The Top Retail Cyber Security Threats and How To Address Them
Retail IT professionals likely recall the massive TJX (TK Maxx) data breach of 2007, a harbinger of the era of rampant cybercrime. Perpetrators, from a nearby parking lot, exploited unencrypted Wi-Fi traffic between store registers and HQ servers, breaching central databases. This incident marked the onset of a distressing trend of large-scale cyber attacks plaguing our digital landscape.

Over an 18-month period from mid-2005, the hackers stole the credit card details of 94 million customers, fuelling waves of credit card fraud and turning the mass data breach from a hypothetical event into reality.
In a few days, what happened to TJX brought e-commerce face-to-face with a new type of vulnerability – data. Ironically, this was the very thing retailers had spent the previous decade gathering as fast as possible. By the time Heartland Payment Systems was breached a year later, followed in 2013 by the huge compromise of Target, it was clear that retail had become a good place to go shopping for data.
Same old story
Today, retail remains a target. Using ransomware as the measure, according to Trellix (formerly McAfee Enterprise/FireEye), retail accounted for 16% of attacks in 2021, putting it in third place behind only banking on 22% and utilities on 20%. Separately, the Sophos State of Ransomware survey found that 44% of respondents in the retail sector reported ransomware attacks during 2021, a percentage matched only by education.
Retail’s underlying vulnerability is that it has a large attack surface, one that keeps growing as e-commerce becomes the main business channel. Online commerce depends on a high volume of transactions and complex interactions that can’t easily be stopped or slowed down without hurting the business model. Ransomware gets a lot of attention these days, but e-commerce must also defend itself against retail-specific threats. These divide into two categories – routine threats which every retailer must counter daily and the less common but potentially more serious ones. These include:
Scalping bots
A diverse category of automated software that buys up items in short supply – Sony PlayStations, graphics cards, concert tickets, some sports sneakers – so they can be re-sold at inflated prices. Scalpers are clever because humans can’t compete with their speed and accuracy, leaving online retailers to serve as unwitting middlemen for a market they have lost control of. In most but not all cases, they are not even illegal despite the harm they do to consumers and the brand reputation of retailers.
Defence: not easy, because although software systems can detect and limit bot activity, these programs soon adapt.
Denial of inventory
Denial of inventory is a way of gaming e-commerce and online booking systems by holding goods in a checkout basket, stopping others from purchasing them. By the time the goods are returned to sale, time has elapsed and buyers have gone elsewhere. It is akin to a denial-of-service attack but harder to block because it exploits the online sales process itself.
Defence: denial of inventory bots imitate human mouse movements and keystrokes to evade detection by anti-bot systems. The solution is more machine learning to spot the more subtle differences between human and machine interactions.
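Alongside bot detection, the hold itself can be bounded. As an added example (not the article's own code, and not from any particular platform), the stock-reservation model below gives every basket hold a TTL and caps the units one client may hold, so tying up stock requires the bot to keep winning the race against expiry; the TTL, cap and names are assumptions.

```python
# Added example (not from the article): a stock-reservation model that caps how
# long a basket can hold an item and how many units one client may hold, so a
# "denial of inventory" bot cannot tie up stock indefinitely. Limits are assumed.
from dataclasses import dataclass, field

HOLD_TTL_SECONDS = 600       # assumed basket hold lifetime (10 minutes)
MAX_UNITS_PER_CLIENT = 2     # assumed per-client cap for a scarce SKU


@dataclass
class Hold:
    client_id: str
    qty: int
    expires_at: float


@dataclass
class ScarceItem:
    sku: str
    stock: int                               # units neither held nor sold
    holds: list = field(default_factory=list)

    def expire_holds(self, now: float) -> int:
        """Release every hold whose TTL has passed; return the units freed."""
        expired = [h for h in self.holds if h.expires_at <= now]
        self.holds = [h for h in self.holds if h.expires_at > now]
        freed = sum(h.qty for h in expired)
        self.stock += freed
        return freed

    def held_by(self, client_id: str) -> int:
        return sum(h.qty for h in self.holds if h.client_id == client_id)

    def reserve(self, client_id: str, qty: int, now: float) -> bool:
        """Place a time-limited hold; refuse if the client cap or stock is exceeded."""
        self.expire_holds(now)
        if qty <= 0 or self.held_by(client_id) + qty > MAX_UNITS_PER_CLIENT:
            return False
        if qty > self.stock:
            return False
        self.stock -= qty
        self.holds.append(Hold(client_id, qty, now + HOLD_TTL_SECONDS))
        return True

    def checkout(self, client_id: str, now: float) -> int:
        """Convert the client's live holds into a sale; return the units sold."""
        self.expire_holds(now)
        sold = self.held_by(client_id)
        self.holds = [h for h in self.holds if h.client_id != client_id]
        return sold
```

In a real deployment the "client" key would be whatever the anti-bot layer trusts (an authenticated account rather than a cookie), and expiry would run from a clock rather than a caller-supplied timestamp.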
Fake merchandise and websites
Fake products are the problem retailers suspect they might have but often can’t see because lost sales remain hidden. This issue predates e-commerce, but online commerce has made it much worse. Once, selling fakes on any scale required a shop – now anyone can copy a legitimate website.
Defence: detecting fake online channels using digital risk protection (DRP) services that monitor website domains and social media channels for illicit activity.
Carding attacks
Criminals steal credit card data and test it out by attempting to buy goods for low values. If the card is genuine, they will then attempt to buy more expensive goods. Retailers run up expensive chargebacks, which hurts profits.
Defence: a mixture of machine learning, IP reputation analysis, and browser validation (essentially trying to detect whether the browser looks like a normal agent rather than a bot simulation).
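The pattern described above, many low-value attempts from one source followed by a large charge on whichever card was approved, is visible in checkout logs before any machine learning is applied. As an added example (not from the article), the detection below runs over a constructed log slice; the log format, thresholds, card tokens and IP addresses are all assumptions.

```python
# Added example (not from the article): velocity analysis over checkout logs
# to surface the carding pattern. Format, thresholds and values are constructed.
from collections import defaultdict
from datetime import datetime

LOW_VALUE = 5.00          # assumed ceiling for a "test purchase"
MIN_DISTINCT_CARDS = 3    # assumed cards-per-source threshold
ESCALATION_RATIO = 100    # assumed: a charge this many times the probe is suspect

# Constructed sample log slice (assumed to cover one 10-minute lookback window).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 card=tok_a1 amount=1.00 result=declined
2024-05-01T10:00:04Z ip=203.0.113.7 card=tok_b2 amount=1.00 result=declined
2024-05-01T10:00:09Z ip=203.0.113.7 card=tok_c3 amount=1.50 result=approved
2024-05-01T10:01:00Z ip=198.51.100.4 card=tok_z9 amount=42.00 result=approved
2024-05-01T10:03:00Z ip=198.51.100.4 card=tok_z9 amount=3.00 result=approved
2024-05-01T10:05:00Z ip=192.0.2.9 card=tok_q7 amount=2.00 result=approved
2024-05-01T10:06:10Z ip=192.0.2.9 card=tok_q7 amount=450.00 result=approved
"""


def parse_line(line):
    # "timestamp key=value ..." -> dict with typed timestamp and amount
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["amount"] = float(rec["amount"])
    return rec


def find_carding_sources(log_text):
    """Return {ip: reason} for every source whose activity matches carding."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        probes = [r for r in recs if r["amount"] <= LOW_VALUE]
        cards = {r["card"] for r in probes}
        if len(cards) >= MIN_DISTINCT_CARDS:
            flagged[ip] = f"{len(cards)} cards probed with low-value purchases"
            continue
        # Escalation: an approved low-value probe followed by a far larger charge.
        for p in probes:
            if p["result"] == "approved" and any(
                r["card"] == p["card"] and r["ts"] > p["ts"]
                and r["amount"] >= ESCALATION_RATIO * p["amount"] for r in recs):
                flagged[ip] = f"card {p['card']} probed then charged heavily"
                break
    return flagged
```

Flagged sources are candidates for step-up checks (the IP reputation and browser validation the text mentions), not automatic blocks, since a shared NAT address can look similar.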
Account takeover (ATO) fraud
A cousin of credential stuffing, ATO fraud is a type of e-commerce attack in which criminals gain access to legitimate accounts using stolen credentials. This leads to a range of frauds, including buying goods, redeeming loyalty points, stealing credit card details, and identity fraud – or a combination of these. Another incarnation is to create fake accounts which are used to launder stolen funds into gift cards, create fake reviews, or carry out denial of inventory fraud.
Defence: ATO attacks are hard to detect without risking false positives or putting people off with artificial barriers such as CAPTCHAs. As with denial of inventory, the answer is probably more layers of machine learning to spot patterns of account creation.
Web skimming attacks
Perhaps the most feared of all, skimming attacks are a full compromise of a retailer’s checkout process. The most infamous attacks were carried out by a syndicate called Magecart in 2018, which successfully targeted Ticketmaster, British Airways, and sites using e-commerce platforms such as Magento.
Defence: a variety of hardening measures can make code injection harder, combined with proper auditing of e-commerce code and the JavaScript loaded on checkout pages.
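One concrete form of that audit is to enumerate every script a checkout page loads and compare it against policy: external scripts must come from known hosts and carry a Subresource Integrity attribute, and inline scripts must match a baseline of hashes. As an added example (not the article's code), the checker below does this over a constructed page; the allowlisted hosts, sample HTML and baseline are assumptions.

```python
# Added example (not from the article): audit of the <script> tags on a checkout
# page, a check aimed at Magecart-style injected skimmers. HTML, allowlist and
# baseline hash are constructed; ALLOWED_SCRIPT_HOSTS is an assumed policy.
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}
# Constructed page: first-party script, expected inline script, unexpected loader.
SAMPLE_HTML = """
<script src="https://cdn.example/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script>window.shop = {currency: "GBP"};</script>
<script src="https://static-metrics.invalid/m.js"></script>
"""

def sri_hash(script_body: str) -> str:
    """Subresource Integrity value (sha384-<base64 digest>) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(script_body.encode()).digest()).decode()

class ScriptCollector(HTMLParser):
    # Collects src, integrity and inline body for every <script> element.
    def __init__(self):
        super().__init__()
        self.scripts, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"src": None, "integrity": None, "body": "", **dict(attrs)}
    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None

def audit_checkout_page(page_html: str, known_inline: set) -> list:
    # Returns findings for scripts that violate the (assumed) checkout policy.
    collector = ScriptCollector()
    collector.feed(page_html)
    findings = []
    for s in collector.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname or ""
            if host not in ALLOWED_SCRIPT_HOSTS:
                findings.append(f"unexpected third-party script: {s['src']}")
            elif not s["integrity"]:
                findings.append(f"external script without integrity: {s['src']}")
        elif sri_hash(s["body"].strip()) not in known_inline:
            findings.append(f"inline script not in baseline: {s['body'].strip()[:40]}")
    return findings
```

Run against the rendered page on a schedule, the same check catches a skimmer that is injected server-side as well as one added through a compromised third-party script host.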
Conclusion
Reading this, retailers must look like sitting ducks that face being picked off even if they invest in expensive software protection. And yet in most types of e-commerce fraud, the core of the problem is a lack of control over customer accounts and how they are secured. It follows that anything that improves the security of those accounts, such as multi-factor authentication (MFA), will make fraud harder.
That, and constant vigilance: assuming the system is under attack rather than waiting for the worst to happen. Many retailers are now also moving customers towards mobile app e-commerce (which is easier to control) and stronger verification. The future of e-commerce will be based on identifying and authenticating the customer more systematically. The era of buying goods on the strength of a single login might be drawing to a close.