Experts Weigh in on E-Commerce Security Amid Snowballing Threats

How a retail sector reeling from COVID-19 can lock down its online systems to prevent fraud during the upcoming holiday shopping spike.

The raging pandemic has forced many retailers to re-imagine their businesses, shifting from in-person to contactless interactions through online sales. This new socially distanced reality is colliding with the crush of an upcoming holiday shopping season, creating an unprecedented opportunity for cybercriminals to capitalize.

Magecart is just one of the more potent types of attacks to emerge in recent months. Over one September weekend alone, the group’s card-skimmer malware was launched against 2,000 online retailers, compromising more than 10,000 shoppers.

But experts are warning retailers not to focus only on one threat or on protecting one particular system. Increasingly, attacks are attempting to infiltrate systems from multiple entry points simultaneously, supercharged by bots and automation, and lured by flocks of unsuspecting newbie online shoppers.

In fact, new customer accounts make up 30 percent of current transactions, which is five times higher than pre-COVID, according to Forter’s recent fraud attack index.

With threat levels at historic highs, Threatpost gathered a panel of experts on retail e-commerce security to help sort through the rising threats – and how retailers can defend themselves, their reputations and their customers’ data.

Their prescription isn’t simple. Each suggested a holistic approach which starts with the basics: patching, encouraging strong passwords and strong, fundamental Web Application Firewall (WAF) protection.

Besides that, retailers need to understand their own operations first and foremost, gaining a transparent view into them and getting a firm handle on what “normal” looks like for each organization. It’s that critical baseline that will often trigger the first alert the site is under attack.

Industry-leading experts Robert Capps, NuData’s vice president of marketplace innovation; Allan Liska, intelligence analyst for Recorded Future; and Matt Wilson, who leads product management for network and application security at Neustar, all joined a live Threatpost Webinar event on Oct. 14 titled, “Retail Security: Magecart and the Rise of e-Commerce Threats.”

They offered an up-to-the-minute look at the retail threat landscape, including the application network layer and the evolving role of automation and bots (which are increasingly able to mimic human behavior to evade detection).

Other topics included loyalty programs, fraudsters who buy online and pick up merchandise in the store, the ever-evolving ways cybercriminals turn an easy buck on unsuspecting retailers, and more.

Check out our experts’ critical insights on how to keep ahead in our video replay, below, followed by a lightly edited transcript of the event.


Transcript

Becky Bracken: Hello, everybody, and welcome to Threatpost’s Live webinar titled, Retail Security and the Rise of E-commerce. I’m Becky Bracken and I will be your host for today’s presentation.

Today, we’ve gathered a world-class panel of security experts who will discuss threats online to retailers, and we’re thrilled to have them join us.

The pandemic, as we all know, has created a bit of a perfect storm for retail security breaches, of all kinds.

It’s drastically accelerated the shift from shopping in a store to making even the most mundane purchases online. And I think pretty much once we were all on eBay, bidding on rolls of toilet paper, all sense flew out the window of us not being able to buy everyday stuff online.

In fact, new customer accounts make up 30 percent of current transactions online, which is five times higher than it was before the pandemic, according to Forter’s recent fraud attack index.

Retailers have also had to cobble together entirely new chains of business, moving away from in-person to contactless transactions like delivery. And there are new models of buy online, pick up in store. But because they’re new, they’re pretty plum pickings for clever criminals trying to find their next hustle.

And now we’re headed into the holiday shopping season, which will add an entirely new level of chaos.

Fraudsters love to use the cover of a spike in traffic for their crimes. More transactions mean security is bogged down and gets overloaded with traffic surges and increased volume, which leaves them exposed.

It’s a new world for retailers and we’ve brought together our panelists to sort it out and talk about the trends that they’re seeing.

First, we’d like to welcome Robert Capps, who is NuData’s VP of Marketplace Innovation. He’s a respected industry expert with more than 25 years of experience in the sector. So welcome, Robert.

Next, we have Allan Liska, an intelligence analyst for Recorded Future. He’s a go-to media source and consultant to businesses on how to combat evolving threats.

