Craig Guillot | November 05, 2014 | National Retail Federation

Methods of deterrence for the LP threats retailers face

In the cat-and-mouse game of loss prevention, criminals are constantly seeking new ways to defraud retailers. A number of high-profile breaches have shown that big data can be accessed through small vulnerabilities in bricks-and-mortar locations. E-commerce security is often managed at the corporate level by complex software, but retailers aren’t always protected at the store level. Something as simple as an unsecured USB port or an unattended terminal can create a gaping opening in the system.

While retailers can never fully eliminate all threats, they can increase awareness to identify and decrease their vulnerabilities. Here are eight of the more unique threats that retailers face.

Wardriving is simply the act of driving around searching for unsecured Wi-Fi signals. In its most innocent form it’s a way to get free Internet access, but it’s also increasingly being used to penetrate retail systems. Savvy thieves use specialized equipment with long-range antennas, scanning for Wi-Fi signals from retailers and other businesses and going after the least-secure and easiest-to-crack networks.

Wardriving has figured in the loss of millions of credit card numbers at major retailers. Tim Gallagher, senior security analysis team engineer at network security service provider Nuspire Networks, says smaller retailers are especially vulnerable because they often use unsecured or poorly secured wireless networks.

Criminals “look for the path of least resistance,” he says. “It’s a game of averages. They know if they drive around enough with their laptop open and hit 30 stores per night, they’re going to find something that is open and unsecured.”

Physical server and handheld device access
Gallagher says some retailers don’t do enough to protect physical computer assets. Smaller stores often put terminals and servers in open areas or storage closets that aren’t carefully observed. Even big-box retailers can leave servers or terminals unattended in the back of stores.

Publicly accessible ports
Open and accessible Ethernet and USB ports can be an invitation for nefarious opportunists. Gallagher says he frequently sees unguarded Ethernet and data ports in the walls of many retail establishments.

HVAC systems and the ‘Internet of Things’
In today’s ever-connected environment, everything from light switches to thermostats can be controlled via the Internet. Chain retailers often use expanded connectivity to allow service providers to monitor HVAC, refrigeration and alarm systems from headquarters or remote locations. Gallagher says savvy opportunists can use those third-party applications as pathways to exploit the entire system.

“Sometimes the HVAC system may be using the same network environment that the retailer uses for their point of sale system. When you start plugging third-party applications into what should be a controlled environment, you can create different attack openings,” says Gallagher.

Information and counterfeit technicians
Seemingly benign information can offer stepping stones for big hack attacks. Gallagher says criminals can string together small pieces of information to find out about problems, then exploit them by disguising themselves as a technician. While front-line retail staff may have a good day-to-day understanding of retail operations, he says they’re not trained to know what information can create security vulnerabilities.

In one example, Gallagher says a malfunctioning receipt printer can open the door. Whether through a purchase or observation, the perpetrator learns the machine has a problem and returns later disguised as a technician. Shift workers, who know the machine is malfunctioning and are eager to have it repaired, grant the person access because they assume a manager called the company. Once the perpetrator has access, he can install malicious software or swipe sensitive data.

“It’s not too difficult as long as you … look respectable enough and have an understanding of the environment and equipment,” he says. “It’s very easy at the franchise level to just walk into a store and people low on the totem pole will let you look at a machine.”