Tierney - stock.adobe.com

This Christmas, Covid-19 heightens retail security risks for everyone

Do you think it’s only retailers and consumers who need to consider cyber security when shopping online during the holidays? You’re dead wrong. This year, the Covid-19 pandemic and the shift to remote working has thrown a spanner in the works

The past two months of the year are now well-established as the peak trading period for online retailers and as retailers prepare for the coming Christmas period – coupled these days with the worldwide spread of the Black Friday and Cyber Monday ‘holidays’ made up by American retailers – it is no surprise to anybody with half a brain that cyber criminals will be salivating at the prospect of fresh targets and vulnerable retail websites.

In 2020, the online shopping bonanza is set to be bigger than ever, thanks to the continuing Covid-19 pandemic and various shutdowns of offline retailers forcing more people than ever online, exposing themselves to heightened risk.

“Whether consumers are turning to online shopping to make up for missing the excitement of hitting the high street or browsing the internet for deals to pass the time during lockdown, it’s important that they stay safe when shopping online this holiday season,” says Mark Crichton, senior director of security product management at OneSpan.

“Due to ongoing restrictions consumers are preparing for digital holiday shopping, but they need to stay vigilant to avoid falling foul of malicious links as they look to cash-in on ‘too good to miss’ deals.

“This year the threat is increased as recent research showed that 48% of UK consumers plan to avoid busy shopping areas and this traffic will drive undoubtedly increase e-commerce activity. It is likely that consumers will be exposed to more attacks this year and shoppers must stay vigilant as legitimate offers from retailers, via email and text, could be replicated by cyber criminals,” he said.

According to a study conducted by McAfee, 50% of UK consumers have already upped the amount of online shopping they do during the pandemic, with 80% shopping online once a week, and 40% of UK residents anticipate doing more Christmas shopping online.

New circumstances, new risks

But it’s not just scam artists, price gouging on in-demand items such as the PlayStation 5, or websites compromised with Magecart credit card skimmers, that one needs to be aware of. In 2020, thanks to the pandemic, the orgy of consumer spending has implications for every enterprise security strategy, not just retailers.

Thanks to the coronavirus, the big technology story of the year has been the momentous and unprecedented shift to remote working, which has blurred the lines between the work and personal spheres, in particular with regard to device usage.

This is highlighted in another newly released global study from IAM specialist SailPoint, which found that nearly a tenth of work computers in the UK are now being used for personal needs, most commonly to check personal email, shop online, check the news or use social media.

This significantly increases the risk to the average business, as one slip on the part of an employee shopping online could potentially give malicious actors complete access to corporate systems.

Adam Philpott, McAfee Europe, Middle East and Africa (EMEA) president, says: “The blurred lines between online activity on corporate and personal devices from staff working remotely will force organisations to consider a new potential threat this year: Christmas shopping.

“As cyber criminals launch sophisticated scams to prey on the many Brits turning to online shopping via personal and work devices, businesses need to consider the ramifications for corporate security.

Employees now use their corporate devices for everyday tasks – such as shopping – which creates new risks to the enterprise
Chris Waynforth, Imperva

“To keep cyber attackers at bay, it’s vital that organisations go beyond establishing baseline protocols to create and maintain a secure environment.”

Chris Waynforth, area vice-president at Imperva, is also on high alert. “The boundary between work and recreation has disappeared and employees now use their corporate devices for everyday tasks – such as shopping – which creates new risks to the enterprise,” he says.

“With Black Friday and the holidays around the corner, retailers have a huge bullseye over their heads, so companies are right to worry about employees using work devices to shop online. Web traffic to retail sites spiked by as much as 28% over the weekly average in 2020, thanks to global lockdowns.

“This is creating a feeding ground for hackers looking to scrape card details and steal personal data, but with so many workers now accessing data remotely, targeting retail sites also opens the door for hackers to gain access to business systems.

“Employees may not even realise that their device has been compromised. This is a worrying situation, as once a hacker has access to a device they can scrape credentials, move laterally through systems and target your crown jewels,” says Waynforth.

