Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

11/26/2014
12:05 PM
Sara Peters
Sara Peters
Quick Hits
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Dangers Of Shopping Are Evolving

Point-of-sale malware is making brick-and-mortar shopping more dangerous. Online, attackers are beginning to value user accounts with payment information attached more than credit card details themselves.

Holiday shopping is dangerous. You could be tackled by other shoppers as you reach for the latest video game. You might go blind staring at your computer screen as you spend hours looking for a gift that is not only perfect, but will also arrive on your doorstep in time for you to smack a bow on it. There are other dangers, though -- and the risks are changing.

Shopping at brick-and-mortar stores is not necessarily any safer than shopping online anymore. In fact, Don Jackson, director of threat intelligence for PhishLabs, told Dark Reading this week that he would rather hand his credit card data to a Web form than to a salesperson.

Why the shift in threat posture? One reason for that is the spate of point-of-sale malware that has made headlines all year. Another is that retailers often work harder to secure their e-commerce sites than their brick-and-mortar shops.

That's not to say that e-commerce sites aren't without their risks. Yet, the kinds of risks are changing. Attackers are moving away from carding and starting to favor account takeover, as new research shows.

"This year, we have determined fraudsters are leveraging more sophisticated attack vectors, focusing increasingly on account takeover, as opposed to the common tactic of credit card cycling," says Ryan Wilk, director of customer success at NuData Security, in a report released Tuesday. "This shows us that thieves are beginning to value user accounts with payment information attached more than credit card details themselves. This puts additional burden on the e-commerce organization to protect their communities."

Researchers at ThreatMatrix are finding the same pattern. In a report last week, Alisdair Faulkner, chief products officer for ThreatMatrix said, "In addition to payment fraud this holiday shopping season, our biggest concern is the spike in the number of account takeovers we are seeing on retail websites. ThreatMetrix data shows an upswing in account takeover activity in the wake of recent massive data breaches -- and most retailers will be caught unprepared.

“Previously, guest checkouts represented the highest risk, but due to the prevalence of data breaches and the convenience of storing credit cards to make mobile purchases easier, fraudsters have found it just as easy to use a stolen username and password as it is to use compromised credit card information that has a shorter life span before being shut down."

The "convenience of storing credit cards to make mobile purchases easier" that Faulkner mentions becomes a greater concern as more shoppers use mobile devices to make purchases. Iovation predicted this week that about 40% of all retail transactions made between Black Friday and Cyber Monday this year will be made from mobile phones and tablets. This segment has been steadily increasing for years. Just five years ago, Iovation found that only 3% of the online retail transactions between Black Friday and Cyber Monday came from mobile devices.

Are you planning to get sore feet trudging around the shopping mall this season, or get sore fingers trolling the Internet? Do security risks affect your decision? Let us know in the comments below.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
12/1/2014 | 9:37:18 AM
Re: So what is the correct approach?
@mejiac  Thanks! As far as Apple and Google getting into the mobile payment realm... well I think they're both just trying to get a piece of a business that's growing just fine without them.

Still, Apple Pay is supposed to add stronger multi-factor authentication to every purchase -- that's the good news. The maybe-not-such-good news is that the Apple Pay infrastructure makes you rely on Apple for the lion's share of your payment security -- moreso even than your bank. 

We wrote about it in September:  http://www.darkreading.com/apple-pay-ups-payment-security-but-pos-threats-remain/d/d-id/1315608
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
12/1/2014 | 9:24:28 AM
Re: Glad to have an excuse to miss Black Friday
@David  Generally I hate shopping too, and do a lot online. But honestly, I miss some of the hustle and bustle, and the pretty lights and Christmas music playing, so I'll venture out into the fray just for the experience. I've even found the one cash register in the Times Square Toys R Us that never seems to have a line.  :)

But, I do feel it's a risk management issue. One of my favorite ways to shop is at the outdoor holiday markets they set up in some of the public parks in Manhattan. I worry about carrying cash, because those markets are a pickpocket's dream. But all the stalls in the market are small businesses using very small mobile credit card processing technology. I doubt that security is a big priority for them.

I HOPE that the wireless network for the merchants is separate from the free public wireless available in the park... but I think I ought to check on that.  :)  

 
prospecttoreza
50%
50%
prospecttoreza,
User Rank: Strategist
12/1/2014 | 9:20:17 AM
Re: Glad to have an excuse to miss Black Friday
But Amazon has gotten way too expensive. The same toy I got at Toysrus on sale for $55 this Thursday is being sold on Amazon for $130! So, happy Amazoning :-)
mejiac
50%
50%
mejiac,
User Rank: Apprentice
11/30/2014 | 12:08:30 PM
So what is the correct approach?
Great article Sarah!

"The "convenience of storing credit cards to make mobile purchases easier" that Faulkner mentions becomes a greater concern as more shoppers use mobile devices to make purchases."

If this is the case, then how come companies like Apple and Google are pushing for the use of more mobil based payment?

I agree that things are more riskier, and the thread of identity theft is greater than ever before.

I for one keep a close eye on all my transactions, and only utilize credit cards that have fraud protection policies.

I see this as something that is inevitable, and thus we need to be more cautiuous, since it's not a matter of if it'll happen or not, is more about "when?"

What does the community think?
Nemos
50%
50%
Nemos,
User Rank: Apprentice
11/30/2014 | 5:07:38 AM
Re: Glad to have an excuse to miss Black Friday
You dont feel safe while shopping in the mall ? , for most of the people is a joy procedure (especially for women's and kids). In addition you can try the small shops around the corner instead of the malls.
David F. Carr
100%
0%
David F. Carr,
User Rank: Strategist
11/26/2014 | 12:24:00 PM
Glad to have an excuse to miss Black Friday
I hate shopping, so if I'm incrementally safer doing it on Amazon than at the mall, hooray!
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3896
PUBLISHED: 2019-06-19
A double-free can happen in idr_remove_all() in lib/idr.c in the Linux kernel 2.6 branch. An unprivileged local attacker can use this flaw for a privilege escalation or for a system crash and a denial of service (DoS).
CVE-2019-3954
PUBLISHED: 2019-06-19
Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 allows a remote, unauthenticated attacker to execute arbitrary code by sending a crafted IOCTL 81024 RPC call.
CVE-2019-10085
PUBLISHED: 2019-06-19
In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page.
CVE-2019-11038
PUBLISHED: 2019-06-19
When using gdImageCreateFromXbm() function of gd extension in versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been ...
CVE-2019-11039
PUBLISHED: 2019-06-19
Function iconv_mime_decode_headers() in versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may lead to information disclosure or crash.