Customers Of The Iconic At Risk Of Being Defrauded Due To Lack Of Payment Verification Measures

by Simona Badita | The Australian Business Journal | Jan 13, 2024

Online retailer The Iconic has failed to provide basic security measures to verify its customers’ payment details when placing an order, putting its 2.1 million customers at risk of being defrauded, cybersecurity experts say.

On Tuesday, The Iconic confirmed it had seen an increase in customer accounts being accessed by unauthorised users, resulting in fraudulent orders being made and leaving some customers thousands of dollars out of pocket.

The retailer said it had not suffered a data breach, but affected customers had been victims of a cyber attack known as “credential stuffing”, where the email address and password used for their account with The Iconic match those of accounts on other websites that have been accessed by hackers.

A spokesperson for the company told the ABC that unauthorised third parties who access customers’ accounts could not gain access to their card details.

However, the online retailer also confirmed that a transaction “may be made” as it does not require a customer to verify their CVC numbers (the three digits on the back of debit and credit cards) when placing an order if they have saved their payment details to their account.

Professor Richard Buckland, a cybersecurity expert at the University of New South Wales, told the ABC that the payment process used by The Iconic is not best practice, and makes it easier for customers to be defrauded if their accounts with the retailer are breached.

“Best practice, from a cybersecurity point of view, is to prove that the person is actually authorising the transaction right now … something like multi factor authentication, when you go to buy and you get a message to your phone, and you have to respond,” he said.

“That’s a good practice, not to just allow some sort of information that was gathered ages ago to authorise transactions on an ongoing basis.”

The easier it was for customers to make purchases online, Professor Buckland said, the easier it was for customers to be scammed.

“Anything that allows you to easily buy something with as few clicks and steps as possible, unfortunately, also makes you more vulnerable to being scammed or have your data stolen, because it makes it easier for the bad guy to buy something, too,” he said.

“Every bit of friction in the way, every bit of red tape protects you, but also slows you down.

“It’s not in any organisation’s interest for it to be hard for you to buy something, they like it to be as easy as possible.
