What lessons have we learned from last year’s massive cyber-attack on Target, where hackers seized the personal and bank card information of more than 110 million customers? Well, according to Cisco Systems, the global networking and technology giant, the answer is not a lot. Yes, there has been a scramble to come up with some sort of workable solution to the problems posed by hacking, but cyber-criminals have unfortunately moved on. It would appear that hackers remain one step ahead of business enterprises and are now focusing their attention on online transactions, particularly those conducted using smartphones and other mobile devices. Does that mean that the battle against cyber-criminality is already lost? Well, not according to online security experts: what’s important is that businesses and individuals continue to be vigilant and take every possible precaution to ensure that they minimise their vulnerability.
The sheer scale of the cyber-attack on Target forced retailers to reassess their security needs. Because the attack was directed at in-store transactions, security resources were understandably diverted to physical systems like registers and card readers. However, Cisco believes that threats to online transactions are potentially an even greater risk. Currently, mobile malware accounts for only a relatively small number of data breaches: according to Cisco, only 1.2 per cent of all web malware is malicious software targeting mobile devices. However, it argues that these figures are likely to escalate dramatically over the next year or two. Cisco’s researchers wrote in the firm’s latest annual security report:
“Although not a significant percentage, it is still worth noting because mobile malware is clearly an emerging—and logical—area of exploration for malware developers.”
Cisco’s concerns are shared by McAfee. In its Labs Threats report for the fourth quarter of 2013, McAfee highlighted the fact that the number of security threats targeting Google’s Android operating system had nearly tripled – up to 3.7 million between 2012 and 2013.
So should retailers really be worried by this growing online threat? Well, Cisco certainly believes they should. Shoppers have embraced mobile transactions and businesses have done their best to accommodate them by making it easy to buy goods and services via mobile devices. Online shopping is becoming increasingly lucrative: according to IBM Analytics, mobile shopping accounted for 17 per cent of all online sales on Cyber Monday – up by 55.4 per cent from 2012. The problem is that as soon as big companies start paying attention, so do cyber-criminals. Mobile transactions are capable of generating a significant amount of money, but unfortunately mobile security measures are still in the early stages of development and struggle to cope with the increasing threat.
Many security experts believe the problem is exacerbated by consumer vulnerability. Consumers are often unaware when they’re being targeted by malicious apps and malware on their phones. Links are often truncated for small screens, so consumers frequently fail to notice that the address they have been directed to isn’t what it claims to be. On phones, attacks happen because customers actively download a programme that looks legitimate but has hidden features that infiltrate the phone to collect information. This kind of mobile malware is particularly problematic for Android phones; Cisco reported that 99 per cent of the malware it discovered for smartphones in 2013 targeted Google’s mobile operating system. However, other users are not exempt from the threat either: they can be attacked by clicking on errant links in social media or having their information intercepted if they use unsecured WiFi networks to shop.
So how can businesses address this growing threat? Well, according to Cisco, the answer is to educate consumers about mobile security risks and to build stronger mobile security protocols, such as biometric solutions, into store apps and other mobile commerce platforms. Paul Donfried, chief technology officer of the security technology firm LaserLock, told the Washington Post that building secure solutions through voice recognition or fingerprint scanning could help cut down on fraudulent or even accidental purchases, but stressed that it was equally important to ensure that customers are able to verify their identities without having to jump through too many hoops to prove who they are:
“If authentication technology can be simple enough to use and non-invasive, our customers see this as a good thing – because it makes it clear to them that someone’s looking out to protect their identity.”
If you need help understanding your current security posture, please contact Krypsys on 0845 474 3031 for information on security reviews, penetration testing and web security solutions.