Retail hacking is no new phenomenon, although it has increased in frequency over the last few years. In fact, retailers experienced more breaches than any other industry in 2019, and they've lost over $30 billion to cybersecurity attacks.
Both brick-and-mortar and online businesses experience retail hacking. Cybercriminals must often work harder to access online stores because these companies' reputations ride on secure transactions. However, they're not exempt from the flood of break-ins that happen during high-volume shopping seasons, including back-to-school, Black Friday, and the winter holidays.
Last-minute shoppers become the victims of retail hackers looking for simple ways in. Many consumers rush to buy gifts before the holidays sneak up on them, meaning they're less diligent about scams and fraudulent sites. Shoppers might be willing to visit stores and webpages they've never been to before in search of hard-to-find items. Threat actors know this and take advantage of it with scarily authentic scams.
Even though the holidays have passed, shoppers should remain vigilant about scams and retail attacks—especially as web skimmers up the ante with social engineering tactics and evasion methods. Businesses, too, will benefit from strengthening their security protocols and staying up-to-date on the latest hacking methods.
1. Credential stuffing
Retail hackers frequently use credential stuffing, or the use of stolen usernames and passwords, to break into systems because it's one of the easiest ways to siphon off data. Many people use the same passwords across multiple sites, which leaves them open to invasion. Hackers collect these credentials via purchase from the dark web or databases of personally identifiable information left online after massive breaches, and use them to hack into retailers and buy products.
Chipotle experienced a breach like this earlier in 2019, where costumers' credit cards racked up hundreds of dollars in food purchases. However, many customers argued that their passwords were unique to Chipotle, which begs the question of how else cybercriminals could have accessed their accounts.
2. Near field communication (NFC)
Price scanners, cell phones, and card readers are notorious targets for NFC breaches. NFC technology allows customers to use their phones to purchase goods by tapping them against a reader.
Similarly, someone can scan a QR code and gain access to an exclusive app or land on a site where they can purchase items. Though NFC is convenient, retail hackers have little problem intercepting the data from its transactions and stealing information.
Even malware can pass from infected phones to retail systems. NFC technology is prevalent in face-to-face transactions, but more sites are hosting QR codes for users to scan. Hackers generally use several different ways to manipulate data transmitted over a distance:
- Corruption: They use a third device to intercept a connection between two other electronic devices, which destroys the information being sent.
- Eavesdropping: Cybercriminals pick up on private information by recording communications between two devices. Using this technique can give someone access to credit cards and other payment information.
- Modification: The hacker manipulates the data before it reaches its intended source—meaning they can alter important details or inject malware or other harmful components.
3. RAM scraping
RAM scraping is a procedure hackers use to enter point-of-sale software. Every card transaction leaves data in the retailer's terminal system. This information lasts temporarily as a part of the machine's RAM, but threat actors can implant POS malware that reads this input before it disappears. By scraping this information, they obtain all the items stored on a card's tracks—such as the account number, CVN, and expiration date.
The massive Target breach of 2013 is one example of RAM scraping in action. Text strings containing credit card information can remain in a retailer's database for seconds, minutes, or hours. The longer it stays, the more chances hackers have for grabbing it before it goes.
4. Card readers
The magnetic strips on credit and debit cards make them frequent targets for cybersecurity attacks. Hackers don't always need to force their way into online accounts—they can glean data from a single card swipe. Card data, which includes PINs and card numbers, remains encrypted until the moment of the swipe. Skilled criminals can take this opportunity to snatch the information and use it for themselves or sell it to others.
Many retailers and card companies have switched to chips instead of magnetic strips. Chips create a unique code that is only used for a single purchase. This form of EMV technology—which stands for Europay, Mastercard, and Visa—makes it harder to duplicate information and use it for subsequent transactions.
5. Web skimming
Web skimmers had quite a year in 2019, helped along by the criminal groups known collectively as Magecart, which were responsible for developing a slew of new techniques for stealing from online retailers and consumers alike.
Web skimmers sneak malware into website codes to glean personal information from customers. All e-commerce sites have a payment page for completing purchases, most of which are securely encrypted. However, those without airtight security are prime targets for web skimmers. This malware is hard to detect—especially for small businesses without advanced tech—and it can affect hundreds of customers at a time, making it a favorite among threat actors.
Skimmers enter sites through a third party, such as plug-in or an e-commerce page. These entryways are easier to get through because they often contain weaker code structure. (First-party entry commonly happens only to those small sites without strong cybersecurity measures in place.) Once the script infects the webpage, it funnels passwords, social security numbers, and credit card numbers back to the cybercriminals' servers.
6. Social engineering
Social engineering might sound like a term too vague to be real, but this tactic is one of the oldest in the criminal book, useful for preying on emotions. In the pre-Internet days, someone might dress up as an employee of a department store and pretend to work there to access private information. They might ask other employees for information, knowing that some harried workers will readily supply it so they can return to their tasks. Others might loiter in front of a store and scam people out of cash using the old shoeshine technique.
Online, social engineering looks a bit different for retailers and shoppers. Websites might sell counterfeit goods at too-good-to-be-true prices, then snatch the personal information of customers while they're at it. Watering hole attack strategies target hundreds of users at a time by analyzing their Internet browsing habits then laying siege at sites known to attract particular user groups, such as mommy blogs, gamers, or foodies. Phishing emails might pose as favorite retailers asking for account updates, while delivering malware or ransomware instead.
Beating web threats
With so many ways to steal information, it's plain to see why retail cybercriminals often see success during the holidays and otherwise. Although retail hacking runs rampant during high shopping seasons, it doesn't have to deter shoppers from completing their last-minute purchases. The onus is on businesses to secure their data and build trust with their consumers and partners.
Though no system is entirely unhackable, businesses should follow standard cybersecurity procedures and aim for the best defenses possible. Prioritizing user safety will allow them to build trustworthy relationships with their shoppers.