Hacking the holidays: Surge in online shopping and data breaches

December 13, 2016 | Cyber Incidents | By Media Admin |
Online payment fraud is a retail risk year round, but never as much as during the holidays.

For most of us, the holidays are the season of giving. For hackers, it's the season of stealing.

Obviously, payment fraud is a risk year-round, but during the busiest shopping season of the year, retailers are receiving and storing more payment card information than ever, and hackers are eager to steal those large quantities of sensitive data. In fact, we've already seen a spike in cybercrime between Black Friday and Cyber Monday. Unfortunately, it's about to get worse. 

Research by iovation and Aite Group estimated that card-not-present fraud incidents this year will total $4 billion in loses this year, up from last year's $3.2 billion. By 2020, it's forecast to reach a whopping $7.2 billion. A graph charting the trajectory of CNP fraud and online shopping in the U.S. shows an obvious and correlative uptick.

Worse yet, the rate of online fraud is actually accelerating faster than e-commerce. And fraud rates will continue to rise unless merchants put a stop to data theft.

Cybercriminals circumvent payment protections
In response to developments in payment security such as EMV chip cards, hackers have found new ways to bypass protections and obtain sensitive financial data. 

For example, the frequent and sophisticated data breaches of the past year or so compromised hundreds of millions of accounts and facilitated a massive pouring of personal credentials onto the dark web. Cybercriminals buy and sell this stolen information to use for account takeovers and application fraud. And it's likely that more fraudsters will soon start burning through this data at increasing rates.

"As the U.S. migration to EMV progresses, the combination of continued strong growth in e-commerce, ready availability of consumer data and credentials in the underweb and disappearing counterfeit fraud opportunity will create a perfect storm that will result in a sharp rise in CNP fraud," Aite Group Research Director Julie Conroy explained.

This means that e-commerce vendors need to prevent hackers from stealing information in the first place.

"As the rate of online shopping increases, so does payment fraud and cybercrime activity."

Stealing credit info takes seconds
About 4 billion records have been stolen in the past three years alone - so it's safe to assume that just about every cardholder has had their information compromised, or soon will, because even if hackers don't already have that data, it's not too difficult for them to get it. Some only need six seconds and bit of guesswork to find someone's personal information, UK'S Newcastle University researchers recently argued in a report.

The researchers pointed to loopholes that "make it frighteningly easy" for cybercriminals to piece together bits of information from various sites to get full credit card details. These kinds of brute force hacks are called "Distributed Guess Work."

For example, not all online merchants request the same info for processing credit card transactions (all ask for the primary account number and expiration date, but only some need the security code or individuals' address). Also, there's no limit to the number of times a customer can make invalid payment requests (ushering in the ability for cybercriminals to conduct infinite attempts at guessing credentials or card numbers).

Protecting against online payment fraud
With the world of commerce moving online, merchants often pay more attention to optimizing online and mobile apps around the user experience and not enough effort on improving information security.

Now is the time for that to change.

Being at risk as the liable parties of fraudulent activity, merchants need to be double down on threat detection and risk mitigation during and after this holiday season.

There is no one single solution for information security; businesses must take a multilayered approach. The first step is investing in the latest encryption software and monitoring technology, but relying on tools alone is not enough.

When an attack does occur, an immediate response is critical for minimizing damage. Online merchants need tech teams with the skills and expertise required to prevent dtaa breaches. Unfortunately, those are the same skills that are lacking among today's InfoSec pros, especially if they don't undergo intensive, cutting-edge training.

To learn more about the areas of competency needed to prepare for ever-evolving cyberthreats, download our whitepaper.