How to reduce the risk of festive fraud

With Christmas around the corner, retailers are working hard to make sure their websites are prepared for the volume of traffic they expect to experience.

But the festive season is also a busy time for hackers, who will be targeting shops and shoppers in a bid to steal customer data whether online or in brick and mortar stores.

The bad news for retailers is that 64 per cent of consumers are unlikely to shop with a company that has experienced a financial information breach, according to a new survey from Gemalto, published this week.

With 59 per cent of consumers also saying they think threats to personal information increase during the festive season, and 20 per cent that they will become a victim this year, it's time for online retailers to prove them wrong.

This could, of course, be easier said than done. That same survey shows that confidence in the ability to protect data is fairly low, with only 25 per cent of people saying their data security is taken seriously.

The Accenture UK Holiday Shopping Survey suggests that these fears won't stop the seasonal sales though, with 53 per cent of respondents saying they will do the majority of their Christmas shopping online despite 39 per cent being concerned about privacy or security issues.

But with 45 million attacks on online retailers detected by the ThreatMetrix Digital Identity Network in the last quarter, retail is clearly in the cross hairs of the bad guys, and more so at this time of year than any other.

So what can online retailers do to mitigate the fraud and breach risk, and raise consumer confidence in their ability to secure these seasonal transactions?

Logins

Well, for a start, they could get to grips with where the real risk sits. Looking at the ThreatMetrix numbers, it would appear that the vast majority (some 78 per cent) of transactional attack attempts took place during account logins, with payments themselves a distant second (21 per cent) and account creations (one per cent) hardly registering on the radar.

This is hardly surprising as payments security is, generally speaking, tied down pretty tight, and compliance requirements for the payment industry are set pretty high.

It does suggest that logins remain a weak spot, however, and more focus on user authentication would be a good idea. Unfortunately, this goes against the grain in the retail sector, where the 'get them in the doors and through the checkout' mentality has simply migrated from bricks-and-mortar stores to clicks. This mindset has to change, and retailers must accept that online footfall will decline if security isn't seen to be taken seriously.

Hacker accounts

Retailers can also invest in behavioural analytics, looking out for dormant or never-used accounts that become active in the seasonal period. Sleeper accounts are a mainstay of the cybercriminal arsenal, as are long-forgotten genuine accounts that get hijacked courtesy of the stupidly guessable passwords that tend to 'protect' them. Simply requiring an additional layer of authentication for any such account springing to seasonal life could prevent fraud.
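The check described above, turned into working code as an added example (not code from the article or from any vendor it mentions): a batch of login events is compared against each account's last successful login, and any account that has never signed in, or has been idle longer than a dormancy threshold, is marked for step-up authentication before the session is allowed to proceed to checkout. The six-month threshold, the account records and the login events are all constructed for the illustration.

```python
"""
Flag dormant or never-used accounts that spring to life during the
seasonal peak and require step-up authentication for them.
Added example; the accounts, events and threshold below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumption: six months without a successful login counts as dormant.
DORMANCY_THRESHOLD = timedelta(days=180)


@dataclass
class Account:
    user: str
    created: datetime
    last_login: Optional[datetime]  # None: registered but never signed in


@dataclass
class LoginEvent:
    user: str
    when: datetime
    country: str


# Constructed sample account store keyed by username.
ACCOUNTS = {
    "alice": Account("alice", datetime(2013, 3, 1), datetime(2015, 11, 28)),  # regular shopper
    "bob":   Account("bob",   datetime(2013, 3, 1), datetime(2014, 12, 20)),  # last seen last Christmas
    "carol": Account("carol", datetime(2015, 1, 9), None),                    # registered, never used
    "dave":  Account("dave",  datetime(2015, 12, 1), datetime(2015, 12, 1)),  # recently created
}

# Constructed batch of successful password logins from one morning.
EVENTS = [
    LoginEvent("alice", datetime(2015, 12, 5, 9, 12), "GB"),
    LoginEvent("bob",   datetime(2015, 12, 5, 9, 40), "GB"),
    LoginEvent("carol", datetime(2015, 12, 5, 10, 2), "GB"),
    LoginEvent("dave",  datetime(2015, 12, 5, 10, 30), "GB"),
    LoginEvent("erin",  datetime(2015, 12, 5, 11, 0), "GB"),   # no such account
]


def classify(account: Account, event: LoginEvent,
             threshold: timedelta = DORMANCY_THRESHOLD) -> str:
    """Return 'never_used', 'dormant' or 'active' for this login."""
    if account.last_login is None:
        return "never_used"
    if event.when - account.last_login >= threshold:
        return "dormant"
    return "active"


def decide(accounts: dict, event: LoginEvent,
           threshold: timedelta = DORMANCY_THRESHOLD) -> dict:
    """Decide whether a login must pass step-up authentication.

    Sleeper and never-used accounts get the extra factor; an event for an
    unknown account is reported so it can be investigated separately.
    """
    account = accounts.get(event.user)
    if account is None:
        return {"user": event.user, "category": "unknown", "step_up": False}
    category = classify(account, event, threshold)
    return {
        "user": event.user,
        "category": category,
        "step_up": category in ("never_used", "dormant"),
    }


def review_batch(accounts: dict, events: list,
                 threshold: timedelta = DORMANCY_THRESHOLD) -> list:
    """Return one decision per event, in event order."""
    return [decide(accounts, e, threshold) for e in events]


def step_up_users(accounts: dict, events: list,
                  threshold: timedelta = DORMANCY_THRESHOLD) -> list:
    """Usernames from the batch that must complete step-up before checkout."""
    return [d["user"] for d in review_batch(accounts, events, threshold) if d["step_up"]]


def record_success(account: Account, event: LoginEvent) -> None:
    """Once step-up succeeds, the login becomes the new baseline."""
    account.last_login = event.when


if __name__ == "__main__":
    for decision in review_batch(ACCOUNTS, EVENTS):
        print(decision)
```

Only logins that pass the extra factor update `last_login`, so an attacker who has the password of a sleeper account but not the second factor never resets the account to "active".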

Mobile devices

Talking of layers, Whitehat Security research suggests that insufficient transport layer protection is the most commonly occurring (64 per cent) critical vulnerability class for retail. And with stats showing the seasonal shopping trend has shifted to mobile devices, it's more important than ever that mobile applications take the appropriate measures to authenticate and encrypt sensitive network traffic.
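As an added illustration of what "authenticate and encrypt sensitive network traffic" comes down to in a client, the following Python uses only the standard library's TLS client settings (it is not code from the article or from Whitehat Security, and the audit rules are assumptions): a hardened client context that verifies the server's certificate chain and hostname and refuses anything below TLS 1.2 is placed beside the weakened form often found in apps that "fixed" a certificate error by switching verification off, with a small audit function that reports which protections are missing.

```python
"""
Audit a client-side TLS configuration for the protections that make
'transport layer protection' real: certificate verification, hostname
matching and a protocol floor. Added example using the standard library;
the findings wording and the TLS 1.2 floor are assumptions.
"""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Verify the chain against the system CA store, match the hostname,
    and never negotiate below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weakened_client_context() -> ssl.SSLContext:
    """The 'make the error go away' pattern: the protocol floor is fine but
    certificate verification is switched off, so any server can impersonate
    the shop's API. Built only so the audit below has something to catch."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False        # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed (minimum_version below TLS 1.2)")
    return findings


if __name__ == "__main__":
    for name, builder in (("hardened", hardened_client_context),
                          ("weakened", weakened_client_context)):
        print(name, audit_client_context(builder()) or "OK")
```

Wrapping a socket with the hardened context (`ctx.wrap_socket(sock, server_hostname=host)`) is what ties the encryption to the server's identity; without the hostname check, a valid certificate for any other site would be accepted.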

Point of sale

Although the ThreatMetrix figures mentioned earlier showed that payments were not the point where most transactional attacks are attempted, that doesn't mean you can afford to ignore the threat. The emergence of sophisticated Point of Sale (PoS) malware such as ModPos proves this point nicely.

Speaking to IT Security Thing, Mark Bower from the Enterprise Data Security arm of HPE Security summed PoS systems up as being "the weak link in the chain" because "a checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data." So ensure yours ARE patched, updated and malware checked!

Sticking with PoS threats, the recent breach of point of sale systems in some Hilton hotels points us in another direction: the supply chain. The Hilton Worldwide breach appears to have targeted PoS terminals within franchised restaurants, bars and shops in hotel properties. No matter how well you lock down your in-house security, if you ignore third party suppliers you are asking for trouble. It's not an easy dilemma to solve, but at the very least you should be checking that your suppliers meet your own standards of security compliance.

Never be too focused on sales

Also filed under 'asking for trouble' at this time of year is the fact that many retail organisations go into a tunnel vision mode whereby sales are everything. This is understandable at the busiest time of year, a time when sales figures can literally make or break the business. However, when those organisations stop updating payment and order fulfillment systems lest such maintenance interrupts or slows down the sales loop, they really are asking for trouble.

In the rush to ensure that 'everything works fine' for the big sales push, enforcing a configuration and update freeze may seem like a good idea but it could also open the door to the bad guys. The takeaway has to be that, at this time of year the same as any other, don't let your convenience trump the security of your customers...

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.