4. Threat Intelligence
Following a successful attack, attackers will often share or sell customer account data they have stolen
or customer login credentials they have validated. Many third-party threat intelligence firms offer services
that monitor online messaging channels and forums for signs of a company’s compromised credentials or
accounts. Four of the companies the OAG contacted reported they used a threat intelligence company to
monitor the Internet for signs that customer accounts have been compromised.
C. Preventing Fraud and Misuse of Customer Information
Every business should have effective safeguards in place for preventing an attacker with access to a customer account from making a fraudulent purchase using stored payment information or stealing customer funds.
Most Effective Safeguard
1. Re-authentication at the Time of Purchase
One of the most effective safeguards for preventing attackers from fraudulently using customers’ stored payment information is re-authentication at the time of purchase. For certain payment methods, like credit cards, companies typically re-authenticate the stored payment information itself. For example, online merchants frequently require customers to re-enter the credit card number or CVV code when an order is placed to a new address using a stored credit card. For other payment methods, including gift cards, store credit, and loyalty points, companies often re-authenticate the customer. For example, one restaurant chain sends its customers an authentication code when a customer uses loyalty points to place an order to a store location the customer has not previously visited. The customer must then enter the authentication code to complete the order.
Critically, businesses should require re-authentication for every method of payment they accept. The OAG
encountered case after case in which attackers were able to exploit gaps in merchants’ fraud protections by
making a purchase using a payment method that did not require re-authentication.
Practice Tip
One tactic that attackers used at several of the companies the OAG contacted illustrates the importance of securing every method of payment.
At these companies, orders placed to a new address would require re-authentication if the customer paid using a stored credit card, but not if the customer used store credit. The OAG found that attackers that gained access to a customer account would initially place an order to an existing address using the customer’s stored credit card. The attackers would then immediately cancel the order, obtain a refund in store credit, and place a new order to a new address using the just-issued store credit without completing any re-authentication.
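The following is an added illustration, not code from the OAG guide or from any merchant it describes: a checkout step-up policy with the gap the Practice Tip above describes beside a hardened version that covers every payment method, plus a simple detector for the cancel-refund-reorder sequence. Account names, addresses, event timestamps and the 30-minute window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data (hypothetical): one account with a single
# previously used shipping address.
KNOWN_ADDRESSES = {"acct-1": {"123 Main St"}}

@dataclass
class Order:
    account: str
    ship_to: str
    method: str   # "card", "store_credit", "gift_card", "loyalty"

def is_new_address(order: Order) -> bool:
    return order.ship_to not in KNOWN_ADDRESSES.get(order.account, set())

def weak_requires_reauth(order: Order) -> bool:
    """The gap the OAG describes: only stored-card orders to a new
    address trigger re-authentication; store credit goes through."""
    return is_new_address(order) and order.method == "card"

def hardened_requires_reauth(order: Order) -> bool:
    """Every payment method triggers re-authentication for a new address."""
    return is_new_address(order)

def detect_refund_pivot(events, window=timedelta(minutes=30)):
    """Flag accounts where a refund issued as store credit is followed,
    within `window`, by a store-credit order to a never-used address.
    `events` are (time, account, kind, order_or_None) tuples with kind
    'refund_store_credit' or 'order'."""
    last_refund, flagged = {}, []
    for when, account, kind, order in sorted(events, key=lambda e: e[0]):
        if kind == "refund_store_credit":
            last_refund[account] = when
        elif kind == "order" and order.method == "store_credit":
            t = last_refund.get(account)
            if t is not None and when - t <= window and is_new_address(order):
                flagged.append(account)
    return flagged

# Constructed event sequence mirroring the Practice Tip: card order to the
# known address, immediate cancel/refund to store credit, then a store-credit
# order to an address the account has never shipped to.
T0 = datetime(2024, 1, 1, 12, 0)
ATTACK_EVENTS = [
    (T0, "acct-1", "order", Order("acct-1", "123 Main St", "card")),
    (T0 + timedelta(minutes=2), "acct-1", "refund_store_credit", None),
    (T0 + timedelta(minutes=5), "acct-1", "order",
     Order("acct-1", "9 Elsewhere Rd", "store_credit")),
]
```

Under the weak policy the final store-credit order to a new address needs no re-authentication; the hardened policy requires it, and the detector flags the account.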