IT Threats to e-Commerce Platforms

With the increase in use of net-banking, digital wallets and various mobile apps for a wide range of payments, the number of cyber-attacks on such services is growing at an unprecedented pace. While e-commerce companies are steadily improving the security of their IT infrastructure, services and operations, users should be equally concerned and stick to firm security practices while making payments or shopping online.

Security researchers all over the world have been monitoring campaigns in which cybercriminals compromised large and small e-commerce websites in an effort to steal payment card and other sensitive information provided by their customers or acquire access to their net banking or mobile banking accounts.

Over the last several years multiple cyber-attacks against some of the largest e-commerce companies were carried out globally. The breach of The Target Corporation, the second-largest discount store retailer in the United States after Walmart, in 2013 resulted in the theft of at least 40 million customer records containing sensitive financial data such as debit and credit card information. The data theft was caused by the installation of malware on the company's point of sale (POS) machines, which were thought to have been reached via third-party vendors with security flaws in their systems.

In 2014, eBay asked its users to change their passwords after attackers compromised employee credentials and gained unauthorized access to a database that stored personal information.

In 2016, Oracle confirmed that its MICROS division, the retail systems vendor that Oracle acquired in June 2014, had suffered a security breach. It emerged that hackers had likely installed malware on the troubleshooting portal in order to capture customers' credentials as they logged in. These usernames and passwords could then be used to access their accounts and remotely control MICROS POS terminals. The major security breach was believed to have been masterminded by Russia's notorious Carbanak cybercrime group, which had previously been accused of stealing more than $1 billion from banks and retail stores.

In October 2016, a DDoS (distributed denial of service) attack left people without access to global e-commerce websites such as Shopify and Etsy Inc, among others. More recently, phishing attacks were used to cheat Amazon customers: fraudsters created fake seller accounts or took control of genuine vendors, tricked users into purchasing expensive items by offering very low prices, and could then steal their credentials or make them transfer money to the criminals' accounts.

India has its own record of cyber-attacks carried out against banks, payment systems and e-tailers, although the scale of such attacks, as well as the damage to businesses and individual customers, is not quite clear, given that our country's laws prescribe no mandatory public disclosure procedure in such cases.

Last year, India witnessed a massive breach of more than 3.2 million Indian debit cards, allegedly carried out by infecting the systems of Hitachi Payment Services, a provider of ATM, point of sale (PoS) and other services; this enabled criminals to steal sensitive debit card information that could be used to steal funds. According to various reports, around 2.6 million of the compromised cards were associated with the Visa and MasterCard platforms, while the remaining 600,000 were on the RuPay platform.

It is important to note that although hackers keep enhancing their attacks and developing new attack vectors, most of the attacks that lead to credit and debit card records being compromised are carried out by attacking POS terminals and ATMs, especially in India, where ATMs, for example, still run on the outdated Windows XP operating system.

Although phishing and using malware to compromise POS machines remain the most popular methods used by hackers to target e-commerce companies and consumers to date, security experts observe new trends such as, for example, injecting a keylogger directly into an e-commerce website.

The discovery of the Magecart malware, which compromised over 100 online stores in 2016 by secretly logging data entered on checkout pages and sending it to the attacker's server, is one such worrying trend. Cybercriminals are also believed to be aiming at creating fake e-wallet apps to mislead users, although no such instances have yet been discovered.

"As usage of smartphones for mobile payments is increasing rapidly, payment apps and e-wallets are at a greater risk than ever, and these emerging companies should be adequately investing in the security of their applications, ensuring they not only establish a tokenization system that protects users' credentials but also store sensitive data securely. Consumers, on the other hand, should realize the threat and watch their own behavior online", says Rajiv Warrier, Managing Director at AV Soft.

As India is driven towards digitization at all levels, some of the most acute security concerns emerge in the field of digital payments and cashless financial transactions. Payment fraud is not new; however, while globally the trend moves away from cloning credit and debit cards or creating counterfeit cards for existing accounts towards opening new fraudulent accounts through identity theft and hijacking internet-banking accounts and payment systems, in India both trends are likely to continue and evolve simultaneously.

Given the rise in digital transactions in India post-demonetization of 500 and 1000 rupee bank notes in November 2016, the security of such transactions has to be taken more seriously as cyber-criminals are likely to target the emerging new modes of payments, including new digital wallets, mobile payment and e-commerce platforms that have recorded a surge in transactions recently.

And not only payment companies, bank card issuers and regulators, but the users themselves should be the most concerned. Since such transactions are most often carried out from mobile phones and other smart devices, users need to be sure that their devices are secured and that the applications they use for these transactions are genuine.

DIGITAL TERMINAL
digitalterminal.in