ThreatMetrix last week reported that it had detected and prevented more than 90 million attempted cyberattacks in real time across industries from July to September.
The attempted attacks covered fraudulent online payments, logins and new account registrations, and represented a 20 percent increase over the previous quarter, according to ThreatMetrix Cybercrime Report: Q3 2015.
The increase is largely due to the growing sophistication of cybercriminals and the amount of customer data available for interception, the report stated.
Fraudsters are using bots and botnets to run massive numbers of sign-ons testing different identities in order to defeat defenses against fraud, ThreatMetrix said.
Botnets Are Back
In past years, advanced persistent threats — attacks launched over a long period of time — had been a major cause of concern. It now appears that botnets have made a comeback, after dying down when several of the largest and most prominent ones were taken down.
Botnets are the new data breach threat, according to ThreatMetrix. They target networks from the outside through the use of digital identities, with cybercriminals signing in to networks as customers or employees.
Leading retailers that are being hit by low-frequency attacks from botnets have very high daily traffic, ThreatMetrix said.
These attacks use slow traffic that appears legitimate and bypasses triggers set around protocols and rules in IT cybersecurity systems. Not only does this technique get attackers into networks, it drains victim enterprises’ resources because it causes a spike in traffic.
Cybercriminals have used low-and-slow attacks for some years now.
“Midsize to large companies are deploying tools like fraud platforms, IP geolocation tools, device recognition solutions and identity verification tools,” remarked Tom Donlea, director of e-commerce at Whitepages.
“The issue is that small and growing e-commerce companies need tounderstand risks before a big fraud scam,” he told the E-Commerce Times. “They need to understand their options from the above tools and choose one or a combination that allow them additional security that’s affordable.”
E-Commerce Sites at Risk
The United States is moving to EMV cards — credit and debit cards with chips embedded in them — but EMV technology “protects only retail merchants, and increases liability for e-commerce sites since fraudsters will try to attack websites that are vulnerable,” said Suresh Dakshina, a co-founder atChargeback Gurus.
The risk level for e-commerce businesses “will remain high” until credit card issuers introduce PIN debits for EMV cards that let merchants request that customers enter their PINs when making online transactions, he told the E-Commerce Times.
Kaspersky Lab estimates businesses spend on average between $38,000 and $550,000 to recover from a cyberattack, depending on their size.
How Companies Can Protect Themselves
Automating the order review process lets companies integrate and access identity data they need within their existing workflow and platform, speeding up the clearing of good orders and freeing up time to look into troublesome ones, Whitepages Pro’s Donlea said.
Also, “use the best identity data in the industry, including mobile phone and email information, to be confident and accurate,” he said. “Use real-time data so you have the latest information in today’s world of constant change.”
Companies should implement Card Verification Value and address match when accepting cards and have a dedicated resource to review fraud alerts and block suspicious orders, Chargeback Gurus’ Dakshina said. They also should “pay closer attention to overnight and express shipment orders, and educate teams to identify fraud orders and on what steps to take to mitigate fraud.”
Invest in big data solutions, suggested Mike Jude, a research manager at Frost & Sullivan.
“Generally, robust fraud detection requires an investment in purpose-built data analytics,” he told the E-Commerce Times.
The difficulty of dealing with cyberthreats is a systemic issue.
“In China, the consumer is liable for any fraudulent credit card transactions, whereas in the United States the merchant takes the financial hit,” Yinglian Xie, CEO ofDataVisor, pointed out.
That makes Chinese consumers more accepting of security controls and verification technologies e-commerce sites use, she told the E-Commerce Times. and “until that changes in the U.S., don’t expect to see a dramatic increase in authentication measures.”