Researcher: Thousands of shopping sites hacked, card data skimmed
- Dutch security researcher Willem De Groot said that almost 6,000 online shopping sites have been hacked since he began tracking them last year, with hackers leveraging malicious software to gain access to customer payment details.
- In a blog post, De Groot — co-founder and head of security at Dutch ecommerce site byte.nl — said that multiple culprits likely were able to skim credit cards used at online stores run by retailers, consumer brands, automakers, government entities and other parties, and that the number of shops where malicious code was found grew from about 3,500 in November 2015 to 5,900 in September 2016.
- De Groot, who started his analysis after his own card data was stolen, suggested that buyers at online stores enter their card details only through payment providers like PayPal, which he said have dedicated security teams, while individual stores may not have anyone on their own IT team watching for hacks or bad code.
At a time when we are seeing so many new e-commerce technology innovations, from chatbot applications to voice-driven shopping and everything in between, the biggest e-commerce story of 2016 could very well be the rampant growth of e-commerce security attacks and threats.
Retail store payment terminal hacks, like the one just reported by retailer Vera Bradley, may still be getting more attention, but in some cases card data stolen in these types of incidents can lead to "card not present" fraud incidents at online shopping sites. In other cases, criminals may be setting out from the start to target online sites because EMV chip cards and terminals are making it harder to compromise in-store payments.
De Groot's analysis uncovered some big-name brands, though it is unclear whether the hacked sites belonged to any major retailers. Some of the companies mentioned are from other sectors and simply operate an online store, and they may not watch the back door as closely as the biggest retailers do. It is also likely that many of them are smaller stores that lack the security knowledge or the staff to monitor and stop these episodes. De Groot also notes in his blog post that some operators of online stores have made the foolish mistake of not upgrading security software on a regular basis.
Perhaps one of the most ominous things to learn from De Groot's analysis is that multiple parties appear to be responsible for these thousands of hacks, and that at least a few different kinds of malicious software were used. E-commerce players are facing a big threat, one growing larger and more varied as we speak. It's time to start playing tougher defense.