
Communications of the ACM

ACM News

Handling Holiday Hackers


The Grinch, in the classic cartoon "How the Grinch Stole Christmas."

Countermeasures exist to help holiday shoppers avoid giving up their payment card data and intimate details to hackers and scammers.

Credit: MGM Television

Cybercrooks are out to spoil consumers' holiday cheer, using tactics old and new to steal their credit card numbers and information when they shop online for gifts, goodies, and gear. If they can't dupe people into logging in to fake websites to freely share their digits and details, they'll use e-skimming to seamlessly capture card numbers from within merchant websites that they have hacked.

There are countermeasures, so shoppers can avoid giving up payment card data and intimate details. Consumers can get a sense of how the fraudsters operate and learn to apply advice from experts to conduct safe transactions.

Holiday hackers are wasting no time in setting up shop. According to the report "The State Of E-Commerce Phishing 2019" from NormShield, an enterprise third-party risk rating service, about 22% of a potential 9,000 fake e-commerce phishing web domains designed to resemble those of popular e-tailers could appear during the fourth quarter of this year.

Criminal hackers often get unsuspecting consumers to access bogus websites, including e-commerce fakes, using phishing attacks. Phishing, whether by email or text messages or malicious web ads, lures consumers to click on links that appear to represent an organization or vendor they trust. The message could stress urgency, that their bank needs them to log in right away and update their information, or it could offer them a discount on a popular product.

Phishing attacks are especially prevalent during the holidays, according to Kelvin Coleman, executive director of the National Cyber Security Alliance, who says bad actors surreptitiously collect people's Personally Identifiable Information (PII). Cybercriminals use the stolen consumer data in any number of frauds, including identity theft.

Criminal hackers have ways of obtaining PII and credit card data besides phishing. The FBI has warned small- to medium-size businesses and government agencies that process credit card transactions to watch out for e-skimming this holiday season. E-skimming works by injecting malicious code into legitimate e-commerce websites and online payment tools that e-tailers use; the code collects every credit card detail that passes through the site or tool, together with consumers' PII.

The malicious code sits inside the e-tailers' checkout pages, according to Chris Reid, an executive vice president at Mastercard; the cardholder enters their card details, the transaction is successful, and the e-skimmer also copies those details and sends them off to the cybercriminals.

Businesses that use payment-as-a-service technology are especially susceptible because cybercriminals are compromising those providers. Compromising one provider has let bad actors put e-skimmers on tens of thousands of merchants' sites that use that service all at once, according to John Pescatore, director of Emerging Security Trends at the information security training vendor SANS.

"The prominent example here is Adobe Magento Commerce," says Pescatore. "Hackers found a vulnerability in it; they created these e-skimmer attacks, typically called Magecart. At its peak, Magecart was compromising 7,000 different website purchase points simultaneously."

Consumers can keep their transactions secure despite phishing and e-skimming. As a rule, they shouldn't click links in ads and messages to reach websites they already know; they should go straight to the company website using the address they find most familiar, according to Coleman. Consumers should prefer merchants whose web address starts with HTTPS (Hypertext Transfer Protocol Secure) in the browser, according to Coleman. That prefix indicates that the browser's connection to the site is encrypted.

Many e-tailers get extended validation web certificates. "When they click on a website or its payment link, the Uniform Resource Locator (URL) should turn green. If it does, that means the vendor has gone the extra mile in web security," says Pescatore.

It's also essential for consumers to limit the damage a fraudulent transaction can do. They should pay with a major credit card rather than a debit card, since the card companies then won't hold them responsible for fraudulent transactions. "It's much easier to have the credit card company reverse a charge on a credit card, as opposed to the bank refunding the money," says Coleman.

E-tailers should use well-known web application and server security measures to fight e-skimming, according to Pescatore. The Center for Internet Security (CIS) publishes 20 security controls and resources that online vendors can use to safeguard transactions.

On the consumer side, use a secure payment service, something like PayPal, if possible, says Pescatore. As for major credit cards like Visa and Mastercard, consumers can sign up for virtual credit cards or one-time card numbers, says Pescatore; when people use them for transactions, the only thing cybercriminals can access is a newly generated one-time number that represents the card number to the merchant.

Payment services are adopting a better alternative to virtual credit cards. Visa Solutions and Mastercard Payment Gateway Services are among the payment services rolling out click to pay, which secures online payments based on the new EMV Secure Remote Commerce (SRC) industry standard, according to a Mastercard press release. Consumers can now click to pay at select merchants in the United States, leading up to wide availability in early 2020, according to Mastercard. Click to pay simplifies secure payments on merchant websites, mobile apps, and mobile devices. Individual merchants must add the SRC click to pay technology to participate.

Click to pay is a form of tokenization that lets consumers do digitally what the chip on a physical card does in the real world, according to Reid. Mastercard gives the participating merchant a unique number that stands in for the consumer's credit card, so the consumer doesn't have to type in their card number or credentials, according to Reid.

The need for so many security solutions for e-commerce could make people think online shopping fraud is an insurmountable issue. However, consumers are getting smarter and more accustomed to the pitfalls of shopping online. They're reading about stolen consumer information and the remedies to keep it from happening to them, and they are sharing this information with their friends and families.

As with many things that get done right, it takes a village to stay ahead of online fraud at this and every season.

David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.