A series of unfortunate events

So what is an enterprise security team to do? First, it is important to understand that an orchestrated, targeted breach of an enterprise through an unrelated, compromised retailer, is unlikely.

The reason for this is quite simply because it relies on a complex chain of circumstances to come together in the right order. In short, if you are targeting an enterprise, why would you compromise it through a vulnerable and unrelated retail website, when you could just target someone in the finance department with a fake invoice?

“There are a lot of ifs here,” says WatchGuard Technologies CTO Corey Nachreiner. “When it comes to retail sites, web application vulnerabilities are typically your top concern and there are many types to worry about. For instance, SQL injection is a type of web application vulnerability that might allow an attacker to steal a retail website’s database, including its user and password data.”

Web app vulnerabilities can lead to a broad range of outcomes, he explains, but typically they either give malicious actors elevated access to the data and resources of the retailer’s site, or to the data the retailer holds on the victim visiting that site – so in short, if an employee is visiting a vulnerable website from their work device, there is little risk of compromising that device.

However, in some cases, exploitation of the device does become possible, for example, in a cross-site scripting (XSS) attack where a booby-trapped website contains code that could exploit a browser vulnerability to load malware or ransomware onto the device.

XSS attacks should be of particular concern as they seem to be especially prevalent right now. According to data gathered by Imperva, XSS was the leading attack vector for application programming interface (PI) attacks on retailers in 2020, accounting for 42% of them, and the third most common attack vector for web attacks, accounting for 16% of them.

Even so, compromise through such an attack is still a multi-step process. “For this to work, first the website needs to have a XSS vulnerability, second your browser must suffer some unpatched vulnerability that the attacker’s malicious code targets, and third your employee has to visit the booby-trapped page on the site,” says Nachreiner.

“This … is possible, and has happened, but it’s not overly common. It’s also important to note that these types of web application vulnerabilities impact all types of websites beyond retail destinations alone.”

Accidental breach is more likely

Far more likely is the prospect of an employee causing their employer damage by inadvertently doing something they should not have.

While many shopping sites are perfectly legitimate, we know there are many malicious campaigns that use sales events like Black Friday and Cyber Monday to entice consumers to click on nefarious sites or links that could ultimately distribute malware,” Nachreiner tells Computer Weekly.

“Since employees might not always be security conscious when it comes to the sites they visit, it’s sometimes best to simply prevent access to non-work-sanctioned sites on corporate machines,” he says.

The good news for chief information security officers (CISOs) is that by activating some security controls like domain name system (DNS) or web filtering that automatically block access to malicious links an employee might be inclined to click on, they can shore up their defences with a minimum of fuss.

Claire Hatcher, Kaspersky global head of fraud prevention solution, acknowledges that it is virtually impossible to stop remote employees from using work devices for personal reasons. “So it’s vital that all laptops, phones and other technologies are supplied with reputable internet security products,” she says.

“Cyber security solutions with behaviour-based anti-phishing technologies can send notifications if users are trying to visit a phishing web page, which can help keep remote work devices protected when being used for personal activities,” she says.

Imperva’s Waynforth says that the incoming online shopping boom is the ideal opportunity for CISOs to reinvent their data security practice and adopt a data-centric approach.

“Given that the traditional network perimeter is now gone, businesses need to reverse their thinking and embrace an inside-out view to ensure the crown jewels are secure,” he says.

As the personal and work borders blend, it is often unreasonable to expect to police people in their own homes
Ian Pratt, HP Personal Systems

“Security teams need to scan their data stores regularly to understand what vulnerabilities or misconfigurations might exist that an attacker could exploit. As Imperva researchers discovered, it takes just one hour for a hacker to make a connection with an exposed cloud database, and just 10 hours until their first attack.

“Further, database activity monitoring [DAM] and cloud data security are essential tools for gaining visibility into the access of sensitive data and potential security incidents in real-time,” he says.