Finally, I’d like to introduce Matt Wilson. He leads Product Management for Network and Application Security at Neustar, where he developed and maintains the largest DDoS mitigation network in the world.

I want to welcome all of you and thank you very much for being here.

For the purposes of today’s discussion, we’ve broken the whole universe of exposure into three vectors: external threats, threats from the network view and threats from the internal view.

First, we’re going to have Allan discuss the retail security landscape as a whole and highlight a few of the most headline-making and prolific threats. Allan, if you’d like to take it away.

Allan Liska: Yeah, absolutely!

Thank you very much for kicking us off, and thank you, everyone, for attending today.

So, I want to start with what we’re looking at, in terms of the biggest attacks that we’re seeing against e-commerce and retail sites over the last six months.

So the big sort of headline-grabber, and the reason that it’s in the title of the webinar today, is Magecart, which has hit a lot of major retailers. Whether that’s through actual vulnerabilities in the retail site, or whether it’s through targeted campaigns, there’s been a whole lot of different groups. And there have been a whole lot of different methods of attack, and unfortunately, they’ve been very prolific.

The second thing we’re seeing is a rise in DDoS attacks against e-commerce and retail sites. So we have [Amazon Web Services] halting the largest DDoS attack ever recorded; GameStop getting hit with DDoS attacks; etc.

So it seems like every major retailer has had a problem with DDoS. And we now have the problem of DDoS extortion, similar to ransomware, where the attackers threaten to release your data unless you pay them $250,000 in Bitcoin. That’s a big problem.

And then, we also have the problem of retail and e-commerce sites being used as phishing lures. Now that’s been a problem for the largest brands. So, Apple has been used, Amazon has been used, Yahoo and Netflix have been used as phishing lures.

But we’re seeing a change in the capabilities of these phishing-lure campaigns where the attackers are very adaptable to what’s going on in the world. And we’ll talk a little bit about that.

So Magecart is used as an identifier for multiple threat actors. It’s not just one team behind Magecart. There are multiple of them. And basically, what Magecart is, is a JavaScript-based card skimmer.

So, you load that up onto a website. You intercept somebody trying to buy something on the store, and you steal their credit-card information. There are dozens of different groups that Recorded Future has been tracking, and they’ve hit thousands and thousands of websites. So right now, it’s one of the biggest threats to e-commerce sites. In September we saw, over a weekend, 2,000 sites get hit by the exploitation of a single vulnerability.

This is a great graphic that I pulled from Security Affairs to show kind of how it works.

What you have is, you have an e-commerce site, and then an actor will get in, [maybe] through an exploitation. They’re using known vulnerabilities that have public exploits, that have been out for a while. They’ll exploit those, top-load their code, or they’ll go buy advertising on certain websites through the banner ads, and they’ll use that and load that in the banner ad itself.

So basically, what happens is the victim gets hit. Then their credit-card and other information is stolen. The attacker then goes and uses that to buy merchandise and other things. The shipment goes to an Eastern European buyer, and the attacker winds up getting the money. It’s a long, complicated process, but it’s been very profitable for a lot of these attackers.

It’s been relatively safe as a means of attack without detection.

So while Magecart is one of the biggest threats, the other things that we want to focus on are the DDoS attacks and the phishing lures.

I’m gonna let Matt, who has way more information, talk about DDoS attacks. They are on the rise and they’ve taken out some of the larger sites, at least temporarily. And again, we’re seeing a rise in retail DDoS extortion. And we expect to continue to see more of that as it gets easier and easier to launch these DDoS attacks.

Every time a botnet gets taken down, another one pops up or it just reforms itself. We saw it with TrickBot, which is generally not used for DDoS attacks. But it was temporarily disrupted and immediately came right back online with backup infrastructure. So, unfortunately, disrupting these botnets is, at best, a temporary solution. They continue to pop back up.

But again, when we talk about retail organizations being increasingly used as phishing lures, one of the things we saw during the pandemic is a quick adaptation depending on what the current news stories were.

So for the first time ever, we saw grocery stores being used for phishing. So you get an ad purported to come from a national grocery store chain, but in fact, it was a phishing attack.

Same thing with food-delivery services. We saw a huge uptick in fake domains being registered. Domains being registered for places like DoorDash, Uber Eats, things like that.

