I was shopping with my daughter the other night for indoor soccer socks at a major sporting goods retailer here in Massachusetts. As we rolled up to the register with bright pink and purple options, I noticed something at checkout - the retailer was not ready for chip and pin credit cards.
As I swiped my chip and pin credit card, I got to thinking...there are cyber risks everywhere, during every transaction, before and after every transaction, at any store, any company, coffee shop, airplane, airport, organization you visit...but back to the example here.
We've all heard it this time of year - you better get ready for Black Friday. In my opinion, one of the worst days to go shopping in general, especially on a turkey hangover, on a day off from work. I won't ever understand why this is a tradition, but it's a tradition retailers bank on every year to entice buyers to buy large quantities of presents for the holidays.
There's also Cyber Monday too, a trumped-up date by e-tailers that tries to be way cooler than Black Friday by offering all sorts of deals for online shopping. However, this has become a haven for cyber theft as consumers plop down credit cards for holiday gifts en masse, only to have their credentials stolen. It happens every year.
The retail industry might have a number of problems when it comes to securing transactions and to securing customer data, evidenced by the multitude of data breaches we've read about over the years. That is nothing new.
And the industry has taken many steps toward better securing their infrastructure - in fact, knowing security folks at some of the large retailers, many of them based in the Midwest U.S., they are actually leading the charge in collaborative efforts to share information on threats and potential viruses they might face based on experience. It's actually what every industry should start doing.
First, a few key statistics you might want to chew on:
- Retailers watched as attackers exploited over 61M records in 2014, a 43% increase from the prior year.
- Of the retail breaches last year, brute force attacks and stolen credit card credentials comprised 91% of attacks at POS terminals.
So far in 2015, and this could be good news, Privacy Rights Clearinghouse has only tracked retail data breaches with small or unknown numbers of records compromised. But the year isn't over, and I'm convinced there are still many retailers who haven't fully implemented chip and pin readers - not that it's a magic bullet either. There is still a possible major breach that is likely to occur as the volumes of shoppers hit stores on Friday, November 27, and web sites on Monday, November 30 this year.
OK, so to round this out - the reason I predict we will see a flurry of breach-related activity - it might not be reported immediately either - goes back to my checkout experience at this particular retail location.
I asked the assistant manager at checkout, "I see you actually have chip and pin credit card readers, why aren't they set up to take payments?" He answered me, saying "We have had those in place for about nine months now. We just still use the swipe method." Which does nothing from a security standpoint, and renders the chip and pin pretty much useless.
So I replied, "You must be gearing up to have them functional for the holiday season, probably starting Black Friday, right?" To which he replied, "No sir, it's actually been decided that we absolutely DO NOT WANT the chip and pin readers up and running by Black Friday, because management doesn't want to slow down sales."
I replied, "So that means management hasn't been able to train enough IT, security and support folks on how to troubleshoot the chip and pin readers?" "Exactly, because if the store is packed and the reader jams, we'll get backed up and we'll lose customers if they have to wait too long."
So there you have it folks - an example of a blatant lack of security prioritization, fraught with peril; instead focused on sales to beat last year's number in the face of a growing threatscape. Unfortunately, I think that this specific retailer is alone, so stay tuned to see where the industry lands as of December 1, to see if the breach trend continues upward.