In the past several years, retail data breaches have become so commonplace that they’re hardly news anymore. From Target to TJ Maxx to Vera Bradley, nearly everyone has been affected by retail fraud and data breaches at this point.
As we buy our way through this season of gift-giving, we took a look at the retail industry’s current state of security based on the hundreds of thousands of authentications each week that Duo protects for our retail clients.
Our findings address all devices that employees use to log into applications using Duo’s two-factor authentication service, whether it’s point-of-sale systems or corporate laptops/workstations. There’s good news and bad news:
Mobile Devices
Retail industry mobile platform usage is nearly identical to the average usage that we see: 67% iOS and 32% Android. Only 8% of Android users are on Nexus devices and thus receive prompt monthly security updates from Google. The other 92% are at the mercy of their manufacturers and carriers to get updates of any type.
Web Browsers
Retail users access corporate resources with mobile browsers much more than average (Mobile Safari 56% more and Chrome Mobile 69% more than the average for each browser respectively). Phishing is much harder to detect while on a mobile device due to difficulty in inspecting link URLs. Often, the easiest way is to click the link, which is exactly what you don’t want users to do. Once in a web browser on a phone or small tablet, there isn’t much room to display the URL. Having the URL either be truncated or in small text makes it less likely that users will notice an unusual URL, at which point a sufficient well-made phishing site will trick even the most conscientious user.
Operating Systems
In terms of operating systems, retail is positioned a bit safer: 54% are still running Windows — compared to 65% on average.That 9% difference is distributed primarily to OS X/macOS and ChromeOS, which has 2% of the overall retail operating system share, compared to an average of 0.36%. Duo Labs is always a strong proponent for ChromeOS when all the user needs to do their job is a web browser (or Android apps, with the recent addition of the Play Store to ChromeOS).
Two-Factor Authentication Methods
More retail users authenticate with Duo Push (57% vs. 44% for the rest) and one-time passcodes (from a token or the Duo Mobile app) (35% vs 24%) at the welcome expense of phone calls (4% vs. 10%) and SMS passcodes (2.9% vs. 3.4%).
While SMS or phone calls are better than no two-factor authentication at all (and sometimes are the only option), there are known vulnerabilities in this model. Over the past year, we’ve seen a decline in overall SMS usage but not in phone-call-based authentication, and effectively no change in SMS after NIST’s call to stop using SMS. Duo Push and one-time passcodes provide stronger guarantees, so it is very encouraging to see higher adoption in retail.
Security Tips for the Retail Industry
Overall, and this may come as a surprise to you, security is not yet a solved problem. The retail industry is a particularly attractive target, and retail organizations need to take proactive measures to protect against security risks.
- Invest in phishing assessment and training, due to the increased difficulty in detecting phishing while on mobile and the seemingly more heavily email-based workflow (as suggested by the AppleMail stat). Duo offers a free phishing tool, Duo Insight, which we recommend, but we’re also biased.
- Ensure you deploy a comprehensive two-factor authentication solution, as required by PCI DSS 8.3. Duo both provides and encourages use of a broader Trusted Access solution to address security concerns such as out-of-date devices, vulnerable operating systems, and dangerous browser plugins.
- Embrace Apple Pay. Yes, this breaks the ability to track consumers by credit card number, but clearly, storing consumer card numbers has led to the huge impact of the monthly (if not weekly) breaches of retailers. Opt-in loyalty programs are another way to both use Apple Pay and keep track of customers.
- Similarly, retailers should delete customer data as soon as they no longer need it. See the previous point.
- Gas stations, vending machine operators, and similar type of companies that have remote and unattended terminals need to put stronger checks in place, such as weekly verification that the seals are intact (or actually inspecting for a skimming device).
Security Tips for Consumers
There are a few proactive measures that you can take to lower your risk of becoming a victim of fraud:
- Use contactless payments: Apple Pay and Android Pay use a more advanced communication method that protects your information. Note that Samsung Pay can operate by simulating a magnetic stripe, which only gives you the protections of a magnetic stripe and not this much more secure method.
- Use a credit card with a chip: Chip-skimming equipment is more expensive than magnetic-stripe skimmers. Ideally, your card supports Chip + PIN, rather than Chip + Signature, but few US issuers can/will set you up with a Chip + PIN card.
- Think about where you’re swiping your card. While skimmers can be just about anywhere, remote, unattended locations (gas stations, vending machines) are much easier targets for a non-insider attack.
- Be discreet with your card. If an attacker is behind you in line, a camera phone over your shoulder works fantastically to steal your card number without needing any complicated hardware to be pre-installed.
- Use a credit card instead of a debit card: If your debit card gets skimmed and exploited, the money’s immediately gone, among other downsides. If you use a credit card, there are more protections due to the structure of the system. Note that many debit cards can also be used as, for example, a Visa Check Card, so you don’t even need an actual credit card to take advantage of the consumer protections in the event of fraudulent use.
- Set up notifications for large (if not all) purchases: Most banks/issuers let you do this via push notification, SMS, or email. Catching the first of a series of fraudulent transaction let you deal with the issue immediately, instead of waiting until your issuer’s systems catch the shady behavior. If this option isn’t available, regularly monitor your banking statements and credit.
We all have to spend money (and if you don’t, I’d love to know your secret!), and electronic payment methods make this exceptionally convenient. There’s inherent risk from retailer’s computers, whether point-of-sale, corporate workstations, or servers, and we are, to some extent, at their mercy. The retail industry is far from secure—not that this particular description is unique to retail—but, fortunately, consumers can take some reasonable precautions to require that an attacker use more advanced techniques to compromise their accounts.