The most important endpoint of modern business is the mobile endpoint. It has largely been the fundamental baseline for technical innovation in business, helping to introduce a level of agility heretofore unseen in the corporate environment. As such, it is also one of the most dangerous attack vectors and highly vulnerable to security breaches. It is that double-edged sword which defines so much of the digital risk that businesses now face.
Mobile devices are doubtlessly driving digital transformation in countless sectors. Retail is just one, particularly pressing, example. The transformations have been profound, and the mobile device affects retail at every level. Customers use retail apps to buy merchandise, accumulate loyalty points, and engage with retail brands. Frontline staff use them to assist customers and check stock on the go. Warehouse workers use handheld scanners to manage inventory and log shipments, IT staff use them to manage their helpdesk and troubleshoot problems quickly, and corporate executives rely on them to coordinate global business events.
This industry is also increasingly adopting commercial off-the-shelf (COTS) devices over specialised equipment. This shift is driven by cost efficiency, as COTS devices are generally cheaper and more versatile, capable of performing multiple functions. They integrate more easily with existing systems, keeping up with rapid technological advancements and enhancing operational efficiency. Additionally, COTS devices offer scalability due to their widespread availability and affordability, enabling retailers to streamline operations and remain competitive in a dynamic market.
Yet, as is always the case with rapidly expanding and high-demand technologies, the mobile device has surely opened the sector to all manner of risks.
It is a sharp irony of modern digital transformation that technical innovation often actually makes us less secure. Due to a variety of factors, such as the lack of industry standards or security expertise in a given sector, this is frequently the case. Perhaps the biggest factor is the sheer expansion of the attack surface, especially when new technology is introduced without careful management and oversight.
Threats to the mobile device in retail
Retail threats from mobile devices emanate from their dual-use function as both personal and corporate devices. In essence, the threats that confront those devices rely on the personal liberty that mobile devices afford their users and the network connections that those devices maintain.
That “personal” quality provides an easy entry point for attackers, who can easily hop from a weak vector in an employee’s mobile device to their employer’s treasure trove of access and data.
There are a number of threats that are common wherever mobile devices are used. Perhaps the most widespread are phishing and social engineering attacks. Malicious entities can target retail staff with wide-net phishing attacks which coax unsuspecting users into clicking on malicious links or carrying out other potentially destructive actions without their knowledge. Similarly, spear-phishing attacks take the form of personal messages to staff from supposed colleagues, managers or executives. Using the authority of their assumed identity, the malicious actor tries to trick the victim into seemingly legitimate actions, which ultimately help the perpetrators pull off their attack.
Furthermore, there are plenty of malicious applications and less-than-trustworthy app stores. These often act as trojan horses. Once downloaded to an employee’s phone, often in the guise of lifestyle apps, they try to gain access permissions and collect all the data they can. A retail employee need only walk into the shop or office they work at to turn their personal infected mobile device into a corporate espionage device.
Similarly, unsecured Wi-Fi networks pose a threat in many retail stores. Without the proper steps taken to secure them, they can be a source of serious risk to mobile devices. One of the principal problems is that mobile devices often connect automatically to any network whose name they already know, which becomes a real problem when that Wi-Fi is insecure.
Perhaps most pressing of all these potential points of risk are those around Point-of-Sale (POS) software. Mobile devices are increasingly being used to run POS capabilities in retail settings. This often makes the mobile device the site of the most crucial transaction in the entire industry - the actual exchange of goods for currency. The reliance on mobile devices to carry out these functions exposes that transaction to a number of risks like malware, tampering, device vulnerabilities, application exploits and network attacks which give attackers access to compromise that transaction directly.
Applications like SoftPOS have proved remarkably popular in recent years. Tap on Phone, for example, is a mobile application that lets merchants use the NFC readers on their COTS smartphones to accept payments for goods and services. It has proved a huge boon to retailers, who no longer have to buy specialised equipment to transact with their customers. In so doing, it lowered the bar to entry for many, especially small business owners and creators, while offering better service to customers.
Despite the annual certifications these apps must obtain, they are also susceptible to runtime attacks. Where code and runtime protection is insufficient, attackers can use malware to infiltrate the mobile app, reverse-engineer it, and exfiltrate IP, data and cryptographic keys.
The risks go further than the potential for malicious compromise, though. Vendors who take card payments are governed by stringent security standards, including PCI DSS, MPoC and EMVCo. Failure to meet those standards risks penalties from those bodies, including being restricted from accepting payments through the world’s largest payment providers.
Rewards always come with risks
This gets to the core of the problem. Too often, mobile devices are assumed to be inherently secure without considering how they can become a serious risk.
Mobile devices have primarily been designed as open environments which privilege user freedom and agility. Unfortunately, the blend of personal and professional is the point at which risk is introduced, and thus it is also the point which must be policed. All this is to say that mobile protection must begin with the device. Integrating Mobile Threat Defense (MTD) solutions with mobile device management (MDM) can go a long way towards achieving this goal. MTD identifies and mitigates malicious activity on mobile devices, even when they are not connected to the network. Meanwhile, MDM provides a top-down management capability to provision mobile devices within a given organisation, enforce security policies, and shut down mobile connections when security risks arise.
The rise of mobile devices in retail has doubtlessly had a transformative effect. Inasmuch as the mobile device provides specific benefits to the sector, it also introduces specific risks. Yet, whatever the specificities of this particular sector, it is a microcosmic example of the larger effects that the mobile endpoint has had on businesses in every sector. According to one report, 59% of C-suite leaders admit that their business is either partially or fully reliant on mobile devices. Unfortunately, that same report shows that only 28% of Chief Information Security Officers say their organisation lacks a strategy for mobile devices. Rewards must be taken with full respect to the risks involved. Failing to do so risks damaging the potentially transformative benefits that mobile devices offer the retail space, and everywhere else.