Cybercriminals set their sights on holiday shoppers and travelers

As we’ve seen, breaches leading to theft that result in loss or identity theft are already happening this season in travel and hospitality. Another risk businesses in the industry should be focused on are system disruptions. While ransomware has been most prominent in healthcare, the risk of service disruption due to ransomed data or applications held hostage should not be overlooked. Additionally, things like Magecart that are stealing data could also be used against businesses to change reservations, destinations, and cause travel disruptions for users and businesses.

Magecart is an effectively malicious JavaScript used to quietly steal user credentials and banking information while transacting on a site. By hiding the script in a legitimate location, things like cross site scripting detections are not triggered, and since the transactions still go through the correct site, the server and end-user view things working as expected. As a result, in many cases, the attacker is able to exfiltrate a large amount of data before being detected. This attack has been used against some very high-profile targets including British Airways, Newegg, Sotheby’s, Ticketmaster and others.

Retail and ecommerce are already getting hit by Magecart, and I suspect that healthcare is not far behind. Any industry operating significant or valuable transactions online with large numbers of users will be or become prime targets.

Treat your customer’s data like cryptocurrency - once someone else has it, it’s gone. Businesses that take this view on data protection quickly realise that datacenter infrastructure is not sufficient to truly secure data from the user’s fingertips to the system. Businesses need to look at the application running at the endpoint, including web or browser-based applications that are vulnerable to attack and loss of customer data.

I wish there was an easy answer to this. Unfortunately, until companies are protecting the application accessing their servers, the “site” and the user’s interaction can’t truly be protected. The best things that consumers can do now is:

Be educated - read and learn about sites and companies that have been breached or found vulnerable.

Vote with your time and money. Be much more cautious about transacting or interacting with online businesses that have had a breach or loss. Let them know that not truly securing your interaction with them is not acceptable.

Be prepared to have your data lost or stolen. This is an unfortunate reality today. Don’t transact online with debit cards or uninsured payment methods, secure all online accounts with different credentials and leverage a reputable password manager to use unique and complicated passwords, make up false answers to security questions (and store those securely), and where possible, check the credit reporting agencies often and/or freeze your credit so new accounts cannot be fraudulently opened up against you.

Protect your business’ future, because consumers’ tolerance for data theft and loss is quickly coming to an end. Hire or retain experts not in particular security technologies such as WAF or IPS, but in protecting entire applications and systems. Attackers are looking for the easiest victim and if you properly defend both your services / data in the datacenter and deploy technologies to protect applications where users interact with them, you will reduce your likelihood of breach. And finally - as is the case for many if not most businesses, do what you can now, and continue through the new year to develop a comprehensive approach to security and protecting applications all the way from where the user interacts with them, to where the data is stored.

With the tremendous amount of personal data hemorrhaging from businesses this year, sometimes in spectacular fashion, I expect there will be a significant uptick in spear-phishing and targeted attacks against individuals, including identity theft. As more detailed pictures of individuals are assembled and data resold, so-called lower level, individual attacks will take place.

I also expect that some of the data leaking this year will be resold back into legitimate advertising networks. While not the most interesting or seemingly nefarious vulnerability, the loss of personal data culminating in more personalised spam and targeted advertising is a likely nuisance we will see next year.

On the deeper security front, we’ve seen a marked increase in organisation around attacks and electronic crime. I believe that will result in a continuing increase in the sophistication and ability to defeat weak defenses. This combined with the ongoing componentization of applications and reliance on APIs for multi-system interactions and separation of application logic from data, the attacks against cryptographic and API keys will likely increase, especially as they are not well protected in many if not most instances within mobile and consumer IoT applications.