There is an old adage in the business world: 'what has gotten us this far, will get us no further'. To remain competitive, companies must constantly adapt and evolve. The same applies to cyber security. Cyber threats are increasing in complexity and scale as attackers seek new ways to compromise valuable data.
According to an in-depth analysis by the magazine Tech Radar, the retail sector is now a favourite target of cybercriminals. An analysis of this year's retail attacks highlighted a number of key threats, including data theft, compromised accounts, reputational damage and downtime.
There are common threats such as digital skimming and malicious bots, while others, such as account appropriation attacks (ATO) and abuse of business logic, are growing in frequency. What lessons can we learn from 2023? And how can retailers respond to an evolving threat landscape?
One of the biggest threats to all retail businesses this year has been account takeover (ATO) attacks, in which cybercriminals use automated bots to try to compromise online accounts by testing stolen passwords and usernames. For customers, a successful ATO attack can have serious financial implications, while for businesses it can lead to reputational risks and lost revenue.
ATO attacks are a year-round threat, accounting for nearly 1 in 6 of all access attempts. Malicious activity is particularly rampant during the holiday season. This year, the volume of malicious access attempts increased by an incredible 85% during Black Friday, surpassing even last year's 66% increase. And it is not only Black Friday that is a problem: the number of ATO attacks increased by 82% between October 2023 and November 2023. These figures underline how important it is for eCommerce platforms and businesses to have defences in place to identify and mitigate malicious automated traffic that could be involved in ATO attacks.
Business logic refers to the rules or algorithms that determine how an application or programme operates and interacts with a database. It can be thought of as the decision-making process of an application or API - the 'if' and 'then' scenarios that are designed to maximise ROI. For example, a retailer might decide that 'if' a customer orders more than £200 worth of goods, 'then' they get a discount of 20%. Such conditional logic allows business decisions to be automated and more efficient.
In the last 12 months of 2023, attacks targeting the business logic of retail sites almost doubled from 26% to 43%. Attacks on business logic can be used to steal money or sensitive data, commit fraud or simply cause chaos by crashing a business-critical application. They are increasingly popular among hackers because they do not exploit a technical flaw, but abuse an existing application or system functionality. As a result, they often go undetected by traditional security tools.
For example, if a retailer allows a customer to send digital gift cards to another customer, hackers could use faulty logic within the system to 'gift' themselves thousands of euros in vouchers from another account. Such an attack could have serious consequences for both the consumer and the company.
Addressing these two issues - not to mention the many other threats retailers face - requires the involvement of both parties. For consumers, practising good password hygiene (such as not reusing passwords on different sites) is essential to reduce the chances of falling victim to an ATO attack. Meanwhile, businesses need a coordinated and comprehensive defence strategy, with a suite of capabilities that can cover all access points, including websites, mobile apps and APIs. This means going beyond a simple bot management solution to include tools such as attack analysis, client-side protection and application runtime protection (RASP).
Furthermore, responsibility for security must be more widespread within the organisation. Combating the abuse of business logic requires that developers and product owners map and incorporate security measures from the outset and at every stage of the process to minimise potential risks. This should be accompanied by regular audits and code reviews to identify any problems that may not have been detected initially. Identifying business logic vulnerabilities is not a 'one-off' process - software updates happen all the time and each has the potential to introduce a new weakness in the application logic.
Due to the constantly changing threat landscape, IT security requires constant adaptation. New threats can emerge from one day to the next and become critical problems for businesses. In 2023, ATO attacks and abuse of business logic were two of the top threats to retailers. With the growing adoption of generative AI, the technology could help cybercriminals modify their attacks. As a result, 2024 could see a surprising increase in the volume of attacks, especially around business logic, as attackers train AI systems to detect and exploit such vulnerabilities.