While the holidays are fondly recognized as “the most wonderful time of the year,” they’re quickly becoming known for another reason: holiday hacking surges. As online shopping continues to rise, the holidays become hunting season for attackers.
While online retailers are an obvious target, those businesses aren’t the only ones susceptible to being targeted during the holidays. Banks are also common targets as they process thousands of transactions every day during the last two months of the year.
By the Numbers: The Rise of Holiday Hacking
According to a recent report, financial malware related to cyber-attacks increased by 22% during the holiday season last year. The malware attacks affected more than 319,000 consumers. The report also cited that cybercriminals used around 30 families of banking Trojans, which were responsible for online payment frauds totaling $6.9 billion. (A Trojan is a type of malware that is designed to allow the attacker the ability to manipulate the compromised environment in some way.) The report noted that the days of Black Friday and Cyber Monday in November, and Christmas in December saw noticeably higher hacking activity than average.
While businesses are susceptible to a variety of different cyber-attacks, there are a few common threats that are prevalent during the holidays. Phishing campaigns are one of the most common as attackers try to lure their victims with promises of Christmas sales and promotions. The two primary goals of a phishing attack are to obtain account credentials that could be used to access the target systems or to install software that could be used to manipulate the environment or exfiltrate sensitive information to the attacker.
Fraudsters are also active attacking banks by placing skimmers on ATMs and POS terminals. A cleverly designed and installed skimmer is nearly unnoticeable by most users and will allow the attacker to capture the information on the magnetic stripe of the card as well as the PIN code that can be later used to access the victim’s bank account.
Another holiday threat is DDoS. A distributed denial-of-service attack is a cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. A DDoS attack may not result in a data breach, but unplanned downtime of its eCommerce site could cost the affected merchant lots of money in lost sales during the busiest season of the year.
So how can retailers and banks prepare for the surge in cyber attacks around the holidays? Here are a few tips:
Holiday Hacking Tips for Retailers
- Ensure your eCommerce systems are up-to-date on patches and that they have been configured to disable unnecessary services and eliminate default settings. Unpatched systems and vulnerable default settings are common vectors of attack. The bad guys often find they don’t need to resort to sophisticated attacks if the basic security issues haven’t been addressed properly.
- Protect your POS terminals with a dedicated security solution by confirming the version of the POS solution you are using is certified to the Payment Application Data Security Standard (PA-DSS) and that you have configured it as specified in the PA-DSS implementation guide. Also, be sure to periodically inspect POS systems for tampering to identify attempts at installing skimmers.
- Monitor your environment for attempted intrusions and other anomalies. Be sure that you have an incident response process in place to respond to suspected security issues before they become major incidents.
- Don’t leave anything to chance. Hire an independent third-party provider to conduct a comprehensive audit of your website to validate your security posture and ensure that you are sufficiently protected before the busy transaction season begins.
Holiday Hacking Tips for Banks
- Conduct a security audit and penetration test of your network and systems. Sometimes the best defense is a good offense. By conducting a penetration test, you’re able to identify any holes in your systems before the bad guys do.
- Use a multi-layered security approach to protect against fraud. A layered, defense-in-depth strategy utilizing multiple security controls and protections eliminate the need to rely on a single control to provide sole and complete protection against a particular type of attack. With a layered approach, if one control fails or is circumvented, other protections may still prevent the successful attack.
- Train your employees to be aware of potential cyber threats. Helping your employees know how to identify a potential attack and taking the appropriate steps to help stop attacks is key. The more eyes, the better!
- Just as online retailers should, monitor your environment for attempted intrusions and other anomalies. Be sure that you have an incident response process in place to respond to suspected security issues before they become major incidents.
The last thing you want to deal with during the busy holiday season is a cyber-attack. Connect with our team today with questions about protecting your business during the holidays.