Online payments: revenue growth matched only by increasing threats
Global self-isolation pushed revenues for online commerce to the moon. Even though the pandemic will eventually run out of steam, customers are unlikely to become immune to the comforts of e-shopping. Cybercriminals already have and continue to notice a growing potential to skim their share of the ecommerce growth.
Data analyzed by Digital Commerce 360 show that online spending represented over a fifth of total retail sales in the US last year. In total, consumers spent over $860 billion, a mind-blowing year-on-year growth of 44% or $174 billion, the highest in at least two decades.
For example, 2019 and 2018 saw growth in online sales at 15.8% and 14.3%, making the first year of this decade stand out even more.
Somewhat unsurprisingly, the rapid growth of online commerce was accompanied by an equally significant increase in the number of transactions. For example, Adobe Analytics data show that post-Thanksgiving ecommerce sales by small businesses grew by a staggering 304%.
Impressive growth during a year in self-isolation might seem like a self-fulfilling prophecy. However, experts are yet to come up with good reasons why the shift to ecommerce seen last year should go down. Like every trend, ecommerce has its advantages and disadvantages as well.
This COVID-driven shift in consumer buying habits will be permanent, and we can expect continued increases in ecommerce sales versus in-store purchases.
“The expectation is that by the next holiday shopping season, consumers will be able to safely return to stores […]. This COVID-driven shift in consumer buying habits will be permanent, and we can expect continued increases in ecommerce sales versus in-store purchases,” claims a recent report by Intsights, an external threat intelligence company.
According to Dave Hatter, a cybersecurity expert at the Cincinnati-based cybersecurity company IntrustIT, any retailer is a sweet honeypot of data for cybercriminals. Whereas large companies may have much more robust security, the same cannot be said about smaller retailers, who might get noticed by threat actors due to growing sales.
“Attacks are just up across the board. I recently saw an estimate that the cybercrime toll last year was about $1.1 trillion between ransom fees, cost to secure systems, and so forth. I don’t think that’s going to slow down anytime soon,” Hatter, who is not related to the previously mentioned study, told CyberNews.
With consumers pouring billions into ecommerce, it is unlikely that threat actors are to miss on an opportunity to take a portion of the newly available bounty.
Intsights claim that if ecommerce revenues do not dramatically drop, there will be a significant increase in account takeovers to falsify chargebacks, increased fraud from criminal organizations, and more attempts to abuse discount offers and returns.
“Then there are the Magecart or formjacking hacks in which criminals steal credit card information right out of customer shopping carts as they complete transactions,” claims the report.
Another looming threat that is likely to increasingly impact retailers is social engineering. The critical issue is that, unlike with technical threats, it’s tough to prevent threat actors from successfully engineering people to do what they want to do.
And once the intruder is in, there are virtually endless possibilities to abuse the compromised system. From credit card data theft to impersonation attacks – everything is possible.
“Criminals might not be able to get through your firewall or to break your perimeter. You might have all your data encrypted the right way. Still, suppose an attacker can compromise one of your employees, particularly a high-level employee or an IT employee. In that case, attackers might be able to get everything they want without ever having to try to get through your perimeter defenses,” Hatter explained.
Regulations catching up
To better combat threat actors on the technical front and better reflect the challenges faced by the payments industry in the context of the staggering growth of ecommerce, the Payment Card Industry Data Security Standard (PCI DSS) will get updated this year.
PCI DSS, an information security standard for organizations that handle major payment cards such as Visa, Mastercard, American Express, etc., had last seen a major update in 2013 when the third version of the PCI DSS was released. Even though there have been yearly updates, 2021 should witness a release of PCI DSS 4.0.
I sat down with Hatter to discuss whether the anticipated changes in security standards will have the desired effect and what other measures can businesses and customers take to protect against attempts to steal sensitive data.
Do you see the update as significant in protecting users from potential theft of personally identifiable information (PII)?
I think they’re fairly significant in a good way. If you go back and you look at the core requirements now, those are all, in my opinion, reasonably rudimentary things that anyone serious about cybersecurity should already be doing.
But one of the things that have been a knock on the DSS requirements up to this point is they had very stringent requirements. Within these 12 requirements exactly how you needed to comply, they had some stringent requirements until the final version comes out.
It’s hard to say for sure, but based on what I have found from PCI, I think two fundamental concepts make a lot of sense here. First, that security is a continuous process. The landscape of security is constantly changing, and the idea that I’m going to achieve compliance today and until my next audit, I’m not going to have to worry about any of this, is a bogus concept.
Businesses need to start focusing on employee education and awareness, making employees aware of phishing attacks, and ensuring that employees are using multi-factor authentication where possible,Dave Hatter.
You do need to be continually testing your systems, constantly looking and evaluating your logs, that sort of thing. So, the idea that it’s a continuous process that is not one and done until the next audit, I think, is a critical concept.
And then this idea that they’re going to add a lot of flexibility in there. Instead of saying, well, you must do X to comply, you can show a compensating control, an alternative way to achieve the same objectives, customization around the validation and the controls. I think it is a good thing. I think that’ll make it easier for businesses to be in compliance and frankly to have equal or maybe even better security by adding more flexibility.
Businesses, particularly small businesses that don’t have extra resources, tend to see compliance practices as check-box ticking exercises. What sort of implications might this have in a cybersecurity context?
I think that’s always a problem. In many cases, businesses that have never been hit with a cyberattack don’t really value it. They see it in general and view cybersecurity more as a cost center than as a differentiator or perhaps even a competitive advantage.
They’ll generally just try to check the boxes. They’re going to do the least amount possible to be compliant. And I think that’s one of the things this concept of promoting security as a continuous process brings to the mix.
I’m sure PCI is not going to do anything to lessen the standards. They will increase the standards, but as they bring more flexibility to it, you may have a situation where before a business was doing something that may have gone above and beyond but did not meet the stringent requirements. And thus, potentially may have had to back out of something that would have created better security.
With the flexibility and this idea that this should be a continuous process, it certainly creates the possibility of striving and promoting excellence above.
What other simple and not overly costly steps could small retailers take to strengthen their systems against possible attacks?
Businesses need to start focusing on employee education and awareness, making employees aware of phishing attacks, and ensuring that employees are using multi-factor authentication where possible. So that even if the bad guys might be able to steal credentials to their mailbox, they won’t be able to get into that account. That way, the bar will be raised much higher.
One-time passcode through multi-factor authentication using password managers, rather than having employees rely on trying to remember complex passwords or passphrases. If we can get an employee to use a strong password, have multi-factor authentication turned on, and then use single sign-on (SSO) to access systems.
SSO potentially creates risks because if employees don’t do the other stuff and the bad guys get in, they can access everything. But if you’re protecting those credentials, you’re using strong credentials, you’re using multi-factor authentication, and SSO reduces the need to have all these different passwords.
And in the long run, it potentially increases my security. So, because of the rise in the social engineering type of attacks, the account takeovers, the business, email, compromise, that sort of stuff, I think those are some simple things people can do without an enormous amount of costs without a tremendous amount of friction.
And Google and Microsoft have both said that multi-factor authentication alone will block about 99% of all automated attacks. I think that’s a pivotal thing to do, turn that on wherever you can.