11/24/2015 04:00 PM
Cyber Monday: What Retailers & Shoppers Should Watch For

Attackers have a variety of ways to commit fraud and may take advantage of busy time to sneak in a data breach.

While store managers and salespeople gear up for long lines, social engineering, and point-of-sale malware on Black Friday, CIOs and development teams gear up for fraudulent online purchases and Web-based data breaches on Cyber Monday.

The most immediate concern is anything that prevents a retailer from making money, like a denial of service attack on an online shop or mobile purchasing app -- or a security measure that causes impatient customers to take their business elsewhere. Threats that may cost a retailer money -- like shipping fraud, or chargebacks for fraudulent purchases made with stolen credit cards or with gift cards bought using stolen credit card data -- are secondary. Data breaches of customer payment card records or other information fall to the bottom of the priority list.

As the Retail Cyber-Intelligence Sharing Center (R-CISC) explained in advice to members about holiday "hacking season": "Downtime is expensive, but especially so at this time of year. Retail staff is motivated and focused on sales, at the risk of possibly allowing fraudulent transactions or other types of breaches."

[Read about PoS malware and new ways to trick new payment technology in "Black Friday: Brick-and-Mortar Retailers Have Cyber Threats Too."]

Suni Munshani, CEO of Protegrity, says attackers know all this well and can take advantage of retailers' priorities, as well as the fact that shopping patterns are different during the holiday season than they are the rest of the year.

"On a big shopping day," he says, "it's harder to zero in on fraudulent behavior and respond to it quickly."

Image Source: Kevin Marks via Flickr

According to the R-CISC: "Retailers see much higher volume peaks, especially at sale times, both in stores and online. This makes it harder to detect anomalous traffic, and it's impractical to block IP ranges based on geography, because online sales can be global."

Much of the fraud committed during the holiday season won't be dealt with until January 15, says Munshani.

Plus, Munshani says that attackers will steal "anything that can be monetized," which extends beyond cardholder data. Attackers may also grab information about what items stores are planning to order and where they're being shipped.

"Visibility into the supply chain can provide a competitive advantage," says Munshani. "If I wanted to leverage that data in the financial markets, I could leverage that in a heartbeat."

How are attackers likely to compromise retailers online this season?

Via vulnerable web apps

"[Poor] patching and weak application security were two of the underlying themes across all retailers, weak and strong," says Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard, which released a new report on retail security this week.

Yampolskiy says that even the top-performing retailers they studied were often vulnerable to POODLE and FREAK. Plus, 100 percent of retailers were found with Web application vulnerabilities or server misconfigurations. They were particularly prone to trouble in their content management systems (CMS).

"Some of these retailers are brick and mortar," Yampolskiy says. "Doing good IT is not part of their core competence." That said, some of the top-performing retailers online are ones that are primarily brick-and-mortar businesses.

SecurityScorecard did not find any correlation between security practices and what kinds of goods a business sells -- food, furniture, or footballs. The top performers, according to SecurityScorecard, are: Guess (clothing), Dick's Sporting Goods, Brookshire's (grocery store), Quizno's (fast food franchise), DyersOnline.com (automotive supplies), Moen (housewares), American Greetings (greeting cards), and BackCountry.com (clothing).

Via mobile devices

More and more consumers are doing their shopping from mobile devices. Adobe, in its Digital Index Online Shopping Predictions, predicted that on Thanksgiving Day, mobile devices will for the first time overtake desktops as the top device for online shopping. Iovation predicts that between Black Friday and Cyber Monday, 48% of all retail transactions will be made from mobile phones and tablets. This is higher than the overall percentage for the year thus far, which is 41%, according to Iovation.

The good news, according to Iovation VP of Product Scott Olson: "We still see fraud rates a little lower on mobile, because it's harder to automate on mobile."

Yet, according to a study by Bluebox, released today, there are plenty of security vulnerabilities lurking within the top three one-click purchase apps from merchants and the top two peer-to-peer payment apps used to send monetary gifts to family and friends.

Bluebox researchers found that all of those apps were vulnerable to tampering that would allow funds to be rerouted to accounts controlled by attackers and that none of the apps encrypted data written to disk.

Via online auctions

There's also "triangulation fraud," which Olson says is "a very clever way to monetize stolen cards."

A triangulation fraudster sets up an online auction for an item they don't actually possess -- say, a high-end camera. When the auction ends, the attacker uses a stolen payment card to purchase that same camera from a store and has it shipped to the winning bidder.

The bidder gets their purchase. The attacker pockets the bidder's payment. (It doesn't matter to the attacker if the bidder paid $100 for an item that cost $500 at the store, because the attacker paid that $500 with someone else's money. Their net gain is still $100.)

The fraud is for the unlucky cardholder, their bank, and the retailer to sort out.

Via gift cards

Another popular way for attackers to monetize stolen payment card data is through online gift card purchases.

Retailers can't do without the revenue made from gift cards, so they have attempted to offload the headache and the liability for gift card fraud by outsourcing it to third-party fulfillment services like CashStar. According to SecurityScorecard, the practice seems to be effective.

"CashStar does seem to be pretty good at reducing fraud," says Alex Heid, chief of research at SecurityScorecard. "Chatter on the underground seems to confirm it," he says, referencing frustrations voiced on hacker forums.


Better defense

Munshani says that retailers and security companies have already made huge advancements in Web security measures, to improve authorization and reduce fraud without increasing the "friction" that makes impatient consumers decide to take their business elsewhere.

He recommends systems that request second factors of authentication only when a site user or payment accountholder exhibits anomalous behavior. For example, he says, when a user connects from an unfamiliar device, issue a second factor, like an SMS verification code. When a purchase is made for a large amount, or from a region the accountholder does not usually travel in, send a message to confirm the purchase.
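One way to express the step-up rule Munshani describes, as an added example that is not code from the article or from Protegrity: a purchase is challenged only when it deviates from the account's own baseline (unknown device, region outside the accountholder's usual ones, or an amount well above the account's median spend); the profile structure, the 5x multiplier and the 1000 floor are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from statistics import median

# Constructed account profile and purchase event; not data from the article.
@dataclass
class AccountProfile:
    known_devices: set
    home_regions: set
    past_amounts: list = field(default_factory=list)

@dataclass
class Purchase:
    device_id: str
    region: str
    amount: float

LARGE_MULTIPLIER = 5.0   # assumed: "large" means 5x the account's median spend
ABSOLUTE_LARGE = 1000.0  # assumed floor for accounts with no purchase history

def step_up_decision(profile, purchase):
    """Return the extra checks to require for this purchase.
    Familiar device, usual region and normal amount -> [] (no added friction)."""
    checks = []
    # Unfamiliar device: require a second factor (e.g., SMS code) first.
    if purchase.device_id not in profile.known_devices:
        checks.append("second_factor")
    # Large amount relative to this account's history, or a region the
    # accountholder does not usually transact from: confirm the purchase.
    baseline = median(profile.past_amounts) if profile.past_amounts else None
    threshold = baseline * LARGE_MULTIPLIER if baseline else ABSOLUTE_LARGE
    if purchase.amount >= threshold or purchase.region not in profile.home_regions:
        checks.append("confirm_purchase")
    return checks

def record_success(profile, purchase):
    """Call only after the purchase completed and any challenge was passed:
    learn the device and amount so the baseline tracks real behaviour.
    Regions are deliberately not learned automatically."""
    profile.known_devices.add(purchase.device_id)
    profile.past_amounts.append(purchase.amount)
```

A verified purchase from a new device makes that device familiar, so the shopper is challenged once rather than on every later checkout.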

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Joe Stanganelli, User Rank: Ninja, 12/1/2015 | 8:21:17 AM
Re: Re
I'm just cheap and don't buy anything. ;)
Joe Stanganelli, User Rank: Ninja, 12/1/2015 | 8:20:02 AM
Re: Black Monday DDoS
Of course, that's also when companies are most vigilant.

But what about another high-traffic day... say, two days before Christmas?
Dr.T, User Rank: Ninja, 11/30/2015 | 12:21:46 PM
Re: Thanks for Sharing
Agree. Fraud is always going up; attacks are also concentrating on vulnerable periods, such as the Xbox attack on Christmas day. :--))
Dr.T, User Rank: Ninja, 11/30/2015 | 12:19:10 PM
Re: Via vulnerable web apps
I said it should. We may not be able to prove the correlation, but companies not paying attention to reverse social engineering attacks would most likely not pay attention to security.
Dr.T, User Rank: Ninja, 11/30/2015 | 12:16:32 PM
Re: Re
Ok. Good deal, one day is a good strat. If we can do that the rest of our lives then we are good to go. :--))
Dr.T, User Rank: Ninja, 11/30/2015 | 12:15:10 PM
Re: Reminder
Good suggestion; you may use your Apple Pay or Google Wallet, though.
Dr.T, User Rank: Ninja, 11/30/2015 | 12:14:11 PM
Black Monday DDoS
If you want to do a DDoS attack, Cyber Monday is the best opportunity for the worst damage. Companies that are relying on Cyber Monday profits should keep that in mind.
Sagiss, LLC, User Rank: Strategist, 11/30/2015 | 11:44:14 AM
Thanks for Sharing
Thanks for sharing, Sara! It's definitely more important than ever that shoppers keep a wary eye out, as online fraud usually spikes during the holiday season.
Joe Stanganelli, User Rank: Ninja, 11/29/2015 | 12:02:03 AM
Re: Via vulnerable web apps
On a related note, DEF CON every year hosts the social engineering capture-the-flag contest, wherein people socially engineer key data "flags" out of Fortune 500 companies; I wonder if the list of worse-performing companies in SECTF, social engineering-wise, correlates in any way to technical security.
RyanSepe, User Rank: Ninja, 11/28/2015 | 9:36:42 PM
Via vulnerable web apps
Is there a list of the worst performers?