By Daniel Solís, CEO and Founder, Blueliv.
As retailers become omnichannel, they become more vulnerable to data breaches. During the Easter weekend, four data breaches came to light, from Saks Fifth Avenue, Saks Off Fifth, Lord & Taylor and Panera Bread. The first three were the result of the payment system of Hudson's Bay, the parent company of the three department stores, being compromised; the Panera Bread breach followed the company ignoring reports of vulnerabilities in its systems.
Interestingly, Hudson's Bay said there was no indication that the breach had affected its online shopping websites or other brands, nor did it say how customers were affected. But according to Gemini Advisory, a security firm, a cybercriminal group known as JokerStash or Fin7 already had 125,000 payment card details available for sale on the dark web, and the firm believed that five million in total had been taken. The security firm also confirmed that the evidence suggested the breach had taken place a year before Hudson's Bay made it public. These four breaches alone bring home the message that retailers need to step up their game when it comes to data protection.
In line with this, the 2018 Verizon DBIR found that roughly one-third of all confirmed breaches in retail involved a web application. Common attack types include OS commanding, SQL injection, and the use of stolen credentials to compromise the system. However, there still seems to be a misconception or a lack of education around how customer data becomes vulnerable, and what happens when it's stolen.
It takes just one good credential to cause havoc
Make no mistake - cybercriminals steal credentials to make a profit. From blackmail and ransom, through to selling sensitive information on the dark web, there's nothing a hacker wouldn't do to ensure they get a return on investment following their efforts. Tactics that cybercriminals use include malware infections, phishing, DNS hijacking, leaked databases and social engineering. What's more, the hackers that steal the credentials are usually not the same ones that use them.
Once credentials are captured, they can be used in a variety of ways, depending on their type. For example, corporate account credentials allow serious intrusions into the organisation, while personal emails and payment details allow the attacker to impersonate real customers and steal goods and services. Unfortunately, while the customer has to face the worry of where and how their data is being used, it is the company offering the service or goods that will usually shoulder the cost of any fraudulent transaction.
So what key things do retailers need to understand if credentials are stolen?
Quality over quantity: cybercriminals see more value in one solid corporate credential than in thousands of records from unreliable leaks. Corporate credentials belonging to VIPs or giving access to key assets are the most valuable, fetching a fair price on the black market.
The fresher the credential, the better. A recently compromised credential means a higher chance that the cybercriminal can achieve their financial objective. It is even better for them if the credential was compromised without alerting the affected user.
Cybercriminals don't use data in real time: unless the data was captured in a highly targeted attack, hackers need time to analyse the reams of data they capture, filter out the prime credentials, and sell the data if they are not going to exploit it themselves.
How much are you worth to a cybercriminal?
Having access to an account at a retailer or e-commerce company normally allows the attacker to make purchases using the stolen account's balance or its configured payment method. Depending on the balance and how quickly purchases are made, the loss will have a different impact. Each retailer or e-commerce company will have its own policy for fraudulent transactions, but reporting the fraud as soon as it happens will normally help to recover most of the loss through a chargeback.
On the other hand, even if the victim reports it quickly, if the purchase has already shipped the company bears the loss, which adds up to a big impact if it happens to many customers. This kind of attack is usually carried out by threat actors who want a quick win from the stolen credentials, and it costs retailers and e-commerce companies a good amount of money, an amount which increases every year.
Professional cybercriminals could use those accounts as destinations for transferring stolen money, or use stolen credit cards to purchase goods and ship them to mules, who reship the goods to an anonymous postal address belonging to the criminals (reshipping). This is a way for criminals to launder their money, transforming the 'dirty' money from illicit activities into goods that they can resell in legitimate markets to obtain 'clean' money.
Depending on the retailer or e-commerce organisation, additional fraudulent activities could be performed once the attacker has access to an account, such as taking advantage of reward points or gift cards. In the case of gift card fraud, for instance, the attackers obtain a gift card number with a certain amount of money that they can use online or in a physical store, permitting a fast cash-out of the money. These can also be sold on and transferred to other accounts.
What can retailers do to protect their credentials and customer data?
As with many aspects of cybersecurity, education is key to mitigating attacks. Under no circumstances should an IT security team be the only group within a company that knows how to identify potentially malicious activity. The ability to recognise when credentials might be compromised can save a huge amount of pain and financial loss.
In the event of a breach or suspected breach, the first thing to do is also the most obvious: change your credentials. In fact, this should be done regularly anyway, along with reminders never to share them. However, before changing the password it is critical to make sure the system is no longer compromised; otherwise the new credentials will simply be captured as well.
Once credential theft has occurred and recovery processes have been put in place, it is likely that it will be all hands on deck to find the hole and plug it, fast.