And we saw that there was an awfully bad attempt to get people to click on to buy toilet paper. So we saw even toilet-paper companies get impersonated as part of these attacks.

So, as things continue to evolve, and especially heading into the season, we normally expect the luxury brands to be impersonated, we see a lot of that with like Rolex and Porsche, and Mercedes, et cetera. As phishing actors get more sophisticated, they’re moving downstream and they’re moving to very specific verticals that people aren’t necessarily expecting to be used as phishing lures. And we expect that trend to continue. So, unfortunately, it’s something that’s not going away.

Matt Wilson: Yeah, hi, everybody.

So DDoS really falls into two different aspects. You think about it in two different ways. One is about protecting your infrastructure.

And that’s really the idea that having a website that’s up, is actually really critical obviously. So, you know, if your website’s not up, everything else kinda doesn’t matter from a retail perspective.

So we’ve seen for years that DDoS has been used for a lot of different reasons. It’s being used currently in political ways, you know, taking down political dissidents, targeting our nation states.

In the case of things like the invasion of Georgia, and some other places, they saw a lot of DDoS attacks preempting that. Also, you see a lot of people, just sort of angry and wanting to take somebody offline.

But then you’ve also seen a lot where you’ve had both anti-competitive types of threats where someone wants to take down a competition that might exist in another area.

But increasingly, what it’s come back to here recently is the idea of extortion attacks. We’ve seen a huge uptick in this. It never really went away.

We’ve always had a lot of customers who have come under extortion attacks, but they tended to be, as Allan mentioned, in specific industry verticals, against high-profile brands, things like that.

So, increasingly, starting back in August, you started to see a lot more extortion attacks, including a big campaign of different groups going after financial and travel companies, and they’ve since morphed. And I think you’ve seen a transition from just focusing on high profiles — large banks, things along those lines — and now they’re starting to go after what are traditionally less high-profile, less-lucrative types of businesses, in healthcare, regional banks, insurance providers, even things like personal care products.

It’s started to evolve, and the threat landscape has really evolved, particularly in the last year. So we’ve seen kind of two real things happen.

One is, new people beginning to get threatened and attacked. These aren’t traditional types of targets, who might not be what you would consider to be high-risk. So they may be less likely to have protection in place. So maybe they’re a little more likely to pay out a ransomware, but then they’ve also sort of moved down the stack.

And so you’ve seen things where, instead of just trying to take down networks, [bad actors] try to take on applications.

And I don’t just see one type of attack. For instance, some of these extortion attacks, there’s about six or seven different vectors that are commonly used as part of these attacks. Typically it’s not one, they don’t simply send one vector. They’ll send multiple vectors. So having one type of protection really doesn’t work anymore.

You need to be able to have defense in depth. So, it starts at the network level.

Being able to absorb the big bandwidth attacks leaves you to be able to put your resources into more specific, more targeted types of attacks on your end.

Like I said, this is what we’ve seen a lot of, is…extortion attacks, but you’ve seen them as part of phishing campaigns with the idea being that the DDoS attack is very much a diversionary tactic.

They hit the news. They’re big. We talk about things like, you know, the largest attacks out there being in the two terabits per second type of range. And they’re all big, really big. And they’re very scary looking.

However, the real damage can come behind the scenes, and I equate it to walking down the street and someone comes up and punches you in the face. Meanwhile, someone else is picking your pocket, while you’re worried about your face. And that’s very much where DDoS falls into that threat landscape.

Oftentimes, it’s not just a matter of if you’re going to be in an attack; having a plan is very important.

One of the biggest parts of [defending against] a DDoS attack is simply limiting your attack surface.

You have applications that are open to the web, being able to limit that down to the ports and protocols and applications that are most important to you, because, a lot of times the attackers can block them and prevent them hitting the other types of services – the other things that I’m not using upstream. I can prevent them from hitting that and I can narrow it down.

They’re not going to attack something that they can’t reach, because they can’t reach it. So, it’s not effective. And so, they will move on to another target. But then, the other big thing is having the visibility.

