Online Retailers at Increased Risk

Experts Say E-Commerce Transactions Easy Targets for Hackers

The breach of e-commerce retailer LaCie is the latest indicator that more fraudsters are targeting online merchants because card-not-present transactions are particularly vulnerable (see Retailer LaCie Confirms Breach).

LaCie, a French computer hardware retailer that markets products worldwide, recently confirmed that its website had been breached by a malware attack that went undetected for a year.

The retailer did not specify how many payment cards are suspected to have been exposed, nor did it say how the site was compromised. And company officials declined to comment further.

In another recent e-commerce attack, food company Smucker's reported that a breach of its online payments system likely exposed 23,000 online customer accounts.

Exploiting Vulnerabilities

Some industry experts say e-commerce breaches likely result from an array of vulnerabilities. That's because online retailers, by their nature, aren't as secure as their brick-and-mortar counterparts, says Al Pascual, senior analyst of security, risk and fraud for consultancy Javelin Strategy & Research.

"The financial industry has done a respectable job of protecting their systems and data from compromise, but online retailers have neither the oversight of a feared regulatory regime, nor the budgets, to match this level of success," he says.

E-commerce transactions need stronger dynamic authentication or tokenization, similar to what chip cards promise to provide for card-present transactions, Pascual says.

Retailers need to enhance authentication methods to ensure only legitimate customers are able to make purchases, online or otherwise, with payment cards. But Dave Jevans, chief technology officer of online security firm Marble Security Inc., says many online retailers have been reluctant to implement additional forms of user and transactional authentication. "Gas stations implemented the 'enter your ZIP code' secondary authentication for mag-stripe cards, and it has proven highly effective," he says. "Online CNP transactions need something similar."

The increase in e-commerce breaches highlights why card-not-present fraud is a growing worry.

Migration to chip-card technology, such as the Europay, MasterCard, Visa standard, better known as EMV, does not mitigate card-not-present fraud, Jevans notes. "Almost all stolen cards are used in a CNP fashion, and so EMV does nothing to fix this situation," he says.

But Seth Ruden, senior fraud consultant for payments systems provider ACI Worldwide, says that while EMV is no "silver bullet," new security technologies such as chip cards will help the payments industry in the U.S. advance its fraud-fighting efforts.

"Further down the road, tokenization might be to e-commerce what EMV chips are to card-present POS [transactions] today," he says. "While we continue to piece together the framework, the gaps will continue to be exploited."

Online Retail Weaknesses

The breach of LaCie is believed by some security experts to be linked to the exploit of a vulnerability in Adobe's ColdFusion software, a Web application development platform used by many e-commerce sites, according to Jevans and John Zurawski, vice president of online security firm Authentify.

CVE Details, a security vulnerability data-source site, lists 61 ColdFusion vulnerabilities that have been identified and documented so far.

"Attackers could have used [a ColdFusion] vulnerability to get code running on the server," Jevans says. "At that point, even if they patched the server with newer versions of ColdFusion, the attacker is there and running code to exfiltrate credit card details."

Zurawski says problems with ColdFusion hacks have plagued numerous websites. "This all goes back almost a year, which would coincide with the length of time LaCie believes they have been breached," Zurawski says. "Adobe has published patches, but website developers and their security teams have to stay on top of the patching and updating to be protected."

About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by ABC News and MSN Money.
