Bad Santa! When Hackers Steal Your Holidays

The holidays mean food, family, friends, gifts…and potential for cyber crime. As the holiday retail season nears its peak, consumers are scrambling to take advantage of Black Friday deals and put a dent in their shopping lists. This concentrated melee means abundant data will be available for criminals to exploit. Cybersecurity experts from global consulting and technology firm Booz Allen Hamilton have identified five ways cyber criminals will attempt to hijack the 2016 holidays.


'Tis the season … to disrupt sales

Consumer payment data is clearly a major concern during the holidays, but the prospect of sales disruptions will be bigger. We know from recent years that criminals have extorted organizations by threatening to knock them offline with distributed denial of service (DDoS) attacks. The likelihood of this impacting a major retailer during its peak months became very real in October when an Internet of Things (IoT) botnet caused disruptions at a major domain name system service provider and rendered many websites inaccessible on the east coast of the US and in Europe. Ransomware is another fashionable, disruption-based attack, and while the means is entirely different, the end is the same: block access to systems and demand payment to restore that access.

Cyber Grinches: Hackers will be more clever as they steal consumer data from payment terminals

The threat landscape is broad, and retailers have concerns beyond the payment terminal breaches that afflicted some large retailers in recent years. Given security updates around this particular part of the shopping experience, criminals may start stealing payment data from chip-enabled transactions in real time. This would be possible by renting access to compromised payment terminals, as the tokens that validate such transactions are short-lived.

Do you hear what I hear? Some big retailers are doing better

The wide adoption of technologies (like real-time transaction verification tools and payment data encryption) substantially decreases the likelihood that retail outlets will fall victim to mega breaches. However, there are many stragglers who haven’t yet adopted these vital new pieces of tech, so we may see smaller scale breaches grow.

Holiday cards with a message: With more online buying, card-not-present (i.e. digital) fraud will grow

Web-based attacks targeting card-not-present online transactions, which are not encrypted, will continue to be a vulnerability. Criminals could leverage email and SMS-based phishing attacks to steal payment data or login credentials — the latter of which could fuel account takeovers and fraudulent activity affecting retailers. As always, account takeover activity will certainly be exacerbated by consumer credential reuse and the plethora of usernames and passwords, gleaned from prior data breaches, available on the open and deep Web.

Similarly, malicious mobile applications masquerading as banking, retail, and payment services (known as “Trojans”) could further perpetuate malicious activity. These schemes, meant to trick users into giving up their information, will only grow in risk.

Grandma got run over by a scammer: Attackers will keep taking advantage of human error

The hectic holiday months provide unique opportunities for business email compromises (BEC). Scammers masquerade as business partners and dupe finance professionals into transferring funds into bank accounts controlled by the criminal. There is no reason to believe that retailers will be immune to this kind of attack, which capitalizes on human error.


Year-round mindfulness of cybersecurity attacks is important, but the holiday months provide particular chaos that malicious actors are sure to take advantage of. Retailers and shoppers must make concerted efforts to arm themselves with accurate, up-to-date information around cybersecurity to reduce risk and assure a safe holiday season.