I can’t tell you how often customers come to us, and they didn’t really have any idea of what their actual traffic looks like, whether it’s in terms of bits per second or packets per second, or, even if you’re talking about application layer transactions, what’s normal for me, how many queries are coming in and hitting my web server?

Having these types of numbers and having this type of visibility is very important to understand what’s abnormal, what’s different.

So, moving forward at the application level, really, it comes down to two things: Are you putting a WAF in place? So if you put WAFs in place to protect your application, there are two different ways of doing that protection.

You have the negative security model, so as Allan mentioned, this is about being able to protect against the known bad.

So when bad guys are using commonly available exploits, they’re able to do that because people aren’t patching, and people aren’t paying attention. And they don’t know that they’re vulnerable to this.

Having something like bot management, where you’re trying to identify what is good and what is bad and get rid of the very common stuff, you can get rid of known bad.

Not everybody can patch; not everybody even knows they need to patch. So being able to have a service upstream from you, that can simply narrow down that threat landscape, is actually very important.

Those are some of the very main drivers behind having something like a web app firewall in front of your applications. And then also, it can adapt.

So as your application changes, as developers roll out new things, like, hey, I can adjust what my settings are. And there are things to do with automatic learning and relaxation rules. If I think it’s alerting too much, it’ll automatically scale back or give me recommendations on that.

And the next layer on top of that is bot management. And so having the bot management behind it, it’s going to be able to identify what is a legitimate user versus a not-legitimate user.

So you know, IP addresses, or users or clients are coming to your website — being able to look at this and say, “you know, there’s kinda like very basic bot and then there’s very, very advanced.”

You know, being able to narrow down what the threat is increasing or decreasing, as it continues to do and being able to focus your resources on the threats that are not the very basic ones — not the kind of the big ones — but the very detailed, fine-tuned ones.

And so with that, I’ll pass it to Robert.

Becky Bracken: Thanks Matt. Now, I’d like to introduce Robert. He is going to talk about internal operations, how emerging threats look from inside the organization, and provide some really interesting information on it.

Robert Capps: Cool. So, it’s sort of an inside view out, one of the things we talk about here in regards to application-layer threats, is it does require defense-in-depth strategy, and we’ll get into that in a minute.

But one thing that most people don’t quite understand is that about one in three interactions on your web applications or API endpoints today were malicious in the first half of 2020. And that’s average.

Some industries have much higher percentages of suspicious or bad traffic and others much lower. In the financial area, financial institutions, in general, most institutions are seeing about 10 bad logins for every one good one.

So, if you think about the impact that’s having on your business, and on the infrastructure that’s required to manage those bad transactions.

Whether they are servers, the data center, additional virtual machines in the cloud, your services, plus the staff required to manage all that.

For every one good customer login, you’ve got 10 bad ones that are occurring, trying to test credentials that have been stolen through phishing, or malware, or intrusion, or what have you. And of those attack volumes, 1.4 percent of them are going to be good.

So if you think about a million credentials being verified, which is a small number these days, with the data breaches that are out there, 1.4 percent of those million attempts will be good customer credentials that work on your website.

If you think about your fraud teams, you think about your operations, how would you manage resetting those customers? How would you manage understanding the true impact that that, that credential verification attack is going to have on your business?

Automated bot activity against financial institutions is huge.

But what’s even bigger, is 96 percent of what we’re seeing now is advanced human-emulating techniques in order to evade detection. And this is after we’ve seen all of the other fraud tools, the other protections and the infrastructure protect. You know, the login page. And if you think about, you know, you’ve got your WAFs out there, you’ve got your CDNs, content distribution networks.

You’ve got all these different organizations and different products and services that are out there trying to avoid that very basic automation.

And most of the browsers are now moving into the advanced human emulating. So let’s go into the next slide and talk a little bit about what that means.

So there’s been this huge evolution over time. You know, we had good humans logging in. You typically saw them coming from similar IPs each time and with a low volume of transactions. Reputations for those IPs were generally good. There wasn’t a history of fraud or anything else involved.

