The holidays are upon us and the shopping season is kicking into high gear. This year, an estimated 270 million consumers will shop online and, for the first time, more than half of them will use mobile devices to check off their holiday shopping lists.
With consumers searching for holiday discounts through display ads, social media and email, malvertising and email spam will be significant vectors for cybercrime this season — especially for mobile shoppers. This is worrisome for the simple reason that most mobile devices do not possess the ability to block many of these threats, leaving their users more exposed as attackers seek to profit during the busiest time for online commerce.
‘Through research, Talos found that Android users are particularly vulnerable. Of all the Apple and Android OS blocks observed on Cisco’s Cloud Web Security (CWS) platform, the Talos team found that nearly 95% were Android-related. At the heart of the problem, many users are running significantly older versions of the Android OS, which lack the security updates for today’s most persistent threats. This holiday season, we advise that our mobile shoppers exercise additional caution.’
What are measures retailers can take to heighten their online security?
Alan W. Silberberg, CEO of Digijaks and advisor on cybersecurity for the US Small Business Administration, says retailers need to use two-factor authentication for any of their online sales, marketing or e-commerce platforms, and that passwords cannot be saved in any kind of clear file; they need to be encrypted and hashed.
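The password point above is the one most often got wrong in practice, so here is an added example (not code from the article or from Silberberg) of what storing a password "hashed" rather than in a clear file looks like: a per-user random salt, a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library), a self-describing record so the work factor can be raised later, and a constant-time comparison on login. The iteration count and record format are this example's own choices, not values from the article.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Assumption: chosen for this example;
# raise it over time as hardware gets faster.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$digest_hex.

    Only this record is written to the user store; the password itself never is.
    A fresh random salt per user means two users with the same password get
    different records, so a leaked store cannot be attacked with one table.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt/iterations and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False  # unknown or corrupt record: fail closed
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_contains_password(password: str, record: str) -> bool:
    """Sanity check used to show the stored record is not a 'clear file' entry."""
    return password in record


if __name__ == "__main__":
    # Constructed demo credential; not real data.
    stored = hash_password("winter-sale-2015")
    print(stored)
    print("login ok:", verify_password("winter-sale-2015", stored))
    print("wrong password:", verify_password("winter-sale-2016", stored))
```

Store the whole record string in the user table; on login call `verify_password` with the submitted password. Because the iteration count travels with the record, old records keep verifying after `ITERATIONS` is increased and can be re-hashed on the user's next successful login.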
- Do not allow guest checkouts. A surprising number of online retailers have this feature.
- Only allow secure connections, meaning use HTTPS not just HTTP.
- Don’t store sensitive data. If sensitive data must be stored, use very strong encryption.
- Monitor systems constantly and set up alerts based on activity, transaction amount and volume.
- Enforce address and credit card verification. Again, a surprising number of platforms and sites don’t require the CVV.
- Do not assume that your hosting provider is current on the latest patches and on PCI compliance.
- Get external security audits done regularly. There are many agencies that specialize in this.
- Have a very clear disaster recovery plan to restore systems in case of an attack that takes the primary system offline.
- Ask your solution provider or hosting partner to provide you with a copy of their disaster recovery plan.
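The monitoring and verification items in the list above ("set up alerts based on activity, transaction amount and volume" and "enforce address and credit card verification") can be made concrete with a small rule engine. The following is an added example, not code from the article or from Silberberg: it runs three alert rules over a constructed batch of transactions, flagging a single large amount, a transaction where the CVV or address (AVS) check was skipped, and a burst of transactions from one account inside a short window. Thresholds, field names and the sample records are this example's assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Alert thresholds. Assumption: illustrative values, not figures from the article;
# a real shop tunes these against its own order history.
RULES = {
    "max_amount": 1000.00,          # a single transaction above this is flagged
    "max_tx_per_window": 3,         # more than this many per account in the window is flagged
    "window": timedelta(minutes=10),
}

# Constructed sample transactions for the example; not real customer data.
SAMPLE_TRANSACTIONS = [
    {"id": "tx-001", "account": "cust-17", "amount": 59.99,   "time": "2015-11-27T09:00:00", "cvv_verified": True,  "avs_verified": True},
    {"id": "tx-002", "account": "cust-17", "amount": 2499.00, "time": "2015-11-27T09:01:00", "cvv_verified": True,  "avs_verified": True},
    {"id": "tx-003", "account": "cust-42", "amount": 19.50,   "time": "2015-11-27T09:02:00", "cvv_verified": False, "avs_verified": True},
    {"id": "tx-004", "account": "cust-99", "amount": 10.00,   "time": "2015-11-27T09:03:00", "cvv_verified": True,  "avs_verified": True},
    {"id": "tx-005", "account": "cust-99", "amount": 10.00,   "time": "2015-11-27T09:04:00", "cvv_verified": True,  "avs_verified": True},
    {"id": "tx-006", "account": "cust-99", "amount": 10.00,   "time": "2015-11-27T09:05:00", "cvv_verified": True,  "avs_verified": True},
    {"id": "tx-007", "account": "cust-99", "amount": 10.00,   "time": "2015-11-27T09:06:00", "cvv_verified": True,  "avs_verified": True},
    {"id": "tx-008", "account": "cust-99", "amount": 10.00,   "time": "2015-11-27T10:30:00", "cvv_verified": True,  "avs_verified": True},
]


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value)


def evaluate(transactions, rules=RULES):
    """Return a list of (rule_name, transaction_id, detail) alerts.

    Transactions are processed in time order so the velocity rule sees a
    realistic stream rather than whatever order the batch arrived in.
    """
    alerts = []
    recent_by_account = defaultdict(list)  # account -> timestamps inside the window

    for tx in sorted(transactions, key=lambda t: parse_time(t["time"])):
        # Rule 1: unusually large single transaction.
        if tx["amount"] > rules["max_amount"]:
            alerts.append(("high_amount", tx["id"],
                           f"amount {tx['amount']:.2f} exceeds {rules['max_amount']:.2f}"))

        # Rule 2: card verification was not enforced for this order.
        if not (tx["cvv_verified"] and tx["avs_verified"]):
            alerts.append(("verification_missing", tx["id"],
                           "CVV or AVS check not performed"))

        # Rule 3: velocity. Keep a sliding window of timestamps per account and
        # drop anything older than the window before counting.
        now = parse_time(tx["time"])
        window = recent_by_account[tx["account"]]
        window.append(now)
        while now - window[0] > rules["window"]:
            window.pop(0)
        if len(window) > rules["max_tx_per_window"]:
            alerts.append(("velocity", tx["id"],
                           f"{len(window)} transactions from {tx['account']} within {rules['window']}"))
    return alerts


def alert_ids(transactions, rule_name, rules=RULES):
    """Transaction ids that triggered one named rule; handy for tests and dashboards."""
    return [tx_id for name, tx_id, _ in evaluate(transactions, rules) if name == rule_name]


if __name__ == "__main__":
    for rule, tx_id, detail in evaluate(SAMPLE_TRANSACTIONS):
        print(f"ALERT {rule:<21} {tx_id}: {detail}")
```

In the sample batch the fourth order from `cust-99` inside ten minutes trips the velocity rule, while the same account's order an hour and a half later does not, because the earlier timestamps have aged out of the window. The same three rules apply unchanged to a live feed; only the source of `transactions` changes.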