Asia’s online retailers urged to beef up measures to safeguard customer data

Online merchants in the Asia-Pacific’s e-commerce market are being urged to shore up their protection of consumer data amid a rising tide of cyberattacks.

Transactions being made on various online retail platforms across the region need to be safeguarded from increased attacks used for identity theft, as well as for validating and augmenting credentials of stolen identity to perpetrate even more online fraud, according to cybersecurity experts.

“Small retailers can get compromised very easily, as sometimes even the user names and passwords [of their customers] are not encrypted,” said Bryce Boland, the Asia-Pacific chief technology officer at US cybersecurity company FireEye.

These retailers would be not aware that they had been breached, as cybercriminals tend to leave little evidence behind, Boland said. So the breach may only be discovered after the stolen data is used against the retailer in a fraudulent transaction, tarnishing the reputation of the business.

“Many merchants’ focus is often not on security, it’s on how they can maximise their return on investment, their margins,” he said. “But as fraud levels go up, so do credit card transaction processing fees which can eat into the margins of retailers.”

A recent report by security firm ThreatMetrix, which provides online authentication services, found 11.8 per cent of e-commerce transactions in Asia-Pacific are made up of fraudulent login attempts, as cybercriminals leverage patched-together stolen identities to carry out attacks on digital transactions.

Alisdair Faulkner, the chief products officer and co-founder of ThreatMetrix, said in December that e-commerce sites are often “sitting ducks” for such hackers, who compile “dossiers of information” for future use.

“With your identity, [hackers] could access your medical record, insurance, even your bank accounts. They could collect enough information, impersonate someone’s identity and apply for a loan at a bank … or commit tax fraud,” Faulkner said.

These cybercriminals are likely not to slow down any time soon since they have a fertile and rapidly growing territory for their attacks.

Online retail sales in Asia-Pacific are forecast to reach US$1.4 trillion by 2021, up 63 per cent from an estimated US$861 billion last year, according to data from Forrester Research.

Mainland China, the region’s largest online retail market, is forecast to record sales of more than US$1 trillion by 2021.

Nasdaq-listed cybersecurity specialist Fortinet, which was founded by Beijing-born entrepreneur Ken Xie, suggested that online retailers implement more authentication measures to prevent e-commerce fraud.

“Computer security experts agree that password-only authentication is no longer good enough, even if users make their passwords very complex,” said David Maciejak, the Singapore-based manager for Fortinet’s Fortiguard security services.

“We expect evolving technology to further reduce the friction of the authentication process. In the last few years, for example, various new authentication methods ... have emerged, including fingerprint scanners on smartphones and laptops, and facial recognition technology on embedded cameras.”

Many companies often choose to forego stronger security measures to make transactions more frictionless for customers, but such a mindset may backfire, according to Michael Gazeley, the managing director and co-founder of Hong Kong-based cybersecurity services company Network Box.

“When presented with a choice between perceived convenience and security, perceived convenience, historically, has almost always won. But with major data breaches now seemingly part of modern life, this has to change,” Gazeley said. “Maybe a better way to look at cybersecurity, is that, ultimately, it is a lot more convenient not to be compromised.”

FireEye’s Boland, meanwhile, pointed out that online retailers should refrain from collecting plenty of data from their users to minimise the damage of a cybersecurity breach.

“If you don’t need to collect data about people, don’t collect it. Because by collecting it, you are implicitly taking responsibility for protecting it,” Boland said. “As soon as it’s stolen or used or abused ... you’d have enabled a crime to take place.”