By Rick Caccia, firstname.lastname@example.org
It is surprising to realize that 2010 is coming to a close. To me, it seems like only yesterday that we spent New Year’s Eve wondering if the Y2K bug would shut down the computers and the power grid. In the ensuing decade, the retail industry, like many others, has seen some very clear technology trends: More information is online and stored in systems connected to the web; employees, partners, and customers have more access to information and applications (for example, account self service or online shopping) via the web; and as a result, there is now greater opportunity for loss of information, particularly payment-card information, than ever before.
We believe these trends will continue. Shoppers expect more access to information and easier ability to pay, both of which often involve leveraging third-party software to make it happen. New technologies enable online retailers to roll out better user experiences for less cost and effort. Additionally, these businesses continue to grant employee (and contractor) access to more applications and data so that they may do their jobs efficiently and productively. And as a result, the possibility for sensitive data to be exposed or even lost is suddenly much higher. The trick is to operate securely in a world of new technologies and new business opportunities.
While companies in almost any industry face some common security-related business risks, retailers are especially susceptible to certain risks, and should consider these when designing an information risk-management program:
Account takeover: Customers who enjoy the shopping experience are more likely to be repeat customers, and stored address and payment information certainly makes the experience better. Of course this means that retailers face many of the account takeover risks that banks face every day. Controls that detect and mitigate account takeover should be a part of any online risk-management program, and the techniques are well known. These include analysis of the shopper’s home location versus ordering location (e.g., you live in Spokane but are ordering plasma TVs from a computer in Russia) as well as new shipping addresses.
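The two signals the paragraph names, ordering location versus the customer's home location and a never-before-seen shipping address, combine naturally into a risk score that puts a suspicious order on hold instead of silently shipping it. The following is an added example written for this article, not the author's or any vendor's code. It assumes the checkout already geolocates the client IP to a country and city, and the weights, the high-value threshold and the review threshold are constructed values a merchant would tune from its own fraud history.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Customer:
    customer_id: str
    home_country: str
    home_city: str
    known_shipping_addresses: frozenset  # addresses this customer has shipped to before


@dataclass(frozen=True)
class Order:
    order_id: str
    customer_id: str
    ordering_country: str  # assumed: derived from the client IP at checkout
    ordering_city: str
    shipping_address: str
    amount_usd: float


# Assumption: constructed weights and thresholds; tune per merchant in practice.
WEIGHT_FOREIGN_COUNTRY = 50
WEIGHT_OTHER_CITY = 10
WEIGHT_NEW_SHIPPING_ADDRESS = 30
WEIGHT_HIGH_VALUE = 20
HIGH_VALUE_USD = 1000.0
REVIEW_THRESHOLD = 60


def score_order(customer: Customer, order: Order):
    """Return (score, reasons) for one order against the customer's history."""
    score, reasons = 0, []
    if order.ordering_country != customer.home_country:
        # Strongest signal: the order is placed from a different country than the
        # customer's home (the "Spokane customer ordering from Russia" case).
        score += WEIGHT_FOREIGN_COUNTRY
        reasons.append(f"ordering from {order.ordering_country}, home country is {customer.home_country}")
    elif order.ordering_city != customer.home_city:
        # Same country, different city: mild signal, customers travel.
        score += WEIGHT_OTHER_CITY
        reasons.append(f"ordering from {order.ordering_city}, home city is {customer.home_city}")
    if order.shipping_address not in customer.known_shipping_addresses:
        score += WEIGHT_NEW_SHIPPING_ADDRESS
        reasons.append("shipping to an address this customer has never used")
    if order.amount_usd >= HIGH_VALUE_USD:
        score += WEIGHT_HIGH_VALUE
        reasons.append(f"high-value order (${order.amount_usd:,.2f})")
    return score, reasons


def decide(customer: Customer, order: Order) -> dict:
    """Turn the score into an action: hold for manual review or allow."""
    score, reasons = score_order(customer, order)
    action = "hold_for_review" if score >= REVIEW_THRESHOLD else "allow"
    return {"order_id": order.order_id, "score": score, "action": action, "reasons": reasons}


# Constructed sample data: one Spokane customer and three orders.
SAMPLE_CUSTOMER = Customer("c-1001", "US", "Spokane", frozenset({"12 Elm St, Spokane, WA"}))
SAMPLE_ORDERS = [
    Order("o-1", "c-1001", "US", "Spokane", "12 Elm St, Spokane, WA", 42.50),    # routine purchase
    Order("o-2", "c-1001", "US", "Seattle", "12 Elm St, Spokane, WA", 120.00),   # travelling, usual address
    Order("o-3", "c-1001", "RU", "Moscow", "PO Box 77, Elsewhere", 2400.00),    # the article's scenario
]


def run_sample() -> list:
    """Score every sample order; used by the demo below and by tests."""
    return [decide(SAMPLE_CUSTOMER, order) for order in SAMPLE_ORDERS]


if __name__ == "__main__":
    for result in run_sample():
        print(result)
```

Scoring rather than hard-blocking matters here: a customer ordering from a hotel in another city with their usual shipping address gets a low score and is allowed, while the foreign-IP, new-address, high-value combination crosses the review threshold and is held for a human or a second factor.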
Malware: Many of the high-profile data breaches at retailers, consumer payment processors, or banks involved some form of malware, such as a “bot,” that gained access to the customer credit card system, then subsequently stole card numbers and sent them out via the network to an external IP address. Even Google, a very secure consumer company, was subject to such an attack. The most common route for malware to enter the company is via an employee’s web browser. While it may be hard to believe that a shipping clerk in a warehouse looking at an online greeting card could trigger a massive loss of customer credit-card numbers, remember that the corporate network ties together many systems, and one person’s browsing can expose the company to significant loss. While modern malware can be quite subtle and tricky, there are again known techniques for detecting attacks, including looking for unusual network traffic. Many bots, upon installation on a user’s computer, try to “phone home” for additional instruction. This “beaconing” can be detected by looking for certain types of network traffic heading to foreign IP addresses. While not perfect, these and other detection techniques can find threats early, before they cause significant loss of customer data.
“Web hacks:” By this I mean breaking the normal online shopping process with