As seen on The Startup/Medium.com
Cyber criminals are updating the classic Willie Sutton maxim that the reason he robbed banks was because “that’s where the money is.”
Yes, there’s still plenty of money in banks. But many billions of dollars — Deloitte estimates $182 billion to $196 billion — will be transacted online during the holiday season that is now upon us. That would be a 25% to 35% increase in holiday e-commerce since last year. And it could exceed that estimate, given the resurgence of a worldwide pandemic and constant exhortations to avoid congregating anywhere, which would include places like retail stores.
So, no surprise, online thieves are primed to exploit that vast attack surface. And retailers and consumers can’t say they haven’t been warned. Because there are plenty of headlines from past years about cybercrime spiking during the holidays.
But those warnings may not be getting through. RiskIQ reported recentlythat in a survey it conducted of online shoppers, 64% of respondents said they were unaware of the credit-card-skimming threats from Magecart, an umbrella term referring to multiple groups that use the same methods to breach websites — mostly those built on the Magento e-commerce platform — to inject card-skimming scripts on checkout pages. That allows them to steal the data customers enter into the fields on the page, such as their credit card numbers.
The good news, however, is that there’s plenty of good advice this year on how to avoid being among the victims.
The federal Cybersecurity & Infrastructure Security Agency (CISA) has a tip sheet to help consumers do their online shopping safely, and the FBI has a list of ways to avoid internet scams and fraud.
Most of that advice comes down to the basics — the digital equivalent of avoiding most of the risk of contracting COVID-19 by wearing a mask, social distancing, keeping your hands clean, and not touching your face.
In other words, it doesn’t require living in a hermetically sealed bubble and avoiding e-commerce altogether. While nothing online is entirely risk-free, both merchants and consumers can manage that risk by following the advice that security experts have been dishing out for years.
First some advice for retailers.
Third-party reality check: Start with awareness that you are likely an expanded attack surface, thanks to your relationships with third parties.
Recall seven years ago, right at this time of year, when mega-retailer Target discovered a breach that compromised the credit/debit card data and/or personal information of up to 110 million customers. The entry point for hackers? A third-party HVAC vender to its point-of-sale (PoS) payment card readers.
Since then, the risks have only expanded. According to Source Defense, the average e-commerce website uses “40 to 60 third-party tools, with retailers saying they plan to add an average of 3 to 5 new third-party technologies to their sites annually.”
And third parties have outside relationships as well, which increases the number of attack points exponentially. A single retailer could be “sharing confidential and sensitive information with a staggering 583 outside parties on average,” Source Defense said.
Practice least privilege: While it may be the season of “peace on earth and good will …” behaving like a Grinch is both smart and necessary in some areas. In the e-commerce world, it should be the season of zero trust. Make sure third (and fourth and fifth) parties have access only to what they need to perform a necessary function. That means blocking access to customers’ personal and payment information.
Along the same line, monitor authentication failures to make sure a customer is really a customer, since account takeover attacks remain a constant threat. Digital Commerce reported earlier this year that “in 2019 retailers were on the receiving end of more than 10 billion credential validation attempts, the most of any industry, from bots looking to take over accounts and commit fraud.”
Keep up to date: Some retailers go into “change freeze” mode during the frenetic holiday season, which means they install only the most critical security patches. But this puts them at greater risk. Cyberthreats are always evolving, and failing to patch a vulnerability — especially one that is publicly known — is a bit like leaving the door to your headquarters open every night.
Emile Monette, director of value chain security at Synopsys calls it “internal due diligence.” He recommends that retailers “inventory both internal and third-party risk, and include security requirements in your supplier contracts to protect theirs and their customers’ data.”
And at brick-and-mortar locations, “keep your system and point-of-sale operating systems patched and at a minimum PCI-DSS compliant,” he said.
Train workers: Most employees are loyal and want to protect the organization. So give them the tools to do that — teach them how to recognize the latest phishing scams (which have improved significantly) and what kinds of information cyber crooks are after. Give them a way to report suspicious emails or calls.
