News

Understanding the Point-of-Sale Hacking Threat

BY CSA STAFF

By Jason Glassberg, co-founder of Casaba

Target’s massive data breach continues to reverberate in the headlines, but in reality it’s just one of countless attacks that affect the retail industry on a daily basis. Whether it’s highly sophisticated malware developed out of Russia, local hit-and-run point-of-sale thieves or insider threats, retailers must adapt to this increasingly risky environment.

First of all, it’s important for retailers to understand that just because you meet PCI compliance doesn’t mean you’re not at risk. PCI is the bare minimum that your company should be doing to protect itself — but it won’t stop today’s more sophisticated attacks.

Here is a quick breakdown of the top hacking threats retailers face, and how to boost your defenses:

• Skimming: This is the ‘traditional’ POS attack. Attackers physically modify the card reader or other POS terminal with additional hardware that can capture Track 2 data from all debit/credit cards. This type of attack has been used in a wide range of retailer hacks, including Nordstrom, Barnes & Noble, numerous gas stations, ATMs, etc. While this is now an outmoded attack due to the rise in POS malware, skimming is still widely used and popular. In the past few weeks, skimming operations have been uncovered in New York City, Albany, N.Y., Tampa Bay, Fla., Cincinnati, San Francisco, etc.

Security Tips: There are several ways retailers can protect against this type of attack – but the simplest is to limit unmonitored physical access to the POS terminals. For example, if the card reader is not physically attached to the checkout counter, it should be locked up when the cash register is not in use.

Retailers should also have managers or security personnel physically inspect the card readers throughout the day for any noticeable signs of tampering. Employee training can also help to reduce the threat, by teaching employees how to spot compromised PIN pads, and common scams criminals use to get access to a POS device.

• POS Malware: One crew can only skim so many retailers at a time — so the preferred method these days is to deploy POS malware into a retailer’s network to infect hundreds or thousands of POS terminals at one time and reduce the physical threat to the attackers. POS malware basically just automates the skimming method with a computer program — the malware infects the POS device (which is usually Windows-based) then collects Track 2 data stored in the device’s memory every time a card is swiped. This type of malware is known as “RAM scraper” malware and is increasingly common in retail networks. The malware saves this captured Track 2 data in its own file on the POS device, which is later removed by the hacker. There are many different types of POS malware out in the wild, but a few that have been discovered include “Dexter,” “BlackPOS,” “ChewBacca,” and “Project Hook.”

Security Tips: Keeping POS software applications updated is critical. Retailers should also disable remote access software on the POS system; segment POS systems so they’re not connected to the Internet; use strong passwords and change them often on POS systems; install POS firewalls; and use Windows antivirus. Another step to consider is to eliminate the Windows-based POS machine altogether, since it’s easy to write malware for the Windows operating system. Instead, connect the POS terminal directly to a payment processor service.
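As an added example (not part of the original article): a minimal scanner a defender could run over unexpected files on a POS terminal to spot the cleartext Track 2 dumps that RAM-scraper malware leaves behind. The Track 2 layout follows ISO/IEC 7813; the function names and the sample bytes are assumptions constructed for illustration, and the card number is a well-known test value.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' PAN (up to 19 digits) '=' YYMM expiry,
# 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six / last four digits so the finding is not itself card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(data: bytes):
    """Return (offset, masked PAN, expiry YYMM) for each plausible Track 2 record."""
    hits = []
    for m in TRACK2_RE.finditer(data):
        pan = m.group(1).decode("ascii")
        expiry = m.group(2).decode("ascii")
        month = int(expiry[2:])
        if luhn_ok(pan) and 1 <= month <= 12:
            hits.append((m.start(), mask(pan), expiry))
    return hits


# Constructed sample: bytes of a hypothetical unexpected file on a terminal.
# 4111111111111111 is a standard test number, not a real card.
SAMPLE = (
    b"\x00\x13junk;4111111111111111=29121010000000000?\r\n"
    b"order;1234567890123456=29121010000000000?\r\n"  # fails Luhn
    b"id;4111111111111111=29131010000000000?\r\n"     # month 13 is invalid
)

if __name__ == "__main__":
    for offset, pan, expiry in find_track2(SAMPLE):
        print(f"offset {offset}: PAN {pan} expiry {expiry}")
```

Any hit in a file that the POS application did not create is worth investigating, since legitimate software should not be writing unencrypted track data to disk.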

• Breaching the Network: The problem with POS malware is getting it on the actual POS devices. In most cases, these aren’t connected to the Internet, so instead, hackers have to find a way in through the corporate or in-store network. Hackers can employ a wide range of methods to breach this network in order to get their malware onto the POS terminals. They may send “phishing” emails to employees with a poisoned payload, use “social engineering” to trick employees into giving up passwords or network access, leverage a malicious employee, launch SQL injection attacks on a Web server, compromise a third-party vendor with access to the network, or simply exploit a default password on a network device.

Security Steps: Of course, infecting a POS terminal with malware starts with breaching the retailer’s network security. Since there are many ways to attack the network, as listed above, retailers must have a rigorous and comprehensive security program in place to effectively block these attacks.

Employee training is helpful for preventing breaches via phishing and social engineering — but retailers should take additional steps. Segment your employees’ access to key systems, databases and information so if they’re infected by a phishing email, the infection won’t spread laterally across the network, and social engineering attacks will be less threatening. Companies should perform ongoing security audits and code reviews to look for software vulnerabilities that might enable a SQL injection or other type of attack. They should also review the level of access and security of all third-party vendors that are in their supply chain.

Additionally, retailers should undergo periodic “penetration testing” (also known as “ethical hacking” or “red-teaming”) by a qualified cybersecurity contractor with experience in POS systems to test for weaknesses in their corporate networks that may have gone unnoticed.

Unfortunately, there is no such thing as a 100% safe network, and cybercriminals will constantly put your systems to the test, looking for any vulnerabilities they can exploit. But by being proactive and implementing an aggressive cybersecurity program, retailers can greatly reduce their chances of being compromised, detect breaches early before they have a chance to escalate, and make it harder and more expensive for cybercriminals to attack them, which increases the likelihood that attackers will move on to softer targets.

Jason Glassberg is co-founder of Casaba, a cybersecurity/ethical hacking firm that consults for retailers, major banks, Fortune 50s/100s/500s. Prior to forming his own company, he was the senior technical lead on retail systems for Charles Schwab & Co. He can be reached at [email protected].


News

Ahold USA appoints Hershey exec. as SVP, marketing

BY CSA STAFF

Ahold USA has appointed Amy Hahn to the newly created position of SVP marketing effective April 28. In this role, Hahn will lead and drive critical initiatives of strategic marketing, market insights and analytics, advertising, promotion, brand development, corporate communications, innovation, digital strategy and execution.

She will also be responsible for developing digital retailing and loyalty plans.

“Amy brings a wealth of retail marketing experience to her new role with Ahold USA and will be utilizing her expertise to drive the voice of the consumer throughout all of our communications and loyalty initiatives,” stated Jan van Dam, EVP marketing, supply chain and e-commerce.

Hahn joins Ahold USA after more than 20 years with the Hershey Company where she established a reputation for driving revenue and profitability through innovation in strategy, product development, merchandising, marketing and category management. She began her career with Hershey in engineering and supply chain, moving into progressively responsible positions in brand management and product merchandising. Hahn also led the revitalization of Hershey’s e-commerce and web business. Most recently, she served as the global VP/general manager for direct retail and licensing where she led a 700-person cross-functional team, expanding Hershey’s presence across North America, Asia and the Middle East.

Hahn holds an M.B.A. and B.S. in mechanical engineering from Pennsylvania State University.

News

Winning Strategies for Returns Management

BY CSA STAFF

By Jim Rallo, president, retail supply chain group, Liquidity Services Inc.

The retail industry has seen its fair share of challenges in recent years with decreased foot traffic through stores as consumers move online to purchase products. Regardless of where consumers purchase goods, returns are an issue with the NRF estimating the amount of merchandise returned in 2013 totaling $267.3 billion.

To improve cost efficiency, retailers are working to improve overall supply chain performance. In addition, increased use of social media and changing regulations have emphasized the importance of brand protection and the need to support sustainability initiatives across the enterprise. By addressing these trends through the reverse supply chain, where returned and overstock inventory is managed, companies can focus their employee time on customer interaction and increase recovery in secondary markets while supporting the larger strategic goals of the organization.

A Better Way Forward for Returned and Overstock Inventory
Retailers invest millions to bring customers into their stores and increase interaction with their brand. However, when a customer decides to return an item, the behind-the-scenes process receives significantly less attention, and has the potential to cost retailers valuable margin and buyer loyalty. By working with a trusted provider to address challenges and leveraging trends in the reverse supply chain, retailers can align their returns process with best-in-class practices.

Create a High-Performance Reverse Supply Chain
Working harder to obtain market share means the costs to stay top-of-mind have continued to increase, while retail sales have slowed. To remain competitive, retailers have to optimize their supply chain, decreasing costs. A capable service provider can work with a retailer to leverage technology and proven processes to streamline operations.

For example, many retail warehouses boast sophisticated warehouse management systems (WMS) to manage the forward flow of goods, but few invest in a robust WMS for the reverse supply chain. Vendors should be able to handle both sides of the profit equation. On one side, they can manage costs through accessible distribution centers equipped with world-class WMS and data and analytics to measure results. On the other side, they play a role in managing revenue – driving higher recovery by tapping a large buyer base and providing superior marketing and sales strategies.

Protect the Brand in Secondary Markets
Secondary markets can be fraught with risk. Without appropriate guidance, a retailer’s brand can be negatively impacted. Comprehensive vendor services should include data wiping on electronics to ensure that customer data on a returned laptop, game system, or tablet does not end up in the wrong hands. Second, retailers need to manage merchandising to ensure that products are accurately described. In a recently conducted survey, we found that 79% of consumers consider accurate product information on refurbished products to be important. Third, retailers have to manage where product is sold. From eBay to boutique online stores to flea markets, there are a number of places where returned product could potentially end up. By directing the right product through the right channels, audiences are appropriately targeted.

Finally, it’s critical to manage the customer experience – which varies by channel. The same customer that enjoyed a top-notch in-store engagement might have a frustrating experience in secondary markets, potentially costing the retailer their brand loyalty. Rather than leaving the brand open to potential risk by selling product through a channel that lacks a customer service department or utilizes incomplete product information, a retailer can ensure that channel use aligns with larger company goals by employing a vendor who knows how to navigate secondary markets. Vendors should also be able to provide retail clients with complete transparency into the process with regular reporting against the metrics needed to ensure success.

Focus on a Sustainable Process
Retailers can boost sustainability metrics for the entire company by following the “R” Cycle in returns management: Re-use, Re-furbish, Re-commerce, Re-distribute, and then Re-cycle. The return-to-vendor (RTV) process often hinders efforts to improve sustainability due to landfill disposal protocols. In addition to being environmentally-unfriendly, this practice includes expensive landfill fees on top of lost profits. An experienced provider will be able to work between retailers and OEMs to create mutually-aligned incentives in the RTV process, ultimately deferring product from landfills, providing a second life for goods, and improving brand loyalty for environmentally focused customers.

Conclusion
With the right process and the right partner, managing returns and dealing with overstock does not have to be a headache. The reverse supply chain provides opportunity for retailers to create competitive advantage and produce results that support larger strategic goals, whether that be streamlining the supply chain, improving brand perception, or enhancing sustainability initiatives. By better managing the returns management process, retailers can increase recovery and cut costs, while addressing risks in the new retail supply chain with winning strategies.


COMMENTS

A.Boon says:
Apr-16-2014 03:29 pm

Technologies can help retail
Technologies can help retail industries in a large way to ensure quality products throughout their supply chains. Constant innovation and new strategies will help retailers improve their shipping and delivery systems. This will directly reflect in their productivity. I work for McGladrey and there's a very informative whitepaper on our website that readers of this article will be interested in: “Count, manage and move: Warehouse inventory control strategies” http://bit.ly/1kgYXWo
