How Cyberattacks Can Still Threaten Physical Stores
Security has long been an important consideration for retailers, with many relying on CCTV cameras and human security guards to protect their goods.
However, this only provides a defense against theft taking place in person. Although brick-and-mortar stores may feel that robust physical defenses offer all the protection they need, the truth is that physical stores are increasingly becoming targets for cyberattacks.
The rise of e-commerce - with online sales now predicted to exceed $6.3 trillion globally this year - may have lulled physical retailers into a false sense of security, but reports of stores being impacted by cyberattacks are not hard to find. Retail is one of the industries most vulnerable to cyberattacks, facing 10.7% of all attacks last year. It’s important to remember this includes physical stores as well as e-commerce sites.
Physical Stores' Vulnerability to Cyber Threats
Retailers have access to a treasure trove of sensitive information that cybercriminals are eager to get their hands on. Everything from payment details to customer contact information is potentially up for grabs.
Typically, hackers have targeted the retail sector by finding vulnerabilities within websites and e-commerce platforms. This is no longer strictly the case. In the UK, for instance, hackers have discovered ways of infiltrating in-store hardware to reach the networks and systems behind it. This is what happened recently when the UK toy, book, and stationery retailer, The Works, was forced to close several stores after discovering a problem with its cash registers - likely the result of “unauthorized access to its computer systems.”
The reason why many more physical stores are vulnerable to cyber threats today is that retail outlets often make use of digital technologies throughout. Perhaps they have invested in POS systems, personalized shopping experiences, self-checkout tools, or VR showrooms. These technologies can greatly enhance the shopper’s experience, of course, but they may also provide a viable method for a cyberattack.
Types of Cyberattacks Affecting Physical Stores
Just as e-commerce providers and many other kinds of online businesses must guard against a wide variety of threats, physical retailers also face several different kinds of exploit.
One of the most common threats that brick-and-mortar retailers face is a point-of-sale (POS) system attack. This exploit uses specially designed malware to steal customer data, particularly from electronic payment cards. Experts have speculated that this was the method used in the attack that compromised The Works’ physical stores.
POS breaches are not the only type of cyberattack that retail managers need to guard against, however. Vectors for attack can be found in many places - both inside and outside physical stores. For example, retailers must be vigilant against supply chain attacks, particularly if they provide third-party vendors with access to their critical systems and sensitive information.
Even digital technologies that may initially appear somewhat mundane could represent a profitable route into a retailer’s network for cyber attackers. This is what occurred in the 2013 hack of US retailer Target, where hackers stole network credentials by targeting the store’s heating, ventilation, and air conditioning systems.
It should also be remembered that physical stores are populated with real human beings facilitating customer transactions. It’s essential that these employees receive regular cybersecurity training to ensure they are able to identify and report suspicious activities, including tampering with POS terminals and phishing attempts.
POS System Breaches: A Major Threat
Although it’s true that physical stores must defend themselves against a variety of threats, POS system breaches are potentially one of the most damaging. For instance, the largest POS attack ever recorded took place in 2014 and affected US home improvement retailer Home Depot. The attack allowed hackers to steal over 50 million credit card numbers and 53 million email addresses over a five-month period.
POS System Vulnerabilities Explained
Whenever a customer swipes their card at a retailer, data is captured and transferred to the POS terminal, where it is encrypted and sent to the retail server. The data is then decrypted before being re-encrypted and sent to the payment gateway. The process is replicated when the data is subsequently sent to the customer’s bank. When everything is running smoothly, POS systems allow customers to carry out fast, convenient retail transactions, without any of their data being exposed. Unfortunately, things don’t always run smoothly.
Within POS systems, misconfigurations and security defects can mean that sensitive information is exposed to cybercriminals. Hackers may infect POS systems with malware that infiltrates the networks to look for unencrypted cardholder data. They can then sell this information on the dark web or use it to create virtual credit cards to purchase goods or transfer money in the cardholder’s name.
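One defensive check for the exposure described above, as an added example that is not part of the original article or any vendor's tooling: a Python scan of POS or server log lines for cleartext card numbers, using a Luhn checksum to discard order IDs and other long numbers. The function names and sample log lines are constructed for illustration, and the card numbers are widely published test values.

```python
import re

# 13-19 digits, optionally split by single spaces or hyphens (how PANs often appear in logs).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: filters out order IDs and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep the first six and last four digits so the report does not re-leak the number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_cleartext_pans(lines):
    """Return (line_no, kind, masked_pan) for every Luhn-valid card number found."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(digits):
                continue
            # ";PAN=" is magnetic-stripe Track 2 framing: raw swipe data was logged.
            before = line[m.start() - 1] if m.start() else ""
            after = line[m.end():m.end() + 1]
            kind = "track2" if (before == ";" and after == "=") else "pan"
            findings.append((line_no, kind, mask(digits)))
    return findings

# Constructed sample log lines (hypothetical host and field names).
SAMPLE_LOG = [
    "2024-03-01T10:15:02Z pos-07 INFO sale ok order=1234567890123456 amount=19.99",
    "2024-03-01T10:15:03Z pos-07 DEBUG card=4111 1111 1111 1111 exp=12/25",
    "2024-03-01T10:15:04Z pos-07 DEBUG swipe=;5555555555554444=25121010000?",
    "2024-03-01T10:15:05Z pos-07 INFO auth token=tok_9f2c approved",
]

if __name__ == "__main__":
    for finding in find_cleartext_pans(SAMPLE_LOG):
        print(finding)
```

Any finding means cardholder data is being written in the clear somewhere between the terminal and the payment gateway; a `track2` finding means full swipe data reached the log.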
Aside from POS systems providing opportunities for hackers to inject malware, there are other vulnerabilities to be aware of. Retailers might store the POS encryption data in the same locations as their customer data or use default passwords that are easily compromised.
Skimming is another exploit to watch out for. This is where malicious actors insert a small, barely visible device into a retailer’s card reader. The device captures a customer’s card data as it is swiped before wirelessly transmitting it to the hackers. Another potential issue stems from POS systems relying on outdated operating systems. These represent a threat to retailers because the hardware’s security may no longer be supported by the manufacturer, meaning updates that could patch vulnerabilities won’t be issued.
Altogether, there is a range of vulnerabilities that cyberattackers can exploit to gain illicit access to POS systems. Once this has been achieved, whether the breach is known or remains undetected, cyberattackers are able to harvest a huge amount of financial data.
Examples of POS System Breaches and Their Impacts
Retailers have had to deal with POS system breaches for a number of years now. Aside from the aforementioned POS cyberattacks that have caused disruption for The Works, Target, and Home Depot, there are many other examples of cyberattackers employing this method to steal sensitive information.
POS system breaches can affect businesses large and small. According to Verizon, in a single year, more than 500 POS breaches took place in the retail industry, with the vast majority leading to the disclosure of sensitive information. The impacts of these attacks were wide-ranging.
As with other cyberattacks, POS system breaches can be hugely disruptive, forcing physical stores to close and damaging customer trust. In addition to the financial impact caused directly by lost sales opportunities, POS breaches can cause additional damage as a result of fines that may be issued by regulators for any compliance failures that contributed to the disclosure of sensitive customer information. Worse still, the reputational damage that may arise as a result of a POS breach could cause long-term financial damage that may be difficult to quantify and even more difficult to recover from.
Safeguarding the Digital
Managing a physical retail outlet doesn’t mean you aren’t at risk from a cyberattack. Most brick-and-mortar stores utilize a range of digital solutions - and each one presents an opportunity for cyber attackers.
POS systems are perhaps the best-known example of the ways physical stores can become targeted by hackers. But they are not the only ones. That’s why physical stores need to regularly assess their networks for vulnerabilities. Today, research indicates that an overwhelming 98% of applications in the retail industry contain security vulnerabilities.
The volume of sensitive customer data that retailers collect and store makes them attractive targets for cybercriminals. Even in a physical store, there are various touchpoints where this data could be intercepted by attackers. Every digital asset, whether a customer loyalty scheme database or a POS system, could be breached.
To prevent cyberattacks from disrupting their physical stores, retailers need to have a clear understanding of all the digital assets within their supply chain and the connections between them. At Hadrian, our solution provides real-time vulnerability scanning for all your assets - not just your e-commerce platform.
We understand that the retail sector is fast-moving and it can be easy to forget that your (seemingly old-fashioned) physical assets are just as likely to be targeted by cyberattackers as your online ones. That’s why our solution ensures there are no blind spots when mapping your store’s attack surface.