Online Retailers at Increased RiskExperts Say E-Commerce Transactions Easy Targets for Hackers
The breach of e-commerce retailer LaCie is the latest indicator that more fraudsters are targeting online merchants because card-not-present transactions are particularly vulnerable (see Retailer LaCie Confirms Breach).
The retailer did not specify how many payment cards are suspected to have been exposed, nor did it say how the site was compromised. And company officials declined to comment further.
In another recent e-commerce attack, food company Smucker's reported that a breach of its online payments system likely exposed 23,000 online customer accounts.
Some industry experts say e-commerce breaches likely result from an array of vulnerabilities. That's because online retailers, by their nature, aren't as secure as their brick-and-mortar counterparts, says Al Pascual, senior analyst of security, risk and fraud for consultancy Javelin Strategy & Research.
"The financial industry has done a respectable job of protecting their systems and data from compromise, but online retailers have neither the oversight of a feared regulatory regime, or the budgets, to match this level of success," he says.
E-commerce transactions need stronger dynamic authentication or tokenization, similar to what chip cards promise to provide for card-present transactions, Pascual says.
Retailers need to enhance authentication methods to ensure only legitimate customers are able to make purchases, online or otherwise, with payment cards. But Dave Jevans, chief technology officer of online security firm Marble Security Inc., says many online retailers have been reluctant to implement additional forms of user and transactional authentication. "Gas stations implemented the 'enter your ZIP code' secondary authentication for mag-stripe cards, and it has proven highly effective," he says. "Online CNP transactions need something similar."
The increase in e-commerce breaches highlights why card-not-present fraud is a growing worry.
Migration to chip-card technology, such as the Europay, MasterCard, Visa standard, better known as EMV, does not mitigate card-not-present fraud, Jevans notes. "Almost all stolen cards are used in a CNP fashion, and so EMV does nothing to fix this situation," he says.
But Seth Ruden, senior fraud consultant for payments systems provider ACI Worldwide, says that while EMV is no "silver bullet," new security technologies such as chip cards will help the payments industry in the U.S. advance its fraud-fighting efforts.
"Further down the road, tokenization might be to e-commerce what EMV chips are to card-present POS [transactions] today," he says. "While we continue to piece together the framework, the gaps will continue to be exploited."
Online Retail Weaknesses
The breach of LaCie is believed by some security experts to be linked to the exploit of a vulnerability in Adobe's ColdFusion software, a Web application development platform used by many e-commerce sites, according to Jevans and John Zurawski, vice president on online security firm Authentify.
CVE Details, a security vulnerability data-source site, lists 61 ColdFusion vulnerabilities have been identified and documented so far.
"Attackers could have used [a ColdFusion] vulnerability to get code running on the server," Jevans says. "At that point, even if they patched the server with newer versions of ColdFusion, the attacker is there and running code to exfiltrate credit card details."
Zurawski says problems with ColdFusion hacks have plagued numerous websites. "This all goes back almost a year, which would coincide with the length of time LaCie believes they have been breached," Zurawski says. "Adobe has published patches, but website developers and their security teams have to stay on top of the patching and updating to be protected."