Staying on Target
According to a July 2013 study from the Center for Strategic and International Studies, cyber criminals cost the U.S. economy $100 billion annually. Those numbers don’t tell the story of who’s at the greatest risk, though: This holiday season, many believe retailers are in the cyber crosshairs.
Last year’s holiday e-commerce sales grew 14 percent to $42.3 billion in total revenue, according to comScore. That’s big money — and it can be an easy target.
“Online services are relatively safe environments for criminals,” says Stephen Topliss, vice president of services and support at cybercrime solutions provider ThreatMetrix. “They’re not going to get caught by the security guard at the store entrance. Financial organizations have invested heavily in online defenses … [but] the levels of defense in place at e-commerce merchants are varied and often inadequate.”
Smaller retailers, in particular, “oftentimes have non-existent or very immature security and risk practices, and rely on off-the-shelf software for all their security needs without defining critical internal processes,” says Yo Delmar, vice president of MetricStream, a governance, risk and compliance company.
“Retailers of all sizes should look toward more robust security and risk management practices,” he says. “They need to go beyond compliance to proactive information risk management.”
Delmar says focusing on site performance and usability over security makes e-commerce sites vulnerable. The industry in general has numerous open endpoints, including point-of-sale (POS) systems, bricks-and-mortar stores and websites, and only moderate identification measures when customers create an account or shop online.
Meanwhile, customers tend not to take their retail accounts and security measures as seriously as they do their bank accounts.
“In many cases, customers will use the same e-mail, username and password across different retailers and e-commerce sites,” Delmar says. “Therefore, if one account is compromised, it likely means other accounts will also be compromised.”
ThreatMetrix encourages retailers to look for users accessing accounts from unfamiliar devices or changing account details such as the shipping address or cell number. Topliss says e-commerce merchants should build a history of customers, with positive scores based on prior transactions, so they are in a position to better assess the device, account and associated address and avoid flagging authentic customers for fraudulent transactions.
“The key to prevention is to have a layered defense in place,” he says. “This can mean screening at the account creation and login stages in addition to the traditional payment stage.”
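As an added illustration of the layered screen Topliss describes (unfamiliar device, changed shipping address or phone, credit for a positive transaction history, checks at signup and login as well as payment), here is a toy scoring routine. It is not ThreatMetrix's or any retailer's actual logic; the weights, stage names, device registry and sample customer are all constructed.

```python
from dataclasses import dataclass, field

# Added example: a toy layered fraud screen, not a vendor's real rule set.
# Weights and thresholds below are constructed for illustration only.

@dataclass
class Customer:
    known_devices: set = field(default_factory=set)
    known_addresses: set = field(default_factory=set)
    good_orders: int = 0          # prior completed, undisputed transactions

@dataclass
class Event:
    stage: str                    # "signup", "login" or "payment"
    device_id: str
    shipping_address: str = ""
    changed_fields: tuple = ()    # e.g. ("shipping_address", "phone")

# Constructed: how many accounts each device has already registered.
ACCOUNTS_PER_DEVICE = {"dev-kiosk": 12, "dev-phone-A": 1}

def risk_score(customer: Customer, event: Event):
    """Return (score, reasons); higher is riskier. Run at every stage, so a
    stolen credential is screened at login, not only at checkout."""
    score, reasons = 0, []
    if event.stage == "signup":
        # one device opening many accounts looks like bulk registration
        if ACCOUNTS_PER_DEVICE.get(event.device_id, 0) >= 5:
            score += 60; reasons.append("device tied to many accounts")
        return score, reasons
    if event.device_id not in customer.known_devices:
        score += 40; reasons.append("unfamiliar device")
    for f in event.changed_fields:
        if f in ("shipping_address", "phone"):
            score += 25; reasons.append(f"{f} changed")
    if event.stage == "payment" and event.shipping_address not in customer.known_addresses:
        score += 20; reasons.append("shipping to new address")
    # a positive history earns credit, capped so it cannot mask every signal
    credit = min(5 * customer.good_orders, 40)
    if credit:
        score = max(score - credit, 0); reasons.append(f"history credit {credit}")
    return score, reasons

def decide(customer: Customer, event: Event, threshold: int = 50) -> str:
    """'step-up' means ask for extra verification rather than block outright."""
    score, _ = risk_score(customer, event)
    return "step-up" if score >= threshold else "allow"
```

A regular customer on a new laptop shipping to a known address passes, while the same device shipping to a new address after changing phone and address details is sent to step-up verification.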
For retailers that have comprehensive cybercrime defenses in place, ThreatMetrix sees “a cat-and-mouse game being played out, as criminals change their attack vectors and retailers modify their rule sets accordingly,” Topliss says. “The issue is the large number of retailers who do not have comprehensive controls in place, who are being easily targeted by the more sophisticated toolsets now available to criminals online.”
From high-level criminals planting bots on secure servers to disgruntled employees installing “Trojan horses,” the methods seem simple when compared with the damage they cause. In New York state, home to strong data breach notification laws, “Not only does the company have to mail out notifications … they have to make [consumers] whole if that information that was compromised led to them being the victim of identity theft,” Michael McCartney, president of Digits LLC, told Buffalo’s Business First.
“So if they took your information and used it to get a $20,000 line of credit, the company has to pay you the 20 grand.