70% of Retail Apps Vulnerable to Cyber Attacks, Says Study

According to research released by software analysis company CAST, 70 percent of retail applications are vulnerable to input validation attacks such as SQL injection and Heartbleed.

Photo: Tyler Olson / Shutterstock

Financial services were a close second with 69 percent vulnerability. These results are surprising because almost 80 percent of attacks on retail industries are related to input validation.

Given the alarming rate of attacks on the retail industry, proper measures should have been taken to prevent these age-old hacking techniques. The vulnerability is mainly attributed to poor code quality.

The research group was led by Lev Lesokhin, the executive vice president at CAST.

“So long as IT organisations sacrifice software quality and security for the sake of meeting unrealistic schedules, we can expect to see more high-profile attacks leading to the exposure and exploitation of sensitive customer data,” said Lesokhin.

“Businesses handling customer financial information have a responsibility to improve software quality and reduce the operational risk of their applications – not only to protect their businesses, but ultimately their customers.”

The security problems related to the retail sector are mainly due to the lack of secure application development practices, disputes between brands, and a lack of oversight by people who develop and install these applications.

Another report from Verizon Enterprise revealed that input validation vulnerabilities were used in almost 80 percent of the attacks against the retail industry. The largest casualty was perhaps eBay, whose breach exposed more than 145 million records.
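To make concrete what an input validation violation of the kind counted in these studies looks like, here is an added illustration, not code from CAST, Verizon or any retailer named in the article. It puts a query that splices untrusted input into SQL text next to its parameterized form and a simple allowlist validator, using a constructed in-memory SQLite table (the schema and sample rows are assumptions for the demonstration).

```python
import re
import sqlite3

# Constructed sample data standing in for a retail application's customer table
# (assumption: real schemas differ; this is only for the demonstration).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [
            ("alice@example.com", "1234"),
            ("bob@example.com", "5678"),
            ("carol@example.com", "9012"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # Input validation violation: the untrusted value becomes part of the SQL
    # statement itself, so quote characters in it change the query's meaning.
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, email: str) -> list:
    # Parameterized query: the driver passes the value separately from the
    # statement, so it can only ever be compared as data.
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Allowlist validation at the boundary: reject anything that is not shaped
# like an e-mail address before it reaches the data layer. This complements,
# rather than replaces, the parameterized query.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_email(value: str) -> bool:
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None


def demo() -> dict:
    conn = make_db()
    benign = "alice@example.com"
    # Constructed hostile input: a tautology that turns the WHERE clause into
    # "email = 'x' OR '1'='1'", which matches every row.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "hardened_hostile": len(lookup_hardened(conn, hostile)),
        "validated_hostile": validate_email(hostile),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script, the vulnerable lookup returns every customer row for the hostile input, while the parameterized lookup returns none and the validator rejects the input outright. A static analyser of the kind CAST describes flags the string-built statement in `lookup_vulnerable` as an input validation violation regardless of whether anyone has yet exploited it.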

The National Retail Foundation supports data security for retail outlets, and it blames the financial service industry for vulnerabilities. The NRF says in an article that banks use outdated magnetic stripes, which require retailers to hold a lot of data.

Meanwhile, US-CERT has again updated its advisory about Backoff, the malware behind the attacks on major retail stores. This recent attack is estimated to have affected almost 1,000 businesses.

According to Brian Krebs, the credit card data of Dairy Queen has also been breached.

Although there is no concrete evidence yet, the site said it had been contacted by the fraud detection department of a credit union regarding fraudulent transactions made with cards that had been used at Dairy Queen. Although the brand has not confirmed that any data was stolen, a breach remains possible.

“According to the credit union, more than 50 customers had been victimized by a blizzard of card fraud just in the past few days alone after using their credit and debit cards at Dairy Queen locations — some as far away as Florida — and the pattern of fraud suggests the DQ stores were compromised at least as far back as early June 2014,” as reported by Krebs on Security.

According to the research done by CAST, government IT departments had the highest percentage of applications (61 percent) with no input validation violations. Independent software contractors came in last with just 12 percent of applications without violations. The financial sector had the highest number (224) of input validation violations for each application.

CAST found that there is a correlation between the robustness of an application and its security. “Some security experts argue software security is different from software quality and should be treated separately,” explained Dr. Bill Curtis, the CRASH Report author. “The CRASH Report data proves this is false. Badly-constructed software won’t just cause systems to crash, corrupt data, and make recovery difficult, but also leaves numerous security holes.”

Lesokhin illustrated the problem with a passage from the Code of Hammurabi: “If a builder builds a house for someone, and does not construct it properly and the house falls in and kills its owner, then that builder shall be put to death.”

He feels that the poor construction of applications is due to management problems within IT.

CAST mainly works with enterprise departments, but Lesokhin believes that this problem is present in big application development houses as well.

He said that clean code would solve many issues, as it leads to higher security. There are many reasons why applications don’t have clean code. In the finance sector, there is pressure to bring applications to market quickly. In the retail sector, by contrast, companies try to spend less on secure software development.

Will the coming applications be more secure? He wonders if the regular news of data breaches has made companies believe that things will never get better so there is no point in trying, making it a case of learned helplessness. However, security is not very difficult to achieve. If vendors put more focus on clean code development, such incidents can be avoided in the future.