2015-10-06

Authors: Alexander Schellong, Jens Michael Marohn, Wolfgang Kiener

According to a recent survey conducted by Forrester, an independent research firm, 97% of respondents prioritize digital innovation and cybersecurity in 2015. In a way this comes as no surprise to the readership of this blog, as the spike of cyber incidents at major retailers in 2014 and 2015 showed that they are open for customers and cybercriminals at the same time. Stationary (brick-and-mortar) and online retailers are a sweet spot for the latter, as billions of customer transactions including payment details are processed or stored in a retailer's systems. Data is the new gold.

The retail sector is undergoing the biggest transformation in its history. Consumer behavior is changing rapidly. Demographics (e.g. age, gender, family status, income, location) no longer determine consumer behavior. Buying patterns are variable and may differ based on mood, meaning, situation, product or self-awareness. At the same time, eCommerce providers, eBusiness models and easy consumer access to market information erode the share of wallet of well-established retailers with a strong brand, large store networks and an online presence. Every brick-and-mortar business model will be tested at some point by a digital alternative, either by a purely digital model or by a digitally enabled version of the existing business model. Furthermore, research by Bain, a consulting firm, shows that retailers' stock prices are driven by return on invested capital and growth rather than by margins. For example, with faster inventory turns and no physical store assets, Amazon's return on invested capital is more than double the average for conventional retailers, resulting in a market valuation of $157 bn.

Overview of latest trends in future retail

According to McKinsey, a consulting firm, retail success today is all about taking advantage of technology, tools and talent to be relevant to the customers. Retailers experiment with emerging technologies (e.g. mobility, IoT, big data analytics, or social media) to enable digital integration and innovation in an interconnected world.

Technology already covers all steps of the customer shopping journey, from orientation to customer care. It is being used to increase sales by offering more channels, to conduct analytics, and to optimize supply chains. However, technology adopted without information security in mind can quickly become a factor of failure rather than success. In order to understand threat vectors and risks, and to identify countermeasures, we first need to understand the latest trends in stationary and online retail:

Reimagine once-static environments such as a dressing room, shelves or walls with the help of digital technologies. The objective is to improve upsell potential, provide recommendations, add user feedback, or in general complement the shopping experience with an element of discovery and immersion.

Offer new point of sale (POS) locations. Of course, consumers shop virtually from their mobile phone, tablet or computer, but other locations are being explored and enabled as well. In a pilot, a Korean supermarket chain covered subway stations with images of supermarket shelves containing hundreds of items. Consumers wanting to do their grocery shopping could scan each product's Quick Response (QR) code with their smartphone to add an item to their virtual shopping cart, which was then delivered to their home address. A similar project was launched by Carrefour, the French multinational retailer, which built a 200 meter long virtual shelf with over 1,000 products in Milan's Loreto metro station. Other retailers or companies use short-term "pop-up" stores in unique, trendy or "odd" locations to generate attention and sales.

Identify consumers and offer a personalized shopping experience. Upon entering a store, consumers are identified through their wearable or mobile phone (e.g. via near field communication (NFC) or Bluetooth) and receive individualized information based on the data stored on their device (e.g. a shopping list, calendar, health data), the existing consumer profile (e.g. past shopping history, consumer group) or sensors (e.g. cameras) on the retailer's side. Price tags are digital and can be adjusted to offer individual discounts, adding multiple impulse purchase moments.

Complementary third-party offerings will enhance consumer value and experience. To differentiate from competitors and to address consumers' urge for convenience or a product's limitations, retailers will form new alliances with third parties. Online retailers increasingly add partners that offer a physical location. Moreover, stationary retailers integrate digital business partners (e.g. social networking services), providers of loyalty cards and other third-party vendors that cover more elements of the value chain or tap into completely different ones.

Single customer profile across all channels. An idea dating back to Customer Relationship Management (CRM) that also enables other concepts in this list. A single customer profile that is constantly refined with internal and external data (where available) allows, for example, weaving perks or personalized service into the transaction wherever it takes place.

Connect with the sales assistant. Whether in-store or online, sales personnel are enabled to do consultative and intimate selling by getting access to customer profiles and product information through various mobile devices.

Robot sales assistants. Some retailers have started testing robots to assist in customer interaction. Current-generation robots are equipped with sensors, scanners, tablet-like screens and mobility to guide customers through a store.

Create and dominate an ecosystem. Consider Apple or Nestlé's Nespresso. Both companies lock in consumers, invest heavily in branding and have multiple direct and indirect consumer relationships. In addition, non-core activities are outsourced to a partner network, e.g. phone production to Foxconn or coffee machines to the OEM producer Eugster/Frismag.

Shop ahead. Customers can pre-order to get special treatment in the queue or make appointments in real-time.

Check out and pay everywhere. Customers can make a payment in another channel or have multiple points of payments in a store.

Pick-up and return 24×7. Customers can pick up or return their purchases from the store or a number of locations within or outside of regular business hours. This could be vending machines, kiosks or gas stations of partners.

Low to zero inventories. A concept derived from "just in time", commonly applied in manufacturing and now applied to retail. The idea is to pass on to consumers the savings of having a central inventory hub or an on-demand production facility. Especially the latter could be a retailer's attempt to localize or personalize its offerings to meet changing consumer expectations.

Turn data and cloud-based products/services into revenue. Retailers can now build very detailed customer profiles and patterns using Big Data analytics. That data could be useful in other settings and in combination with other data sets outside a retailer's scope. Accordingly, retailers could start selling their data to other companies. Furthermore, retailers can offer virtual products or services through third-party white labeling or in-house activities.

These innovations not only allow a better customer experience but also more efficient operations and increasing revenue. At the same time they change the threat landscape and leave retail firms more open to attacks targeting the entire ecosystem. Threat agents (e.g. cyber criminals and hacktivists) get greater possibilities of stealing personally identifiable information (PII) and payment card (cardholder) data, or of harming retail organizations and their customers. Likewise, corporations (competitors) or nation states may consider business-interrupting cyber activities for economic or political reasons. Retailers continue to be concerned about fraud and theft in cyberspace committed by their own employees and third-party providers who know how to bypass processes and controls. Next to business interruption and fraud, the biggest cyber risk retailers are confronted with is data loss, which causes reputational and financial damage including recovery and outage costs, fines and penalties from payment card companies and government regulators, as well as increased card processing fees. The biggest attacks, such as those on Target, Sony and eBay, reveal six key threats:

Customized malware on point-of-sale and consumer systems. Cyber criminals move undetected through the victim's environment and install malware in order to gather personal and cardholder data. The complexity of this threat will increase with the boost to mobile payments and digital wallets.

Vulnerable legacy and unpatched systems. The vast majority of incidents involve exploitation of vulnerabilities that have been known for months or years. With increasing interconnectivity and the opening of the ecosystem, it is likely that legacy and unpatched systems will be more and more exposed to threat agents.

Misconfigured systems. Many incidents involve the exploitation of configuration weaknesses that should have been caught by appropriate quality assurance controls.

Poor Identity and Access Management (IAM). Best practice makes multi-factor authentication mandatory for internet-facing systems, yet the majority of incidents in retail exploit weak credentials and insufficient permission controls, especially for third-party providers.

Denial of Service (DoS) attacks. Threat agents are getting more sophisticated, learning to distract a retailer's cyber defense with distributed denial of service (DDoS) attacks while stealing personal and cardholder data. Hacktivists, on the other hand, just want to bring down normal business operations and harm an organization's reputation.

Poor incident detection and remediation capabilities. Organizations require several months to discover a breach; furthermore, most breaches are discovered far too late, by external parties such as law enforcement, banks, card providers and payment aggregators, which gives cyber criminals all the time they need to succeed.

The following high-level examples of two of the above retail trends provide the basis for the cyber risk analysis.

From Static to Intelligent: The fitting room

The fitting room of the future offers customers virtual assistants, sensors that measure the body, or a virtual mirror to try on alternative styles. Friends could be invited to join the selection process remotely (think of Nike run cheers on Facebook). Styles and offers inside the fitting room or from store personnel will be recommended based on the customer's existing profile with the retailer, the known shopping and other behaviors of the customer, and those of customers like them. In fact, the intelligent fitting room could simply be the outlet of an online retailer, similar to a photo booth in a subway station. No personnel. No storage. Not even physical products. Fulfillment will be handled in a central hub.

Figure one shows a high-level overview of the intelligent fitting room's features, data sources and data flow. The retailer's master database also has connections to suppliers, production, marketing/CRM and storage databases. It might include data retrieved from third parties via web API (e.g. trend databases, fashion blogs, etc.).



Figure two provides a more detailed view of the data flow and IT environment. The connection from the fitting room to the retailer's database is established via Wi-Fi or cable to the store IT (which is also tied into cash registers and the ERP). The fitting room is equipped with multiple sensors to enhance the customer experience. Clothes can be scanned by a fitting room device via NFC or a code scanner/camera. Alternatively, an app on the consumer's smartphone or watch can take over this task and pass the result to the fitting room via Wi-Fi or Bluetooth. After scanning, a connection to the retailer's database can be established via the app on the mobile phone or directly via Bluetooth or Wi-Fi. To get any special offers, the customer has to be identified either by the app on the mobile phone, by the fitting room device, or both. All data from and to the fitting room device is routed via the store IT to the retailer's databases.



The personalized shopping experience

In this scenario the customer is identified as they enter a retailer's shop.

Consumers are identified by sensors like cameras, NFC-tagged customer cards, NFC-enabled wearables, Bluetooth, a mobile phone app or self-registration terminals. The shopping basket or cart is technically enabled as well, e.g. with an infotainment or automatic item check-out system. Price tags in the store can be adjusted through the store's IT system, potentially in real time, to provide special pricing to an individual based on current promotions or past shopping behavior. Customer service personnel receive customer-specific information on their terminals during buying or service conversations to increase cross- or upsell potential. Customer data is transmitted from the databases to the store and the store IT.



Considering the two scenarios, the following table provides an overview of the potential threats, threat agents, countermeasures, threat impact, severity, likelihood and risk. Red means high while green means low.

Take for example digital price tags. If prices change according to the customer, they need to be verified at the time of check-out. An attacker would want to set the price to a very low value; the result would be a loss in revenue. The attacker could modify the application on his mobile device, fake or spoof customer promotion information (the ratio of the rebate), or manipulate the data sent from the in-store IT to the price tags. That is why retailers have to investigate how price tags receive their price information and what mechanism is used to change the price. To harden them against attacks, the following countermeasures should be considered:

Digital price tags and underlying systems are security certified (e.g. Common Criteria)

Price information is encrypted and integrity-protected (e.g. signed or MACed) in transit, so that a tag only accepts updates from the store IT and not from anyone on the store network

Independent multifactor verification of price changes

Additional price verification at the terminal

No data storage inside the price tag

Random checks of price tags against internal reference database

Monitoring of customer check out against price anomalies (e.g. a large number of items resulting into a low price)
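As an added example (not code from the original post), the following Python sketch shows how three of the countermeasures above fit together: the store IT signs each personalized price update with an HMAC so a tag or terminal rejects a forged or replayed update; the terminal independently recomputes the expected price from the reference database rather than trusting the tag; and a basket-level anomaly check flags a check-out whose total is implausibly low. The reference prices, promotions, the shared HMAC key and the 30% maximum-rebate threshold are constructed assumptions for the example.

```python
import hashlib
import hmac
import json

# Constructed sample data for this example; these are not the page's figures.
REFERENCE_PRICES = {"SKU-1001": 4999, "SKU-1002": 1299, "SKU-1003": 899}  # cents
PROMOTIONS = {"PROMO-10": 10, "PROMO-25": 25}  # promo id -> permitted rebate in percent
MAX_BASKET_REBATE_PCT = 30  # assumption: no basket may legitimately be cheaper than this
STORE_KEY = b"constructed-demo-key-rotate-in-production"  # assumption: shared by store IT and tags


def _canonical(msg):
    """Deterministic encoding so signer and verifier MAC exactly the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign_price_update(sku, price_cents, promo_id, customer_id, expires, key=STORE_KEY):
    """Store IT side: bind price, promotion, customer and expiry together under an HMAC."""
    msg = {"sku": sku, "price_cents": price_cents, "promo_id": promo_id,
           "customer_id": customer_id, "expires": expires}
    mac = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return {"msg": msg, "mac": mac}


def verify_price_update(update, now, key=STORE_KEY):
    """Tag or terminal side: reject forged, modified or stale updates."""
    expected = hmac.new(key, _canonical(update["msg"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, update["mac"]):
        return False, "bad MAC"
    if update["msg"]["expires"] < now:
        return False, "expired"
    return True, "ok"


def expected_price(sku, promo_id):
    """Independent recomputation from the reference database, never from the tag."""
    base = REFERENCE_PRICES[sku]
    rebate = PROMOTIONS.get(promo_id, 0)  # unknown promo id -> no rebate
    return base - base * rebate // 100


def price_at_checkout(update, now, key=STORE_KEY):
    """Terminal: charge the tag price only if it is authentic AND matches the reference."""
    sku = update["msg"]["sku"]
    ok, reason = verify_price_update(update, now, key)
    if not ok:
        return REFERENCE_PRICES[sku], reason  # fall back to list price
    recomputed = expected_price(sku, update["msg"]["promo_id"])
    if update["msg"]["price_cents"] != recomputed:
        return recomputed, "price mismatch"  # signed, but not what the promo allows
    return update["msg"]["price_cents"], "ok"


def basket_anomaly(charged_lines, max_rebate_pct=MAX_BASKET_REBATE_PCT):
    """Flag a check-out whose total is implausibly low against reference prices."""
    reference_total = sum(REFERENCE_PRICES[sku] for sku, _ in charged_lines)
    charged_total = sum(price for _, price in charged_lines)
    ratio = charged_total / reference_total if reference_total else 1.0
    return ratio < (100 - max_rebate_pct) / 100, round(ratio, 3)


if __name__ == "__main__":
    now = 1_000_000
    good = sign_price_update("SKU-1001", 4500, "PROMO-10", "CUST-42", now + 600)
    print(price_at_checkout(good, now))
    # Attacker rewrites the price on the wire but cannot recompute the MAC.
    tampered = {"msg": dict(good["msg"], price_cents=1), "mac": good["mac"]}
    print(price_at_checkout(tampered, now))
    print(basket_anomaly([("SKU-1001", 1), ("SKU-1002", 1299)]))
```

The MAC stops an attacker on the store network from injecting or altering updates, the expiry bounds replay of an old personalized price, and the recomputation at the terminal catches the case where the store IT itself (or a spoofed promotion feed) signed a price that the promotion does not justify. The anomaly check is the last line of defense when the earlier ones fail.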

Note that both scenarios rely heavily on the consumer's mobile device or wearable to change the shopping experience. This puts responsibility on retailers to work together with the producers of end-user devices to ensure security standards and a secure end-user product lifecycle. At the same time, companies like Apple, Samsung, Huawei, HTC or Microsoft carry greater responsibility that their devices do not become a key root cause of security incidents that put both retailers and consumers at risk, especially as more models with various operating systems remain in use beyond their planned support period. Manufacturers need to establish proper patch management, the ability to disable vulnerable features, and other security measures on "smart devices". Consider the "Stagefright" vulnerability, which allows an attacker to compromise an Android device, including access to its microphone and camera, by sending an MMS with an embedded malicious video. Older devices will not have the benefit of a patch, and it is exactly those devices that run the retailer's app and in-store connections.

Collaboration is important elsewhere, too.

Nearly a third of all breaches in the retail sector began with a compromise at a third-party vendor. Organizations can take steps to secure their own networks, but ignoring the risks posed by third-party partners can leave them exposed and vulnerable to breaches.

Furthermore, information sharing within an industry and beyond (banking would come to mind) is a key aspect of cyber defense and of managing cyber risks. Several large US retailers now participate in the Retail Cyber Intelligence Sharing Center (R-CISC) to share cybersecurity intelligence with each other and with security analysts and agencies. Among the companies participating in and supportive of the R-CISC are American Eagle Outfitters, Gap Inc., J. C. Penney Company Inc., Lowe's Companies, Inc., Nike, Inc., Safeway, Inc., Target Corporation, VF Corporation and Walgreen Company.
