On July 23, Lakeland, a UK based kitchenware firm, announced by email to its users that two of its encrypted customer databases had been hit by a “Sophisticated and Sustained Attack”, possibly resulting in a data leak.
One of the largest misconceptions about Advanced Persistent Threats (APTs) is that they are solely concerned with distributed denial of service attacks. DDoS is the most famous method of cyber crime, but it is more associated with hacktivism than with fraud.
Hacktivists would much rather make their point, usually a “power to the people” stance, by taking down a corporate website through overloading its servers with an unmanageable amount of web traffic.
Reality of Email Leaks
Fraudsters looking to benefit financially try to take over users’ accounts in order to obtain credit card details or simply make direct purchases. This is called Account Takeover Fraud (ATO) and is one of the fastest growing types of fraud.
What can a hacker use an email address for?
1. Sell them – By breaching a database, an attacker obtains a list of known user email addresses. Even if all of the passwords are changed immediately (as Lakeland has done), there is still a thriving black market for stolen email addresses and passwords or credit card details.
2. Account Takeover on other websites – Users often use the same email and password across multiple websites, and a fraudster may try to exploit this.
3. Account Takeover on Lakeland’s website – The hacker now knows the email addresses of actual users, which allows them to utilize other types of fraud such as phishing to gain access to accounts.
These attacks are uncommon for e-commerce sites and are a scenario that NuData Security protects against every day.
Passwords are not fit for purpose in today’s online world; retailers should understand that it is their responsibility to protect users with more advanced security.
For now, this is what we advise:
1. Users should use different passwords for all sites. Consider using a password manager for these, such as LastPass or OnePass.
2. Behavior Analytics
Online retailers should understand how users interact with all points of their website, whether that is their database, app or desktop site. Understanding how a good user acts allows you to quickly spot and prevent bad behavior before a breach has occurred. It also allows you to spot patterns of known bad behaviors experienced in the past by other retailers and websites.
3. Risk Based Authentication
This will help protect users from future account takeover attempts. Fraudulent users cannot act just like the real user does, even if the username and password are entered correctly. If they seem to be acting out of character, risk based authentication allows the website owner to present additional and more advanced security challenges to the user, but only when they are acting out of character.
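As an added illustration of the behavior analytics and risk based authentication described above (example code written for this page, not NuData’s or Lakeland’s own), the routine below scores a login whose password was already correct against a per-user baseline and a cross-account velocity signal, then chooses allow, step-up or block. The baseline fields, thresholds, score weights and sample events are all assumed or constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed baseline for one account (assumed fields; a real system would
# learn these from the user's own login history rather than hard-code them).
BASELINE = {
    "known_devices": {"dev-a1"},
    "usual_countries": {"GB"},
    "usual_hours_utc": range(7, 23),   # 07:00-22:59 UTC
}
STEP_UP_THRESHOLD, BLOCK_THRESHOLD = 30, 70   # assumed score cut-offs

def accounts_per_ip(events):
    """Count distinct accounts each source IP tried: one IP cycling through
    many accounts with valid passwords is the reuse scenario in the post."""
    seen = defaultdict(set)
    for e in events:
        seen[e["ip"]].add(e["account"])
    return {ip: len(accts) for ip, accts in seen.items()}

def score_login(event, baseline, ip_accounts):
    """Add up 'out of character' signals for a password-correct login."""
    score, reasons = 0, []
    if event["device_id"] not in baseline["known_devices"]:
        score += 30; reasons.append("unknown device")
    if event["country"] not in baseline["usual_countries"]:
        score += 25; reasons.append("unusual country")
    if datetime.fromisoformat(event["time"]).hour not in baseline["usual_hours_utc"]:
        score += 15; reasons.append("unusual hour")
    if ip_accounts.get(event["ip"], 0) > 20:
        score += 40; reasons.append("source IP hitting many accounts")
    return score, reasons

def decide(event, baseline, ip_accounts):
    """Map the score to allow / step_up (extra challenge) / block."""
    score, reasons = score_login(event, baseline, ip_accounts)
    action = ("block" if score >= BLOCK_THRESHOLD
              else "step_up" if score >= STEP_UP_THRESHOLD else "allow")
    return {"action": action, "score": score, "reasons": reasons}

# Constructed sample: one IP trying 25 different accounts, plus one normal user.
SAMPLE_EVENTS = [{"account": f"user{i}", "ip": "203.0.113.9", "device_id": "dev-x",
                  "country": "RU", "time": "2013-07-24T03:10:00"} for i in range(25)]
SAMPLE_EVENTS.append({"account": "alice", "ip": "198.51.100.4", "device_id": "dev-a1",
                      "country": "GB", "time": "2013-07-24T10:30:00"})

if __name__ == "__main__":
    velocity = accounts_per_ip(SAMPLE_EVENTS)
    for ev in (SAMPLE_EVENTS[0], SAMPLE_EVENTS[-1]):
        print(ev["account"], decide(ev, BASELINE, velocity))
```

The velocity count is computed over the whole batch before any decision is made, so the first login from the high-volume IP is already blocked rather than only the later ones.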