How to protect your store and your customers from hackers
By Phill Feltham
Jewellery companies across Canada—and the world—are targets of cyber attacks. Consequently, many companies in the trade are spending money on resources to take steps to protect their brand and their customers. Some companies, such as Pandora Jewelry, are mitigating damage from previous cyber attacks.
In December 2015, scammers sent out phony emails, disguised as a fictitious jewellery reseller, advertising Pandora products in an attempt to steal credit card and financial information from businesses and consumers.
“The e-mail appears to be from a fictitious jewellery reseller advertising a Pandora Jewelry sale,” explains Comodo Antispam Labs (CASL), in a blog.
“Pandora Jewelry typically allows its official resellers to promote the sale of their products via their own store websites and through e-mail promotions, which is why this phishing email can be so dangerous to unsuspecting victims.”
David Greenham, the senior manager of the Richter Advisory Group in Toronto, says that scammers were targeting consumers, not the jewellery retailer.
“Unfortunately, there was little that the jeweller could do, since it was a fraudulent website that was set up to appear to be selling Pandora jewellery.”
Phishing
The Pandora Jewelry scam is classified as phishing: an attack that uses fraudulent emails and websites to lure businesses or consumers attempting an online purchase into disclosing credit card and financial information.
Fatih Orhan, director of technology for Comodo and the Comodo Antispam Labs, says that phishing emails are one of the biggest threats for technology users because scammers abuse the trust built between consumers, businesses and brands.
Greenham says that jewellers can protect their customers and their reputation by placing a notice on their website that informs users that legitimate offers from their company would only come from a certain link (for example, the jeweller’s website).
Ransomware
Greenham says the main risks that impact jewellery retailers are credit card fraud and ransomware.
“The cyberattacks that are of concern to jewellers are the same as they would be for most other retailers. The attacks are typically driven by monetary gain, and thus the attacks are aimed at credit card data and extorting payments through ransomware.”
Ransomware attacks are anticipated to be among the top cybersecurity threats of 2016. Greenham defines a ransomware attack as “a type of malicious software that prevents or limits users from accessing their system, often by encrypting files on the system,” which, consequently, could cripple a jeweller’s inventory management system. The attack usually infects the victim’s PC when the user visits a malicious or compromised website.
“This type of malware forces its victims to pay a ransom through certain online payment methods in order to be granted access to their systems, or to get their data back,” says Greenham. “Depending on the sophistication of the attack, the software may also search out other vulnerable computers on the network to install itself on.”
Oftentimes, malicious software gains access to company computers via a phony link or attachment sent in a phishing email. “Attackers commonly try to disguise malicious software as an invoice or other business document,” says Greenham. “Be careful of attachments that have an unexpected file extension (such as ‘exe’). If the jewellery retailer has valuable customer information (for example, related to financing or payment plans), the data may also be targeted by attackers intent on performing identity theft.”
David Greenham adds that employee awareness is key for attacks such as phishing, ransomware and other malware delivered through malicious email attachments or website links. “The goal is to ensure that employees do not open email attachments from unknown sources.”
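The attachment advice above (an “invoice” carrying an unexpected executable extension) can be turned into a simple mail-gateway check. The following is an added example, not code from the article or from any of the firms quoted; the message it scans is constructed inline, and the extension lists are assumptions a defender would tune for their own environment.

```python
from __future__ import annotations
import email
from email import policy
from email.message import EmailMessage

# Extensions that should never arrive as an "invoice" from an unknown sender (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "bat", "cmd", "com", "js", "vbs", "ps1", "msi", "hta", "jar"}
# Document-like extensions attackers place in front of an executable one ("invoice.pdf.exe").
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_attachment(filename: str) -> list[str]:
    """Return the reasons an attachment name looks like a disguised executable (empty if none)."""
    reasons: list[str] = []
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return reasons  # no extension at all; nothing to judge by name
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension '.{ext}'")
    # Double extension: a document-looking name immediately before an executable extension.
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append(f"double extension '.{parts[-2]}.{ext}' disguises an executable as a document")
    return reasons


def suspicious_attachments(raw_message: str) -> dict[str, list[str]]:
    """Parse a raw RFC 822 message and map each risky attachment name to its findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = classify_attachment(name)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample() -> str:
    """Construct a sample 'invoice' message for this example (constructed data, not a real phish)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "store@example.invalid"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    # Placeholder bytes stand in for file contents; only the names matter to this check.
    msg.add_attachment(b"MZ-placeholder", maintype="application", subtype="octet-stream",
                       filename="Invoice_4471.pdf.exe")
    msg.add_attachment(b"%PDF-placeholder", maintype="application", subtype="pdf",
                       filename="statement.pdf")
    return msg.as_string()
```

In a real gateway the flagged message would be quarantined and the finding logged for the security team, rather than merely returned.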
Credit Card Fraud
“Cybersecurity threats impact jewellery retailers in much the same way as other retailers,” says Greenham. “However, given the luxury nature of these products, the clientele of jewellery and watch retailers could have higher credit limits on their credit cards, which could be more enticing to fraudsters. Similarly, hackers could target jewellery retailers with ransomware because of their perceived ‘deep pockets.’”
Darace Rose, a cybersecurity expert with GMJ Consulting, a cybersecurity firm, says that some companies have been devastated to the point where business had to discontinue due to fines and costs associated with paying for a breach.
“Credit card companies pass all costs associated with credit card fraud back to the retailer,” says Rose. “That means if a credit card was used to buy a $5,000 television, that loss is coming back to the retailer where the breach occurred.”
Besides large fines from credit card companies, a breach of sensitive information can have a monumental impact on the retailer’s reputation. Retailers could suffer a drop in sales because customers lose trust in them, and these losses can mount quickly.
“Also, retailers can be hit with a large cost to hire and work with computer forensic firms to diagnose how hackers infiltrated their system, how to plug that hole and to find out what information was accessed,” says Rose. “If the hole is not plugged with a defense in-depth strategy, the hackers will continually return.”
Posture
Rose says retailers should pay extra attention to their cybersecurity posture and ensure they have the right controls in place to protect themselves from the continuous stream of breach attempts they may experience.
“Don’t put your head in the sand and pretend the problem doesn’t exist,” he says. “The threat is real and without taking the correct steps, retailers will find themselves in difficult situations that can be avoided.”
The Proactive Jeweller
Raymond Vankrimpen, a partner at Richter Advisory Group Inc. in Toronto, citing Verizon’s 2015 Data Breach Investigations Report, says that 88 per cent of existing cyberattacks impacting retailers fall into three attack patterns: denial of service (DoS), point-of-sale intrusions, and the previously discussed crimeware. Vankrimpen recommends the following solutions for denial of service and POS attacks.
Denial of Service
Botnets are used to compromise network and system availability. Hacktivists (hacker-activists) attack to make a point. Organized crime groups attack companies to extort ransom or to cover their tracks during other intrusion attempts.
Since many denial-of-service attacks exploit operating-system vulnerabilities, patch servers promptly. Deploy or subscribe to an anti-DoS service.
Additionally, deploy a defense-in-depth architecture, which segregates servers behind firewalls on different network segments. Servers holding critical data then sit deep within the network, protected by multiple firewalls.
Point-of-Sale Intrusions
Cyberattackers penetrate systems remotely to obtain credit card and customer information, which can be used for false transactions or identity theft.
Restrict remote access by tightly controlling who can reach POS systems (for example, third-party service companies). This includes training staff to identify questionable attempts to access in-store POS systems.
In addition, change the default settings on wireless networks, touch terminals, desktop servers, card readers and signature-capture devices—anything that connects to or services the POS system. Also, prohibit employees from browsing the Internet on POS systems.
Greenham adds, “Merchants can protect their POS systems and devices from tampering by regularly inspecting the devices for signs of tampering or substitution, such as broken seals, extra cables or wires attached to the card readers.”
Other Security Solutions
Awareness, Greenham says, is the best defense to prevent the introduction of malicious software. “The human element is the weakest link, so it is important to educate employees to be extra-vigilant about the risks of email-borne attacks.”
Retailers, Rose says, can employ skilled computer security staff, who are becoming harder to find because they are in such high demand.
“The first step we undertake with any new client is to provide an assessment of the current landscape similar to a lay-of-the-land,” he says. “We will then build a strategy and work towards it.”
“Once this process is complete, a long-term program is required that has the right staff watching out for signs of security events and incidents on an hourly and daily basis,” continues Rose. “This is the only way to achieve security within your environment and to remain secure.”
Greenham adds that a defense in-depth approach could be taken to ensure that a back door is not opened through the introduction of malicious software. “Solutions such as antivirus/anti-malware, anti-spam, host-based intrusion detection systems (IDS) can help in this regard.”
Not all retailers can afford expensive in-house cybersecurity solutions. In this case, Vankrimpen recommends using the services of a managed security service provider (MSSP). MSSPs work with multiple clients and maintain a strong contingent of qualified and experienced security experts. This is beneficial, Vankrimpen says, because information shared across multiple clients can help to identify patterns of attack, allowing defensive cybersecurity teams to stop attacks before they propagate further.
“Cybersecurity is not a set-and-forget proposition,” adds Rose. “It takes continual effort and retailers cannot afford to neglect this aspect of their computer operations.”