Thwarting online retail hackers

It is hard to feel sorry for websites. But if you think about them as being a bit like shop owners, it is worth considering that 63 per cent of online merchants are struggling to keep on top of fraud attacks, according to research by payments processing firm Worldpay.

Some have had very public struggles. At the end of 2013, US retail giant Target had 40 million credit and debit card account details stolen by hackers. The upshot was that it cost the company $162 million not covered by insurance.

It is, of course, the responsibility of the merchant to keep their goods, cash and customer information secure, but it is also worth remembering they are being targeted by technically minded criminals, while trying to keep pace with a very demanding customer base.

Jackie Barwell, director of fraud product management at payments specialists ACI Worldwide, says: “If you look at a retailer like Next, they have competed to be one of the best in the market at delivery. At one point, if you ordered by 9pm you could get next-day delivery; now it is possible if you order by midnight. There is continual, marketing-led pressure to be the best in order to attract the customer to your website. The fraud team have to try and keep up with that.”


Multiple entry points for hackers

The rapid pace of change in terms of channels, payment mechanisms, and capacity for fraudsters to gain access to data and systems makes it hard for the e-commerce merchant’s security team to know where there may be a threat and how to counter it. Crucially, the team has to increase security while minimising any negative impact on customer experience. But often there is no real technology discipline around a merchant’s operations.


Paul Ducklin, senior security adviser at security software and hardware provider Sophos, was interviewed in a coffee shop that had three different means of mobile payment, a credit card machine, a computer used to update the shop’s Facebook page and free wi-fi.

“What could possibly go wrong?” he asks. “The problem is that at a small business like this, there are no IT staff; they are trying to be very convenient and they are trying to be on social media. But at least all the devices are not on one network. The step-up to a small shop is that the accounting system is now on a PC on the same network as a PC to read Facebook and the point-of-sale devices. And we see that attitude extend all the way up to the top [shops].”

UK retail fraud

Worldpay’s research indicates that 77 per cent of merchants say a multi-channel payments approach makes fraud more difficult to identify, manage and prevent, yet nearly 80 per cent of businesses surveyed expect alternative payment methods to increase in the next two years. From a technical perspective, each new method offers a new point of entry, and when a breach occurs in an interconnected environment the hacker has often crossed a border after which no one ever challenges their right to be where they are.

“Once they were in [at Target], hackers were able to pull off 20,000 thousand smaller intrusions in separate Target stores across the US and implant malware on every point-of-sale register,” says Mr Ducklin.

Keeping the customer in mind

Scott Boding, senior director in risk solutions product management at security firm CyberSource, says the use of card-on-file accounts online, which remove the need to re-enter card details into a website, is particularly dangerous. When coupled with the purchase of non-physical goods, such transactions can be hard to trace. However, he says security measures should not automatically impede the customer experience.

“Ideally they augment customer service, providing additional information for how to handle different situations and quickly speed any customer interaction needed,” he says. “If designed holistically, protective strategies can be used to assess risk. Depending on that risk assessment, merchants can then choose to employ a step-up authentication.”

The technology that delivers this security can range from a few basic rules, such as picking up when a card issuer reports a card has been declined, to artificial intelligence, learning and spotting unusual spending or behaviour patterns.

At the core is a suite of systems looking for anomalies and providing additional data gathering, says Mr Boding.

“A machine-learning-based system on top of that is essential for identifying complex and subtle fraudster behaviours,” he says. “Finally, a flexible rules engine to manage different segments, such as geographies, channels, products and customers, is critical for handling different types of risk appetite.”
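The architecture Mr Boding describes, basic rules, a model-based anomaly signal, and a rules engine with segment-specific risk appetite feeding a step-up decision, is sketched below as an added example. It is not CyberSource's product or code, and every rule name, weight, threshold and sample transaction is a constructed assumption chosen to show the decision flow rather than a tuned policy; the anomaly score is assumed to come from an upstream model that is not part of this snippet.

```python
"""Constructed illustration of risk-based step-up authentication.

Each rule contributes a weight to a 0-100 risk score; the ML anomaly score
is treated as one more input; a per-segment policy (country, channel) then
maps the score to approve / step_up / decline.  Not a vendor's engine.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Transaction:
    amount: float
    billing_country: str            # ISO 3166 alpha-2 code from the order
    ip_country: str                 # geolocated from the session IP
    channel: str                    # "web" or "mobile_app"
    card_on_file: bool              # stored credential, no card re-entry
    digital_goods: bool             # non-physical goods: nothing to ship
    issuer_declined_recently: bool  # issuer reported a recent decline on this card
    account_age_days: int
    anomaly_score: float            # 0.0-1.0, assumed output of an upstream model


# (name, predicate, weight).  Weights are constructed, not calibrated.
RULES: List[Tuple[str, Callable[[Transaction], bool], int]] = [
    ("issuer_declined_recently", lambda t: t.issuer_declined_recently, 60),
    ("geo_mismatch", lambda t: t.billing_country != t.ip_country, 25),
    ("card_on_file_digital_goods", lambda t: t.card_on_file and t.digital_goods, 20),
    ("new_account_high_value", lambda t: t.account_age_days < 7 and t.amount > 200, 20),
    ("model_anomaly", lambda t: t.anomaly_score >= 0.8, 40),
]

# Segment risk appetite as (step_up_at, decline_at) on the 0-100 score.
# Hypothetical values: e.g. app sessions are device-bound so tolerate more.
DEFAULT_THRESHOLDS: Tuple[int, int] = (40, 80)
SEGMENT_THRESHOLDS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("GB", "web"): (40, 80),
    ("GB", "mobile_app"): (50, 85),
    ("US", "web"): (30, 70),
}


def score(tx: Transaction) -> Tuple[int, List[str]]:
    """Sum the weights of every rule that fires; cap the total at 100."""
    fired = [(name, weight) for name, pred, weight in RULES if pred(tx)]
    total = min(sum(weight for _, weight in fired), 100)
    return total, [name for name, _ in fired]


def decide(tx: Transaction) -> Dict[str, object]:
    """Map the score to an action using the segment's thresholds."""
    total, fired = score(tx)
    segment = (tx.billing_country, tx.channel)
    step_up_at, decline_at = SEGMENT_THRESHOLDS.get(segment, DEFAULT_THRESHOLDS)
    if total >= decline_at:
        action = "decline"
    elif total >= step_up_at:
        action = "step_up"       # e.g. prompt for 3-D Secure or a one-time code
    else:
        action = "approve"
    return {"score": total, "rules": fired, "action": action, "segment": segment}


# Constructed sample transactions (not real customer data).
SAMPLES = {
    "routine_gb_web": Transaction(35.0, "GB", "GB", "web", False, False, False, 400, 0.10),
    "cof_digital_geo_web": Transaction(60.0, "GB", "FR", "web", True, True, False, 400, 0.20),
    "cof_digital_geo_app": Transaction(60.0, "GB", "FR", "mobile_app", True, True, False, 400, 0.20),
    "declined_and_anomalous": Transaction(900.0, "GB", "GB", "web", False, False, True, 30, 0.95),
}

if __name__ == "__main__":
    for label, tx in SAMPLES.items():
        print(label, decide(tx))
```

The same 45-point order is stepped up on the web segment but approved in the app segment, which is the "different risk appetite per segment" point in the quote: the score is shared, the policy is not. Keeping the fired rule names in the decision record is what lets the fraud team audit why a customer was challenged.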

But to really minimise customer inconvenience, a firm should ensure its e-commerce hygiene is maintained, thereby limiting the ability of criminals to access one part of the business and then run riot through the rest of it. Otherwise customers will get wise, says Mr Ducklin.

“For a lot of merchants, particularly those who run multiple stores and sites, and have an IT team, very little of what they need to do to make e-commerce work is going to be troublesome for their customers,” he says. “However, as customers become better informed and realise perhaps the big TVs in a store are running an out-of-date operating system, they are going to be increasingly wary about putting their card or card details into that firm’s network.”