The Holiday Shopping Season’s Retail Security Reality
Ranking Retail Security: Web Applications & Legacy Systems Are Weak
Black Friday and Cyber Monday are almost here.
Earlier this week, we released our 2015 Retail & eCommerce Security Report, which examines security risk trends and problem areas within the top and bottom 10% of a set of roughly 200 retail companies. Retail ranks seventh out of the 18 primary industries.
“[Poor] patching and weak application security were two of the underlying themes across all retailers, weak and strong,” said our CEO and co-founder, Dr. Aleksandr Yampolskiy, in an interview for the Dark Reading article “Cyber Monday: What Retailers & Shoppers Should Watch For”.
We also spent part of the report dissecting common ‘carding’ practices used by criminals. Carding is the unauthorized use of stolen credit card account information to fraudulently purchase goods and services. We did this by pulling data from our Hacker Chatter module, one of ten categories and factors featured in our security risk benchmarking platform, which automatically detects when company information shows up in these ‘dark web’ forums. Here is an example of a ‘cardable’ forum where stolen credit cards have been validated as working by carders:
Outsourcing of Gift Cards Proves Valuable to Retail Security Risk
Additionally, we looked closely at a technique retailers are employing to offset the risk of gift card fraud: using an outsourced processing service. Gift cards are heavily used by fraudsters during the holiday shopping season, who buy gift cards with stolen credit cards and then use those gift cards to buy other merchandise. We did this by diving into specific chatter among fraudsters.
Over the course of the last few years there has been a migration of critical business services to third parties. This trend has allowed businesses to save substantial sums through the outsourcing of labor intensive tasks with high overhead to firms that specialize in that single endeavor. This migration also allows enterprises to outsource the risk involved with managing the sensitive information involved in these tasks, creating a game of ‘hot potato’ with sensitive customer data.
In the industry vertical of eCommerce, the majority of gift card processing has been entrusted to CashStar.com. Retailers have moved to CashStar as a way to outsource the risk associated with gift card processing. Online gift card purchases have been a headache for retailers for years, as gift cards are a convenient pathway for the monetization of stolen credit cards. Carders will buy gift cards with hacked credit cards, and either resell the cards directly or make purchases for resale before the gift card code is killed for fraud.
Hacker chatter captured by SecurityScorecard’s ThreatMarket™ platform shows malicious actors are having difficulty monetizing stolen credit cards through gift cards that are processed by CashStar. The screenshot below is from a carding forum where a user is complaining about another forum member. The complainant says that a ‘kid’ on the forum is claiming to be able to refill gift cards for a reduced fee, only to come back after a period of time saying the attempt had failed. The complainant’s explanation for why the attempts fail is that the targets are using CashStar. Retailers using CashStar should be pleased that offloading this risk is paying off.
The Holiday Season and the Retail Security Reality
During the busiest holiday shopping cycles, such as Black Friday and Cyber Monday, fraud levels at retailers, both in-store and online, are known to rise. The Retail Cyber Intelligence Sharing Center describes in a recent paper, “Preparing for the 2015 Holiday Hacking Season”, how the volume of sales and activity forces retailers to accept a level of insecurity in order to maximize revenue while simultaneously dealing with fraud:
Retailers see much higher volume peaks, especially at sale times, both in stores and online. This makes it harder to detect anomalous traffic, and it’s impractical to block IP ranges based on geography, because online sales can be global. Downtime is expensive, but especially so at this time of year. Retail staff is motivated and focused on sales, at the risk of possibly allowing fraudulent transactions or other types of breaches.
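The point above, that peak volume makes anomalous traffic harder to spot with fixed thresholds, can be made concrete. The following is an added example, not code from the report or from R-CISC: it runs two detectors over constructed authorization log lines. A naive site-wide count of declined authorizations, tuned for a normal day, fires as soon as a surge of legitimate shoppers arrives, while a per-source decline ratio combined with the number of distinct card BINs tried still isolates the one source behaving like a card tester (the forum activity of validating stolen cards as "working" described earlier). The log format, IP addresses, BINs, thresholds and function names are all assumptions made for illustration.

```python
"""Added example (not from the SecurityScorecard report): contrast an
absolute decline-count alert with a per-source decline-ratio detector
for card testing, on constructed authorization log lines."""
from collections import defaultdict

# Constructed sample log: "timestamp source_ip card_bin result".
# 203.0.113.7 cycles through many cards and is mostly declined (card testing);
# 198.51.100.4 is a shopper retrying one card; the rest are single purchases.
SAMPLE_AUTH_LOG = """\
2015-11-27T09:00:01 203.0.113.7 411111 DECLINED
2015-11-27T09:00:02 203.0.113.7 522222 DECLINED
2015-11-27T09:00:02 203.0.113.7 371449 DECLINED
2015-11-27T09:00:03 203.0.113.7 601100 APPROVED
2015-11-27T09:00:04 203.0.113.7 453201 DECLINED
2015-11-27T09:00:04 203.0.113.7 510510 DECLINED
2015-11-27T09:00:05 198.51.100.4 411111 APPROVED
2015-11-27T09:00:05 198.51.100.9 522222 APPROVED
2015-11-27T09:00:06 198.51.100.4 411111 DECLINED
2015-11-27T09:00:06 198.51.100.12 453201 APPROVED
2015-11-27T09:00:07 198.51.100.4 411111 APPROVED
2015-11-27T09:00:07 198.51.100.20 601100 APPROVED
"""

# Illustrative thresholds (assumptions, not values from the report).
MIN_ATTEMPTS = 5        # too few attempts to judge a source
DECLINE_RATIO = 0.6     # fraction of declines that looks like card testing
MIN_DISTINCT_BINS = 3   # testers cycle through many different cards


def parse_auth_log(text):
    """Parse 'timestamp ip bin result' lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, card_bin, result = parts
        records.append({"ts": ts, "ip": ip, "bin": card_bin, "result": result.upper()})
    return records


def score_sources(records):
    """Per source IP: number of attempts, declines, and distinct BINs tried."""
    stats = defaultdict(lambda: {"attempts": 0, "declines": 0, "bins": set()})
    for r in records:
        s = stats[r["ip"]]
        s["attempts"] += 1
        s["bins"].add(r["bin"])
        if r["result"] == "DECLINED":
            s["declines"] += 1
    return stats


def flag_card_testers(text, min_attempts=MIN_ATTEMPTS,
                      decline_ratio=DECLINE_RATIO, min_bins=MIN_DISTINCT_BINS):
    """Return source IPs whose decline ratio and BIN spread look like card testing.
    The ratio is per source, so site-wide volume does not move it."""
    flagged = []
    for ip, s in sorted(score_sources(parse_auth_log(text)).items()):
        if s["attempts"] < min_attempts:
            continue
        ratio = s["declines"] / s["attempts"]
        if ratio >= decline_ratio and len(s["bins"]) >= min_bins:
            flagged.append(ip)
    return flagged


def naive_site_wide_alert(text, max_declines=8):
    """Absolute-count rule tuned for a quiet day: fires once site-wide declines
    exceed max_declines, regardless of how much legitimate traffic there is."""
    declines = sum(1 for r in parse_auth_log(text) if r["result"] == "DECLINED")
    return declines > max_declines


def with_sale_surge(text, shoppers, decline_every=20):
    """Append `shoppers` constructed legitimate purchases from 192.0.2.0/24 to
    simulate a Black Friday peak; one in `decline_every` is declined, as
    ordinary shoppers sometimes are (insufficient funds, typos)."""
    lines = [text.rstrip("\n")]
    for i in range(shoppers):
        result = "DECLINED" if i % decline_every == 0 else "APPROVED"
        lines.append(f"2015-11-27T09:{(i // 60) % 60:02d}:{i % 60:02d} "
                     f"192.0.2.{i % 254 + 1} 411111 {result}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    surged = with_sale_surge(SAMPLE_AUTH_LOG, 400)
    print("quiet day  - naive alert:", naive_site_wide_alert(SAMPLE_AUTH_LOG),
          "| per-source:", flag_card_testers(SAMPLE_AUTH_LOG))
    print("sale surge - naive alert:", naive_site_wide_alert(surged),
          "| per-source:", flag_card_testers(surged))
```

On the quiet-day sample the naive rule stays silent and the per-source detector flags only 203.0.113.7. After appending 400 constructed legitimate purchases the naive rule trips on the background decline rate alone, exactly the false-positive pressure the R-CISC paper describes, while the per-source result is unchanged. Neither detector needs geographic IP blocking, which the paper notes is impractical for global online sales.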
This business reality, however, can be at real odds with the protection of customer data, and with the negative perception retailers suffer after data breaches and major customer credit card exposure at this time of year. We wish everyone a safe and Happy Thanksgiving, and a happy, secure shopping season.