Death, taxes and data breaches – those are perhaps the only sure things in life, and new evidence is emerging that hackers are finding increasing profit in targeting online retailers. The news comes amid yet another online retail cyberattack, this one targeting Japan’s Fast Retailing, the company that owns the Uniqlo retail chain.
A recent report from KrebsonSecurity said that “until quite recently, credit card data stolen from online merchants has been worth far less in the cybercrime underground than cards pilfered from hacked brick-and-mortar stores. But new data suggests that over the past year, the economics of supply and demand have helped to double the average price fetched by card-not-present data, meaning cybercrooks now have far more incentive than ever to target eCommerce stores.”
According to that analysis, criminals could, on average, fetch between $2 and $8 per account for credit card data stolen from online retailers – stolen goods that hackers reportedly call “CVVs.” By contrast, what hackers reportedly call “dumps” – that is, “card data swiped from compromised retail stores, hotels and restaurants with the help of malware installed on point-of-sale systems,” according to the report – generally go for $15 to $20 per card. That said, “over the past year, the demand for CVVs has far outstripped supply, bringing prices for both CVVs and dumps roughly in line with each other,” the report said.
One big reason, according to the report? “The United States is the last of the G20 nations to make the transition to more secure, chip-based payment cards, which is slowly making it more difficult and expensive for thieves to turn dumps into cold hard cash,” it said. The increasing value of those CVV data thefts is likely behind what KrebsonSecurity has called the “huge uptick over the past year in eCommerce sites getting hacked.”
For the Uniqlo retail chain, the company said “it was confirmed on May 10, 2019 that an unauthorized login by a third party other than the customer occurred on the online store site operated by our company.” Hackers obtained names, addresses and contact details for the customers. The company said partial credit card info “may have been browsed,” but that there is “no possibility of leakage” in credit card security codes. The retailer has asked customers to create new passwords that are harder to guess to lower the chances of getting hacked.
That’s hardly the only recent hack involving online retail activity, nor the only form of such criminality. In April, news emerged concerning the QSR chain Chipotle. The reports told of Chipotle users’ accounts being pirated, with hundreds of dollars’ worth of food charged to customer cards that those customers never saw. In many cases, according to reports, the delivery addresses on the fraudulent orders were to states different from the home addresses on the accounts.
There is a bit of a twist in this often-told tale of breached consumer data: Chipotle maintains that the company itself has not been breached. Consumers often repeat passwords across sites, the firm noted, and fraudsters use a technique known as credential stuffing, wherein they take email addresses and passwords gleaned from other attacks and use them to brute-force their way into customers’ Chipotle accounts.
The reality is probably more complicated, and underscores not only the complex nature of retail hacking and data breaches, but also the challenges of defending against criminals who are increasing sophisticated and organized. In a recent PYMNTS interview, Rich Stuppy, chief customer experience officer at Kount, said the wrong assumption to make about the recent Chipotle breach news is that it’s an either/or situation, when the breach could mean more of a both/and situation.
“There is no reason to believe that multiple things aren’t going on here. It could easily be credential stuffing,” Stuppy said. “It could be a unique password that is being taken over with credential stuffing in email [application programming interfaces (APIs)] or other activities. That’s why this is such a difficult problem. These attacks are not one-time events, one particular way. These are multiple events coming at these business[es] and putting them in a really tough spot.”
No matter the reason or method, it seems fraud prevention for retailers continues to get more challenging.