The holiday shopping season is nearly here and that means an opportunity for major e-commerce sales for retailers, but also an increased risk of cyberattacks. Criminals are expected to try to hijack customer and employee accounts, break into online platforms through code vulnerabilities and launch distributed denial-of-service attacks against shopping websites.
It’s always best to take preventive measures to reduce the chance of security compromises and limit the impact of potential breaches, but companies also should be prepared to respond to such incidents when they happen—after all, there’s no perfect security.
“Make sure that at least three months of all logs are readily available and 1 year of logs [are] available offline,” said Reno Zenere, a security consultant for incident response with SpiderLabs at Trustwave. “In order to understand how a breach occurred, the logs are the main source of information to see if a foreign IP address logged into the administrative portion of the website or if there was some type of XSS or SQL injection attacks.”
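The kind of log review Zenere describes can be scripted. The following is an added example, not code from the article or from Trustwave: it parses a handful of constructed web-server access-log lines (combined log format, documentation IP ranges) and flags two things, administrative-path requests from addresses outside a hypothetical office/VPN allowlist, and request paths carrying crude SQL injection or XSS indicators. The allowlist network and the `/admin` path prefix are assumptions.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format); not real traffic.
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Nov/2017:10:01:12 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Nov/2017:10:02:45 +0000] "GET /product?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Nov/2017:10:02:51 +0000] "GET /product?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Nov/2017:10:03:05 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Nov/2017:10:03:30 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 800 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Nov/2017:10:04:00 +0000] "GET /admin/orders HTTP/1.1" 401 0 "-" "curl/7.54"
"""

# Hypothetical: the retailer's office/VPN range from which admin logins are expected.
ADMIN_ALLOWED_NETWORKS = [ip_network("192.0.2.0/24")]
ADMIN_PREFIX = "/admin"  # assumed location of the administrative portion of the site

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Crude indicators of SQL injection / XSS probing, applied to the URL-decoded path.
# A real deployment would rely on WAF or IDS signatures; these are illustrative only.
INJECTION_PATTERNS = [
    re.compile(r"'\s*(or|and)\s*'?\d", re.I),
    re.compile(r"union\s+select", re.I),
    re.compile(r"<script", re.I),
    re.compile(r"javascript:", re.I),
]


def parse_line(line):
    """Return the named fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_allowed_admin_ip(ip):
    addr = ip_address(ip)
    return any(addr in net for net in ADMIN_ALLOWED_NETWORKS)


def analyze(log_text):
    """Scan log text and return a list of findings in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = unquote_plus(rec["path"])
        status = int(rec["status"])
        # Any request to the admin area from an unexpected network is worth a look;
        # a successful login (200/302 on the login endpoint) is the higher-priority case.
        if rec["path"].startswith(ADMIN_PREFIX) and not is_allowed_admin_ip(rec["ip"]):
            if rec["method"] == "POST" and rec["path"].startswith(ADMIN_PREFIX + "/login") and status in (200, 302):
                kind = "admin_login_unexpected_ip"
            else:
                kind = "admin_access_unexpected_ip"
            findings.append({"kind": kind, "ip": rec["ip"], "path": path, "status": status})
        for pat in INJECTION_PATTERNS:
            if pat.search(path):
                findings.append({"kind": "injection_probe", "ip": rec["ip"], "path": path, "status": status})
                break
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Decoding the path before matching matters: the injection attempts in the sample are URL-encoded on the wire and would slip past a pattern applied to the raw request line. The same script run over three months of retained logs, as Zenere recommends, is what makes the "did a foreign address log into the admin area" question answerable after the fact.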
Retailers also must have an incident response plan in place and practice it in advance. Such a plan should involve outside legal counsel, law enforcement agencies and third-party forensics specialists who can be quickly called to assist in case of an incident.
“It is very difficult to respond to a breach technologically as well as notifying customers, card brands, banks, internal employees and legal if there is no plan in place,” Zenere said. “Think of this as creating a fire escape plan and then performing fire drills.”
The leading threat during the shopping season is likely to be account takeover, according to Don Duncan, sales engineer at behavioral analytics firm NuData Security, a Mastercard company.
“This attack takes advantage of those security systems that rely on static information; if the answers provided by the fraudster are correct, there is no reason for a company to decline a transaction,” Duncan said. “During peak shopping seasons, companies tend to change their rules to lower friction, reduce the number of customer insults and increase conversions—and that’s just what cybercriminals are waiting for. Hackers use these seasonal security changes to hide among the crowd, take advantage of companies’ eagerness to sell, and leave them with exorbitant losses.”
Several major data breaches over the past few years have provided cybercriminals with access to personal data and login credentials for hundreds of millions of people. That information could be used to impersonate customers and bypass basic security and anti-fraud checks. That’s why it’s also important to monitor for unusual user behavior patterns and not only for payment card transactions.
In many cases hackers have no intention to use compromised accounts for direct purchase fraud, said Ryan Wilk, VP of customer success at NuData. “Instead, they are looking to steal stored value such as rewards dollars, points, software keys or tickets out of accounts, never actually processing a payment card event. If retailers are only monitoring the outcome of purchases and transactions, they are leaving themselves open to a whole world of risk they have no visibility into.”
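The monitoring gap Wilk describes, stored value leaving an account with no payment event, can be covered with a simple rule over account activity. Below is an added example, not code from NuData or the article, that runs two rules over a constructed event stream: a stored-value redemption shortly after a login from a device the account has never used, and many distinct accounts logging in from one IP address. The event schema, the known-device baseline, the 15-minute window and the threshold of three accounts are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event stream (not real data), shaped like what an e-commerce
# platform might log: (account, ISO timestamp, event type, ip, device id, value).
EVENTS = [
    ("alice", "2017-11-20T09:00:00", "login", "198.51.100.5", "dev-a1", None),
    ("alice", "2017-11-20T09:05:00", "purchase", "198.51.100.5", "dev-a1", 59.99),
    ("bob",   "2017-11-20T09:10:00", "login", "203.0.113.40", "dev-x9", None),
    ("bob",   "2017-11-20T09:11:30", "redeem_points", "203.0.113.40", "dev-x9", 120.00),
    ("carol", "2017-11-20T09:12:00", "login", "203.0.113.40", "dev-x9", None),
    ("carol", "2017-11-20T09:13:10", "redeem_gift_card", "203.0.113.40", "dev-x9", 75.00),
    ("dave",  "2017-11-20T09:14:00", "login", "203.0.113.40", "dev-x9", None),
    ("erin",  "2017-11-20T09:30:00", "login", "198.51.100.77", "dev-e2", None),
    ("erin",  "2017-11-20T09:40:00", "redeem_points", "198.51.100.77", "dev-e2", 10.00),
]

# Hypothetical per-account baseline: devices seen before this window.
KNOWN_DEVICES = {
    "alice": {"dev-a1"}, "bob": {"dev-b1"}, "carol": {"dev-c1"},
    "dave": {"dev-d1"}, "erin": {"dev-e2"},
}

# Events that move value out of an account without a payment card transaction.
STORED_VALUE_TYPES = {"redeem_points", "redeem_gift_card", "redeem_software_key"}
REDEEM_WINDOW = timedelta(minutes=15)   # assumed: redemption soon after a new-device login
SHARED_IP_THRESHOLD = 3                 # assumed: distinct accounts from one IP


def detect_account_takeover(events, known_devices):
    """Return alerts for stored-value abuse after new-device logins and for shared-IP logins."""
    alerts = []
    last_new_device_login = {}            # account -> time of most recent unfamiliar-device login
    accounts_by_ip = defaultdict(set)     # ip -> accounts that logged in from it
    for account, ts, etype, ip, device, value in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if etype == "login":
            accounts_by_ip[ip].add(account)
            if device not in known_devices.get(account, set()):
                last_new_device_login[account] = t
            # Fire once, when the IP crosses the threshold.
            if len(accounts_by_ip[ip]) == SHARED_IP_THRESHOLD:
                alerts.append({"rule": "many_accounts_one_ip", "ip": ip,
                               "accounts": sorted(accounts_by_ip[ip])})
        elif etype in STORED_VALUE_TYPES:
            login_t = last_new_device_login.get(account)
            if login_t is not None and t - login_t <= REDEEM_WINDOW:
                alerts.append({"rule": "stored_value_after_new_device_login",
                               "account": account, "ip": ip, "type": etype, "value": value})
        # "purchase" events are left to the existing payment fraud checks.
    return alerts


if __name__ == "__main__":
    for a in detect_account_takeover(EVENTS, KNOWN_DEVICES):
        print(a)
```

Note that alice and erin generate nothing: alice only purchases from her usual device, and erin redeems points from a device already tied to her account. The two redemptions that do fire never touch a payment card, which is exactly the activity a transaction-only fraud check would never see.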
Account takeovers can extend beyond customers and can also affect a retailer’s customer support staff, developers, administrators, hosting providers, third-party technology integrators and other partners who might have various levels of access to the e-commerce platform. It’s very important for two-factor authentication to be enforced at least for such higher-risk user accounts, if not for all customers.
Retailers could use publicly available data from third-party breaches to search their own customer databases for accounts whose email addresses were exposed on other websites. It has become common practice for some internet companies to force users whose email addresses appear in third-party data leaks to change their passwords as a precaution, because many users reuse the same password on multiple websites.
“Two-factor authentication (2FA) for admin accounts and strong password policy for user accounts are must-have security controls,” said Ilia Kolochenko, CEO of web security firm High-Tech Bridge.
According to Kolochenko, the shopping season shouldn’t require substantial changes to the security approach that online retailers should apply to their web properties year-round. This includes maintaining an inventory of all e-commerce applications, including subdomains, web services and APIs, and making sure that assets that don’t need to be publicly accessible are properly firewalled.
“Some free tools can quickly evaluate the quality and reliability of your SSL encryption, web server and content security policy (CSP) hardening and detect cyber- or typo-squatted domains usurping your digital identity or brand,” Kolochenko said. “If you have any mobile applications, you can and should test them as well.”
Special attention should be given to the third-party plug-ins and frameworks used by commercial or open-source e-commerce platforms. Retailers should make sure all these components, as well as the platforms themselves, are up to date and that any newly found vulnerabilities are patched in a timely manner.
“Running outdated versions of popular web frameworks makes it extremely easy for an attacker to look up known vulnerabilities and then use those to exploit the merchant,” Trustwave’s Zenere said. “This includes simple cross-site scripting (XSS) and SQL injections, which, according to the Trustwave Global Security Report (GSR), accounts for about 23 percent of all attacks.”
Penetration testing and code audits should be performed regularly and file integrity monitoring tools should be used to quickly discover unauthorized modifications of web server files. Running a web application firewall is also recommended to block automated attacks and probing attempts that can consume server resources, even when they’re not successful.
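File integrity monitoring of the kind recommended above amounts to hashing every file under the web root, storing that baseline somewhere the web server cannot write, and diffing a fresh scan against it. The following is an added example, not code from the article or any product it mentions: it builds a SHA-256 baseline, persists it as JSON, compares a later scan and reports added, removed and modified files. The `demo()` function constructs a throwaway fake web root to show the three change types; the directory layout, the excluded cache/log paths and the file names are assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed: directories the application legitimately rewrites, so they are excluded
# from the baseline. Anything else changing between scans is worth investigating.
DEFAULT_EXCLUDES = ("var/cache", "var/log")


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, exclude_dirs=DEFAULT_EXCLUDES):
    """Map relative path -> {sha256, size, mode} for every regular file under root."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel == d or rel.startswith(d + "/") for d in exclude_dirs):
            continue
        st = p.stat()
        baseline[rel] = {"sha256": hash_file(p), "size": st.st_size,
                         "mode": oct(st.st_mode & 0o777)}
    return baseline


def save_baseline(baseline, path):
    # Store the baseline outside the web root (ideally off-host or signed);
    # a baseline the web server can rewrite proves nothing.
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Diff two scans. A permission change counts as a modification, not just content."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"] or baseline[p]["mode"] != current[p]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a fake web root, then simulate changes between scans."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text("<?php echo 'shop'; ?>")
        (root / "app").mkdir()
        (root / "app" / "checkout.php").write_text("<?php // checkout ?>")
        (root / "var" / "cache").mkdir(parents=True)
        (root / "var" / "cache" / "tmp.bin").write_bytes(b"\x00")

        baseline_file = root.parent / "baseline.json"  # outside the scanned tree
        save_baseline(build_baseline(root), baseline_file)

        # Simulated drift: edited checkout code, an unexpected new file, a deleted file,
        # and a legitimate cache rewrite that must not be reported.
        (root / "app" / "checkout.php").write_text("<?php // checkout, changed ?>")
        (root / "app" / "extra.php").write_text("<?php ?>")
        (root / "index.php").unlink()
        (root / "var" / "cache" / "tmp.bin").write_bytes(b"\x01")

        result = compare(load_baseline(baseline_file), build_baseline(root))
        baseline_file.unlink()
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The useful signal from a tool like this is an unexpected entry in `added` or `modified` between deployments, which is why the baseline has to be refreshed as part of each legitimate release and kept where a compromised web process cannot update it.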
The holiday shopping seasons are usually accompanied by significant spikes in the number of visitors, so online retailers should prepare their infrastructure to scale to accommodate the excess traffic. They should also keep in mind that some of that traffic could be malicious and a result of DDoS attacks, so the infrastructure should be protected by a DDoS mitigation service.
Companies also should regularly test that their backup and data recovery processes work as expected so they can recover from a data loss incident within a time frame that is acceptable to them.
It’s good practice for retailers to maintain a web page with recommendations for users on how to identify phishing attempts and other common scams that attempt to abuse their brands with fake email messages or typo-squatted domain names. Marketing communication with customers in preparation for and during the shopping season should include links to this page.