American consumers just wrapped up another Black Friday shopping season, and cybercriminals were out in force trying to steal credit and debit card numbers. Rather than accept this as a seasonal annoyance, treat the threat as an opportunity to teach your employees better security awareness tips and techniques.
‘Black Friday’ just happened here in the USA. The holiday extravaganza started in the 1950s as an unofficial kick-off to the Christmas shopping season and evolved in the 1970s into a barometer for the entire American economy. Retailers are said to count on robust Black Friday and holiday sales to meet their sales targets for that year. If Thanksgiving Week consumer spending doesn’t meet or exceed economists’ expectations, that supposedly bodes poorly for the economy’s end-of-year performance. If I’m honest, I don’t put much stock in the theories that Black Friday sales accurately reflect the health and/or direction of the U.S. economy. Chalk it up to weary cynicism or perhaps to too many years of flawed predictions, but I just don’t buy the premise.
What I do believe is that the Black Friday shopping frenzy is an excellent time for cybercriminals to stalk American consumers and steal loads of cash and goods. Why? It’s because of a rich field of targets. A good hunter knows that it’s easier to pick off one victim in an immense, distracted herd than it is to stalk one wary, isolated animal that’s actively on-guard. Black Friday involves significantly-increased crowd sizes at shopping centres, malls, and online. Most of those shoppers will be tired, cold, stressed, and over-focused on their goals. Many of them will be overwhelmed by the bustle and noise. All of this makes for perfect hunting conditions.
So, what might have gone wrong for consumers this last week? Let’s talk about the various ways that cybercriminals will try to separate a shopper from his or her money:
First, card skimmers. These are small, stealthy devices that criminals affix to ATMs and gas pumps that record your payment card number (and sometimes your PIN) when you use a self-pay system. With the marked increase in consumers traveling to and from shops, the number of consumers stopping to refuel increases proportionately. For a criminal, this is an excellent time to harvest a large batch of unique card numbers before their skimmer hardware is discovered.
A well-made skimmer fits flush over the real card reader and doesn’t interfere with it. The skimmer captures your card data without you knowing that it’s there.
Next, there’s the old fashioned ‘double swipe’ or ‘double charge’ method. A waiter, cashier, or clerk takes your payment card and takes multiple swipes (one for your actual purchase, and other swipes for unrelated purchases). Other times, the criminal might simply capture your number for later use. It’s usually safer and faster for the thief to sell or transfer the stolen card numbers to someone else to prevent the theft being traced back to them, so any method of recording your card data will likely be sufficient.
Another more modern technique is to ‘sniff’ your card number, sort of like invisible pickpocketing. The criminal gets reasonably close to you – often idling in a queue – and then activates the ‘Near Field Communication’ chip on your card with a device that simulates a real point-of-sale terminal. Your card isn’t smart enough to recognize that it’s still in your wallet and gives up its information. The criminal gets away with your data and you never realized they were there.
A criminal could steal your actual, physical cards by swiping your wallet. Or they could ‘dumpster dive’ your receipts. Or phish you and get you to turn over your payment card number(s). Or install malware on your personal computer and copy down your card numbers when you make a legitimate purchase. Or compromise an online merchant and then steal your card number when you go shopping there. The bottom line is that it’s awfully easy to steal payment card numbers these days.
We could do an entire piece on how advanced criminals use phishing emails to send unwary consumers to a fake ‘customer service’ call centres to steal their critical financial information.
Regardless of the techniques employed, once a payment card number is stolen, a cybercriminal can make online purchases with a stolen number and have the goods or gift cards sent to an easily-abandoned location. Or they can ‘clone’ the card and have cut-outs use the duplicate cards to purchase goods or gift cards in other cities and then drop off the goods. Either way, the goods purchased on your stolen card then get shifted to another party who sells them for untraceable cash. The person who initially stole your card number gets some cash and disappears. The people who bought the easily re-sellable goods likewise get some cash and disappear. The people who orchestrated the whole game keep most of what’s left and disappear. It’s a well-understood (criminal) business model.
Ideally, we’d all employ aggressive countermeasures to pre-empt the baddies and stop them from stealing our card numbers in the first place. People would check for card skimmers and yank them out. They’d keep their cards in Radio Frequency (RF) shielded wallets and refuse to let their cards leave their sight. They’d watch store clerks like hawks to detect multiple swipes. In a perfect world, sure; we would be hyper-vigilant all the time and nothing bad would ever befall us.
More realistically, the experts’ recommended solution for this style of card theft is to detect improper charges after they post. People are expected to monitor their account statements, to notice unauthorized charges, and to report sketchy activity to their bank or card issuer immediately. Their bank then shuts the stolen card number(s) down before significant damage can be inflicted. We’ve been told to accept this approach as the more practical and cost-effective way of doing business when it comes to protecting our credit and debit cards, but … is it? Really?
Of course it isn’t! Go read the rest of my columns from the past year and you’ll see a pretty clear pattern forming.
From a corporate Security Awareness training perspective, I argue that this approach is ill-advised. Imagine if we didn’t teach users how to spot potential phishing emails and instead only taught them to report malware infestations or lost sensitive data after falling for a real phishing attack. Imagine if we ignored teaching users the signs and indicators of a facility intruder and instead only taught people how to fill out police reports after an intruder escaped with an armful of expensive kit. How do you think a company’s auditors, regulators, and shareholders would feel about a ‘response-instead-of-prevention’ strategy? I’d wager that they’d find it unacceptable. We certainly do at OCC.
We know that we can’t stop Black Friday from dominating our lives every November. The holiday rush is too deeply engrained in our culture. We also can’t really stop the legions of cybercriminals from pouncing on the once-a-year opportunity to hunt their prey in overcrowded malls. We can, however, prepare our people for the annual hunt and help them make adversaries’ attacks significantly more difficult to pull off.
That’s why we advocate creating and delivering pre-emptive cyber-defence training for users (and their families!) on the various threats, indicators, and countermeasure associated with consumer payment card theft techniques in the weeks before Black Friday. It doesn’t take a ‘perfect world’ to make a meaningful difference. We accept that it takes a lot of effort. Our people are worth it.
Over the long run, we see cybersecurity education as an investment in our colleagues. As we teach users how, when, and why to defend themselves, we create stronger, sharper, and more confident enterprise defenders. This heightened defensive awareness extends out to all aspects of a user’s life, not just their time in the office.