The Future Of Passwords In Retail

Once again, customers of major retailers continue to face password reset advisories following a series of cyber-attacks targeting the retail sector. Recent incidents have resulted in stolen customer data, suspended online services, and widespread operational disruptions including empty shelves and payment system failures.

In the latest cases, retailers have advised customers to change their passwords for "peace of mind," even when login credentials weren't directly compromised.

The attacks have caused significant supply chain disruptions, with some stores unable to process card payments and others experiencing stock shortages that persisted for weeks. Worst of all, such incidents create a huge breach of trust between consumers and retailers.

In these cases, it’s suspected that the attacks started with hackers impersonating employees and convincing IT support to reset account passwords, which they exploited to move around the network.

The Password Problem

Ironically, these cyber-attacks have occurred around World Password Day. Passwords are critical in retail security for keeping corporate and customer accounts protected. However, the way we use and manage passwords also creates challenges.

According to Google’s Threat Horizons Report, weak passwords are the most common entry point for attacks, accounting for almost half.

This is especially the case following the rise of cloud-based infrastructure, which has boosted productivity and efficiency but also lets attackers access networks remotely if it isn't correctly secured, a weakness that the recent cyber-attacks have shown can cost retailers millions.

The Evolution Of Authentication

There are steps retailers could and should take to help prevent cybersecurity incidents as a result of weak passwords. Ensuring accounts are secured with strong, unique passwords is a good first step, but it’s still possible for hackers to use phishing attacks or social engineering to steal or reset passwords.

This is why multi-factor authentication is recommended for all accounts. According to Microsoft, 99.9% of compromised accounts don't have MFA, leaving them vulnerable to phishing or brute-force attacks. While it isn’t infallible, enforcing MFA on employee accounts can go a long way to protecting against attacks.

Defences can also be improved with the use of passwordless authentication, be that passkeys, one-time codes or biometrics.

Biometric authentication - such as face, iris or fingerprint recognition - is becoming an increasingly popular method of securing devices. According to analysis by Juniper Research, it is also becoming an increasingly popular way for customers to make transactions at PoS terminals in stores. Not only is it convenient for consumers, but the strong authentication it provides improves the customer experience by keeping them secure and building trust in the retailer.

If retailers are rolling out this technology to enhance the customer experience, they should also consider using it to secure employee accounts - especially those with access to sensitive information - as an additional barrier to cyber-attacks. Ultimately, it is far more difficult to hack a biometric signal than it is to hack a password.

Practical Solutions

While much of the responsibility for securing transactions lies with retailers, there are also actions consumers can take to help protect themselves against cyber-attacks on retailers.

This begins with a strong, unique password for every account; the UK's National Cyber Security Centre recommends using three random words, which makes passwords far harder to crack by brute force. Users could also consider a password manager to store their passwords for them, removing the need to remember every individual password and allowing those passwords to be more complex. Password managers can even generate a random combination of characters for extra-strong passwords that are almost impossible to crack. It also helps to apply MFA to accounts whenever possible.

Consumers can also help to reduce the chances of their banking information being stolen if a retailer they use does get breached by using a payment application or digital wallet to make purchases.

And although the use of payment applications is on the rise, many shoppers still stick with credit cards - so it's imperative for retailers to ensure this information is handled safely and securely.

Conclusion

As retail and retail technology continue to evolve, so do the cyber-attacks targeting them. For now, passwords remain a critical vulnerability in retail technology, but there are strategies that can be deployed to reduce this risk. These range from applying MFA to planning for a passwordless future, where technologies like biometrics can help reduce the threat of malicious account access, data theft or fraud.

Cyber criminals know passwords are a weak link they can exploit to conduct cyber-attacks - and retailers must take action to prevent themselves from falling victim.

The recent damage and disruption caused by these attacks shows that even the most high-profile retailers aren't immune to cyber-attacks or password breaches, and this should act as a wake-up call for other retailers. The personal and financial data of potentially millions of customers that retailers handle is a massive target for cyber criminals - and retailers have a duty to protect both this data and their services from cyber-attacks.

Doriel Abrahams is Principal Technologist at Forter

Image: Ideogram
