By Ed Nadareski
The biggest online shopping event of the year is on the horizon: Amazon Prime Day begins at 9 p.m. this Monday, July 10. While the average person is thinking about browsing their wish list items for discounts during the 30-hour sale, hackers are looking to take advantage of the surge of online purchasing activity that comes with an event like Prime Day.
Of course, there’s a huge spike in online transactions for an event like Prime Day, but we’re also seeing consistent growth of e-commerce activity—approximately 23% year-over-year. The immense increase of online transaction processing has been accompanied by an equivalent rise in the number and type of attacks against the security of e-commerce systems. Cyberattacks on businesses represented 44 percent of all the 2016 data breaches recorded by the Identity Theft Resource Center, and a retail breach constituted the largest number of compromised records in that category.
Many attacks continue to target previously known or published vulnerabilities in the third-party components that a website’s shopping cart software relies on. These attacks can trick an online shopper into believing they are using a safe website. Another approach that has caused a multitude of problems for web applications is a SQL injection or cross-site scripting (often referred to as XSS) vulnerability. XSS in particular allows an attacker to push client-side scripts into a web page. This can be used to bypass certain types of access controls such as the same-origin policy, under which a web browser permits scripts from one web page to access data in a second web page only if both pages have the same origin.
Experian reports that e-commerce fraud rates spiked 33% in 2016. At the state level, Florida, Delaware, Oregon and New York were the riskiest states for e-commerce fraud in 2016. In fact, 70% of e-commerce billing fraud came from three states – Florida, California and New York – based on the sum of fraud attacks reported, and Miami accounted for the most ZIP Codes ranked across shipping and billing fraud.
While businesses may not see a surge in online shopping as a risk, the reality is that 53% of employees are using time at work to shop online, and if they’re doing so on the company’s network, the threat goes beyond the individual shopper.
Is there a way to guarantee 100% that you won’t be hacked or be the random victim of an attempted attack while online shopping? No! But following these five easy steps will go a long way toward improving your security posture and protecting yourself and your organization from online retail fraud.
1. Keep your operating system and its applications up to date by patching and applying new releases as appropriate. Vendors are always working on providing as much protection as possible for their respective applications. Look for Microsoft’s “Patch Tuesday” as one of the primary sources for your patching requirements.
2. Always use HTTPS! If a website you’re using doesn’t have it, or the online vendor doesn’t support HTTPS, it is highly recommended that you stop using that site.
3. Use security plugins developed for your browser. For example, AdBlock Plus is a small plugin used with Google Chrome (other plugins have been developed for MS Internet Explorer, Firefox and others) that will help you block advertisements and webpage sections you may want to hide.
4. Use strong passwords. You’ve heard this time and time again, but there’s a good reason for that. This is very important! Do not use a birth date, your first name or even your pet’s name. Any good hacker can easily guess these types of passwords. Use a password that has upper- and lower-case letters, along with special characters and numbers. For example, “01011990” is not a good password. Adding better controls, we could use “Jan0!(99O”, which is a much stronger password.
5. Never, ever, for any reason, should you give out your login information to anyone. Handing out your login credentials is one of the biggest reasons people are hacked or companies are breached. Banks, healthcare organizations, and even software support technicians should never have any reason to ask you for your login ID and password. This information should be kept in a secure place and changed every 90 days, or more frequently if needed.
Before breaking out your credit card for Prime Day, or with any other online retailer, consider these simple steps to protect your information.
If you’re a business with online purchasing capabilities, contact one of our CISSPs to discuss preventive measures for your security program around e-commerce and online transaction processing: firstname.lastname@example.org or (585) 385-0610 ext. 206.