The Future Of Passwords In Retail

Once again, customers of major retailers continue to face password reset advisories following a series of cyber-attacks targeting the retail sector. Recent incidents have resulted in stolen customer data, suspended online services, and widespread operational disruptions including empty shelves and payment system failures.

In the latest cases, retailers have advised customers to change their passwords for "peace of mind," even when login credentials weren't directly compromised.

The attacks have caused significant supply chain disruptions, with some stores unable to process card payments and others experiencing stock shortages that persisted for weeks. Worst of all, they create a huge breach of trust between consumers and retailers.

In these cases, it’s suspected that the attacks started with hackers impersonating employees and convincing IT support to reset account passwords, which the attackers then used to move laterally around the network.

The Password Problem

Ironically, these cyber-attacks have occurred around World Password Day. Passwords are critical in retail security for keeping corporate and customer accounts protected. However, the way passwords are used and managed also creates challenges.

According to Google’s Threat Horizons Report, weak passwords are the most common entry point for attacks, accounting for almost half of them.

This is especially the case following the rise of cloud-based infrastructure, which has become useful for productivity and efficiency but also enables attackers to access networks remotely if it isn’t correctly secured, as the recent cyber-attacks, which cost retailers millions, have shown.

The Evolution Of Authentication

There are steps retailers could and should take to help prevent cybersecurity incidents as a result of weak passwords. Ensuring accounts are secured with strong, unique passwords is a good first step, but it’s still possible for hackers to use phishing attacks or social engineering to steal or reset passwords.

This is why multi-factor authentication is recommended for all accounts. According to Microsoft, 99.9% of compromised accounts don't have MFA, leaving them vulnerable to phishing or brute-force attacks. While it isn’t infallible, enforcing MFA on employee accounts can go a long way to protecting against attacks.

Defences can also be improved with the use of passwordless authentication, be that passkeys, one-time codes or biometrics.

Biometrics - like face, iris or fingerprint authentication - are becoming an increasingly popular method of securing devices. And according to analysis by Juniper Research, they are becoming an increasingly popular means for customers to make transactions at PoS terminals in stores. Not only is it convenient for consumers, but the strong authentication it provides helps improve the customer experience, helping them stay secure and generating trust in the retailer.

If retailers are rolling out this technology to enhance customer experience, they should also consider using it to secure employee accounts - especially those with access to sensitive information - as an additional barrier to cyber-attacks. Because ultimately, a biometric signal is far more difficult to steal or reuse than a password.

Practical Solutions

While much of the responsibility for securing transactions lies with retailers, there are also actions consumers can take to help protect themselves against cyber-attacks on retailers.

This begins with a strong, unique password for every account; the UK’s National Cyber Security Centre recommends using three random words, which makes passwords far harder to break by brute force. Users could also consider using a password manager to store their passwords for them, reducing the need to remember every single password and allowing those passwords to be more complex. Password managers can even generate a random combination of characters for extra-strong, complex passwords which are almost impossible to guess. It also helps to apply MFA to accounts whenever possible.

Consumers can also help to reduce the chances of their banking information being stolen if a retailer they use does get breached by using a payment application or digital wallet to make purchases.

And although the use of payment applications is on the rise, many shoppers still stick with credit cards – so it’s imperative for retailers to ensure this information is handled safely and securely.

Conclusion

As retail and retail technology continue to evolve, so do the cyber-attacks targeting them. For now, passwords remain a critical vulnerability in retail technology, but there are strategies which can be deployed to reduce this risk. These range from applying MFA to planning for a passwordless future, where technologies like biometrics can help reduce the threat of malicious account access, data theft or fraud.

Cyber criminals know passwords are a weak link they can exploit to conduct cyber-attacks - and retailers must take action to help prevent themselves from falling victim.

The recent damage and disruption caused by these attacks shows that even the most high-profile retailers aren’t immune to cyber-attacks or password breaches, and it should act as a wake-up call for other retailers. The personal and financial data of potentially millions of customers that’s handled by retailers is a massive target for cyber criminals – and retailers have a duty to protect both this data and their services from cyber-attacks.

Doriel Abrahams is Principal Technologist at Forter

Image: Ideogram