Device IDs were definitely being generated, and often they linked back to the same consumer time and time again. So you had good reputation to rely upon when those humans loaded up your login page or a page in your application, that page rendered in the browser and the scripts that are associated with it. The graphics, they all loaded, they executed as well and information is collected and generated. And there’s a real consumer interaction that occurs at that point. Now, when the customer starts navigating around the site, they’re doing so in a way that is appropriate for a human. They don’t necessarily have millisecond delays between page loads. They load the page, they look at the page, they look for the right button to push, to go to the next step.

When we look at input velocity, we see mouse movement. We see keystroke input that is very human-like. You know, it’s not 10 milliseconds per keystroke, or the data’s not being posted into the entire page, all at once. You’re seeing what would be normal for moving your hand. Say, if you want to type my name from the R, to the O, to the B, to the E, R and T.

There’s a dwell time between those keystrokes that looks humanlike.

And all the data matched, when you look at the endpoint, the client data that’s submitted versus what the server is observing on the network, everything seems to line up. And in the end, in the situation, where you needed to intervene in the transaction, where you needed to send something as simple as a captcha or as advanced as a two-factor challenge.

Those humans are able to solve those.

And then we saw automation, right? And so, when we talk about basic bot activity, we’re seeing, you know, high volumes of transactions coming from an IP. You’re seeing the reputation of those IPs being poor because they’re sending a lot of bad login transactions. They’re hitting you with a whole lot of volume.

They’re not generating device IDs. There’s no actual client present. It’s a script sitting on a server somewhere, that’s just sending transaction post after transaction post. And then, of course, because they’re doing that, there’s no rendering and no completion of any content that’s on the page.

Good news is that basic bots really don’t have the ability to complete interventions or challenges. And so many of those, even things as simple as CAPTCHAs, can still be very effective against these basic, automated techniques.

Then we get into advanced bots. This is the evolution of the threat after organizations deployed things like web application firewalls, and content distribution networks, and throttling and even infrastructure within their own data centers to stop automation.

Basic automation, we’ve seen that the authors of the scripts providing automation technologies are starting to make their products more intelligent.

They rotate through a much lower number of transactions per IP address. The IP reputations tend to be good. They tend to be seeded into home, cable-modem and DSL networks and such like that, even wireless connections, versus coming from the cloud or a data center. They are creating valid device IDs, though they have no reputation. They look like new devices.

They’re rendering pages probably using a headless browser, headless engine for automation. They’re loading scripts. They’re executing the scripts that normal interactions [will cause].

But here’s where it gets really interesting.

They still can manage things like humanlike navigation, velocity and input. But computers are still very different, and emulating human behavior is hard.

Either they’re going to follow a script and use similar timing every single time as they go from page to page; or they’re going to introduce randomness into those interactions. So some interactions may be 20 milliseconds, some may be 80 milliseconds.

But what’s going to happen is, as you observe real human behaviors, you’re going to see very standardized sets of data. You know, human interactions tend to line up in regards to how fast people type, how fast people navigate.

That randomization of data stands out very, very clearly against those human patterns.

And so even these advanced technologies are being caught up in automation detection techniques and they still can’t deal with interventions.

And so what we’ve seen now is a move to a hybrid blending of human and automation. Automation takes the heavy lifting of sending all the transactions and when those transactions are intercepted by anti-bot technology or by other fraud or risk systems, those interventions that are served up and those transactions are sent to another human somewhere else on the planet. In fact, we saw a boutique financial institution firm where they were seeing 100-plus thousand transactions a day that exhibited this exact pattern.

Looking at transactions at the surface, some randomized data and randomized wait states resulted in an intervention on most of those transactions.

And those interventions are rendered on a computer somewhere else in the world that had additional data associated with it that we could identify it was not the original device. And so that got to be a very, very interesting technique, because it showed a continued evolution of the attackers to find ways around the cybersecurity and anti-fraud solutions that are in place across the industry.

Becky Bracken: And I think this is a good time to turn to our poll. It was kind of an interesting mix: 6 percent of you are concerned about DDoS attacks and presence of automation; 19 percent are concerned about advanced persistent threats; 25 percent are concerned about data breach; but 44 percent of you are worried about Magecart.

And so let’s maybe take a minute to go around with our panelists and talk a little bit more about where Magecart attacks are first visible and early mitigation, and what will alert retailers quickly that they are under attack.

