Among other threat vectors, formjacking has emerged as a serious blow to businesses that depend on online shopping and payment. If you have not started watching out for this new Houdini, you are already late.
The guest gets out of a nice car, swivels a swanky fob of keys on a finger and approaches a well-dressed valet. The smiling attendant takes down a few details and walks off with the car keys. Only to vanish into thin air!
It hurts if you are the car owner, but it aches more and deeper if you run that swish hotel that the guest confidently walked into. Your hospitality arrangements were just trying to make the process easy, swift and smooth for a guest. Alas, who could have thought that these very services would cost you a customer’s trust, bring bad PR and, consequently, lose you revenue?
The irony of ensuring frictionless customer experiences, which cause unexpected wreckage in the form of fraud, belongs to a ‘form’ today. Yes, a new fraud valet has already made many organizations suffer. Let’s see how and where:
Formjacking – How and How Much?
This is how it works: an attacker injects a malicious script or look-alike elements into the targeted web page, so that when the user loads this page and proceeds to shop or make a payment, the form that comes up works as the real con man. The user innocently enters information that s/he supposes is going only to the merchant. But what actually happens is that this payment data falls right into the lap of the attacker. The payment gate and the checkout desk, in other words, become new points of vulnerability.
More Thieves on Their Way
There is more to the problem than what appears on the surface. While identity fraud may have been shrinking 15% annually to 14.4 million US adults in 2018 (as per Javelin's 2019 Identity Fraud Study), and while EMV (Europay, MasterCard, Visa) and POS (Point of Sale) card fraud may be flattening out, attackers are galvanizing forces around other vulnerable points like e-commerce and digital channels. These avenues now make up two-thirds of all payment fraud. This is a nightmare in the making because adoption and traction of digital means are only going to proliferate further.
Consider what Experian’s report ‘The 2018 Global Fraud and Identity Report’ highlighted: there is a surge in digital commerce as a way to purchase goods and services (90%).
And now the killer catch. As many as four out of five consumers trust that businesses are taking care of the protection of their personal information. This is quite a contrast when the same study shows 72% of businesses citing fraud as a growing concern over the past 12 months.
Time to bell the bell-boy
The scariest part about formjacking is that it can go unnoticed by victims for a long time, as seen in the Ticketmaster case. What enterprises need is a proactive stance, along with attention to areas like:
- Continuous and sharper testing of new updates, in small test environments or sandboxes for early detection of any fishy behavior
- Readiness and wherewithal in picking up patterns and watching third-party updates with a fine-toothed comb. Time for Artificial Intelligence and smarter analytics
- Attention to the human role and amplified vigilance and monitoring
- Collaboration among the payment-ecosystem players
- Augmented security, anti-fraud and data protection policies
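One way to act on the first two points above, as an added example that is not from the original article: a check, run in a test environment before an update goes live, that compares every script on a checkout page against a reviewed baseline. The URLs, baseline and sample page are constructed, and the class and function names are hypothetical.

```python
import base64
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Records [src, integrity, inline body] for each <script> tag."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append([a.get("src"), a.get("integrity"), ""])
            self._inline = self.scripts[-1] if a.get("src") is None else None
    def handle_data(self, data):
        if self._inline is not None:
            self._inline[2] += data  # inline body may arrive in chunks
    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = None

def sri(data: bytes) -> str:
    # Subresource Integrity value, as used in <script integrity="...">
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()

def audit_checkout(html, baseline, inline_allowed=frozenset()):
    """Return (finding, detail) pairs for scripts outside the reviewed baseline."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity, body in parser.scripts:
        if src is None:  # inline script: compare its hash to the reviewed set
            if sri(body.encode()) not in inline_allowed:
                findings.append(("unreviewed-inline", body.strip()[:40]))
        elif src not in baseline:
            findings.append(("unknown-source", src))
        elif integrity is None:
            findings.append(("missing-integrity", src))
        elif integrity != baseline[src]:
            findings.append(("hash-changed", src))
    return findings

PAY_JS = b"function pay(){}"  # constructed sample: the reviewed script body
BASELINE = {"https://cdn.example/pay.js": sri(PAY_JS)}
SAMPLE = (  # constructed checkout page after a third-party update
    '<script src="https://cdn.example/pay.js" integrity="%s"></script>'
    '<script src="https://cdn.example/chat.js"></script>'
    '<script>console.log("widget loaded")</script>'
) % sri(PAY_JS)
print(audit_checkout(SAMPLE, BASELINE))
```

The check reads the integrity attribute declared in the page; the browser is what enforces that hash when the script loads.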
IBM’s team of researchers and practitioners is working passionately on these areas. The nail to hit squarely here is the paradox between customer experience and payment security. Making the whole process fast and friction-free should not open cracks that allow formjackers to gather steam and speed. That is what is keeping IBM busy working hard on areas of collaborative defense and deeper security foundations.
It’s tough: park your customers fast, but park them safe too. The key is preparedness.