The birth of e-commerce dates to August 11, 1994 — the date when what was likely the first secure transaction over the World Wide Web occurred in Nashua, N.H.
Someone purchased Sting’s Ten Summoner’s Tales CD from Noteworthy Music’s website.
While this transaction wasn't scalable, it used Pretty Good Privacy (PGP) encryption and demonstrated that the Internet was open for business. It would take several years before a critical mass of sales was reached, but the doors of e-commerce were officially open.
What About Security?
Fast forward to today, and it's clear e-commerce is here. Online US retail sales exceeded $263 billion in 2013 and are expected to exceed $300 billion this year.
While the security of transactions and payment databases is a significant online concern, the offline world faces the same problem. Brick and mortar retailers have struggled to maintain the privacy of their customers’ information over the last year, not always successfully.
There have been numerous security breaches reported among well-recognized retailers like Target, Neiman Marcus, Michael’s, Home Depot, Kmart, Dairy Queen and Staples. In these cases, the data breaches happened through the point-of-sale (PoS) systems inside physical stores.
The flurry of problems kicked off with Target last holiday season when cybercriminals stole data on up to 70 million individuals. They have continued all year, with several — Dairy Queen, Kmart and Staples — all in the past month.
The emerging consensus is that these breaches are being caused by one variation or another of the Backoff PoS malware. The US Computer Emergency Readiness Team issued an alert about it in late July and a second, as a Homeland Security advisory, less than a month later.
Don't Ignore the Problem
As the alert makes clear, at least seven PoS vendors know their systems can be penetrated with this malware. And that should have sent a loud warning through the offices of every retailer, large and small. By now, each retailer should have done several things:
- Contacted its PoS provider to find out exactly how it is responding to Backoff and other malware.
- Turned to its own IT department to determine which of the remote desktop systems — Apple Remote Desktop, Chrome Remote Desktop, LogMeIn, Microsoft Remote Desktop and Splashtop — it is using.
- Contacted each remote desktop vendor to determine what steps are being taken to thwart malware.
- Contacted its anti-virus and network security firm(s) to get their perspective on the management and prevention of intrusions.
While these are the basics, there’s much more for retailers to do to actively manage Backoff, its variations and other malware.
This bears repeating, because retailers are clearly still experiencing breaches, and that is likely to have an adverse impact on the holiday shopping season. According to a recent CreditCards.com survey of 865 adults with credit and/or debit cards, conducted in early October:
- 45 percent of respondents with credit or debit cards said they would definitely or probably avoid one of their regular stores over the holidays if that retailer had experienced a data breach
- 29 percent said they probably would not shop at such stores and 16 percent said they definitely would not return to a retailer if the store had been hacked
- Only 12.5 percent said they are more likely to shop with credit cards this season
The bigger question to be asked here is this: If retailers can’t keep the systems they have run for decades free from malware and protect their customers’ personal information, how are consumers supposed to trust them?
What Lies Ahead
If cybercriminals are one step ahead of 98 percent of retailers and are actively targeting systems that offer the greatest reward — physical stores, where the majority of sales still occur — then what happens next? What happens when they turn their attention to e-commerce and mobile commerce?
This new world of retail requires companies to be far more technology-centric and intelligent than they have been in the past.
While the warning flares have been going off for several years now, the rash of episodes this year should make 2014 the year brick and mortar retailers finally get the message.
While I am not optimistic that the number of breaches will decline anytime soon, at least the National Retail Federation is moving forward with its creation of the Retail Cyber Intelligence Sharing Center (R-CISC), to help retailers more effectively manage security issues.