Cyber crime seen as major risk to mobile shopping during holiday season

Nov. 20, 2018 | by David Jones

Cyber crime seen as major risk to mobile shopping during holiday season

With Black Friday and Cyber Monday set to kick off within days, retailers and payment experts are increasingly concerned about the heightened threats to e-commerce sites and the potential impact that is having on mobile shopping.

A study from the National Retail Federation and Forrester found that payment card fraud remains the top concern of retailers, as cyber attackers have moved away from in-store fraud to online following the implementation of EMV chips on credit and debit cards. About 55 percent of retailers said they were concerned about the rise of payment card fraud and the implementation of EMV chips has moved a large number of attacks to e-commerce sites.

"The chip in an EMV card makes it difficult to counterfeit the card, but it does nothing to show whether the person trying to use the card is a legitimate cardholder," Stephanie Martz, senior vice president and general counsel at NRF said in the study announcement.

In addition, a new report from Juniper Research found that annual online fraud payment losses involving e-commerce, airline ticketing, money transfer and banking could more than double to $48 billion in 2023, up from the estimated $22 billion in losses projected for this year.

Threat actors

In August, three Ukrainian nationals, alleged to be members of a notorious cybergang known as Fin7, were arrested on federal charges that they stole millions of credit and debit cards in a massive malware campaign, dating back to 2015, which targeted more than 100 U.S. companies. In the U.S. alone, prosecutors said the group stole more than 15 million credit card records from 6,500 point-of-sale terminals, mainly in the restaurant, gaming and hospitality industries.

According to the indictments, the hackers sent emails with attachments to business employees and in some cases followed up with phone calls to make the emails seem legitimate. Once they were opened, the attackers used a version the Carbanak malware to infect the user's device and steal their payment data and resold that information on the Dark Web.

Another major actor uncovered this year was Magecart, which operated by skimming credit card information from vulnerable e-commerce sites, according to a joint research report from Risk IQ and Flashpoint. Magecart, which analysts said was comprised of a series of cyber attack teams, has targeted such high-profile names as Ticketmaster, British Airways and Newegg, according to the report.

And Check Point Software Technologies last month released its monthly Global Threat Index report revealing a nearly four-fold increase in cryptomining malware attacks against Apple's iPhone. The attacks used the Coinhive mining malware, which involved the use of javascript to search for online Monero cryptocurrency and essentially hijacked the resources of the device.

Researchers also found a sharp increase in attacks against devices using the Safari browser, the main web browser used in Apple devices.

Maya Horowitz, threat intelligence group manager at Check Point, said in that announcement that "attacks such as these are a reminder that mobile devices are an often overlooked element of an organization's attack surface, so its critical that these devices are protected with a comprehensive threat solution, to stop them from being a weak point in corporate security defenses."

Mobile protection

Considering that mobile devices now account for more than half of the global URL requests and that more than half of all personal and business email is first opened on a mobile device, mobile transactions can be vulnerable to all types of threats, said Brian Duckering, mobile security specialist at Symantec Corp., the firm behind the widely used Norton antivirus and malware protection products. Earlier this month, it acquired a startup called Appthority, as a move to help bolster the firm's ability to monitor threats against mobile apps that work in the Android and iOS environment.

Those risks include "network attacks where a hacker could observer unencrypted traffic and credentials, apps that could be a malicious copy of a legitimate app — or maybe use poorly implemented security measures," he told MPT via email. 

The New York State Attorney General's office warned in an announcement today that shoppers should avoid any financial transactions through an open, unsecured Wi-Fi connection, as hackers often stake out those type of locations. Consumers should make sure to only shop using a site with the https:// instead of http://, because the former is a secure SSL internet protocol.

They also warned that hackers use variants of known sites to lure consumers into entering their payment information and often target users through social media or email to use these fake sites.

Ron Teicher, chief executive of EverComplaint, said holiday shopping season is also ripe for a phenomenon called transaction laundering, where a merchant account is used to process the transactions of another merchant.

"In addition to being a violation of network rules, transaction laundering is often intended to hide the activity of the undeclared merchant specifically because that merchant would not otherwise be able to get a merchant account and process payments," Teicher said via email.

The reasons why this technique is used could involve anything from the sale of illegal goods to hide transactions involving sanctioned individuals or outright fraud, he said.

EverCompliant has identified more than 1 million sites that were apparently involved in illegal activity, he said, however, the primary victims in these instances were the financial institutions and the payment processors, who were not aware of the nature of the transactions.

Photo: iStock

 

Topics: Mobile Apps, Retail, Security

Companies: Symantec

image
David Jones

David Jones is a veteran business and technology journalist, with three decades of experience writing about business travel, real estate and technology.

Since 2015 he covered a range of technology stories for the ECT News Network, which includes the E-Commerce Times, TechNewsWorld, LinuxInsider and CRM Buyer, writing about cybersecurity, artificial intelligence, machine learning, open source computing and privacy issues among others,. He recently covered FinTech issues for PYMNTS.com.

He worked as a staff writer for Bloomberg Business News and an online reporter for Crain’s New York Business. He has written for numerous media organizations, including Reuters, The New York Times, The Real Deal, Continental, City Limits and The Nation.

He was previously awarded the George Washington Williams Fellowship for Journalists of Color by the Independent Press Association.

Sponsored Links:

Related Content

Latest Content