LastPass by LogMeIn, a leader in password management, has revealed its ranking of the most and least secure UK online retailers ahead of the holiday shopping season.
With Black Friday and Cyber Monday upon us, the analysis has revealed that retailers still have work to do to encourage strong password security and support two-factor authentication (2FA).
LastPass identified the top 10 UK retailers by 2017 e-commerce sales and scored them on their security offerings. Features considered in the scoring included password requirements (length, special characters, numbers), if sites featured a password meter, if sites supported 2FA, what personal information is required at account set-up and whether sites ran on secure HTTPS vs HTTP.
Key findings include:
- 2FA Fail
Nine out of the 10 top retailers still don’t support two-factor authentication, Amazon being the only site that did support it. 2FA provides an additional layer of security toward preventing unauthorised access to an account. Unfortunately, these results tie in with LastPass’ recent Global Password Security Report which found that 45% of businesses use multi-factor authentication and that retail organisations are lagging behind other industries in password practices and adoption of multi-factor authentication (MFA).
- Despite passwords being a major cause of breaches, retailers aren’t promoting strong password practice
None of the top 10 retailers require special characters when creating a password and only 2/10 sites (Asda and Very) provide a password strength meter to indicate weak to strong passwords.
- All retailers succeeding in site encryption
Every retailer tested runs on HTTPS, the secure version of HTTP. With all communications between users’ browsers and the website being encrypted, this is good news for shoppers entering personal information and card details.
- The fear of forgetting
We know that fear of forgetting a password is the biggest reason people reuse passwords, but most sites make it fairly easy to create a new password if you forget it. If a password is forgotten, all 10 sites send users a reset link or a one-time code, rather than sending the original password to the registered email, making it harder for an imposter to pose as a customer to gain access.
Sandor Palfy, CTO of Identity and Access Management at LogMeIn said: “Black Friday has fast become one of the biggest online shopping events of the year: £1.39 billion was spent in the UK on retail sites in 2017.
“With the wealth of personally identifiable information (PII) and sensitive data that online retailers process, all have a responsibility to ensure they take the necessary steps to protect their customers and educate them on best security practices. Consumers also have a responsibility to understand best security practices, so they can choose where to safely shop online.
“Weak or stolen credentials continue to play a major role in breaches, so it’s worrying that the most popular UK retailers have pretty lax password requirements when hundreds of thousands of shoppers will be flocking to these sites for a good deal on Black Friday.
“Customers should be encouraged to create a strong, unique login that is long and complex, containing a mixture of numbers, letters and special characters with the help of a password strength meter. This password should also be unique so if the worst was to happen and a brand was breached, other accounts would remain secure.
“Given the damage a breach can cause organisations and the high-scale attacks in recent years, this should encourage retailers to assess their security posture before they get into the full swing of the holiday shopping period.”
Meanwhile, Egress CTO Neil Larkins has shared seven tips for a phishing-proof Black Friday:
1. Be aware of what a phishing email looks like
Phishing emails are designed to look as real as possible and to the untrained eye can look nearly identical to an email from a trusted sender, such as a bank or social media platform.
If you find the following features in an email from a ‘reliable’ sender, it is often a hint that the email is actually a phishing attack:
– Incorrect spelling and grammar
– Name in the email address not matching the user details in the email body
– An email received from an unknown sender or email address
– An unexpected change to the look/layout of an email
– Web links in emails
2. Check the web links
If you see a suspicious link in an equally suspicious email, DO NOT click on it. Instead, hover your mouse over the link to see if the address matches the link displayed or if possible, open the site in another window instead of clicking the link in your email.
3. Don’t open attachments
You might receive emails asking you to download a gift card registration document to fill out. DO NOT click on it. This could be a malicious document and clicking on it would allow a malware to steal your information. A safe attachment should allow you to preview it without having to download or open it.
4. Don’t be fooled by branded emails
If you receive a branded email and it is different to what you normally see, this could be a sign of an attempted phishing attempt. Examine the email address, subject and body; any typos will point towards it being a phishing email. If unsure, you should contact the sender through other channels to gain further clarification on the authenticity of the message.
5. If it’s too good to be true, it’s probably not true
Cybercriminals will try to disguise themselves as well-known and trusted brands and offer expensive things at a much lower cost. If the offer is not on the brand’s official website, it probably isn’t legitimate.
6. Be cautious with any requests for personal or financial information
In general, you should be very cautious with any requests for personal or financial information. A retailer would never normally ask you these and would send you separate communications outlining this.
7. Adopt the right security technology
The best solution to avoid phishing attacks is to have the right security technologies in place. The application of Machine Learning, deep learning and NLP have made it increasingly possible to mitigate this risk. By analysing various attributes, from the sender’s authenticity to the end user’s ‘normal’ behaviour, smart technology can now recognise patterns and highlight anomalies. In particular, in cases where a phishing email requires an individual to respond, users can be alerted to the fact they haven’t emailed this recipient before or that the recipient’s domain is not trusted – immediately raising red flags for the user in scenarios where cybercriminals are leveraging established relationships.
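As an added example that is not part of the original article or of any product from the vendors quoted, the indicators listed above (display name not matching the sending address, link text that hides a different destination, unencrypted links) can be checked mechanically. It assumes a constructed sample message and uses only the Python standard library.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message with the indicators described above (not a real email).
SAMPLE_EMAIL = """From: "Amazon Customer Service" <alerts@amaz0n-deals.example>
To: shopper@example.com
Subject: Your Black Friday order is on hold
Content-Type: text/html

<html><body>
<p>Dear custmer, plese confirm your acount details.</p>
<a href="http://login.amaz0n-deals.example/verify">https://www.amazon.co.uk/your-account</a>
<a href="https://www.amazon.co.uk/help">Help centre</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_host(url):
    """Hostname of a URL; bare 'www.' text is treated as a URL without a scheme."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable findings for the indicators this script checks."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    sender_host = address.rsplit("@", 1)[-1].lower()
    # Indicator: brand named in the display name is absent from the sending domain.
    brand = display_name.split()[0].lower() if display_name else ""
    if brand and brand not in sender_host:
        findings.append(f"display name '{display_name}' does not match sender domain '{sender_host}'")
    parser = LinkExtractor()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        # Indicator: visible text looks like a URL but the real destination host differs.
        if re.match(r"https?://|www\.", text) and link_host(text) != link_host(href):
            findings.append(f"link text '{text}' actually points to '{link_host(href)}'")
        if href.lower().startswith("http://"):
            findings.append(f"unencrypted link '{href}'")
    return findings
```

Running `phishing_indicators(SAMPLE_EMAIL)` on the constructed message reports the mismatched sender domain, the disguised link and the plain-HTTP destination; a genuine marketing email with consistent hosts and HTTPS links returns an empty list.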
Sam Curry, Chief Security Officer at Cybereason:
1) The increase of online credit card collection imposters over the holidays will be apparent as they do more at this time as people balance year-end holiday finances and fear of debt. For example, the consumer stressing out about a high volume of debt they are carrying on multiple credit cards might receive an email pretending to be from the credit card company saying their account is overdue and is subject to being shut down unless they make a minimum monthly payment. The unsuspecting consumer gives away their credit card information and other personally identifiable information.
2) Holiday ransomware. While ransomware infections globally are down considerably over the past three to five years and in 2018 there hasn’t been a WannaCry or NotPetya attack, it is still an extremely effective method for hackers to make money. Consumers should understand that the pictures and other assets on their computers increase in value to hackers over the holiday season and this means that consumers are more likely to pay ransoms and panic if ransomware strikes.
3) Phishing scams online are on a meteoric rise over the holidays, especially driven by deals and rebate offers. Basically don’t open any attachments or click on links appearing to be from trusted vendors you shop with. Go directly to the website of the vendor looking for the sales and deals.
Advice to reduce risks while online shopping
- Remember to know your liability with your credit card and banking cards that can be used online – impose a voluntary limit or hiatus with your company if you don’t like the liability risk.
- Also, check all of your bills and receipts online: keep a central family register of purchases for cards that you want to track to reconcile.
- Default to being suspicious of any inbound calls – worst case, take a case number, record the inbound source number, independently go to the web and call support before doing anything, as a default way to handle these.
- If a deal looks too good to be true, it probably is, so don’t click on anything. Do feel free to record coupon and discount codes and to go directly to vendor websites with those codes.
- Avoid downloading anything from questionable websites. Disable pop-up ads on your devices by using trusted software. Always verify the vendor, and look for typos or common permutations of email addresses.
Paul Bischoff, Privacy Advocate, Comparitech.com
- Phishing. Expect a lot of phishing emails claiming to be from retailers, banks and payment processors. They will try to get you to click on links that lead to forgeries of legitimate websites where you enter your password or credit card information. Don’t click on links in unsolicited emails and always check for valid HTTPS before entering any information into a website.
- Non-delivery scams. You buy something and it never shows up. This often occurs when a scammy merchant claims there is some problem with Amazon or Ebay’s payment system. They’ll try to contact you and extract payment through some other means. Don’t interact with merchants outside of the marketplace’s official channels.
- Straight up theft. Thieves will be looking to lift packages off your front doorstep to put under their own Christmas trees. Consider using a locked drop box to receive packages or install a security camera.
- Digital credit card skimmers. Hackers compromise a website by installing a keylogger on payment pages. When a buyer enters their information, the keylogger records everything typed in and sends it to the hacker. There’s not much an average person can do to spot or prevent this from happening. It’s up to the website to properly secure their payment gateway.
Todd Peterson, IAM specialist, One Identity
The pure eagerness for people to bag the best deals on Black Friday is a huge threat as people may neglect basic security hygiene in a rush to smash through their loved ones’ Christmas lists. Keen shoppers need to realise that ‘easy’ doesn’t necessarily equate to ‘safe’, so having non-essential websites store their passwords or credit card details or using the same password across all online stores is ill-advised.
By taking extra measures, such as using a different password for every website, enabling multi-factor authentication or opting in to extra security provided by your bank, for example, it may be extra steps, but the security payoff will be worth it. After all, if it’s more difficult for you as the shopper, it will be more difficult for hackers. Treat personal online transactions the same as you do for work; if it wouldn’t fly with your boss at work, then reconsider.
Lamar Bailey, Director of Security Research and Development at Tripwire
Your inbox will start getting flooded with Black Friday deals soon if it has not already started. Not all of the emails will be legit, as attackers will take valid emails and change the links to point you to malicious sites that may look like the real thing. Always check the sender address to make sure it looks normal, and instead of clicking on links go to the company website, where the deals will generally be on the front page.
Never use your ATM/Debit card for any transactions. If your number is stolen it can take days for the bank to refund the money to your account and even longer to get a replacement card. If you use a credit card and your number is stolen the credit card company will quickly adjust your account and overnight a new card. The best option is to use virtual credit card account numbers from your credit card company. With these you can set a limit and timeline so there is less opportunity for theft.
Make sure your credit is frozen.
Javvad Malik, Security Advocate at AlienVault
For consumers, the biggest danger from retail cyberattacks is loss of personal information, such as their social security number, date-of-birth and home address. This information can be used to take control of their assets as well as be sold on black markets like the Dark Web. The best advice for consumers is to more regularly monitor credit, debit and ATM card activity for fraudulent transactions and immediately report anything suspicious.
Jack Baylor, Security Threat Researcher at Cylance
Avoid ‘too good to be true’ resellers on auction sites such as eBay, especially for computer games or related products such as ‘Fifa points’.
People often put up faked game codes claiming large discounts compared to buying directly from the game manufacturer or the likes of reputable markets such as Steam, Microsoft Store (Xbox1) or PlayStation Store (PS4). Often consumers are left out of pocket with nothing more than a nonsense string of letters and numbers to show for it.
Adenike Cosgrove, Cybersecurity Strategist, EMEA, Proofpoint
Black Friday-themed spam emails often take advantage of recipients’ desire to cash in on increasingly attractive deals, creating tempting clickbait for users. These spam messages may use stolen branding and tantalising subject lines to convince users to click through, at which point they are often delivered to pages filled with advertising, potential phishing sites, malicious content, or offers for counterfeit goods. As with most things, if offers appear too good to be true or cannot be verified as legitimate email marketing from known brands, recipients should avoid following links.
All holidays and major events provide a variety of fodder for threat actors to create compelling lures and themed email attacks. Just last week for example, the threat actors who regularly distribute the Emotet Trojan sent a barrage of Thanksgiving-themed malicious spam. The attached and linked documents, which the emails claimed were e-cards and other Thanksgiving wishes, contained malicious code that installed the Trojan. While Emotet provides a high-profile and particularly dangerous example of a holiday-themed threat, seasonal lures abound.
Another known tactic used by cybercriminals is shipping notification scams, as consumers are likely to check on the progress of their Black Friday purchases. To avoid being tricked, always log into sites such as UPS, FedEx and merchant sites directly, rather than relying on potentially malicious links included in email messages. As with all email, recipients should never open attachments or click through links from unknown senders.
Rusty Carter, VP of Product Management at Arxan Technologies
With Black Friday, it is not only retailers and consumers who are looking forward to the start of the shopping season. Cybercriminals, for whom the increasing proliferation of mobile shopping apps is opening up lucrative attack opportunities, are also likely to profit.
It goes without saying that among the excitement of a bargain, cybersecurity is not top of mind for consumers; however, it is this type of distraction that opens shoppers up to multiple risks. With many of our high-street shops closing down, it is clear that online and mobile shopping is continuing to gain momentum.
However, the new opportunities associated with the growing range of M-Commerce services also entails new risks: business transactions via web and mobile applications – be it payment transactions or the transmission of sensitive personal data – are particularly threatened by cybermanipulations and open up a range of possibilities for fraud and data theft. Fake apps have also become a problem for mobile online commerce.
The often deceptively authentic-looking counterfeit products act as official apps for well-known brands, playing off unsuspecting consumers in a variety of ways. More worryingly, these fake apps are published on official app stores such as Google Play and Apple’s App Store. Not only does this leave consumers vulnerable to attack and data exposure, but it also has the potential to damage the reputation of the organisation whose apps are being mimicked.
We already know that retailers continue to be a hot target for hackers. Take the ongoing threat of Magecart attacks, which have already had success in the retail industry with the likes of Shopper Approved, TechRabbit, Kitronik and others becoming victims.
The recent wave of attacks is placing a stronger emphasis on what we already know – software vulnerabilities, incorrect configuration and other holes in defences are not going away, and attackers can use a company’s own software against it and its customers. While existing best practices continue to be relevant, there are additional security measures that can be taken to address specific attacks like Magecart.
Organisations should implement certain mechanisms and controls that continually monitor code for injection and detect when code is being modified, as once an attack is detected these same mechanisms can provide real-time alerts and trigger processes to deactivate accounts, remove malware and nullify any progress made by attackers.
As a result of the successful attacks this summer, we can expect to see a potential wave of attacks this holiday shopping season too, with attackers capitalising on the weaknesses discovered as well as the low likelihood of rapid adoption of application protection at the browser and mobile endpoint. Organisations need to take action now to protect themselves and ensure they and their customers are not the next victim.