Cyber criminals don't just want your data, they're after your money as well. As retail crime reaches an all-time high, Sophie Curtis discovers how hackers are getting their hands on your cash
You may think that shopping on your local high street or buying something online using 'Verified by Visa' is fairly safe, but as far as cyber criminals are concerned, every transaction you make is an opportunity to steal your money.
The British Retail Consortium published a report this week claiming that retail crime reached an all-time high during 2013-2014. Fraud (including cyber-enabled fraud) increased by 12 per cent during the year, and the BRC warned that this poses the single most significant threat to retail businesses over the next two years.
According to cyber security firm Sophos, there is a significant gap between the perceived level of security held by UK retailers and consumers, and the level of security that is physically in place at retail establishments across the nation.
The majority of retailers rely primarily on barebones protection, such as firewalls and antivirus, and 72 per cent admit they have not implemented basic encryption to safeguard their customers' data.
According to James Lyne, global head of research at Sophos, there is significant overconfidence and lack of awareness surrounding cyber security in the retail sector.
In order to drive home his point, he demonstrated five ways that hackers can steal money from shoppers, using a few hundred pounds worth of equipment that he bought on Amazon.
1. Traditional credit card cloning
The first method involved cloning a credit card by lifting the information from the magnetic stripe on the back.
Although most modern cards in the UK now use chip and pin, transactions in America are still carried out using the magstripe, so any transactions that are carried out in America, or use a payment processor in the United States, will use the magstripe.
Lyne showed how, by simply swiping a credit card through a magnetic stripe card reader/writer that he bought on Amazon for £30, he was able to copy the details and then write them onto another card, which he could then use to purchase goods.
"You can imagine if you had a miniature version of that device, you could capture thousands of swipes, replicate them onto some cards, and all of a sudden you’ve got a pretty substantial amount of money across a random base of customers that’s hard to correlate," he said.
2. Chip and PIN
Chip and pin machine
Chip and PIN cards are harder to clone, because unlike the magstripe, which hands over all its information as soon as you swipe it, it only allows you to ask it questions.
"So you can’t say 'What’s the PIN?' And read it. But you can say 'Here is what I think the PIN is and how you modify it, is that right?'," Lyne explained.
For Chip and PIN crime, cyber criminals will therefore generally carry out a two-pronged attack, which involves inserting a card reader into an ATM and installing a small camera above the number pad, so they can record the digits as they are being pressed.
Lyne said that, if a criminal succeeds in cloning and Chip and PIN card, it can be very difficult for retailers to detect. However, it is a lot more difficult and dangerous than cloning a magstripe, so it is less common that other types of fraud.
3. POS terminals
Checkout
For larger-scale cyber fraud, hackers have been known to target point of sale (POS) terminals in shops.
The best known example of this is the attack on the Target retail chain in the US, where malware was installed on the POS terminals, allowing criminals to siphon off card details.
Lyne showed how he could create a 'back door' into a computer running a POS system using a phishing attack, and then steal a copy of the computer's memory using a simple software tool.
Once he had a copy of the computer's memory, he could search through it for the transaction process executable file, and then extract a list of credit card numbers, with corresponding expiry dates and CVV numbers, that had been used on that terminal.
The list only went back as far as the computer's memory, but he said that it was very realistic for a cyber criminal to be able to gather a day’s worth of data in this way. The criminal could also sit in the background over an extended period of time and gather much more.
"What this is really taking advantage of is that lost boundary of a physical separate device, and the fact we’ve blurred it with something that does internet browsing, email and everything else at the same time," said Lyne.
You may think that shopping on your local high street or buying something online using 'Verified by Visa' is fairly safe, but as far as cyber criminals are concerned, every transaction you make is an opportunity to steal your money.
The British Retail Consortium published a report this week claiming that retail crime reached an all-time high during 2013-2014. Fraud (including cyber-enabled fraud) increased by 12 per cent during the year, and the BRC warned that this poses the single most significant threat to retail businesses over the next two years.
According to cyber security firm Sophos, there is a significant gap between the perceived level of security held by UK retailers and consumers, and the level of security that is physically in place at retail establishments across the nation.
The majority of retailers rely primarily on barebones protection, such as firewalls and antivirus, and 72 per cent admit they have not implemented basic encryption to safeguard their customers' data.
According to James Lyne, global head of research at Sophos, there is significant overconfidence and lack of awareness surrounding cyber security in the retail sector.
In order to drive home his point, he demonstrated five ways that hackers can steal money from shoppers, using a few hundred pounds worth of equipment that he bought on Amazon.
1. Traditional credit card cloning
The first method involved cloning a credit card by lifting the information from the magnetic stripe on the back.
Although most modern cards in the UK now use chip and pin, transactions in America are still carried out using the magstripe, so any transactions that are carried out in America, or use a payment processor in the United States, will use the magstripe.
Lyne showed how, by simply swiping a credit card through a magnetic stripe card reader/writer that he bought on Amazon for £30, he was able to copy the details and then write them onto another card, which he could then use to purchase goods.
"You can imagine if you had a miniature version of that device, you could capture thousands of swipes, replicate them onto some cards, and all of a sudden you’ve got a pretty substantial amount of money across a random base of customers that’s hard to correlate," he said.
2. Chip and PIN
Chip and pin machine
Chip and PIN cards are harder to clone, because unlike the magstripe, which hands over all its information as soon as you swipe it, it only allows you to ask it questions.
"So you can’t say 'What’s the PIN?' And read it. But you can say 'Here is what I think the PIN is and how you modify it, is that right?'," Lyne explained.
For Chip and PIN crime, cyber criminals will therefore generally carry out a two-pronged attack, which involves inserting a card reader into an ATM and installing a small camera above the number pad, so they can record the digits as they are being pressed.
Lyne said that, if a criminal succeeds in cloning and Chip and PIN card, it can be very difficult for retailers to detect. However, it is a lot more difficult and dangerous than cloning a magstripe, so it is less common that other types of fraud.
3. POS terminals
Checkout
For larger-scale cyber fraud, hackers have been known to target point of sale (POS) terminals in shops.
The best known example of this is the attack on the Target retail chain in the US, where malware was installed on the POS terminals, allowing criminals to siphon off card details.
Lyne showed how he could create a 'back door' into a computer running a POS system using a phishing attack, and then steal a copy of the computer's memory using a simple software tool.
Once he had a copy of the computer's memory, he could search through it for the transaction process executable file, and then extract a list of credit card numbers, with corresponding expiry dates and CVV numbers, that had been used on that terminal.
The list only went back as far as the computer's memory, but he said that it was very realistic for a cyber criminal to be able to gather a day’s worth of data in this way. The criminal could also sit in the background over an extended period of time and gather much more.
"What this is really taking advantage of is that lost boundary of a physical separate device, and the fact we’ve blurred it with something that does internet browsing, email and everything else at the same time," said Lyne.