Here in New England, the leaves are just starting to turn crimson, garden mums are in full bloom, while pumpkins, apples and freshly pressed cider are crowding roadside farm stands. So why in the world are we marring these idyllic scenes talking about Black Friday and cybersecurity threats for the retail industry? Because signs of the fall season signify “Winter is Coming,” the holidays are approaching and, if you do business online, you had better get your cybersecurity house in order now, and hope it’s not too late.
Historically, the origins of the “Black Friday” reference are many - anything from black mass and religious calendar markings, to the 1869 gold cornering scandal in the US that caused trading markets to scramble and investors to lose millions. Most recently, the Black Friday reference is specific to the Friday following the US Thanksgiving holiday - with heavy retail shopping beginning then and lasting through December 25th. Retailers like to say that this is the time profits are high and their ledgers return “to the black.” While the name and the reference have stuck, tagging along with them is the increasing threat and dread of cybersecurity risks, to consumers and retailers alike.
In a report from Iovation, a provider of device intelligence for authentication and fraud prevention, data shows online retail credit card fraud, referred to as “card-not-present” fraud, increased significantly from Black Friday to Cyber Monday 2016 when compared to the same period in past years. How significantly? The research shows a 20% increase in online retail credit card fraud during the 2016 holiday shopping weekend when compared to the same period in 2015, and a 34% increase in online credit card fraud from Black Friday to Cyber Monday 2014 to 2016.
The research also finds that 55% of all online retail transactions were made from a mobile device from Black Friday to Cyber Monday. Why the rise in online credit card fraud? Iovation points to the recent shift from consumers using traditional credit and debit cards with magnetic stripes to EMV (Europay, MasterCard, and Visa) chip cards. While the new chip cards have proven to do a great job of stopping card-present fraud, it is now clear that fraudsters are turning online.
“The shift from in-person card fraud to card-not-present fraud shows that cybercriminals are quick to shift the focus of their scams,” said Iovation CTO Scott Waddell. “Much like EMV became a major weapon for in-person merchants, new authentication approaches will be the antidote to curb this new trend.”
Cybersecurity Tips for Consumers and Retailers to Prepare for the Holiday Season
How can consumers, retailers and eCommerce sites protect themselves this year? Start early and stay vigilant. Retailers should continually educate and remind employees on how to recognize and report online threats. Online retailers should also invest in firewalls for their websites and applications, which stop attackers before they can breach the network and reach sensitive customer information. As we noted in a previous post, HTTPS with properly configured SSL/TLS is a must for retailers: it encrypts the connection to the retailer's website and secures every customer transaction.
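What "properly configured SSL/TLS" means in practice is easier to see with a weak configuration next to a hardened one. The following is an added example written for this article, not GlobalSign code: it uses only Python's standard ssl module, puts a deliberately weak client context beside a hardened server context for a shop's HTTPS endpoint, and audits both for the settings that matter (minimum protocol version, certificate verification, hostname checking, TLS compression). The certificate and key paths are optional arguments so the functions can be exercised offline; the cipher string is an assumption about what a sensible modern baseline looks like, not a recommendation from the article.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    """A client configuration that encrypts but does not authenticate: every
    certificate is accepted, the hostname is never checked, and any protocol
    version the library supports is allowed. Shown only for comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_server_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Server-side context for a shop's HTTPS endpoint: TLS 1.2+, no TLS
    compression, server-chosen forward-secret AEAD cipher suites.
    certfile/keyfile are the PEM paths of the site certificate and key;
    they are optional here (assumption) so the function runs offline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    # ECDHE gives forward secrecy; AES-GCM and ChaCha20-Poly1305 are AEAD suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of configuration weaknesses found in ctx (empty = clean)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT:
        if ctx.verify_mode == ssl.CERT_NONE:
            findings.append("peer certificate not verified")
        if not ctx.check_hostname:
            findings.append("hostname not checked against certificate")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak client", weak_client_context()),
                      ("hardened server", hardened_server_context())):
        print(name, "->", audit_context(ctx) or "no findings")
```

The weak context is the shape of many "just make the error go away" snippets: traffic is encrypted, but to whoever answered the connection, which is exactly the situation a phishing or man-in-the-middle site wants. The audit function is the kind of check worth running in a deployment test suite so a later edit cannot quietly reintroduce CERT_NONE.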
Tips for Consumers
We roll out these same five core tips every year about this time to assist consumers as they launch their holiday shopping and ordering sprees:
1. Look for “Secure Site” Indicators:
For years, one of the core recommendations for safe online shopping has been to look for the padlock and HTTPS in the browser address bar, because these indicate that a website is using SSL/TLS, the protocol that encrypts data in transit between your browser and the retailer. This mentality has been further reinforced by Chrome’s recent UI changes to mark all SSL-secured sites as “secure”.
While the padlock and HTTPS are still important indicators to look for, it’s important to know that these don’t necessarily mean a website is safe. Creators of phishing websites, imposter sites designed to trick you into sharing your login or financial details by spoofing legitimate sites, have started using low assurance SSL Certificates on their sites to make them look more trustworthy. As a result, many online retailers have moved to using higher assurance SSL Certificates that display their company name in the address bar to assure visitors that their sites are legitimate and help distinguish them from phishing scams.
Note: higher assurance certificates still don't prove a website isn't a phishing website and that's why this method should be used in conjunction with the rest of the advice in this article.
All of this is to say, you shouldn’t just automatically trust a website because it has the padlock and HTTPS. Look for the company name (as seen in the screenshot above), and if that isn’t there, take a second to double check the URL and look for any signs that it’s a phishing site (e.g. extra letters, small misspellings like the number 1 for the letter l, extra strings of numbers or letters at the end). You can also dive into the certificate details, if you’re curious, which can contain more information about the company operating the site. We have tips for how to do that here.
2. Use Strong, Unique Passwords and Two-Factor Authentication When Possible:
For sites that require you to set up a username and password as part of the buying process, use a different combination from the ones you use for banking, webmail and other accounts. We have tips for creating strong passwords here. If the site offers some kind of two-factor authentication (a common one is a one-time passcode sent via text message), you should enable it. This means that even if someone obtains your username and password, they still cannot access your account without that second authentication mechanism (e.g. the passcode sent to your phone).
Common sense can also go a long way - if they start asking for details you think are irrelevant to the purchase, such as bank account details and date of birth, start questioning why. These details are not needed for a simple online purchase.
3. Be on the Lookout for Scams:
Beware of unbelievable offers sent by email – regardless of whether you know of the retailer “offering” them. Phishers (fraudsters masquerading as known companies) send millions of emails daily and place thousands of online ads offering the best ‘cannot miss’ deals. If you receive an email or see an online advertisement, be sure to check the URL in the browser address bar. As briefly mentioned above, be extra wary of IP addresses (such as http://245.123.123.1/special-offer) and email addresses or websites containing a well-known brand name in conjunction with other lettering or numbers (e.g. www.globalsign-1.com).
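The URL checks in tip 1 and tip 3 (a bare IP address as the host, a brand name glued to a different domain such as www.globalsign-1.com, the digit 1 standing in for the letter l) and the certificate check in tip 1 (does the certificate name the organization?) can be written down as code. The following is an added example for this article, not GlobalSign's software: the brand allow-list, the look-alike table and the two sample certificates are constructed, and the registrable-domain helper deliberately ignores multi-part public suffixes such as .co.uk. The certificate function reads the dict shape returned by ssl.SSLSocket.getpeercert(), and a live-lookup helper is included for readers who want to point it at a real site.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# Constructed allow-list: brand string -> the domain that brand legitimately uses.
KNOWN_BRANDS = {"globalsign": "globalsign.com"}

# Characters commonly substituted because they look alike in many fonts.
LOOKALIKES = {"1": "l", "0": "o", "rn": "m", "vv": "w"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: ignores suffixes like .co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize_lookalikes(name: str) -> str:
    for fake, real in LOOKALIKES.items():
        name = name.replace(fake, real)
    return name


def url_warning_signs(url: str, known_brands=KNOWN_BRANDS) -> list:
    """Reasons a URL deserves a second look before card details are entered:
    plain HTTP, a bare IP address as host, a brand name attached to some other
    domain, or look-alike characters substituted into a brand's domain."""
    signs = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        signs.append("not HTTPS")
    try:
        ipaddress.ip_address(host)
        signs.append("host is a bare IP address")
        return signs
    except ValueError:
        pass                                  # not an IP literal: keep checking
    domain = registrable_domain(host)
    for brand, legit in known_brands.items():
        if brand in host and domain != legit:
            signs.append(f"'{brand}' appears in {host} but the site is {domain}, not {legit}")
        if domain != legit and normalize_lookalikes(domain) == legit:
            signs.append(f"look-alike characters: {domain} imitates {legit}")
    return signs


def certificate_organization(cert: dict):
    """Organization (O) from a getpeercert()-style dict, whose 'subject' is a
    tuple of RDNs, each a tuple of (attribute, value) pairs. DV certificates
    carry no O, so None means the certificate says nothing about who runs the site."""
    subject = {attr: value for rdn in cert.get("subject", ()) for attr, value in rdn}
    return subject.get("organizationName")


def fetch_certificate(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live lookup with chain and hostname validation (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real issuances): OV-style and DV-style.
OV_SAMPLE_CERT = {
    "subject": ((("countryName", "GB"),),
                (("organizationName", "Example Retailer Ltd"),),
                (("commonName", "shop.example.com"),)),
}
DV_SAMPLE_CERT = {"subject": ((("commonName", "www.globalsign-1.com"),),)}

if __name__ == "__main__":
    for u in ("http://245.123.123.1/special-offer", "https://www.globalsign-1.com/",
              "https://www.g1obalsign.com/", "https://www.globalsign.com/"):
        print(u, "->", url_warning_signs(u) or "no warning signs")
    print("OV sample ->", certificate_organization(OV_SAMPLE_CERT))
    print("DV sample ->", certificate_organization(DV_SAMPLE_CERT))
```

The brand check also catches the subdomain trick (globalsign.com.something-else.net), because it compares the registrable domain rather than looking for the brand anywhere in the host. As the note under tip 1 says, an organization name in the certificate is corroborating evidence, not proof, and an empty result simply means the certificate asserts nothing about the operator.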
4. Use a Safe Method of Payment:
Most credit cards offer protection on purchases, so use them wherever possible. Debit cards and other methods of payment usually offer a lower level of protection and may leave the consumer out-of-pocket while a claim is processed. If the merchant does not accept credit cards, or you do not have one, look for other methods of safe payment such as PayPal.
5. Get the Details, Keep the Records:
Make sure you know the merchant’s full address, especially if it’s outside of your own country, and double check the delivery costs and refund terms. This information will help you in case you run into any problems with delivery of items purchased.
Tips for Online Retailers
Coincidentally, October in the US is National Cybersecurity Awareness Month, and the Office of Homeland Security has some sound advice we all should be aware of, as well as toolkits and best practices to get us through safely and securely. Their “Stop.Think.Connect.” toolkit provides helpful resources for consumers and retailers to stay safe online. Materials include ready-made cyber presentations, tip cards, and more. Find all the cyber materials in the Stop.Think.Connect. Toolkit here.
Other considerations for smaller retailers, whether doing business online or brick and mortar, are suggested in this smallbiztrends report, “The 7 Top Retail Risk Factors Your Small Business Faces,” the first being the economy itself as the single most significant risk factor, with security breaches being number two: “With big retailers being struck by security breaches every day, small retailers have reason to be concerned, too. Secure your store network and restrict access to sensitive information only to those employees who need it. If you offer free Wi-Fi in your store (which you should), set up a separate guest network for your customers. This FTC website offers tips and resources for cyber security.” Other risk factors affecting retailers can be found in the 2017 BDO Retail RiskFactor Report.
How to Get Ready… Leverage PKI
What all retailers, eCommerce site managers, etailers and retail service providers should be doing is a cyber-risk assessment at the foundation level, namely, at the PKI foundation. Your business encompasses many different digital risk factors that all need to be accounted for, including:
- Securing websites with SSL/TLS Certificates - Secure your internal and public networks with the correct type of SSL Certificate for your online retail business, such as OV, EV, Wildcard and Multi-domain, with options to add Subject Alternative Names (SANs).
- Digital Signatures for Receivables/Invoicing/Shipping - Replace wet ink signatures and enable electronic workflows with digital signatures for PDF and Microsoft Office documents.
- Secure Email for Inbound/Outbound Supplier & Customer Communications - Encrypt sensitive internal and external communications and mitigate phishing threats with S/MIME. Digitally signing an email proves authorship and prevents tampering, assuring the email recipient that the email came from you, not an imposter, and that the content of the email has not been altered in transit. Encrypting email ensures message privacy and keeps sensitive information from falling into the wrong hands.
- Internal User Authentication - Replace passwords with cost-effective and user-friendly certificate-based authentication.
- Internal Machine Authentication - Ensure only approved machines and devices can access your corporate networks and resources.
- Employee Mobile Authentication - With employees on the road or on the remote retail floor, digital certificates can be used on mobile devices for email encryption and signing, and authentication to email, VPNs, and Wi-Fi.
With these PKI foundation safeguards firmly in place, any retail organization doing business on the web should be well on their way to a safe and secure holiday cyber-season. Are you looking for some advice on how to get your PKI foundation in order? Let GlobalSign know – we’d love to discuss your challenge and offer some solutions for you to consider.