Cyber crime poses big risk to mobile holiday shopping

Security experts and retailers are increasingly focused on protecting the consumer's mobile shopping experience and payment platforms to ensure safe transactions.

November 27, 2018 by David Jones — Editor, Networld Media Group

As the holiday shopping season gets into full swing, retailers and payment experts are increasingly concerned about heightened threats to e-commerce sites and the potential impact on mobile shopping activity.

A study from the National Retail Federation and Forrester Research found payment card fraud remains the top concern of retailers, as cyber attackers have moved away from in-store fraud to online following the implementation of EMV chips on credit and debit cards.

About 55 percent of retailers are concerned about the rise of payment card fraud, and the implementation of EMV chips has moved a large number of attacks to e-commerce sites.

"The chip in an EMV card makes it difficult to counterfeit the card, but it does nothing to show whether the person trying to use the card is a legitimate cardholder," said Stephanie Martz, senior vice president and general counsel at NRF, in a release on the study.

In addition, a Juniper Research report found that annual online fraud payment losses, involving e-commerce, airline ticketing, money transfer and banking, could more than double to $48 billion in 2023, up from the estimated $22 billion in losses projected this year.

Threat actors

In August, three Ukrainian nationals, alleged to be members of a notorious cybergang known as Fin7, were arrested on federal charges that they stole millions of credit and debit cards in a massive malware campaign, dating back to 2015, which targeted more than 100 U.S. companies. In the U.S. alone, prosecutors said the group stole more than 15 million credit card records from 6,500 point-of-sale terminals, mainly in the restaurant, gaming and hospitality industries.

According to the indictments, the hackers sent emails with attachments to business employees and in some cases followed up with phone calls to make the emails seem legitimate. Once the attachments were opened, the attackers used a version of the Carbanak malware to infect the user's device, steal their payment data and resell that information on the Dark Web.

Another major actor this year was Magecart, which operated by skimming credit card information from vulnerable e-commerce sites, according to a research report from RiskIQ and Flashpoint. Magecart, which analysts said was comprised of a series of cyber attack teams, has targeted such high-profile names as Ticketmaster, British Airways and Newegg, according to the report.

Check Point Software Technologies last month released its monthly Global Threat Index report revealing a nearly four-fold increase in cryptomining malware attacks against Apple's iPhone. The attacks used the Coinhive mining malware, which involved the use of JavaScript to search for online Monero cryptocurrency and essentially hijacked the resources of the device. Researchers also found a sharp increase in attacks against devices using the Safari browser, the main web browser used in Apple devices.

Maya Horowitz, threat intelligence group manager at Check Point, said in the study announcement that "attacks such as these are a reminder that mobile devices are an often overlooked element of an organization's attack surface, so it's critical that these devices are protected with a comprehensive threat solution, to stop them from being a weak point in corporate security defenses."

Mobile protection

Considering that mobile devices account for more than half of the global URL requests, and that more than half of all personal and business email is first opened on a mobile device, mobile transactions can be vulnerable to all types of threats, according to Brian Duckering, mobile security specialist at Symantec Corp. Symantec acquired a startup, Appthority, as a move to bolster the firm's ability to monitor threats against mobile apps that work in the Android and iOS environments.

Those risks include "network attacks where a hacker could observe unencrypted traffic and credentials, apps that could be a malicious copy of a legitimate app — or maybe use poorly implemented security measures," Duckering told Mobile Payments Today via email.

The New York State Attorney General's office warned in an announcement that shoppers should avoid any financial transactions through an open, unsecured Wi-Fi connection, as hackers often stake out those types of locations.

It also warned that hackers use variants of known sites to lure consumers into entering their payment information and often target users through social media or email to use these fake sites.

Ron Teicher, chief executive of EverCompliant, said the holiday shopping season is also ripe for transaction laundering, where a merchant account is used to process the transactions of another merchant.

"In addition to being a violation of network rules, transaction laundering is often intended to hide the activity of the undeclared merchant specifically because that merchant would not otherwise be able to get a merchant account and process payments," Teicher said via email.

The reasons why this technique is used could involve anything from the sale of illegal goods to hiding transactions involving sanctioned individuals or outright fraud, he said, adding his firm has identified more than 1 million sites that were apparently involved in illegal activity. However, the primary victims in these instances were financial institutions and the payment processors, which were not aware of the nature of the transactions.


About David Jones

David Jones is the editor of Mobile Payments Today. He is a veteran business and technology journalist, with three decades of experience writing about business travel, real estate and technology.

Since 2015 he covered a range of technology stories for the ECT News Network, which includes the E-Commerce Times, TechNewsWorld, LinuxInsider and CRM Buyer, writing about cybersecurity, artificial intelligence, machine learning, open source computing and privacy issues among others. He recently covered FinTech issues for PYMNTS.com.

He worked as a staff writer for Bloomberg Business News and an online reporter for Crain’s New York Business. He has written for numerous media organizations, including Reuters, The New York Times, The Real Deal, Continental, City Limits and The Nation. 

He was previously awarded the George Washington Williams Fellowship for Journalists of Color by the Independent Press Association. 
