November is right around the corner, and so is the holiday shopping season. As consumers prepare to loosen their wallets, retailers are preparing to tighten their security. For many, this means restricting code changes to mission critical systems so that up-time is guaranteed during what is often their highest traffic period of the year. So for those looking to ensure all systems are go on Black Friday, crowdsourced security testing can be a great final check.
Crowdsourced Security as a Differentiator
More and more retailers are turning to multi-channel marketing and purchasing strategies that include online stores, marketplaces, and social, as well as physical avenues like catalog, phone, and “brick and mortar.” Delivering each of these points-of-purchase in a seamless fashion can be a game-changer for many, helping them capture more personas, segments, and geographies than ever before. This is often why delivering high quality customer experience is the #1 business initiative for most retailers.
However, while optimal for the customer journey, ongoing digital transformation also multiplies exposure and risk of compromise for retailers. A recent study found that 80-90% of logins to e-commerce sites are actually via credential-stuffing, or hackers using stolen data to game a simplified purchasing experience. It’s no secret that security risks abound for retailers, but compromised credit card information is only one side of the coin. Only 11% of consumers reportedly trust their retailer to respond appropriately to a cyber attack that exposes their personal information. With numbers like this, it’s clear why security has moved up on the list of buying requirements for many consumers.
And retailers are listening. Bugcrowd alone saw a 50% increase in crowdsourced security adoption for retail customers since this time last year. Looking over the past two years, Bugcrowd retail programs saw the highest submission volume, with one of the highest percentages of critical vulnerabilities and the second highest growth rate at 137% YoY. Of the submissions, nearly 20% were classified as critical (P1 or P2), paying out an average of nearly $1000 per submission. There’s plenty to keep the Crowd busy in retail programs, so let’s have a closer look at what they’ve found.
Many e-commerce and retail organizations have predominantly web-based and mobile app attack surface — two targets that are objectively “easier” for novice hackers to tackle when first starting out. With a lower barrier to entry, the retail industry sees a disproportionately high volume of submissions against these asset types versus other industries. Hardware targets, on the other hand, tend to receive fewer submissions, but far outweigh other asset types in percentage of high-impact findings for this industry.
Point-of-Sales (PoS) and other hardware assets are still one of the primary attack targets for several reasons:
- The development lifecycle for legacy IoT devices often lacked built-in considerations for security
- These devices are generally short on processing power and memory, meaning standard encryption protocols were frequently forgone
- PoS devices connected to the internet can be searched by hackers that know what to look for
- Many devices require manual updates, which often aren’t undertaken at scale, leaving vulnerable systems to act as a doorway to the rest of the network.
While hardware attacks are interesting, there’s no denying that exposure of digital data can be crippling for an organization’s brand, and financial state through compliance-based fines like GDPR. One of the top vulnerability types we see in the retail space come from “Insecure Direct Object Reference (IDOR).” Attacks on IDOR frequently occur in retail organizations where customer details like address and other personally identifiable information can be stored as part of an account profile. Stolen credit card info can be targeted to perform unauthorized transactions, but the loss of other personally identifiable information can be personally devastating to an individual’s privacy and identity.
Securing your Brand
We’ll never forget major data breaches like those that affected Target, T.J. Maxx, and Home Depot — but the truth is that cybersecurity threats have been a concern for retailers for a long time. With the evolution of mobile and cloud technology, data breaches have become an even bigger threat.
Bugcrowd programs contribute to helping organizations reduce risk and enhance security posture, so your customers feel confident in making purchases with you and trust your brand. Over the last two years, partnering retail brands have paid out nearly $700,000 to the Crowd. The number continues to trend upward as organizations face ever-expanding attack surfaces, participation in crowdsourced security programs increases, and security researchers with specialized skills become more readily available.
To learn more about our crowdsourced approach to security, and why leading brands like Etsy, TripAdvisor, Jet.com, Blend, and others trust Bugcrowd, visit www.bugcrowd.com/get-started
Download the full State of Retail Cybersecurity report today: https://www.bugcrowd.com/resources/reports/state-of-retail-cybersecurity-2019
