Retail in Asia

Taking Stock: Is your retail system secure?

Are you exposed to information security risks? What types of data in your system are targeted by attackers? How can security compromises be prevented?

When it comes to combating cyber attacks, it’s all about security control. Cybersecurity consultancy Trustwave in February published its Trustwave 2012 Global Security Report, which revealed the latest security issues and trends, attack methods, and findings from the investigations it performed into data breaches at organisations around the world. Retail in Asia recently caught up with Marc Bown, Managing Consultant for Trustwave’s SpiderLabs in the Asia-Pacific region, to find out how data breaches happen and how Asian retailers can protect themselves from cyber attacks.

RIA: What type of data from Asian retailers is targeted by attackers? Why does it become a target?

Marc Bown (MB): Accepting credit and debit cards (payment cards) is core to most retailers. This payment card data is the most attractive target for fraudsters.

Payment card data is the target of choice for fraudsters because it can be easily and anonymously monetised. There are well-established markets for stolen card information and the risk of being apprehended is comparatively low.

RIA: What information security risks are facing the retail industry nowadays?

MB: In securing this payment card information – as well as other forms of private information in their networks – retailers have to contend with the facts that they often have many physical locations that need to be secured and their workforces are not necessarily technology-savvy.

These two realities often mean that the systems in their remote locations are not maintained as well as they should be, while their remote staff do not know how to recognise the signs of compromise.

Unless a concerted effort has been made by the retail organisation to identify and secure sensitive data, these systems may suffer from security vulnerabilities that make it simple for attackers to gain access to, locate and steal this sensitive data.

Other security risks certainly exist for retailers, including denial-of-service attacks and virus outbreaks affecting system availability. However, in our experience, we have found that cardholder data theft is the most damaging.

RIA: Can you give us some examples about how attacks happen?

MB: The continuous availability of point-of-sale systems is one of the largest concerns for retailers. If the point-of-sale system is not working, it is often not possible to process sales. As a result, it is not uncommon for retailers to enable remote access to each of their retail locations, so that IT staff can connect and diagnose problems should they occur.

Using remote access, an IT staff member can connect from their desk and "see the desktop" of the computers in the retail location. This means that IT staff can resolve many issues in minutes, whereas in the past these issues may have taken days to resolve because they required a technician to physically visit a site.

This remote access is as useful for an attacker as it is for a legitimate user. An attacker who can maneuver his way into the remote access software will be able to access the same systems and data as the legitimate IT staff.

In most of the attacks that Trustwave reported on in 2011, the attacker was able to guess or brute force the password used to protect the remote access software. Once in, he gathers payment card data in one of two ways. In many older systems, payment card data is inadvertently stored in log files. The attacker simply finds these log files and takes a copy of them. If log files aren’t available, then the attacker often installs malicious software into the retail environment. This malicious software watches for payment card transactions as they are made, and makes a copy of the payment card data as it moves through the point-of-sale system.

These attacks are not technically sophisticated and are possible due to a lack of sufficient security controls around the remote access channels being used for support.

RIA: More than one-third of breached entities in F&B, retail and hospitality were franchised businesses, according to the Trustwave 2012 Global Security Report. Can you explain the reasons?

MB: Most of the franchisees that Trustwave worked with in 2011 considered themselves non-technical. They had vendors install the systems that they needed to run their business, but they had little or no understanding about how this technology operated, or about how it was administered.

While some franchisees had systems that were administered by the franchise management company, it was often the case that the franchisee had sourced an alternate support provider. Sometimes this decision was driven by cost and other times by a desire to leverage a local provider.

However, universally the franchisees trusted their systems maintenance staff to do the right thing. Unfortunately, many of the organisations performing this maintenance had a poor understanding of how to properly secure an environment.

Franchises are attractive targets to attackers because attackers wish to obtain as much data as they can with the smallest amount of effort. An attacker who compromises one franchisee will make the assumption that other franchisees will have similarly configured systems. The attacker will then attempt to locate other franchisees in order to leverage the same attack against them.

RIA: Can you tell us more about your investigations regarding the e-commerce attacks in Asia?

MB: Many people believe that an attacker will first choose a target that they perceive to be of interest and then perform an exhaustive set of attacks against the target in an effort to gain entry. However, the reality is usually the opposite – a target usually becomes a victim, not because it is a company of interest, but because it has a security flaw that the attacker was targeting at that time.

Most attackers follow a similar process – they first identify a security flaw that they believe may lead to a large number of potential victims. They then work to develop a fast and efficient tool to leverage the flaw to gain access to victims’ sites. This tooling is then used on as many potential targets as the attacker can locate on the internet.

For most attackers, it’s a game of numbers, where they use automated, cost-effective techniques to search for potential victims and constantly gain access to their systems. Once they have access, they sort through information to find valuable information.

E-commerce sites are especially at risk through this approach. Attackers use search engines and other automated techniques to find potential security flaws they have the ability to leverage. Although many Asian e-commerce merchants are comparatively smaller than their overseas peers, this does not preclude them from becoming a target of interest to an attacker who can work in a cost-effective way by leveraging automated tools.

RIA: How can Asian retailers protect themselves from cyber attacks?

MB: Our experience shows that the majority of security compromises are completely preventable. Worse, most compromises are not technologically advanced, and rely on a simple failure of some basic security control.

In particular, ensuring that the following security controls are in place will help Asian retailers avoid compromise:

  • Password controls. It sounds simple, but many of the attacks that we witness relate to the use of a poor password to protect a sensitive asset. Ensure that passwords are long, that they are unique (i.e. not shared between sites or users), and that they are changed on a regular basis. If possible, augment internet-facing password controls with a second factor of authentication (e.g. a token code, certificate or biometric).
  • Remote access. Remote access is a business requirement for most organisations – especially in situations where an organisation has multiple or remote sites and where support staff need to be able to assist remotely. Ensure that a contemporary and secured remote access solution is being used, that password controls are appropriate and that the remote access solution is kept up to date.
  • Patch management. Missing patches make an attacker’s job easy. In many cases, attackers need only search the internet for pre-made tools that attack flaws relating to missing patches. This is especially important for satellite plants and offices where there may not be local IT staff to supervise patching.
  • Application security. Most organisations will have some type of application that has been developed specifically for them. It may be a web-based ordering platform for wholesalers, a point-of-sale system or something else. If a system has only a small number of end users, there is a significant chance that it has not been tested for security. Our experience is that if an application has not been tested for security flaws, it will have security flaws. Attackers have automated methods for identifying these applications and the security flaws contained within them.
  • Malware controls. Many of the compromises that we reviewed involved the attacker using malware of one form or another. Comprehensive malware controls are an important part of an organisation’s defense strategy. Though they are far from foolproof, and need to be used with other controls, they are still important to have.
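The password and remote access controls above are the preventive side; the detective side is noticing when a remote access password is being guessed, which is how most of the 2011 cases described earlier began. The following is an added example (not from the interview or from Trustwave) of that detection logic run over authentication log lines: it flags a burst of failures from one source inside a sliding window, and separately flags a successful login from a source that has just produced such a burst, since that is the case that needs an incident response rather than just a block. The log format, the IP addresses (documentation ranges) and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example (not any real remote-access product's):
#   <ISO timestamp> <OK|FAIL> user=<name> src=<ip>


def parse_line(line):
    ts, result, user, src = line.split(" ", 3)
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            result, user.split("=", 1)[1], src.split("=", 1)[1])


def detect_guessing(lines, threshold=5, window=timedelta(minutes=10)):
    """Return alerts as (src_ip, kind, user).

    'burst'                  - at least `threshold` failures from one source within `window`
    'success_after_failures' - a successful login from a source that just produced a burst
    """
    recent_failures = defaultdict(deque)   # src -> timestamps of failures inside the window
    alerts, burst_reported = [], set()
    for line in lines:
        ts, result, user, src = parse_line(line)
        q = recent_failures[src]
        while q and ts - q[0] > window:     # slide the window forward
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold and src not in burst_reported:
                burst_reported.add(src)
                alerts.append((src, "burst", user))
        elif result == "OK" and len(q) >= threshold:
            alerts.append((src, "success_after_failures", user))
    return alerts


# Constructed sample lines. The first source guesses the admin password and
# eventually gets in; the second is a legitimate user mistyping once.
SAMPLE_AUTH_LOG = [
    "2012-02-14T02:00:01 FAIL user=admin src=203.0.113.5",
    "2012-02-14T02:00:03 FAIL user=admin src=203.0.113.5",
    "2012-02-14T02:00:04 FAIL user=admin src=203.0.113.5",
    "2012-02-14T02:00:06 FAIL user=admin src=203.0.113.5",
    "2012-02-14T02:00:07 FAIL user=admin src=203.0.113.5",
    "2012-02-14T02:00:09 OK user=admin src=203.0.113.5",
    "2012-02-14T09:15:00 FAIL user=jlee src=192.0.2.10",
    "2012-02-14T09:15:20 OK user=jlee src=192.0.2.10",
]

if __name__ == "__main__":
    for src, kind, user in detect_guessing(SAMPLE_AUTH_LOG):
        print(f"{kind}: src={src} user={user}")
```

The threshold and window are deliberately loose so that a single mistyped password from a store does not page anyone; tune them to the real login volume of the remote access gateway.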


Marc Bown is the SpiderLabs Managing Consultant for Trustwave in the Asia-Pacific region. Trustwave’s SpiderLabs team is responsible for the delivery of Penetration Testing, Application Security and Incident Response Services. Marc’s experience in both incident response and penetration testing gives him a unique, hands-on insight into the methods being used by cybercriminals to compromise computer systems and to steal the valuable data contained within these systems.

To download the Trustwave 2012 Global Security Report, click on the PDF attachment.

Taking Stock is Retail in Asia’s fortnightly column dedicated to showcasing opinions from experts in the retail industry.