Retailers Push Mobile Holiday Shopping as Cyber Criminals Capitalize on App Insecurity

The COVID-19 pandemic has revved up again as the weather gets colder in the Northern Hemisphere and many countries wait for a vaccine to be approved and distributed. In many U.S. states, there has been another major wave of lockdowns and restrictions put into place.

For retailers with a brick-and-mortar presence, this means, to garner holiday sales, they need to be thinking online-first. Many retailers have recognized the enormous potential of mobile apps and mobile shopping to drive revenue while allowing consumers to purchase holiday gifts safely.

But while it may be safer from a public health perspective to shop from the comfort of one’s home, that doesn’t mean it’s safer from a privacy and security perspective. In fact, cybercriminals have seen opportunity amidst the pandemic to take advantage of the increase in mobile app usage. Already in the first week of November of this year, illegal credit card usage was up 110%, and the number of stolen credit card user credentials for sale on the Dark Web was up 290% the same week.

For retailers who want to balance their short-term revenue needs with the long-term need to maintain customer trust, the 2020 holiday season brings unprecedented challenges. Here’s what we know about retail apps when it comes to security and some recommendations for tightening up security postures before it’s too late.

Why criminals target retail mobile apps

Mobile shopping has been increasing for a while, with growth expected to continue for the foreseeable future. In fact, by 2024, around 187.5 million people in the U.S. will have made at least one mobile purchase, whether via browser or app. Already as of 2020, mobile buyers account for 60.9% of the U.S. population.

The global pandemic has only intensified the usage of mobile e-commerce (a.k.a. m-commerce). Buyers are using their phones to schedule pick-up curbside or have items delivered, aiming to avoid the risks of in-person shopping. For consumers, this is convenience. For criminals, this is opportunity.

Retail apps handle sensitive customer data like credit card numbers, personally identifiable information, contact details, and purchase history, making them a high-value target for criminals looking to exploit and sell this data. The apps are also appealing targets for competitive threats as the retail landscape grows ever more fierce.

The unfortunate truth: Retail apps are highly insecure

Unfortunately, history has shown that retailers are often less concerned about the security protections of mobile apps and more focused on user experience and pushing apps and app updates out quickly to collect revenue.

To better understand what’s going on here, in September of 2020, my team conducted an analysis of more than 50 of the top Android retail mobile apps. Of the apps we analyzed, 14% belonged to companies who had filed for bankruptcy. Those apps were consistently less protected than their competitors who have not filed for bankruptcy: 43% of apps in the bankruptcy category had zero runtime application self-protection or code hardening in place, compared to 22% overall who lacked these key protections.

Another report found that of 250 popular Android mobile apps, including those of retailers, 70% leaked sensitive personal data. Retail apps were in fact the worst offenders, with 82% of brick and mortar retail apps actively leaking sensitive data and 92% of online retail apps doing so.

Clearly, there’s a major problem at hand—one that will only be exacerbated while holiday shopping kicks into high gear.

How to spot fake retail mobile apps

There are two sides to this coin. For consumers, it’s all about protecting yourself from active threats and not falling prey to criminals’ schemes. One common threat in the world of mobile retail is the fake app.

Fake apps have grown in lockstep with the increase in mobile shopping. Research showed that, during the 2018 holiday season, 54% of orders were placed via smartphones. Alongside that growth, we saw a 6x increase in fake mobile apps over just six months. This means retail brands and consumers need to be more vigilant than ever.

So how can you spot fake retail mobile apps? Often they contain suspicious anomalies. For example, an app may have very few reviews or a lot of five-star reviews with barely any content. The app publisher’s name may also be slightly different from the official company’s name. The publish date is also likely to be fairly recent, and there may be spelling errors. Fake apps also commonly use “Black Friday” or similar in their titles, as hackers know shoppers looking for a deal make for better targets.

Finally, keep in mind that, while staying off third-party, non-official app stores is a good way to avoid many fake apps, the official app stores (including the Google Play Store and Apple App Store) have also been known to carry copycats that harbor malware, adware, and trojans. In other words, just because you downloaded it from somewhere legit doesn’t mean the app is safe. So when you’re making that list and checking it twice, make sure you also check retail mobile apps twice before downloading.
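For a retailer's brand-protection team, the warning signs above can be turned into a first-pass triage of store listings that use the brand's name. The sketch below is an added example, not code from the article or from any vendor; the `Listing` fields, the thresholds, the "cyber monday" term and the sample listings are all assumptions made for illustration, and the spelling-error sign is left out because it needs a dictionary.

```python
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher

# Assumed thresholds; the article names the warning signs but gives no numbers.
MIN_REVIEWS = 50          # fewer than this counts as "very few reviews"
HOLLOW_WORDS = 3          # a five-star review this short has "barely any content"
RECENT_DAYS = 90          # published within this window counts as "fairly recent"
LOOKALIKE_RATIO = 0.8     # publisher name close to, but not equal to, the official one
LURE_TERMS = ("black friday", "cyber monday")  # "cyber monday" is an assumed "similar" term

@dataclass
class Listing:
    title: str
    publisher: str
    published: date
    reviews: list  # (stars, text) tuples

def red_flags(listing, official_publisher, today):
    """Return the article's warning signs present in one store listing."""
    flags = []
    reviews = listing.reviews
    if len(reviews) < MIN_REVIEWS:
        flags.append("few_reviews")
    hollow = [r for r in reviews if r[0] == 5 and len(r[1].split()) <= HOLLOW_WORDS]
    if reviews and len(hollow) / len(reviews) > 0.5:
        flags.append("hollow_five_star_reviews")
    seen, official = listing.publisher.casefold().strip(), official_publisher.casefold().strip()
    if seen != official and SequenceMatcher(None, seen, official).ratio() >= LOOKALIKE_RATIO:
        flags.append("lookalike_publisher")
    if (today - listing.published).days <= RECENT_DAYS:
        flags.append("recently_published")
    if any(term in listing.title.casefold() for term in LURE_TERMS):
        flags.append("seasonal_lure_in_title")
    return flags

# Constructed sample listings (not real apps or publishers).
TODAY = date(2020, 11, 20)
OFFICIAL = "Example Retail Inc."
SAMPLES = [
    Listing("Example Retail", "Example Retail Inc.", date(2016, 3, 1),
            [(4, "Curbside pickup worked fine, checkout was quick")] * 120),
    Listing("Example Retail Black Friday Deals", "Examp1e Retail Inc", date(2020, 11, 10),
            [(5, "good"), (5, "nice app"), (5, "great"),
             (2, "asked for my card twice, then crashed")]),
]

if __name__ == "__main__":
    for app in SAMPLES:
        print(app.publisher, "->", red_flags(app, OFFICIAL, TODAY))
```

A listing that raises several flags at once is a candidate for manual review and a takedown request; any single flag on its own is weak evidence.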

What retailers can do to improve security and privacy protections

Of course, the burden should not be on consumers alone to protect themselves online. There’s a lot that retailers can do to avoid releasing insecure apps and even to prevent fake versions of their official apps from being created.

For starters, mobile app developers should always follow a secure software development lifecycle process when building and updating their applications.

In general, mobile apps require a layered approach to security. Developers should use code hardening to protect code at rest and runtime application self-protection (RASP) to protect apps in use. They should also employ mobile threat intelligence tools to understand when malicious actors are targeting apps. They should then aim to stop these attacks as quickly as possible through blocking or vulnerability management strategies. Many industry-standard best practices are well known and fairly straightforward to implement. Good places to start researching best practices include NIST and the OWASP Mobile Top 10 project.

The holiday season will be over and done before we know it, but any missteps when it comes to properly handling customers’ sensitive information could haunt retailers for months and years to come. It pays to do your due diligence when it comes to securing mobile apps, as this is the best path to both capitalize on consumer spending around the holidays and maintain valuable trust for the future.

 

Chief Scientist at Guardsquare