News that web application security outfit High-Tech Bridge has notified Zen Cart, one of the largest ecommerce management systems, of a critical flaw that enables the execution of arbitrary code certainly won't help settle rattled nerves on the biggest shopping weekend of the year.
Nor for that matter will the arrival of ModPos, one of the most advanced pieces of card data stealing malware to surface this year. SCMagazineUK.com has been asking industry experts exactly what risks retailers face, and what they can do to mitigate against them even at this late hour of the day...
1. Point of sale
Point of Sale machines are an obvious retail risk, not helped by the emergence of malware such as the aforementioned ModPos, which is both hard to detect and complex: it combines three core modules (an uploader/downloader, a keylogger and a PoS scraper) to steal card data. As Matthew Aldridge, solutions architect at Webroot, says: "PoS machines are at risk because of their location and, in most cases, low level of physical security, which makes it easier for hackers to plant malware or even switch the machine altogether." Obviously they need to stay where they are located as a rule, but regular virus checks should be run on them to ensure they are not infected and, where possible, they should not be left unattended for long periods of time.
Kevin Burns, head of solution architecture at Vodat International, points out that while 'Chip and PIN' card use in Europe has reduced the opportunity for fraudsters to use counterfeit and stolen cards in high street shops, cardholder data can still be used for online fraud. "Cardholder data stolen en masse through high street shops remains difficult to use online without the card security code printed on the card and without the customer's address," Burns accepts, but that doesn't mean retailers can discount the risk. Criminals will be looking for new ways to make fraudulent payments online, including creative ways to gather the required cardholder data, phishing for example. "Both European and US merchants need to take advantage of the fraud services offered by the card schemes and their payment service providers to provide the best defence when the cardholder is not present," Burns concludes.
Jules Pagna Disso, Nettitude's head of research and development, warns that retailers really should learn from previous attacks on the industry, many of which have been conducted via fake Point of Sale (PoS) terminals with wireless access, enabling attackers to capture the payment card details and PINs used in transactions. "Only trusted third parties should be instructed to maintain PoS terminals and it is vital that wireless communications are monitored," Disso says, "as this is commonly used by criminals to exfiltrate data in attacks on retailers."
2. Client side injected malware (CSIM)
Chemi Katz, co-founder and CEO of Namogoo, warned during a conversation with SCMagazineUK.com that the CSIM threat spikes significantly over the Black Friday to Cyber Monday weekend. "CSIM includes ad injections, product injections, and affiliate hijacking which lures shoppers away to competitors," Katz told us, continuing, "we have already identified over 50,000 ad injector signatures with an average of 200 new signatures appearing daily." Namogoo recommends that retailers learn to recognise the early signs of CSIM, including listening to customer complaints about competitor ads and suspicious surveys. "Other signs of CSIM," Katz says, "include bounce rate rises whilst conversion rates drop. High bounce rates can point to a few things, but when coupled with low conversion rates on your checkout page, then CSIM is very likely the culprit." So be aware that if your site metrics go against common sense, Client-Side Injected Malware may be the root cause.
3. Insufficient transport layer protection
Jeremiah Grossman, founder of application security specialist WhiteHat Security, revealed that analysis of retail websites by WhiteHat researchers found them more likely to exhibit serious vulnerabilities than sites in other industries. The most commonly occurring critical vulnerability class for the retail industry was Insufficient Transport Layer Protection, with a 64 per cent likelihood. "When applications do not take measures to authenticate, encrypt, and protect sensitive network traffic," Grossman warns, "data such as payment card details and personal information can be left exposed and attackers may intercept and view the information." Right now, over the Black Friday weekend, Grossman reckons the best mitigation advice comes in the shape of operational awareness: being first to know if something is going wrong or being hacked. "To do this," he explains, "a concept called 'honey-tokening' is always a good idea. It simply involves placing special files in the system, records in the database, accounts on the system, and so on – none of which are ever supposed to be touched or accessed. IT Security can then trigger warnings on these items that instantly signal if someone or something has breached the security of the system."
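The honey-tokening idea above reduces to a very small piece of detection logic: keep a list of decoys that nothing legitimate should ever reference, and alert the moment an audit record names one. The script below is an added example written for this article, not code from WhiteHat or from the article; the token names, the log format and the log lines are all constructed for the demonstration.

```python
"""Honeytoken alerting over application audit logs (added example, not from the article)."""
import re
from dataclasses import dataclass

# Decoys planted in the estate. Legitimate code and staff never touch them,
# so any reference to one is a signal. All names here are invented.
HONEYTOKENS = {
    "account": {"ht-svc-backup"},                 # decoy service account
    "record":  {"cust-0000000-honey"},            # decoy customer row
    "file":    {"/srv/exports/cards_full.csv"},   # decoy "card dump" file
}

@dataclass
class Alert:
    kind: str     # which class of decoy was touched (account/record/file)
    token: str    # the decoy value itself
    source: str   # subsystem that logged the event
    line: str     # the raw audit line, for the analyst

# Constructed sample audit log: "<timestamp> <source> <action> key=value ..."
SAMPLE_LOG = """\
2015-11-27T09:12:01Z db SELECT record=cust-0001234 user=app
2015-11-27T09:12:05Z db SELECT record=cust-0000000-honey user=app
2015-11-27T09:13:44Z auth LOGIN account=jsmith result=ok
2015-11-27T09:13:59Z auth LOGIN account=ht-svc-backup result=fail
2015-11-27T09:14:10Z fs READ file=/srv/exports/daily_report.csv user=ops
2015-11-27T09:15:02Z fs READ file=/srv/exports/cards_full.csv user=ops
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<action>\S+)\s+(?P<rest>.*)$")

def parse_fields(rest):
    """Turn 'k1=v1 k2=v2' into a dict; tokens without '=' are ignored."""
    return dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)

def scan(log_text):
    """Return one Alert per audit line that references a honeytoken.

    Even a failed login against the decoy account is reported: nobody
    legitimate should know the name exists, so the attempt itself matters.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines in other formats
        fields = parse_fields(m.group("rest"))
        for kind, tokens in HONEYTOKENS.items():
            value = fields.get(kind)
            if value in tokens:
                alerts.append(Alert(kind, value, m.group("source"), line))
    return alerts

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"HONEYTOKEN HIT [{a.source}] {a.kind}={a.token}: {a.line}")
```

The check is an exact match on a named field, which is deliberately strict: it catches a query, login or read that singles the decoy out, but a bulk export (`SELECT *`, copying the whole directory) will not name the record, so the decoy row and file also need a watch at the database or filesystem layer that fires on any read of them.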
4. Production freeze
Trey Ford, global security strategist at Rapid7, brings our attention to the problem of the production freeze that happens as retail organisations enter the seasonal shopping period, which really starts this weekend. "They halt updates and configuration changes in their payment and order fulfillment systems to limit the risk of interruption and slowdowns to mission critical systems," Ford says. "IT teams and security folks are scrambling to test and lock in configurations, verify controls, and plead to their respective deities that systems perform exactly as intended during the shopping rush." All of which means that there will be very little in the way of updates to those systems over the next 90 days. "Think of this in terms of the security lifecycle: Prevent, Detect, Correct," Ford told us. "From this point forward, retail energy investment should shift from prevent, to detect and correct." This is particularly good advice, as attackers already inside an organisation will stay quiet while they see more credit cards in the next couple of weeks than in the next six months combined. Ford advises retailers to check all third party access and remote access pathways into payment networks, change passwords and lock out vendors that do not need access right now. He also says they should, "be 100 percent confident that payment networks do not have access to the internet, on any protocol, in any way. Some systems do online payment clearance and settlement - make sure those systems can only talk to specified host names or addresses on defined ports."
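Ford's last point, that the payment segment must have no path to the internet except the settlement endpoint, is something that can be verified from flow or firewall logs rather than taken on trust. The script below is an added example for this article, not Rapid7's code: it encodes a default-deny egress policy for an assumed payment segment (10.20.0.0/24, with 10.0.0.0/8 as the internal space and 203.0.113.10:443 as the one permitted settlement gateway; all addresses are documentation or private ranges) and reports every flow that leaves the segment outside that allowlist, including DNS and ICMP, which is what "any protocol, in any way" means in practice. The flow records are constructed for the demonstration.

```python
"""Egress policy check for a payment segment (added example, not from the article)."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port proto")

# Assumed addressing for the example.
PAYMENT_NET = ipaddress.ip_network("10.20.0.0/24")      # PoS / payment segment
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]     # rest of the estate

# The only permitted path out of the segment: the settlement gateway,
# pinned to a specific address, port and protocol. 203.0.113.10 is a
# documentation address standing in for the real gateway.
EGRESS_ALLOW = {("203.0.113.10", 443, "tcp")}

# Constructed flow records of the kind a flow exporter or firewall produces.
SAMPLE_FLOWS = [
    Flow("10.20.0.15", "10.20.0.2", 5432, "tcp"),      # PoS -> local DB: internal
    Flow("10.20.0.15", "203.0.113.10", 443, "tcp"),    # settlement over TLS: allowed
    Flow("10.20.0.15", "203.0.113.10", 80, "tcp"),     # right host, wrong port
    Flow("10.20.0.31", "8.8.8.8", 53, "udp"),          # DNS straight to the internet
    Flow("10.20.0.31", "198.51.100.7", 0, "icmp"),     # ICMP out (port is meaningless)
    Flow("10.30.0.5", "198.51.100.7", 443, "tcp"),     # not from the payment segment
]

def violates_egress_policy(flow):
    """True if a flow leaves the payment segment other than via the allowlist."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in PAYMENT_NET:
        return False          # this policy only governs the payment segment
    if any(dst in net for net in INTERNAL_NETS):
        return False          # east-west traffic is judged by other rules
    # Anything else is internet-bound: it must match an allowlist entry exactly,
    # on address, port and protocol, or it is a violation.
    return (flow.dst, flow.port, flow.proto) not in EGRESS_ALLOW

def find_violations(flows):
    return [f for f in flows if violates_egress_policy(f)]

if __name__ == "__main__":
    for f in find_violations(SAMPLE_FLOWS):
        print(f"EGRESS VIOLATION {f.src} -> {f.dst}:{f.port}/{f.proto}")
```

The same allowlist is what the segment firewall's rule set should express (default drop outbound, one accept for the gateway tuple); running the check over observed flows during the freeze tells you whether the rule set actually holds, and any hit is either a misconfiguration or an exfiltration path. If the settlement provider is only known by host name, resolve it under controlled conditions and pin the resulting addresses, so that the payment segment never needs to reach a public resolver.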
5. Too bloody busy syndrome (TBBS)
The 'too bloody busy' risk should not be underestimated, because a high volume of traffic can act as a distraction while bad things happen. "Usually the highest risk score is from new users," Noam Grinberg, VP of risk management at payments company SafeCharge, told SCMagazineUK.com, continuing: "On busy days retailers expect to have high numbers of new users, which will put a strain on their manual review processes for suspicious transactions." Criminals, of course, see this as an opportunity to commit fraud and will take advantage of the high volume and traffic to be much less noticeable. Grinberg's advice to mitigate this risk is that retailers should focus on new users and first orders from the site with suspicious buying behaviours, make use of 3D Secure dynamically for high deposit amounts, and pay extra attention to international orders.
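Grinberg's advice amounts to a triage rule: on a day when the manual review queue cannot absorb every new customer, use an automated step-up (3D Secure) as the first line of friction and reserve human review for the orders that stack several risk signals. The script below is an added example for this article, not SafeCharge's scoring model: it scores an order on the signals named in the text (new account, first order, high amount, international billing, address and IP mismatches) with weights and thresholds that are illustrative assumptions, and returns one of approve, 3ds_challenge or manual_review. The merchant country (GB), the amount threshold and the sample orders are all constructed for the demonstration.

```python
"""Risk-based step-up for card-not-present orders (added example, not from the article)."""
from dataclasses import dataclass

@dataclass
class Order:
    order_id: str
    account_age_days: int   # 0 means the account was created for this order
    prior_orders: int       # completed orders before this one
    amount: float           # in the merchant's currency
    billing_country: str    # ISO 3166 alpha-2
    shipping_country: str
    ip_country: str         # geolocation of the ordering IP

# Assumed parameters for the example; a real deployment tunes these from its own fraud data.
MERCHANT_COUNTRY = "GB"
HIGH_AMOUNT = 500.0      # "high deposit amount" threshold
STEP_UP_SCORE = 30       # at or above: challenge with 3D Secure
REVIEW_SCORE = 70        # at or above: hold for manual review

def risk_score(o):
    """Additive score with the reasons that contributed; weights are illustrative."""
    score, reasons = 0, []
    if o.account_age_days <= 1:
        score += 25; reasons.append("new_account")
    if o.prior_orders == 0:
        score += 20; reasons.append("first_order")
    if o.amount >= HIGH_AMOUNT:
        score += 25; reasons.append("high_amount")
    if o.billing_country != MERCHANT_COUNTRY:
        score += 20; reasons.append("international")
    if o.shipping_country != o.billing_country:
        score += 15; reasons.append("ship_bill_mismatch")
    if o.ip_country != o.billing_country:
        score += 15; reasons.append("ip_bill_mismatch")
    return score, reasons

def decide(o):
    """Return (action, score, reasons).

    A high amount always triggers 3D Secure on its own ("dynamically for high
    deposit amounts"), even for an established domestic customer; manual review
    is reserved for orders that combine several signals, so the queue stays short.
    """
    score, reasons = risk_score(o)
    if score >= REVIEW_SCORE:
        action = "manual_review"
    elif score >= STEP_UP_SCORE or o.amount >= HIGH_AMOUNT:
        action = "3ds_challenge"
    else:
        action = "approve"
    return action, score, reasons

# Constructed sample orders.
SAMPLE_ORDERS = [
    Order("o1", 400, 12, 60.0, "GB", "GB", "GB"),    # regular customer, small basket
    Order("o2", 400, 12, 900.0, "GB", "GB", "GB"),   # regular customer, high amount
    Order("o3", 0, 0, 120.0, "GB", "GB", "GB"),      # brand-new account, first order
    Order("o4", 0, 0, 950.0, "US", "GB", "RU"),      # new, first, high, international, mismatches
]

if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        action, score, reasons = decide(o)
        print(f"{o.order_id}: {action} (score {score}, {', '.join(reasons) or 'no flags'})")
```

The `reasons` list is what the reviewer sees when an order does land in the queue, so the manual review that remains is spent on reading the flags rather than rediscovering them.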
Also falling under the TBBS banner is DDoS traffic. Andy Herrington, head of Cyber Professional Services UK and Ireland with Fujitsu, warns that during the Black Friday and Cyber Monday weekend unusual traffic will likely be confused with DDoS traffic due to the excessive volumes, and as a result it will be difficult to identify unusual traffic that may be related to an attack. "Retailers must focus on the integration of threat intelligence and other information sources to provide the context necessary to deal with today's advanced cyber threats," he says. "Implementing a strong security education programme underpinned by a robust security framework will allow retailers to get on the front foot in combating these types of threats, in order to ensure that these threats don't come to pass."
Finally, as Andrew Barratt, managing director for Europe at Coalfire, points out, "spikes in demand can cause a ripple effect through the business. Logistics can struggle to keep up with the volume of goods to ship which leads to fraud checks being missed or address verification not happening and all of a sudden there is a perfect storm for the criminals to take advantage of." Mark Rodbert, CEO of idax and honorary visiting computer science professor at the University of York, agrees that, "when the pressure is on, too often convenience beats security. With so many businesses focused around making the most sales, employees will be tempted to take risky shortcuts." He told us that retailers must reinforce security policies and best practice, and that at the same time "keeping control of access and implementing the principle of least privilege is essential."