
Retail businesses are vulnerable to a range of cyber security threats during this new way of working.

The impacts of Coronavirus (COVID-19) on the retail sector have accelerated changes that we were already seeing. When physical stores closed, retailers swiftly adopted online options, contactless payments and contactless deliveries, which in turn has driven an increase in the cyber security risks and fraud that retailers need to be aware of.

These new ways of working, along with the increased adoption of cloud and software-as-a-service, mean retailers will also need to consider:

  • cloud security impacts
  • identity and access management risks
  • testing/penetration testing of new services
  • architectural review of new cloud-based infrastructure.

With the increase in demand in such a short time, additional and/or local supplier options are also being pursued, which means third party risk can also increase. And as consumers embrace more digital interactions with retailers, they too are at increased risk of social engineering and retail-based scams.

We highlight some key insights into cyber security impacts in the retail sector and actions to consider to protect your retail business and your consumers.


More and more organisations are going contactless. This isn’t just about payment platforms with tap and go/tap and pay; delivery options are now also moving towards a contactless model. Both of these can increase fraudulent activity in the form of:

  • more fraudulent payments of less than $100 with stolen cards, since a PIN isn’t needed below that limit
  • delivery theft or loss where goods are simply dropped off at a door, or where deliveries are not signed for and cannot be tracked.

Fraud in these areas had already been increasing:

  • Lost/stolen card fraud increased 10 percent in 2018 to $55.5 million.[1]
  • In 2019 the Ombudsman issued a report on complaints about Australia Post, ranging from customers alleging that parcels had not been delivered to their houses but merely dropped at the nearest post office for pick-up, to claims that parcels had been stolen when left at delivery addresses and compensation had been refused.[2]
  • In 2019 researchers Leigh-Anne Galloway and Tim Yunusov found a flaw in Visa contactless cards that would allow attackers to bypass the contactless payment limit on those cards.[3]
  • 90 percent of retail domains are not compliant with the PCI DSS standard.[4]

Online uplift

With more consumers social distancing and physical stores closed, the need to operate via ecommerce has become paramount. Customers are spending on average 10-30 percent more online, with ecommerce consumer sales increasing 28 percent during the coronavirus pandemic.[5] This is driving more online capabilities for retailers, but it is also highlighting the issues that arise when operations are moved online. Retailers need to build security into their design from the outset to protect their brand, reputation and customers. Consider the following:

  • Has your online environment been security tested? Has a penetration test been performed to ensure that there are no vulnerabilities before going online?
  • Have you ensured that you are running the right encryption standard, that you are defaulting to HTTPS and that you are handling your customers’ data safely?
  • Ensure that you publish your privacy and data handling policy on your website; this gives your customers clarity about how you handle their data.
  • If you’re considering moving to a public cloud platform be aware that your organisation is responsible for the security of what you build on the cloud. As a simple analogy consider this – the cloud provider looks after the road. What you do with your car on the road is up to you.

In particular, your organisation should have the capacity to handle sudden increases in traffic, whether from a sales/marketing campaign or from a denial of service (DoS) or distributed denial of service (DDoS) attack, so that a surge does not take your services offline. Link11, a European cyber resilience company, reported a 30 percent increase in DDoS attacks during the early stages of the pandemic (17 February to 9 March).[6]

Third party risks

It’s important to consider your suppliers’ and other third parties’ cyber security as well. A third party risk assessment should be undertaken before giving any third party access to your business networks. It is also important to verify the access they give their own third parties, how they handle customer data, what cyber security protocols they have in place and their organisation’s security policies. For example, a large retailer suffered a credit and debit card breach after attackers broke into the company’s network using network credentials belonging to a refrigeration and HVAC systems vendor. This allowed the attackers to install malware on the retailer’s POS systems, which in turn allowed the collection of data relating to approximately 40 million customers.


Attackers are using the coronavirus as a way to target more consumers; in fact, the Australian Competition and Consumer Commission’s Scamwatch received more than 100 reports of scams about COVID-19 in the last three months, and the volumes continue to rise.[7] Consumers who are shopping online more are also signing up to newsletters and eDMs and receiving shipping notifications, which can make them more susceptible to phishing emails that masquerade as your business. There have been well-publicised scams using FedEx, Australia Post and other well-known delivery service providers that encourage users to click on a link to track their parcel, where the link instead downloads malware.

It’s important to protect your business and brand, as well as your customers, from being attacked. To help, ensure that your email communications are clear, well-written, well-branded and consistent so consumers can easily identify authentic messages from your business versus a scam.

Some of the increases in fraudulent activities include:

  • payment fraud increasing due to the drive towards contactless payment
  • cards being stolen from mailboxes
  • fraudulent accounts set up to obtain false cards
  • accounts registered to vacant/open for inspection properties
  • deliveries sent to vacant homes with no need to sign.

Identity protection

Retailers need to consider how to protect their customers’ identities. Creating logins for customers to access newsletters and track the progress of their orders is commonplace, so it’s important for retailers to minimise the risk of account compromise and customer data breaches. Specifically, retailers are vulnerable to credential stuffing: the automated use of collected usernames and passwords to gain fraudulent access to user accounts. Some ways to protect your customer data include:

  • strong password creation (and multi-factor authentication if possible)
  • careful handling of customer data
  • strong certificates on websites
  • secure code development
  • penetration tests of your ecommerce sites
  • PCI-DSS practices for handling credit card data (or using payment gateways instead to take away the burden of handling and storing credit card data).
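As an added illustration of the credential stuffing risk described above (example code, not from the original article): a detection pass over constructed login logs that separates one source address failing against many different accounts from a genuine customer mistyping their own password. The log format, addresses and thresholds are assumptions.

```python
"""Credential-stuffing detection over login events (added example).

Credential stuffing replays leaked username/password pairs against many
accounts, so one source IP produces many failures spread across many distinct
usernames. A real customer fails a few times on a single account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp ip username result" per login attempt.
SAMPLE_LOG = """\
2020-04-01T10:00:01 203.0.113.9 alice FAIL
2020-04-01T10:00:02 203.0.113.9 bob FAIL
2020-04-01T10:00:03 203.0.113.9 carol FAIL
2020-04-01T10:00:04 203.0.113.9 dave OK
2020-04-01T10:00:05 203.0.113.9 erin FAIL
2020-04-01T10:00:06 203.0.113.9 frank FAIL
2020-04-01T10:03:00 198.51.100.7 grace FAIL
2020-04-01T10:03:20 198.51.100.7 grace FAIL
2020-04-01T10:03:45 198.51.100.7 grace OK
"""

def parse_log(text):
    """Parse one event per line into (timestamp, ip, username, succeeded)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5, min_fail_rate=0.7):
    """Flag each IP whose failed logins within a sliding `window` hit at least
    `min_accounts` distinct usernames with a failure rate >= `min_fail_rate`.
    Returns {ip: stats}; stats include which accounts the IP logged into, so
    those customers can be asked to reset their passwords."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # keep span <= window
                start += 1
            span = evs[start:end + 1]
            fails = {u for _, u, ok in span if not ok}
            fail_count = sum(1 for _, _, ok in span if not ok)
            if len(fails) >= min_accounts and fail_count / len(span) >= min_fail_rate:
                flagged[ip] = {"attempts": len(span), "failed": fail_count,
                               "accounts_targeted": len(fails),
                               "succeeded_accounts": sorted(u for _, u, ok in span if ok)}
    return flagged
```

Tune `min_accounts` and `window` to your own login volumes; the flagged IPs feed rate limiting or a step-up to multi-factor authentication rather than an outright block, since shared addresses (carrier NAT, corporate proxies) can look similar.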

Different age groups are at greater risk

The age of your customers may affect how at risk they are of security compromises. Older customers may not have a complete understanding of how to use security tools and multi-factor authentication, so it’s worth considering how you could offer them additional support. This age group also often uses older banking methods and is more likely to default to cash rather than cashless options, which puts them at greater risk of compromise because they are often unaccustomed to new payment methods and ecommerce.

Younger customers are often more tech-savvy but cannot always obtain credit, so they rely more on payment methods such as Visa Debit, PayPal and Mastercard Debit. This generational group is, however, more susceptible to social media-based phishing attacks. It’s important to note:

  • over 5 percent of phishing attacks are associated with social media[8]
  • Facebook is related to 18 percent of all phishing attempts[9]
  • human error is responsible for 95 percent of cyber incidents.[10]

As retail businesses start to navigate through the immediate impacts of coronavirus and towards the new normal, these security risks will need to be understood and planned for.


If you have any questions regarding the content of this article and would like to speak to someone from our team, please contact us.