types of social engineering,” said Tshuva.
“Here the target won’t have an option of preventing the attack through vigilance or even suspecting that something is happening – certainly not until it’s too late.”
“We surround ourselves with connected devices, but they are ‘black boxes’ to us and we never really know – or have ways of knowing – what’s really going on inside.”
According to Tshuva, “most IoT devices today already run on code from several (maybe a few dozen) different software providers, some of whom you’ve never heard of. Usually, these 3rd-party components are the ones in charge of encryption, connectivity, and other sensitive functions. And even the operating system could be a mix of several different OSs baked together.”
“This exposes one of the major challenges of IoT security which, again, goes back to the idea of expanding the attack surface. Because with every device you introduce to the system, what you are actually adding is a code concoction from several software providers, each one with its own vulnerabilities to pour into the mix,” Tshuva concluded.
Retailers need to take a number of steps in order to protect themselves and their customers from cyber security threats. They should ensure that their systems are up to date with the latest security patches, and they should also have a comprehensive security plan in place. Employees should be trained in how to identify and respond to security threats, and customers should be made aware of the risks of using IoT devices in retail.
“As retailers adopt IoT for location surveillance of their customers, they build rich datasets about the movements and purchasing habits of consumers. These records create a data trail that must be guarded very carefully as purchasing information coupled with movements can reveal extremely private habits. We have seen a myriad of targeted attacks on retailers at the point of purchase and, if this can be coupled with the path that customers take through a store, a mall, or even across cities and continents, consumers will have strong recourse for damages against retail chains,” said Sean O’Brien, founder of Yale Privacy Lab.
To understand the threats, organizations need to recognize that when retail businesses adopt digital solutions, they are adopting software-dependent solutions and increasing the attack surface available to cybercriminals.
“What used to be a mechanical cash register is now a “smart” point of sale that processes and collects customer payment information, making them a desirable target. These systems are frequently connected to a greater e-commerce solution like online shops/billing/inventory, etc., which might make them an entry point to more critical systems. Being dependent on smart solutions, retail businesses also find themselves susceptible to ransomware and denial-of-service attacks that block their ability to make transactions. Also, the PoS devices, being little computers, can be used in large botnet attacks,” said Maty Siman, CTO and founder of Checkmarx.
E-commerce companies use many different vendors for their processes. From hardware and software to operations and financial services, all vendors use more third-party software and components that, in turn, are also dependent on third-party components.
“If a malicious actor can exploit or introduce a “backdoor” to any component along the way, they are essentially getting access to the finalized solutions that can be found later in retail businesses. When everything relies on software these days, the reliance on open-source software intensifies these issues,” said Siman.
According to Siman, the education of employees on security best practices is essential. “Data needs to be backed up regularly, and retailer users should use strong passwords and MFA. The network used for transactions needs to be isolated from other networks, and the devices and their software need to be regularly updated and patched.”
Humans are still the most prominent threat, says Sean Tufts, IoT/OT security leader at Optiv. “Having fewer employees or face-to-face interaction at the point-of-sale and/or checkout leads to more physical theft, but it also opens these retailers up to more tampering by savvy threat actors looking to take advantage of a store’s trust. The more these machines are left unattended, the more interfaces can and will be manipulated, e.g. skimmers installed and ports accessed.”
Source: https://www.forbes.com/sites/dennismitzner/2022/09/14/self-checkouts-iot-and-the-rise-of-retail-cyber-security-threats/