FRAMINGHAM – One predictable trend in recent years has been a sharp increase in online attacks directed against retailers during the holiday shopping season.
This year is proving to be no different either, with malicious hackers mounting all out efforts to breach retail networks, steal payment card data and compromise customer accounts — and during one of the busiest online shopping seasons.
What’s different is that more retailers are better prepared because of their implementation of security controls mandated by the major credit card companies under the Payment Card Industry (PCI) data security standard, say security analysts.
A new report from security vendor SecureWorks Inc. confirms that cybercriminals are not letting the economic gloom to dampen their efforts to go after the online retail community in a big way.
A review of traffic on the networks of three dozen of SecureWorks’ retail customers shows the usual dramatic increase in attempts to break into retail systems in the buildup to this holiday season.
The number of network scans looking for open ports and other entry points into retail networks, for example, increased from an average of 56,000 per retailer a month in the first six months of the year, to an average of 202,000 in October. Such scans are sometimes seen as a precursor to targeted attacks.
The increase in scanning activity was followed by a surge in the number of attempted authentication attacks, which are attempts to compromise user names and passwords on retail networks. Such attacks jumped more than four-fold, from an average of 34,000 per retailer per month in the first five months of the year to 137,000 in November.
There’s little doubt that retailers are the ones being specifically targeted. SecureWorks found a 161 percent increase in attempted attacks against retailers overall from the first six months of the year to the last five months of the year, compared with an 11 percent increase in attacks against banks during the same period.
Wayne Haber, director of infrastructure at SecureWorks, said the numbers were predictable, but the amount by which the malevolent activity had surged this year still was “somewhat surprising.”
“We usually see an increase, but not an increase of this level,” Haber said.
The reasons for such increases are not hard to find. Gartner Inc. analyst Avivah Litan said that with online shopping about two to three times heavier between Thanksgiving and the new year compared with the rest of the year, fraudsters know they can get away with their crimes more easily.
“Their fraudulent transactions get lost in the ‘noise’ of the higher volume of legitimate transactions, and retailers don’t have time to review the increased suspect transactions so they often let them go through,” Litan said.
Retail systems such as inventory, shipping, sales, orders and customer service are much busier during this time, so criminal activity such as network intrusions, “can much more easily be hidden amidst the mad shuffle,” she said.
However, Litan said that with the money spent on PCI-related security improvements, she expects to see attackers turn their sights on smaller, more vulnerable retailers. “…The truth is that determined crooks can likely make their way through at least a third of the large retailers who think they are secure,” she added.
PCI standards require all companies that accept payment card transactions to implement a variety of security controls for protecting card data.
So-called tier-1 companies which process more than 6 million card transactions annually and tier-2 companies face a variety of penalties for non-compliance, especially if they are breached. Although industry-wide PCI compliance is still a work in progress, many of the largest companies are believed to be compliant.
“From our experience, dealing with retailers that have complied with the majority of the key PCI regulations are definitely better prepared for these threats then those that have not,” Haber said. This is especially true if the retailers have remedied issues found in previous PCI audits, he said.
Retailers that have not yet implemented measures needed to observe best practices to thwart those seeking to attack them, Haber said. For example, Web services and systems that require user authentication need to require complex passwords and employ password aging measures to ensure they are routinely changed.
Also, many automated authentication attacks use brute force methods to guess at passwords. One way to radically slow down such automated methods is to implement authentication delays and automatic lockouts after repeated failed login attempts, Haber said.
Web firewalls should be used to block everything that is going in and out of a network except for explicitly allowed traffic. Companies need to also scan and test their Web applications to ensure they are not vulnerable to Web attacks such as SQL injection, Haber said.
