Technology Executive Council
To join the CNBC Technology Executive Council, go to cnbccouncils.com/tec
Opinion - Technology Executive Council

Op-ed: How to protect yourself from cybercrime when holiday shopping online

Tom Kellermann, Head of Cybersecurity Strategy, VMware Carbon Black
Share
Key Points
  • According to the FBI, cybercrime has increased by 400% this year.
  • Increasingly savvy cybercriminals are deploying tactics like "e-skimming attacks," where they inject malicious code into website payment processing pages in order to siphon credit cards and account credentials from customers.
  • There are things consumers should do to protect against cybercrime including shopping with a VPN on a secure network, says Tom Kellermann, head of cybersecurity strategy, VMware Carbon Black.
Kerkez | Getty Images

The 2020 holiday season looks a little different this year amid the global pandemic, which has accelerated digital transformation for many retailers nearly overnight. More than ever, consumers are flocking online for holiday shopping. In fact, consumers spent $9 billion on U.S. retail websites on Black Friday -- a 22% increase over the previous record of $7.4 billion set on Black Friday 2019.

 For cybercriminals, the sudden shift to e-commerce for both shoppers and retailers is a gold rush. According to the FBI, cybercrime has increased by 400% this year. Increasingly savvy cybercriminals are deploying tactics like "e-skimming attacks," where they inject malicious code into website payment processing pages in order to siphon credit cards and account credentials from customers. Magecart is one of the most prominent groups behind this activity, consistently extending their capabilities and improving their tactics to infiltrate e-commerce applications, evade detection, and sell sensitive card data.

 What does this all mean for consumers? It could mean that credit card data is up for sale on dark web forums right now without shoppers ever being aware of it. In fact, recent VMware Carbon Black research into dark web forums found swiped credit card information for sale on the dark web for the mere cost of $10 per high balance card. Similarly, PayPal accounts are selling for $2 to $10 each, with prices varying based on how much is available in the account.

 The reality is that holiday hacking poses a serious significant risk for consumers and a herculean challenge for retailers. The good news is there are ways to stay one step ahead of attackers via cyber self-defense. Here are some tips both consumers and retailers can use to ensure this year's online shopping is as seamless and secure as possible:

How shoppers can protect against cybercrime

Shop with a VPN: The use of virtual private networks (VPNs) has become increasingly popular over the years for the simple reason that it is effective. VPNs help to conceal network traffic in a way that makes it more difficult for attackers to tell what you're doing online. Turning on a VPN before your next online shopping spree can go a long way in preventing attackers from gaining access to your information.

Keep software up-to-date: One of the most common attack vectors for hackers is to target older versions of software with known vulnerabilities that they can exploit. By updating all software and applications on your devices prior to shopping, you can harden your device against exploitation.

VIDEO1:1401:14
Online holiday shopping sales expected to increase between 20%-30%: NRF

Use a nextGen anti-virus:  Employing a modern antivirus solution is fundamental to staying secure in a time of unprecedented hacking sophistication. Contrary to popular belief, this also applies to Apple devices.

Shop at home on a secure network: Public WiFi is always something to be wary of, but the risk becomes notably greater where online transactions and credit card data are involved. Any holiday shopping on a network that is not your own should be avoided, as public WiFi networks are often watering holes for malicious actors looking to snoop on traffic and steal valuable data.

Use multifactor authentication: In the same way that you have both a house key and an alarm code to protect the integrity of your home, having both a password and device for authentication in place will help protect you from cybercrime.

Click carefully: From phishing emails and texts promoting fake sales that will direct you to false websites designed to steal your credit card to letting your data be exposed by unsecured retail websites, every click counts. Thinking before you click is always essential, but when attackers are pulling out all the stops to fool you as they normally do during the holiday shopping season, taking the time to assess links and websites before giving them any of your data is imperative.  Remember the rule of R2:  Read the headers the Reply to and Return path must be the same.

 For retailers: visibility is key

One of the biggest challenges facing retailers from a security standpoint is how broad the attack surface has become. The move to online retail practices has expanded the methods cybercriminals can use to breach systems, and securing customer data requires the latest technologies and practices. Retailers must secure the integrity of both end user and point-of-sale (POS) systems, while maintaining the ability to monitor network activity for both preventative and forensic measures in the event of an attack. Here's how:

Integrate network intrusion detection systems with end-point detection systems:  Retailers should be certain that end-point detections systems are communicating with intrusion detection systems. Taking this measure will ensure that defenders have the entire picture when or if attacks occur.

Establish visibility and data streams: Getting real-time data from endpoints and other systems that interact with an organization's network such as retail websites is an essential capability. This data can then be used to prevent network intrusions or the deployment of malicious malware such as Magecart skimmers. If left unchecked, criminals would be able to use these attack methods to steal valuable payment information such as credit card numbers, names, and physical and email addresses.

Keep software up-to-date: Hardening is an imperative. Retailers should ensure that all applications are up-to-date via patch management and vulnerability prioritization. They should also conduct regular code integrity checks and implement firewalls as added defense.

Microsegment: Leveraging microsegmentation means keeping networks and tools separate from one another in terms of connectivity. Using this technique will insulate retailers from cybercrime events in that it reduces the ability of hackers to move within and between systems once one particular component has been breached.

 There's no doubt holiday shopping is going to be a bit different than previous years for us all. The risk of cyberattacks are higher than ever as cybercriminals leverage new and sophisticated attacks. These malicious actors remain serial opportunists, and the rapid shift to online shopping has proven a boon to their criminal operations. The cybercrime wave of 2020 is metastasizing, with increased vigilance from shoppers as well as proactive security measures from retailers both can ensure a secure holiday shopping season ahead. Cybersecurity is a functionality of conducting business in 2020.

 

 By Tom Kellermann, head of cybersecurity strategy, VMware Carbon Black and a member of CNBC's Technology Executive Council