For cyber criminals, the holiday shopping season offers what we used to call a “Target Rich Environment” back when I was in the military.
During the holiday seasons there’s a lot of the kind of activity that cyber-criminals love. There are more customers buying things and that means that there are more credit card numbers floating around, there’s more personal information being stored in company databases and there’s less time for customers and companies to verify what’s real and what’s not.
In their haste to make sales, some companies may become careless about the purchase information they collect and they may collect information they don’t need. Worse, with the added load of higher than normal volume, IT departments may be forced to cut corners just to keep up.
Add to the overall frantic pace of holiday shopping the change in credit card security technology and you have even more opportunity for fraud. This year, now that most credit card users have EMV chips in their cards, the instances of counterfeit cards is already dropping.
But in its place, is something called “card-not-present” fraud. This is when criminals use stolen credit card information to order products online or over the phone. They will then sell those products, or in some cases return them for cash reimbursements.
For your business, the overall environment is one in which you’re under attack from all directions. Criminals are using stolen credit cards on one hand while other criminals are trying to break into your network on the other. Adding to the excitement, there are new tools in the hands of cyber-criminals that are making their jobs more lucrative—at your expense of course.
Jeremy Manning, threat intelligence support manager at SecureWorks, tells me of a Remote Access Trojan (RAT) that appeared this fall, just in time for shopping to start.
This Trojan is delivered a company’s computer network through a phishing email and inserts itself into the Notepad application in Windows. Once there it captures and sends out the Track 1 and Track 2 credit card data if a card is read, but it can also send out other card data and it includes a key logger.
Manning said that the malware is based on the Netwire tool that some administrators still use, but in this case it’s been modified. “It was hiding itself in the Notepad application,” he explained. “There was a child process that was running there.” Finding the malware is relatively easy, Manning explained in a blog entry.
Then the threat actors sent a phishing email that was relevant to the company and the employees, showing that they had spent some effort in researching their target.
Unfortunately, that’s only one type of attack and there are plenty of others. Worse, it’s essentially impossible to protect your company against every possible attack. This means that as business ramps up it’s also necessary to ramp up your efforts to fend them off.
“The needs for best practices are amplified over the holidays,” said Dana Simberkoff, chief compliance and risk officer at AvePoint, a company that supports migration and management of Microsoft cloud services. Because of this, she advises her clients to protect customer data so that the bad guys can’t get it, even if they manage to penetrate network security.
Simberkoff listed areas where she encourages her customers to tighten their security. The first is to collect as little data as possible from consumers. “If you have it, you have to protect it,” she explained. Simberkoff said that while there’s often a push to collect as much data as possible for possible future use, that’s really not the best idea.
“Remember that less is more,” she said. “You’re responsible for the data.”
The next step is one that’s been a best practice basically forever, but one that’s frequently ignored, which is to limit what your employees can access. “Make sure that you provide your employees the minimum access to data that they need to do their job” she said. “Every person in the company doesn’t need to have access to sensitive data.”
Simberkoff said that this broad access to unnecessary data is often the result of an overworked IT staff that doesn’t have time to figure out which employee needs access to what data.
Simberkoff also noted that companies aren’t always clear about the purpose for data collection and they aren’t clear about the requests for consent. “You need to have layered consent,” she added, pointing out that you can’t collect someone’s data for one purpose and then use it for something else.
You also need to know about the data flow within your company and you must know what data transfers between your company, credit and debit card processors and vendors. Ultimately, she said, you’re responsible for what happens to your data even when it’s in a business partner’s possession.
All of this will help your company take reasonable steps to protect the data that you’ve been entrusted with, but she also noted that it’s vital for employees to understand that security is everyone’s job.
Now that the holiday shopping season is in full swing, so is the threat level. In addition to protecting your bottom line against cyber-criminals, you also need to protect your customers and your partners. And yes, the bad guys really are out to get you.
“Data is like money. That’s why companies get hacked,” Simberkoff explained. “The more data you hold, the bigger target you are.”