Cyber Monday: What Retailers & Shoppers Should Watch For

Published: 22/11/2024   Category: security




Attackers have a variety of ways to commit fraud and may take advantage of the busy season to sneak in a data breach.



While store managers and salespeople gear up for long lines, social engineering, and point-of-sale malware on Black Friday, CIOs and development teams gear up for fraudulent online purchases and Web-based data breaches on Cyber Monday.
The most immediate concern is anything that prevents a retailer from making money, like a denial of service attack on an online shop or mobile purchasing app -- or a security measure that causes impatient customers to take their business elsewhere. Threats that may cost a retailer money -- like shipping fraud or chargebacks for fraudulent purchases made with stolen credit cards, or gift cards bought with stolen credit card data -- are secondary. Data breaches of customer payment card records or other information fall to the bottom of the priority list.
As the Retail Cyber-Intelligence Sharing Center (R-CISC) explained in advice to members about holiday hacking season: "Downtime is expensive, but especially so at this time of year. Retail staff is motivated and focused on sales, at the risk of possibly allowing fraudulent transactions or other types of breaches."
[Read about PoS malware and new ways to trick new payment technology in Black Friday: Brick-and-Mortar Retailers Have Cyber Threats Too.]
Suni Munshani, CEO of Protegrity, says attackers know all this well and can take advantage of retailers' priorities, as well as the fact that shopping patterns are different during the holiday season than they are the rest of the year.
On a big shopping day, he says, it's harder to zero in on fraudulent behavior and respond to it quickly.
According to the R-CISC: "Retailers see much higher volume peaks, especially at sale times, both in stores and online. This makes it harder to detect anomalous traffic, and it's impractical to block IP ranges based on geography, because online sales can be global."
Much of the fraud committed during the holiday season won't be dealt with until January 15, says Munshani.
Plus, Munshani says that attackers will steal anything that can be monetized, which extends beyond cardholder data. Attackers may also grab information about what items stores are planning to order and where they're being shipped.
"Visibility into the supply chain can provide a competitive advantage," says Munshani. "If I wanted to leverage that data in the financial markets, I could leverage that in a heartbeat."
How are attackers likely to compromise retailers online this season?
Via vulnerable web apps
"[Poor] patching and weak application security were two of the underlying themes across all retailers, weak and strong," says Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard, which released a new report on retail security this week.
Yampolskiy says that even the top-performing retailers they studied were often vulnerable to POODLE and FREAK. Plus, 100 percent of retailers were found with Web application vulnerabilities or server misconfigurations. They were particularly prone to troubles in their content management systems (CMS).
"Some of these retailers are brick and mortar," Yampolskiy says. "Doing good IT is not part of their core competence." That said, some of the top-performing retailers online are ones that are primarily brick-and-mortar businesses.
SecurityScorecard did not find any correlation between security practices and what kinds of goods a business sells -- food, furniture, or footballs. The top performers, according to SecurityScorecard, are: Guess (clothing), Dick's Sporting Goods, Brookshire's (grocery store), Quiznos (fast food franchise), DyersOnline.com (automotive supplies), Moen (housewares), American Greetings (greeting cards), and BackCountry.com (clothing).
Via mobile devices
More and more consumers are doing their shopping from mobile devices. Adobe, in its Digital Index Online Shopping Predictions, predicted that on Thanksgiving Day mobile devices will for the first time overtake desktops as the top device for online shopping. Iovation predicts that between Black Friday and Cyber Monday, 48% of all retail transactions will be made from mobile phones and tablets. This is higher than the overall percentage through the year thus far, which is 41%, according to Iovation.
The good news, according to Iovation VP of Product Scott Olson: "We still see fraud rates a little lower on mobile, because it's harder to automate on mobile."
Yet, according to a study by Bluebox, released today, there are plenty of security vulnerabilities lurking within the top three one-click purchase apps from merchants and the top two peer-to-peer payment apps used to send monetary gifts to family and friends.
Bluebox researchers found that all of those apps were vulnerable to tampering that would allow funds to be rerouted to accounts controlled by attackers, and that none of the apps encrypted data written to disk.
Via online auctions
There's also triangulation fraud, which Olson says is a very clever way to monetize stolen cards.
A triangulation fraudster sets up an online auction for an item they don't actually possess -- say, a high-end camera. When the auction ends, the attacker uses a stolen payment card to purchase that same camera from a store and has it shipped to the winning bidder.
The bidder gets their purchase. The attacker pockets the bidder's payment. (It doesn't matter to the attacker if the bidder paid $100 for an item that cost $500 at the store, because the attacker paid that $500 with someone else's money. Their net gain is still $100.)
The fraud is for the unlucky cardholder, their bank, and the retailer to sort out.
Via gift cards
Another popular way for attackers to monetize stolen payment card data is through online gift card purchases.
Retailers can't do without the revenue made from gift cards, so they have attempted to offload the headache and the liability for gift card fraud by outsourcing it to third-party fulfillment services like CashStar. According to SecurityScorecard, the practice seems to be effective.
"CashStar does seem to be pretty good at reducing fraud," says Alex Heid, chief of research at SecurityScorecard. Chatter on the underground seems to confirm it, he says, referencing frustrations voiced on hacker forums.

Better defense
Munshani says that retailers and security companies have already made huge advancements in Web security measures, to improve authorization and reduce fraud without increasing the friction that makes impatient consumers decide to take their business elsewhere.
He recommends systems that request second factors of authentication only when a site user or payment accountholder exhibits anomalous behavior. For example, he says, when a user connects from an unfamiliar device, issue a second factor, like an SMS verification code. When a purchase is made for a large amount or from a region an accountholder is not usually traveling in, send a message to confirm the purchase.
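The risk-based step-up policy Munshani describes, written out as an added example (not code from the article or from Protegrity): the profile fields, the "3x the typical amount counts as large" threshold, and the sample account are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed account profile: what the retailer has previously seen for this
# accountholder. A brand-new account has empty sets and typical_amount == 0.0.
@dataclass
class AccountProfile:
    known_devices: set = field(default_factory=set)
    usual_regions: set = field(default_factory=set)
    typical_amount: float = 0.0  # smoothed average of past confirmed purchases

@dataclass
class Purchase:
    device_id: str
    region: str
    amount: float

# Hypothetical threshold: more than 3x the usual spend is treated as "large".
LARGE_MULTIPLIER = 3.0

def step_up_decision(profile: AccountProfile, purchase: Purchase) -> dict:
    """Decide what extra friction, if any, to apply to a purchase.

    Rules follow the article: unfamiliar device -> SMS code; large amount or
    unusual region -> confirmation message; nothing anomalous -> just allow.
    Region and amount checks are skipped when the profile has no history yet,
    so a first purchase on a known device is not challenged for being "unusual".
    """
    reasons = []
    if purchase.device_id not in profile.known_devices:
        reasons.append("unfamiliar_device")
    if profile.usual_regions and purchase.region not in profile.usual_regions:
        reasons.append("unusual_region")
    if profile.typical_amount and purchase.amount > LARGE_MULTIPLIER * profile.typical_amount:
        reasons.append("large_amount")
    if not reasons:
        return {"action": "allow", "reasons": []}
    if "unfamiliar_device" in reasons:
        return {"action": "sms_code", "reasons": reasons}
    return {"action": "confirm_purchase", "reasons": reasons}

def record_confirmed(profile: AccountProfile, purchase: Purchase) -> None:
    """Update the profile after the second factor succeeded (or none was needed),
    so the same device or region does not trigger a challenge every time."""
    profile.known_devices.add(purchase.device_id)
    profile.usual_regions.add(purchase.region)
    if profile.typical_amount == 0.0:
        profile.typical_amount = purchase.amount
    else:  # exponential moving average keeps one large sale from skewing "typical"
        profile.typical_amount = 0.8 * profile.typical_amount + 0.2 * purchase.amount
```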
