i3 - September/October 2016 - 27

TAKING IT HOME

RETAIL VULNERABILITIES

Hexis Cyber Solutions, Inc., a Maryland and Silicon Valley cybersecurity technology provider, lists eight situations that put retailers in danger of cyber attacks. Most of them are inherent in normal retail operations.

1. ANTIQUATED TECHNOLOGY: Aging information technology systems pose several problems to retailers, especially for dealers with multiple locations where physical hardware has been updated via a mash-up of new and old devices. These set-ups often leave openings for malicious intrusions.

2. BRING YOUR OWN DEVICE (BYOD) INFECTION: By allowing store managers or staff to access a system via non-corporate devices, retailers enable unprotected wireless devices into their networks. It's convenient, but it raises dangers from malware as well as abuse by untrustworthy employees.

3. QUICK RESPONSE CODES: The QR codes used for inventory tracking and other management purposes can be manipulated by hackers, who use the codes as a door into a retailer's network.

4. "TAP-TO-PAY" OR "MOBILE WALLETS" (USING NEAR FIELD COMMUNICATIONS OR NFC): By allowing smartphone payments, retailers enable open access to the system, making it possible to inject a virus into a retailer's network if a customer's phone has been hacked.

5. POINT-OF-SALE ACCESS: Many POS terminals can be easily hacked, although end-to-end encryption for credit card transactions can minimize the risk.

6. BEACON TRACKING: Beacons that track customers' movements through a store to gather behavioral analytics also offer another route for hackers to access the store's network.

7. HACKER CUSTOMERS: Malicious customers can access a retailer's network via a USB device or Ethernet to copy and siphon data.

8. MULTICHANNEL RETAILING: By offering brick-and-mortar, e-commerce and catalog sales, retailers create more opportunities for hackers to tap into the system since customer data is spread across multiple sites.

HEXIS CYBER SOLUTIONS recommends that retailers conduct
"complete 360 [examinations] of networks and endpoints," verify
threats that must be handled immediately and establish "policies
and tools to ensure quick, continuous response" to cyber-attacks.

The extensive research about retail cybersecurity issues does not focus on consumer electronics or technology dealers specifically, although the studies acknowledge that these categories of products are particularly vulnerable to invasions. For example, technology dealers often sell connected devices that open more opportunities for cybercriminals to reach into customers' lives. Whether it's ransomware tapping into smart TVs (for a shakedown until a customer pays for access to his own device) or smart home devices (such as door locks or utility meters with accompanying credit information), cybercriminals are prowling for ways to attack digital customers. Wearables and health monitoring devices also offer gateways into a cornucopia of personal information, such as medical records, movement patterns (such as time away from home or travel routes) and other data that is useful to evil-doers.

The problem is becoming so rampant that the Federal Trade Commission (FTC) is seeking explanations of how "ransomware extortionists gain access to consumer and business computers" and what companies should be doing "to reduce the risk of ransomware or to decrease its impact." An even more fundamental issue on the FTC's agenda is if your digital files can be lost forever, whether or not you pay the ransom.

"Cybersecurity vulnerabilities are already present within the connected home and could potentially impact further market penetration of connected home products and solutions," according to Cybersecurity and the Connected Home, a new report from the Continental Automated Buildings Association (CABA) and its Connected Home Council (CHC).

CABA members who supported the research (including CTA and the Custom Electronic Design & Installation Association plus major vendors) sought to identify the impact of "consumer skepticism and perceived risks." More significantly the study's goal was "to understand the implications of this disruptive trend on their end customers, their value proposition, and, ultimately, their businesses," according to the report.

"Designing for security is important to achieving cybersecurity compliance and avoiding costly consequences. Therefore, connected home vendors and service providers should start by creating products that are secure by design and default. Privacy also should be fully incorporated at the early stages. However, products and services will only be as secure as that of partners that they are working in conjunction with," the report concludes.

CTA has two Working Groups - "Residential Network Administration" and "Home Networking Security and Privacy" - which are seeking to establish guidelines and best practices for these categories, says Mike Bergman, CTA's senior director of Technology & Standards.

Such relationships are at the core of the defensive barriers and strategies that Deloitte's Mantha urges. Citing the digital identity challenges in the Internet of Things environment, he emphasizes the need to link every element from the consumer through the retailer to the back-end system via a strong "trust chain."