GBQ recognizes that restaurant customers and restaurants are increasingly connected through digital channels such as websites and mobile applications. This is a story from the field: the company shared the incident they experienced anonymously, in the hope others might learn.


“We received our monthly statement from our processor like we always do. My accountant brought it to me and said it looked a little off. When I looked at it, the decimal point seemed to be in the wrong place. It was 10 times our normal statement amount! Certainly, a mistake. We called the processor and the statement was correct.”

This restaurant company relies heavily on online ordering revenue, serving customers throughout its geographic footprint. This had the potential to be devastating.

After investigating, the restaurant's eCommerce provider found that hackers had run a bot attack against the restaurant's online ordering website. During the attack, the bots attempted to work out the complete card data for stolen VISA credit cards. They did this by pushing hundreds of thousands of authorizations using varying combinations of credit card numbers, AVS and CVV codes.

This kind of attack is called an enumeration attack. An enumeration attack is a fraud attack in which criminals systematically submit transactions with enumerated values such as payment card primary account numbers (PANs), expiration dates and CVV codes. The goal is to test a set of stolen PANs against the other values in order to identify cards that can be used for other purposes. Typically these bot attacks are distributed and do not target only one eCommerce site.

The restaurant company does not actually incur a direct loss. Nothing is ordered for delivery. If the card becomes authorized, the hacker has succeeded, and the cardholder will most likely be victimized in a separate illegal transaction.

But indirectly the impact can be huge, as this restaurant company discovered. Each authorization attempt generates a small processing fee from the eCommerce processor and from VISA. A few cents here or there may not seem like a big deal, but after hundreds of thousands of automated attempts the company found that it added up to a number large enough to leave a mark. “Of course, for each of those authorizations, we were charged a fee by VISA (and our eCommerce provider). Our total loss was close to $100,000.”

Under their contract with the eCommerce provider, every AVS/CVV validation attempt incurred a VISA pass-through fee. Those fees were multiplied by the total volume of these validation attempts.

In the end, our client negotiated a partial (but not complete) waiver of the VISA fees.

The company reflected on what they learned from the experience, reviewed their controls in place on their website, and made some improvements to protect against these attacks in the future.

Key takeaways and learning points

Items to consider to protect yourself from this type of bot attack:

  1. Read your payment card processing agreements closely. Identify all the fees associated with card transactions.
  2. Overall, preventing bot attacks requires a layered approach that includes implementing a variety of protective measures and monitoring the site for unusual activity. It is important to stay informed about the latest threats and to work with your payment providers and other experts to put the necessary protections in place.
  3. Coordinate with your web developer, POS provider, web hosting provider, marketing management, IT management and your security professionals to ensure controls are in place to prevent enumeration attacks.
  4. Routinely assess the vulnerability of your web and mobile apps. Vulnerability scanning and penetration testing can help find weaknesses before attackers do. If the applications are built and maintained by a third party, ask them for assurance that they operate securely. At a minimum, ask them to provide a copy of their SOC report and to certify that they perform routine vulnerability and penetration testing.
  5. Implement CAPTCHA. CAPTCHA, which by now we have all experienced, is a security measure that requires users to prove they are human by completing a task that is difficult for bots. This can help prevent bots from reaching the site and attempting to steal credit card data.
  6. Use rate limiting or throttling. Rate limiting is a technique that caps the number of requests that can be made to a site within a given time period. This helps prevent bot attacks that send a large volume of requests to the site.
  7. Ensure your POS provider monitors for unusual activity. It is important to monitor the site for unusual activity, such as a sudden increase in the number of requests or authorizations. This helps detect bot attacks early and stop them before they do too much damage.
  8. Implement fraud detection tools. Fraud detection tools can help identify suspicious activity on the site, such as multiple authorizations from the same IP address or unusual patterns of activity. These tools can help prevent fraudulent transactions from being processed.
  9. Implement geofencing. Geofencing uses location-based technology to strengthen the security measures protecting a website from fraud. Nobody on another continent is going to legitimately place an online order with your U.S. restaurant.

Consider the customer experience

The customer experience must be considered when choosing how to protect a site. This restaurant company made the following security upgrades to its website:

  • They turned on throttling, allowing at most 30 card validation requests per IP address per day. They chose 30 so that they could still accept multiple orders from large businesses, schools, hotels, etc. where multiple people during the day might place an order.
  • To prevent offshore attacks, they turned on IP geofencing, which checks the country of origin of the payment request and blocks requests from outside the U.S.
  • As some card testing happens from US-based IP addresses, they also added Google's Enterprise invisible CAPTCHA for web ordering and shared-secret authentication for the mobile ordering app.
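As an added illustration (not code from the article or from the restaurant's provider), the following Python sketch applies the first two controls above to a constructed log of card-validation requests: a U.S.-only geofence and a cap of 30 validations per IP address per day. The IP addresses, timestamps and APPROVED/DECLINED results are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

DAILY_CARD_VALIDATION_LIMIT = 30   # per source IP per day, the value the restaurant chose
ALLOWED_COUNTRIES = {"US"}         # geofence: payment requests from elsewhere are blocked

class CardValidationGate:
    """Applies the geofence first, then a per-IP daily cap on card validations."""
    def __init__(self, daily_limit=DAILY_CARD_VALIDATION_LIMIT, allowed=ALLOWED_COUNTRIES):
        self.daily_limit = daily_limit
        self.allowed = allowed
        self.counts = defaultdict(int)   # (ip, calendar day) -> validations allowed so far

    def check(self, ip, country, when):
        """Return 'allow', 'geoblock' or 'throttle' for one validation request.
        Geoblocked requests never reach the processor and never consume quota."""
        if country not in self.allowed:
            return "geoblock"
        key = (ip, when.date())
        if self.counts[key] >= self.daily_limit:
            return "throttle"
        self.counts[key] += 1
        return "allow"

# Constructed sample log, one validation request per line:
# "<ISO timestamp> <source IP> <GeoIP country> <processor result>"
SAMPLE_LOG = (
    [f"2023-05-01T02:{i:02d}:00 203.0.113.5 US DECLINED" for i in range(35)]  # card-testing bot on a US IP
    + [f"2023-05-01T03:0{i}:00 198.51.100.7 BR DECLINED" for i in range(5)]   # offshore bot
    + ["2023-05-01T12:10:00 192.0.2.44 US APPROVED",                           # ordinary customer
       "2023-05-01T18:45:00 192.0.2.44 US APPROVED"]
)

def replay(log_lines, gate):
    """Replay log lines through the gate; return per-IP decision counts."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        ts, ip, country, _result = line.split()
        summary[ip][gate.check(ip, country, datetime.fromisoformat(ts))] += 1
    return {ip: dict(decisions) for ip, decisions in summary.items()}

def blocked_attempts(summary):
    """Attempts that never reached the processor, i.e. per-attempt fees avoided."""
    return sum(d.get("geoblock", 0) + d.get("throttle", 0) for d in summary.values())

if __name__ == "__main__":
    result = replay(SAMPLE_LOG, CardValidationGate())
    print(result)                      # 203.0.113.5: 30 allowed, 5 throttled; 198.51.100.7: 5 geoblocked
    print(blocked_attempts(result))    # 10
```

Every blocked attempt is one fewer authorization sent to the processor, which is where the per-attempt fees in this story were incurred.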

Staying ahead of cybersecurity risks can be very difficult to do in today’s business environment; however, we must make the effort to understand the many different risks. Knowledge is power, and making sure you have the technical expertise available to design a plan that mitigates these risks will help everyone sleep better at night. If you have questions about this type of cybersecurity incident, or would like to learn more about the preparatory steps you can take, please reach out to Doug Davidson or your GBQ contact.
