
Vulnerabilities / Threats

11/24/2015
04:00 PM

Cyber Monday: What Retailers & Shoppers Should Watch For

Attackers have a variety of ways to commit fraud and may take advantage of a busy time to sneak in a data breach.

While store managers and salespeople gear up for long lines, social engineering, and point-of-sale malware on Black Friday, CIOs and development teams gear up for fraudulent online purchases and Web-based data breaches on Cyber Monday.

The most immediate concern is anything that prevents a retailer from making money, like a denial of service attack on an online shop or mobile purchasing app -- or a security measure that causes impatient customers to take their business elsewhere. Threats that may cost a retailer money -- like shipping fraud or chargebacks for fraudulent purchases made with stolen credit cards, or with gift cards bought using stolen credit card data -- are secondary. Data breaches of customer payment card records or other information fall to the bottom of the priority list.

As the Retail Cyber-Intelligence Sharing Center (R-CISC) explained in advice to members about holiday "hacking season": "Downtime is expensive, but especially so at this time of year. Retail staff is motivated and focused on sales, at the risk of possibly allowing fraudulent transactions or other types of breaches."

[Read about PoS malware and new ways to trick new payment technology in "Black Friday: Brick-and-Mortar Retailers Have Cyber Threats Too."]

Suni Munshani, CEO of Protegrity, says attackers know all this well and can take advantage of retailers' priorities, as well as of the fact that shopping patterns are different during the holiday season than they are the rest of the year.

"On a big shopping day," he says, "it's harder to zero in on fraudulent behavior and respond to it quickly."

Image Source: Kevin Marks via Flickr

According to the R-CISC: "Retailers see much higher volume peaks, especially at sale times, both in stores and online. This makes it harder to detect anomalous traffic, and it's impractical to block IP ranges based on geography, because online sales can be global."

Much of the fraud committed during the holiday season won't be dealt with until January 15, says Munshani.

Plus, Munshani says that attackers will steal "anything that can be monetized," which extends beyond cardholder data. Attackers may also grab information about what items stores are planning to order and where they're being shipped.

"Visibility into the supply chain can provide a competitive advantage," says Munshani. "If I wanted to leverage that data in the financial markets, I could leverage that in a heartbeat."

How are attackers likely to compromise retailers online this season?

Via vulnerable web apps

"[Poor] patching and weak application security were two of the underlying themes across all retailers, weak and strong," says Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard, which released a new report on retail security this week.

Yampolskiy says that even the top-performing retailers they studied were often vulnerable to POODLE and FREAK. Plus, 100 percent of retailers were found with Web application vulnerabilities or server misconfigurations. They were particularly prone to troubles in their content management systems (CMS). 
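The two findings named above are the kind a scanner reports from two cheap handshake probes: a server that negotiates SSLv3 with a CBC cipher suite is flagged for POODLE, and one that accepts an RSA_EXPORT suite is flagged for FREAK (FREAK proper also needs a client that swallows the downgraded key, but the server-side finding is what scanners report). The following is an added example of those probes, not code from the article or from SecurityScorecard. It builds the ClientHello records by hand because modern TLS libraries no longer speak SSLv3 or export suites, follows the record and handshake layout of RFC 6101 and RFC 5246, and the host name `shop.example` and the sample server replies are constructed for illustration and offline testing.

```python
"""Minimal SSLv3 / RSA_EXPORT probes of the kind a scanner uses to flag
POODLE and FREAK.  Added example, not code from the article or from
SecurityScorecard.  Wire format follows RFC 6101 (SSL 3.0) and RFC 5246
(TLS record/handshake layout); the sample server replies at the bottom
are constructed for offline testing, not real captures."""
import os
import socket
import struct

SSLV3 = 0x0300
TLS10 = 0x0301

# POODLE needs SSLv3 negotiated with a CBC suite; FREAK needs the server to
# accept an RSA_EXPORT suite.  Suite numbers are the IANA-registered values.
CBC_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
ALERT, HANDSHAKE = 0x15, 0x16
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def build_client_hello(version, suites):
    """Return one TLS record carrying a ClientHello without extensions that
    offers only `suites` at protocol `version` (SSLv3 has no extensions)."""
    body = struct.pack("!H", version) + os.urandom(32) + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                          # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", version, len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server sent back:
    ("accepted", server_version, suite), ("alert", level, description) or
    ("other", content_type, None)."""
    if len(data) < 5:
        return ("other", None, None)
    ctype, _version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if ctype == ALERT and len(payload) >= 2:
        return ("alert", payload[0], payload[1])
    if ctype == HANDSHAKE and payload[:1] == bytes([SERVER_HELLO]) and len(payload) >= 41:
        # 4-byte handshake header, 2 version, 32 random, 1 session-id length, session id, 2 suite
        srv_version = struct.unpack("!H", payload[4:6])[0]
        sid_len = payload[38]
        suite = struct.unpack("!H", payload[39 + sid_len:41 + sid_len])[0]
        return ("accepted", srv_version, suite)
    return ("other", ctype, None)


def findings(sslv3_result, export_result):
    """Turn the two probe results into scanner-style findings."""
    out = []
    kind, ver, suite = sslv3_result
    if kind == "accepted" and ver == SSLV3 and suite in CBC_SUITES:
        out.append("POODLE: server negotiated SSLv3 with " + CBC_SUITES[suite])
    kind, ver, suite = export_result
    if kind == "accepted" and suite in RSA_EXPORT_SUITES:
        out.append("FREAK: server accepted " + RSA_EXPORT_SUITES[suite])
    return out


def probe(host, port, version, suites, timeout=5.0):
    """Send one ClientHello over the network and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version, suites))
        return classify_response(sock.recv(4096))


def scan(host, port=443):
    """Two probes: SSLv3 + CBC suites only, then TLS 1.0 + RSA_EXPORT suites only."""
    return findings(probe(host, port, SSLV3, list(CBC_SUITES)),
                    probe(host, port, TLS10, list(RSA_EXPORT_SUITES)))


def sample_server_hello(version, suite):
    """Constructed ServerHello record (not a capture) for offline testing."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", version, len(handshake)) + handshake


# Constructed: fatal (2) handshake_failure (40) alert, what a hardened server returns.
SAMPLE_HANDSHAKE_FAILURE = b"\x15\x03\x01\x00\x02\x02\x28"

if __name__ == "__main__":
    # Offline demonstration; use scan("shop.example", 443) against a host you own.
    weak = findings(classify_response(sample_server_hello(SSLV3, 0x002F)),
                    classify_response(sample_server_hello(TLS10, 0x0003)))
    hardened = findings(classify_response(SAMPLE_HANDSHAKE_FAILURE),
                        classify_response(SAMPLE_HANDSHAKE_FAILURE))
    print("weak server:", weak)
    print("hardened server:", hardened)
```

A server that is patched for both issues answers each probe with a fatal `handshake_failure` or `protocol_version` alert; a ServerHello in reply to either probe is the finding. Run the probes only against hosts you are authorized to test.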

"Some of these retailers are brick and mortar," Yampolskiy says. "Doing good IT is not part of their core competence." That said, some of the top-performing retailers online are ones that are primarily brick-and-mortar businesses.

SecurityScorecard did not find any correlation between security practices and what kinds of goods a business sells -- food, furniture, or footballs. The top performers, according to SecurityScorecard, are: Guess (clothing), Dick's Sporting Goods, Brookshire's (grocery store), Quizno's (fast food franchise), DyersOnline.com (automotive supplies), Moen (housewares), American Greetings (greeting cards), and BackCountry.com (clothing).

Via mobile devices

More and more consumers are doing their shopping from mobile devices. Adobe, in its Digital Index Online Shopping Predictions, predicted that on Thanksgiving Day mobile devices will for the first time overtake desktops as the top device for online shopping. Iovation predicts that between Black Friday and Cyber Monday, 48% of all retail transactions will be made from mobile phones and tablets. This is higher than the overall percentage for the year thus far, which is 41%, according to Iovation.

The good news, according to Iovation VP of Product Scott Olson: "We still see fraud rates a little lower on mobile, because it's harder to automate on mobile."

Yet, according to a study by Bluebox, released today, there are plenty of security vulnerabilities lurking within the top three one-click purchase apps from merchants and the top two peer-to-peer payment apps used to send monetary gifts to family and friends.  

Bluebox researchers found that all of those apps were vulnerable to tampering that would allow funds to be rerouted to accounts controlled by attackers and that none of the apps encrypted data written to disk.

Via online auctions 

There's also "triangulation fraud," which Olson says is "a very clever way to monetize stolen cards."

A triangulation fraudster sets up an online auction for an item they don't actually possess -- say, a high-end camera. When the auction ends, the attacker uses a stolen payment card to purchase that same camera from a store and has it shipped to the winning bidder.

The bidder gets their purchase. The attacker pockets the bidder's payment. (It doesn't matter to the attacker if the bidder paid $100 for an item that cost $500 at the store, because the attacker paid that $500 with someone else's money. Their net gain is still $100.)

The fraud is for the unlucky cardholder, their bank, and the retailer to sort out.

Via gift cards

Another popular way for attackers to monetize stolen payment card data is through online gift card purchases.

Retailers can't do without the revenue gift cards bring in, so they have tried to offload the headache and the liability of gift card fraud to third-party fulfillment services like CashStar. According to SecurityScorecard, the practice seems to work.

"CashStar does seem to be pretty good at reducing fraud," says Alex Heid, chief of research at SecurityScorecard. "Chatter on the underground seems to confirm it," he says, referencing frustrations voiced on hacker forums.

Better defense

Munshani says that retailers and security companies have already made huge advancements in Web security measures, to improve authorization and reduce fraud without increasing the "friction" that makes impatient consumers decide to take their business elsewhere.

He recommends systems that request a second factor of authentication only when a site user or payment accountholder exhibits anomalous behavior. For example, he says, when a user connects from an unfamiliar device, issue a second factor, like an SMS verification code. When a purchase is made for a large amount, or from a region the accountholder is not usually traveling in, send a message asking the accountholder to confirm the purchase.
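The rule above, as an added example that is not code from the article or from Protegrity: score each purchase against the account's own history, let routine purchases through untouched, demand a one-time code for an unfamiliar device, and ask for an out-of-band confirmation for an unusual amount or region. Baselines are per account rather than site-wide on purpose, since at holiday peaks site-wide traffic thresholds are swamped (the R-CISC point above) while a single account's history is not. The profile fields, the 5x amount threshold, the six-digit code format and the sample purchases are constructed assumptions. The challenge class is transport-agnostic: the code can go by SMS as suggested, but an authenticator app or push prompt is preferable where available, because SMS codes can be phished or captured through SIM swap.

```python
"""Risk-based step-up authentication for checkout.  Added example, not code
from the article or from Protegrity.  Thresholds, the per-account profile
fields and the sample events are constructed assumptions."""
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class AccountProfile:
    known_devices: set = field(default_factory=set)    # device ids that completed a step-up before
    usual_countries: set = field(default_factory=set)  # countries seen in the account's past orders
    typical_order: float = 50.0                        # rolling median order value (assumed field)


@dataclass
class Purchase:
    device_id: str
    country: str
    amount: float


def risk_signals(profile, purchase, amount_multiplier=5.0):
    """Anomaly signals for this purchase against the account's own baseline."""
    signals = []
    if purchase.device_id not in profile.known_devices:
        signals.append("unfamiliar_device")
    if purchase.country not in profile.usual_countries:
        signals.append("unusual_region")
    if purchase.amount > amount_multiplier * profile.typical_order:
        signals.append("large_amount")
    return signals


def decide(profile, purchase):
    """'allow' when nothing is anomalous; 'second_factor' (one-time code) for an
    unfamiliar device; 'confirm_purchase' (out-of-band yes/no) for an amount or
    region anomaly from a device the account has used before."""
    signals = risk_signals(profile, purchase)
    if not signals:
        return "allow"
    if "unfamiliar_device" in signals:
        return "second_factor"
    return "confirm_purchase"


class StepUpChallenge:
    """One-time codes with expiry, single use, an attempt cap and a constant-time
    comparison.  Transport-agnostic: SMS, authenticator app or push prompt."""

    def __init__(self, ttl_seconds=300, max_attempts=3, now=time.time):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.now = now                    # injectable clock, used by the tests
        self.pending = {}                 # account_id -> (code, expires_at, failed_attempts)

    def issue(self, account_id):
        code = "%06d" % secrets.randbelow(10 ** 6)
        self.pending[account_id] = (code, self.now() + self.ttl, 0)
        return code                       # hand to the sender; never log it

    def verify(self, account_id, submitted):
        entry = self.pending.get(account_id)
        if entry is None:
            return False
        code, expires_at, failed = entry
        if self.now() > expires_at or failed >= self.max_attempts:
            self.pending.pop(account_id, None)   # expired or locked: force a fresh challenge
            return False
        if hmac.compare_digest(code.encode(), submitted.encode()):
            self.pending.pop(account_id, None)   # single use
            return True
        self.pending[account_id] = (code, expires_at, failed + 1)
        return False


def complete_step_up(profile, purchase, challenge, account_id, submitted_code):
    """After a verified second factor, remember the device so the account's
    next purchase from it goes through without friction."""
    if not challenge.verify(account_id, submitted_code):
        return False
    profile.known_devices.add(purchase.device_id)
    return True


if __name__ == "__main__":
    # Constructed sample: an account that normally orders about $60 from one laptop in the US.
    profile = AccountProfile({"laptop-1"}, {"US"}, 60.0)
    for p in (Purchase("laptop-1", "US", 45.0),     # routine
              Purchase("phone-9", "US", 45.0),      # new device: one-time code
              Purchase("laptop-1", "BR", 45.0),     # unusual country: confirm out of band
              Purchase("laptop-1", "US", 900.0)):   # 15x the typical order: confirm out of band
        print(p, "->", decide(profile, p))
    challenge = StepUpChallenge()
    code = challenge.issue("acct-1")
    new_phone = Purchase("phone-9", "US", 45.0)
    print("step-up ok:", complete_step_up(profile, new_phone, challenge, "acct-1", code))
    print("next time from phone-9:", decide(profile, new_phone))
```

The attempt cap and the single-use pop are what keep a six-digit code from being brute-forced or replayed; the constant-time comparison keeps the check from leaking which digits matched.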

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments

Joe Stanganelli, User Rank: Ninja, 12/1/2015 8:21:17 AM
Re: Re
I'm just cheap and don't buy anything. ;)

Joe Stanganelli, User Rank: Ninja, 12/1/2015 8:20:02 AM
Re: Black Monday DDoS
Of course, that's also when companies are most vigilant.
But what about another high-traffic day... say, two days before Christmas?

Dr.T, User Rank: Ninja, 11/30/2015 12:21:46 PM
Re: Thanks for Sharing
Agree. Fraud is always going up, and attacks are also concentrating on vulnerable periods, such as the Xbox attack on Christmas Day. :--))

Dr.T, User Rank: Ninja, 11/30/2015 12:19:10 PM
Re: Via vulnerable web apps
I said it should. We may not be able to prove the correlation, but companies not paying attention to reverse social engineering attacks would most likely not pay attention to security.

Dr.T, User Rank: Ninja, 11/30/2015 12:16:32 PM
Re: Re
Ok. Good deal, one day is a good start. If we can do that the rest of our lives then we are good to go. :--))

Dr.T, User Rank: Ninja, 11/30/2015 12:15:10 PM
Re: Reminder
Good suggestion, you may use your Apple Pay or Google Wallet though.

Dr.T, User Rank: Ninja, 11/30/2015 12:14:11 PM
Black Monday DDoS
If you want to do a DDoS attack, Cyber Monday is the best opportunity for the worst damage. Companies that are relying on Cyber Monday profits should keep that in mind.

Sagiss, LLC, User Rank: Strategist, 11/30/2015 11:44:14 AM
Thanks for Sharing
Thanks for sharing, Sara! It's definitely more important than ever that shoppers keep a wary eye out, as online fraud usually spikes during the holiday season.

Joe Stanganelli, User Rank: Ninja, 11/29/2015 12:02:03 AM
Re: Via vulnerable web apps
On a related note, DEF CON every year hosts the social engineering capture-the-flag contest, wherein people socially engineer key data "flags" out of Fortune 500 companies; I wonder if the list of worst-performing companies in SECTF, social engineering-wise, correlates in any way to technical security.

RyanSepe, User Rank: Ninja, 11/28/2015 9:36:42 PM
Via vulnerable web apps
Is there a list of the worst performers?