DBIR INDUSTRY SNAPSHOT: RETAIL TRADE

A study conducted by the Verizon RISK Team with cooperation from the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting & Information Security Service, Police Central e-Crime Unit, and United States Secret Service.


Verizon’s annual Data Breach Investigations Report (DBIR)[1] analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who’s stealing it, why they’re doing it, how the victims responded, and what might have been done to prevent it. This Industry Snapshot draws information from the DBIR data set, but gives highlights focused exclusively on approximately 330 confirmed data breaches over the last two years within the Retail Trade industry[2].

As with the annual DBIRs, the findings in this Snapshot are arranged using the Vocabulary for Event Recording and Incident Sharing (VERIS)[3] framework and based on breaches investigated by Verizon’s RISK Team or one of our partner organizations, which include the Australian Federal Police, Dutch National High Tech Crime Unit, Irish Reporting and Information Security Service, Police Central e-Crime Unit, and United States Secret Service. Also like the DBIRs, all incidents in this snapshot involved confirmed unauthorized access and exfiltration of non-public information rather than potential exposures and other data-at-risk events.


SUMMARY OF FINDINGS

Every year, the retail industry is plagued with a multitude of data breaches. In fact, for the past two years it has ranked second in percentage of incidents, coming in slightly behind the Accommodation and Food Services industry. The primary reason for this is that both industries share the same basic commonality and driver for breaches: the Point of Sale (POS) systems used to conduct daily business activities.

Obviously, retail would be impossible without these systems, but reliance upon them is also frequently their downfall. Like its cousin industry, the retail vertical is made up largely of small to medium businesses (mostly in the 11 to 100 employee range in our caseload). Companies of this size often lack the in-house resources and/or expertise to manage their own security. Consequently, they either rely on third-party vendors to do it (and those vendors frequently fail to do the job properly) or they simply use equipment “out of the box,” without fully considering the security consequences of doing so.

Unfortunately, this often makes retailers prime targets for financially-motivated criminal groups exploiting weak, guessable, or default credentials via third-party remote access services to POS systems. This type of attack is opportunistic in nature, highly-scalable, can be conducted from a great distance, and presents a low risk for the criminal. But the good news is that by following a few relatively simple security practices, retailers will be in a much better position to avoid falling prey to these attacks.

[1] To learn more about the DBIR series, visit verizon.com/enterprise/dbir.
[2] We use the North American Industry Classification System (NAICS) to classify victim organizations. Descriptions of this and other industry groups can be found at census.gov/cgi-bin/sssd/naics/naicsrch?chart=2012.
[3] For more information on VERIS or any of the classifications used in this report, see veriscommunity.net.


VICTIM DEMOGRAPHICS

The most notable demographic characteristic of the retail victims in this snapshot relates to size. The vast majority of these breaches were relatively simple and perpetrated against smaller retailers representing “soft” targets of opportunity rather than those specifically sought out by the attacker. And though technologically complex attacks do occur in this vertical, they are the exception rather than the rule.

It’s important to note that many of the victims were franchise stores of larger, “parent” retail chains. When franchises are involved in a breach, we often assign the number of employees based on that particular establishment rather than the overall size of the chain. There are several reasons for this, but the primary one is that the franchisee typically owns and operates the establishment independently, with little or no IT and/or security oversight from the parent organization. In that sense, IT resources and operations more closely resemble a smaller business than a large multi-national organization.

Geographic location seems to have little impact on which retail organizations are victimized. With the rise and dominance of the Internet, the world economy has become increasingly reliant upon electronic communication and information. Therefore, it is hardly surprising that data breaches occur worldwide, and it is no different for retail victims in our data set, which hail from all areas of the globe.

THREAT AGENTS

Entities that cause or contribute to an incident are referred to as threat agents. VERIS recognizes three main categories of agents: those originating outside the victim organization (external), those inside the victim organization (internal), and those involving any third party sharing a business relationship with the victim (partner).

For the retail trade vertical, attacks were almost entirely the work of financially-motivated, organized criminal groups acting deliberately and maliciously to steal information. These groups are notorious for knocking over smaller, low-risk targets in droves to nab personal and payment data for various and sundry fraud schemes. Although it can be challenging to determine the true location of external adversaries, it is worth noting that the majority of attacks in this industry originated from Eastern Europe. This is hardly surprising, as many organized cybercriminal groups are known to operate out of that region.

Not to be forgotten, internal agents were active as well, but tied to a much smaller percentage of breaches. These often involve a criminal organization that bribes or coerces sales staff or cashiers to assist in the theft by using a skimming device or installing it on the POS inside the establishment. As this scenario shows, more than one agent can contribute to a breach, which is why the percentages occasionally add up to more than 100.

Table 1. Organizational size (number of employees) by number of breaches in the Retail Trade industry

    Employees            Breaches
    1 to 10                    30
    11 to 100                 264
    101 to 1,000                6
    1,001 to 10,000             4
    10,001 to 25,000            1
    25,001 to 50,000            4
    50,001 to 100,000           4
    Over 100,000                1
    Unknown                    22

Figure 1. Threat agents by percent of breaches in the Retail Trade industry

    External    96%
    Internal     3%
    Partner      1%

THREAT ACTIONS

Threat actions describe what the threat agent did to cause or to contribute to the breach. In a sharp departure from the norm, almost half of the breaches for this vertical involved physical threat actions. This category encompasses deliberate attacks that employ physical actions and/or require proximity. Physical threats have historically been one of the least-prevalent and least-damaging actions within our dataset (though this is not so for all publicly-reported breaches, where stolen devices frequently put data at risk and thus trigger disclosure).

The very high percentage of physical attacks in this vertical is largely due to the installation of gas pump skimming devices by criminal groups. These skimmers, which fall under the “tampering” classification in Table 2, are placed inside the pumps between the card reader and the rest of the POS hardware. When credit or debit cards are entered at the pumps, the magnetic stripe data is “skimmed” as it passes to the POS application, and then stored for retrieval by the criminals who planted the device.

The lack of a gas station shouldn’t put other types of retailers at ease. Retailers of any sort almost certainly will have a POS system, and these devices are frequently tampered with as well. In many cases, criminals swap legitimate PIN entry devices and POS terminals with counterfeit replacements. These devices are identical in appearance to and designed to continue performing the intended functions of legitimate devices, but are also rigged to capture payment card data. They discreetly collect input from the swipe reader and/or the PIN entry keypad. This can be done with the assistance of an insider recruited for the purpose or, as we have seen in some cases, by individuals masquerading as POS vendors, claiming a need to upgrade systems.

Figure 2. Threat action categories by percent of breaches in the Retail Trade industry

    Hacking     48%
    Physical    48%
    Malware     24%
    Misuse       2%
    Social       2%
    Null         2%
    Error        1%


As illustrated in Figure 2 and Table 2, hacking and malware also loom large in the retail industry, as they do in most others. These two threat categories go hand in glove for many successful attacks on retail companies. In these scenarios, the attacker typically scans large swaths of the Internet for potential victims, breaks into exposed systems (often via weak or stolen credentials), and installs some type of malware to capture data and/or serve other nefarious purposes. This type of indiscriminate, quick, and often completely automated attack is the favorite of the aforementioned Eastern European criminal groups. The story below illustrates just how easy and successful these types of attack can be.

A THREE-DAY WORK WEEK

During our data collection for this report, we received a list from one of our law enforcement partners containing the dates and locations of a large number of incidents tied to a small organized criminal group operating out of Eastern Europe. It provided us the opportunity to study their behaviors and activities over about a six-month period. We found it fascinating and include it here in the hopes that it helps drive home notions like “industrialized,” “rapid,” “large-scale,” and “opportunistic,” which we reference frequently in this report.

Analysis of the data showed the attackers not only had no routine workweek, but they only worked an average of three days a week. During one particular three-day work week, they punched the clock on Saturday, Sunday, and Monday. They compromised 22 organizations across nine countries; Monday was the most productive, with 15 of those confirmed breaches registered that day. We would joke about “nice work if you can get it,” but the jail time these guys are facing doesn’t make for very nice work at all.
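The scan-guess-install pattern described above leaves a distinctive trace in the authentication log of whatever remote administration service the POS vendor left exposed, and the first two recommendations at the end of this snapshot (change default passwords, restrict remote access) both become checkable against that log. The following is an added example, not code from the Verizon report or from any POS product: a small detector run over a constructed log of a remote-admin service. It raises an alert on a burst of failed logins from one source, on a success that follows such a burst, on a login to an account name that ships as a default, and on a login from an address the vendor does not use. The one-line-per-event log layout, the vendor address range (203.0.113.0/24) and the default-account list are assumptions for illustration; the sample log uses RFC 5737 documentation addresses.

```python
"""Spot credential guessing against a POS remote-access service.

Added example; not code from the Verizon report. The log layout, the
vendor allow-list and the default-account list are assumed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log. Assumed layout, one event per line:
#   <UTC timestamp> <service> <source IP> <username> <SUCCESS|FAIL>
# 198.51.100.7 guesses its way in; 203.0.113.10 is the legitimate vendor.
SAMPLE_LOG = """\
2012-03-10T02:14:01Z remote-admin 203.0.113.10 vendoradmin SUCCESS
2012-03-10T02:31:05Z remote-admin 198.51.100.7 administrator FAIL
2012-03-10T02:31:06Z remote-admin 198.51.100.7 administrator FAIL
2012-03-10T02:31:07Z remote-admin 198.51.100.7 admin FAIL
2012-03-10T02:31:08Z remote-admin 198.51.100.7 pos FAIL
2012-03-10T02:31:09Z remote-admin 198.51.100.7 pos FAIL
2012-03-10T02:31:11Z remote-admin 198.51.100.7 pos SUCCESS
2012-03-10T09:02:44Z remote-admin 203.0.113.10 vendoradmin SUCCESS
"""

# Assumed: the addresses your POS vendor has confirmed it connects from.
VENDOR_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed: account names that ship with POS packages or that scanners try first.
DEFAULT_ACCOUNTS = {"administrator", "admin", "pos", "support", "manager"}

FAIL_THRESHOLD = 3             # this many failures from one source ...
WINDOW = timedelta(minutes=5)  # ... inside this window is a guessing burst


def parse_log(text):
    """Turn the sample log layout into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, service, src, user, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "service": service,
            "src": ipaddress.ip_address(src),
            "user": user,
            "ok": outcome == "SUCCESS",
        })
    return events


def detect(events):
    """Return (rule, source, user, timestamp) tuples in time order."""
    alerts = []
    recent_fails = defaultdict(deque)  # source -> failure timestamps inside WINDOW
    for e in sorted(events, key=lambda ev: ev["ts"]):
        fails = recent_fails[e["src"]]
        while fails and e["ts"] - fails[0] > WINDOW:  # expire old failures
            fails.popleft()
        src = str(e["src"])
        if not e["ok"]:
            fails.append(e["ts"])
            if len(fails) == FAIL_THRESHOLD:  # fire once per burst
                alerts.append(("credential_guessing", src, e["user"], e["ts"]))
            continue
        # A successful login: was it preceded by a burst of failures?
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append(("brute_force_success", src, e["user"], e["ts"]))
            fails.clear()
        # Default account names are the first thing scanners try.
        if e["user"].lower() in DEFAULT_ACCOUNTS:
            alerts.append(("default_account_login", src, e["user"], e["ts"]))
        # Nothing outside the vendor's addresses should be logging in at all.
        if not any(e["src"] in net for net in VENDOR_ALLOWLIST):
            alerts.append(("login_outside_vendor_allowlist", src, e["user"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, src, user, ts in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {rule:32} {src:15} {user}")
```

On the sample log the vendor's two logins produce nothing, while the intruder trips all four rules: the third failure in under a minute, the success that follows five failures, the use of the default account "pos", and the source address being outside the vendor range. The last rule is the cheapest and most valuable one for a small retailer: if the firewall rule from the recommendations is in place, that alert should never fire, so when it does the rule is missing or has been changed.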

Table 2. Threat action varieties by percent of breaches in the Retail Trade industry

    Rank  Variety                                                       Category  Breaches
    1     Tampering                                                     Physical     48%
    2     Exploitation of default or guessable credentials              Hacking      31%
    3     Unknown                                                       Malware       9%
                                                                        Hacking       2%
                                                                        Social        1%
    4     Brute force and dictionary attacks                            Hacking       8%
    5     Backdoor (allows remote access/control)                       Malware       5%
    6     Exploitation of backdoor or command and control channel       Hacking       5%
    7     SQL Injection                                                 Hacking       5%
    8     Keylogger/Form-grabber/Spyware (capture data from user activity)  Malware   4%
    9     Disable or interfere with security controls                   Malware       3%
    10    Capture data resident on systems (e.g. cache, disk)           Malware       2%


The tactics described above are especially effective against smaller, softer targets but less successful against larger retailers (i.e., those with more than 1,000 employees). Of course, this is due to the tighter controls typically in place in larger organizations. Larger retailers and those with an online presence (unsurprisingly) suffer a higher proportion of attacks against their public-facing web applications. Thus, SQL injection, while comparatively low in the big picture, is a serious and long-recurring issue for online retailers.

COMPROMISED ASSETS

To get a sense for what threat agents are targeting, and thus what’s most in need of protecting, it’s important to analyze the types of information assets affected by data breaches. Predictably, gas pump terminals and POS systems (both servers and terminals) are clearly linked to the majority of data breaches in the retail industry.

Gas pump skimmers are notoriously easy to install, facilitating the simple and frequent theft of magnetic stripe data on payment cards. The deed can be done in less than a minute, and most clerks are unable to discern the difference between a normal customer filling up a tank and a criminal trying to make some bank.

Although standards have been developed in the last few years to restrict the storing of credit card data on POS devices, the data does still have to pass through them. If the attackers exploit weak credentials and place a keylogger on that system, then all restrictions against unencrypted storage of payment card information are rendered moot. As mentioned previously, the high number of targets mixed with weak defenses creates a concoction irresistible to criminals seeking to quench their thirst for easy money.

Many smaller retailers lack the expertise or resources to manage their own POS infrastructure, and therefore rely on third-party vendors to do it for them. This requires that some sort of remote access and administrative service be enabled on these systems. The victim assumes that vendors know their trade and implement appropriate security measures, but experience shows this trust is often misplaced.
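Whether it is a skimmer inside a pump, a swapped PIN pad, a keylogger or a tool that captures data resident in memory (Table 2, item 10), what the criminal harvests is the same thing: magnetic-stripe track data in transit through the POS. Knowing what that data looks like lets an investigator or a store controller's own monitoring find it where it should not be. The following is an added example, not code from the Verizon report or from any POS vendor: a scanner that locates ISO/IEC 7813 track 1 and track 2 records in an arbitrary byte buffer (a memory image, a suspicious file on the store controller, an outbound packet payload) and keeps only records whose primary account number passes the Luhn check, so random digit runs are not reported. The track layouts are the standard ones; the sample buffer, the cardholder name and the surrounding filler bytes are constructed here, and the two PANs are publicly documented test numbers.

```python
"""Find payment-card track data in captured bytes.

Added example; not code from the Verizon report. The buffer below is
constructed from public test card numbers.
"""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan):
    """Luhn check digit: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the first six and last four digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf):
    """Return masked track records found in buf, ordered by offset."""
    hits = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):  # drop digit runs that merely look like a PAN
            hits.append({"track": 1, "offset": m.start(), "pan": mask(pan),
                         "name": m.group(2).decode("ascii", "replace").strip(),
                         "expiry": m.group(3).decode("ascii"),
                         "service_code": m.group(4).decode("ascii")})
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": mask(pan),
                         "name": None,
                         "expiry": m.group(2).decode("ascii"),
                         "service_code": m.group(3).decode("ascii")})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed buffer: two well-formed records built from public test PANs
# (4111 1111 1111 1111 and 5555 5555 5555 4444) plus one decoy whose PAN
# fails the Luhn check, embedded among made-up filler bytes.
SAMPLE_BUFFER = (
    b"\x00\x00pos-app.log\x00"
    b"%B4111111111111111^DOE/JANE^25121011000000000000?"
    b"\x00\x00"
    b";5555555555554444=251210100000000?"
    b"\x00garbage;1234567890123456=251210100000?\x00"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_BUFFER):
        print(hit)
```

Run against the sample buffer it reports the track 1 and track 2 records with masked PANs and skips the decoy. The same scan over a memory dump of a store controller is a quick way to confirm that clear-text track data is present on a system the vendor assured you was compliant, and over outbound traffic it is a simple exfiltration check; masking the PAN before anything is logged keeps the investigation itself from creating another copy of cardholder data.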

Figure 3. Compromised assets by percent of breaches in the Retail Trade industry*

    Type                                 Category       Breaches
    Pay at the pump terminal             User devices       46%
    POS server (store controller)        Servers            36%
    POS terminal                         User devices       22%
    Desktop/Workstation                  User devices        7%
    Database server                      Servers             5%
    Web/application server               Servers             5%
    Unknown                              Unknown             2%
    Payment card (credit, debit, etc.)   Offline data        1%
    PIN entry device/Card reader         Offline data        1%

*Assets involved in less than 1% of breaches are not shown


And while gas pump terminals and POS systems are the most frequently hit, they are not the only assets affected by breaches in retail establishments. As Figure 3 illustrates, desktops are occasionally involved in attacks as well. It is not uncommon for an employee to click on a malicious e-mail attachment or visit a questionable site on a company desktop, consequently infecting the system with malware that enables an attacker to gain access to other devices within the network. Also, desktops equipped with card reader hardware and applications can be tampered with in order to skim payment card data. In many cases, skimming is perpetrated by an employee trusted with handling transactions, but it can also be conducted without the employee’s knowledge or complicity.

Web and database servers appear in Figure 3 as well, owing to online retailers that fail to shore up security weaknesses—particularly input validation—in web applications. Our caseload data indicates this is especially true for retailers in the Asia-Pacific region, where, in recent years, we have observed SQL injection and other web attacks grow more than in other parts of the world.

TIMELINE OF EVENTS

Response time is a good indicator of the maturity of an organization’s security program. No one wants to be the victim of a breach, but if that unfortunate event arises, it’s certainly better to know sooner rather than later, to limit exposure and take proper corrective measures. Among the major phases we consider in an event scenario are:

• Initial Attack to Initial Compromise. The time spanning from the first malicious action taken against the victim until an information asset is negatively affected.

• Initial Compromise to Discovery. The time spanning from when the first asset is negatively affected until the victim learns of the incident.

• Discovery to Containment/Restoration. The time spanning from when the victim learns of the incident until data is no longer actively exposed.

For a more complete accounting of incident scenario phases, please refer to the DBIR.

Unfortunately, the initial compromise occurs quite rapidly in most Retail Trade incidents. In over two-thirds of all cases, mere minutes—or even seconds—elapse before the victim’s systems are infiltrated, and the exfiltration of sensitive data typically occurs relatively quickly after that. These findings are largely related to the mode of attack and the uniformity of the two most popular targets: gas pump terminals and POS systems. It just doesn’t take long to install a skimmer on an outdoor pump or pop weak passwords on POS devices that, for the most part, all process and store the same kind of data in similar ways.


In this industry, with its large number of automated and opportunistic attacks, the perpetrators have typically been and gone before anyone realizes there’s a problem. At the other end of the timeline, more than half of all breaches go on for months before the victim learns that they’ve been compromised (gas pump skimmers tend to be found in the days-to-weeks range). What’s more, victims almost never detect the breach themselves; they are typically notified of their predicament by law enforcement or by payment card brands that have detected the incident through fraud analysis.

To add insult to injury, it often takes weeks or more before the breach is successfully contained. Once organizations realize that they’ve been victimized, it’s crucial they mount a swift and competent response. For many resource-challenged small-to-medium businesses, this means enlisting the support of external parties and/or law enforcement to stop the bleeding and get things on the mend.

Figure 4. Timespan of events by percent of breaches in the Retail Trade industry

               Initial Attack to     Initial Compromise    Discovery to
               Initial Compromise    to Discovery          Containment/Restoration
    Seconds            28%                   0%                    0%
    Minutes            42%                   0%                    1%
    Hours              16%                   1%                   10%
    Days                8%                   6%                   37%
    Weeks               4%                  38%                   41%
    Months              3%                  53%                   11%
    Years               0%                   2%                    1%


RECOMMENDATIONS FOR THE RETAIL TRADE INDUSTRY

Because our data set, and therefore our findings, evolve over time and encompass victims of different types, sizes, and geographic locations, creating a single list of recommendations that works equally well for all organizations is unrealistic. Our basic advice, beyond covering the security essentials, is to adopt a common-sense, evidence-based approach to managing security. Learn what threats and failures most often affect organizations like yours, and then make sure your security posture puts you in a position to thwart them.

Given the rather uniform nature of breaches within the retail industry, however, it’s relatively straightforward to sift through the evidence to derive a short list of recommendations. In fact, for this vertical in particular, the old adage that “an ounce of prevention is worth a pound of cure” is more than apt. For owners of these establishments—especially the smaller ones—it may be tempting to think “that’ll never happen to me” when it comes to having your (and your customers’) information stolen. But the fact remains that smaller companies litter our breach data set every year (which isn’t to say that larger ones are off the hook; they’re in there too). The good news is that most can be prevented with some small and relatively easy steps. The following few tips are based on our research into hundreds of security breaches affecting companies in this industry.

• Change administrative passwords on all POS systems. Hackers constantly scan the Internet for easily guessable passwords.

• Implement a firewall or access control list on remote access/administration services. If hackers can’t reach your system, they can’t easily steal from it.

• Avoid using POS systems to browse the web. Or anything else on the Internet for that matter.

• Make sure your POS is a PCI DSS compliant application. Ask your POS vendor for additional information on this topic.

• Make gas pump terminals tamper-evident. And inspect them regularly for signs of foul play.

• Protect public-facing web assets. They’re great for attracting customers, but they’re also a magnet for criminal attention.

If a third-party vendor manages your POS systems, we recommend asking them to confirm that these things have been done. If possible, work this into the contract. Following these simple practices will help save a lot of wasted money, time, and other troubles for your business and your customers.


To learn more about the findings in this report and our retail-centric security solutions, contact your account manager or visit verizon.com/enterprise/retail.


verizon.com/enterprise

© 2012 Verizon. All Rights Reserved. The Verizon name and logo and all other names, logos, and slogans identifying Verizon’s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners. MC15435 10/12.