“Fraudsters are building complex criminal machines”: Interview with Brian Krebs

What do the alleged hacks by Russia into databases of the Democratic National Committee (DNC) and the U.S. voting registrations mean for e-commerce merchants? While they’re not good news when it comes to preserving the integrity of our democracy, these hacks are also not a good sign for the security of your online retail business.

According to Brian Krebs, a former Washington Post reporter and computer security expert whose popular blog Krebs on Security covers cybercriminals and online fraud, Russia turns out a fair share of savvy hackers, and recent events like these are indications that hackers worldwide are getting even better at it.

“Russia and most of the former Soviet Union place a strong emphasis on math, science and technology in education. However these countries lack a decent pipeline for converting those skills into good-paying jobs, so many turn to cybercrime,” explains Krebs.

Remember the infamous hack into Target a few years ago? Turns out, the far-reaching breach of some 40 million consumer credit card accounts in 2013 was perpetrated by a Russian teenager who then sold the personal information on the black market. Krebs, who broke that story to the public, doesn’t see this type of crime slowing down.

Credential fraud reuse rising

“For online retail the biggest trend and problem we’re seeing now by cybercriminals is credential reuse,” says Krebs. “When one big shop or site gets hacked, the fraudsters take that list of email addresses and passwords and try those at many, many other sites, knowing that a small percentage of users will reuse the same password across multiple sites.”  

As a result, he says, many merchants are starting to put stricter policies in place to defeat this type of activity, and using tactics such as velocity checks, CAPTCHAS, and timeouts.

However – according to Krebs – that doesn’t entirely solve the problem. “Some of the fraudsters are building large, complex criminal machines for getting around these security measures,” he says. “They’re essentially outsourcing the password tries across tens of thousands of hacked computers in a botnet—with different browser users and different IPs. It’s an arms race for sure, but the criminals are well ahead.”

So, what’s the solution?

Spend more money on security, says Krebs. “Most businesses don’t properly account for fraudsters, or try to understand how the attackers are trying to compromise the system,” he explains. “They are mainly contracting with companies who claim to block a lot of things they don’t.”

Krebs thinks the best ammunition against this type of retail fraud is employing more humans. “There’s no substitute for the human at organizations when it comes to security, and yet so many companies under-invest in having an adequate number of well trained staff on hand to help triage a break-in before it metastasizes into a much bigger problem,” he says. “This is because security professionals are generally quite expensive and very often beyond the reach of salaries offered by these firms.”

Beware of shopping cart vulnerabilities

Small online retailers are more susceptible to crime than the larger ones, he says. “A big vulnerability for many small e-commerce firms is their shopping cart software,” says Krebs. “Shopping cart software is notoriously full of exploitable bugs that bad guys can use to siphon card data. Just look at the history of shopping cart software to see what I mean.”

He points to the recent incident on eBay’s Magento ecommerce platform – a platform that bills itself as “powering more Internet Retailer Top 1000 merchants than anyone else.” In May 2016, Magento quickly had to patch their software system to prevent hackers from accessing all of their user’s retailer accounts. In an announcement, thousands of Magento administrators were told to update their installations to the new patch.

So what does Krebs do while online shopping?

Since he knows so much about the dangers, does Krebs take extra precautions when shopping? He says he doesn’t do anything too special. “No more protections than I take just for browsing the web,” he says. “I do most of my browsing in a virtual machine, which is basically a Linux virtual machine without Flash or other plugins installed.” This gives him a layer of protection against cybercriminals. “Browser plugins are favorite targets for malware and miscreants,” Krebs explains, “because they’re generally full of unpatched security holes that cybercrooks can use to seize control over vulnerable systems.” 

He’s also leery about using smaller retailers. Unfortunately, says Krebs “Most e-commerce firms do not have the resources to keep out hackers. The biggest ones do, but smaller firms tend to rely on shopping cart software, which is a big sign for me to run away.”