Don’t Go Phishing at Walmart

Although recently overtaken by Chinese e-commerce juggernaut Alibaba as the largest retailer on Earth, Walmart still wears a massive target on its back for fraud-driven hackers, as evidenced by a new phishing scheme that looks at first glance to be unusually sophisticated.Blog-WalmartPhishing

While no stranger to these types of attacks, with large-scale identity theft attempts happening regularly — including a “voucher” scam in 2014, and another rather crude attempt in 2013, this attack is particularly troubling.

This type of phishing incident is actually quite common, with criminals usually using a disguised hyperlink to trick consumers into entering sensitive information such as passwords, credit card numbers or social security numbers into an external site unrelated to the supposed sender. In this case, however, the originating emails come from a legitimate Walmart.com “customer service” address, and arrive in the form of a password reset message. One customer received 1,088 emails in a single hour!

The thing about password reset flows is that they are backend processes, usually automatically initiated by a business’ identity management system when a consumer or employee requests a reset, or if a security threshold has been passed (i.e., too many login attempts). This means that whoever is responsible for this phishing attempt managed to gain access to what is normally a very secure part of Walmart’s digital infrastructure.

While it’s unclear exactly how this hack works at the time of this writing, the attack illustrates two important things about the current state of cybersecurity for large, customer-facing enterprises:

  1. Username and password processes are inherently insecure, since criminals can prey on the relative ignorance of individual consumers who may have a degree of unfounded trust in a familiar process.
  2. Any business, no matter the scale or complexity of their digital ecosystem, is vulnerable to inventive hackers, and in most cases the largest companies are actually the most at-risk.

For now, the best bet for Walmart customers is to change their passwords (again) and keep a close eye on their bank accounts. For the future, however, forward-looking brands would be wise to consider new ways of thinking about how to register and authenticate users. The rise of biometric technology for payments is a promising start, but there will undoubtedly be countless new innovations in the never-ending arms race against identity-focused fraudsters.

To learn more about next-generation authentication, see the results of our recent survey on passwords.

By David Kerin