How to reduce the risk of festive fraud

Retailers are gearing up for Christmas, but so are cybercriminals…

With Christmas around the corner, retailers are working hard to make sure their websites are prepared for the volume of traffic they expect to experience.

But the festive season is also a busy time for hackers, who will be targeting shops and shoppers in a bid to steal customer data, whether online or in brick-and-mortar stores.

The bad news for retailers is that 64 per cent of consumers are unlikely to shop with a company that has experienced a financial information breach, according to a new survey from Gemalto, published this week.

With 59 per cent of consumers also saying they think threats to personal information increase during the festive season, and 20 per cent saying they think they will become a victim this year, it's time for online retailers to prove them wrong.

This could, of course, be easier said than done. That same survey shows that confidence in the ability to protect data is fairly low, with only 25 per cent of people saying their data security is taken seriously.

The Accenture UK Holiday Shopping Survey suggests that these fears won't stop the seasonal sales though, with 53 per cent of respondents saying they will do the majority of their Christmas shopping online despite 39 per cent being concerned about privacy or security issues.

But with 45 million attacks on online retailers detected by the ThreatMetrix Digital Identity Network in the last quarter, retail is clearly in the crosshairs of the bad guys, and more so at this time of year than any other.

So what can online retailers do to mitigate the fraud and breach risk, and raise consumer confidence in their ability to secure these seasonal transactions?


Well, for a start, they could get to grips with where the real risk sits. Looking at the ThreatMetrix numbers, it would appear that the vast majority (some 78 per cent) of transactional attack attempts took place during account logins, with payments themselves a distant second (21 per cent) and account creations (one per cent) hardly registering on the radar.

This is hardly surprising as payments security is, generally speaking, tied down pretty tight, and compliance requirements for the payment industry are set pretty high.

It does suggest that logins remain a weak spot, however, and more focus on user authentication would be a good idea. Unfortunately, this goes against the grain in the retail sector, where a 'get them in the doors and through the checkout' mentality has moved from brick-and-mortar stores to clicks. This mindset has to change, and an understanding that online footfall will decline if security isn't seen to be taken seriously must be adopted.

Hacker accounts

Retailers can also invest in behavioral analytics, looking out for dormant or never-used accounts that become active in the seasonal period. Sleeper accounts are a mainstay of the cybercriminal arsenal, as are long-forgotten genuine accounts that get hijacked courtesy of the stupidly guessable passwords that tend to 'protect' them. Simply requiring an additional layer of authentication for any such accounts springing to seasonal life could prevent fraud.
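The dormant-account check described above, as an added example (not code from the article or from any vendor it cites): it replays a constructed login stream and marks the logins that should face an extra authentication step. The 180-day dormancy threshold, the 14-day watch period, the seasonal window and all account names are assumptions.

```python
from datetime import datetime, timedelta

# All values below are assumptions made for this example; tune them to your data.
DORMANT_AFTER = timedelta(days=180)   # inactivity that counts as "dormant"
WATCH = timedelta(days=14)            # keep challenging after a reactivation
SEASON = (datetime(2015, 11, 15), datetime(2016, 1, 5))  # peak trading window

# Constructed sample data: account -> sign-up time, plus a login event stream.
ACCOUNTS = {
    "alice": datetime(2015, 8, 1),
    "bob": datetime(2014, 11, 1),
    "sleeper01": datetime(2015, 2, 2),   # registered, never logged in
    "newbie": datetime(2015, 12, 1),
}
LOGINS = [
    ("bob", datetime(2014, 12, 24, 18, 30)),
    ("alice", datetime(2015, 10, 20, 9, 0)),
    ("alice", datetime(2015, 12, 10, 20, 15)),
    ("bob", datetime(2015, 12, 12, 2, 5)),
    ("sleeper01", datetime(2015, 12, 12, 2, 7)),
    ("bob", datetime(2015, 12, 13, 2, 30)),
    ("newbie", datetime(2015, 12, 13, 11, 0)),
]

def review_logins(accounts, logins, dormant_after=DORMANT_AFTER,
                  watch=WATCH, season=SEASON):
    """Return (account, time, decision, reason) per login, in time order."""
    last_seen, woke, out = {}, {}, []
    for account, when in sorted(logins, key=lambda e: e[1]):
        if account not in accounts:
            out.append((account, when, "deny", "unknown account"))
            continue
        # A never-used account is measured from its sign-up date.
        baseline = last_seen.get(account, accounts[account])
        if when - baseline >= dormant_after:
            kind = "dormant" if account in last_seen else "never-used"
            woke[account] = (when, kind)
        last_seen[account] = when
        hit = woke.get(account)
        in_season = season[0] <= when <= season[1]
        if hit and in_season and when - hit[0] <= watch:
            out.append((account, when, "step_up", hit[1] + " account reactivated"))
        else:
            out.append((account, when, "allow", "normal activity"))
    return out

if __name__ == "__main__":
    for account, when, decision, reason in review_logins(ACCOUNTS, LOGINS):
        print(f"{when:%Y-%m-%d %H:%M} {account:10} {decision:8} {reason}")
```

The watch period keeps a reactivated account on the extra check for its next few logins, so one successful password guess does not return it to normal handling.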

Mobile devices

Talking of layers, Whitehat Security research suggests that insufficient transport layer protection is the most commonly occurring (64 per cent) critical vulnerability class for retail. And with stats showing the seasonal shopping trend has shifted to mobile devices, it's more important than ever that mobile applications take the appropriate measures to authenticate and encrypt sensitive network traffic.

Point of sale

Although the ThreatMetrix figures mentioned earlier showed that payments were not the point where most transactional attacks are attempted, that doesn't mean you can afford to ignore the threat. The emergence of sophisticated Point of Sale (PoS) malware such as ModPos proves this point nicely.

Speaking to IT Security Thing, Mark Bower from the Enterprise Data Security arm of HPE Security summed PoS systems up as being "the weak link in the chain" because "a checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data." So ensure yours ARE patched, updated and malware checked!

Sticking with PoS threats, the recent breach of point of sale systems in some Hilton hotels points us in another direction: the supply chain. The Hilton Worldwide breach appears to have targeted PoS terminals within franchised restaurants, bars and shops in hotel properties. No matter how well you lock down your in-house security, if you ignore third party suppliers you are asking for trouble. It's not an easy dilemma to solve, but at the very least you should be checking that your suppliers meet your own standards of security compliance. 

Never be too focused on sales

Also filed under 'asking for trouble' at this time of year is the fact that many retail organisations go into a tunnel vision mode whereby sales are everything. This is understandable at the busiest time of year, a time when sales figures can literally make or break the business. However, when those organisations stop updating payment and order fulfillment systems lest such maintenance interrupts or slows down the sales loop, they really are asking for trouble.

In the rush to ensure that 'everything works fine' for the big sales push, enforcing a configuration and update freeze may seem like a good idea, but it could also open the door to the bad guys. The takeaway has to be this: at this time of year, the same as any other, don't let your convenience trump the security of your customers...
