Security pros explain Black Friday best practices for consumers and businesses

Consumers have to make sure not to fall prey to fraudulent coupons or deceptively spoofed retailer websites.


Black Friday has rapidly become the most lucrative day of the year for retailers around the world thanks to America's growing obsession with after-Thanksgiving shopping.

The numbers from the days around Black Friday last year are eye-popping. Retailers brought in $6.22 billion in online sales on Black Friday and another $7.8 billion on Cyber Monday. Americans have now become so eager that the cash is starting to roll in on Thanksgiving Thursday as well, with over $3.7 billion in sales made last year, a 28% rise compared to 2017 according to CNBC.

For some companies, the single day can now represent up to 30% of their yearly sales. 

These astounding numbers have coincided with steep increases in cyberattacks, breaches, and the sums of money hackers steal from both consumers and businesses around Black Friday.

Last year, Amazon notified shoppers that they had been hacked hours before Black Friday came, and this year, Macy's was forced to send a letter out to affected customers admitting to a devastating hack that gave criminals access to thousands of credit card numbers. 

To help protect consumers and keep companies from hacks, TechRepublic spoke to security researchers about best practices people and enterprises can use to stay safe as they shop till they drop on Black Friday. 


Cybersecurity company SiteLock released a detailed study of the Black Friday security landscape and spoke to consumers about how they feel ahead of the shopping holiday. Nearly 70% of consumers said they were concerned about their personal data being stolen as a result of shopping online, and about 40% said they were unlikely to shop at an online retailer, whether a large, commonly known brand or a smaller, lesser-known one, if their information had been compromised through it.

In an interview, the report's author, SiteLock channel and product specialist Monique Becenti, said breaches, especially around high-revenue holidays like Black Friday, were particularly costly for companies and needed to be preempted through proactive measures. 

"Holiday breaches can cause downtime or reputation damage that can put a huge dent in seasonal sales and a business's bottom line as a result. While both big and small brands are at risk of attacks that impact holiday sales, a breach can potentially sink a small online retailer as these businesses typically have smaller budgets and fewer resources to protect themselves," she said.

It is also a dangerous time for consumers because of the deluge of fake websites and scams that blend in with coupons and announcements of sales.

"There are vast opportunities to steal things during the holiday season through malicious coupons links, email marketing scams and gift card scams," Becenti said. "Black Friday is the biggest shopping day of the year and criminals typically exploit these types of avenues to profit off of personal identification."

According to Becenti, her research found that many cybercriminals were creating spoofed websites that appeared to be affiliated with real brands in order to hawk fake coupons or forms that asked for consumer information in exchange for discounts. Another key point of concern was fake apps--which can be readily found in most app stores--that offered fraudulent coupons or dubious e-commerce portals.

Any deals that seemed too good to be true were likely just that, and consumers had to make sure they checked all of the links they clicked on. Any link clicked on from an email should be checked again in a browser to make sure it isn't coming from a website purporting to be tied to name brands, according to Becenti. People should look for SSL certificates on websites to make sure they are legitimate.

In her report and in her research, she said she found that many people were being hacked while shopping through their smartphones on public Wi-Fi networks. Whenever consumers are shopping outside of their home, and even while inside it, they should use VPN services to encrypt their internet connection. 

Charity Wright, cyber threat intelligence adviser with security firm IntSights, released an in-depth report on Nov. 14 about the Black Friday threat landscape that said organized retail crime now costs retailers an estimated $30 billion each year.

She found that there was an emerging Dark Web underground community that pooled their efforts in targeting retailers while perfecting point-of-sale malware, deceptive web apps, and e-commerce ransomware.

Her report, "Cyber(attack) Monday: Hackers Target the Retail Industry as E-Commerce Thrives," says retailers have spent millions building flashy e-commerce websites but have neglected to adequately invest in advanced security protocols, making retail one of the most vulnerable industries for cyberattacks.

"The most common type of attack, according to a survey of our customers, is carding--especially card-not-present transactions. They have reported that it's one of the most challenging areas of attack that they're trying to address," she said. "There have been some improvements, especially with the credit card chips and tokens, but they're still struggling to figure out where these types of attacks start and where they're coming from."

According to her report, threat actors were using tactics like carding, which involves stolen credit card numbers being used to buy prepaid gift cards, as well as point-of-sale malware, web application vulnerabilities, and more. 

Both Wright and Becenti said companies need to do full, top-to-bottom audits of their security infrastructure to root out entry points criminals may use to breach systems. They should migrate data to secure infrastructure and encrypt point-of-sale systems, card systems, and processors.

But one of the problems during high-volume times, like Black Friday, is that cybercriminals know it is difficult for card companies and businesses to distinguish between legitimate and fraudulent purchases or accounts during the e-commerce deluge. Cybercriminals have made a habit of waiting about 18 months to use stolen credentials, giving any potential breach long-lasting effects. 

"There is a lot going on right now in criminal underground forums related to retail. Threat actors are staging attacks, selling retail products and gift cards on dark web forums and so retailers need to have visibility into that space," Wright said. 

"In order to stop what's going on and also to be proactive and understand what threat actors are doing, you have to have an understanding of malware and the community using it," she added. "All of this information is available in those forums and marketplaces."
