One thing you can be sure of: wherever money changes hands is a cybercriminal’s favorite haunt, and retail stores certainly fit that description. The modern snatch-and-grab attack surface of choice for retail hackers is the millions of smartphones carried by customers, together with the point-of-sale (POS) devices and mobile retail apps used to transact with those customers.
Cyber thieves are employing device, network and application (“DNA”) attacks to steal account and payment information, undermine customer privacy, and cause damage to retailers. These mobile threats include conventional cyberattacks such as email phishing, fake customer support phone calls and SMS messages with malware download links, as well as more advanced methods including Wi-Fi network spoofing, malware and “fake retail app” delivery, ransomware, and takeover of any devices (including IoT devices often found in retail) that are connected to the Internet.
Payment hijacking and retail malware
With mobile payments poised to reach $142 billion in the US alone by 2019, PayPal, Samsung Pay, Apple Pay, Google Wallet, Amazon Pay and many others are competing with the major card services providers to handle retail POS transactions. Accepting these mobile payment methods in your own integrations can leave an opening for cybercriminals if they can compromise a device in the payment chain.
To compete with online retailers and other stores, many companies are also releasing their own branded iPhone and Android apps to deliver a multichannel shopping and loyalty experience for customers. Apps themselves may be an attack surface for data theft and unwanted adware interference: attackers entice customers to download or log in to fake versions of retailer-branded apps, which can steal customer data and money.
All forms of mobile-based fraud are particularly damaging to retailers, as merchants are frequently held liable for security lapses, losing money and brand reputation due to cyberattacks.