Cybercriminals set their sights on holiday shoppers and travelers


The holiday shopping season is in full swing, which means that retailers will be dealing with a huge influx of shoppers both online and in store. However, it’s not just the retail sector that sees an increase in online activity around this time of year; so too do the travel and hospitality industries.

TechRadar Pro spoke with Arxan Technologies VP of Product Management Rusty Carter to learn how both businesses and consumers can help protect their security online during the busiest shopping season of the year.

1. What are the biggest threats to the travel and hospitality industry this holiday season?

As we’ve seen, breaches leading to theft that result in loss or identity theft are already happening this season in travel and hospitality. Another risk businesses in the industry should be focused on is system disruption. While ransomware has been most prominent in healthcare, the risk of service disruption due to ransomed data or applications held hostage should not be overlooked. Additionally, things like Magecart that are stealing data could also be used against businesses to change reservations, destinations, and cause travel disruptions for users and businesses.

2. Can you explain how Magecart operates and shed some light on the businesses its creators have targeted thus far?

Magecart is effectively malicious JavaScript used to quietly steal user credentials and banking information while transacting on a site. By hiding the script in a legitimate location, things like cross-site scripting detections are not triggered, and since the transactions still go through the correct site, the server and end-user view things working as expected. As a result, in many cases, the attacker is able to exfiltrate a large amount of data before being detected. This attack has been used against some very high-profile targets including British Airways, Newegg, Sotheby’s, Ticketmaster and others.

3. Which industries is Magecart likely to target next?

Retail and ecommerce are already getting hit by Magecart, and I suspect that healthcare is not far behind. Any industry operating significant or valuable transactions online with large numbers of users will be or become prime targets.

4. What advice would you give to retailers and businesses in the hospitality and travel industries to help protect them from these and other threats online?

Treat your customer’s data like cryptocurrency - once someone else has it, it’s gone. Businesses that take this view on data protection quickly realise that datacenter infrastructure is not sufficient to truly secure data from the user’s fingertips to the system. Businesses need to look at the application running at the endpoint, including web or browser-based applications that are vulnerable to attack and loss of customer data.

5. How can consumers know the sites they are shopping on are secure?

I wish there was an easy answer to this. Unfortunately, until companies are protecting the application accessing their servers, the “site” and the user’s interaction can’t truly be protected. The best things that consumers can do now are:

  • Be educated - read and learn about sites and companies that have been breached or found vulnerable.
  • Vote with your time and money. Be much more cautious about transacting or interacting with online businesses that have had a breach or loss. Let them know that not truly securing your interaction with them is not acceptable.
  • Be prepared to have your data lost or stolen. This is an unfortunate reality today. Don’t transact online with debit cards or uninsured payment methods, secure all online accounts with different credentials and leverage a reputable password manager to use unique and complicated passwords, make up false answers to security questions (and store those securely), and where possible, check the credit reporting agencies often and/or freeze your credit so new accounts cannot be fraudulently opened up against you.


6. What tips would you give to companies trying to protect themselves this holiday season?

Protect your business’ future, because consumers’ tolerance for data theft and loss is quickly coming to an end. Hire or retain experts not in particular security technologies such as WAF or IPS, but in protecting entire applications and systems. Attackers are looking for the easiest victim and if you properly defend both your services / data in the datacenter and deploy technologies to protect applications where users interact with them, you will reduce your likelihood of breach. And finally - as is the case for many if not most businesses, do what you can now, and continue through the new year to develop a comprehensive approach to security and protecting applications all the way from where the user interacts with them, to where the data is stored.

7. What emerging threats are on your radar for 2019?

With the tremendous amount of personal data hemorrhaging from businesses this year, sometimes in spectacular fashion, I expect there will be a significant uptick in spear-phishing and targeted attacks against individuals, including identity theft. As more detailed pictures of individuals are assembled and data resold, so-called lower level, individual attacks will take place.

I also expect that some of the data leaking this year will be resold back into legitimate advertising networks. While not the most interesting or seemingly nefarious vulnerability, the loss of personal data culminating in more personalised spam and targeted advertising is a likely nuisance we will see next year.

On the deeper security front, we’ve seen a marked increase in organisation around attacks and electronic crime. I believe that will result in a continuing increase in the sophistication and ability to defeat weak defenses. Combined with the ongoing componentization of applications and reliance on APIs for multi-system interactions and separation of application logic from data, attacks against cryptographic and API keys will likely increase, especially as they are not well protected in many if not most instances within mobile and consumer IoT applications.

Rusty Carter, VP of Product Management at Arxan Technologies 

Rusty Carter
Rusty Carter is a security software executive with over 20 years’ experience, and the current Vice President of Product Management at Arxan Technologies, an application security company that provides application shielding and protection against reverse-engineering and tampering to the world’s largest companies. Prior to Arxan, Mr. Carter led product management at Symantec, McAfee, and Pulse Secure (formerly Juniper), and was responsible for the introduction and growth of multiple new products and lines of business.