Deals site Groupon has come in for fierce criticism after customers started complaining that their accounts had been compromised and used to purchase hundreds of pounds’ worth of goods fraudulently.
Reports of the account fraud have been trickling in since the start of the month, with users furious with the US site’s slow response – in some cases being told it will take at least 10 days to review their case, according to MoneySavingExpert.
Groupon claimed that its own infrastructure has not been penetrated by hackers, meaning that the fraudsters are most likely logging in with credentials re-used from a separate breach, or harvested by phishing individual customers.
A statement sent to Infosecurity read as follows:
"I can confirm there has been no security breach to our website or mobile app. What we are seeing however is a very small number of customers who have had their account taken over by fraudsters. Fraudsters have a number of ways in which they can obtain your login details to a website including phishing e-mails, trojan attacks, spyware and malware. By using these methods, it’s possible for fraudsters to get customer account information, log in and make purchases."
The firm added that if it can confirm fraud has taken place it will immediately block the account in question and refund the customer's money.
"With the massive data breaches announced last week by Yahoo – remember it was one billion accounts – it has never been more important to use different passwords on every site and use 2FA where possible," argued Richard Meeus, VP of technology EMEA at NSFOCUS.
"Using the same username and password on every site should not be happening anymore. We need to change user apathy towards passwords, and maybe also get website owners to be more proactive in supporting their customers by checking their user databases against the lists of breached accounts."
The incident raises interesting questions about where responsibility should lie for preventing this kind of fraud. There has been a spate of similar attacks of late, including ones which compromised customer accounts at delivery firm Deliveroo and National Lottery provider Camelot.
"Large companies normally should have advanced anti-fraud systems, such as detection of unusual user activity or suspicious behavior. Nowadays machine learning technologies can do this pretty well. For low-score alerts users should receive a notification and a possibility to instantly block the transaction. For high or repetitive low score alerts, accounts must be temporarily suspended until user identity is verified," explained Ilia Kolochenko, CEO of web security firm High-Tech Bridge.
"This is not an easy task though, as you can erroneously block a legitimate user from making a purchase, and some companies prefer to allow criminal activities rather than investing in advanced anti-fraud systems with a low level of false positives, putting their users at great risk. If fraud prevention systems are not properly implemented, consumers may have a valid reason to sue negligent retailers and claim reimbursement for their financial losses."
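As an added illustration of the escalation Kolochenko describes (not code from Groupon, High-Tech Bridge or this article), here is a toy account-takeover scoring policy in Python: low-score alerts notify the customer, while a high score or repeated low scores suspend the account until identity is verified. The score bands, signal weights, and the sample profile and purchase events are all assumptions constructed for the example.

```python
from collections import defaultdict

LOW, HIGH, REPEAT_LIMIT = 30, 70, 3  # assumed bands: >= LOW notifies; >= HIGH, or 3 low alerts, suspends

def score_event(event, profile):
    # Weight signals that suggest someone other than the owner is using the account.
    score = 0
    if event["country"] != profile["home_country"]:      # login from an unusual country
        score += 40
    if event["device"] not in profile["known_devices"]:  # never-seen browser or device
        score += 30
    if event["amount"] > 3 * profile["avg_amount"]:      # order far above this customer's norm
        score += 25
    if event["ship_to"] != profile["home_address"]:      # goods going to a new address
        score += 20
    return score

class FraudPolicy:
    def __init__(self):
        self.low_alerts = defaultdict(int)  # repeated low-score alerts per account
        self.suspended = set()              # accounts awaiting identity verification

    def decide(self, event, profile):
        """Return 'allow', 'notify' (user can instantly block the purchase) or 'suspend'."""
        acct = event["account"]
        if acct in self.suspended:
            return "suspend"                # stays blocked until identity is verified out of band
        score = score_event(event, profile)
        if score >= HIGH:
            self.suspended.add(acct)
            return "suspend"
        if score >= LOW:
            self.low_alerts[acct] += 1
            if self.low_alerts[acct] >= REPEAT_LIMIT:
                self.suspended.add(acct)
                return "suspend"
            return "notify"
        return "allow"

# Constructed sample: a fraudster logs in from a new device and keeps probing the account.
PROFILE = {"home_country": "GB", "known_devices": {"dev-1"}, "avg_amount": 20.0, "home_address": "addr-1"}
EVENTS = [dict(account="alice", country="GB", device=d, amount=a, ship_to=s) for d, a, s in
          [("dev-1", 15, "addr-1"), ("dev-2", 25, "addr-1"), ("dev-2", 70, "addr-1"),
           ("dev-2", 10, "addr-2"), ("dev-1", 10, "addr-1")]]

def run_demo():
    policy = FraudPolicy()
    return [policy.decide(e, PROFILE) for e in EVENTS]  # ['allow', 'notify', 'notify', 'suspend', 'suspend']
```

The false-positive trade-off Kolochenko mentions lives in the weights and bands: raising LOW reduces customer nagging but lets more probing through, which is why real systems tune them per customer segment rather than globally.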
Christmas is one of the biggest times of the year for fraudsters as they look to capitalize on the fact that retailers may be more focused on profits than cybersecurity.
Fraud prevention firm ThreatMetrix claimed last month that UK retailers would face one million fraud attempts each day in the run up to Christmas.