AI-Powered Bots, More GDPR + CCPA Fines, Retail Goes 2FA - Five Security Predictions for 2020

If you feel worn out from all the security developments in 2019, you are not alone. From the rise of Magecart to the ongoing wrath against sneakerbots and the biggest cybersecurity fines yet levied by a regulator, 2019 was a head-snapping year for infosec. Guess what, folks? 2020 is going to be even crazier! Our team sat down to review trends we are seeing from our vantage point as a web application protection company and tried to envision what 2020 will bring. Here are the predictions that we think highlight some of the most critically important trends in cybersecurity.
Account Takeovers Go Hyper-Distributed, Pass $7b In Losses
Botnet operators know that the more IP addresses and devices utilized in an Account Takeover (ATO) attack, the harder it is for bot defense technologies to confidently screen out bad requests for access to websites and APIs while still confidently allowing valid requests from customers or partners. With the explosion of IP-addressable IoT devices, it has never been easier for botnets to spread their tentacles across massively distributed networks. This means, further, that attackers can mount more low-and-slow attacks in which millions of devices each ping a target only once or twice per hour. This type of attack is exceptionally difficult to screen against at the IP or network-behavior level. Because distributed botnets are a key mechanism for ATOs, which rely on hammering login pages or APIs to test whether email and password pairs are valid, we also predict a significant increase in ATO attacks in 2020. This will mean more people find their accounts are hacked, and retailers, travel and hospitality companies, and financial services companies will have to beef up mitigation efforts even further. The (bot)net net for 2020? Expect to see more botnets with hundreds of thousands, or even millions, of devices in tow - and total damages to the attacked web applications and sites eclipsing $7 billion. That’s with a “b.”
Magecart + GDPR and CCPA = As Much As $1 Billion in Fines
This year, we saw GDPR regulators levy $230 million in fines against British Airways (BA) as punishment for not protecting its users against digital skimming attacks. This established a new precedent for data protection, stipulating that web application publishers need to protect not only against exfiltration of customer data from the organization’s own databases but also against unauthorized modification of the company’s web properties or APIs. Such modification is how Magecart and other digital skimming attacks operate, and it is how customers of BA had their personal information stolen when they tried to log into their accounts on legitimate websites and mobile apps operated by BA.
This was the tip of the iceberg. We are seeing the number of Magecart attacks skyrocket as cyberattackers increasingly see this attack type as a way to exploit a key weak spot in most organizations’ security postures. We anticipate Magecart attacks will continue to pop up on a wider variety of e-commerce platforms such as Shopify, WordPress and Magento. In addition, we believe Magecart exploits will increasingly harvest users’ credentials to fuel ATOs alongside payment information (digital skimming). Lastly, we predict that shared WiFi networks will be targeted as mechanisms for digital skimming and for injection of Magecart-like attacks. All of this will likely mean more fines for GDPR violations resulting from Magecart. California’s own strong consumer data protection and privacy law - the CCPA - took effect in January 2020. Expect the Golden State to also levy heavy penalties when digital skimming is left undetected for extended periods. In our view, 2020 fines will eclipse $500 million and could possibly hit $1 billion.
A Major Online Software Company Ditches Passwords (Hint - It’s Microsoft)
The Redmond giant has already begun to dispense with passwords for its enterprise use cases, replacing them with security keys and other means of keeping accounts and networks secure. The fact is, passwords never worked well and they are becoming even less effective. Secure passwords are very hard to remember. The average person now has dozens of accounts across multiple services for email, shopping, travel, banking and more, and security experts have long recommended keeping a unique password for each account. No surprise, the majority of people continue to reuse one or two relatively insecure passwords across all their accounts; it’s all the human brain can remember. In theory, password managers in browsers or as standalone apps should alleviate this problem, but adoption of password managers remains very low. Not surprisingly, reports of millions of passwords turning up on the Dark Web are now pretty ho-hum. This is why Microsoft recognizes that passwords are actually harmful for security and should be eliminated, and why we predict that in 2020 Microsoft will announce plans to ditch passwords for consumer applications and replace them with a combination of AI-driven approaches and security keys that validate on numerous factors rather than just a username and password combo.
Major E-commerce Vendors Will Start Adopting, Promoting 2FA
Following on our last prediction of reducing reliance on passwords, we think that 2020 will see a spike in major online retailers both adopting and promoting two-factor authentication (2FA). By 2FA, we mean that shoppers will be required or encouraged to sign up for a service that sends an SMS code to their phone, which they enter in order to complete a purchase. Alternatively, shoppers will be required or encouraged to use authenticator applications on their phones. Retailers could also send out credit-card-sized 2FA token generators or even embed the generators in branded credit cards. The calculus behind this development is simple. Retailers will realize that it’s cheaper to enforce or encourage 2FA and try to shift behaviors than it is to maintain the status quo of constant online fraud, ATOs, and remediation efforts, all of which continue to go up in total cost each year.
So, for example, Target (which does not support 2FA today) might introduce a program that rewards shoppers using 2FA with a 2% discount on every purchase executed with 2FA. It might offer a $15 online shopping credit to people who sign up to use 2FA with Target. Target might also send special flash sale notices to 2FA holders or give them first dibs on incoming hot merchandise (for example, Target’s popular fashion collaborations). For higher-value purchases at retailers that are suffering from major online fraud and ATOs, shoppers may simply be required to supply 2FA as part of the purchase. Right now, only a small number of big retailers, including Apple, Amazon and Best Buy, support 2FA in online purchases and not a single one mandates it. 2020 is the year that will change.
AI Goes To The Dark Side
Artificial intelligence is widely deployed to spot bots, cyberattacks, malware, and even anomalous behaviors of web applications that suggest JavaScript attacks like Magecart. Unfortunately, AI and machine learning are now widely understood technologies. Most of the best AI tools used by researchers and security teams are open source and can easily be co-opted by the Black Hats to try to recognize security measures and subvert them. We are already seeing some evidence of this in the form of botnet operators that appear to be using what are called “adversarial” tactics to confuse bot detection systems. In addition, many of the powerful machine learning frameworks are now available as a service from major cloud vendors like Google, Microsoft and Amazon, so a cyberattacker could access not just the software but a ready-baked infrastructure to perform machine learning and build models, all at a very modest cost. The upshot? 2020 will be the year we see a big spike in AI-powered cyberattacks as the new “AI-vs-AI” cybersecurity reality comes home to roost.
Conclusion
We believe that 2020 will be the wildest security year in a long time. Even if only a few of our predictions come true, the way we think about security will likely be different after 2020. That actually makes a lot of sense, because the technology universe has changed more in the past three years than it did in the decade before. Naturally, the threat surfaces, attack approaches, and favorite tactics, techniques and playbooks of the bad guys will change to meet this new reality - one where AI has gotten so easy and cheap that everyone can have some, and where bots have become so ubiquitous and painful that all major brands care about them and face a painful IoB (Internet of Bots) future.