New York Post

HOLIDAY HOAXES

Massive breach set to hit retail accounts

- By LISA FICKENSCHER lfickenscher@nypost.com

The Equifax hack is threatening to create a massive holiday headache for shoppers and retailers alike.

The trove of personal data from 143 million Americans that got exposed at the credit-monitoring giant is a gold mine for criminals, who can use it to break into the checkout profiles shoppers have created on retail sites, security experts say.

That’s because one particular brand of cybercrime against shopping sites, called “account takeover,” thrives on exactly the kind of data that’s been spilled at Equifax — namely, shoppers’ names, e-mail addresses, credit card information and preferences.

“Consumers tend to use the same e-mail and password for all of their accounts, and fraudsters are running millions of bots on those accounts to try to log in as the consumer,” said Michael Reitblat, chief executive of Forter, a fraud protection service. “If you have any credit cards on file or loyalty points, they can monetize them.”

Earlier this year, Toys ‘R’ Us locked 4,000 of its online customers out of their accounts and told them to reset their passwords after the retailer saw unusual activity on the accounts — an indication that someone was trying to access them in multiple ways, said a cybersecurity expert at Toys ‘R’ Us who asked not to be identified.

“Every Web site is being bombarded by bot attacks,” said the security executive. “What they’ll do is take 10 million stolen e-mails and passwords to see which accounts will let them in, and then they’ll change a customer’s e-mail account so they don’t know they’ve been hacked.”

To make matters worse, most retailers won’t notice a problem until customers call to complain about charges on their account that they didn’t make.

Sometimes, shoppers are forced to eat the cost if they don’t notice the charge quickly. But retailers typically bear the brunt of the scams as they’re forced to refund customers.

“I’m worried that we will be losing money and spending time fighting fraud instead of selling clothes,” Ovadia Labaton, vice president of strategy at Kidbox, a subscription clothing service, said at a recent panel discussion on retail fraud.

Typically, a cybercriminal uses hacked information to pose as a customer at his or her favorite store and make charges against that person’s account. Over the last six weeks, Forter has seen a spike in account takeover incidents that are likely a result of the Equifax data breach, according to Reitblat.

The rich Equifax data that are now in hackers’ hands make it especially easy for fraudsters to decipher consumers’ passwords because most people use family members’ names, birthdays and phone numbers — all basic information that’s frequently contained in the Equifax reports.

“Retailers usually don’t have good authentication technology, and consumers make it easier for the fraudsters by using the same combination of e-mail and passwords,” according to Reitblat.
