From ATOs to SMS Pumping: eCommerce Cybersecurity Trends

February 13, 2023 | 7 min Read

As enterprises continue to navigate and realize their digital transformations, eCommerce offerings have become more important than ever. Consumers now expect a seamless, digital-first experience when it comes to shopping for products and services. Additionally, online shopping, once accessible only on websites, is increasingly popular on mobile devices through apps, which puts instant purchasing power in the hands of everyone with a smartphone. 

While these changes provide consumers with more shopping options than ever before, multiple user endpoints expand the attack surface. Cybercriminals know that apps and websites contain customer data and credit card information and actively work to steal this information for malicious and fraudulent purposes. 

In this blog, we’ll discuss how hackers and cybercriminals work to take advantage of vulnerabilities inherent in the eCommerce industry, and how the right solution will not only mitigate these vulnerabilities and protect customer data from breaches, but maximize an enterprise’s ROI as well. 

Why eCommerce is an Attractive Target to Attackers

While much eCommerce growth occurred as a result of the pandemic, online shopping for goods and services is here to stay. Consumers vote with their wallets and choose a cashless eCommerce experience that gives them flexibility and convenience. Another important trend is the delivery of eCommerce through mobile devices. In fact, mobile commerce makes up almost 73% of total eCommerce sales.

The growth of eCommerce options is a double-edged sword, however. As more enterprises provide online services through website browsers and apps, the attack surface increases. This provides hackers, cybercriminals, and fraudsters more opportunities to steal valuable information, like credit card data, from enterprises by taking advantage of inherent vulnerabilities in e-commerce shopping experiences. 

Take, for example, the popularity of mobile commerce. Forty-two percent of organizations report that mobile device and web app vulnerabilities have directly led to a security incident.

The fact of the matter is that eCommerce remains an attractive target to attackers not only because of the large attack surface, but because of the vast amount of valuable data they can steal and turn into profit. Think about your own eCommerce shopping experiences. What data do you often disclose to create an account or upon checkout? For many, the following information is necessary and is housed on an eCommerce site’s server:

  • Credit card numbers, including the security code
  • Direct deposit information (bank account and routing numbers)
  • E-mail address
  • First and last name
  • Home address
  • Login information (username and password)

Every one of those pieces of information is valuable to a cybercriminal, and strong data security has become an imperative for cybersecurity professionals charged with protecting their enterprises from attackers. 

While protecting credit card information rightfully gets the bulk of the attention, including through PCI DSS (Payment Card Industry Data Security Standard), the fact is that cybercriminals can turn a profit with a variety of consumer data they can uncover on an eCommerce site. Cybercriminals can use this data, even seemingly innocuous data points like a first name, to steal a consumer’s online identity and either sell it for a profit or use these data “breadcrumbs” as part of a more sophisticated attack.

Making matters more complicated is that cybercriminals will often lurk in account creation or user login flows to steal data in transit. Attackers also have a variety of tools at their disposal to accomplish this, especially with the advent of cybercrime-as-a-service (CaaS) in which would-be cybercriminals can purchase solutions, like automated bots and phishing toolkits, on the market that enable them to commit crimes. 

Three Common Cybercriminal Tactics 

Cybercriminals are constantly looking for a way to make a profit, and their attacks often reflect this reality. They will usually take the path of least resistance to maximize the return on their investment of both time and money. Below are three common tactics that we have seen, and while they can be used across industries, including telecom and banking, they can have a massive impact on an eCommerce enterprise’s bottom line and hard-earned reputation if carried out successfully.

Account takeovers (ATOs)

After a data breach, cybercriminals will often use leaked credentials and personal data as an opportunity to commit ATOs for monetary gain. Hackers want to gain access to user accounts, not only due to the sensitive data and financial information that they can steal, but also because they can use a hijacked account to commit other crimes like money laundering. The fact is that ATOs have become lucrative for cybercriminals and can cost businesses up to $4 billion in losses. 

For more information on ATOs, including some best practices on how to mitigate them, be sure to read our free eBook below.

Credential stuffing

Credential stuffing is viewed as a subset of ATOs. Like ATOs, the ultimate goal is to gain access to a user account and drain it of funds, steal data, or leverage the account to sell on the dark web or commit other crimes and financial fraud. Oftentimes cybercriminals will utilize automated bots to conduct credential stuffing attacks at scale while trying different combinations of login credentials, including email addresses, to gain access to an account. 
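
From the defender's side, the pattern described above (one automated source cycling through many different accounts, mostly failing) can be picked out of login logs. The following is an added example, not Arkose Labs code; the event fields, thresholds, IP addresses and accounts are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune against your own login traffic.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5
MIN_FAILURE_RATIO = 0.8

def detect_credential_stuffing(events):
    """events: time-ordered (iso_timestamp, source_ip, username, success) tuples.
    Returns {source_ip: timestamp at which it first crossed both thresholds}."""
    recent = defaultdict(deque)  # source_ip -> attempts inside the sliding window
    flagged = {}
    for ts, ip, user, ok in events:
        now = datetime.fromisoformat(ts)
        window = recent[ip]
        window.append((now, user.lower(), ok))
        while now - window[0][0] > WINDOW:  # expire old attempts
            window.popleft()
        users = {u for _, u, _ in window}
        failures = sum(1 for _, _, s in window if not s)
        # Many different accounts plus mostly failures is the stuffing pattern;
        # repeated failures on one account or a busy shared IP do not match.
        if (ip not in flagged and len(users) >= MIN_DISTINCT_USERS
                and failures / len(window) >= MIN_FAILURE_RATIO):
            flagged[ip] = ts
    return flagged

def sample_events():
    """Constructed login events (documentation IP ranges, example.com accounts)."""
    t0 = datetime(2023, 2, 13, 9, 0, 0)
    at = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    events = []
    for i in range(6):
        # Automated source: six different accounts, one credential pair works.
        events.append((at(10 * i), "203.0.113.7", f"user{i}@example.com", i == 5))
        # Forgetful customer: same account retried, never succeeds.
        events.append((at(10 * i + 5), "198.51.100.20", "alice@example.com", False))
        # Shared office address: many accounts, almost all succeed.
        events.append((at(10 * i + 2), "192.0.2.10", f"staff{i}@example.com", i != 0))
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    for ip, ts in detect_credential_stuffing(sample_events()).items():
        print(f"possible credential stuffing from {ip}, threshold crossed at {ts}")
```

Only the first source is flagged; the single-account retries and the shared office address stay below one of the two thresholds.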

Did you know that Arkose Labs provides a $1 million credential stuffing warranty? This means that Arkose Labs will cover losses in the event of a successful attack.  

SMS pumping

More enterprises, regardless of industry, are relying on SMS text or voice messages as part of a strategy to secure user accounts. This is giving rise to a new threat called SMS pumping. SMS pumping, which is also referred to as International Revenue Sharing Fraud or SMS fraud, has become more popular as enterprises secure digital accounts using voice or SMS one-time passwords (OTPs). 

In this instance, attackers abuse multi-factor authentication for their own financial gain. Cybercriminals infiltrate a telecommunications operator’s network, or use rogue carriers, to redirect calls and texts to premium numbers. They then launch automated bot attacks on digital touchpoints that trigger fraudulent OTPs, each of which generates a transaction fee for the cybercriminal. While these fees may be low when looked at individually, this type of fraud can cost enterprises big money when fraudsters conduct these attacks at scale.
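
A monitoring check for this pattern compares, per destination number range, how many OTPs were sent against how many were actually verified. The following is an added example, not Arkose Labs code; the event format, prefix length, thresholds and phone numbers are assumptions constructed for illustration.

```python
from collections import Counter

# Assumed parameters for illustration; tune per market and traffic volume.
PREFIX_LEN = 8        # leading characters of the E.164 number treated as one range
MIN_SENDS = 5         # ignore ranges with too little traffic to judge
MAX_CONVERSION = 0.1  # flag ranges where at most 10% of sent codes are verified

def detect_sms_pumping(otp_events):
    """otp_events: (kind, phone) tuples for one reporting period, where kind is
    'sent' (OTP dispatched) or 'verified' (user submitted the correct code).
    Returns [(prefix, sends, conversion)] for suspicious ranges, busiest first."""
    sends, verified = Counter(), Counter()
    for kind, phone in otp_events:
        prefix = phone[:PREFIX_LEN]
        if kind == "sent":
            sends[prefix] += 1
        elif kind == "verified":
            verified[prefix] += 1
    suspicious = []
    for prefix, count in sends.items():
        conversion = verified[prefix] / count
        # The fee is earned when the message is sent, so pumped codes are
        # never entered and the range's conversion stays near zero.
        if count >= MIN_SENDS and conversion <= MAX_CONVERSION:
            suspicious.append((prefix, count, conversion))
    return sorted(suspicious, key=lambda r: r[1], reverse=True)

def sample_otp_events():
    """Constructed events; the +999 range is a placeholder, not a real allocation."""
    events = []
    for i in range(8):   # burst to sequential numbers in one range, none verified
        events.append(("sent", f"+9990000100{i}"))
    for i in range(6):   # ordinary customers in one area code, most verify
        events.append(("sent", f"+1202555010{i}"))
        if i != 0:
            events.append(("verified", f"+1202555010{i}"))
    for i in range(2):   # low-volume range with no verifications yet
        events.append(("sent", f"+44207946000{i}"))
    return events

if __name__ == "__main__":
    for prefix, count, conversion in detect_sms_pumping(sample_otp_events()):
        print(f"range {prefix}*: {count} OTPs sent, {conversion:.0%} verified")
```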

How Arkose Labs Secures Your eCommerce Endpoints

The goal of eCommerce security is to protect the information that is exchanged between the customer and the company. A data-security strategy with real-time bot mitigation can be a key differentiator for eCommerce enterprises. Fortunately, there are security measures that you can take. While providing a frictionless, yet secure, customer experience may seem challenging, there are solutions like the ones provided by Arkose Labs that deliver just that while protecting against a multitude of cyber threats.

Cybercriminals commit attacks against e-commerce sites for a financial reward. At Arkose Labs, we raise the stakes for cybercriminals by making fraudsters invest more time and money into their attacks, eventually making them reach a tipping point where an attack is no longer profitable. 

What makes Arkose Labs a great solution for eCommerce enterprises is that while non-human or malicious users will be presented with increasingly difficult Arkose MatchKey challenges that frustrate their attacks, most good users will experience little to no friction while conducting business on your site. 

To learn more about how Arkose Labs can partner with you to secure your e-commerce enterprise from automated security threats like bots, while maximizing your savings and detecting fraud, book a demo with us today. 

Trusted by Global Brands

With 20% of customers being Fortune 500 companies, Arkose Labs protects the world’s leading enterprises in major industries such as financial services, e-commerce, travel, technology, and telecommunications.