Online retailers are already well aware of the existing threats to their customers’ private data and their own networks—but executives at last month’s RSA Conference in San Francisco offered a peek at the emerging threats that are increasingly affecting internet shopping and internet retailers.
High-tech industry heavy-hitters including Microsoft Corp. president Brad Smith and Alphabet chairman (and former Google CEO) Eric Schmidt, alongside dozens of information security experts, opined about the growing influence of ransomware, IP-connected sensors and devices (often dubbed the “internet of things” or IoT) and the increasing implementation of machine learning or artificial intelligence (AI) on all public and private sectors, including e-commerce.
“We’re dealing with a growing problem in need of new solutions,” Microsoft’s Smith said about mounting cybersecurity concerns, during his opening keynote speech. “This is a different kind of battlefield than we have ever seen before.”
Indeed, virtually all the presenters and many attendees at the RSA cybersecurity event spoke passionately about the need to stem the growing tide of online hacks and breaches, as increasingly sophisticated cybercrime rings, terrorist organizations and even nation-states use the same technologies that are enabling broader and better internet use for their own nefarious purposes. “We are in the fight of our digital lives and we are not winning,” said fellow keynote speaker and U.S. Rep. Michael McCaul, R-Texas. “Nation-states are using these tools… and web-based warfare is becoming incredibly personal.”
Online retailers represent a sizable and appealing target for popular ransomware scams—where hackers gain control of and encrypt a company’s data or systems and hold it hostage to extort money. In fact, researchers last year found that cyber-criminals had developed a specific type of ransomware, dubbed “KimcilWare,” that was aimed specifically at 200,000 sites using the Magento Inc. e-commerce platform.
Why online retail? With e-commerce sales projected to rise to an eye-popping $3.5 trillion globally within the next five years, according to a March 2016 report from the Aite Group, “the risk/reward ratio is substantial. Cybercriminals follow the money wherever it goes.” Also, as stores move to accept chip-based cards in the United States, more fraud is transitioning to card-not-present transactions, which often happen online.
Another emerging concern for internet retailers is the threat of account takeover as a result of password breaches, according to “Web Threat Detection Trends in E-Commerce: A Guide to Improve Fraud Detection and Investigation,” an RSA Security report released at the conference. More than three billion user accounts across many popular websites were compromised last year, the report found. And, with the practice of password reuse so common among online customers, online stores are open to the risk of credential replay attacks that result in fraud, research found.
In the face of overwhelming odds and new tools that widen the potential attack vectors and make breaches easier to perpetrate, experts say online retailers can take steps to mitigate their risk of attack, and the impact of these attacks when they happen. One tool that internet retailers may want to consider for their own cybersecurity arsenal is the nascent arena of web behavior analytics, according to RSA Security. Only 17% of online retail respondents in the recent RSA Security research say they are familiar with how web behavior analytics can be used to improve fraud investigation.
But this technology is “rapidly gaining attention for its ability to identify suspicious behavior patterns outside what is typical for a majority of visitors to a website,” the report found. For example, online behavior analytics can indicate how users navigate an e-commerce site from page to page, whether usage times comport to other “normal” user sessions, if a user’s page transitions, click-times and frequency of clicks by page occur outside of normal behavior.
By isolating variances like these, the report concluded, “Web behavior analytics can interpret and project them to demonstrate that some level of fraud may be occurring.” Like other RSA conference presenters, Microsoft’s Smith also called out the need to “harness the power of data” to provide advanced threat protection.
Tim Dalgleish, fraud and risk professional with RSA Security, recently blogged about how internet retailers can manage the progressively prevalent problem of card-not-present fraud and online data compromise. “Credit card numbers are everywhere,” Dalgleish said. “Large-scale data compromises mean that stolen credit card numbers can be bought in the cyber underground for as little as $1 per card.”
Like most risk management scenarios, “there is no silver bullet and a multiverlayered control approach is required,” he said. But there are a few steps internet retailers can take to stem the growing risks. First off, online stores should opt to replace storing customers’ credit card numbers with a unique value, or “token” as it is called in data security parlance, which cannot be used elsewhere, he advised. “The momentum for card tokenization is starting to build and has great potential as a partial solution,” he wrote.
He also advised improving shopper authentication with protocols such as Verified by Visa and MasterCard SecureCode. With Verified by Visa and MasterCard SecureCode, consumers set up an account with their card-issuer and create a code they enter at checkout to verify their identity. “The protocol itself is actually very powerful and effective in reducing online fraud,” Dalgleish said. “When implemented via a risk-based, dynamic authentication approach, it becomes even more successful.”
Favorite