Here at the Retail Cyber Intelligence Sharing Center (R-CISC), we're bracing ourselves for one of the busiest times of year — not just for retailers, but for criminals. Of course, not all retailers see huge increases in sales volume right now (when's the last time you got a tire as a present?), but for many, this is a critical period.
During peak shopping windows, availability is everything. If a retailer has an outage during Black Friday or Cyber Monday, every second can cost them. To have a greater impact, denial of service attacks will focus on those times for maximum effect.
We've also seen more extortion and ransomware attacks this year, and they're not just going after banks and retailers. Other organizations are being targeted, and these types of attacks are sure to be a factor this season. Fraudsters will also take advantage of high transaction volumes to try to hide their activities, and they'll rely on the fact that retail staff will be under pressure to make customers happy and keep things flowing smoothly.
Wire transfer phishing emails — appearing to be from one C-suite executive to another — are coming in droves. They typically hit on Friday afternoons, when employees are trying to finish their work and go home. Phishing attacks on consumers are taking the form of purchase- and shipment-confirmation emails, since those are common activities now. Researchers have described other types of attacks, such as triangulation fraud. POS malware is always a concern, and we exchange threat intelligence with partners and within the membership to keep up with the latest, nastiest kinds.
We don't know the full extent of what's being planned, but when we see tens of thousands of fake customer accounts being set up in a short period of time, we know something is coming.
But not all risks come directly from attackers.
With the shift in liability from the card issuers to the merchants last month, the EMV rollout is underway, but in many cases will take additional time to complete. Delays can happen anywhere along the line, from the POS provider's systems to the back-end software integration.
The change in user experience will need to be managed. Consumers in the U.S. are not accustomed to the slower process of inserting a chipped card into the reader, waiting for the transaction to complete, and then removing the card. Multiply this change by millions, and you can only imagine the stress that store employees will face on the biggest shopping days of the year.
Yet, it's not all threats, doom and gloom. Despite the imperative to keep customers happy and transactions flowing, retailers aren't helpless. Many have evolved very sophisticated security programs, and are sharing what they know; this can make all the difference. The R-CISC can support the threat intelligence exchange at a variety of levels, and offer additional resources to help retail and commercial services organizations. We hope to keep this from being the FUDdiest time of the year.
See the R-CISC's new guidance paper, Preparing for the 2015 Holiday Hacking Season, at https://r-cisc.org/resources.