16 December 2022
Bots jumped at early holiday deals
HUMAN Security found a spike in account takeover attacks in October. A longer peak season means a bigger attack surface for cybercriminals.
The holidays are peak season in the consumer economy, and everyone is trying to make the most of it. Retailers are looking to capitalize on the heightened buying mood of consumers, while shoppers are out looking for a steal of a discount.
This window of opportunity is only extending. This year, Amazon and others held early holiday kickoff events in October. Meanwhile, the consumer willingness to hold out for deals amid inflation is leading many retailers to believe there will be a particularly strong finish.
But brands and retailers also have to be on guard. A longer season gives bots, deployed to siphon money out of the flood of offers, more time and more places to operate.
“With the holiday shopping season starting earlier and earlier each year, cybercriminals have more opportunities to steal, scam and cause havoc,” said Gavin Reid, CISO at cybersecurity company HUMAN Security. “As consumers move to a hybrid shopping model, and retailers make use of the high engagement online with early access deals, the attack surface for malicious bots has only grown, giving them more opportunities to check things off their list.”
While it’s easy to think of these bots as shadowy forces lurking in unexpected corners of commerce, there’s a pattern to how they work. Fraud follows the money, so if brands are investing more in an area like advertising, the opportunity for malicious activity associated with that investment becomes higher.
With this logic in mind, it makes sense that HUMAN research found evidence of increased bot activity during Cyber Week. “But here’s the catch – the data also shows that these attacks begin to pop up before the holiday season in September and October when attackers were likely trying to get a large number of stolen accounts in advance of the holiday shopping season, so they could sell them on the dark web right before Cyber Week,” Reid said.
There are a few primary tactics that attackers are using, HUMAN found:
Account takeover attacks started in September, with a peak in mid-October, according to the research. By October, more than 30% of login attempts were malicious, up markedly from 15% in September. In these attacks, cybercriminals compromise existing user accounts using sophisticated bots that can be deployed at scale from ordinary devices such as iPads, phones or computers.
“What makes them so dangerous is that they cost little to carry out, have a high success rate and have rippling advantages for cybercriminals, including selling them on the dark web or validating the stolen credentials to attempt thousands or millions of logins across websites,” Reid said. “If they succeed, they’ll make fraudulent purchases and credit transfers.”
In particular, ecommerce websites are vulnerable to these attacks because they are places where users store credit and debit card information, gift card balances, loyalty points, and more.
Carding attacks also showed an uptick ahead of Cyber Week. HUMAN found that these rose 350% in early November, and found a 900% increase following Cyber Monday. Carding attacks are a form of payment fraud that focus on the checkout page. Cybercriminals use sophisticated bots and stolen credit card details on ecommerce sites to buy goods, then sell them for a profit. Criminals buy lists of data on illicit marketplaces, then send bots to ecommerce stores that test the cards by attempting small purchases.
“When they’ve proven the card details are valid, the fraudsters will deploy sophisticated bots to use the verified card details to make ecommerce purchases, steal from accounts, and buy gift cards. It’s like when the Grinch enters Whoville to steal presents,” Reid said, adding that the gift cards are either sold at a discount, or used to buy items that can be resold.
Resale is not malicious as a whole, but it can also fall prey to criminal activity. One of the most popular strategies is to snatch up hot gift items and resell them at a mark-up. Yes, the $500 PlayStation 5 sold for $1100 is a form of fraud.
It’s important for leaders to understand these threats not so that they live in fear of them, but to understand how to prepare. They can be prevented with proper awareness and strategies. The risk heightens during the holidays, but is not purely a phenomenon of peak season. HUMAN has found that up to 9% of annual purchases at businesses are the result of account takeover activities. Understanding the lifecycle of these attacks can help leaders understand how to detect them and defend against them.
“As online sales start earlier and retailers continually host large sales to attract customers all year round, sophisticated cybercriminals will continue to target ecommerce sites with attacks. And brands need to remain on alert,” Reid said. “By not implementing solutions such as having bot and fraud protection measures in place, retailers and brands could actually lose money, customers, and loyalty—over something that is actually preventable.”
On a tactical level, Reid offered the following tips that can help lower the risk of fraud during the holidays and beyond:
For businesses:
For shoppers:
Cybersecurity delivers brand security, writes BlueSnap CEO Ralph Dangelmaier.
There is one lingering element among the sea of sales heading into the new year that could stick around well into 2023: fraudulent bots.
As online shopping continues to grow in popularity, so does the risk of fraud and cyber-attacks. The presence of these bots on retailer websites can threaten the completion of successful, authentic purchases in the buying journey for consumers. For brands themselves, they can lead to increased security risks, poor site performance and incomplete purchase headaches. With more sensitive personal and financial information being shared online, retailers need to ensure that their customer data is protected at all times, which means security in ecommerce payments is more important than ever this year.
In today's digital landscape, constant technological advancements and the significant increase in online activity due to COVID-19 contribute to the rise in cybercrimes and bot threats. The sophistication of cybercriminals, and the rise of advanced attacks against the payment systems that the Payment Card Industry Data Security Standard (PCI DSS) is meant to protect, have made it imperative for retailers to implement robust security measures in their ecommerce operations. For example, specific bot-powered fraud threats include these disruptive schemes:
The root solution to this problem is to protect customer information. So retailers must ensure that their online payment processes are secure and that payment systems are protected against bot activity and other forms of cyber-attacks. As a result, implementing security measures that can quickly detect and prevent fraud has become a top priority.
Protecting one’s company from bots and fraud doesn’t have to be a complicated process. In fact, it’s par for the course in today’s tug-of-war between bad actors and cybersecurity systems. It’s important to understand that any business can become a target of a bot attack, but it isn’t a foregone conclusion that bot activity will cripple that company’s ecommerce operations. The crucial first steps are to be aware of the risks and to establish an actionable method of protection.
Implement continuous monitoring for suspicious activity.
Businesses should continuously monitor transactions and suspicious activities while having an incident response plan in place to quickly detect and respond to bot fraud. Implementing fraud detection software programs can analyze customer behavior and transactions in real-time to identify and flag such suspicious activity.
Behavioral analysis is used to track and analyze customer behavior over time, which allows payment orchestration platforms to identify long-term patterns of fraud. This can include tracking customer browsing and purchase history, as well as analyzing repeated customer interactions with a retailer's website. This ultimately helps to quickly identify and prevent fraudulent purchases or account creations.
Prioritize anti-bot technology.
Implementing CAPTCHA, multi-factor authentication, or challenge-response systems to detect and block bots from accessing websites or applications is table stakes at this point. But it should be said that these basic preventative measures can help stop automated scripts from creating fake accounts or gaining access to login credentials to make fraudulent purchases. Simply put: they get the job done.
Additionally, businesses can also use IP blocking and user-agent blocking to cut off known bot IP addresses. Tokenization is another anti-fraud method, in which payment providers tokenize sensitive data such as credit card numbers and replace them with a non-sensitive equivalent called a token. The token is a randomly generated string of characters that has no intrinsic value and is used to reference the original sensitive data. The sensitive data is then stored in a secure, off-site location, separate from the token so data isn’t stolen or compromised during a data breach.
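To make the tokenization idea concrete, here is an added illustration (not BlueSnap's or any provider's code) of a token vault: the token is random, not derived from the card number, and the only place the card number exists is the vault, which stands in for the provider's off-site, PCI-scoped store. The `luhn_ok` check and the 13-19 digit length rule are assumptions about what a vault would validate before accepting a card number.

```python
import secrets

def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used to reject mistyped or malformed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Stands in for the payment provider's vault (assumption: in a real deployment
    this lives off-site with the provider, never in the merchant's own database)."""
    def __init__(self):
        self._pan_by_token = {}  # the only mapping from token back to the card number

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a well-formed card number")
        # Random, not derived from the PAN: the token reveals nothing about the card,
        # and storing the same card twice yields two unrelated tokens.
        token = "tok_" + secrets.token_urlsafe(18)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can turn a token back into a card number."""
        return self._pan_by_token[token]

def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What the merchant keeps: the token plus last four for display, never the PAN."""
    token = vault.tokenize(pan)
    return {"card_token": token, "last4": pan.replace(" ", "")[-4:]}
```

A breach of the merchant's records therefore exposes only tokens, which are worthless without access to the vault.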
Rely on payment platforms for easier detection.
Payment platform partners usually have robust fraud detection and prevention systems in place and can help businesses use their technology and data to identify unauthorized transactions. Payment technology itself can assess the risk of a transaction by analyzing signals such as the originating IP address and device data, and use them to identify potential fraud, including bot activity. By analyzing large amounts of data, these algorithms can quickly identify and flag suspicious activity, such as multiple purchases from the same IP address or abnormal spending patterns.
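The two detection patterns the article describes, card testing with small trial purchases (from the carding section) and the same-IP or abnormal-spending signals just mentioned, can be run over a checkout log. The following is an added example, not HUMAN's or BlueSnap's detection logic; the log format, thresholds (four distinct cards under $5 from one IP within ten minutes; an approved order more than ten times the customer's prior median) and the sample rows are all constructed for illustration.

```python
import csv, io, statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample checkout log (not real data): ts,ip,customer,card_last4,amount,status
SAMPLE_LOG = """ts,ip,customer,card_last4,amount,status
2022-11-28T10:00:01,203.0.113.7,guest,1111,1.00,declined
2022-11-28T10:00:04,203.0.113.7,guest,2222,1.00,declined
2022-11-28T10:00:06,203.0.113.7,guest,3333,1.00,approved
2022-11-28T10:00:09,203.0.113.7,guest,4444,1.00,declined
2022-11-28T10:05:00,198.51.100.2,alice,9876,42.50,approved
2022-11-28T10:06:00,198.51.100.2,alice,9876,38.00,approved
2022-11-28T10:07:00,198.51.100.2,alice,9876,45.00,approved
2022-11-28T11:00:00,192.0.2.9,alice,9876,1450.00,approved
"""

def parse_log(text):
    """Parse the CSV log and return rows sorted by timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
        r["amount"] = float(r["amount"])
    return sorted(rows, key=lambda r: r["ts"])

def find_card_testing(rows, window=timedelta(minutes=10), min_cards=4, max_amount=5.0):
    """Card testing: one IP tries many distinct cards with tiny amounts in a short window."""
    by_ip = defaultdict(list)
    for r in rows:
        if r["amount"] <= max_amount:  # bots probe stolen cards with small "test" charges
            by_ip[r["ip"]].append(r)
    flagged = set()
    for ip, events in by_ip.items():
        for i, first in enumerate(events):  # sliding window over this IP's attempts
            recent = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            if len({e["card_last4"] for e in recent}) >= min_cards:
                flagged.add(ip)
                break
    return flagged

def find_spend_spikes(rows, factor=10, min_history=3):
    """Abnormal spending: an approved order far above the customer's own prior median."""
    history, spikes = defaultdict(list), []
    for r in rows:
        if r["status"] != "approved" or r["customer"] == "guest":
            continue
        prior = history[r["customer"]]
        if len(prior) >= min_history and r["amount"] > factor * statistics.median(prior):
            spikes.append((r["customer"], r["ip"], r["amount"]))
        prior.append(r["amount"])
    return spikes
```

Declined attempts count toward card testing on purpose: a bot learns which cards are live from the declines as much as from the approvals.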
Implementing 3DS authentication through payment providers also increases the level of security and helps to prevent account takeovers by bots. 3DS authentication works by redirecting customers to their card issuer's website during the checkout process, where they are prompted to enter a one-time code or use biometric authentication to verify their identity. This helps to ensure that the individual making the purchase is the actual cardholder and not a bot using a stolen or compromised card.
We’ve gone through the how, but an equally important component of the equation is the why. Being secure sounds good, but what will a secure payment gateway — which allows retailers to accept credit card and other electronic payments securely and seamlessly — do for a retailer, site visitors, and eventual customers?
Simply put, a secure payment gateway provides encryption and security protocols to protect sensitive customer information, such as credit card numbers, during online transactions. This ensures that customer information is transmitted securely and is not vulnerable to the severe hacking or data breaches mentioned above. Most importantly, this helps to build trust with customers, so they can be confident that their personal and financial information is protected.
Furthermore, a secure payment gateway also allows retailers to accept a wide range of payment options, including credit cards, debit cards, e-checks, and more, which can increase the chances of customers completing a purchase. A streamlined checkout process is probably the most fundamental yet important component when it comes to customer retention. It seems simple to say, but making it easy to check out and increasing the chances of customers completing their purchases reinforces brand security in the customer’s mind, on top of increasing sales for the retailer.
From an internal perspective, a secure payment gateway can also provide retailers with valuable data and analytics. This can include information on customer demographics, purchase history, and more, which can be used to improve the customer experience and optimize marketing and sales strategies.
Security in ecommerce payments is crucial in 2023: as online shopping continues to grow in popularity, so does the risk of bot-related fraud and cyber-attacks. Retailers need to protect customers' sensitive information and their own reputation by ensuring secure online payment processes and implementing robust security measures to detect and prevent fraud.
Ralph Dangelmaier is the CEO of BlueSnap, an online payments technology company.