11/23/2020 09:00 AM
Sunil Potti
Commentary
How Retailers Can Fight Fraud and Abuse This Holiday Season

Online shopping will be more popular than ever with consumers... and with malicious actors too.

The pandemic has had a significant impact on retailers across the spectrum, from apparel brands to grocery stores to big-box retailers. While each category of retail has faced its own specific challenges, one theme has been common across the industry: increased demand and traffic on online platforms.

As retailers rush to meet this online demand, many have had to fast-track their digital roadmaps and establish new processes to launch omnichannel services such as BOPIS (buy online, pick up in store) and curbside pickup.


Many retailers know that when it comes to reliability, a single second of lag can mean the difference between a sale and an abandoned cart. Research shows that nearly 90% of consumers would leave a website, and 30% of shoppers would think twice about being a return customer, if a website were too slow. But the sudden shift to online shopping has also exposed new attack surface that retailers must secure.

Case in point: Since March 2020, our security service reCAPTCHA, which protects websites from fraud and abuse, has seen a 40% increase in usage. Businesses and services that previously saw most of their users in person have shifted to online-first or online-only models. This increased demand for online services and transactions exposes businesses to various forms of online fraud and abuse; in fact, 8% of online business revenue today is lost to fraud and account takeovers. And there is no busier online shopping time than the holiday season.

It's never been more crucial for retailers to protect their customers as they use their online services. Despite traditionally being an in-store holiday, Black Friday topped Cyber Monday in 2019 as the busiest day for online purchases with 93.2 million shoppers compared with 83.3 million. This year, many retailers have decided to close their doors on Thanksgiving and are rolling out online promotions and deals throughout November and December, to keep shoppers and employees safe. We're planning for a "peak on peak" online holiday shopping season for 2020.   

As shoppers seek to take advantage of the hottest bargains and retailers prepare for a predominantly online holiday shopping season, cybercriminals are looking to take advantage of vulnerable IT systems and websites. There are several automated threats businesses must watch for to protect against brand damage and losses to the bottom line. For example, attackers use leaked credentials to hijack user accounts (credential stuffing) and stolen credit cards to make fraudulent purchases.

Elevated basket abandonment, a higher proportion of failed payment authorizations, and disproportionate use of the payment step relative to the rest of the site are all possible signs of card cracking, in which attackers run stolen or partially known card data through the checkout to find details that authorize. Denial-of-inventory attacks are another concern: attackers take e-commerce items out of circulation by adding large quantities to a cart or basket and never proceeding to checkout, which creates stock-outs and prevents legitimate buyers from making a purchase.
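The signals above can be computed from ordinary checkout telemetry. The following is an added example (not code from the article or from Google) that runs the three heuristics just described over a small set of constructed checkout events: basket abandonment rate, per-IP payment-step abuse for card cracking, and per-SKU units held in never-completed carts for denial of inventory. The event field names, step names, IP addresses, SKUs, stock levels and all thresholds are assumptions chosen for the example; a real deployment would tune them against its own baseline traffic.

```python
from collections import defaultdict

# Constructed sample checkout events (not real traffic). The field names,
# step names and IP addresses are assumptions for this example.
SAMPLE_EVENTS = [
    # A legitimate shopper: browse, add one item, pay once, complete checkout.
    {"session": "legit-1", "ip": "198.51.100.7", "step": "view"},
    {"session": "legit-1", "ip": "198.51.100.7", "step": "add_to_cart", "sku": "SKU-1", "qty": 1},
    {"session": "legit-1", "ip": "198.51.100.7", "step": "payment", "outcome": "ok"},
    {"session": "legit-1", "ip": "198.51.100.7", "step": "checkout_complete"},
    # Card cracking: one IP drives many fresh sessions straight to the payment
    # step; most authorizations are declined, a few cards turn out to work.
    *[{"session": f"crack-{i}", "ip": "203.0.113.5", "step": "payment",
       "outcome": "declined" if i % 4 else "ok"} for i in range(8)],
    {"session": "crack-0", "ip": "203.0.113.5", "step": "view"},
    # Denial of inventory: carts filled with most of a SKU's stock, never paid for.
    {"session": "hoard-1", "ip": "203.0.113.9", "step": "add_to_cart", "sku": "SKU-1", "qty": 10},
    {"session": "hoard-2", "ip": "203.0.113.9", "step": "add_to_cart", "sku": "SKU-1", "qty": 5},
    # An ordinary abandoned cart on a well-stocked item: must not be flagged.
    {"session": "legit-2", "ip": "192.0.2.44", "step": "add_to_cart", "sku": "SKU-2", "qty": 2},
]

# Constructed on-hand inventory per SKU.
STOCK = {"SKU-1": 20, "SKU-2": 100}


def _completed_sessions(events):
    return {e["session"] for e in events if e["step"] == "checkout_complete"}


def abandonment_rate(events):
    """Share of sessions that added to a cart but never completed checkout.
    Compare against the site's normal baseline; a sudden rise is the signal."""
    carts = {e["session"] for e in events if e["step"] == "add_to_cart"}
    if not carts:
        return 0.0
    abandoned = carts - _completed_sessions(events)
    return len(abandoned) / len(carts)


def card_cracking_suspects(events, min_attempts=5, decline_ratio_limit=0.6,
                           payment_share_limit=0.5):
    """Per client IP: flag many payment attempts that are mostly declined, or a
    traffic mix dominated by the payment step. Thresholds are assumptions."""
    per_ip = defaultdict(lambda: {"events": 0, "payments": 0, "declined": 0})
    for e in events:
        stats = per_ip[e["ip"]]
        stats["events"] += 1
        if e["step"] == "payment":
            stats["payments"] += 1
            if e.get("outcome") == "declined":
                stats["declined"] += 1
    flagged = {}
    for ip, stats in per_ip.items():
        if stats["payments"] < min_attempts:
            continue  # too few attempts to say anything
        decline_ratio = stats["declined"] / stats["payments"]
        payment_share = stats["payments"] / stats["events"]
        reasons = []
        if decline_ratio >= decline_ratio_limit:
            reasons.append(f"decline_ratio={decline_ratio:.2f}")
        if payment_share >= payment_share_limit:
            reasons.append(f"payment_share={payment_share:.2f}")
        if reasons:
            flagged[ip] = {**stats, "reasons": reasons}
    return flagged


def inventory_hoarders(events, stock, hold_ratio=0.5):
    """Per SKU: units sitting in carts of sessions that never completed checkout,
    as a share of on-hand stock. Flag SKUs where such carts hold >= hold_ratio."""
    completed = _completed_sessions(events)
    held = defaultdict(int)
    holders = defaultdict(set)
    for e in events:
        if e["step"] == "add_to_cart" and e["session"] not in completed:
            held[e["sku"]] += e["qty"]
            holders[e["sku"]].add(e["session"])
    flagged = {}
    for sku, units in held.items():
        on_hand = stock.get(sku, 0)
        if on_hand and units / on_hand >= hold_ratio:
            flagged[sku] = {"held": units, "stock": on_hand,
                            "sessions": sorted(holders[sku])}
    return flagged


if __name__ == "__main__":
    print("abandonment rate:", abandonment_rate(SAMPLE_EVENTS))
    print("card cracking suspects:", card_cracking_suspects(SAMPLE_EVENTS))
    print("inventory hoarding:", inventory_hoarders(SAMPLE_EVENTS, STOCK))
```

On the constructed data the legitimate IP never reaches the attempt floor, the cracking IP is flagged on both the decline ratio and the payment share, and only SKU-1 is flagged because fifteen of its twenty units sit in carts that never checked out; the legitimate buyer's unit is excluded because that session completed. The hoarding check is the one to feed back into the cart logic (cart reservation timeouts or per-session quantity caps), since blocking the IP after the fact does not release the stock.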

Phishing and malware target customers as well as employees. Malicious URLs shared on a retailer's own site or on social channels can send customers to pages that steal payment information or account credentials. Retailers need tools to keep such links off their sites and, at the same time, to warn users before they visit sites that are known to be unsafe.
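Keeping risky links off a site means checking every user-submitted URL against a list of known-unsafe resources, and the check is only as good as the URL normalization in front of it. The following is an added example, not code from the article and not a client for any vendor's unsafe-URL API: it canonicalizes a submitted URL (lowercased host, userinfo dropped, default port dropped, repeated percent-decoding, path normalization) and then matches it against a constructed local blocklist of hosts, host suffixes and URL prefixes. The list entries, host names and the policy of rejecting non-web schemes are assumptions; in production the list would come from a continuously updated feed such as the one recommended later in this article.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed blocklist (not a real feed): exact hosts, host suffixes that
# cover whole zones, and URL prefixes for a single bad path on a shared host.
BLOCKED_HOSTS = {"phish.example", "malware-cdn.example"}
BLOCKED_HOST_SUFFIXES = {".bad-tld.example"}
BLOCKED_PREFIXES = {"http://shared-hosting.example/~attacker/"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonicalize(url: str) -> str:
    """Normalize a URL so lookalike spellings resolve to the same list entry.

    Handles the classic evasions: uppercase host, 'good.example@evil.example'
    userinfo, explicit default ports, double percent-encoding, '/../' segments,
    duplicate leading slashes and fragments.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")   # hostname is already lowercased
    try:
        port = parts.port
    except ValueError:
        port = None                             # unparsable port: treat as absent
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"

    path = parts.path or "/"
    # Decode repeatedly until stable so %257E -> %7E -> ~ cannot hide a path.
    while True:
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Collapse '.' and '..' segments and any run of leading slashes.
    normalized = "/" + posixpath.normpath(path).lstrip("/")
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"                       # keep trailing slash for prefix matches
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{netloc}{normalized}{query}"   # fragment intentionally dropped


def is_blocked(url: str) -> bool:
    """True if the canonical form of `url` hits the blocklist or is not a web link."""
    canon = canonicalize(url)
    parts = urlsplit(canon)
    if parts.scheme not in ("http", "https"):
        return True                             # policy assumption: web links only
    host = parts.hostname or ""
    if not host or host in BLOCKED_HOSTS:
        return True
    if any(host == suffix.lstrip(".") or host.endswith(suffix)
           for suffix in BLOCKED_HOST_SUFFIXES):
        return True
    return any(canon.startswith(prefix) for prefix in BLOCKED_PREFIXES)


if __name__ == "__main__":
    # Constructed submissions a review or comment form might receive.
    for candidate in [
        "HTTP://good.example@Phish.EXAMPLE:80/login",
        "https://cdn.bad-tld.example/x",
        "http://shared-hosting.example/%257Eattacker/a/../b",
        "http://shared-hosting.example/~attacker/../other",
        "https://shop.example/deals?ref=phish.example",
        "javascript:alert(1)",
    ]:
        print(f"{'BLOCK' if is_blocked(candidate) else 'allow':5}  {candidate}")
```

Two of the constructed cases show why canonicalization comes first: the userinfo trick makes a link look as if it points at good.example when the host is really phish.example, and double percent-encoding of the path would slip past a prefix match done on the raw string. The `/~attacker/../other` case goes the other way and is correctly allowed, because after normalization it no longer lives under the blocked prefix.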

These are just a few of the tricks bad actors might have at the ready this holiday season. So how can security teams detect these attack methods and reduce their customers' and their business's exposure to compromise and revenue loss?

One way is to deploy a CAPTCHA system on the site to prevent fraudulent activity, spam and abuse. The CAPTCHA system should use machine learning and advanced risk analysis to help site operators tell humans and bots apart. It should also detect accurately, to minimize false positives, and return risk scores with reason codes so that security teams can act on them within the context of their own website.

For example, if the CAPTCHA system returns a low score, the next step can be to require two-factor authentication or email verification before the user is allowed to continue. The CAPTCHA system should also come with enterprise-level service level agreements and terms of service. We also recommend using an API that provides constantly updated lists of unsafe Web resources, which retailers can use to keep risky URLs off their sites and protect users.
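The score-driven step-up described above is a small policy decision that is worth writing down explicitly rather than scattering thresholds across login and checkout handlers. The following is an added example of such a policy, not code from the article and not any vendor's SDK: it assumes a score in the range 0.0 (almost certainly automated) to 1.0 (likely human), a set of reason-code strings attached to the assessment, per-action thresholds, and a mapping from action to the verification method to demand. All of those names and numbers are assumptions; the shape of the decision (allow, step up, or block, with the rule that fired recorded for the security team) is the point.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Assessment:
    """What the bot-detection service reported for one request (assumed shape)."""
    action: str            # e.g. "login", "checkout", "password_reset", "add_to_cart"
    score: float           # 0.0 = almost certainly automated .. 1.0 = likely human
    reasons: tuple = ()    # reason codes explaining a low score (assumed names)


# Per-action thresholds (assumptions): the more an action is worth to an
# attacker, the higher the score required to pass without friction.
ALLOW_AT_OR_ABOVE = {"login": 0.7, "checkout": 0.7, "password_reset": 0.8, "add_to_cart": 0.5}
BLOCK_BELOW = {"login": 0.3, "checkout": 0.3, "password_reset": 0.3, "add_to_cart": 0.1}
DEFAULT_ALLOW, DEFAULT_BLOCK = 0.7, 0.3

# Reason codes (assumed names) that force a step-up even on a good score:
# a login with credentials known to be leaked is how account takeover starts,
# and a scripted client should not get a free pass because it scored well once.
FORCE_STEP_UP = {"leaked_credentials", "automation"}

# Which second factor to demand, per action (assumed).
STEP_UP_METHOD = {"login": "mfa", "checkout": "mfa", "password_reset": "email_verification"}


def _method_for(action: str) -> str:
    return STEP_UP_METHOD.get(action, "email_verification")


def decide(a: Assessment) -> dict:
    """Map an assessment to allow / step_up / block and record the rule that fired."""
    if not 0.0 <= a.score <= 1.0:
        # A malformed score is a pipeline failure, not a signal about the user.
        # Fall back to a step-up rather than silently allowing the request.
        return {"decision": "step_up", "method": _method_for(a.action), "rule": "invalid_score"}

    if a.score < BLOCK_BELOW.get(a.action, DEFAULT_BLOCK):
        return {"decision": "block", "rule": "score_below_block_threshold"}

    if a.score < ALLOW_AT_OR_ABOVE.get(a.action, DEFAULT_ALLOW):
        return {"decision": "step_up", "method": _method_for(a.action),
                "rule": "score_below_allow_threshold"}

    forced = sorted(set(a.reasons) & FORCE_STEP_UP)
    if forced:
        return {"decision": "step_up", "method": _method_for(a.action),
                "rule": "reason:" + ",".join(forced)}

    return {"decision": "allow", "rule": "score_at_or_above_allow_threshold"}


if __name__ == "__main__":
    # Constructed assessments, not output from any real service.
    for sample in [
        Assessment("checkout", 0.9),
        Assessment("login", 0.9, ("leaked_credentials",)),
        Assessment("checkout", 0.5),
        Assessment("password_reset", 0.75),
        Assessment("add_to_cart", 0.05),
        Assessment("login", 1.5),
    ]:
        print(sample.action, sample.score, sample.reasons, "->", decide(sample))
```

The ordering matters: the block band is checked before the allow band so that a very low score is never softened into a challenge, and the reason-code override is applied last so that a good score does not let a login on known-leaked credentials through without a second factor. The returned `rule` string is what should land in the security team's logs next to the request, because that is what lets the thresholds be tuned with evidence rather than guesswork.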

This year has been one of frantic and unexpected change, but there is no reason to be caught off guard this holiday season. Security must remain a top business priority, because attackers will always look for ways to disrupt or damage businesses during the pandemic, during the holidays and beyond. A sustainable security posture is essential to a successful business transformation. Now is the time for retailers to be proactive about securing their online environments and make this new normal a safer normal, so they can deliver holiday cheer.

Sunil Potti is General Manager and Vice President of Cloud Security at Google Cloud. In his role, he focuses on bringing the best of Google Security's practices to the GCP platform and its enterprise customers. Prior to Google Cloud, Sunil served as the Chief Product & ...