The Future Of Passwords In Retail

Once again, customers of major retailers continue to face password reset advisories following a series of cyber-attacks targeting the retail sector. Recent incidents have resulted in stolen customer data, suspended online services, and widespread operational disruptions including empty shelves and payment system failures.

In the latest cases, retailers have advised customers to change their passwords for "peace of mind," even when login credentials weren't directly compromised.

The attacks have caused significant supply chain disruptions, with some stores unable to process card payments and others experiencing stock shortages that persisted for weeks. And worst of all, they create a huge breach of trust between consumers and retailers.

In these cases, it’s suspected that the attacks started with hackers impersonating employees and convincing IT support to reset account passwords, which they exploited to move around the network.

The Password Problem

Ironically, these cyber-attacks have occurred around World Password Day. Passwords are critical in retail security for keeping corporate and customer accounts protected. However, the way we use and manage passwords also creates challenges.

According to Google’s Threat Horizons Report, weak passwords are the most common entry point for attacks, accounting for almost half.

This is especially the case following the rise of cloud-based infrastructure, which has improved productivity and efficiency but also enables attackers to access networks remotely if it is not correctly secured - something the recent cyber-attacks have shown can cost retailers millions.

The Evolution Of Authentication

There are steps retailers could and should take to help prevent cybersecurity incidents as a result of weak passwords. Ensuring accounts are secured with strong, unique passwords is a good first step, but it’s still possible for hackers to use phishing attacks or social engineering to steal or reset passwords.

This is why multi-factor authentication is recommended for all accounts. According to Microsoft, 99.9% of compromised accounts don't have MFA, leaving them vulnerable to phishing or brute-force attacks. While it isn’t infallible, enforcing MFA on employee accounts can go a long way to protecting against attacks.

Defences can also be improved with the use of passwordless authentication, be that passkeys, one-time codes or biometrics.

Biometrics - such as face, iris or fingerprint authentication - are becoming an increasingly popular method of securing devices. And according to analysis by Juniper Research, they are becoming an increasingly popular means for customers to make transactions at PoS terminals in stores. Not only is this convenient for consumers, but the strong authentication it provides helps improve the customer experience, helping them stay secure and generating trust in the retailer.

If retailers are rolling out this technology to enhance the customer experience, they should also consider using it to secure employee accounts - especially those with access to sensitive information - as an additional barrier to cyber-attacks. Because ultimately, it is far more difficult to hack a biometric signal than it is to hack a password.

Practical Solutions

While much of the responsibility for securing transactions lies with retailers, there are also actions consumers can take to help protect themselves against cyber-attacks on retailers.

This begins with a strong, unique password for every account; the UK's National Cyber Security Centre recommends using three random words, which makes passwords far harder to breach by brute force. Users could also consider using a password manager to store their passwords for them, reducing the need to remember every single password and allowing those passwords to be more complex. Password managers can even generate a random combination of characters for extra-strong, complex passwords which are almost impossible to breach. It also helps to apply MFA to accounts whenever possible.

Consumers can also help to reduce the chances of their banking information being stolen if a retailer they use does get breached by using a payment application or digital wallet to make purchases.

And although the use of payment applications is on the rise, many shoppers still stick with credit cards - so it is imperative for retailers to ensure this information is handled safely and securely.

Conclusion

As retail and retail technology continue to evolve, so do the cyber-attacks targeting them. For now, passwords remain a critical vulnerability in retail technology, but there are strategies which can be deployed to reduce this risk. These range from applying MFA to planning for a passwordless future, where technologies like biometrics can help reduce the threat of malicious account access, data theft or fraud.

Cyber criminals know passwords are a weak link they can exploit to conduct cyber-attacks - and retailers must take action to help prevent themselves from falling victim.

The recent damage and disruption caused by these attacks shows that even the most high-profile retailers are not immune to cyber-attacks or password breaches, and it should act as a wake-up call for other retailers. The personal and financial data of potentially millions of customers that retailers handle is a massive target for cyber criminals - and retailers have a duty to protect both this data and their services from cyber-attacks.

Doriel Abrahams is Principal Technologist at Forter

Image: Ideogram