Divide and defend: Network segmentation could be viewed as another component of least privilege. Isolate critical zones and protect them with more rigorous access controls so that if crooks get in, they can’t get everywhere.
Response readiness: It’s inevitable that some attackers will get through. So be ready to respond quickly if they do. “Have an emergency response procedure documented and exercised,” said Adam Brown, security solutions manager at Synopsys. “As we saw with the recent Manchester United FC attack, having a strong emergency response enables an organization to stop attacks early and limit damage.”
Avoid IoT overload: The Internet of Things offers a tantalizing array of devices to enhance both security and convenience for merchants, from monitoring PoS terminals for anomalous behavior to tracking inventory to monitoring fitting rooms. But, as Michael Borohovski, director of software engineering at Synopsys, notes, “it also means that attackers have a lot more surface area to attack. Fitting-room devices can be hacked. Store networks, which once were relatively unimportant, and PoS systems that could run without a connection, are now high-value targets.”
He recommends that “for every IoT device you think you need, evaluate what value it really provides. If it doesn’t need to be internet-connected, pick one that isn’t.”
And if a retailer does need one that is connected, “ask questions about security,” Borohovski said.
“Don’t just buy the cheapest option, and make sure you’re happy with their answers to the security questions you ask. Do they have a privacy policy? An incident response policy? Have they had it tested for security by a reputable third party? Can they provide you with any certifications or reports or other attestations?”
For consumers, the overall advice also boils down to being aware of a sad reality: Cyber criminals will try to take advantage of both your holiday spirit and your generosity. Which doesn’t mean you can’t practice those virtues. But it’s crucial not to trust anyone or anything you don’t know or can’t verify.
And in that vein:
Secure your digital doors and windows: The CISA tip sheet includes the basics, like avoiding public Wi-Fi, using rigorous passwords, and keeping device software up to date, enabling automatic updates when they’re offered so you don’t have to keep track.
Brown urges consumers to go beyond even strong passwords. “If you give yourself one Christmas present this year, let it be a reputable password manager and let it generate passwords for you,” he said.
“When sites get breached, often it’s possible for attackers to work out your password if poor password encryption is used, which is still too common. If you’ve used that password elsewhere, you can consider that site breached too. Generated passwords per site get rid of that problem.”
Borohovski adds that “consumers should be wary of anything internet-connected entering their homes. As you add more, you have more surface area, exposing you to more threats.”
Phishing, phishing and more phishing: This is probably the greatest risk to consumers, because all the updates, complex passwords and other authentication methods in the world won’t protect you if you get tricked into voluntarily giving your information away or clicking a malicious link.
As is the case with life in general, and especially online, if something looks too good to be true, it almost certainly is. And there’s an almost endless variety of scams, from “once-in-a-lifetime” deals to charity pleas.
So the advice from Monette should be familiar but it bears repeating. “Don’t click on anything in emails — links, promo codes or anything else — unless you’re confident of where it came from,” he said.
“If you’re unsure if an email is legitimate, type the URL of the retailer or other company into your web browser or do a web search to find the company as opposed to clicking the link. Also check the sender’s actual email address.”
In other words, only shop from trusted, reliable sources. It’s almost always better to go to a retailer’s website than to click a link that “promises” to take you there.
Thomas Richards, principal consultant at Synopsys, said that along with phishing scams, “consumers should be wary of flash sales/deals on websites that are not the original retailer. I’ve personally had ads show up on my Facebook feed for Lego sets that were 75% off MSRP from vendors that tried really hard to make them look like the actual Lego website.”
Monitor your accounts: You won’t always know right away if your payment cards or your bank account gets compromised. So check your accounts frequently for any purchase you don’t recognize, no matter how seemingly insignificant. Hackers often make a small purchase that they hope you won’t notice, and if it goes through, they go for the motherlode.
Bottom line: Take all this good advice seriously. Make it “the most wonderful time of the year” for yourself, not the crooks.The Startup
WRITTEN BY
Taylor Armerding
PCI DSS 4.0 makes client-side security a priority.
Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
