The Black Friday and Cyber Monday shopping sales have long been used by cyber-criminals to scam unsuspecting shoppers hunting for a bargain. The sustained surge in online shopping since the start of the COVID-19 pandemic has only provided further opportunities for nefarious actors to strike this sector. This includes attacking the payment systems used to undertake e-commerce transactions, for example, web skimming to steal users’ payment information.
Ahead of this year’s Black Friday, Infosecurity Magazine caught up with Neira Jones, a renowned expert in all aspects of payment security. She discussed the evolving nature of attacks on e-commerce transactions and how security can be enhanced in this area. The full audio version of the interview can be accessed in the November 2022 episode of the IntoSecurity podcast.
Infosecurity Magazine: How have cyber-attacks targeting e-commerce websites’ payment systems evolved since the start of COVID-19?
Neira Jones: Payment systems have always been a target, but during the pandemic, both consumers and businesses substantially increased their online activities, and those that weren’t previously digital suddenly became digital. As a result, the number of card payment transactions naturally increased.
At the same time, the capabilities of threat actors continued to evolve and to escalate, and they have developed lots of skills to exploit both existing and emerging weaknesses. More vulnerabilities have occurred because we’re using more technology, some of which businesses were not necessarily familiar with. This applies to payment systems and processes in the SME space.
The second driver is that we’ve started to rely more heavily on cloud technologies. All this makes the CISO’s job more complicated. Therefore, e-commerce websites are being targeted more than ever before – it’s essentially accelerated more of the same.
IM: What attack trends do you observe targeting e-commerce payment systems in the build-up to Black Friday?
NJ: Something that I always say is if it’s too good to be true, then it probably is. If you look at any security analyst report, phishing is certainly a predominant method used by cyber-criminals and they’re becoming ever-more sophisticated. This is because the pandemic accelerated digital communications so we’ve got lots of channels that not everyone used before, such as WhatsApp and social media, exposing people to the digital world who were not as well equipped to deal with the threats as those who are used to interactions on those channels.
We’re seeing increasingly sophisticated phishing attacks on individuals who make payments on these sites. This is partly because we’re getting better at securing our environment, but the technology evolves much faster than what we’re able to cope with. Therefore, once you’ve compromised an individual and you haven’t deployed defense-in-depth or zero trust principles, then you have the keys to the kingdom. Again, it’s nothing new: e-commerce payments will continue to be attacked; it depends on whether you have a sensible and risk-based security strategy.
IM: There has been a significant growth in industry regulations for payment systems, including PCI DSS and PSD2. What impact have these regulations had on payment security?
NJ: We have good news in terms of impact. With PCI DSS, we are now on Version 4.0, which has been a few years in the making. This version is massive, and to give you an idea of scale, the previous version in 2018 was 139 pages long, whereas Version 4.0 is 360 pages long. That tells us that the PCI Security Standards Council is seeing the challenges in the card payment industry and is trying to address those challenges in the new version of PCI DSS.
This new version is more flexible, which is important because there is never a one-size-fits-all, so there needs to be more flexibility as to how you assess the kind of controls you need. This is based on sound principles that have followed the way the world has been moving in terms of more cloud services; for example, working from home and the importance of authentication and authorization. All of those things are in the new standard.
In terms of the impact more specifically, I was really pleased to see from the latest Verizon Payment Security Report that since 2020 there’s been an uptick in PCI DSS compliance across the board. This follows a decline in compliance in the years before the pandemic. So you can see that organizations are getting better at protecting their environment.
With the Second Payment Services Directive (PSD2), I see the biggest impact as deploying strong customer authentication, which is absolutely crucial in securing payments. The standards are evolving in card payments as well, with new versions of 3D Secure, for example, which cater for the new ways in which consumers prefer to authenticate themselves, such as biometrics.
In terms of the challenges for organizations in implementing these standards, there’s nothing new here. The challenges we have following the pandemic are that we’re still recovering and now we have the added economic burden of the cost-of-living crisis. Everybody’s watching their pennies – consumers and businesses alike – so the challenge is where best to spend money to secure an environment.
IM: What emerging technologies and solutions should payment providers and e-commerce companies be looking to implement to enhance the security of online payments over the coming years?
NJ: I won’t recommend any particular technology because it is not one-size-fits-all. It depends on your business, and what is relevant for one organization is not necessarily relevant for another.
It boils down to this: you have to strengthen the weakest link. It’s all about risk management, and you need to have a sensible strategy and apply logical thinking because you only have a finite amount of money to spend on these things. The trick is to be able to differentiate between the many components – the various systems, processes, capabilities – in your environment that can be improved compared to those few that must be improved in order to achieve your security and compliance objectives.
Strengthening the weakest link is about knowing what your crown jewels are. Of course, you can improve many things and make them more secure but are they all actually that relevant? Certainly, the PCI DSS Version 4.0 is very much attuned to this.
If I were to recommend any kind of technology or approach to organizations, it would be governance, risk and compliance. At the end of the day, it’s about applying best endeavors to the most relevant elements of your environment. And when I say best endeavors, it’s not just technology, it’s that good old organizational principle of people, process and technology.