The holidays are fondly recognized as “the most wonderful time of the year” and for hackers it is prime time for an attack. As online shopping continues to rise, it’s becoming a higher priority for retailers and banks to prevent hackers during the holidays.

While online retailers are an obvious target, those businesses aren’t the only ones susceptible to being targeted during the holidays. Banks are also common targets as they process thousands of transactions every day during the last two months of the year.

The Rise of Holiday Hacking

According to the Banking & Financial Services Cyber Threat Landscape Report (April 2019), more than 25% of all malware attacks hit banks and other financial services organizations and year-on-year increases of 212% in the number of compromised credit cards.

While businesses are susceptible to a variety of different cyber-attacks, there are a few common threats that are prevalent during the holidays. Phishing email campaigns are one of the most common as attackers try to lure their victims with promises of Christmas sales and promotions. The two primary goals of a phishing attack are to obtain account credentials that could be used to access the target systems or to install software that could be used to manipulate the environment or exfiltrate sensitive information to the attacker.

Fraudsters are also active attacking banks by placing card skimmers on ATMs and POS terminals. A cleverly designed and installed skimmer is nearly unnoticeable by most users and will allow the attacker to capture the information on the magnetic stripe of the card as well as the PIN code that can be later used to access the victim’s bank account.

Another holiday threat is DDoS. A distributed denial-of-service attack is a cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. A DDoS attack may not result in a data breach, but unplanned downtime of its eCommerce site could cost the affected merchant lots of money in lost sales during the busiest season of the year. DDoS attacks were up 37% in the first half of 2018, according to the NETSCOUT Threat Intelligence Report 1H 2018.

So how can retailers and banks prepare for the surge in cyber attacks around the holidays? Below are a few tips.

Holiday Hacking Tips for Retailers

    1. Ensure your eCommerce systems are up-to-date on patches and that they have been configured to disable unnecessary services and eliminate default settings. Unpatched systems and vulnerable default settings are common vectors of attack. The bad guys often find they don’t need to resort to sophisticated attacks if the basic security issues haven’t been addressed properly.
    2. Protect your POS terminals with a dedicated security solution by confirming the version of the POS solution you are using is certified to the Payment Application Data Security Standard (PA-DSS) and that you have configured it as specified in the PA-DSS implementation guide. Also, be sure to periodically inspect POS systems for tampering to identify attempts at installing skimmers.
    3. Monitor your environment for attempted intrusions and other anomalies. Be sure that you have an incident response process in place to respond to suspected security issues before they become major incidents.
    4. Don’t leave anything to chance. Hire an independent third-party provider to conduct a comprehensive audit of your website to validate your security posture and ensure that you are sufficiently protected before the busy transaction season begins.

Holiday Hacking Tips for Banks

    1. Conduct a security audit and penetration test of your network and systems. Sometimes the best defense is a good offense. By conducting a penetration test, you’re able to identify any holes in your systems before the bad guys do.
    2. Use a multi-layered security approach to protect against fraud. A layered, defense-in-depth strategy utilizing multiple security controls and protections eliminate the need to rely on a single control to provide sole and complete protection against a particular type of attack. With a layered approach, if one control fails or is circumvented, other protections may still prevent the successful attack.
    3. Train your employees to be aware of potential cyber threats. Helping your employees know how to identify a potential attack and taking the appropriate steps to help stop attacks is key. The more eyes, the better!
    4. Just as online retailers should, monitor your environment for attempted intrusions and other anomalies. Be sure that you have an incident response process in place to respond to suspected security issues before they become major incidents.

The last thing you want to deal with during the busy holiday season is a cyber-attack. Connect with our team today with questions about protecting your business during the holidays.