Retailers and shoppers alike are holding their breath as the holiday shopping season nears. As sales peak and massive consumer data flows through point-of-sale programs everywhere, what comes with the merry spirit is the high risk of cybercrime. Retailers are vulnerable and unprepared, a new study by SecurityScorecard, a security ratings agency, shows.
“Retailers are a prime target for cybercriminals,” Sam Kassoumeh, cofounder of SecurityScorecard, said in a statement. “As we have seen with recent breaches, the lack of basic security controls and best practices can lead to a compromise of consumer data that can have a long-lasting impact on customers.”
A 2017 study by PwC shows that more than 4,000 cybersecurity incidents hit the retail sector last year. SecurityScorecard estimates that one cyber attack costs an e-commerce retailer $4 million, and a data breach costs $172 per record. The damage eventually falls onto consumers in the form of fraudulent charges and identity theft.
SecurityScorecard analyzed the state of cybersecurity of 1,924 U.S. retailers and nine credit card issuers during the period from January to October, and identified retailers’ major areas of concern and what consumers can do to protect themselves.
The weak links: Cybercrime can happen at any link in a retailer’s IT structure. The study finds that web applications, ranging from basic Wi-Fi networks to third-party payment processors, are the most vulnerable entry points for hackers.
One root cause is the extensive use of third-party services, Alex Heid, chief research officer at SecurityScorecard, told Observer.
Third-party payment processors, for example, increase the risk of credit card fraud.
“Traditionally, retailers kept their payment information locally and encrypted. But some businesses failed to encrypt their information and fell victim to data breaches. Over the last decade, the industry has responded to the challenge by switching to a tokenized payment model, where merchants store their payment information on a third-party service,” Heid said. “This is essentially outsourcing risks.”
Social engineering, where hackers send phishing emails to trick consumers into visiting fraudulent sites, is another common tactic in cybercrime. “There is a massive amount of consumer email lists circling around in the market,” Heid said, as a result of past data leaks at companies like LinkedIn and Dropbox. Owners of these email addresses are all potential victims of phishing.
Past SecurityScorecard studies have shown that social engineering schemes are three times more prevalent in November and December than in slow shopping seasons.
What can consumers do? Cyber attacks often don’t stem directly from merchants, but from their vendors, payment processors, and other parties in the supply chain that are invisible to consumers. However, there are things consumers can do to prevent, or control, damage from a security breach on the merchant’s side.
Heid offered three tips for consumers to protect themselves in this shopping season:
1) Don’t use one password for all shopping platforms. Hackers often steal passwords from one platform and use them to break into other platforms. Having multiple passwords can reduce the risk of one compromised account quickly spreading to others.
Another option is using a password management system, such as KeePass or LastPass.
2) Watch out for phishing emails. Many phishing emails are disguised as password reset messages, security alerts and surveys. Consumers should not open or follow the leads in these emails if they come from suspicious senders.
3) Many banks offer virtual credit cards, an electronic payment tool that generates a one-time credit card number for purchases. Virtual cards are safer than physical credit cards because they eliminate the possibility of fraudulent charges on stolen cards.