James Coker assesses the security risks posed by the dramatic shift to e-commerce caused by the pandemic and outlines how retailers and online shoppers can protect themselves
The COVID-19 pandemic has brought about substantial changes to everyday lives, many of which look set to persist long beyond the crisis. One of these is the dramatic shift to e-commerce, driven by the temporary closure of physical retail stores as part of strict lockdown measures. In the UK, for instance, figures from the Office for National Statistics (ONS) showed that e-commerce grew by nearly 20% year-on-year in May, and accounted for a record 33.4% of total retail sales.
Lisa Forte, partner at Red Goat Cyber Security, says: “The pandemic drove the entire world almost instantly online, and shops in Europe shut their doors and quickly had to transform their businesses into a solely online model, which is unprecedented.”
Even since the reopening of non-essential stores around the world more recently, e-commerce sales have generally remained well above pre-pandemic levels, with many consumers previously new to this domain now using this channel regularly.
New Opportunities for Cybercrime
While the online space has provided a critical lifeline for many retailers this year, unsurprisingly, cyber-attackers have sought to take advantage of the additional opportunities the shift to e-commerce has provided. Forte notes: “Any time you see a rapid global migration to a different way of doing business, you will see mistakes and oversights leading to security holes that turn into huge opportunities for cyber-criminals.”
Even before the pandemic, there were major concerns about the impact of cybercrime related to online shopping – be it payment fraud, data hacking or other customer scams. Back in March, for instance, a report by Juniper Research predicted that online payment fraud losses will increase by 52% between 2020 and 2024. However, this has been revised significantly in light of the pandemic. “We anticipate that this growth will accelerate to over 70% over the next four years, compared with the 52% we outlined in March. This is mainly due to the increased usage of e-commerce during the pandemic, which has also generated a rise in fraud,” explains Nick Maynard, lead analyst at Juniper Research.
Cyber-criminals have undoubtedly ramped up attacks at a frightening speed since the crisis began. Chris Waynforth, area vice-president, Northern Europe at Imperva, observes: “As the volume of online sales grew, so too did the volume of cyber-attacks on online retailers. In fact, according to data from the Imperva Cyber Threat Index, attacks rose dramatically around late March and have continued throughout the year – exceeding the peak levels around last year’s Black Friday and Cyber Monday events.”
As well as the greater volume of e-commerce activity, a number of other factors have heightened the risks associated with online shopping since COVID-19 struck. One is the fact that a number of retailers, including small independent stores, were forced to sell online for the first time. Raef Meeuwisse, author of Cybersecurity for Beginners, comments: “Traditional retailers, who weren’t online in the past and are inexperienced in using those kinds of technologies, can fall foul of misconfiguring or setting up vulnerable online hosting services that can be exploited.”
Another opportunity has arisen from the creation of a vast number of new customer accounts, each storing highly sensitive information. Forte notes: “From an attacker’s perspective, if they get one of the consumer’s passwords, they’ll then have passwords to almost all of their accounts. This has provided the cyber-criminals with an opportunity that I’m not sure we have ever seen before.”
Similarly, Riskified has seen user accounts become increasingly targeted since the start of the crisis. Elad Cohen, VP data science at Riskified, outlines: “Account takeovers (ATOs) have quickly become one of the preferred methods for fraudsters. They’re a huge threat to merchants, because they’re difficult to detect and deter. Merchants risk upsetting established customers if they’re too aggressive in trying to deter ATOs, but allowing an ATO to take place will cost the merchant in chargebacks, while also upsetting an established customer.”
Additionally, the ongoing pandemic has precipitated a huge rise in online scams targeting shoppers. Kevin Bocek, VP security strategy and threat intelligence at Venafi, explains: “COVID-19 has prompted a surge in the number of us shopping online, and cyber-criminals are using this to their advantage by creating spoof websites for popular retailers to catch out bargain-hunting customers. They do this by creating fraudulent domains that are almost identical to real retailer sites, with very similar URLs which simply substitute a few characters to look the same at a glance.”
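The lookalike domains Bocek describes are usually caught on the defender's side by normalizing common character substitutions and measuring how close a candidate is to a protected brand domain. The following is an added example (not code from the article or from any vendor quoted in it); the protected domains, the homoglyph table and the candidate names are constructed placeholders.

```python
"""Flag domains that imitate a protected retailer domain once common visual
substitutions are normalized (e.g. 'arnazon' for 'amazon', '0' for 'o')."""
from typing import Optional

# Constructed list of domains the brand-protection team watches (placeholders).
PROTECTED = ["example-shop.com", "retailer.co.uk"]

# Visual substitutions seen in lookalike registrations, mapped back to the
# character they imitate. Multi-character sequences must be replaced first.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t")]


def normalize(label: str) -> str:
    label = label.lower()
    for glyph, canonical in HOMOGLYPHS:
        label = label.replace(glyph, canonical)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    # Simplified: use the first label so 'brand.com.evil.invalid' and a TLD swap
    # both compare on 'brand'. Production code should use the Public Suffix List.
    return domain.lower().split(".")[0]


def lookalike_of(candidate: str, max_distance: int = 1) -> Optional[str]:
    """Return the protected domain the candidate imitates, or None if it is
    either an exact protected domain or not close to any of them."""
    if candidate.lower() in (p.lower() for p in PROTECTED):
        return None
    cand = normalize(registrable_label(candidate))
    for brand in PROTECTED:
        if levenshtein(cand, normalize(registrable_label(brand))) <= max_distance:
            return brand
    return None
```

Feeding newly registered domains or inbound sender domains through lookalike_of gives a queue for takedown requests or mail-gateway warnings rather than relying on shoppers to spot the substituted characters.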
It is also worth noting that many subsets of people who rarely or never shopped online before the pandemic, such as elderly people, have now become regular users. These customers are especially vulnerable to scams due to their lack of experience with digital technology.
Although the volume of attacks has grown substantially, the tactics employed by cyber-criminals haven’t varied a great deal compared with recent years. Payment security consultant Neira Jones says: “When you look at the pattern of attacks, especially on retailers, more often than not you will find that the attacks are not sophisticated. Certainly in the last two or three years, the root causes of attacks on retailers stem from things as simple as phishing attacks to steal credentials.” She adds that this pattern has been exacerbated by COVID-19.
Another common method used against e-commerce platforms, and one that has grown during the pandemic, is the Distributed Denial of Service (DDoS) attack. For example, Imperva has observed that the average online retailer has experienced around eight application-layer DDoS attacks a month so far in 2020.
Investment in Payment Security
Clearly, the security of online shopping must be enhanced to account for this new landscape. For retailers, the most obvious step is to develop the security around payment platforms. Meeuwisse notes: “We’ve seen in the past where under-investment or failing to patch or update a platform has resulted in a huge loss of credit card details.”
At a time of economic hardship and falling revenues, persuading retailers to invest in cybersecurity for their sites will be a hard sell. Yet doing so is likely to bring significant long-term benefits to the business. “The problem at the moment is that most organizations are seeing reductions in revenue and therefore looking at where they can reduce their overheads,” comments Meeuwisse. “Conversely, cybercrime is increasing massively in the retail space so the last thing you want to do as a retailer is reduce your cybersecurity budget; you should be increasing it. Those contradictory forces mean that you’ve got to be a very progressive, forward-looking retailer to understand that increasing your cybersecurity in the current climate is potentially a competitive advantage.”
Similarly, Jones believes the strength of individual retailers’ cybersecurity will form a major part of consumer purchasing decisions going forward. “During the pandemic, we’ve seen that fraud and cybercrime are very much on the agenda, so suddenly consumers are not only aware of the need for privacy, they’re also much more aware of fraud and therefore they are much more sensitive to retailers that might be breached,” she notes.
For larger retailers, already established in the e-commerce domain, there is the opportunity to go the extra mile in securing their platforms. One option is the implementation of advanced monitoring technologies, which are designed to provide effective security while crucially also keeping friction low. Cohen explains: “A machine learning solution can make instant, accurate decisions by analyzing data across the purchase cycle to help legitimate customers successfully complete their purchases.”
This includes detecting any suspicious activity in the payment platform. Meeuwisse says: “One of the primary methods of attack that we’ve seen repeatedly used is to inject or swap scripts in a platform. So what you really want to do is monitor the integrity of your own site and services so that if there are any changes performed, you can verify that they were as expected and do not contain anything errant.”
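The integrity monitoring Meeuwisse describes amounts to keeping an approved inventory of the scripts a checkout page loads and diffing it against what the page serves now. The following is an added example, not code from the article or from any company quoted in it; the HTML, the script contents and the placeholder CDN URL are constructed, and the fetch callback stands in for an HTTP client.

```python
"""Detect injected or swapped scripts on a checkout page by comparing its
script inventory against an approved baseline (constructed example)."""
import base64
import hashlib
import re

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def sri_hash(content: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a script body; the same
    string can be placed in the <script integrity=...> attribute."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


def inventory(html: str, fetch) -> dict:
    """Map each script on the page to its hash. External scripts are resolved
    through fetch(url) -> bytes; inline scripts are keyed by their own hash, so
    an edited inline script shows up as one removed and one added entry."""
    found = {}
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            found[src.group(1)] = sri_hash(fetch(src.group(1)))
        else:
            digest = sri_hash(body.strip().encode())
            found["inline:" + digest[7:19]] = digest
    return found


def diff_against_baseline(current: dict, baseline: dict) -> dict:
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
    }


# Constructed fixtures: the approved page, then the same page after a script
# swap and an injected third-party tag (placeholder .invalid domain).
ORIGINAL_FILES = {"/static/checkout.js": b"function pay(){/* genuine */}"}
SWAPPED_FILES = {"/static/checkout.js": b"function pay(){/* altered */}",
                 "https://cdn-placeholder.invalid/a.js": b"/* unknown */"}
BASELINE_HTML = ('<html><head><script src="/static/checkout.js"></script>'
                 '<script>window.cfg={};</script></head></html>')
SWAPPED_HTML = BASELINE_HTML.replace(
    "</head>", '<script src="https://cdn-placeholder.invalid/a.js"></script></head>')


def demo() -> dict:
    baseline = inventory(BASELINE_HTML, ORIGINAL_FILES.__getitem__)
    current = inventory(SWAPPED_HTML, SWAPPED_FILES.__getitem__)
    return diff_against_baseline(current, baseline)
```

Run on a schedule from outside the hosting environment, any non-empty "added" or "modified" list is an alert to reconcile against the deployment log; an expected release updates the baseline, anything else is investigated as a possible script injection.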
Jones highlights the value of monitoring that singles out users behaving unusually for extra authentication: “Behavioral analytics are going to play a role to identify such things as whether or not the fact that you jump from one place to another is a recognizable pattern of a normal human being,” she states.
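One concrete form of the location check Jones mentions is an impossible-travel test: if two sessions on the same account are further apart than a person could have travelled in the time between them, the new session is challenged with additional authentication instead of being blocked outright. This is an added example, not code from the article or from any vendor it quotes; the speed and distance thresholds and the sample coordinates are constructed assumptions.

```python
"""Step-up authentication decision for an account whose sessions jump between
locations faster than a person could travel (constructed example)."""
import math
from dataclasses import dataclass
from typing import List


@dataclass
class Event:
    ts: float   # session start, Unix seconds
    lat: float  # geolocated latitude in degrees
    lon: float  # geolocated longitude in degrees


EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling, roughly airliner speed; tune per customer base
MIN_DISTANCE_KM = 50.0     # assumed floor to ignore IP-geolocation jitter within one city


def haversine_km(a: Event, b: Event) -> float:
    """Great-circle distance between two events in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi = p2 - p1
    dlam = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def implausible_jump(prev: Event, cur: Event) -> bool:
    """True when the implied travel speed between two sessions exceeds the ceiling."""
    dist = haversine_km(prev, cur)
    if dist < MIN_DISTANCE_KM:
        return False
    hours = max((cur.ts - prev.ts) / 3600.0, 1e-6)  # guard against zero elapsed time
    return dist / hours > MAX_PLAUSIBLE_KMH


def requires_step_up(history: List[Event], new: Event) -> bool:
    """Decide whether the new session should be challenged with extra
    authentication, comparing it against the account's most recent session."""
    if not history:
        return False  # no prior location to compare against; other signals apply
    return implausible_jump(history[-1], new)
```

Because the outcome is a challenge rather than a block, a genuine customer who really did fly between cities completes MFA and carries on, which keeps the friction Cohen warns about low for established customers.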
In the case of smaller retailers, including those which have only recently begun trading online, these kinds of technologies are likely to be prohibitively expensive. Instead, for these businesses, which are unlikely to have large security teams and expertise, selecting the right payment platform provider is the most crucial element. Meeuwisse states: “My advice for the smaller retailer is that cybersecurity is much cheaper at the front end; a small amount of research and adding security at the very beginning is likely to save you a fortune in the long run. Only choose payment platforms and services that have a reliable service history where you can see the security is there.”
Those businesses also need to be highly targeted in the security investments they make, informing merchant providers of their specific “pain points” to get the right solution, according to Jones. “For SMEs, it becomes a difficult proposition because they have to understand their risk and fraud patterns very well in order to deploy something that is going to make economic sense for them,” she says.
Responsibility on Consumers
Alongside the retailers, consumers should correspondingly take more responsibility for their online safety in this new world. This includes making themselves aware of common fraud tactics such as fake websites and phishing, as well as ensuring they adhere to basic security practices like strong passwords and MFA. Forte advises: “As everything has shifted online, users are now thinking ‘I’ll put all my data in anywhere,’ but we’ve really got to remember that cyber-criminals are more active now, so we’ve got to be more careful.”
Retailers can provide a helping hand in promoting more secure behaviors as well. “They need to provide clear guidance about how shoppers can be assured that they’re on the correct site or dealing with legitimate representatives from the company,” outlines Meeuwisse. “For example, they should not be using third party email addresses to contact or request details from customers. They should be limiting outgoing contact calls and ensuring when they do they never ask for identifying data over the phone.”
Forte also believes retailers should be making 2FA or MFA compulsory rather than optional for logging in to online accounts.
She adds: “It’s a shared responsibility: it’s part their responsibility, and it’s part the consumer’s responsibility. So we can never say it’s all the company’s responsibility to make sure you’re secure, because if you’ve got a terrible password, and you haven’t turned on 2FA, there’s very little they can do.”
Securing the Shift to Online
The accelerated shift to e-commerce during COVID-19 has provided a raft of new opportunities for cyber-criminals. Not only are there far more online shoppers and accounts, but many retailers and consumers are very new to this domain and are less prepared for the risks posed by malicious actors.
It is a shared duty of retailers and consumers to tackle this growing menace; for retailers, investing in strong cybersecurity technologies is likely to become a commercial necessity, although the approaches taken will vary according to their size and resources. Consumers should also take more responsibility for their online security, making sure they are aware of the risks posed by fraudsters and making practices such as strong passwords and MFA habitual.