Put away your inflatable jack-o-lanterns and take out your Christmas lights: the holiday season is upon us! While the holidays bring heaps of joy and hot chocolate, security teams know they also bring fraud and abuse. Hot products in high demand bring scammers and scalpers. New users bring new payment data, making your checkouts a prime target for e-skimmers. Every user account is at greater risk of takeover because the value of everything skyrockets in Q4.
Many threats you've already addressed. You've patched kernels, updated software, and improved application security. A whole class of threats, however, exploits your services through no fault of your own. Automated threats abuse your services by using them the way they were meant to be used, and supply chain attacks cause damage through a trusted third party. These are some of the most common and damaging threats you'll face this season.
Credential Stuffing and Password Spraying
Credential stuffing and password spraying are similar enough to wrap up together. Credential stuffing attacks use previously breached credentials to take over accounts of users who reuse passwords. Password spraying attacks try common passwords like qwerty123! and Winter2019 to pop accounts using weak passwords. The likelihood of success for both attacks is so low that attackers rely on automation to scale them. This leads to billions of fraudulent login attempts, and the resulting account takeovers lead to billions of dollars in losses.
Protecting your company and users over time is difficult. It's an arms race that lasts forever. Get a leg up, though, by ensuring your customers aren't using common or previously breached passwords. Free services like PwnedPasswords and premium services like Shape Security’s Blackfish give API access to breached data and spilled credentials. These services tell you which users are at higher risk of takeover so you can request a password change in advance.
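As an added example (not code from the original article or from Shape Security), here is a server-side check against the PwnedPasswords range API, which uses k-anonymity: only the first five hex characters of the password's SHA-1 are sent, and the match is done locally against the returned suffixes. The range response embedded below is a constructed excerpt, so the script runs offline; the live fetch function is included but not called, and the `User-Agent` string is an arbitrary placeholder.

```python
from __future__ import annotations

import hashlib
import urllib.request

# Constructed excerpt of a PwnedPasswords "range" response for the SHA-1
# prefix 5BAA6 (the prefix of "password"). Real responses hold hundreds of
# "SUFFIX:COUNT" lines; only the first line here is a real, well-known pair.
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
    ]),
}


def sha1_split(password: str) -> tuple[str, str]:
    """Hash the password with SHA-1 and split it into the 5-char prefix that
    is sent to the API and the 35-char suffix that never leaves the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict; padding entries (count 0) are dropped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range_live(prefix: str) -> str:
    """Real lookup against api.pwnedpasswords.com (not used by the offline demo)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "holiday-readiness-check"},  # placeholder UA
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the API that serves the constructed excerpt above."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


def breach_count(password: str, fetch_range=fetch_range_offline) -> int:
    """How many times this exact password appeared in known breaches."""
    prefix, suffix = sha1_split(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def password_is_acceptable(password: str, fetch_range=fetch_range_offline) -> bool:
    """Policy hook for signup or password change: reject anything ever breached."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: {breach_count(pw)} breach occurrences")
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service; the same parsing and comparison logic applies, and the full password hash is never transmitted either way.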
Scalping
Digital scalping is when a customer purchases goods using techniques not available to average shoppers. This usually means using bots to buy up your inventory in microseconds. It's common to see hot products sell out instantaneously and think that it's an inevitable aspect of retail. In reality, scalpers automate these purchases and resell items at a profit.
Defend against scalpers by limiting the quantity of items that anyone can buy at once or per day. This leads scalpers down the road of automating account creation, so you need to pair this defense with a trust metric for accounts. Give preferential treatment to trusted accounts that have a history of legitimate behavior and use a queue or lottery to throttle new accounts.
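The layered defense described above, as an added example that is not part of the original article: a per-order cap, a rolling per-day cap, a simple trust score built from account age, order history and chargebacks, and a seeded lottery for accounts that have not yet earned trust. All thresholds and the scoring weights are hypothetical and would be tuned per product launch.

```python
from __future__ import annotations

import random
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical policy knobs; tune them to the product and the launch.
PER_ORDER_LIMIT = 2      # units of a hot item in one checkout
PER_DAY_LIMIT = 2        # units per account per rolling 24 hours
TRUST_THRESHOLD = 50     # accounts scoring below this go to the queue/lottery


@dataclass
class Account:
    account_id: str
    created_at: datetime
    completed_orders: int = 0   # delivered, undisputed orders
    chargebacks: int = 0
    purchases: list[tuple[datetime, int]] = field(default_factory=list)


def trust_score(account: Account, now: datetime) -> int:
    """Additive score: account age and order history earn trust, chargebacks
    burn it. A freshly created account starts at zero."""
    age_days = max((now - account.created_at).days, 0)
    score = min(age_days, 30)                        # up to 30 points for age
    score += min(account.completed_orders * 10, 50)  # up to 50 for history
    score -= account.chargebacks * 40
    return max(score, 0)


def units_bought_recently(account: Account, now: datetime) -> int:
    cutoff = now - timedelta(hours=24)
    return sum(qty for ts, qty in account.purchases if ts > cutoff)


def evaluate_purchase(account: Account, quantity: int, now: datetime) -> str:
    """Returns 'allow', 'queue', 'deny:per_order' or 'deny:per_day'."""
    if quantity < 1 or quantity > PER_ORDER_LIMIT:
        return "deny:per_order"
    if units_bought_recently(account, now) + quantity > PER_DAY_LIMIT:
        return "deny:per_day"
    if trust_score(account, now) < TRUST_THRESHOLD:
        return "queue"
    return "allow"


def record_purchase(account: Account, quantity: int, now: datetime) -> None:
    account.purchases.append((now, quantity))


def draw_lottery(queued_ids: list[str], slots: int, seed: int) -> list[str]:
    """Pick which queued (low-trust) accounts may buy this round. Seeded so an
    audit can reproduce the draw; one entry per account, so submitting the
    same account repeatedly gains nothing."""
    unique = sorted(set(queued_ids))
    rng = random.Random(seed)
    return rng.sample(unique, k=min(slots, len(unique)))


if __name__ == "__main__":
    now = datetime(2019, 11, 29, 9, 0)
    loyal = Account("alice", now - timedelta(days=400), completed_orders=8)
    fresh = Account("new-0001", now - timedelta(minutes=5))
    print("loyal, qty 2:", evaluate_purchase(loyal, 2, now))
    print("fresh, qty 1:", evaluate_purchase(fresh, 1, now))
    print("lottery:", draw_lottery(["new-0001", "new-0002", "new-0003"], 1, seed=7))
```

The important property is that the quantity limits alone push a scalper toward creating many accounts, and the trust gate makes each of those new accounts worth very little: they wait in a lottery with a single entry apiece while long-standing customers check out directly.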
E-Skimming
E-skimming or Magecart-style attacks involve compromising a third party to hijack a linked resource, usually a JavaScript file. The attacker then injects malicious logic which captures payment data and exfiltrates it to an attacker-controlled server. This attack caused the record-setting fine against British Airways earlier this year. It's a problem that can affect any company that has a checkout flow.
The first step to protect yourself is to audit your third-party resources and confirm they're not already compromised. Once you clear them, the next step is to ensure they never change without your approval. You can leverage the subresource integrity (SRI) feature in browsers to enforce what resources your web pages accept: the browser refuses to run a script whose content doesn't match the hash you published. This protects your users, but you also need to build or subscribe to a resource scanning service that snapshots your site's resources and compares them over time. These tools make it easier to identify what changed and when.
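Both halves of that advice in one added example (not code from the original article or from Shape Security): computing the `integrity` value for a `<script>` tag, re-implementing the browser-side comparison so a scanner can check fetched copies of third-party resources against the values recorded at audit time, and reporting which resources changed. The JavaScript bodies and the CDN URL are constructed sample data.

```python
from __future__ import annotations

import base64
import hashlib
import hmac

# Browsers use the strongest algorithm present in an integrity attribute and
# ignore hashes listed for weaker ones.
ALGO_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

# Constructed sample resource and a copy with one extra line, standing in for
# a third-party script before and after an unauthorized change.
VENDOR_JS = b"window.checkout = function (card) { return submit(card); };\n"
TAMPERED_JS = VENDOR_JS + b"// one injected line\n"
VENDOR_URL = "https://cdn.example/vendor.js"  # constructed


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Compute an integrity value ('sha384-<base64 digest>') for a resource body."""
    if algo not in ALGO_STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Emit the <script> tag that pins this exact body. crossorigin is needed
    for cross-origin resources or the browser cannot perform the check."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


def verify_sri(body: bytes, integrity: str) -> bool:
    """Browser-style comparison for a fetched body. Stricter than a browser in
    one way: an integrity string with no recognised hash is rejected here,
    whereas a browser would load the resource unchecked."""
    by_algo: dict[str, list[str]] = {}
    for token in integrity.split():
        algo, _, value = token.partition("-")
        if algo in ALGO_STRENGTH:
            by_algo.setdefault(algo, []).append(value.split("?", 1)[0])
    if not by_algo:
        return False
    strongest = max(by_algo, key=ALGO_STRENGTH.__getitem__)
    actual = base64.b64encode(hashlib.new(strongest, body).digest()).decode("ascii")
    return any(hmac.compare_digest(actual, expected) for expected in by_algo[strongest])


def changed_resources(baseline: dict[str, str], fetched: dict[str, bytes]) -> list[str]:
    """Periodic scan: compare freshly fetched third-party bodies against the
    integrity values recorded at the last audit. Unknown URLs count as changes."""
    return sorted(url for url, body in fetched.items()
                  if url not in baseline or not verify_sri(body, baseline[url]))


if __name__ == "__main__":
    print(script_tag(VENDOR_URL, VENDOR_JS))
    baseline = {VENDOR_URL: sri_hash(VENDOR_JS)}
    print("changed:", changed_resources(baseline, {VENDOR_URL: TAMPERED_JS}))
```

SRI only covers resources you reference directly with an `integrity` attribute; a scanner that fetches everything the page loads, including scripts pulled in by other scripts, is what catches changes SRI cannot pin.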
Happy Holidays!
Get protection and processes in place before you need them, and have a safe and happy holiday!
Jarrod Overson is director of engineering at Shape Security, a company that protects the world's largest enterprises from all types of fraud against their online applications.
Jarrod Overson’s career has been one underscored by impact and ingenuity. As a software engineer at Napster, Jarrod developed and maintained distributed backend systems that allowed music to reach the masses. From there, he spent time teaching at JavaScriptU and then developing at OneHealthSolutions and RiotGames.
Jarrod’s expertise led him to work as a consultant for Gossamer Solutions, where his experience enabled him to train, speak, and consult for the modern web.
Jarrod’s path at Shape began as a Software Engineer Lead and then as Director of Engineering, where he led development of Shape's Enterprise Defense.
Jarrod is a frequent speaker on modern web threats and cybercrime and has been quoted by Forbes, the Wall Street Journal, and CNET, among others. He co-authored O’Reilly’s Developing Web Components, created Plato and many other JavaScript analysis and reverse engineering tools, and frequently writes and records on reverse engineering and related topics.