It’s no secret that technology is changing the retail landscape, and with that change retailers are being forced to adapt their business strategy accordingly. Today’s technologies help retailers create efficiencies, save money, and provide a better experience for their most important audience — customers.
To enhance the customer experience (CX), retailers strive for a seamless omnichannel approach. Some of the most popular emerging omnichannel components today include mobile applications, customer loyalty programs and NFC scanning technology. These technologies work to provide consumers with instant gratification and convenience; however, with these benefits also comes risk embedded within the behind-the-scenes software. Let’s explore:
Today’s retailers can no longer rely on brick-and-mortar alone. Many have made the shift to providing online products and services, but consumers want even more at their literal fingertips. Successful retailers have a frictionless mobile application to accompany their business strategy, and many have made it a focal point, with 84% prioritizing their mobile customer experience.
Consumers place a high level of trust in mobile applications and the vendors that are developing them. The truth is that these platforms face the same threats as any other, and today’s cybercriminals are taking full advantage, with the retail sector being one of the top industries to suffer breach incidents. For this reason, it’s critical that retailers deploy secure mobile applications.
To mitigate this risk, retailers should implement application security practices when creating or updating mobile apps. This can be done by training developers and security teams as well as using vetted code for common tasks. Additionally, retailers can build more secure mobile apps by integrating and automating application security checks into every phase of the software development life cycle (SDLC) or DevOps program. With testing tools integrated into all development stages, and automation keeping those checks running continuously, vulnerabilities can be identified and remediated more effectively.
Additionally, app developers should scrutinize off-the-shelf frameworks and open source components. These third-party components can provide cybercriminals with loopholes that can put an entire system at risk. A key best practice is to maintain a list of trusted software frameworks that developers stick to, saving themselves from damage down the road.
Loyalty programs have become another hot commodity, with consumers racking up points or rewards as they shop at their favorite retailers. In the past year alone, retailers like Target, Macy’s, Starbucks, Lululemon and J.Crew have created or enhanced loyalty programs, and shoppers approve of the trend, with 87% reporting that they want brands to have loyalty programs.
While the aim of these programs is to encourage repeat customers, retailers need to collect Personally Identifiable Information (PII) for customization, making them an adversary’s gold mine. While many shoppers don’t think twice about providing a low level of PII data to gain access to certain perks, they should understand that they are leaving sensitive information in the hands of someone else to protect. Making matters worse, consumers tend to not check their loyalty rewards as often as they might examine other accounts, meaning vigilance is low.
From the retailer’s perspective, it’s imperative to implement multi-factor authentication for any suspicious transactions — such as a customer repeatedly forgetting their email or adding a new international address. Additionally, retailers can enforce passive authentication methods that don’t affect the customer experience. For example, on the backend, they can determine if a customer is using a device typically associated with the account — without the shopper realizing the measure is being taken. The verification of a user’s identity can help prevent malicious cybercriminals from taking advantage of a user’s personal information and rewards.
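As an added illustration (not code from the article or from Checkmarx), here is how a loyalty backend might combine the passive device check with step-up MFA on the suspicious events the paragraph names; the account fields, the event shape and the threshold of three recovery attempts are assumptions made for the example.

```python
from dataclasses import dataclass, field

ALLOW, STEP_UP, BLOCK = "allow", "step_up_mfa", "block"
RECOVERY_LIMIT = 3   # assumed: this many recent "forgot my login" attempts is suspicious

@dataclass
class Account:
    home_country: str
    known_devices: set = field(default_factory=set)  # device IDs previously seen on the account
    recovery_attempts: int = 0                       # recent "forgot email/password" attempts

@dataclass
class Event:
    action: str          # "redeem_points", "add_address" or "recover_account"
    device_id: str       # opaque identifier the app attaches to each request
    country: str = ""    # destination country, only used for "add_address"

def risk_signals(acct: Account, ev: Event) -> list:
    """Passive checks that run on the backend without interrupting the shopper."""
    signals = []
    if ev.device_id not in acct.known_devices:
        signals.append("unknown_device")
    if acct.recovery_attempts >= RECOVERY_LIMIT:
        signals.append("repeated_recovery")
    if ev.action == "add_address" and ev.country and ev.country != acct.home_country:
        signals.append("international_address")
    return signals

def decide(acct: Account, ev: Event) -> str:
    """Known device with nothing else flagged proceeds silently; anything
    suspicious is stepped up to MFA; spending rewards from an unfamiliar
    device on an account also being hammered with recovery attempts is blocked."""
    signals = risk_signals(acct, ev)
    if not signals:
        return ALLOW
    if ev.action == "redeem_points" and len(signals) >= 2:
        return BLOCK
    return STEP_UP

def trust_device(acct: Account, device_id: str) -> None:
    """Call after a successful MFA challenge so the device passes silently next time."""
    acct.known_devices.add(device_id)
```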
NFC Scanning Technology
An increasing number of retailers have implemented NFC (Near Field Communication) technology to streamline purchases, aid customers in finding physical store locations, simplify social networking and more — all in a quick scan. But this “tap and go” technology can easily be exploited by cybercriminals if proper precautions aren’t taken by retailers.
Many assume NFC only works at short ranges — usually within four centimeters from a smartphone to the barcode. For this reason, NFC has typically been disregarded as a potential data exfiltration channel. But recent research found that NFC can be abused to transmit information at a much longer range than expected, reaching as far as 100 meters with line of sight.
Additionally, further research found that adversaries can manipulate NFC technology to send malicious links and pop-ups to users in place of the safe landing-page redirect they expect. This is yet another example of the issues that arise when convenience is prioritized in technology without security being weighted equally.
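As an added example (not from the article or from Checkmarx), here is a defensive check an app can run before following a scanned tag: it parses an NFC Forum NDEF URI record and only accepts https links to allowlisted retailer hosts. The allowlisted hosts and the sample tag bytes are constructed for the example.

```python
from urllib.parse import urlsplit

# URI identifier codes from the NFC Forum URI Record Type Definition (web-link prefixes only)
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://"}
ALLOWED_HOSTS = {"shop.example.com", "www.shop.example.com"}  # assumed retailer hosts

def build_tag(prefix_code: int, rest: str) -> bytes:
    """Construct a minimal short NDEF URI record (sample input for the example)."""
    payload = bytes([prefix_code]) + rest.encode()
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload   # 0xD1: MB|ME|SR, TNF=1

def parse_uri_record(msg: bytes) -> str:
    """Decode the URL from a single short-record NDEF message of well-known type 'U'."""
    if len(msg) < 4:
        raise ValueError("NDEF message too short")
    flags, type_len, payload_len = msg[0], msg[1], msg[2]
    if not flags & 0x10:                       # SR bit: 1-byte payload length
        raise ValueError("only short records are supported")
    if flags & 0x07 != 0x01:                   # TNF must be NFC Forum well-known type
        raise ValueError("not an NFC Forum well-known type")
    pos, id_len = 3, 0
    if flags & 0x08:                           # IL bit: an ID length byte follows
        id_len, pos = msg[3], 4
    rec_type = msg[pos:pos + type_len]
    payload = msg[pos + type_len + id_len:pos + type_len + id_len + payload_len]
    if rec_type != b"U" or payload_len < 1 or len(payload) != payload_len:
        raise ValueError("not a well-formed URI record")
    if payload[0] not in URI_PREFIXES:
        raise ValueError("unsupported URI identifier code")
    return URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8")

def safe_redirect_target(msg: bytes) -> str:
    """Return the tag's URL only if it is https and points at an allowlisted host."""
    url = parse_uri_record(msg)
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-https link: {url}")
    if parts.hostname not in ALLOWED_HOSTS or parts.username is not None:
        raise ValueError(f"refusing link to unexpected host: {url}")
    return url

def is_safe_tag(msg: bytes) -> bool:
    """Go/no-go wrapper for callers that do not need the rejection reason."""
    try:
        safe_redirect_target(msg)
        return True
    except ValueError:
        return False
```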
With greater awareness of the threat, retailers can take better precautions when rolling out NFC scanning technology, starting from the software development phase and carrying it through to testing and implementation.
Like all organizations that develop software and applications, retailers need to be taking precautions to safeguard their customers through all platforms. Through increased training and awareness, as well as working closely with developers, retailers can continue enhancing the customer experience through innovative, secure applications.
Matt Rose, Global Director of Application Security Strategy, joined Checkmarx in 2014 and has over two decades of software development, sales engineering management and consulting experience. In his role, he advises organizations’ software security and DevOps strategies and enables them to deploy Checkmarx’s solutions to protect their most critical application and software assets from today’s threat landscape. Rose has been invited to deliver talks at leading industry events including OWASP’s AppSec USA, IDG’s CSO50 Conference, ISSA and ISACA, and has been quoted in numerous news outlets such as TechTarget’s SearchSecurity, Dark Reading, and TechRepublic.