Can we start with Allan?

Allan Liska: Sure, I think that’s one of the big things. Part of that layered protection is then that understanding which attackers are coming after you.

But I think even before that, and this is boring, but I say this all the time: In 25 years in the industry, we still haven’t gotten it right.

Vulnerability management is a big thing for protecting against major attacks. You need to know what vulnerabilities you have exposed on your e-commerce site, on your retail site. And you need to make sure you’re patching those regularly, especially as we get closer to the holiday, and a lot of sites shut down, and don’t want to allow code updates, et cetera.

You need to make sure everything’s fully patched. So again, part of that layered protection starts with good vulnerability management. You want to have rules in place on your WAF that are looking for this kind of activity. Certainly, you want to be alerted if there is any known activity coming out of your e-commerce site. And then ways of scanning for any ads that may be on your site, looking for malicious code that’s embedded in those ads themselves.

So, that’s a way to start.

Matt Wilson: Yeah, so I mean, I would double down on the vulnerability patching. Obviously, that’s where a lot of this stuff starts: Having a site that is up-to-date.

But not everybody can patch, right? Like not everybody is able to, if it’s legacy code — there’s still legacy code written in the sixties, still out in places. Simply because it can’t be patched, it can’t be updated, and, you know, you’re going to break a lot of things if you do it. So hopefully people aren’t quite that extreme and running things on 40-year-old code.

But, you know, even then as applications become more and more complex, your ability just to go and make changes and fully test all the follow-on kind of problems, it can be problematic. I’d also say just simply have good visibility into your platform.

Understanding what traffic is normal, when it goes abnormal: What is the application doing behind the scenes and having metrics internally that you can use to monitor that and identify what is looking like, not even necessarily malicious behavior, but aberrant behavior. Understanding normal and being able to identify what is abnormal.

Becky Bracken: OK, so, back to patching, we got a really good question on this and I want to get this in here while we’re on the topic. Chris Brown mentioned you can only patch what you control. Most major attacks are conducted by compromising third-party code. You can’t patch code you don’t own. What do we say to that?

Robert Capps: Be careful what code you deploy on your website.

So, you know, a lot of what’s going on here is that libraries, free libraries, plugins that are available in some of these e-commerce platforms, have questionable security practices, or maybe haven’t been vetted in a period of time since they were deployed, and new vulnerabilities are found. You just need to find a way, as a retailer, you have to find a way to understand how to protect your site.

And you have to be responsible for making sure you have the right products and services out there, and minimizing the number of things that you employ, so you have fewer things to review. You know, I’ve been on the small-merchant side where you want to use all the greatest technology out there to make your storefront look good. But it becomes a nightmare to manage, and so simplicity is best and, you know, be careful with the technology you deploy. Just because it’s available doesn’t mean it’s safe for your customers.

Becky Bracken: What about Allan or Matt, do you have anything else to add to that?

Allan Liska: Yeah. One of the things that I tell people is, that’s absolutely true, especially if you’re using a lot of third-party code installed on your site.

The organization is contracting with that third party. Do you have the ability to say, “Hey, what are your review processes?” Understand the review process. Make sure they are reviewing the code, and, if not, look for alternatives, that you have more faith in their ability to actually review the code and so on. I think that that’s kind of a big part of it. And it puts a lot more work on you.

Unfortunately, if there is a compromise on your site, your customers aren’t necessarily going to want to hear about third-party code. They’re going to want answers from you about how you’re going to fix it.

Becky Bracken: Moving on to our second-most terrifying threat, which are data breaches for our audience.

So, maybe we can go around and talk specifically about data breaches and beyond the patching and the normal sort of hygiene stuff, what should retailers be looking out for?

Let’s start with Robert.

Robert Capps: So I know when it comes to data breaches, we have to recognize that most consumer data has been breached in some way, shape or form, and the cybercriminals have assembled a lot of this data together in larger datasets that are the sum of the parts of many breaches. And so, everything we’re doing from a retail perspective, I think we’re doing from a financial-services perspective to manage the security of consumers. It needs to be with a lens of most of this data has already been compromised.

