5 tips for being proactive with cyber risk management - AiConnects.us

Ai Editorial

12th November, 2021

There is a data breach every hour now. Are such cyber attacks inevitable? Have all passwords been compromised?

Merchants have no option but to prepare and act to the best of their capacity. What matters is how they assess vulnerable areas. And if a cyber attack does take place, how the fraud department responds and how customers are alerted about it is going to be of importance.

Five recommendations:

  • Assessment of digital assets – Travel merchants need to be wary of vulnerable authentication methods and must look into issues even though their digital assets are seemingly well-protected. Even if the website and app are well-protected, the questions one must look into are: How do you protect customers when you do not have control over the devices they use? How do you track risky user behaviour?
  • Testing of IT setup/data infrastructure – The significance of evaluating where data resides, and how an organization can end up suffering because of it, can’t be underestimated.

Speaking during The Loyalty Security Association’s LSA Fall Conference 2021, Nicola Gandy, Director, Azacus.io, referred to penetration testing. It is a series of simulated, scheduled cyberattacks that help to detect, identify and exploit weaknesses within any aspect of a business that faces the internet. Areas to focus on include web application testing, external infrastructure testing, cloud auditing, vulnerabilities in infrastructure and the Internet footprint of an organization.

  • Internal Fraud – Another area that has been discussed during Ai’s sessions is related to internal fraud. Certain illegitimate activity is being triggered by remote workers. Point to remember: one cannot misuse or leak what they don’t have access to. So either limit access by default or control the size of the potential leak. Limit employee access to all loyalty program data on a strictly need-to-know basis.
  • Credential checking – According to Threat Status’ Jon Inns, it is imperative for companies to work on real-time vulnerable credential checking services. He stated that the company has worked out a mechanism to evaluate whether a particular username and password combination input by customers has been leaked on criminal forums. “By comparing it with the information already in Arc (credential stuffing protection offering), a merchant gets to know whether an account is vulnerable and accordingly protect the customer account (for instance, their loyalty currency),” said Inns.
  • As is quite often the case, the big picture regarding fraud isn’t visible to those who matter. Vanessa Horwell, CSO, ThinkInk PR, recommended that organizations assess whether a process and policy are in place for when the fraud team gets to know there is an issue with customer data. Make sure the issue is communicated to the relevant team so that apt measures can be taken, including getting in touch with customers before it is too late.

 

Decentralized infrastructure, user data and fraud – what to expect?

Companies need to ensure they are on top of their game when it comes to counting on multi-layered defence, featuring real-time intelligence, detection engines etc., to combat data breaches. If they are not prepared, they will have to bear fines and penalties, in addition to their reputation taking a beating. Chris Kameir, Managing Partner, Sustany Capital, highlighted how companies of Facebook, Amazon and Google’s stature, too, have been at the receiving end and paid “digital abuse” fines.

Kameir added that blockchain technology is building the Internet, removing centralized, single-point-of-failure infrastructure in favour of decentralized solutions. He spoke about Web 2.0, which is inherently centralized, versus the Web 3.0 browser, which is more about a personalised browsing experience and interconnects all the data in a decentralised way. It is being highlighted that blockchain, in conjunction with headway in machine learning and the Internet of Things (IoT), is set to play a vital role in the evolution of the Internet.

By Ritesh Gupta

Ai Team
