There is no one type of cyber criminal, just like there is no one kind of thief. Hacktivists tend to aspire to damage the reputations of organizations with which they personally disagree. State-sponsored hackers hunt for national security intelligence, insider information, and trade secrets. Malicious insiders — whether they’re commercial spies or simply disgruntled employees — steal, broadcast and sell employer secrets to disadvantage the business, make money, and empower competitors. Economically motivated hackers are a varied group in themselves: they look at companies and see a wealth of financially valuable data of all kinds. The motivations of cyber thieves span political activism, anger, geopolitical loyalties, and greed.
It’s just that — greed — that attracts cyber criminals to retailers. The nature of your business puts dollar signs in their eyes. No matter if you sell groceries or luxury goods, you’re unfortunately appealing prey, and this is unlikely to change. Your business is dependent upon processing a tremendous volume of personally identifiable information and payment card information. To hackers, it’s pure gold.
So who are the hackers that target you? What do they want and how do they go about getting it? While there is no single identifying mark that law enforcement officials, investigators, and retailers can use to recognize a retail-focused hacker from afar, they do share a handful of common characteristics.
First and foremost, they are after a specific target: payment card information. But this isn’t because they plan to go on a shopping spree with the card numbers they exfiltrate. Rather, they want to sell the numbers on the black market. A single payment card number is more valuable than any nugget of personally identifiable information, because a credit card number can be more easily converted into money. Using a social security number for financial gain is a multi-step operation that takes some know-how and more time.
They’re also opportunists. If a payment card hacker lands on a treasure trove of social security numbers and other types of personally identifiable information, they’ll try to sell that, too. And, if they happen upon a file revealing upcoming plans for a new collaboration with a fashion designer or a major merger with another brand, they’ll do their best to make money on that. They grab what they can when inside a retailer’s network and attempt to profit as much as possible from it. Why not? To them, it’s all free money.
These attackers are also very nimble. In the years I’ve been studying them, I’ve watched these hackers evolve at a pace just ahead of the security technology meant to stop them. To demonstrate, a few years back, hackers would “sniff” credit card data traffic from unprotected retailer networks. Soon retailers got wise to this tactic and started encrypting the tunnels through which this data was being transmitted. But the hackers were only stymied temporarily. Soon they hopped over to attack point-of-sale machines and steal credit card numbers from memory. If they hit a closed door, it’s only a matter of time until they find a new one to push open.
Chip and PIN cards may be the current so-called “gold” standard of security technology in the retail environment — they not only provide encryption of the cardholder data, but also require a second layer of authentication, the PIN, to enact a transaction. But they’re not a silver bullet. The problem is there is no silver bullet. When retailers invest in new security technology, if history is any indicator, hackers will respond to it innovatively and find a technique to get around it.
Geographically, retailer hackers have been known to live locally as well as on the other side of the world. It takes proximity, for example, to insert skimming hardware onto a POS machine. But the most sophisticated attacks, where intricate malware is inserted into a company’s internal corporate network, often hail from Eastern Europe or Russia.
But even the most advanced hackers still break in by the simplest means. Spearphishing, for example, is still a tactic of choice. Why? Because it still works, and it still works well. In a spearphishing attack, an email appears to be from a friend or colleague, but isn’t. It contains malware that’s unleashed when the recipient mistakenly clicks on a link contained in the message. Other times, if a retailer’s own network appears too hard to penetrate, the hackers will find the weakest link in its stable of third-party vendors that have access to the system and enter that way.
Greedy, opportunistic, nimble, omnipresent, patient, well-resourced and organized. All of these attributes aptly describe the adversary. The hackers that attack retailers need an organized network of buyers and middlemen to carry out and profit from their attacks. This means stopping these attacks isn’t as easy as apprehending single individuals. It’s a matter of a system vs. a system, your network of security vs. their network of illicit activity.
The fact is, there is no way to stop them entirely, but you can deter them, detect them, and mitigate your losses. To do so, your security system must be on 24/7 across the company. It must include everyone from the sales associates to the CEO. Any employee with a business-owned connected device, desktop or mobile, should have restricted network credentials and be prohibited from using social networking and downloading apps; these are easy ways in for hackers. Think about technological solutions as only part of the solution — they’re not foolproof and can make you over-reliant on software. Hunt for weaknesses across your computer network, physical environment, and third-party vendors. Talk to outside experts who study these groups about the threats they’re seeing at other companies so you know what to look for. Most importantly, keep doing this again and again. Never stop. Never sit back, relax, and feel satisfied that you’re secure enough. Because it will be in that moment that you are your most vulnerable — and you can count on the hackers knowing it.
Erin Nealy Cox is executive managing director with Stroz Friedberg, a global investigations, intelligence and risk management firm. To learn more go to http://www.strozfriedberg.com/.