The 2018 holiday shopping season is predicted to generate almost $130 billion in online sales, which is drawing the attention of cybercriminals to e-commerce transactions and omnichannel interfaces. Both retailers and shoppers will become targets of opportunity for hackers seeking to take advantage of any stage where money (or, more importantly, banking credentials) changes hands electronically. This period has historically seen similar increases in attacks, such as during the infamous Target Black Friday breach in 2013, but the sheer amount of cash and financial data involved will likely spur attackers to make more concentrated efforts.
Perfect Storm of Social Engineering
Attack methods and channels vary, but the majority of attempts consistently involve phishing, as it is the easiest and most cost-effective technique to deploy in volume. Sophisticated cybercriminals can augment this approach with research into their targets that significantly increases the credibility of the fabricated message to its intended victim. Attackers leverage the fast pace of holiday shopping to lower their target’s inhibitions, especially for last-minute gift purchases.
Cybercriminals will employ strategies such as shadowing your purchasing journey to hijack it at a critical juncture, including sending an email posing as either the vendor or distributor and asking for credit card numbers or login information. Some take advantage of payment portal websites or mobile applications, placing their own malicious landing pages or apps to capture e-commerce traffic. These duplicates may be used as vehicles for malware such as a trojan that will give hackers deeper access.
Mobile as an Attack Vector
Mobile e-commerce provides a potentially lucrative channel for attackers to exploit as smartphones become the preferred online shopping tool while device security remains stagnant. Research has repeatedly shown that both professional and personal mobile security practices compound the gaps already present in smartphones' defenses against malware infections. Other existing weaknesses in mobile phones make it easier for hackers to leverage socially engineered attacks against targets.
Retailers occupy an even more vulnerable place as both potential victims and attack vectors. Client data collected through payment portals or other platforms can be even more valuable than the purchases themselves, since cybercriminals can either use this information themselves or sell it through the Dark Web. Once an attacker hacks into the vendor’s systems, they will be able to position themselves to go after customers when the opportunity arises.
Customer Personal Information
The loss of customer personal information represents the greatest danger for most retailers. It results in a loss of consumer and investor trust, which can bring very real financial penalties in declining stock prices and lost business, and it can also violate existing and emerging compliance laws. In the wake of successive network breaches and the EU’s GDPR, regulatory agencies have shown an increasingly stringent response to data leaks.
Non-public personal information (NPI) collected by organizations, especially personally identifiable information (PII) that can give access to bank credentials, has consequently taken on a greater importance in the eyes of government bodies and trade associations. Companies can be found liable for data breaches, either for creating the circumstances in which they occur or for not reporting them in time, and can be directly penalized. Even if third parties, such as outside contractors or trading partners, made the breach possible, responsibility falls on the organization that had primary ownership of the data.
Review Your Network Security
Protecting yourself from hackers this and future holiday shopping seasons means not becoming an easy target. Cybercriminals rely on the volume of transactions happening, the faster pace of this retail cycle and the desperation of both retailers and shoppers to get past safeguards and common sense.
As a consumer, you must err on the side of caution and recognize the red flags when they appear. As a retailer, you must ensure your system can handle both the number of customers you will receive and intrusion attempts.
Sign up for a Network Vulnerability Test to receive penetration testing for your system and review how well it can hold up to attacks.