Hackers: The Mobile Threat to Back-to-School Shopping

Large-scale security breaches and theft of customer data from retailers continue unabated, while consumer fears continue – understandably – to increase. As mobile becomes the dominant online access channel, Susan Kuchinskas examines how merchants will meet the challenge during the back-to-school shopping season.

Security experts to retailers: Security breaches are inevitable, so get used to it – and plan ahead.

If 2014 seemed to be the Year of the Hacker, 2015 hasn't been much more secure. One of the latest high-profile data thefts hit Carphone Warehouse in mid-August, when crackers grabbed the encrypted credit card data of 2.4 million customers. The company's owner, Dixons Carphone, operates websites and customer service centers for OneStopPhoneShop.com, e2save.com and Mobiles.co.uk, among other business units.

In early August, Zimperium Mobile Security revealed a flaw in the Android operating system that could let hackers take control of a mobile device simply by sending a text message. Zimperium called the Stagefright bug "scarier than Heartbleed."

Zimperium provided Google with patches, and the software giant quickly released them to Android users via over-the-air updates. But, if this huge vulnerability has been lurking in the Android OS since almost its beginning, who knows what other loathsome mobile exploits could turn the back-to-school shopping season into tsuris for consumers and a black eye for retailers?

Changing the shopping paradigm

Mobile usage and m-commerce continue to grow. In the UK, 96 percent of adults aged 16 to 24 go online via a mobile device, according to the Office for National Statistics. In the US, 78 percent of the 1,000 parents surveyed about their 2015 back-to-school shopping will use a smartphone for it, according to Retale, a location-based mobile platform for coupons and deals. While the majority of those shoppers will use the phone for research such as price comparisons or searching for coupons and deals, 37 percent planned to buy directly from a mobile device.

For global retailers, securing m-commerce is even more critical. In China, m-commerce this year will account for close to half of all e-commerce sales, according to eMarketer. Criteo, a performance marketing platform, says that m-commerce accounts for more than 50 percent of all ecommerce transactions in Japan and South Korea, and more than 40 percent in the UK.

At the same time, the convenience of mobile commerce, including alerts on sales, pushed coupons and product comparisons, is reducing the seasonality of shopping for school essentials – while increasing m-commerce and the need to secure it. While back-to-school remains the second-largest U.S. shopping season, it now extends from mid-July until the end of August, according to Cardlytics, a marketing technology provider to financial institutions.

CIOs at retail organizations are struggling to balance security with innovation on limited budgets, according to a survey conducted in December 2014 by Forrester for the National Retail Federation. In the survey of 84 top retail CIOs, 97 percent identified cyber security as a top concern. Moreover, they're taking an omnichannel approach.

This reflects consumer behavior, with shoppers hopping among devices and channels on the path to purchase. According to Criteo, in 40 percent of all e-commerce purchases, consumers use multiple devices to visit the same retailer prior to buying. Add to that cross-device shopping the increasing use of mobile devices by store personnel, and retailers can no longer secure channel by channel, Forrester said.

So hackable

New mobile payment solutions are rolling out, even as the threats keep coming. In mid-August, Merchant Customer Exchange (MCX) released CurrentC, a mobile payments app. MCX was founded in August 2012 with funding from Walmart, Target and Best Buy. In a test run in July, the CurrentC application was successfully hacked, according to Bloomberg News. MCX executives and its press rep did not respond to interview requests.

Samsung Pay recently launched in South Korea, and it's expected to be available in the United States at the end of September. When Samsung unveiled the mobile payment system at a conference in March, an analysis by security provider Kaspersky Lab noted that Samsung Pay seemed to rely on magnetic secure transmission, allowing it to interface with magnetic stripe readers at points of sale. Kaspersky said that if it doesn't somehow integrate the more modern chip-and-PIN technology, "They are simply forcing an outdated and insecure mode of payment into the future." Samsung did not respond to a request for comment.

Cyber security as a business issue

"Traditionally, organizations have invested in technology to protect something. But the landscape, technology and attack surfaces keep changing. So does who is coming after you. It's hard to keep up," says Kiran Mantha, national retail and distribution cyber risk leader at Deloitte & Touche. "That's why organizations are trying to beef up their detection capability."

Merchants certainly are aware of the threat. The Retail Industry Leaders Association launched the Retail Cyber Intelligence Sharing Center (R-CISC) in 2014. The goal is to enable information sharing among retailers, law enforcement, and security vendors.

An R-CISC portal became operational this spring, logging dozens of updates each day. Since then, says Brian Engle, executive director of R-CISC, "We've been building up the community and lifting membership among retail organizations." The center has also opened membership to security solution vendors.

Deloitte's Mantha says, "External intelligence will play a crucial role in the war against cyber threats." However, the Deloitte report noted, "There are barriers to working with the government. For example, if a company reports a breach to regulators, it later might have to defend itself against legal action by that very entity."

Engle says that one of his organization's primary functions is to facilitate the trust necessary to make retailers willing to share information and also to trust the intel they get in return. "It's forming of that tight-knit circle of trust not only in the technological sense but also a sense of who they are interacting with and what their degree of capability is."

R-CISC does this via online discussions, meetings and events, and other initiatives that foster personal interaction among security professionals within its more than 100 members, including many top retail brands. At the same time, it also has provisions to let members report threats or attacks anonymously so that they don't expose the internal workings of their companies.

The organization has defined parameters for liability and indemnification against harm that might be caused by acting on information shared by a member, but Engle acknowledges that this concern still affects what some companies are willing to share.

He notes that R-CISC is careful to avoid anti-trust concerns and the appearance of exposing sensitive data among members.

The bottom line, though, he says, is that sharing information about threats and attacks is important. "The ability to see the types of things that are happening in a broader perspective adds something to the arsenal of each individual organization that it would not be able to produce on their own."

Risky business

To better respond to today's high-risk environment, Deloitte recommends that retailers integrate the IT department more closely with the executive team. When the CIO reports to the CEO, Deloitte found, the company's executive team and board are better informed about cyber security.

Going back to the omnichannel theme, Mantha says, "Mobile is just another entry point." Retailers need to identify the "crown jewels" that must be protected at all costs, and then understand the risks. Once a threat is detected, they must have a response plan – and practice the response with simulations.

For every channel, including mobile, he says, "All the same security principles apply."

For all the latest mobile trends, check out The Open Mobile Summit 2015 on November 9-10 in San Francisco.