How to reduce the risk of festive fraud

Retailers are gearing up for Christmas, but so are cybercriminals…

With Christmas around the corner, retailers are working hard to make sure their websites are prepared for the volume of traffic they expect to experience.

But the festive season is also a busy time for hackers, who will be targeting shops and shoppers in a bid to steal customer data whether online or in brick and mortar stores.

The bad news for retailers is that 64 per cent of consumers are unlikely to shop with a company that has experienced a financial information breach, according to a new survey from Gemalto, published this week.

With 59 per cent of consumers also saying they think threats to personal information increase during the festive season, and 20 per cent that they will become a victim this year, it's time for online retailers to prove them wrong.

This could, of course, be easier said than done. That same survey shows that confidence in the ability to protect data is fairly low, with only 25 per cent of people saying their data security is taken seriously.

The Accenture UK Holiday Shopping Survey suggests that these fears won't stop the seasonal sales though, with 53 per cent of respondents saying they will do the majority of their Christmas shopping online despite 39 per cent being concerned about privacy or security issues.

But with 45 million attacks on online retailers detected by the ThreatMetrix Digital Identity Network in the last quarter, retail is clearly in the cross hairs of the bad guys, and more so at this time of year than any other.

So what can online retailers do to mitigate the fraud and breach risk, and raise consumer confidence in their ability to secure these seasonal transactions?

Logins

Well, for a start, they could get to grips with where the real risk sits. Looking at the ThreatMetrix numbers, it would appear that the vast majority (some 78 per cent) of transactional attack attempts took place during account logins, with payments themselves a distant second (21 per cent) and account creations (one per cent) hardly registering on the radar.

This is hardly surprising as payments security is, generally speaking, tied down pretty tight, and compliance requirements for the payment industry are set pretty high.

It does suggest that logins remain a weak spot, however, and more focus on user authentication would be a good idea. Unfortunately, this goes against the grain in the retail sector, where the 'get them in the doors and through the checkout' mentality of brick-and-mortar stores has carried over to clicks. This mindset has to change: retailers must accept that online footfall will decline if security isn't seen to be taken seriously.

Hacker accounts

Retailers can also invest in behavioural analytics, looking out for dormant or never-used accounts that become active in the seasonal period. Sleeper accounts are a mainstay of the cybercriminal arsenal, as are long-forgotten genuine accounts that get hijacked courtesy of the stupidly guessable passwords that tend to 'protect' them. Simply requiring an additional layer of authentication for any such account springing to seasonal life could prevent fraud.
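The check described above, as an added illustration that is not code from the article or from any of the vendors it mentions: a login is classified by whether it happens inside the seasonal window and whether the account is a never-used sleeper or has been idle for longer than a dormancy threshold, and such logins are routed to a step-up authentication prompt rather than blocked. The 180-day threshold, the seasonal window dates and the sample accounts are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Assumed policy values (not from the article): an account idle this long is
# treated as dormant, and the seasonal window is when the extra step applies.
DORMANT_AFTER = timedelta(days=180)
SEASON_START = datetime(2015, 11, 20)
SEASON_END = datetime(2015, 12, 31, 23, 59, 59)


@dataclass
class LoginEvent:
    account_id: str
    when: datetime                      # time of this login attempt
    created: datetime                   # account creation time
    last_activity: Optional[datetime]   # None means never used since creation


def in_season(when: datetime) -> bool:
    return SEASON_START <= when <= SEASON_END


def classify_login(ev: LoginEvent) -> Tuple[str, str]:
    """Return (decision, reason). 'step_up' means the session must pass an
    additional authentication factor before it can reach the checkout."""
    if not in_season(ev.when):
        return ("allow", "outside seasonal window")
    if ev.last_activity is None:
        # A sleeper account: registered, never used, now waking up in season.
        age = ev.when - ev.created
        return ("step_up", f"never-used account, registered {age.days} days ago")
    idle = ev.when - ev.last_activity
    if idle >= DORMANT_AFTER:
        # A long-forgotten genuine account, the typical hijack target.
        return ("step_up", f"dormant for {idle.days} days")
    return ("allow", f"active {idle.days} days ago")


def triage(events) -> dict:
    """Map account id -> (decision, reason) for a batch of login events."""
    return {ev.account_id: classify_login(ev) for ev in events}


# Constructed sample events (not real accounts or traffic).
SAMPLE_EVENTS = [
    LoginEvent("regular", datetime(2015, 12, 1), datetime(2014, 3, 1), datetime(2015, 11, 24)),
    LoginEvent("sleeper", datetime(2015, 12, 1), datetime(2015, 6, 1), None),
    LoginEvent("forgotten", datetime(2015, 12, 1), datetime(2012, 1, 1), datetime(2013, 10, 5)),
    LoginEvent("offseason", datetime(2015, 7, 1), datetime(2012, 1, 1), datetime(2013, 10, 5)),
]

if __name__ == "__main__":
    for acct, (decision, reason) in triage(SAMPLE_EVENTS).items():
        print(f"{acct:10s} {decision:8s} {reason}")
```

The decision is deliberately "step up" rather than "deny": a genuine customer returning after a long absence is exactly the kind of shopper the retailer wants to keep, so the extra factor is a friction cost on a small population rather than a lost sale.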

Mobile devices

Talking of layers, Whitehat Security research suggests that insufficient transport layer protection is the most commonly occurring (64 per cent) critical vulnerability class for retail. And with stats showing the seasonal shopping trend has shifted to mobile devices, it's more important than ever that mobile applications take the appropriate measures to authenticate and encrypt sensitive network traffic.
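To make "insufficient transport layer protection" concrete, here is an added example (not from the article or from Whitehat Security) of the three client-side settings that most often constitute it: skipped certificate verification, skipped hostname checking, and legacy TLS versions left enabled. It uses Python's `ssl` module as a stand-in for a mobile app's HTTP client; the audit function flags a weak context and passes a hardened one. The finding labels and the two example contexts are the example's own.

```python
import ssl


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return a list of finding labels for weak client TLS settings; an
    empty list means none of the checked weaknesses is present."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        # Any server certificate is accepted, so a man-in-the-middle can
        # present its own and read the traffic.
        findings.append("no_cert_verification")
    if not ctx.check_hostname:
        # A valid certificate for any other host would be accepted.
        findings.append("no_hostname_check")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        # TLS 1.0/1.1 (or SSL) can still be negotiated.
        findings.append("legacy_tls_allowed")
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        # TLS-level compression leaks plaintext length (CRIME-style attacks).
        findings.append("tls_compression_allowed")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """Platform trust store, certificate and hostname verification on,
    TLS 1.2 as the floor (set explicitly so older Python versions match)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The 'just make it work' configuration seen in apps that hit
    certificate errors during development and never undid the workaround."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print("hardened:", audit_tls_context(hardened_client_context()) or "ok")
    print("weak:    ", audit_tls_context(weak_client_context()))
```

On a mobile platform the same three properties are set through the platform's network security configuration rather than an `SSLContext`, but the review questions are identical: is the server certificate chain checked, is the hostname checked against it, and what is the lowest protocol version the app will accept.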

Point of sale

Although the ThreatMetrix figures mentioned earlier showed that payments were not the point where most transactional attacks are attempted, that doesn't mean you can afford to ignore the threat. The emergence of sophisticated Point of Sale (PoS) malware such as ModPos proves this point nicely.

Speaking to IT Security Thing, Mark Bower from the Enterprise Data Security arm of HPE Security summed PoS systems up as being "the weak link in the chain" because "a checkout terminal in constant use is usually less frequently patched and updated, and is thus vulnerable to all manner of malware compromising the system to gain access to cardholder data." So ensure yours ARE patched, updated and malware checked!

Sticking with PoS threats, the recent breach of point of sale systems in some Hilton hotels points us in another direction: the supply chain. The Hilton Worldwide breach appears to have targeted PoS terminals within franchised restaurants, bars and shops in hotel properties. No matter how well you lock down your in-house security, if you ignore third-party suppliers you are asking for trouble. It's not an easy dilemma to solve, but at the very least you should be checking that your suppliers meet your own standards of security compliance.

Never be too focused on sales

Also filed under 'asking for trouble' at this time of year is the fact that many retail organisations go into a tunnel vision mode whereby sales are everything. This is understandable at the busiest time of year, a time when sales figures can literally make or break the business. However, when those organisations stop updating payment and order fulfilment systems lest such maintenance interrupt or slow down the sales loop, they really are asking for trouble.

In the rush to ensure that 'everything works fine' for the big sales push, enforcing a configuration and update freeze may seem like a good idea, but it could also open the door to the bad guys. The takeaway has to be that, at this time of year as at any other, you shouldn't let your convenience trump the security of your customers...
