When the valet attacks the wallet

The guest gets out of a nice car, swivels a swanky fob of keys on a finger and approaches a well-dressed valet. The smiling attendant takes down a few details and walks off with the car keys. Only to vanish into thin air!

It hurts if you are the car-owner, but it aches more and deeper if you run that swish hotel that the guest confidently walked into. Your hospitality arrangements were just trying to make the process easy, swift and smooth for a guest. Alas, who could have thought that these very services would cost you a customer’s trust, bad PR and consequentially, lost revenues?

The irony of ensuring frictionless customer experiences, which cause unexpected wreckage in the form of fraud, belongs to a ‘form’ today. Yes, a new fraud valet has already made many organizations suffer. Let’s see how and where:

Formjacking – How and How Much?

This is how it works – an attacker can inject any malicious script or look-alike tools on the targeted web page, so that when the user loads this page and proceeds for shopping or any payment transaction, the form that comes up works as the real con-man. The user innocently enters information that s/he supposes is going only to the merchant. But what actually happens is that this payment data falls right into the lap of the attacker. The payment gate and the checkout desk, in other words, become new points of vulnerability.

Ticketmaster, British Airways and Newegg – these enterprises have paid dearly to this daunting menace of form-jacking in the last few months. From an Australian fashion retailer, to a French accessory supplier, to an Italian fitness shop, to a third-party payment service supporter – a lot of clobbered examples came up as victims of formjacking. The big one, of course, was the Ticketmaster-breach wherein attackers (via a malicious JavaScript code) compromised even a chatbot that was used for customer support on these websites. The result, a lot of payment card data was stolen from customers thanks to these front-end vulnerabilities. A lot of (as many as 800 as per the last count) e-commerce sites were hit fiercely by Magecart by leveraging these very areas like analytics, customer support, etc.

More Thieves on Their Way

There is more to the problem than what appears on the surface. While identity fraud may have been shrinking 15% annually to 14.4 million US adults in 2018 (as per a Javelin's 2019 Identity Fraud Study); while EMV (Europay, MasterCard, Visa) and POS (Point of Sale) card-fraud may be flattening out; attackers are, however, galvanizing forces around other vulnerable points like e-commerce and digital channels. These avenues now make up for two-thirds of all payment fraud. This is a nightmare-in-the-making because adoption and traction of digital means is only going to proliferate further.

Reckon what Experian’s report ‘The 2018 Global Fraud and Identity Report’ highlighted.  There is a surge in digital commerce as a way to purchase goods and services (90%).

And now the killer-catch. As many as four out of five consumers trust that businesses are taking care of the protection of their personal information. This is quite a contrast when the same study shows 72% of businesses putting fraud as a growing concern over the past 12 months.

Time to bell the bell-boy

The scariest part about formjacking is that it can go unnoticed by victims for a long time, as seen in the Ticketmaster case. What enterprises need is a proactive stance along with areas like.

• Continuous and sharper testing of new updates, in small test environments or sandboxes for early detection of any fishy behavior
• Readiness and wherewithal in picking patterns and watching third-party updates with a fine-toothed comb. Time for Artificial Intelligence and smarter analytics
• Attention to the human role and amplified vigilance and monitoring
• Collaboration among the payment-ecosystem players
• Augmented security, anti-fraud and data protection policies

IBM’s team of researchers and practitioners is working passionately on these areas. The nail to hammer here well is the paradox between customer experience and payment security. Making the whole process fast and friction-free should not mean cracks that allow formjackers to get steam and speed. That is what is keeping IBM busy in working hard on areas of collaborative defense and deeper security-foundations. 

It’s tough - Park your customers fast. But park them safe too. The key is – preparedness.

Air Jordan