Chapter 12


Beefing up security

The retailer is highly dependent on the security practices of the customer, leaving them over-exposed. But, it is possible to create a better balance, if the retailer takes proactive measures to secure customer data. We take a look at the changing data landscape and how the retailer can proactively manage this aspect of the customer relationship.

I sat down with the team at Pen Test Partners to find out how retailers should start thinking proactively about security threats. Pen Test Partners provides security testing, consultancy and training to businesses. To find out more about them, visit: www.pentestpartners.com.

Online retailing has seen a strange dichotomous relationship emerge between the seller and the customer. The retailer has more data at their disposal, can build a closer, longer-lasting relationship with the customer and can leverage this to create cross-sales opportunities. But the reverse side of this sees the retailer exposed and reliant upon the customer to protect that relationship by observing security best practice. Changes in customer buying habits, the emergence of the Internet of Things (IoT) and an imminent escalation in data generation means online retailers should act now to improve their data security practices. We will specifically look at:

  • managing data over multiple touchpoints;
  • the security impact of the IoT paradigm;
  • responsible retailing and the need to provide security advice, channels to report issues and processes to update products and services to create a responsive retailing experience.

Key findings

  • The omni-channel retail model and the ramifications for data security.
  • The IoT and the problem posed by connected data.
  • Customer care and the need to get security smart.

The advice

At first glance, data breach statistics suggest that the retail sector is performing well in mitigating data breaches. Globally, the Breach Level Index (BLI) states that the retail sector saw a decrease (down 93 per cent) in the number of stolen records compared to the previous year, with the total number of records affected standing at 40.1 million, or just under 6 per cent of all stolen records.1 The 217 data breaches in the industry accounted for 13 per cent of the total number of breaches worldwide in 2015. Therefore, even though statistically there were more breaches in 2015, the number of records stolen was down dramatically in the same period.

In the UK, data breach incidents seem to have plateaued, with the retail sector coming in fifteenth place out of the 43 industries analysed by the Information Commissioner’s Office (ICO) in the Data Breach Audit 2015.

Yet, the statistics tell a different story when the data breaches are analysed by type. The BLI survey found identity theft accounted for 53 per cent of all data breaches, followed by financial access (22 per cent) and account access (11 per cent). These three causes all relate to the online retail experience. In the future, identity theft or unauthorised account access could see information obtained that could then facilitate an attack against an online retailer.

Omni-channel access and social media data leakage

The omni-channel world has enabled the consumer to conduct purchases over any touchpoint (mobile, PC, laptop, tablet, wearables) and this is seeing an increase in the take-up of mobile purchasing. According to the PricewaterhouseCoopers (PwC) ‘Global Total Retail Survey 2016’, 34 per cent of those surveyed believed their mobile phone would become their main tool through which to purchase items going forward.2 This raises the issue over whether the apps being developed for mobile purchasing are robust enough.

The Tinder premium app, for instance, was recently exposed as being easy to reverse-engineer and recompile, allowing fraudsters to use premium services for free.3 Then there is the danger posed by mobile payment processing itself. The Starbucks mobile app can be used to pay for purchases in store and can top up the ‘wallet’ in the app by drawing funds direct from PayPal or bank accounts. This had profound implications when the app was hacked, with Starbucks’ customers seeing funds siphoned from their bank accounts.4

The threat posed by mobile purchasing can be mitigated by better security design and testing. When developing a mobile app, the retailer should:

  • decide on the security approach and use this to develop a scope of work or a specification which includes the correct controls;
  • examine frameworks like OWASP, NIST, SANS and others that detail what good security is and how it should be approached. Ask to see the secure application development lifecycle;
  • look to see if the developer uses source code control, practices peer code review and performs unit testing;
  • if using a hosted managed solution, look at the security provisions. If there is IDS/IPS, look at how logs are monitored and reacted to;
  • consider app security as an ongoing process, making regular security testing a must.

Other media sources are also increasingly influencing purchase decisions. Customers are no longer simply looking to compare prices but also want to use recommendations and user experiences to inform their choice. The same PwC survey found 45 per cent of respondents worldwide (33 per cent in the UK) use reviews, comments and feedback from social media sites to influence their online shopping.

The role of social media in the shopping experience can expose the retailer, however. Users often take to social media, such as Twitter or Facebook, to publicise their purchase, post an online query or vent their frustrations. They may use a common hashtag or even write a post directly on the manufacturer’s social media company page. The savvy attacker who is aware of a product vulnerability can use this information to identify potential targets and then use directory sites and geolocation applications to physically locate the victim.

A recent investigation into the Smarter iKettle found the device could be used to steal WPA PSKs, enabling the attacker to compromise the router and DNS before stealing other details, such as email and account logins. Twitter users who tweeted about the kettle to @wifikettle could be identified, even down to whether they used Android or Apple iOS, and that information used to determine where they lived. (The Android-configured kettle is much less secure than the iPhone-configured version, and cracking its PIN should take, on average, four hours, so this information would be key to an attacker.)

Protect the password to protect the data

Customers often reuse passwords for multiple sites and presume that it is down to the site owner to ensure that password is kept secure. For the retailer, a reused password increases exposure to attack exponentially. In effect, the security measures adopted by the responsible retailer are only as effective as the security provisions made by the least secure site where that password is used.

There are numerous cases of stolen password hashes, obtained from less secure sites, being cracked and then reused against other sites. The retailer can take a proactive stance against this by using sites such as http://haveibeenpwned.com to collate breach data that has been dumped publicly (an API is available that can make the process easier). If the hashes have already been cracked and published, it is also possible to run the plaintext through the retailer’s website’s own hashing/salting process to verify if the password has, indeed, been reused.
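The reuse check described above, as an added example (not code from the chapter or from Pen Test Partners): a constructed customer store using salted PBKDF2 hashes, which is an assumption about the retailer's "hashing/salting process", and a constructed list of already-cracked plaintexts from a third-party dump. Only accounts whose leaked plaintext verifies against the stored hash are flagged for a targeted reset.

```python
"""Check cracked breach plaintexts against the retailer's own stored hashes."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: PBKDF2-HMAC-SHA256 with a per-user random salt


def hash_password(password: str, salt: bytes) -> bytes:
    """Run a candidate password through the site's own hashing/salting process."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(email: str, password: str) -> dict:
    """Constructed account record as the retailer's database would hold it."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


# Constructed retailer accounts (plaintexts exist only to build the sample store).
USERS = [
    make_user("alice@example.com", "Summer2015!"),
    make_user("bob@example.com", "correct horse battery staple"),
    make_user("carol@example.com", "Tr0ub4dor&3"),
]

# Constructed "already cracked" third-party dump: (email, recovered plaintext).
LEAKED = [
    ("alice@example.com", "Summer2015!"),   # same password reused on the retailer's site
    ("bob@example.com", "hunter2"),         # bob used a different password here
    ("dave@example.com", "letmein"),        # not a customer at all
    ("carol@example.com", "tr0ub4dor&3"),   # case differs, so not a match
]


def find_reused_credentials(users: list, leaked: list) -> set:
    """Return the emails whose leaked plaintext verifies against the stored hash.

    Only these accounts need a forced reset; everyone else is left alone,
    which is the targeted alternative to a blanket reset.
    """
    by_email = {u["email"]: u for u in users}
    reused = set()
    for email, plaintext in leaked:
        user = by_email.get(email)
        if user is None:
            continue  # breach victim is not one of our customers
        candidate = hash_password(plaintext, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            reused.add(email)
    return reused


if __name__ == "__main__":
    print("accounts needing a reset:", sorted(find_reused_credentials(USERS, LEAKED)))
```

Matching on email first keeps the cost to one slow hash per leaked record; a dump that carries plaintexts without usernames would require comparing each plaintext against every account and should be batched offline.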

These methods are far preferable to the blanket password resets that have been adopted by online retailers in the past and which can prove frustrating for the end user. But, if the compromise is so severe and there is no alternative but to issue a reset, some key considerations that should be observed include:

  • Do not reset the user’s password immediately on submitting the forgotten password form. Mail the customer a link and only reset it when the link is clicked and the reset page is landed on. If not, the hacker can, potentially, create a denial of service by scripting a wide-scale reset of valid customer account passwords.
  • Do not allow enumeration in the forgotten password form. Return generic errors, not ‘this account doesn’t exist’, otherwise the above attack becomes much easier. Also, if the username is the customer’s email address, customer contact addresses can be leaked through mining the form.
  • Before allowing a password reset, ask for another item of data. Ideally, a pre-shared secret question or, at the very least, an item of data that the customer is not going to forget. Bear in mind addresses, etc. are available online for anyone to look up.
  • Make sure that the reset link or token is one-time only.
  • If a temporary password is used, the app must force it to be changed on first use.
  • When storing passwords, one-way hash them. Even if the hashes are stolen, it is a slow process to crack complex passwords, even using Hashcat (hashcat.net).
  • Enforce a good password policy. Consider password length, use of alphanumerics, case and special characters.
  • Do not leave password reset requests live. Find a sensible duration, maybe a few hours, and set the reset to expire then.
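A reset flow that applies the first, second, fourth and last points above, as an added example (not code from the chapter): the forgotten-password form returns the same generic message whether or not the account exists and changes nothing, the password is only replaced when the mailed token arrives, the token is single-use, and pending requests expire. The in-memory stores, the two-hour lifetime and the clock parameter are assumptions for illustration; tokens are stored hashed so a leaked table cannot be replayed.

```python
"""Password reset flow: generic response, reset-on-click, one-time token, expiry."""
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 2 * 60 * 60  # assumption: pending requests live for two hours
GENERIC_MESSAGE = "If that address is registered, a reset link has been sent."


def _digest(token: str) -> str:
    """Store only a hash of the token so a copied table does not yield live links."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetService:
    def __init__(self, accounts: dict, now=time.time):
        self.accounts = accounts   # email -> password (constructed store; hash in real use)
        self.pending = {}          # sha256(token) -> (email, expiry timestamp)
        self.outbox = []           # (email, token) mails "sent", kept for inspection
        self.now = now             # injectable clock so expiry can be exercised

    def request_reset(self, email: str) -> str:
        """Forgotten-password form: never reveal whether the account exists
        and never change the password here, only mail a link if one exists."""
        if email in self.accounts:
            token = secrets.token_urlsafe(32)
            self.pending[_digest(token)] = (email, self.now() + RESET_TTL_SECONDS)
            self.outbox.append((email, token))
        return GENERIC_MESSAGE  # identical message for known and unknown addresses

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Reset page: the password changes only for a valid, unexpired, unused token."""
        entry = self.pending.pop(_digest(token), None)  # pop makes the token one-time
        if entry is None:
            return False
        email, expiry = entry
        if self.now() > expiry:
            return False
        self.accounts[email] = new_password
        return True


if __name__ == "__main__":
    svc = ResetService({"alice@example.com": "old-secret"})
    print(svc.request_reset("alice@example.com"))
    _, token = svc.outbox[0]
    print("reset ok:", svc.complete_reset(token, "new-secret"))
    print("replay ok:", svc.complete_reset(token, "again"))
```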

Customers are for life, not just for Christmas

Customer relationships are changing because the retailer is becoming more involved in the data management process. The Internet of Things (IoT) has ushered in a new wave of invention that is seeing common household devices reinvented and connected to the internet. IoT devices typically connect using a mobile app or over WiFi and generate data that, in turn, can be used by the retailer to track usage behaviour and predict trends.

Yet, the rush to market has seen many of these devices shortcut the security process as a result of which they are hitting the shelves with startlingly obvious vulnerabilities. From broadcasting sensitive data in the clear, to default settings, to war walking, these devices are now providing a weak point over which to launch an attack on the home network or the mobile device to devastating effect, providing access to account logins, email, contacts, etc.

Typically, an Over The Air (OTA) update is seen as a cure-all for any security issues, but this is naïve. It fails to allow for the kind of serious network compromise already outlined. Plus, what manufacturers and their retail partners fail to appreciate is that IoT will redefine their relationship with the customer by making them responsible for securing that data for the lifetime of that product. From data collection, to how it is transmitted and stored, and the device updated and patched, the IoT retailer will need to demonstrate unprecedented levels of customer care.

IoT is a nascent industry, but there are already examples of manufacturers who are eager to reduce the odds of data leakage. FitBit was quick to rectify a firmware update vulnerability on its Aria bathroom scales, which saw the device surrender the WiFi PSK. Similar issues were found with the Crane Sports Connect bathroom scales and wrist fitness monitor, with the added complication that an online database of customer accounts was also susceptible to attack and could be brute-forced to obtain user login details or even delete all accounts. Again, Crane moved quickly to address the issues, but this case is interesting because it illustrates how data held remotely, in the Cloud, is also at risk.

The retailer as role model

Building a better relationship with the customer and their data is vital to the brand. The recent VTech debacle over the reissuing of terms and conditions that sought to absolve the manufacturer of any responsibility in the event of a data breach is both irresponsible and untenable as we move towards mandatory data protection legislation in the form of the EU General Data Protection Regulations (GDPR) due to come into force in the next two years.5

For online retailers, there is a real opportunity to steal a march on market developments by occupying the middle ground between customer and manufacturer and promoting data security. Security procedures that can be considered include:

  • promotion of password managers – password managers or vaults can be used to create strong unique passwords for each site the user goes to, without the need to remember them, reducing the risk of password reuse. Retailers should offer a password app or link to a free password vault and incentivise its use.
  • use of 2FA/2SA – this might seem like overkill for a retail site, but a breach could be far more devastating. Retailers typically capture customer mobile numbers anyway for delivery information, etc., so why not use this to SMS as a one-time code? This will also make authentication easier on subsequent visits to the website.
  • consideration of federated authentication or social login – Facebook and others make it easy to integrate their login process. It is an attractive method to make authentication easy for customers. This does mean the retailer is reliant upon the provider and that is worth bearing in mind: if the provider has an outage, then this could impact the retail site. Plus, if the social media account is compromised, this exposes the retail site.
  • Retailers also need to look at the procedures they have in place for incident reporting. Is the customer able to reach the retailer other than by social media? Is that the best place for customers to voice issues? Or are more formal disclosure processes needed that encourage and actively respond to data issues as and when they are flagged?

Recommendations

Online retail has predominantly focused on price comparison, speed and ease of use but, in the future, security will become increasingly important not just as a differentiator but as a key staple of the customer service offering. Responsible retailing recognises the need to pre-empt attacks through secure app design, to protect access channels and to secure data through the effective management of data generated by products and services in the future. But it should also encourage disclosure and engagement with the customer in an open way so that, when the inevitable happens, the retailer can react quickly to dispel fear and demonstrate customer commitment.

_______________

1 Gemalto (23 February, 2016) ‘2015: The Year Data Breaches Got Personal: Findings from the 2015 Breach Level Index’, www.gemalto.com/brochures-site/download-site/Documents/ent-Breach_Level_Index_Annual_Report_2015.pdf.

2 PricewaterhouseCoopers (PwC) (February 2016) ‘They say they want a revolution – Total Retail 2016’, www.pwc.com/us/en/retail-consumer/publications/assets/Total-Retail-Global-Report.pdf.

3 Fox-Brewster, T., Forbes (9 February 2016), ‘Tinder Not Bothered By Clone App That Dodges Premium Payment’, www.forbes.com/sites/thomasbrewster/2016/02/09/tinder-bad-security-design/#69da0bf449ba.

4 Pagliery, P., CNN (14 May 2015) ‘Hackers are draining bank accounts via the Starbucks app’, http://money.cnn.com/2015/05/13/technology/hackers-starbucks-app/.

5 Kelion, L., BBC Technology (10 February 2016) ‘Parents urged to boycott VTech toys after hack’, www.bbc.co.uk/news/technology-35532644.
