By Aimee Chanthadavong
Retailers are growing on the radar of cybercriminals as they increase their presence online and on mobile devices, according to the latest report by Trustwave.
The 2013 Trustwave Global Security report found that for the first time the retail industry made up 45 per cent of Trustwave’s data breach investigations – a 15 per cent increase from 2011. This was mainly driven by e-commerce attacks, which emerged as a growing trend and surpassed the number of point-of-sale attacks.
Marc Brown, Trustwave SpiderLabs APAC managing consultant, said most of the attacks against retailers were surprisingly simple.
“They used tried and tested techniques and didn't rely on any new or sophisticated attack vector. This seems counterintuitive, but the simple fact is that these old techniques continue to work, so the attackers have not needed to innovate,” he said.
“To stay ahead of current attackers, retailers should first focus on getting their security fundamentals right.”
Additionally, the report found that 50 per cent of business users are still using easily guessed passwords, the most common being “Password1” because it often meets the minimum standard for acceptable passwords.
Brown suggests three simple measures to keep attackers out: using strong passwords, keeping web applications patched and up to date, and performing regular security testing.
“It’s also very important for retailers to make use of service providers that are trustworthy. Almost all of the online retailers we worked with last year had outsourced their online presence to a third party on the assumption that the third party understood and was actively working on security for their site,” he said.
“In most cases the retailer found that not only did their service provider not understand security, but they had waived any liability for security issues in their contract.”
The research also found that mobile malware increased 400 per cent, with malware found on Android devices growing from 50,000 to more than 200,000 samples.
“There is no doubt that mobile application security is a rapidly evolving space. Consumers do tend to place a high level of trust in their smart phones and tablets. The customer perception is that these devices are not susceptible to the same issues as a desktop or laptop PC,” Brown said.
“The reality is that attackers are moving into the mobile space, and that we will see compromises here in the future. The information security industry is placing a lot of focus on this though, and hopefully the attention that our industry places on this will be met with corresponding effort on the part of the manufacturers of mobile devices.
“Retailers moving into the mobile space should consider the mobile device as just another computer system with all of the same security risks. No assumptions about the ‘trustworthiness’ of mobile devices should be made during the development of mobile-enabled sales tools.”