Month: May 2019

How To Mitigate Account Takeover In Retail

RH-ISAC article featured on Retail IT Insights. The below is an excerpt from the article. For the full post, visit:

Online shopping is pervasive, especially as more and more retailers expand their digital commerce. While online shopping provides a multitude of benefits for both retailers and consumers, it also has created a new threat in the industry called account takeover (ATO) fraud.

ATO is the unauthorized access and control of a legitimate user account. By getting hold of customers’ usernames and passwords, cybercriminals can use the hijacked accounts to glean a lot of information. This information can be used to create new accounts, impersonate real customers and steal goods and services.

Like so many other types of fraud, ATO is increasingly committed at scale by bots. In fact, according to Akamai’s “State of the Internet Security” report, more than 40 percent of online login attempts are attackers trying to invade accounts. Hackers write scripts that test various combinations of stolen usernames plus potential passwords across multiple websites and apps, until they find a way in. This is called credential stuffing. These brute-force attacks are helping fraudsters move as quickly as possible and focus on maximizing the value of each successful ATO.

Impact On Retail & Hospitality

Since January 2018, at least 17 retail and hospitality companies were compromised and likely had account information stolen from them. The 2018 Credential Spill Report from cybersecurity firm Shape Security showed that 91 percent of the login attempts made on online retailers’ websites were hackers using stolen data. This startling statistic speaks to the unique challenges that retail and hospitality organizations face with balancing the need to secure their websites while maintaining minimal friction for customers who wish to shop online.

According to the credential spill report, an estimated 82 percent of login requests for hotel and hospitality online booking sites are attributed to credential stuffing. To better fit the needs of the customer, hotels have incorporated mobile applications to streamline the user experience during booking, check-in and even as a substitute for room keys. But this has significantly increased the attack surface for hospitality.

ATO not only wreaks havoc on victimized users, but can also seriously damage companies’ own brands, reputation and revenue streams. Retailers need a serious online fraud strategy to protect consumers and their organizations. Let’s now look at cyber criminals’ tactics and then some best practices for detection and response.

ATO Best Practices For Retail And Hospitality

ATO is an increasingly costly threat for retailers in the U.S. and worldwide. As education and awareness increase for cyber teams, customers and legitimate account owners, so do the capability and sophistication of cybercriminals. Key recommendations to consider include:

  1. Develop a plan and process
  2. Adapt and adjust your methodology
  3. Utilize your network
  4. Join an information sharing organization/fraud committee for support

Retail and hospitality organizations need to protect their business and their customers from ATO fraud. Cybercriminals are becoming more and more sophisticated and using automated botnets and other techniques to efficiently attack online retailers. For eCommerce companies to succeed digitally, it’s imperative to protect against ATO through a multi-pronged approach which includes sector collaboration.

Read the full article on Retail IT Insights:


Collective Genius, Common Purpose In-Person Events Build Relationships, Trust

As an information sharing and analysis center, the RH-ISAC provides many ways for information security teams to share not only IOCs but also information on processes, technology and other insights. As Suzie shared in her last letter, our membership community is very active in sharing – whether it’s via the technology platforms or participating on Cyber Thursday webinars or Weekly Intel Calls.

We already know that the most innovative work happens when diverse people interact closely with each other to integrate ideas in new ways. This collective genius is what shapes our always-evolving priorities and choices and helps take our individual defenses to the next level. Following the highly successful workshops hosted by Las Vegas Sands and Walgreens, the RH-ISAC and PVH Corp. are proud to provide the opportunity for teams and practitioners in the New York metro area to come together for a day of sharing knowledge, experience and insights.

We asked area members for topics they would be interested in learning more about and have put together a strong agenda for the day:

  • PVH’s own Director of Information Security Operations Nicholas Zaky will lead a discussion on how to perform threat intelligence and data mine threat actor infrastructures using IOCs in your environment.
  • Jason Lay, threat intelligence lead at Qurate, which owns QVC, HSN and Zulily, will show us how we can turn the tables on thieves who use social media as a reconnaissance tool and share individual data (and selfies) on the Deep Dark Web.
  • Phillip Miller, CISO at Brooks Brothers, will lead a discussion and share case studies on how to improve the security posture of your organization.
  • RH-ISAC analysts will review the threat landscape based on information shared in the RH-ISAC community.
  • Smriti Kawal Jaggi, threat intelligence analyst at Shape Security, will wrap up the day with a threat briefing.

Even more important than the virtual intel sharing we do every day are the networking and discussions that build relationships and deepen trust among our teams. Trust is created through in-person dialogue and mutual respect during these face-to-face workshops. Deep trust will enable us to share more openly and freely, whether through the listserv, threat intel calls, or 1:1 intelligence sharing.

Join us on May 9 in NYC to do just that at the PVH Intelligence Workshop. Email with registration requests! Find out more about the event here. We look forward to seeing you there!

P.S. All are welcome to join us for a happy hour following the workshop. Details to come.