Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/24/2015
04:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Cyber Monday: What Retailers & Shoppers Should Watch For

Attackers have a variety of ways to commit fraud and may take advantage of busy time to sneak in a data breach.

While store managers and salespeople gear up for long lines, social engineering, and point-of-sale malware on Black Friday, CIOs and development teams gear up for fraudulent online purchases and Web-based data breaches on Cyber Monday.

The most immediate concern is anything that prevents a retailer from making money, like a denial of service attack on an online shop or mobile purchasing app -- or a security measure that causes impatient customers to take their business elsewhere. Threats that may cost a retailer money -- like shipping fraud or chargebacks for fradulent purchases made with stolen credit cards or gift cards bought with stolen credit card data -- are secondary. Data breaches of customer payment card records or other information fall to the bottom of the priority list.

As the Retail Cyber-Intelligence Sharing Center (R-CISC) explained in advice to members about holiday "hacking season": "Downtime is expensive, but especially so at this time of year. Retail staff is motivated and focused on sales, at the risk of possibly allowing fraudulent transactions or other types of breaches."

[Read about PoS malware and new ways to trick new payment technology in "Black Friday: Brick-and-Mortar Retailers Have Cyber Threats Too."]

Suni Munshani, CEO of Protegrity, says attackers know all this well and can take advantage of retailers' priorities as well as the fact that shopping patterns are different during the holiday season than they are the rest of the way.

"On a big shopping day," he says, "it's harder to zero in on fraudulent behavior and respond to it quickly."

Image Source: Kevin Marks via Flickr

According to the R-CISC: "Retailers see much higher volume peaks, especially at sale times, both in stores and online. This makes it harder to detect anomalous traffic, and it's impractical to block IP ranges based on geography, because online sales can be global."

Much of the fraud committed during the holiday season won't be dealt with until January 15, says Munshani.

Plus, Munshani says that attackers will steal "anything that can be monetized," which extends beyond cardholder data. Attackers may also grab information about what items stores are planning to order and where they're being shipped.

"Visibility into the supply chain can provide a competitive advantage," says Munshani. "If I wanted to leverage that data in the financial markets, I could leverage that in a heartbeat."

How are attackers likely to compromise retailers online this season?

 Via vulnerable web apps

"[Poor] patching and weak application security were two of the underlying themes across all retailers, weak and strong," says Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard, which released a new report on retail security this week.

Yampolskiy says that even the top-performing retailers they studied were often vulnerable to POODLE and FREAK. Plus, 100 percent of retailers were found with Web application vulnerabilities or server misconfigurations. They were particularly prone to troubles in their content management systems (CMS). 

"Some of these retailers are brick and mortar," Yampolskiy says. "Doing good IT is not part of their core competence." That said, some of the top-performing retailers online are ones that are primarily brick-and-mortar businesses.

SecurityScorecard did not find any correlation between security practices and what kinds of goods a business sells -- food, furniture, or footballs. The top performers, according to SecurityScorecard are: Guess (clothing), Dick's Sporting Goods, Brookshire's (grocery store), Quizno's (fast food franchise), DyersOnline.com (Automotive supplies), Moen (housewares), American Greetings (greeting cards), and BackCountry.com (clothing). 

Via mobile devices

More and more consumers are doing their shopping from mobile devices. Adobe, in its Digital Index Online Shopping Predictions, predicted that on Thanksgiving Day, mobile devices will for the first time overtake desktops as the top device for online shopping. Iovation predicts that between Black Friday to Cyber Monday, 48% of all retail transactions will be made from mobile phones and tablets. This is higher than the overall percentage through the year thusfar, which is 41%, according to Iovation.

The good news, according to Iovation VP of Product Scott Olson: "We still see fraud rates a little lower on mobile, because it's harder to automate on mobile."

Yet, according to a study by Bluebox, released today, there are plenty of security vulnerabilities lurking within the top three one-click purchase apps from merchants and the top two peer-to-peer payment apps used to send monetary gifts to family and friends.  

Bluebox researchers found that all of those apps were vulnerable to tampering that would allow funds to be rerouted to accounts controlled by attackers and that none of the apps encrypted data written to disk.

Via online auctions 

There's also "triangulation fraud," which Olson says is "a very clever way to monetize stolen cards."

A triangulation fraudster sets up an online auction for an item they don't actually possess -- say, a high-end camera. When the auction ends, the attacker uses a stolen payment card to purchase that same camera from a store and has it shipped to the winning bidder.

The bidder gets their purchase. The attacker pockets the bidder's payment. (It doesn't matter to the attacker if the bidder paid $100 for an item that cost $500 at the store, because the attacker paid that $500 with someone else's money. Their net gain is still $100.)

The fraud is for the unlucky cardholder, their bank, and the retailer to sort out.

Via gift cards

Another popular way for attackers to monetize stolen payment card data is through online gift card purchases.

Retailers can't do without the revenue made from gift cards, so they have attempted to outsource the headache and the liability for gift card fraud by outsourcing it to third-party fulfillment services like CashStar. According to SecurityScorecard, the practice seems to be effective.

"CashStar does seem to be pretty good at reducing fraud," says Alex Heid, chief of research at SecurityScorecard. "Chatter on the underground seems to confirm it," he says, referencing frustrations voiced on hacker forums.

 

Better defense

Munshani says that retailers and security companies have already made huge advancements in Web security measures, to improve authorization and reduce fraud without increasing the "friction" that makes impatient consumers decide to take their business elsewhere.

He recommends systems that request second factors of authentication only when a site user or payment accountholder exhibits anomalous behavior. For example, he says, when a user connects from an unfamiliar device, issue a second factor, like a SMS verification code. When a purchase is made for a large amount or from a region an accountholder is not usually traveling in, send a message to confirm purchase.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
CharlineSau
50%
50%
CharlineSau,
User Rank: Apprentice
11/27/2015 | 11:25:45 AM
Re
I kept my credit card away for this black friday again !
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
11/25/2015 | 11:13:00 PM
Reminder
Thanks for this reminder, Sara -- if only to caution readers like me to not use our credit cards on Friday!  ;)
<<   <   Page 2 / 2
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5226
PUBLISHED: 2020-01-24
Cross-site scripting in SimpleSAMLphp before version 1.18.4. The www/erroreport.php script allows error reports to be submitted and sent to the system administrator. Starting with SimpleSAMLphp 1.18.0, a new SimpleSAML\Utils\EMail class was introduced to handle sending emails, implemented as a wrapp...
CVE-2019-1517
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-1518
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-1519
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
CVE-2019-1520
PUBLISHED: 2020-01-24
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.