The retailer is highly dependent on the security practices of the customer, leaving them over-exposed. But, it is possible to create a better balance, if the retailer takes proactive measures to secure customer data. We take a look at the changing data landscape and how the retailer can proactively manage this aspect of the customer relationship.
I sat down with the team at Pen Test Partners to find out how retailers should start thinking proactively about security threats. Pen Test Partners provides security testing, consultancy and training to businesses. To find out more about them, visit: www.pentestpartners.com.
Online retailing has seen a strange dichotomous relationship emerge between the seller and the customer. The retailer has more data at their disposal, can build a closer, longer-lasting relationship with the customer and can leverage this to create cross-sales opportunities. But the reverse side of this sees the retailer exposed and reliant upon the customer to protect that relationship by observing security best practice. Changes in customer buying habits, the emergence of the Internet of Things (IoT) and an imminent escalation in data generation mean online retailers should act now to improve their data security practices. We will specifically look at:
At first glance, data breach statistics suggest that the retail sector is performing well in mitigating data breaches. Globally, the Breach Level Index (BLI) states that the retail sector saw a decrease (down 93 per cent) in the number of stolen records compared to the previous year, with the total number of records affected standing at 40.1 million, or just under 6 per cent of all stolen records.1 The 217 data breaches in the industry accounted for 13 per cent of the total number of breaches worldwide in 2015. Therefore, even though statistically there were more breaches in 2015, the number of records stolen was down dramatically in the same period.
In the UK, data breach incidents seem to have plateaued, with the retail sector coming in fifteenth place out of the 43 industries analysed by the Information Commissioner’s Office (ICO) in the Data Breach Audit 2015.
Yet, the statistics tell a different story when the data breaches are analysed by type. The BLI survey found identity theft accounted for 53 per cent of all data breaches, followed by financial access (22 per cent) and account access (11 per cent). These three causes all relate to the online retail experience. In the future, identity theft or unauthorised account access could yield information that then facilitates an attack against an online retailer.
The omni-channel world has enabled the consumer to conduct purchases over any touchpoint (mobile, PC, laptop, tablet, wearables) and this is seeing an increase in the take-up of mobile purchasing. According to the PricewaterhouseCoopers (PwC) ‘Global Total Retail Survey 2016’, 34 per cent of those surveyed believed their mobile phone would become their main tool through which to purchase items going forward.2 This raises the issue over whether the apps being developed for mobile purchasing are robust enough.
The Tinder premium app, for instance, was recently exposed as being easy to reverse-engineer and recompile, allowing fraudsters to use premium services for free.3 Then there is the danger posed by mobile payment processing itself. The Starbucks mobile app can be used to pay for purchases in-store and can top up the ‘wallet’ in the app by drawing funds direct from PayPal or bank accounts. This had profound implications when the app was hacked, with Starbucks’ customers seeing funds siphoned from their bank accounts.4
The threat posed by mobile purchasing can be mitigated by better security design and testing. When developing a mobile app, the retailer should:
Other media sources are also increasingly influencing purchase decisions. Customers are no longer simply looking to compare prices but also want to use recommendations and user experiences to inform their choice. The same PwC survey found 45 per cent of respondents worldwide (33 per cent in the UK) use reviews, comments and feedback from social media sites to influence their online shopping.
The role of social media in the shopping experience can expose the retailer, however. Users often take to social media, such as Twitter or Facebook, to publicise their purchase, post an online query or vent their frustrations. They may use a common hashtag or even write a post directly on the manufacturer’s social media company page. The savvy attacker who is aware of a product vulnerability can use this information to identify potential targets and then use directory sites and geolocation applications to physically locate the victim.
A recent investigation into the Smarter iKettle found the device could be used to steal WPA PSKs, enabling the attacker to compromise the router and DNS, before stealing other details, such as online emails, account logins, etc. Twitter users who tweeted about the kettle to @wifikettle could be identified, even down to determining Android versus Apple iOS users, and the information used to determine where they lived. (The Android-configured kettle is much less secure than the iPhone-configured version, and cracking the PIN should take, on average, four hours. So this information would be key to an attacker.)
Customers often reuse passwords for multiple sites and presume that it is down to the site owner to ensure that password is kept secure. For the retailer, a reused password increases exposure to attack exponentially. In effect, the security measures adopted by the responsible retailer are only as effective as the security provisions made by the least secure site where that password is used.
There are numerous cases of stolen password hashes, obtained from less secure sites, being cracked and then reused against other sites. The retailer can take a proactive stance against this by using sites such as http://haveibeenpwned.com to collate breach data that has been dumped publicly (an API is available that can make the process easier). If the hashes have already been cracked and published, it is also possible to run the plaintext through the retailer’s website’s own hashing/salting process to verify if the password has, indeed, been reused.
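As an added illustration of the re-hashing check described above (example code, not from the article or from Pen Test Partners), the following Python assumes the retailer stores per-user salted PBKDF2-HMAC-SHA256 hashes and that the collated public dump is a list of (email, cracked plaintext) pairs; both the account store and the dump are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Tuple

# Assumed work factor and algorithm; substitute the site's real password scheme.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted hash as the retailer's site would store it (assumed PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def new_account_record(password: str) -> Dict[str, bytes]:
    """Create a stored record with a fresh per-user salt."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def find_reused_passwords(accounts: Dict[str, Dict[str, bytes]],
                          breach_dump: Iterable[Tuple[str, str]]) -> List[str]:
    """Return accounts whose stored hash matches a password already cracked and
    published for the same email address in a third-party breach.

    Only dump rows whose email matches a local account are re-hashed, so the cost
    is one PBKDF2 call per matching row, not accounts x candidate passwords."""
    flagged = set()
    for email, cracked_plaintext in breach_dump:
        record = accounts.get(email.lower())
        if record is None:
            continue  # no local account for this address: nothing to check
        candidate = hash_password(cracked_plaintext, record["salt"])
        # Constant-time comparison, as for any password verification.
        if hmac.compare_digest(candidate, record["hash"]):
            flagged.add(email.lower())
    return sorted(flagged)


# Constructed sample data: three local accounts and a fictional public dump.
ACCOUNTS = {
    "alice@example.com": new_account_record("Summer2015!"),
    "bob@example.com": new_account_record("correct horse battery staple"),
    "carol@example.com": new_account_record("Tr0ub4dor&3"),
}
BREACH_DUMP = [
    ("alice@example.com", "Summer2015!"),  # same password reused: targeted reset
    ("bob@example.com", "bob1234"),        # different password: no action needed
    ("dave@example.com", "letmein"),       # no local account: ignored
]

if __name__ == "__main__":
    for account in find_reused_passwords(ACCOUNTS, BREACH_DUMP):
        print(f"password reuse confirmed for {account}: force a targeted reset")
```

Only the accounts that come back flagged need a reset, which is the targeted alternative to the blanket resets discussed next.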
These methods are far preferable to the blanket password resets that have been adopted by online retailers in the past and which can prove frustrating for the end user. But, if the compromise is so severe and there is no alternative but to issue a reset, some key considerations that should be observed include:
Customer relationships are changing because the retailer is becoming more involved in the data management process. The Internet of Things (IoT) has ushered in a new wave of invention that is seeing common household devices reinvented and connected to the internet. IoT devices typically connect using a mobile app or over WiFi and generate data that, in turn, can be used by the retailer to track usage behaviour and predict trends.
Yet, the rush to market has seen many of these devices shortcut the security process and, as a result, hit the shelves with startlingly obvious vulnerabilities. From broadcasting sensitive data in the clear, to default settings, to war walking, these devices are now providing a weak point over which to launch an attack on the home network or the mobile device to devastating effect, providing access to account logins, email, contacts, etc.
Typically, an Over The Air (OTA) update is seen as a cure-all for any security issues, but this is naïve. It fails to allow for the kind of serious network compromise already outlined. Plus, what manufacturers and their retail partners fail to appreciate is that IoT will redefine their relationship with the customer by making them responsible for securing that data for the lifetime of that product. From data collection, to how it is transmitted and stored, and the device updated and patched, the IoT retailer will need to demonstrate unprecedented levels of customer care.
IoT is a nascent industry, but there are already examples of manufacturers who are eager to reduce the odds of data leakage. FitBit was quick to rectify a firmware update vulnerability on its Aria bathroom scales, which saw the device surrender the WiFi PSK. Similar issues were found with the Crane Sports Connect bathroom scales and wrist fitness monitor, with the added complication that an online database of customer accounts was also susceptible to attack and could be brute-forced to obtain user login details or even delete all accounts. Again, Crane moved quickly to address the issues, but this case is interesting because it illustrates how data held remotely, in the Cloud, is also at risk.
Building a better relationship with the customer and their data is vital to the brand. The recent VTech debacle over the reissuing of terms and conditions that sought to absolve the manufacturer of any responsibility in the event of a data breach is both irresponsible and untenable as we move towards mandatory data protection legislation in the form of the EU General Data Protection Regulation (GDPR), due to come into force in the next two years.5
For online retailers, there is a real opportunity to steal a march on market developments by occupying the middle ground between customer and manufacturer and promoting data security. Security procedures that can be considered include:
Online retail has predominantly focused on price comparison, speed and ease of use but, in the future, security will become increasingly important not just as a differentiator but as a key staple of the customer service offering. Responsible retailing recognises the need to pre-empt attacks through secure app design, to protect access channels and to secure data through the effective management of data generated by products and services in the future. But it should also encourage disclosure and engagement with the customer in an open way so that, when the inevitable happens, the retailer can react quickly to dispel fear and demonstrate customer commitment.
_______________
1 Gemalto (23 February 2016) ‘2015: The Year Data Breaches Got Personal: Findings from the 2015 Breach Level Index’, www.gemalto.com/brochures-site/download-site/Documents/ent-Breach_Level_Index_Annual_Report_2015.pdf.
2 PricewaterhouseCoopers (PwC) (February 2016) ‘They say they want a revolution – Total Retail 2016’, www.pwc.com/us/en/retail-consumer/publications/assets/Total-Retail-Global-Report.pdf.
3 Fox-Brewster, T., Forbes (9 February 2016), ‘Tinder Not Bothered By Clone App That Dodges Premium Payment’, www.forbes.com/sites/thomasbrewster/2016/02/09/tinder-bad-security-design/#69da0bf449ba.
4 Pagliery, P., CNN (14 May 2015) ‘Hackers are draining bank accounts via the Starbucks app’, http://money.cnn.com/2015/05/13/technology/hackers-starbucks-app/.
5 Kelion, L., BBC Technology (10 February 2016) ‘Parents urged to boycott VTech toys after hack’, www.bbc.co.uk/news/technology-35532644.