This month is National Cybersecurity Awareness Month — a public/private initiative led by the U.S. Department of Homeland Security. This year, the program will spotlight “personal accountability and stress the importance of taking proactive steps to enhance cybersecurity at home and in the workplace,” organizers said.
For retailers and brands, the month-long program serves as a reminder that online shopping sees a robust uptick during the holidays — which heightens the risk of cyberattacks. In response, Kim DeCarlis, chief marketing officer for PerimeterX, just released a report citing various types of breaches and other security issues as well as tips for retailers to combat attacks.
One of the more common attacks is “carding” – with credit cards or gift cards. With credit cards, DeCarlis described carding as a “brute force attack on a retailer’s web site using stolen credit cards. Due to the massive number of breached records over the years, large databases of stolen credit cards are available for sale on the Internet.”
She said attackers use malicious bots to “test stolen credit card data on a retailer’s web site. To verify the cards work, attackers typically make a low-cost purchase, and only if successful do they place bigger orders and receive products or services using the fraudulent cards.”
Mitigating the risk requires being able to spot these purchasing trends to reveal possible fraud. It requires the right technology and a systemic approach.
With gift cards, the chief marketing officer said fraud occurs “when attackers guess the card number or use numbers purchased off the dark web, and then steal the balance of a gift card.”
“As with credit card fraud, purchases of very small amounts followed by purchases of larger amounts could indicate gift card fraud,” DeCarlis added.
Account takeover is another form of cyber fraud, and DeCarlis said this occurs when “someone gains unauthorized access to an online account.”
“Botnet operators use automated tools and a botnet of compromised PCs, smartphones or IoT devices to test password and user credentials across thousands of sites to see which ones work,” she explained. “Even if your credentials aren’t compromised, retailers who allow social login — such as Facebook and Google — for fast checkout are at risk if those particular accounts are compromised.”
To address this, DeCarlis said retailers and brands need to turn their attention to “behavioral anomalies and characteristics.”
“The determination of whether specific behavior is human or bot must be made quickly on the first access and request, rather than over a series of pages,” DeCarlis explained. “If the attack starts with a request to the login page, any delay in determination will occur after the actual attempt has been made.”
Other forms of attack and fraud include account abuse, “scraping” and “form-jacking.” Think of the latter as hijacking valuable data, but doing it during normal purchases — similar to card skimming at a gas station, DeCarlis said.
With scraping, “rich content” has a significant role in driving shoppers to a web site. “However, content scrapers can steal your content — including pricing, tax your web infrastructure and reduce your SEO ranking,” the CMO said. “Since pricing can be a large competitive advantage and plays a massive role in attracting customers and repeat business, your site is vulnerable to scraping of pricing, product information, inventory and customer reviews.”
In response, DeCarlis said retailers need to protect pricing and online catalogues “in real-time with solutions that recognize legitimate search engine bots while blocking or serving dated information to malicious price scraping bots that intend to steal your data.”