But be careful not to go too far with such measures, as overly restrictive policies can also be a source of risk, as Ian Pratt, global head of security for HP Personal Systems, explains: “Putting measures in to block this activity – such as website blacklisting – can result in even riskier behaviours as users find ways to work around prohibitive security tools. Also, as the personal and work borders blend, it is often unreasonable to expect to police people in their own homes.”

“Organisations must find new ways to protect users and allow them to make mistakes. By building security into devices from the hardware up, organisations can protect users clicking on malicious links by having the contents open in an isolated virtual environment.

“This virtual ‘cage’ – which is transparent to the user – runs on its own virtualised hardware, so it can’t access other browser tabs or anything else on the system, infect the host PC or spread through the corporate network. This means that if an employee does click on a rogue site, they cannot be compromised,” says Pratt.

Teach your humans well

Stuart Reed, UK director at Orange Cyberdefense, says that technical measures against phishing are undoubtedly more robust and sophisticated now than ever. But, he warns, that doesn’t eliminate risk altogether – we’re all only human, after all.

“Humans are more complex and harder to predict in certain scenarios, while easy to manipulate in others. Security awareness educates employees about manipulative techniques that might be used against them, and highlights the benefits of adapting their information security behaviour. Building resilience towards social engineering attacks provides a significant line of defence,” he says.

For Nachreiner at WatchGuard, the human angle manifests in terms of lax attitudes to password security. In the context of retail security, this is a huge and dangerous potential point of failure for enterprises and something that is hard for security teams to control.

“The main concerns I have with retail sites specifically have to do with their own security. When these sites suffer data breaches and leak data, user passwords get exposed,” he says.

“Unfortunately, studies show many people reuse the same password everywhere. So, if a user’s corporate password matches any password leaked from one of the sites they visit on their personal time, their employer is also at risk.”

In mitigation, while password hygiene is important, from an employer’s perspective if an employee is using the same password as they do on a retail site for their corporate logon, in a data breach it matters less whether the employee accesses the retail site on their own, the company’s or a friend’s device, because the password will still be exposed.

Nachreiner says that from an employee’s perspective, the main concern should be oversharing personal and private information. “For instance, many everyday users allow browsers to save their passwords. If you save your passwords on your work machine, your employer or any attackers that compromise that machine may have access to them,” he says.

“The same issue applies to storing your credit card details in local browsers, something I strongly advise against. Your business and its computer systems could be targeted by certain attacks, and if you have personal information on a work device, that could end up affecting you directly,” he says.

“But it goes both ways. If you fall victim to a cyber attack due to lax personal security hygiene and you use work devices for things like online shopping and banking, you might be opening up your employer to a breach.”

Acceptance and goodwill

Kaspersky’s Hatcher encourages CISOs to have employees acknowledge and follow four key policies to protect themselves.

First, they should only shop at legitimate online stores, accessed by typing in the address or selecting it from bookmarks rather than a link – browser address bars can help check if the website is genuine, carrying a padlock icon and using HTTPS.

Second, payments should only be done via credit cards or robust payment services to ensure transactions are protected.

Third, shopping employees should be encouraged to verify discounts – if they receive a special offer in an email or text, check the sender and any web links are genuine before clicking.

Finally, employees should be encouraged to manage their own passwords with password management tools that safely store unique credentials for online accounts.

We recommend that CISOs accept that some Black Friday shopping will happen on corporate devices,” says Hatcher.

The good news for enterprise security teams and CISOs is that there are some soft benefits for them in getting things right.

“In a post-Covid world where it’s becoming virtually impossible to separate our personal and professional lives, one benefit employers can offer is to help secure employees’ personal lives by implementing policies and protections to safely allow personal activities like online shopping on work machines,” says WatchGuard’s Nachreiner.

Indeed, perhaps a little counter-intuitively, getting it right may well make it safer to browse a retailer’s website on a work device than a personal one, so a benevolent CISO could generate some goodwill from enabling some secure personal use by remote working employees.

Read more about Covid-19 and cyber security

Read more on Hackers and cybercrime prevention