Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

04:00 PM
Connect Directly

Cyber Monday: What Retailers & Shoppers Should Watch For

Attackers have a variety of ways to commit fraud and may take advantage of busy time to sneak in a data breach.

While store managers and salespeople gear up for long lines, social engineering, and point-of-sale malware on Black Friday, CIOs and development teams gear up for fraudulent online purchases and Web-based data breaches on Cyber Monday.

The most immediate concern is anything that prevents a retailer from making money, like a denial of service attack on an online shop or mobile purchasing app -- or a security measure that causes impatient customers to take their business elsewhere. Threats that may cost a retailer money -- like shipping fraud or chargebacks for fradulent purchases made with stolen credit cards or gift cards bought with stolen credit card data -- are secondary. Data breaches of customer payment card records or other information fall to the bottom of the priority list.

As the Retail Cyber-Intelligence Sharing Center (R-CISC) explained in advice to members about holiday "hacking season": "Downtime is expensive, but especially so at this time of year. Retail staff is motivated and focused on sales, at the risk of possibly allowing fraudulent transactions or other types of breaches."

[Read about PoS malware and new ways to trick new payment technology in "Black Friday: Brick-and-Mortar Retailers Have Cyber Threats Too."]

Suni Munshani, CEO of Protegrity, says attackers know all this well and can take advantage of retailers' priorities as well as the fact that shopping patterns are different during the holiday season than they are the rest of the way.

"On a big shopping day," he says, "it's harder to zero in on fraudulent behavior and respond to it quickly."

According to the R-CISC: "Retailers see much higher volume peaks, especially at sale times, both in stores and online. This makes it harder to detect anomalous traffic, and it's impractical to block IP ranges based on geography, because online sales can be global."

Much of the fraud committed during the holiday season won't be dealt with until January 15, says Munshani.

Plus, Munshani says that attackers will steal "anything that can be monetized," which extends beyond cardholder data. Attackers may also grab information about what items stores are planning to order and where they're being shipped.

"Visibility into the supply chain can provide a competitive advantage," says Munshani. "If I wanted to leverage that data in the financial markets, I could leverage that in a heartbeat."

How are attackers likely to compromise retailers online this season?

 Via vulnerable web apps

"[Poor] patching and weak application security were two of the underlying themes across all retailers, weak and strong," says Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard, which released a new report on retail security this week.

Yampolskiy says that even the top-performing retailers they studied were often vulnerable to POODLE and FREAK. Plus, 100 percent of retailers were found with Web application vulnerabilities or server misconfigurations. They were particularly prone to troubles in their content management systems (CMS). 

"Some of these retailers are brick and mortar," Yampolskiy says. "Doing good IT is not part of their core competence." That said, some of the top-performing retailers online are ones that are primarily brick-and-mortar businesses.

SecurityScorecard did not find any correlation between security practices and what kinds of goods a business sells -- food, furniture, or footballs. The top performers, according to SecurityScorecard are: Guess (clothing), Dick's Sporting Goods, Brookshire's (grocery store), Quizno's (fast food franchise), DyersOnline.com (Automotive supplies), Moen (housewares), American Greetings (greeting cards), and BackCountry.com (clothing). 

Via mobile devices

More and more consumers are doing their shopping from mobile devices. Adobe, in its Digital Index Online Shopping Predictions, predicted that on Thanksgiving Day, mobile devices will for the first time overtake desktops as the top device for online shopping. Iovation predicts that between Black Friday to Cyber Monday, 48% of all retail transactions will be made from mobile phones and tablets. This is higher than the overall percentage through the year thusfar, which is 41%, according to Iovation.

The good news, according to Iovation VP of Product Scott Olson: "We still see fraud rates a little lower on mobile, because it's harder to automate on mobile."

Yet, according to a study by Bluebox, released today, there are plenty of security vulnerabilities lurking within the top three one-click purchase apps from merchants and the top two peer-to-peer payment apps used to send monetary gifts to family and friends.  

Bluebox researchers found that all of those apps were vulnerable to tampering that would allow funds to be rerouted to accounts controlled by attackers and that none of the apps encrypted data written to disk.

Via online auctions 

There's also "triangulation fraud," which Olson says is "a very clever way to monetize stolen cards."

A triangulation fraudster sets up an online auction for an item they don't actually possess -- say, a high-end camera. When the auction ends, the attacker uses a stolen payment card to purchase that same camera from a store and has it shipped to the winning bidder.

The bidder gets their purchase. The attacker pockets the bidder's payment. (It doesn't matter to the attacker if the bidder paid $100 for an item that cost $500 at the store, because the attacker paid that $500 with someone else's money. Their net gain is still $100.)

The fraud is for the unlucky cardholder, their bank, and the retailer to sort out.

Via gift cards

Another popular way for attackers to monetize stolen payment card data is through online gift card purchases.

Retailers can't do without the revenue made from gift cards, so they have attempted to outsource the headache and the liability for gift card fraud by outsourcing it to third-party fulfillment services like CashStar. According to SecurityScorecard, the practice seems to be effective.

"CashStar does seem to be pretty good at reducing fraud," says Alex Heid, chief of research at SecurityScorecard. "Chatter on the underground seems to confirm it," he says, referencing frustrations voiced on hacker forums.


Better defense

Munshani says that retailers and security companies have already made huge advancements in Web security measures, to improve authorization and reduce fraud without increasing the "friction" that makes impatient consumers decide to take their business elsewhere.

He recommends systems that request second factors of authentication only when a site user or payment accountholder exhibits anomalous behavior. For example, he says, when a user connects from an unfamiliar device, issue a second factor, like a SMS verification code. When a purchase is made for a large amount or from a region an accountholder is not usually traveling in, send a message to confirm purchase.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Apprentice
11/27/2015 | 11:25:45 AM
I kept my credit card away for this black friday again !
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
11/25/2015 | 11:13:00 PM
Thanks for this reminder, Sara -- if only to caution readers like me to not use our credit cards on Friday!  ;)
<<   <   Page 2 / 2
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. T...
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. Howeve...
PUBLISHED: 2020-09-23
An issue was discovered in Xen 4.14.x. There is a missing unlock in the XENMEM_acquire_resource error path. The RCU (Read, Copy, Update) mechanism is a synchronisation primitive. A buggy error path in the XENMEM_acquire_resource exits without releasing an RCU reference, which is conceptually similar...
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There are evtchn_reset() race conditions. Uses of EVTCHNOP_reset (potentially by a guest on itself) or XEN_DOMCTL_soft_reset (by itself covered by XSA-77) can lead to the violation of various internal assumptions. This may lead to out of bounds memory a...
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. Out of bounds event channels are available to 32-bit x86 domains. The so called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains vs 64-bit or Arm (either bitness) ones. 32-bit x86 domains...