So, when we look at things like two-factor authentication, when we look at things like how do you authenticate a new user, you have to come from a perspective of, what can I do to effectively protect this transaction that’s coming to be, so that only the good, legitimate consumer is the one that can take this action?

And you know, that’s the whole defense-in-depth strategy. Again, it’s not just dealing with the stolen data, but also going to the top of the funnel and dealing with how it’s used and how it’s validated.

Account takeover attacks are a real problem for all industries right now, because the cybercriminals have figured out that username and password data stolen from one website is useful broadly across many, many, many different organizations, because consumers are notoriously bad at maintaining individual usernames and passwords for each site they interact with.

And it’s just a huge problem of abuse of that data. And so, anything we can do to minimize the usefulness of stolen data will directly impact the number of breaches and the scale of breaches, because data that is useless, no one’s going to bother to steal. And so, we need to focus on how do we operate in the face of massive data breaches, and that has to be the design criteria for a lot of the new techniques.

Matt Wilson: Yeah, I think along the same lines, you have to be able to trust, but verify.

Understanding that you’re driving your consumers to have good passwords. If they have not logged in for a while, or if they’ve been part of a breach, you could potentially ask them to reset things.

As Robert said, people are bad about re-using the exact same password everywhere, because it’s easy to remember. So…being able to use other data, use threat intelligence, to try to identify what is the reputation of that user, what is the reputation of that device.

Meshing together if the person’s credit card has this address, but they’re trying to ship to this address. A lot of these things should be raising red flags with folks.

Becky Bracken: OK, well Allan, what are you seeing? Do you have a best practice suggestion?

Allan Liska: So I think that both Matt and Robert hit on the big ones.

You know, we really need to look at making sure (as painful as it often is for consumers who don’t like it) that everybody has a unique password and that they’re not re-using passwords. There are a lot of really good plugins that retailers can use to check to make sure that they’re not allowing somebody to log in with, or create an account with, compromised credentials.

And I realize that you run the risk by making it more difficult for them to create an account that they just won’t buy from you, but ultimately, you’re doing it for their safety. User-behavior analytics has been there, has become much more popular inside of corporate networks. Some of those same principles can apply to e-commerce and retail sites. So that’s a big thing.

The other thing is, we’re seeing a big uptick in loyalty-card dumps on the dark web. Turns out that there’s some value in those. So, if you are a brand that has loyalty cards, monitor for large dumps of your loyalty cards.

Becky Bracken: Are they mapping it for purchases?

Allan Liska: A lot of times, yes. If you think about it, airline loyalty points are where the money is. I mean, I haven’t traveled anywhere for a while, but I’ve got a whole lot of United points that if somebody were to get ahold of and get the rest of my identity to match it up with, they could convert it into a product, or, you know, take some trips or whatever.

So that can be valuable. We see that with a lot of grocery stores where they’re now taking those points and they’re using them not just for free gas, but actual merchandise or gift cards or whatever.

So those points can wind up being valuable, especially if they can be converted to other things that are easily transferable, you know, across different underground marketplaces.

Robert Capps: Yeah, loyalty programs are a source of a lot of automated activity, as well.

We had a client that had the ability for you to take your receipt home and sign up for a loyalty program, and have that receipt applied to your account, based on random digits at the bottom of the receipt. And those random digits weren’t random.

Someone figured out the patterns and started running tens of thousands of these receipt combinations through an automated checker, to add the residual value that was unclaimed on those transactions to a given set of rewards accounts. And they were buying product, and fulfilling on eBay, Amazon and other online-order systems.

In a lot of cases, you know, there’s millions of dollars going out the door, and the marketing teams are all cheering it on because they see so much success in that program.

Becky Bracken: Well, I think the takeaway here is never underestimate the creativity of criminals. They’re pretty good at that. All right. Well, I think that’s about all we have time for today.

I want to thank our panelists again: Allan, Robert and Matt. You guys gave us some great information on some pretty breaking stuff, and stuff that is important for a growing number of retailers.

But I also want to thank our attendees for taking the time to spend a little time with us and learn about retail e-commerce security.

Please, check out Threatpost’s archive of previous webinars. It’s a great source of information. And also, please, come back and check out our daily coverage.

