Bot Protection
Top Ten Tips for Retailers During National Cybersecurity Awareness Month
October is National Cybersecurity Awareness Month (NCSAM), a collaborative effort between government and the technology industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online. This year's overarching message – Own IT. Secure IT. Protect IT. – focuses on critical areas including citizen privacy, consumer devices and e-commerce security.
In recognition of NCSAM, we’re taking the opportunity to talk about the steps that retailers can take now to protect their digital businesses ahead of the busiest shopping season of the year. When Black Friday comes around, you’ll want to be in action mode versus reaction mode. When sales are coming in fast, your focus needs to be on customer service, shipping and pricing strategies - not fighting with automated bots. We strongly encourage retailers to keep these top ten cybersecurity tips in mind to help ensure a positive experience for their consumers.
Account takeover (ATO)
Account takeover occurs when someone gains unauthorized access to an online account. Botnet operators use automated tools and a botnet of compromised PCs, smartphones or IoT devices to test username and password combinations across thousands of sites to see which ones work. Even if the credentials held by your own site aren't compromised, retailers that allow social login - such as Facebook and Google - for fast checkout are at risk if those particular accounts are compromised.
Tip #1: Focus on behavioral anomalies and characteristics to block ATO. Whether specific behavior is human or bot must be determined quickly, on the first access and request, rather than over a series of pages: if the attack starts with a request to the login page, any delay in that determination means the decision comes only after the actual login attempt has been made. Read more about account takeover.
Account abuse
Account abuse happens when automated bots create fake accounts on your online store. Hackers use these accounts at scale to attempt carding and gift card fraud, or to spread malware, either of which can negatively impact your brand.
Tip #2: Leverage solutions that help you detect fake account creation attempts in real time to automatically block bad bots and prevent account abuse. Read more about how to stop account abuse.
Carding - credit cards
Carding is a brute force attack on a retailer's website using stolen credit cards. Due to the massive number of breached records over the years, large databases of stolen credit cards are available for sale on the internet. Attackers use malicious bots to test stolen credit card data on a retailer's website. To verify the cards work, attackers typically make a low-cost purchase, and only if successful do they place bigger orders and receive products or services using the fraudulent cards.
Tip #3: Purchases of very small amounts followed by purchases of larger amounts could indicate carding fraud. Read this blog to learn more.
Carding - gift cards
Gift card fraud is something all retailers need to be concerned with heading into the holiday season. Gift cards are a popular present, so having the balance stolen will result in a negative brand experience for all involved. Gift card fraud happens when attackers guess the card number or use numbers purchased off the dark web, and then steal the balance of a gift card.
Tip #4: As with credit card fraud, purchases of very small amounts followed by purchases of larger amounts could indicate gift card fraud. Read this blog to learn more.
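Tips #3 and #4 both describe the same signal: a tiny approved "test" purchase followed shortly by a much larger one on the same card. The following added example (not code from the original post or from PerimeterX) scans a transaction log for that pattern; the thresholds, card tokens and amounts are constructed assumptions for illustration, and a declined probe or a follow-up outside the time window is deliberately not flagged.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are assumptions for this illustration, not values from the post.
TEST_PURCHASE_MAX = 2.00      # a "very small" purchase, in dollars
ESCALATION_RATIO = 25.0       # follow-up must be at least this many times larger
WINDOW = timedelta(hours=24)  # probe and follow-up must fall within this window

@dataclass
class Transaction:
    card: str        # tokenised credit-card or gift-card reference (never a raw PAN)
    at: datetime
    amount: float
    approved: bool

def find_test_then_escalate(txns):
    """Return {card: (probe_txn, big_txn)} for cards showing the carding pattern:
    a tiny approved purchase followed, within WINDOW, by a much larger one."""
    by_card = defaultdict(list)
    for t in txns:
        by_card[t.card].append(t)
    flagged = {}
    for card, history in by_card.items():
        history.sort(key=lambda t: t.at)
        for i, probe in enumerate(history):
            # Only an approved, very small purchase counts as a card "test".
            if not probe.approved or probe.amount > TEST_PURCHASE_MAX:
                continue
            for later in history[i + 1:]:
                if later.at - probe.at > WINDOW:
                    break  # history is sorted, so nothing later can qualify
                if later.amount >= probe.amount * ESCALATION_RATIO:
                    flagged[card] = (probe, later)
                    break
            if card in flagged:
                break
    return flagged

# Constructed sample data: tokens and amounts are made up for the example.
SAMPLE = [
    Transaction("tok_A", datetime(2019, 10, 1, 9, 0), 1.00, True),    # probe ...
    Transaction("tok_A", datetime(2019, 10, 1, 9, 7), 480.00, True),  # ... then escalation
    Transaction("tok_B", datetime(2019, 10, 1, 10, 0), 1.00, False),  # probe was declined
    Transaction("tok_B", datetime(2019, 10, 1, 10, 1), 350.00, True),
    Transaction("tok_C", datetime(2019, 10, 1, 11, 0), 59.99, True),  # ordinary shopper
    Transaction("tok_C", datetime(2019, 10, 1, 12, 0), 120.00, True),
    Transaction("tok_D", datetime(2019, 10, 1, 8, 0), 1.50, True),    # follow-up too late
    Transaction("tok_D", datetime(2019, 10, 3, 8, 0), 200.00, True),
]

if __name__ == "__main__":
    for card, (probe, big) in find_test_then_escalate(SAMPLE).items():
        print(f"{card}: ${probe.amount:.2f} at {probe.at:%H:%M} then ${big.amount:.2f}")
```

Only tok_A is flagged in the sample; in production the flagged pairs would feed a review queue or a velocity rule rather than an automatic decline.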
Scraping
Rich content plays a significant role in driving customers to your site; however, content scrapers can steal that content (including pricing), tax your web infrastructure and reduce your SEO ranking. Since pricing can be a large competitive advantage and plays a massive role in attracting customers and repeat business, your site is vulnerable to scraping of pricing, product information, inventory and customer reviews.
Tip #5: Protect your pricing and catalogs in real-time with solutions that recognize legitimate search engine bots while blocking or serving dated information to malicious price scraping bots that intend to steal your data. Read the blog on scraping to learn more.
Magecart
Up to 70 percent of the code on your website likely comes from a third-party source. Recently, threat actors have exploited a vulnerability on e-commerce sites and placed malicious JavaScript code acting as a cloud-based keylogger on thousands of them. As buyers enter their credit cards and other personal information into these breached e-commerce sites, their payment information is sent automatically to attackers.
Tip #6: To avoid Magecart attacks, deploy solutions that continually monitor any changes in your third-party code. Read the blog on the client-side blind spot.
Formjacking
Formjacking is the digital version of skimming a credit card at a gas station. A formjacked website does its malicious work without disrupting a legitimate purchase. As you check out, the attacker receives your credit card data in real time.
Tip #7: Use a solution that monitors changes to checkout pages and user input forms. Read the blog discussing formjacking.
PII harvesting
Attackers manipulate your checkout page to get the user to unnecessarily input personally identifiable information that might include social security number, address and phone number. This data is forwarded to a secondary location by the attacker for use in future exploits.
Tip #8: Monitor changes to checkout pages and user input forms so you can take action quickly. Read the blog.
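Tips #6 through #8 all come down to noticing when a script on the checkout page changes. One way to implement that monitoring, as an added example that is not PerimeterX's product or code from the post: snapshot a Subresource Integrity hash of every third-party and checkout script, keep an approved baseline, and diff each new snapshot against it. The URLs and script bodies below are constructed stand-ins; a real deployment would fetch the live bodies on a schedule.

```python
import base64
import hashlib

def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for a script body, e.g. 'sha384-<base64>'.
    The same string can go in <script integrity="..."> so the browser refuses
    to execute a script whose content no longer matches the approved hash."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def detect_drift(baseline: dict, current: dict) -> dict:
    """Compare a fresh snapshot {url: hash} against the approved baseline and
    report scripts whose content changed, that appeared, or that disappeared."""
    return {
        "changed": sorted(u for u in baseline if u in current and baseline[u] != current[u]),
        "new": sorted(u for u in current if u not in baseline),
        "missing": sorted(u for u in baseline if u not in current),
    }

def snapshot(bodies: dict) -> dict:
    """Hash every fetched script body; the result is what you persist as baseline."""
    return {url: sri_hash(body) for url, body in bodies.items()}

# Constructed script bodies standing in for files fetched from a CDN (assumption).
ANALYTICS = "https://cdn.example.test/analytics.js"
CHECKOUT = "https://cdn.example.test/checkout-widget.js"
BASELINE_BODIES = {
    ANALYTICS: b"window.track = function (e) { /* ... */ };",
    CHECKOUT: b"function renderCheckout() { /* ... */ }",
}
# In the later snapshot the checkout widget gained a line and an unknown script appeared.
CURRENT_BODIES = {
    ANALYTICS: BASELINE_BODIES[ANALYTICS],
    CHECKOUT: BASELINE_BODIES[CHECKOUT] + b"\n/* line not present in the approved build */",
    "https://cdn.example.test/new-chat.js": b"/* script not in the approved baseline */",
}

def run() -> dict:
    """Diff the constructed 'current' snapshot against the constructed baseline."""
    return detect_drift(snapshot(BASELINE_BODIES), snapshot(CURRENT_BODIES))

if __name__ == "__main__":
    for kind, urls in run().items():
        print(kind, urls)
```

Any entry under "changed" or "new" on a checkout page is worth an immediate review, since a legitimate vendor release and an injected skimmer look identical to the hash until a human compares the two bodies.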
Clickjacking
Clickjacking is the process of tricking a user into clicking on a pop-up window that takes them to another, potentially malicious, website. It could come from a rogue ad or an infected browser. Users often aren't aware of what they are clicking on, and retailers might not know it's happening to their users until they see analytics that point out things like high shopping cart abandonment rates.
Tip #9: Users should be wary of what links they click on when browsing the internet and retailers should block unwanted client-side scripts, ad injections and redirects. Learn more.
Extensions
Browser extensions can be beneficial, but they are also a common vector for malware. As you travel across the internet, you'll come across pop-ups for coupons or anti-virus software. Less experienced users can have a difficult time telling real offers for extensions from fake ones.
Tip #10: Retailers can tell their consumers that a simple way to check for malware is to follow these steps to see the Chrome extensions installed. If they don't know what an extension is for, they'll want to remove it. For additional user information, read this blog from Google on checking for malware in Chrome. Retailers can learn more from PerimeterX here.
Cybersecurity Wrap Up
While National Cybersecurity Awareness Month is in October, these tips are worth keeping top of mind all year long. For retailers, taking digital security seriously makes it easier to protect your consumers’ experience as well as your brand reputation and revenue.