By Gavin Cartwright, Associate Partner, UK&I Retail and Consumer Products Cyber Lead
For many retailers, Black Friday and Cyber Monday have become one of the most important online trading periods as shoppers rush for their Christmas mega deals. As a result, the number of transactions is set to skyrocket.
Last year, Black Friday saw a 515% online increase compared to an average Friday. It should be a profitable and memorable time in what has generally been a difficult year in retail. Increasing overheads and falling consumer confidence have made this one of the toughest years for retailers since 2011, according to our EY profit warnings research. Using the sales frenzy weekend to drive volumes back up will therefore be a welcome opportunity.
However, one potential threat to this hopeful occasion is the rise of online payment card skimming. Similar to physical ATM skimming, this occurs when an attacker captures the details of a payment card at the point of a transaction.
Online payment skimming has caught out a number of high-profile ecommerce sites these past few months, and the chances are this trend will continue. Over half of organisations in the retail and consumer products sector feel they are unlikely to spot a sophisticated cyber-attack according to our recent Global Information Security Survey.
Because the changes are stealthy and the code used to exploit retail sites keeps evolving, identifying and stopping these attacks isn’t always easy.
On the positive side, retail and consumer organisations are making progress on cybersecurity, but they must continue to mature their capabilities across how they secure, detect and respond to cyber-attacks and incidents.
As such, for organisations with online payment facilities, what can be done?
1. Make it harder for attackers to get in
A key deterrent is having the right levels of security hygiene for online payment architectures. This includes keeping them up to date with the latest security patches, using security-hardened default settings, and having a process to review and secure developer code. Our survey shows that only 8% of consumer-facing organisations have information security functions that meet their needs, with 55% saying they have plans to improve. As attacks continue to grow in number and sophistication, having these foundational areas of security working well becomes the best form of defence.
2. Track online activity and updates linked to e-commerce payment platforms
Several new ‘zero day’ vulnerabilities have been discovered in extensions to payment platforms, such as features added to payment pages to perform useful tasks like picking delivery slots or tracking delivery times. Working with IT and web developer teams to understand all the software types and the various versions in use is the first step. This should then be followed up by keeping a close eye on new security fixes for this software, assessing the impact of applying each change, and deploying these updates in a timely manner.
3. Check web architecture for unauthorised or unusual changes
In recent breaches, we’ve seen source code for areas of the website that don’t generally change show up with a recent entry in the ‘last modified’ logs. When investigated further, a small amount of new code was found to redirect payment details to unapproved sites. Working with internal and external web teams to monitor the change control of websites becomes important, as it allows early identification of such changes and quicker investigation and repair. This can be performed by manual inspection of code, but it is likely to be more efficient through automated software that can compare timestamped versions of your website code, or through the likes of file integrity monitoring software. Given there is often a reliance on third parties to support an organisation’s website and online payment facilities, these checks need to be carried out in collaboration with suppliers, with changes regularly reported back.
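The check described above, comparing the current version of the checkout code against a known-good version, can be scripted in a few lines. The example below is added here and is not EY’s tooling or code from the article: it records a SHA-256 baseline of the approved deployment and then reports every file that has been modified, added or removed since. The file names and contents are constructed for illustration; `snapshot_directory` is an assumed helper for reading real assets from disk. Hashing content rather than trusting ‘last modified’ timestamps alone matters, because a timestamp can be reset while the contents stay altered.

```python
import hashlib
import os
from dataclasses import dataclass, field
from typing import Dict, List, Mapping


def sha256_hex(data: bytes) -> str:
    """Content hash used for the baseline; timestamps alone are not trusted."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Mapping[str, bytes]) -> Dict[str, str]:
    """Record the hash of every approved file. Run immediately after a
    change-controlled deployment and store the result out of band."""
    return {path: sha256_hex(content) for path, content in files.items()}


@dataclass
class IntegrityReport:
    modified: List[str] = field(default_factory=list)  # hash differs from baseline
    added: List[str] = field(default_factory=list)     # file not in baseline at all
    removed: List[str] = field(default_factory=list)   # baseline file no longer present

    def is_clean(self) -> bool:
        return not (self.modified or self.added or self.removed)


def check_integrity(baseline: Mapping[str, str],
                    current: Mapping[str, bytes]) -> IntegrityReport:
    """Compare a live snapshot against the baseline and list every deviation.
    Any non-empty list is a change that should be traceable to a change ticket."""
    report = IntegrityReport()
    for path, expected in baseline.items():
        if path not in current:
            report.removed.append(path)
        elif sha256_hex(current[path]) != expected:
            report.modified.append(path)
    for path in current:
        if path not in baseline:
            report.added.append(path)
    return report


def snapshot_directory(root: str,
                       extensions=(".js", ".html", ".php")) -> Dict[str, bytes]:
    """Assumed helper: read web assets from disk, keyed by path relative to root
    so the same baseline works across hosts and CDN copies."""
    files: Dict[str, bytes] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(extensions):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return files


# Constructed sample: the checkout assets as approved at deployment time.
APPROVED_DEPLOYMENT = {
    "checkout/payment.js": b"function submitCard(form) { return post('/api/pay', form); }\n",
    "checkout/index.html": b"<form id='card'>...</form>\n",
}

# Constructed sample: the same site a few days later. payment.js has gained a few
# extra lines and a new script has appeared, neither backed by a change ticket.
LATER_SNAPSHOT = {
    "checkout/payment.js": b"function submitCard(form) { return post('/api/pay', form); }\n"
                           b"// unexpected extra lines appended here\n",
    "checkout/index.html": b"<form id='card'>...</form>\n",
    "checkout/vendor.min.js": b"/* unexpected new file */\n",
}


def demo() -> IntegrityReport:
    """Baseline the approved deployment, then check the later snapshot against it."""
    baseline = build_baseline(APPROVED_DEPLOYMENT)
    return check_integrity(baseline, LATER_SNAPSHOT)


if __name__ == "__main__":
    result = demo()
    for label, paths in (("MODIFIED", result.modified),
                         ("ADDED", result.added),
                         ("REMOVED", result.removed)):
        for path in paths:
            print(f"{label}: {path}")
    print("clean" if result.is_clean() else "investigate before next release")
```

In practice the baseline is rebuilt only as part of an approved release, the comparison runs on a schedule against the live site (including copies served by a CDN or a third-party payment provider), and any `MODIFIED` or `ADDED` entry without a matching change record is escalated to the supplier for explanation.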
The significant increase in traffic that this year’s Black Friday and Cyber Monday will attract will make this a prime time to further target retail and consumer online payment sites. By protecting your online architecture and maintaining transaction trust, this could well be the ‘best deal’ you offer your customers.