The busiest time of the year for e-tailers is upon us, with online holiday sales forecast to grow by as much as 15% to 82B (source: National Retail Federation, http://www.nrf.com). Bloomberg says AMZN, for instance, will get 35% of its total sales in the last three months of 2013.
Online shopping growth has been on a serious upswing in recent years, aided in part by the spike in apps and coupons targeting smartphone and tablet users, who are embracing shopping on the go with greater trust.
This, too, is when cybercriminals kick their activity into high gear, looking to take advantage of distracted IT staff and security teams reluctant to interrupt business flow, in order to conduct their scams unabated. According to the Ponemon Institute’s 2013 eCommerce Cybercrime report, thieves masquerading as online shops and legitimate buyers will employ a number of ways to make money, including awards-points scams, hacked mobile coupons, and hoarding goods in shopping carts until deals take effect so they can buy at rock-bottom cost and resell.
But the number one way that hackers will target ecommerce this holiday season is through botnets and DDoS attacks that aim to disrupt online shop availability.
You would think that with so much on the line—a minute of downtime translates to $8K in losses according to @davidautter in his article Cyber Monday Financial Stakes High for Ecommerce and Criminals—that businesses would be making security a top priority, especially given that Black Friday and Cyber Monday kick off a months-long buying boom. But as the study indicates, most firms believe that identifying and stopping automated attacks on their ecommerce servers is too difficult.
And they would be right. Dealing with DDoS attacks entails, effectively, refusing certain traffic types that are assumed to originate from malicious sources. In other words, if you are going to identify a botnet or a DDoS attempt, you had better be right. Otherwise, you will be shutting out legitimate buyers. This false-positive wariness with traditional mitigation tactics is somewhat justified, but firms have options in newer techniques for fending off automated attacks. Heuristic-based application DDoS mitigation and intrusion deception are very promising technologies that thwart unwarranted access to web applications with very high accuracy. Given the percentage that holiday buying adds to overall e-tailer revenue, they are worth a look.
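As an added illustration of the false-positive trade-off just described (this is not code from the article or from any product it mentions), the script below scores constructed access-log lines with several independent heuristics and only flags a client when more than one fires, so a fast but genuine shopper trips a single rule and is left alone. The log format, IP addresses, paths and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines ("timestamp ip path user-agent"), invented for
# this illustration; nothing here comes from a real shop or from the article.
SAMPLE_LOG = (
    # Hoarding bot: 30 cart adds in 30 s, never checks out, sends no user agent
    [f"2013-11-29T08:00:{s:02d} 10.0.0.5 /cart/add -" for s in range(30)]
    # Ordinary shopper: 10 adds over ten minutes, then a checkout
    + [f"2013-11-29T08:{m:02d}:00 10.0.0.9 /cart/add Mozilla/5.0" for m in range(10)]
    + ["2013-11-29T08:10:00 10.0.0.9 /checkout Mozilla/5.0"]
    # Hurried shopper: clicks fast, but has a browser UA and really pays
    + [f"2013-11-29T09:00:{s:02d} 10.0.0.7 /cart/add Mozilla/5.0" for s in range(12)]
    + ["2013-11-29T09:00:12 10.0.0.7 /checkout Mozilla/5.0"]
)

def client_stats(lines):
    """Aggregate per-client counters and activity window from the log."""
    stats = defaultdict(lambda: {"first": None, "last": None, "reqs": 0,
                                 "adds": 0, "checkouts": 0, "no_ua": 0})
    for line in lines:
        ts, ip, path, ua = line.split(" ", 3)
        s, t = stats[ip], datetime.fromisoformat(ts)
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
        s["reqs"] += 1
        s["adds"] += path == "/cart/add"
        s["checkouts"] += path == "/checkout"
        s["no_ua"] += ua == "-"
    return stats

def signals(s, max_rps=0.5, hoard_adds=20):
    """Independent automation indicators; thresholds are illustrative."""
    span = max((s["last"] - s["first"]).total_seconds(), 1.0)
    found = []
    if s["reqs"] / span > max_rps:
        found.append("burst")            # faster than a person clicks
    if s["adds"] >= hoard_adds and s["checkouts"] == 0:
        found.append("cart_hoarding")    # fills carts, never pays
    if s["no_ua"] == s["reqs"]:
        found.append("no_user_agent")    # real browsers always send one
    return found

def classify(lines, min_signals=2):
    """Flag clients with at least min_signals indicators; one alone (a burst,
    say) is often just a fast human, the false positive the article warns of."""
    flagged = {}
    for ip, s in client_stats(lines).items():
        found = signals(s)
        if len(found) >= min_signals:
            flagged[ip] = found
    return flagged
```

Lowering `min_signals` to 1 also flags the hurried shopper at 10.0.0.7, which is exactly the legitimate buyer a single-rule rate limiter would shut out.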
As for consumers, the FBI has some great tips for spotting fraud. I’ve reposted them below.
- New products or gift cards being sold on auction or classified advertisement websites where the price is significantly lower than any sales price in retail outlets;
- “One day only” websites featuring the sale of specific items in high demand;
- Phishing and scam e-mails, text messages, or phone calls that look or sound like they’re coming from a well-known retailer and that ask you to verify a credit card number or to update personal account information; and
- Gift card offers on social media sites claiming to be from major retailers; often, these offers are used to gain access to your social media account and personal information.
They boil down to this: if it sounds too good to be true, it probably is. Happy and safe holidays.