With Black Friday and Cyber Monday just a few short days away and the memory of the Target breach still fresh, retailers are under heavy scrutiny. Cyber-criminals will be taking advantage of heavy traffic and increased sales to launch their campaigns this shopping season, and security teams need to be alert for suspicious activity, experts warned.
Retail experts estimate this year’s shopping spending will total almost $750 billion, and the frenzy will kick off this week with Black Friday sales in stores and Cyber Monday deals online.
The majority of these sales will rely on credit card transactions, and the past year has shown that payment card data is highly vulnerable. There has been a focus on point-of-sale (PoS) systems in brick-and-mortar locations and the shift to chip-based credit cards, but e-commerce transactions remain highly vulnerable to attack.
Security teams will need to be especially proactive in monitoring their confidential data and assets for any unusual activity, said TK Keanini, CTO at Lancope.
“We have seen throughout 2014 that cybercrime never stops,” Keanini said. “Attacks are likely to escalate even further in the coming weeks.”
While the breaches at Target and Neiman Marcus commanded most of the attention, there were plenty of attacks against retail Web applications during last year’s holiday shopping season.
In an analysis of more than a dozen retail Web applications, Imperva researchers found an average of 547 attacks per day between Nov. 14, 2013 and Jan. 9, 2014. To put this figure in context, the four-week period before the shopping season saw an average of 150 attacks per day, and 267 attacks on average in the four-week period after. The researchers found “a clear growth in the number of attacks during the holiday season,” Barry Shteiman, director of security strategy at Imperva, wrote in a blog post this week.
While it makes sense that there will be more attacks when there is more online traffic, Shteiman said the increase in attack statistics was “too significant.” Imperva said the surge in attack volume may be related to the perception that retail applications are more vulnerable at this time of year, and that attackers are therefore more likely to succeed.
Retailers roll out new pages promoting special sales and campaigns for the holiday season. Because these pages are temporary, they may have been built with unsafe third-party libraries or without following secure coding practices. Companies are also reluctant to fix bugs during the annual code freeze, making it likely that some of these pages will remain vulnerable for longer.
“Cyber-criminals are more motivated during this time of the year,” Shteiman wrote.
The analysis focused on SQL injection, directory traversal, and cross-site scripting attacks because the company’s Web Application Attack Report (WAAR) had ranked these methods as the top three attack types targeting retail Web applications. Imperva found in last year’s WAAR that retail Web applications suffered twice as many SQL injection attacks as other kinds of Web applications, and confirmed the trend in this year’s report.
A recent Gallup poll found that 69 percent of respondents were concerned about having their credit card information stolen from stores, and 62 percent were worried about having their computer or smartphone hacked. However, a recent Ponemon Institute survey of 1,000 consumers found that while nearly 50 percent were victims of a data breach, 45 percent have not changed their shopping behavior when using credit and debit cards.
Retailers may not have much time left to do a full audit of their applications to find and fix issues, but they should be taking steps to know which new pages have been added to their application so that they can monitor those areas for any suspicious activity. This is not the time to relax existing security policies, either.
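The monitoring the article recommends can be as simple as scanning the Web server access log for the three attack classes Imperva ranked highest and flagging any hit that lands on a newly added holiday page. The following is an added example, not code from Imperva or any retailer; the page inventory, signatures and log lines are all constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed inventory of temporary holiday pages (hypothetical paths); in practice
# it comes from the release notes of the holiday deployment.
HOLIDAY_PAGES = {"/blackfriday/deals", "/cybermonday/landing", "/promo/doorbusters"}
# Coarse signatures for the three attack classes the article names; they surface
# requests for review rather than block them.
SIGNATURES = {
    "sqli": re.compile(r"(%27|')\s*(or|and)\s|union\s+select|sleep\(|'--", re.I),
    "traversal": re.compile(r"\.\./|\.\.\\|%2e%2e%2f", re.I),
    "xss": re.compile(r"<script|%3cscript|javascript:|onerror\s*=|onload\s*=", re.I),
}
# Combined-format access log line; only the fields needed here are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) ')

def classify(url):
    """Attack classes whose signature matches the raw or URL-decoded request."""
    decoded = unquote(url)
    return [k for k, rx in SIGNATURES.items() if rx.search(url) or rx.search(decoded)]

def scan(lines):
    """One record per request that matches a signature; malformed lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        kinds = classify(url)
        if kinds:
            path = url.split("?", 1)[0]
            hits.append({"ip": m.group("ip"), "date": m.group("ts").split(":", 1)[0],
                         "path": path, "kinds": kinds,
                         "holiday_page": path in HOLIDAY_PAGES})  # new, less-tested code
    return hits

def per_day_counts(hits):
    """Flagged requests per day, to compare against a pre-season baseline."""
    return Counter(h["date"] for h in hits)

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Nov/2014:10:15:32 +0000] "GET /blackfriday/deals?id=1%27%20OR%201=1-- HTTP/1.1" 200 512',
    '203.0.113.5 - - [28/Nov/2014:10:16:01 +0000] "GET /cybermonday/landing?tpl=../../app.config HTTP/1.1" 404 0',
    '198.51.100.7 - - [28/Nov/2014:10:17:45 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024',
    '198.51.100.8 - - [29/Nov/2014:08:01:10 +0000] "GET /blackfriday/deals?id=42 HTTP/1.1" 200 2048',
    '192.0.2.9 - - [29/Nov/2014:09:30:00 +0000] "GET /cybermonday/landing?name=%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1" 200 300',
]
```

Running `scan(SAMPLE_LOG)` flags four of the five requests, three of them against pages in the holiday inventory, and `per_day_counts` gives the daily totals to set against the pre-season rate.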
“Retail application providers should make sure to be prepared for a wave of cyber-attacks,” Shteiman said.