The holiday cheers extends to everyone including criminal hackers. It’s the season when people are busy swiping their credit cards and/or going online shopping, perfect for opportunistic attacks on unsuspecting consumers and weak IT security systems.
The tech world was recently abuzz when UK researchers revealed in their study that it only takes six seconds for thieves to guess someone’s Visa credit card details and use that data to make transactions online. This fraudulent ploy is called distributed guessing attack, which relies on bots to crack the code for a Visa card’s expiration date and CVV (Card Verification Value) as part of e-commerce sites’ verification process.
The bots can make a number of different guesses across online shops, no thanks to how the security info is configured. The expiration date is usually 60 months after the card is issued, and the CVV three-digit combination cannot possibly generate more than 1,000 results. Add to it the sad fact that Visa’s IT services currently do not have any means to detect such attacks on their system, thereby putting many customers’ credit card security at risk.
E-Commerce and Mobile Shopping
It’s understandable that online businesses and retailers would want to take advantage of the huge sales that usually come around the holidays, what with approximately 29% of customers making purchases on the web. Adobe’s 2016 Digital Shopping Insights Predictions says online holiday sales this year will reach a whopping $91 billion mark.
In the United States, big e-commerce players such as Amazon, Best Buy, Target, Walmart, and several others all had holiday deals to offer not only via their physical stores but also through their websites, beginning Thanksgiving Day and continuing towards Black Friday and Cyber Monday. Christmas Day is expected to post the biggest mobile retail sales at 66 percent.
Balancing Sales with Security
While the prospect of making more money during the holidays is good, it does not come without a corresponding rise in cyber security threats. Crooks will take advantage of high traffic volume to attack retailer sites that have poor IT infrastructure.
The distributed guessing attack described above is a case in point. Websites that want to make online purchases easy for shoppers may be making their credit card verification process way too simple at the expense/risk of customers falling victim to scams.
Here are three of the most common types of holiday online scams:
Phishing
Consumers are keen on tracking every holiday sale to make the most out of the gift giving season, which makes them highly vulnerable to scams even if they are too good to be true. It’s worth nothing that it’s not always their fault. Scammers are now adept at making legitimate looking emails that an average person wouldn’t be able to tell the difference. Combined with social engineering, phishing can be very effective in extracting financial information.
Point-of-Sale (POS) Hacks
‘Tis the season to go shopping so POS hacks are to be expected, especially for businesses who have weak security systems. Back in 2014 Target became a target (pun intended). A malware had apparently been uploaded to the retailer’s network after hackers were able to log in using the credentials of a third-party service provider. The malware was able to decrypt information from the POS device’s RAM, providing hackers the unencrypted data such as customers’ credit and debit card account numbers.
Distributed Denial-of-Service (DDoS) Attacks
Retailers stand to lose more during December, which makes it a perfect time for criminal hackers to extort money. To make matters worse, DDoS-for-hire services do exist, which means anyone can initiate an attack for financial gain and bragging rights. A teenager can go to a site, pay for the size they want, and give the IP or website site address to send it.
Protecting Your Business from Holiday Cyber Heists
1. Identify your vulnerabilities.
Having a foolproof system is every enterprise’s goal, but security experts are realistic enough to acknowledge that cyber attacks are continuously evolving into something else over time.
Implement security testing to find out vulnerabilities that your IT team aren’t aware of or have not anticipated. The pattern among all successful data breach cases always lies in the execution, not just the tools. Knowing how criminal hackers can penetrate your system and how to mitigate this attack is the best solution for any enterprise.
2. Partner with outsourcing incident response (IR) experts.
Aside from your in-house IR teams, you could seek retainer services of outside cyber security firms. Together, they can help deploy your IR plan to minimize the impact of an online breach.
3. Keep your POS hardware and software up-to-date.
Using a combination of EMV (Europay, MasterCard, and Visa) technology, end-to-end encryption, and tokenization (the process of replacing sensitive credit card data with a token that has no exploitable value) can help mitigate POS security issues.
4. Use network segmentation.
If your network allows third-party access, make sure that your payment systems remain inaccessible to outside parties. This can be done through network segmentation, which is aimed both at boosting performance and improving the security of the system.
5. Collaborate with industry counterparts.
Retailers should participate in IT security forums and get updated in the latest industry news to get armed with the right information to combat cyber security threats. The question now is not why you will get hacked, but when. Being one step ahead of criminal hackers is the best way to counter their attacks.
Balancing security with profit can be a feat as you try to juggle usability with protocols. Furthermore, you can’t control your consumers and employees from falling prey to criminal hackers even if you already have the right security measures in place. However, this doesn’t you should give up. By implementing best practices and assuming the worst, this can mitigate potential threats and secure profits.