News roundup 5/6: Fraudsters target e-commerce, hackers find an ADP loophole, & more
By Sarah Beldo / 6 May 2016
By 2020, online payment fraud could be worth $25.6B
We’ve heard it (many times) before, but new findings from Juniper Research are raising warning bells again: the introduction of EMV in the U.S. is pushing more fraud online. A new study from the research firm claims that by the end of the decade, the value of fraudulent online transactions could double – from $10.7 billion to $25.6 billion. To put it another way, $4 out of every $1,000 will be fraud.
E-commerce retailers, we’re afraid the news isn’t pretty. Juniper predicts that eRetail will make up 65% of fraud by value, at $16.6 billion. E-gift cards are a particularly vulnerable area (sounds familiar – at Sift Science, many of our customers, like OpenTable, use us to prevent exactly this type of fraud). Meanwhile banking will make up 27% ($6.9 billion) of fraud by value in 2020, and airline ticketing will be at 6% ($1.5 billion).
Crafty fraudsters get a hold of ADP tax and salary data
There’s always a loophole, right? That’s what fraudsters and cybercriminals are banking on when they go in search of data they can exploit and resell. This time, hackers used a public-facing corporate ADP website – plus some handy personal data – to get a hold of tax and salary data, security researcher Brian Krebs reports.
So, what happened? Basically, ADP offers an external website to corporate clients – and employees access it for the first time using a special code. In the case of more than a dozen clients (including U.S. Bank), hackers got a hold of these codes, and then used them – in conjunction with personal information from other sources – to register as first-time users. They were then able to view and download W-2 forms.
For the record, ADP told CNN Money that “publishing unique registration codes to an unsecure website is not common practice.” The payroll company added, “ADP actively advises against this practice, notifies clients of the potential risks, and has temporarily disabled access to the registration portal for those clients that continue to publish company registration codes in this fashion.”
Cybersecurity? People are the problem
Speaking of which… technological advances can only do so much when it comes to cybersecurity. According to the Verizon 2016 Data Breach Investigations Report, the biggest vulnerability is good ol’ human nature.
First of all, the average company is not staying on top of fixing stuff. In fact, 85 percent of successful breaches resulted from the top 10 known vulnerabilities. Yikes. Another area where most folks continue to fall short is passwords – 63% of exploits could be traced to using weak, default, or stolen passwords.
Although ransomware was highlighted as a rising area of concern (up 16%), some tried-and-true methods of attack are gaining strength. For example, phishing. Despite multiple warnings about suspicious emails, Verizon reveals that recipients opened 30% of phishing messages they received – and 13% even clicked on the attached file or link. Surprised? There’s been more research lately suggesting that phishing isn’t just for fooling the n00bs or easily duped. Never let down your guard!