As shoppers whip out the plastic for online deals, the holiday angst only heightens when it comes to threats to your credit card accounts and other personal information.
Even consumers who shop online through a major retailer, like Macy’s, can fall victim to some of these incredible hacking incidents.
During a one-week period in early October, for example, sophisticated intruders targeted online shoppers at Macys.com to secretly collect addresses, emails, names, credit card numbers and other personal information.
As a shopper, you would have had no idea there was any sort of trouble when you used your card to buy merchandise. Later down the line, though, you likely received a letter from Macy’s explaining that you were a victim of this limited data breach.
The Macy’s breach mirrors a proliferation of specific e-skimming attacks outlined earlier by the Federal Bureau of Investigation.
The FBI said in October, before news of the Macy’s breach broke in November, that the bureau was seeing a number of e-skimming cases open up.
The danger of this latest cyber attack: Cyber criminals are getting our data in real time, which can make that information more valuable in the underground market.
Such theft can happen whether you’re buying something online through a legitimate website or mobile app.
“We are aware of a highly sophisticated and targeted data security incident related to Macys.com that affected a small number of customers during a one-week period in October,” according to an emailed response from a Macy’s spokesperson.
“Our security teams quickly engaged a leading forensic firm to remove the threat,” according to Macy’s.
“Details of this incident were reported to federal law enforcement for investigation and to assist other websites in managing this threat. Affected customers have been notified and will receive additional information, including instructions on how to enroll in consumer protection services at no cost. Security and privacy remain our priority.”
The unauthorized computer code was on the Macy’s site from Oct. 7 through Oct. 15.
How e-commerce attacks work
Fraudulent websites, apps, emails and texts are particularly dangerous on big shopping days, such as Black Friday and Cyber Monday, when everyone’s in a rush to quickly snag the best bargains.
The attack on e-commerce sites, like the one experienced by Macy’s, is known as Magecart, a scam that skims card numbers of online shoppers using widely distributed malicious software. In the Macy’s breach, the criminals were able to access information when customers used credit card data at the checkout page and the “place order” button was hit.
Experts say the Macy’s incident is similar to the digital skimming techniques and code used in a number of other Magecart attacks lately.
The skimming code would capture your information in real time and send it to remote server where the data is collected by the criminals behind the scene. The consumer’s credit card data would either be sold or used to make fraudulent purchases from that point going forward.
The e-skimming incident at Macy’s won’t be the last that we’re likely to hear about this holiday. Unfortunately, it’s not something that a consumer can readily spot or avoid while shopping online.
“E-skimming is easy to deploy, hard to detect and extremely lucrative,” said Adam Levin, founder of CyberScout.
He noted that e-skimming victims often are none the wiser because the attack doesn’t interfere with the processing of the credit card.
“The first sign of trouble is usually a notification from a credit card company or bank regarding a suspicious transaction.”
Data from initial hack can be used later
Given that the Macy’s attack exposed customer names, addresses, email addresses and phone numbers, those customers could see more phishing attempts later, Levin said.
Scammers may try to get more information on these calls to be used in further identity-related fraud.
Levin also suggested that given the breadth of the personal information stolen in the recent Macy’s attack, it is possible that data could be connected to other stolen information readily available for sale on the Dark Web. If so, that would make it possible for a criminal to open new accounts in a victim’s name.
“Be on the lookout for suspicious activity,” he warns.
What you can do to protect data, money
The proliferation of cyber crime gives consumers more reason to lock their doors, if you will, to their personal information.
Consider the following tips:
— Nearly half of Americans admit to using one password when logging in to various accounts, according to a new study from PCI Pal, a payment compliance provider. Changing your password — and using different passwords for different accounts — becomes even more important if you are planning to shop online during the holidays. You can check out various password managers online that can help ensure unique and random passwords.
— It should be obvious but you don’t want to use information that could have been obtained elsewhere for your passwords. Don’t use your birthday, phone number or even the last four digits of your Social Security number.
— Another obvious point: Change your passwords if you are alerted that you’ve been involved in any sort of data breach or identity theft. Attackers who steal data from companies know that you’re only using the same password over and over again.
— Impulse purchases are the name of the game on big bargain days, like Cyber Monday. Yet you don’t want to access sensitive information, such as payment information, by using the free Wi-Fi at the coffee shop. There’s a risk that such information could be stolen “in transit.”
— As much as they tell us not to click on links or attachments, people keep doing it anyway, according to the PCI Pal research. Almost a third of those surveyed admit they can’t resist on clicking on attachments — which could explain why the scammers keep sending them.
— Unusual purchases often can often be spotted by credit card companies as part of their fraud flagging process. But Levin warns that the holidays generate unusual charges galore, which makes it easier for fraudulent charges to go unnoticed.
— Use credit cards when shopping online. “There is generally more protection with a credit card because when using a credit card, it’s not your money,” Levin said. “When using a debit card, it is. Your bank account can be frozen during an investigation of bogus charges, and unlike a credit card, it also provides a gateway directly into your bank account.”