It pays to be cautious in a world of online shopping and e-payments

TL:DR: With better connectivity and widespread mobile penetration, e-commerce is now a trillion-dollar global market. However, scammers and hackers are also cashing in on the lucrative trade. From building cybersecurity features into mobile apps to being wary of fraudulent QR codes, GovTech’s Mr Andrew Chong suggests ways to deter cybercrime.

Remember when shopping was an activity that involved leaving the house and lugging merchandise home? Now, with online shopping, you can simply browse and make payments online, and have your order sent straight to your doorstep. This convenience has led to a burgeoning e-commerce sector, accounting for approximately US$2.3 trillion in sales globally, according to an eMarketer report. But what is the true price of convenience when transacting online?

At the CyberSafe CyberReady conference on 20 September 2018, Mr Andrew Chong, principal cybersecurity specialist at the Government Technology Agency of Singapore (GovTech), described how hackers are taking advantage of the e-commerce and e-payments boom.

Defence in depth

With the arrival of smartphones, mobile e-commerce became wildly popular. In 2017, 58.9 percent of online sales were placed on mobile devices, and this number is expected to increase to 72.9 percent by 2021. As such, Mr Chong urged cybersecurity specialists to pay close attention to the security of mobile apps.

“While mobile apps have a very basic layer of security, it is not enough as to prevent intellectual property theft, malware infection, privacy information leakage and reverse engineering—where attackers reverse the security code to figure out how it works. There is also no closed-loop system to alert developers to attacks,” he said.

Hence, cybersecurity cannot be an afterthought when building mobile apps for e-commerce. Methods to monitor app activity and react to hacking attempts on the app must be built in during development, he advised.

Bad cookies and scripts

Mr Chong also noted that many people log in to e-commerce sites using their social media accounts. Often, these sites embed mobile cookies into users’ browsers. “When you log out of the e-commerce platform, you’re not logged out of your social media account, and compromised cookies on your browser could grant hackers access [to private information],” he said.

Another vulnerability lies in tag manager scripts—pieces of code that allow marketeers to track user behaviour on websites. “Marketeers can insert third-party scripts which may contain phishing codes, exposing credentials or sensitive information,” he explained, adding that these scripts may even make their way to login, password reset and transaction pages.

He warned cybersecurity specialists to look out for these corrupt third-party scripts and remove them wherever possible. For marketeers, he recommended that they have individual tag manager accounts rather than a shared one so that their actions are traceable, and any illicit activity can be detected more easily.

QR code quackery

Finally, on the e-payments front, Mr Chong highlighted the recent proliferation of fake quick response (QR) codes in China, citing attempts by hackers to phish or transmit malware via fake QR codes pasted over actual ones on shared bicycles, job postings and water bills.

“With online web tools, it is very easy to create QR codes nowadays. But with such ease comes cyber risks, as scammers can now create QR codes for nefarious means,” Mr Chong said. For example, fake QR codes could redirect users to phishing websites which are difficult to distinguish from legitimate ones.

Hence, consumers need to be vigilant when scanning QR codes, he added. Some measures to avoid falling victim to QR code fraud include using only the correct apps to make payments, as well as verifying the name of the merchant.

“There are many security controls put in place nowadays, but you can never be sure, as hackers and scammers are very creative,” he said.