Black Friday, the annual American-inherited discount day which precedes Cyber Monday, has come around once again. Busting in with its cut-price retail goods and heightened tizzy of consumers looking for the best deals, so does the risk of fraud, cyber-attacks and cyber-crime shoot up like a 4th of July firework.
Dave Palmer, director of technology for DarkTrace notes that: “Digital sales reached up to £2.5 billion on Cyber Monday in 2015. Amazon alone generated 36 percent of all online sales last Cyber Monday, accounting for an estimated £800 million. With so much money changing hands over the internet, the ramifications of a cyber-attack would be huge. Digital sales grind to a halt. And millions in revenue go down the drain as they watch their most lucrative day of the year pass them by.”
With amount of money flying around cyber-space, we're absolutely bound to see some crime. Ilia Kolochenko, CEO at High-Tech Bridge, reminds us: “Black Friday, as well as other crowded days, can be a great smokescreen for sophisticated cyber-attacks. IT teams will be busy maintaining high loads on their systems, and will probably not have enough time to react to all security notifications and anomalies.”
Retrospective research by Kaspersky Lab specialists shows that the number of financial phishing attacks is expected to rise this holiday season. Over the past few years, the holiday period was marked by an increase in phishing and other types of attacks, which suggests that the pattern will be repeated this year.
On top of this, researchers at website security company WhiteHat Security recently studied thousands of retail websites and found that only 40 percent were PCI DSS compliant. WhiteHat also looked at compliance rates over the course of a year and found that there is a marked decline in the percentage of retail websites that are PCI during the holiday period.
Distributed Denial of Service attacks
Of the back of the heels of the major Dyn attack and the Brian Krebs/Akami debacle, it is hard to argue that 2016 hasn't been the year of the record-breaking DDoS attack. Unfortunately, now we have Mirai botnets prowling around the web, there is a very credible threat to any retailer who hopes to churn in Amazon-level money.
Paul McEvatt, senior cyber-threat intelligence manager in UK & Ireland at Fujitsu advises that, “Retailers know that consumers will be rushing to websites to get the best deals possible. Whether there is an accidental DDoS attack caused by this influx of traffic or malicious DDoS attacks taking websites offline, retailers are at huge risk of losing a huge amount of revenue if an attack is successful. Ensuring DDoS mitigation tools or services are in place, active and optimised is a priority for any e-commerce provider.”
Matthias Maier, security evangelist at Splunk said: “While many retailers have already prepared for additional [DDoS] protection through their ISP, they still need to closely monitor all systems end to end to ensure that nothing was overlooked that could lead to a denial of service attack.”
Maier added: “During such a high profile shopping day such as Black Friday, and during the lead up to Christmas itself, it is more important than ever to be able to spot a threat or technical difficulty, find the pattern that causes any delay or outage and eliminate a potential mis-configuration or vulnerability before it manifests into a full scale outage.”
Offering some thoughts on why this is such a huge issue, Keith Tilley, EVP customer services management from Sungard Availability Services said: “Nowadays, customers expect a quick and easy online purchasing experience, involving as few clicks as possible. However, seasonal peaks – such as a spike in web traffic during Black Friday & Cyber Monday – can overload servers, causing long outages and frustrated, deeply unhappy customers.”
Tilley added: “Ironically, these peak seasons account for a significant proportion of a retailer's' annual turnover, so even the smallest of disruptions in service can have disastrous consequences for businesses; both in terms of revenue and reputation. Our recent research found that 29 percent of retailers feel they lack the necessary skills to ensure this availability – which should serve as a cause for concern as we enter into peak season.”
Paul Ducklin at Sophos said: “While chip transactions provide better protection against the sort of hack that saw tens of millions of credit cards skimmed at Target stores in the US around Thanksgiving in 2013, Chip and PIN isn't perfect, but the data on a card's chip is almost impossible to clone, the magstripe is read in its entirety every time you swipe, and is trivial to skim. The Target hack involved malware on each cash register that watched out for magstripe data appearing in the computer's memory.”
Security company Digital Shadow blogged, “When a new campaign for the POS malware known as FastPoS was discovered in September 2016, it became clear that the malware was still under active development. A similar pattern was detected in 2015, whereby new campaigns and upgrades appeared to occur in the months leading up to Christmas. It's highly likely that the same will occur in 2016.”
Matt Aldridge, solutions architect at Webroot reminds us PoSs aren't to be forgotten as “their easily accessible location and low level of physical security, makes it easier for hackers to plant malware or completely switch the machine out. The malware used to target PoS devices scrapes the details of every card that passes through the payment machine and can even record PIN numbers.”
Aldridge adds: “Ahead of Black Friday retailers need to run regular virus checks, make sure the PoS software is up to date and ensure the devices are not left unattended to minimise the chance of being successfully targeted.”
Javvad Malik, security advocate at AlienVault said: “Having an incident response and crisis management plan is crucial for all companies to have, this is even more important during high traffic periods. Things to consider, but not an exhaustive list include, regularly checking the integrity of hardware such as point of sale terminals.”
But what happens if the traffic is real customers, but just a huge spike of them all at once?
Richard Agnew, VP NW EMEA at Veeam said the key to preparing for these is capacity planning: “To determine what the potential peak loads are for site servers, remove the guesswork by reviewing previous figures using monitoring data and plan for a significant uptick beyond anything seen before. For greater capacity, consider moving less vital workloads to the public cloud to benefit from its scale.”
Bill McGloin, chief technologist – information at Computacenter, told SC: “One of tne of the most critical decisions an online retailer can make is when to put up a holding or busy page on their website to protect it from being overwhelmed by sheer load from visitor traffic, or when to deploy additional capacity to cope with traffic created by Black Friday trading, for example.”
McGloin added: “This decision has profound implications for key success factors such as customer experience, ability to trade, and brand credibility. Using data analytics for real time insight enables retailers to see immediately, and predict in the future, these trends and make well-informed decisions ahead of time, often saving the business from potential trading disasters.”
Security company Imperva recommended, “Minimise downtime and maximise performance and availability with load balancers. By distributing network traffic across a system of load balancers, shoppers can move quickly through the checkout process with little to no congestion. Failover is often used in tandem with load balancing to reroute heavy traffic to a secondary server. This ensures that your customers do not experience any downtime.”
Albie Attias, managing director of IT hardware reseller King of Servers, says: “Server redundancy is key for enterprise IT security as hackers often target networks and ecommerce stores because they know how crucial they are. The last thing you want is to have to deal with the board because the systems went down at the most crucial time for trading in the year. Sony and Microsoft have both learned this the hard way as hackers attacked their PSN (Playstation Network) and Xbox Live networks over the Christmas period last year, resulting in lots of angry customers.”
Attias added: “It's also recommended that a full-page caching system is implemented well in advance of Black Friday. This prevents overloading the network with requests from people trying to access the same page. Often, the ecommerce team will create a specific ‘Black Friday deals' landing page, so this solution is particularly effective in such instances.”