Protecting Your Online Food and Grocery Business
We speak with PerimeterX expert Deepak Patel about food and grocery websites and apps, and how to protect user data from the latest cyberthreats.
With much of the world currently staying at home, the online sector of the food and grocery industry is booming. And with surges in traffic comes increased risk. PerimeterX cybersecurity evangelist Deepak Patel recently spoke on preparedness against prevalent cyberattacks and how digital businesses can grow their platforms with protective measures in mind. Listen to the corresponding PerimeterX podcast here.
PerimeterX has found that account takeover (ATO) attacks and Magecart attacks are often the most common types of attacks on the food and grocery delivery industry. Why these attacks and not others?
Deepak: If you take a step back, food and grocery delivery applications are just like any other e-commerce application, and they have the same challenges. You have a large set of consumers that are on your application that are providing their usernames and passwords to interact with your application. At the same time, they're also providing payment information for commerce that’s happening on the app itself. So the same kind of attacks that happen on e-commerce sites—like ATO—apply here. I would essentially consider food and grocery apps as a subset of the e-commerce space. The case is similar with Magecart attacks. As a food delivery company, you're focused on providing a customized, personalized experience for your user. So there's a tendency to bring in third-party plugins to achieve that—opening you up to Magecart vulnerabilities.
These days, while sheltering at home during a pandemic, we’re all behaving a little differently when it comes to food. PerimeterX recently published an analysis of web traffic that presented some revealing stats. From mid-January to mid-March, this segment experienced a 41% increase in traffic. Since March 1, the industry’s conversion rate has risen by 80%. How is this change in consumer behavior affecting the attack landscape?
Deepak: Here, the data tells the story. When you look at it, it’s no surprise that there's a huge increase in traffic. It almost looks like there’s a Black Friday event on an everyday basis starting when the lockdown was initiated for the COVID-19 virus. The interesting thing here is that while the traffic increased, the conversion rate also increased. This means that customers know exactly what they want—and it's no surprise that in cases where users are looking for, say, toilet paper, the conversion rate is higher. It's a similar case in food and grocery, where they know exactly what they want to order. That's why the conversion is higher there. What's changing is consumer behavior.
Now, the industry itself was not set up for this kind of a spike in demand—and you can see this across the board. When you think about it, this consumer behavior is what you would have expected five years from today in terms of gravitating behavior from in-store shopping to online. This is a forcing event which is changing a large consumer group that wasn’t otherwise prepared to go online and make those choices. It's accelerating what was projected to happen in the e-commerce space and showing up now, instead.
ATO attacks can fuel a number of kinds of theft or fraud, like gift card fraud. What malicious outcomes are you seeing most commonly in the food and grocery sector?
Deepak: Every industry strives to get repeat customers, because that is one success by which you measure your metrics. The food and grocery industry is no different. In the end, you want customer retention. The customers' information and preferences are stored in their account, and this is one way to entice them to stay with your brand. Gift cards are another way to acquire customers into your system. The challenge is that when you increase the ease of access to your application, you're lowering the bar for who can sign up. You must retain what I call true identity verification. When you implement a growth model such as a gift card program, it incentivizes criminals or bad actors to give chase because it's easy monetization. If one can create fake accounts and order food using a gift card program, they will do that. It's even easier to execute an account takeover as a hacker if you were to use someone else’s account to verify whether the gift card has a balance on it.
Both account takeover attacks and gift card verification protect the hacker’s identity. That’s why you typically see account takeover attacks as the stepping stone from one to the other. The attacker’s identity is safe. Then they can do more high value attacks—whether it's carding attacks, where they test whether the credit card information is valid, or taking over someone else's gift card, where they go after the anonymous form of payment.
Typically, companies suffer lost revenue, damaged brand reputation and compliance penalties as a result of ATO and Magecart attacks. One could argue the stakes are even higher now due to coronavirus, are they not?
Deepak: Absolutely. As mentioned before, this is a make-or-break moment for the e-commerce space. The entire world is relying on the e-commerce industry to provide them basic necessities for life. Typically, if you are a food and grocery delivery company, groceries are considered commodities. But in today's world, if I must get new groceries every three days, and I may otherwise starve if I’m in a high risk group, it changes the equation. There are also 20-25 million unemployed workers, and you need choices for grocery. There are a lot of opportunities to go build an empire in the food industry right now. When you do this, you cannot risk the safety of your customer data. Every company is aspiring to be the next Amazon here, so the only way you can do that is to be absolutely laser-focused on protecting user data. I talked earlier about repeat customers. It's extremely important because choices are there. As soon as the situation gets better, you'll see that people will only stick with a brand where they feel secure. This is a very fear-driven market, and the last thing you want to do is risk your user data.
PerimeterX recently published a case study highlighting its work with a leading food delivery service. This particular company was dealing with a serious influx of ATO attacks and web scraping attacks with each spike in their traffic. How common are these issues?
Deepak: It's sad to say, but these attacks are extremely common. I'm going to give a parallel here. We protect a large number of e-commerce businesses. During Black Friday, we've seen that about 95% of the requests that come to the login page of an application are all ATO attacks. It's not that much different for the food and grocery delivery apps. At the end of the day, what attackers are looking for is any easy-to-use application—a web or mobile application—where the attackers can verify the validity of stolen user credentials. Because fundamentally, what are consumers doing? They're not using different usernames or password combinations for different sites. In fact, a lot of them use the same username and password combinations for their financial accounts where there's a possibility that they'll lose a lot of money if they don't protect it.
What happens is, these attackers use food delivery applications or e-commerce apps to test whether a user’s credentials are valid. Once they know they’re valid, they will go after well-known financial accounts, whether it's Wells Fargo or the Bank of Americas of the world, to try and siphon off the money there. So it is a large responsibility for the application owner to make sure that even though they're not the source of the data breach in terms of these ATO attacks, they have to make sure that that user data is protected.
The second part that you asked about was web scraping attacks. If you're a successful business, it's likely that your competitors—or someone else—is looking through your data. For example, let's say you're a food delivery app and you have contracts that you've signed with restaurant groups, and you have custom pricing that you’ve negotiated. Now, if your competitor gets access to that kind of pricing—that is your intellectual property. That could have been the difference maker for your app to succeed in the market. And now, if competition is copying you as quickly as you execute, it is going to be almost life threatening for your e-commerce business. Innovation and change happen at lightning speed in this space. ATO and web scraping attacks have to be considered as business threats, especially now that there's hypercompetition happening in this space.
Understandable. So, in the case study mentioned above, why did switching to an external bot management solution make such a difference compared to their previous in-house solution?
Deepak: If you go back to the roots of how any application is formed, the team that comes up with this application is typically not a technology team. They understand the business, they understand the customer pain—the challenge for the customer, and how quickly they can deliver. What's the action that they need to take? They're not thinking it through in terms of the application-level challenges in terms of security. And to a large extent, account takeover is not even a security problem. It is actually a business logic problem—same with scraping. When you start off with a team that knows a lot about making the app user-friendly and making the app work with the business, they're not focused on securing the app. When you build an in-house solution, you spend a lot of time dealing with bot attacks which is not usually the expertise of the food delivery app teams. So they end up over-spending time on this.
And it's not just spending a lot of time—you won't even get the right level of protection. Think of a company like WhatsApp. It used to be a 20-employee company. You have to dedicate three or four members of that team to protect against bots. That's a lot of resources being dedicated to just bots versus growing the business. And it's very unlikely you're going to come out ahead, because an in-house team can only see the bot attacks that are happening on their side. As a focused bot management company, we are protecting more than 200 customers. So we see all kinds of bot attacks. In fact, our customer success team and the security operations center (SOC) team, they all see millions of attacks. And all of that learning is going into this bot management solution that we have. So, we can offer the very best protection there is in the market. This way, these companies can go and focus on growing their business. We bring in the experts and operate as an extension of their teams and help them grow their businesses.
What are your words of advice for concerned food and grocery businesses during this time?
Deepak: We've talked a lot about handling account takeover attacks, Magecart attacks and all that stuff. But when you're considering a solution, you need to make sure that that solution lines up with what you're thinking. Can that solution grow along with it? Tomorrow, if your user base doubles or triples, just like the event that happened a few weeks ago, can everything in your technology stack scale with you? You have to take a very holistic approach towards choosing a vendor. Does that vendor have support teams that can work with you? Does that vendor understand your business model? Can they bring in business metrics when they support you during those events? Is that vendor future-proof enough? Do they have an architecture that's open enough such that if you were to change from one CDN to the next, would it create problems for you? Look beyond just the basic requirements of protecting against account takeover. Make sure that it lines up with your vision of where you want to take the app.
As a consumer, I’m also curious myself about what I should be doing to minimize my risk. What should I be wary of?
Deepak: First and foremost, do not use the same username and password on all of your applications. Our understanding is that there are close to a thousand apps that a typical user needs to run their daily life. This is where we would strongly suggest the use of a password manager and two-factor authentication. Yes, there's a bit of inconvenience that comes along with it, but the fact of the matter is it'll go a long way. If you can do that, it's better than using long passwords, because just using a long password on multiple sites doesn't mean much. At the end of the day, your information is already out there. There are websites being compromised on a daily basis. Data from breaches two years ago are still the source of ATO attacks today. So as a consumer, use different passwords for different websites.
When it comes to your payment data, there's nothing better than monitoring what's happening on your transactions. Try to get credit cards where you can get a different number for each transaction. Monitor your activity often, because thankfully, based on how the US credit cards work, the liability is limited if you're able to get in front of it. If you let the merchant know that you didn’t make a certain transaction, you can avoid it.
I want to close out with an interesting story about the way the first Magecart attacks were detected. It was not because an enterprise had a solution monitoring their activity. It was because a lot of users complained about fraudulent charges, and then the merchant figured out that the consumers complaining about these fraudulent charges were coming from a specific retailer or specific e-commerce shop. That's how they figured out that these credit cards were being skimmed off of this one particular site. So you are at the forefront of figuring out fraud when it happens. Be vigilant. But at the same time, there's never been a better time to participate in the e-commerce world and get what you need. This is the world of hyper-personalization. There’s nothing to be overly fearful of. Enterprises are very much aware of these threats and everybody is stepping up to take care of your user data.
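The interview describes the login-page pattern behind ATO: attackers replay stolen credential lists against a food or grocery app to learn which pairs are still valid, then reuse the confirmed pairs at banks. The following is an added example, written for this page and not PerimeterX's product code, of how an application team can triage its own login logs for that pattern. The log line format, the sample entries, the IP addresses, and every threshold (`min_attempts`, `min_distinct_users`, `min_fail_ratio`, `max_jitter_s`) are constructed assumptions for illustration. The one output a practitioner most wants is the last function: the accounts that succeeded from a flagged source, which are the credentials the attacker has now validated and which need a forced reset and a customer notification.

```python
"""Credential-stuffing triage over web login logs.

Added example, not PerimeterX code. Signals used (the thresholds are
assumptions, not figures from the interview):
  * many distinct usernames tried from a single source IP
  * a high failure ratio (stolen credential lists are mostly stale)
  * machine-regular spacing between requests
Constructed log format, one login attempt per line:
  <ip> <iso_timestamp> POST /login user=<name> status=<http_status>
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import pstdev

LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) POST /login user=(?P<user>\S+) status=(?P<status>\d{3})$"
)


@dataclass
class IpStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    timestamps: list = field(default_factory=list)


def parse_line(line):
    """Return (ip, timestamp, user, status) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m["ip"], datetime.fromisoformat(m["ts"]), m["user"], int(m["status"])


def aggregate(lines):
    """Per-source-IP counters: attempts, failures (401), distinct users, timestamps."""
    stats = defaultdict(IpStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, user, status = rec
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        s.timestamps.append(ts)
        if status == 401:
            s.failures += 1
    return stats


def flag_stuffing(stats, min_attempts=8, min_distinct_users=5,
                  min_fail_ratio=0.8, max_jitter_s=0.5):
    """Map of IP -> reasons for every IP that shows at least two stuffing signals.

    Requiring two signals keeps a single human who mistypes a password
    (one username, high failure ratio, irregular timing) off the list.
    """
    flagged = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts:
            continue
        fail_ratio = s.failures / s.attempts
        ts = sorted(s.timestamps)
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        jitter = pstdev(gaps) if len(gaps) > 1 else 0.0
        reasons = []
        if len(s.users) >= min_distinct_users:
            reasons.append(f"{len(s.users)} distinct usernames")
        if fail_ratio >= min_fail_ratio:
            reasons.append(f"{fail_ratio:.0%} failures")
        if jitter <= max_jitter_s:
            reasons.append(f"machine-regular timing (jitter {jitter:.2f}s)")
        if len(reasons) >= 2:
            flagged[ip] = reasons
    return flagged


def validated_accounts(lines, **thresholds):
    """Usernames that logged in successfully from a flagged IP.

    These are the credential pairs the attacker has now confirmed and will
    replay elsewhere; they need a forced reset and a customer notification.
    """
    flagged = flag_stuffing(aggregate(lines), **thresholds)
    return {rec[2] for rec in map(parse_line, lines)
            if rec and rec[0] in flagged and rec[3] == 200}


# Constructed sample log: a scripted list replay, one entry every 2 seconds,
# with a single hit, plus a human who mistyped twice before getting in.
SAMPLE_LOG = [
    *(f"203.0.113.7 2020-04-01T12:00:{i * 2:02d} POST /login "
      f"user=user{i}@example.com status={'200' if i == 6 else '401'}"
      for i in range(10)),
    "198.51.100.20 2020-04-01T12:00:05 POST /login user=alice@example.com status=401",
    "198.51.100.20 2020-04-01T12:00:41 POST /login user=alice@example.com status=401",
    "198.51.100.20 2020-04-01T12:01:17 POST /login user=alice@example.com status=200",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for ip, why in flag_stuffing(aggregate(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(why))
    print("validated credentials:", sorted(validated_accounts(SAMPLE_LOG)))
```

Per-IP counting is the simplest cut and is only a starting point: a stuffing run spread across a residential proxy pool stays under any per-IP threshold, which is why the interview's point about a vendor seeing attacks across many customers matters. In practice the same signals are computed per device or session fingerprint and correlated across sources, and the confirmed accounts are fed into a forced-reset workflow rather than just printed.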
For more information about bot detection and mitigation, visit the PerimeterX Bot Defender page and view The Forrester New Wave™: Bot Management, Q1 2020 report. For more information about client-side code and Magecart protection, visit the PerimeterX Code Defender page.