Tips to Counter Top Cyber Threats This Holiday Shopping Season

Put away your inflatable jack-o-lanterns and take out your Christmas lights, the holiday season is upon us! While the holidays bring heaps of joy and hot chocolate, security teams know they also bring fraud and abuse. Hot products in high demand bring scammers and scalpers. New users bring new payment data, making your checkouts a prime target for e-skimmers. Every user account is at greater risk of takeover because the value of everything skyrockets in Q4.

Many threats you've already addressed. You've patched kernels, updated software, and improved application security. A whole class of threats, however, exploit your services through no fault of your own. Automated threats abuse your services by using them the way they were meant to be used, and supply chain attacks cause damage through a trusted third party. These are some of the most common and damaging threats you'll face this season.

Credential Stuffing and Password Spraying

Credential stuffing and password spraying are similar enough to wrap up together. Credential stuffing attacks use previously breached credentials to take over accounts of users who reuse passwords. Password spraying attacks try common passwords like qwerty123! and Winter2019 to pop accounts using weak passwords. The likelihood of success for both attacks is so low that attackers rely on automation to scale them. This leads to billions of fraudulent login attempts, and the resulting account takeovers lead to billions of dollars in losses.

Protecting your company and users over time is difficult. It's an arms race that lasts forever. Get a leg up, though, by ensuring your customers aren't using common or previously breached passwords. Free services like PwnedPasswords and premium services like Shape Security’s Blackfish give API access to breached data and spilled credentials. These services give you insight to know which users have a higher risk of takeover so you can request a password change in advance.

Scalping

Digital scalping is when a customer purchases goods using techniques not available to average shoppers. This usually means using bots to buy up your inventory in microseconds. It's common to see hot products sell out instantaneously and think that it's an inevitable aspect of retail. In reality, scalpers automate these purchases and resell items at a profit.

Defend against scalpers by limiting the quantity of items that anyone can buy at once or per day. This leads scalpers down the road of automating account creation, so you need to pair this defense with a trust metric for accounts. Give preferential treatment to trusted accounts that have a history of legitimate behavior and use a queue or lottery to throttle new accounts.

E-Skimming

E-skimming or magecart-style attacks involve compromising a third party to hijack a linked resource, usually a JavaScript file. The attacker then injects malicious logic which captures and exfiltrates payment data to a third-party server. This attack caused the record-setting fine against British Airways earlier this year. It's a problem that can affect any company that has a checkout flow.

The first step to protect yourself is to audit your third-party resources and assert they're not already compromised. Once you clear them, the next step is to ensure they never change without your approval. You can leverage the subresource integrity (SRI) feature in browsers to enforce what resources your web pages accept. This protects your users, but you also need to build or subscribe to a resource scanning service to compare your site over time. These tools make it easier to identify what and when something changed.

Happy Holidays!

Get protection and processes in place before you need them, and have a safe and happy holiday!

Jarrod Overson is director of engineering at Shape Security, a company that protects the world's largest enterprises from all types of fraud against their online applications.