How to create a safer shopping experience
The annual holiday season has arrived. The air grows crisp (at least in the Northern hemisphere), new, cool gadgets are released and cyberattacks, along with cologne ads, proliferate. Cyber threats aren’t deterring shoppers though: The National Retail Federation expects online holiday sales to increase by 7 to 10 percent over last year, reaching as much as $117 billion. With e-commerce attacks in Q3 2016 increasing by 60 percent over the previous year, shopping hazards can hit from all sides. From phishing sites to online card skimming to compromised terminals in stores; even gifts themselves pose security risks. Still, there is much both consumers and retailers can do in order to make an all around safer shopping experience.
If it sounds too good to be true…
As a consumer, stay skeptical. Unless you are dealing with a known and reputable company, those amazing deals are probably amazing frauds. Fake shopping websites are much more sophisticated these days, using slick, professional design or mimicking legitimate sites wholesale. Often the domain name is a giveaway – look out for those that are long, with lots of hyphens, and/or that include popular brands or stores but with extra letters or numbers (e.g., www[.]nordstromco[.]com).
Also, the URL in the checkout section should start with https:// and have a padlock icon to the left of it indicating SSL encryption; exit immediately if it doesn’t. Don’t assume that links from trusted sites confer legitimacy: Facebook ads have linked to bogus Ray-Ban sites and Instagram promoted a phishing site that lured buyers with discounted Kanye West Adidas.
Follow all the other commonsense advice you’ve heard about online shopping: Use a credit card, not debit, to limit your losses in case of fraud. Don’t make purchases over public Wi-Fi. Hackers can intercept data through man-in-the-middle attacks or by setting up “evil twin” hotspots that capture your web traffic and can even redirect you to malware or phishing sites. If you use public Wi-Fi frequently, consider encrypting your traffic via a personal VPN connection service. Monitor your bank and credit card transactions frequently and set alerts for suspicious activity.
Even if you do everything right
Unfortunately, the most cautious online shopper is still exposed to security risks. Online credit card skimming is on the rise and using more sophisticated methods that make it harder to detect. According to researcher Willem de Groot, who closely tracks this trend, card skimming has increased by 69% in the past year.
Many legitimate retail sites contain security vulnerabilities that leave them open to attack by attackers that may insert credit-card skimming or other data collecting malware. Unlike headline grabbing DDoS and ransomware attacks, these hacks can go undetected for a long time. De Groot found that earlier versions of card skimming malware used fairly readable and detectable JavaScript but some newer versions use multi-layer obfuscation techniques.
One such example, dubbed Magecart by researchers at RiskIQ, takes advantage of vulnerabilities in eCommerce platforms to inject JavaScript code directly into websites to capture payment card information. The code is served with a valid SSL certificate and various obfuscation techniques have been seen including delivering the payload in two stages, conditional activation of stealer scripts, obfuscated code and renaming the malicious script to blend in with the site.
What can shoppers do to protect themselves? First, make sure that all applications and operating systems are up to date. Consider using web content whitelisting plugins, such as NoScript, that prevent JavaScript and other executable content from running. (Of course you might whitelist a retail site, thinking it is secure, but discover later that your payment data has been compromised.)
The larger burden falls on merchants to ensure their websites are secure: Keep all operating system and web development software up to date. Have a systematic patch management program in place and maintain a web application firewall. Safeguard admin credentials and change passwords regularly; use multi-factor authentication or two-step verification procedures as feasible.
In-store hazards
While much attention has focused on the risks of cyber shopping, online sales still count for less than ten percent of total retail sales according to the latest U.S. Department of Commerce census. Most this season will shop the old fashioned way, with all the dangers that entails. Once through the parking lot fender benders, battles over that last half-priced gaming console and endless checkout lines, shoppers face one final threat, the point-of-sale (POS) terminal.
Point-of-sale malware, in all its hundreds of variants, has become one of the biggest sources of stolen payment cards for cybercriminals. Knowing that security teams are stretched thin and sales volumes high, attackers specifically target the holiday season, sometimes infiltrating and waiting months before execution. The malware steals payment card information by screen capturing, keylogging or by scanning the system’s memory as a transaction is processed in the POS terminal (RAM scraping). The fallout from such attacks can be substantial – costs from the infamous Target data breach during the 2013 holiday season ran to nearly $300 million. Not to mention the tens of millions of inconvenienced and disgruntled customers.
Generally POS malware makes its way through the retailer’s network. Most POS machines are Windows-based systems running some kind of customized hardware and software. Malware might be delivered via malicious email attachments or a drive-by download from an infected website. Another popular entry point is compromised third-party vendor credentials – an employee at Target’s HVAC service provider fell for a phishing scheme, which triggered the entire fiasco.
There is little buyers can do to protect themselves other than monitoring their financial card activity. The new EMV standard for payment cards, aka chip cards or smart cards, help somewhat. They generate a one-time code for each transaction, making it more difficult to extract and use payment information. However, attackers can still steal data and make clones to use on terminals that are not EMV-enabled or make fraudulent purchases online.
Merchants must make sure they are doing all they can to prevent POS malware from infiltrating their system in the first place: Put a reasonable, well-managed patching plan in place; many attacks take advantage of old, unpatched vulnerabilities. Make sure you have an updated anti-virus to block basic attacks. For advanced and targeted threats, consider one of the newer technologies, like Moving Target Defense (MTD), which preempt such attacks by stopping the attack at its initial step.
Beware of what you buy
If the transaction dangers are not enough to be concerned about, some gifts themselves carry risks. A survey from National Cyber Security Alliance (NCSA) found more than a third of holiday gift givers (36%) plan to purchase internet-connected devices for family and friends.
These sought after internet gadgets are proving problematic from a security point of view, as demonstrated by the recent wave of Mirai DDoS attacks. Launched from botnet malware installed on IoT devices such as CCTV cameras and DVRs, attacks strangled more than 80 major websites in October. More recently, hackers took out broadband service for over a million total customers across Europe while hijacking routers to enlist them in a Mirai botnet.
DDoS attacks are only one possible threat from infected IoT devices. Researchers at DEF CON 2016 demonstrated ransomware-infected smart thermostats and compromised remote cameras, baby monitors and TVs all provide opportunities for espionage attacks. The diversity of IoT hardware and software make it extremely difficult to secure. IoT is a mixture of systems, composed of various types of CPUs and chipsets from different vendors. Development boards come from diverse manufacturers and there are ten leading OSs for IoT plus many others in use. Most IoT devices are meant to be install-and-forget and were not built with patching and updating in mind. In this state, developing and maintaining an IoT-wide security product is very challenging if not impossible.
No one is suggesting that you strike those smart TVs or drones off your list, but consumers and merchants alike should stay informed and vigilant. Do your homework – read online reviews and make sure you’re aware of any security issues. The first time you turn the device on, change default passwords and check for updates and patches. Make sure your Wi-Fi is secure and avoid public Wi-Fi. You can’t eliminate every risk, but you can keep yourself safer while enjoying this connected world.