Richard Bird
Black Friday Cybersecurity: Insights from Traceable Chief Security Officer, Richard Bird.
It’s that time again — the season of Black Friday and Cyber Monday, and all the cybersecurity trimmings that come along with them. This time of year, retail and e-commerce shops and services providers see massive activity with those taking advantage of deep discounts, and unfortunately, it also means one of the most vulnerable times when it comes to cyberattacks.
The Most Frequent Attack Types on Black Friday
Black Friday and the holidays aren’t just a time for giving, but they are also the prime time for “taking” by the bad guys. The most common attacks during this time are ones that take advantage of our distractions as consumers and security professionals, and the increased volume of our online transactions.
The bad actors are going to focus on any weakness in your cybersecurity defenses that are susceptible to fraudulent account takeover (ATO) or account creation, automated attacks leveraging bots to scrape, steal and scalp data from all of our web assets and phishing attempts that pinpoint our emotional desires and anxieties that we experience during the holiday season.
What CISOs and eCommerce Business Owners Can Do to Prevent Attacks in the Short-term
Security and business leaders in the e-commerce space need to embrace the knowledge, data and experiences they’ve gained over the last 3 to 4 years, instead of re-inventing the wheel.
The most common methods of attack that you’ve experienced in prior holiday seasons is exactly the way you’ll be attacked this year too. Why? Because of the success the bad guys have had in that same time period. Bad guys go with what works, which means you should be well prepared to fight their efforts.
Err on the side of security with new account creations by leveraging identity proofing tools, monitor your riskiest API calls and aggressively review your highest trafficked target pages for exploitable weaknesses. Cybersecurity professionals should be thinking like the Grinch during the holidays in all the clever ways that he snuck presents away from the trusting citizens of Whoville.
MFA is a great tool for everyone in the digital world, from consumers to IT workers. But it is crucial during the holiday season to acknowledge the well known weaknesses of the authentication method.
MFA is a proven target for social engineering, and with the substantial up-tick in online traffic during the holiday season e-commerce organizations must take steps to educate their consumers or provide tool-tips during the customer sign-in transaction to encourage users to be hyper aware of the risks of phishing and social engineering when it comes to their multi-factor authentication actions.
For a Long-term Approach, Considerations for Zero Trust
While it’s too late in 2022 to consider a zero trust strategy for your holiday defenses, it is never a bad time to embrace aspects of zero trust in your day-to-day operations. Particularly during the holiday season. Cybersecurity professionals should be scanning environments, web pages and assets specifically for misconfigurations that are allowing open end points or lateral exploit capabilities via APIs.
Inherently trusting that an API intended for use by applications won’t be used by bad actors for other purposes is the type of mistake the bad guys relish. Don’t just have a healthy distrust of hackers and antagonistic nation-state actors, have a healthy distrust for you own preparedness and question everything about your operational run-time environments, because that’s what the bad guys are doing.
Prevent Now Rather than go Bankrupt by Paying Later After a Threat
Like the old saying goes, an ounce of protection is better than a pound of cure. While recovery capabilities are crucial for companies today, the reality is that companies are struggling mightily to weather the costs of a breach.
The cost of attacks don’t just accrue after an incident. Today’s API and application-borne attacks are a huge risk to day-to-day operations and revenue. And the holiday season is exactly when companies can’t afford to be taken off-line or lose a cent of sales dollars.
Add in the increasing possibility of fines and penalties for failing to protect customer data and the total impact of a breach and we can begin to grasp why 60% of small and medium sized businesses go out of business within 6 months of a successful attack. Investing even a little bit more in cybersecurity, whether that be measured in dollars or focus, is better than going broke after you’ve been hacked.
Payment Providers and Banks Need to Implement Solutions Now
The recent and embarrassing exploit of Zelle and the ongoing fraud that leverages payment platforms like PayPal shows the troubling weaknesses in both the technology and processes that are used by payment providers and banks. This historical performance should have both of these types of organizations on high alert for the holidays.
Payment providers and their e-commerce customers are becoming ever more dependent on the connections between each other and bad guys are pouncing on their technical and social engineering weaknesses to execute a decidedly old-school style of “man-in-the-middle” attacks to defraud consumers.
Payment providers and banks need to accept the responsibility for the tools they create and provide to their end-users and not shirk their obligations when those tools are exploited by bad actors. Victim blaming has been the most common response this past year, which is not a sustainable long-term strategy for payment providers and banks if they want to retain their customers and revenue base.
About Traceable
Traceable is the industry’s leading API security platform that identifies APIs, evaluates API risk posture, stops API attacks, and provides deep analytics for threat hunting and forensic research. With visual depictions of API paths at the core of its technology, its platform applies the power of distributed tracing and machine learning models for API security across the entire software development lifecycle. Book a demo today.
