Ido Safruti, co-founder and chief technology officer, PerimeterX
What cyber threats should retailers worry about? Attacks on web applications, loyalty point thefts and digital skimming are all exploding. These are a few of the key findings from the 2019 Verizon Data Breach Investigations Report(DBIR)
The well-respected report, released recently, helps companies understand new risks and mitigate rising threats. Attack trends highlighted in the DBIR Report are increasingly targeting and affecting retailers. Here are three key takeaways for retailers from the latest Verizon report.
Web Applications Are the Most Common Attack Vector
The biggest threat to retailers, in terms of volume, severity, and damages, is attacks on vulnerable web applications. The DBIR found that there was a large uptick in web application breaches from 5% of all breaches in 2014 to 63% in 2018, and a similar decrease in attacks on Point-of-Sale (POS) systems over the same period (from 63% in 2014 to 6% in 2018).
This is a dramatic swing, unusual for such a short period. According to the report, web applications represent a far greater risk to retailers than denial-of-service (DoS) or crimeware (malware that installs itself on devices to perform cybercrime). In 2018, the four most attack types against retailers, including 114 attacks in total, all targeted vulnerabilities in web applications.
Web applications are applications that deliver functionality using web protocols (http/s). The primary threat web applications face are so-called account takeover attacks (ATO) where an attacker seeks to access real user accounts using stolen password and email or login combinations. A key factor in ATOs is password reuse, which remains a huge problem. Most consumers reuse passwords across multiple sites. With this knowledge, attackers search for illegally posted or sold password and username combos on the Dark Web and then apply them against a variety of sites to hunt for matches and then take over the users’ account.
ATOs against web apps are accelerating because there are more passwords being stolen than ever before and the software required to mount automated ATO attacks is sold cheaply on the Internet.
Takeaway:With the pace and variety of attacks increasing rapidly, retailers’ security measures to safeguard web applications must keep pace.
Digital Skimming Replacing Physical Skimming
In a related trend, digital skimming is replacing physical skimming and brick-and-mortar POS terminal attacks. Skimming is where cybercriminals use a physical device or a piece of software to capture customer payment information like credit card numbers. Cybercriminals place tiny skimming devices at physical retail POS terminals, on Automated Teller Machines (ATM), and anywhere else where consumer payment data was entered in plain-text or with the use of a magnetic strip.
The report attributes the decline of physical skimming to the now widespread use of EMV chip-and-pin technology in the United States at POS terminals to secure payment. These chips make it far harder for cybercriminals to access payment data. Chip-to-terminal connections are far more secure than running a card stripe at a terminal.
As noted in the section above, attacks on web apps are growing more common as POS attacks fall. The cybercriminals are following the money and shifting from physical skimming to digital skimming. In digital skimming, cybercriminals compromise a web application and use it to capture and steal payment data online, where EMV technology isn’t applicable. A large recent example of this is the Magecart exploits, which involved malicious hackers compromising components of web applications and installing rogue elements that capture the credit card data of unsuspecting shoppers on large ecommerce sites.
The rise in skimming, which relies on more nuanced compromise of an application rather than the brute force attempts of automated ATO attacks, is causing more organizations to consider how they maintain the integrity of their code. As the DBIR Report notes, “Widespread implementation of file integrity software may not be a feasible undertaking. Adding this to your malware defenses on payment sites should be considered.”
Takeaway: This is a big deal because digital skimming is far more dangerous than physical skimming. Payment data is at risk everywhere and criminals will continue to follow the money.
Credential Theft Leading to More Account Takeovers, Spreading Beyond Payment Data
According to the DBIR Report, 29% of breaches involved stolen credentials, a percentage that is increasing. Further, criminals are looking beyond payment cards for attacks. Once they have taken over an account, they increasingly steal loyalty points for resale on the Dark Web, place false orders of goods or gift cards that can be resold online, or perpetrate warranty fraud.
Loyalty point theft is growing very quickly. Points are replacing Bitcoin as the preferred dark currency on the Dark Web for purchasing drugs, stolen goods, or accessing more stolen credentials. The automated attacks used for account takeovers can hammer websites, costing operators for extra infrastructure and harming their brand if site login pages go down.
Takeaway: Credential theft, fueled by the Dark Web, increasingly leads to automated account takeover attacks that in turn lead to huge losses for retail. These take the form of warranty fraud, unauthorized purchases, depleted gift card or loyalty point balances, and site downtime.
Conclusion: The types of attacks that retailers face are shifting rapidly to focus on eCommerce and web applications. With the rise of loyalty point theft and abuse, as well, retailers must put in place new security measures to protect their customers from this scourge.
PerimeterX provides security services for websites and mobile applications.
Favorite