Online sales during the season are expected to soar, with recent estimates projecting gains of 14 percent over last year to $143 billion. It’s no surprise, then, that fraudsters go where the valuable data goes, focusing their attacks on eCommerce sites. Where brick-and-mortar had once been their hunting ground, card-not-present transactions are increasingly in the crosshairs.
In a 21st century bits-and-bytes version of the card skimmer (a device planted on ATMs or POS terminals and designed to steal card information), now comes Pipka — a new threat to consumers and merchants, nestled at the point of checkout … and a bit sinister. That is because, once the card data is stolen, the traces of the crime are erased.
The emergence of Pipka reflects, as Capezza said, a “more developed normalcy from the criminal perspective,” where bad actors are finding new ways to target the eCommerce space.
The Top-Down Approach
Against the backdrop of this new development, Capezza said a comprehensive approach is warranted in combatting eCommerce fraud.
What The Merchants Must Do
Web application firewalls need to be kept current and patches applied with speed, and firms should monitor whether their sites are in communication with command and control systems linked to fraudsters. It’s important, too, Capezza added, to implement the best practices outlined by the PCI Security Standards Council. In that framing, patching and monitoring are the low-hanging fruit.
“I would not underestimate the importance of low-hanging fruit. The reason why they are so vital is that we see criminals going after these key core security issues,” Capezza said.
Beyond the external threats, he noted that best practices include limiting access to the administrative portal, putting multi-factor authentication processes in place and consistently reviewing logs to see who has accessed the site and when. Such log reviews can reveal whether external or anomalous IP addresses are accessing the sites.
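One way to carry out the log review described above, as an added example that is not from the article or from Visa's research: it parses constructed access log lines in the common "combined" format, assumes the administrative portal lives under /admin and that legitimate administrators connect from the 10.0.0.0/8 network, and reports admin-portal requests from any other address together with the first and last time each was seen.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" log format (not from the article).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Nov/2019:02:14:09 +0000] "GET /admin/login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Nov/2019:02:14:31 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Nov/2019:02:15:02 +0000] "POST /admin/theme/edit HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.5.21 - - [18/Nov/2019:09:01:44 +0000] "GET /admin/orders HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Nov/2019:10:22:18 +0000] "GET /checkout HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

# Assumptions: the admin portal is served under /admin, and approved admins come from the office network.
ADMIN_PREFIX = "/admin"
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one combined-format line; return None for malformed lines instead of crashing."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    return rec

def is_allowed(ip):
    return any(ip in net for net in ALLOWED_NETS)

def review_admin_access(log_text):
    """Return {ip: {count, first, last, paths}} for admin-portal hits from unapproved addresses."""
    findings = defaultdict(lambda: {"count": 0, "first": None, "last": None, "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ADMIN_PREFIX) or is_allowed(rec["ip"]):
            continue
        f = findings[str(rec["ip"])]
        f["count"] += 1
        f["first"] = f["first"] or rec["ts"]   # lines are assumed to be in chronological order
        f["last"] = rec["ts"]
        f["paths"].add(rec["path"])
    return dict(findings)

if __name__ == "__main__":
    for ip, f in review_admin_access(SAMPLE_LOG).items():
        print(f"{ip}: {f['count']} admin requests, {f['first']} .. {f['last']}, paths={sorted(f['paths'])}")
```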
“All of these things come into play in a ‘holistic defense,’” said Capezza, “and it applies not [only] to a major enterprise, but … to maintaining a secure payment page as well. It’s just a different scale, but all the same processes.”
Where We’re Headed
Though there has been no disclosure yet as to whether Pipka has been successful or not, there may be a progression. Capezza told PYMNTS that the first logical extension one would expect to see with such malware is a “broader victimology.” As he noted, the only Pipka identifications, thus far, have been in North America, but the reach could broaden — don’t expect the recent news surrounding Pipka to be a one-off.