Customers of The Iconic at risk of being defrauded due to lack of payment verification measures
On Tuesday, The Iconic confirmed it had seen an increase in customer accounts being accessed by unauthorised users, resulting in fraudulent orders being made and leaving some customers thousands of dollars out of pocket.
The retailer said it had not suffered a data breach, but that affected customers had been victims of a cyber attack known as “credential stuffing”, in which the email address and password a customer uses for their account with The Iconic match credentials for accounts on other websites that have been accessed by hackers.
A spokesperson for the company told the ABC that unauthorised third parties who access customers’ accounts could not gain access to their card details.
However, the online retailer also confirmed that a transaction “may be made” because it does not require customers to verify their CVC number (the three digits on the back of debit and credit cards) when placing an order if they have saved their payment details to their account.
Professor Richard Buckland, a cybersecurity expert at the University of New South Wales, told the ABC that the payment process used by The Iconic is not best practice, and makes it easier for customers to be defrauded if their accounts with the retailer are breached.
“Best practice, from a cybersecurity point of view, is to prove that the person is actually authorising the transaction right now … something like multi-factor authentication, when you go to buy and you get a message to your phone, and you have to respond,” he said.
“That’s a good practice, not to just allow some sort of information that was gathered ages ago to authorise transactions on an ongoing basis.”
The easier it was for customers to make purchases online, Professor Buckland said, the easier it was for them to be scammed.
“Anything that allows you to easily buy something with as few clicks and steps as possible, unfortunately, also makes you more vulnerable to being scammed or have your data stolen, because it makes it easier for the bad guy to buy something, too,” he said.
“Every bit of friction in the way, every bit of red tape protects you, but also slows you down.
“It’s not in any organisation’s interest for it to be hard for you to buy something; they like it to be as easy as possible.
“The easier it is for you, the more of a red flag it is.”
In response to questions about their cybersecurity measures, a spokesperson for The Iconic told the ABC that the company does not hold card details in its systems.
“This information is stored with the third-party payment processors,” a spokesperson said in a statement.
The online retailer partnered with Stripe in 2021 to provide its payment infrastructure.
At the time, head of growth for Stripe’s Australia and New Zealand branch, Hayley Hopwood, said the partnership “enables The Iconic to capture more revenue by reducing transaction abandonment”.
The ABC contacted Stripe with a list of questions about the payment security options it offers its clients, including CVC verification.
A spokesperson for Stripe said the company does not comment publicly on individual users due to privacy.
Requiring CVC verification before a purchase, Professor Buckland said, allows banks to become aware of potentially fraudulent transactions after a set number of incorrect attempts, similar to how an ATM “swallows” a debit or credit card after too many incorrect PIN attempts.
However, he said that comes with its own potential security issues.
“That’s a great defence, but unfortunately [CVC numbers] can be stolen from inside,” he said.
“If you’re required to enter it during the purchase process, it can be checked. The problem is that malware on your system can grab it, so criminals can also get your CVC.
“[The] best practice there is [having] a dynamic CVC that changes every day or every couple of hours; even if it’s been stolen, they only have a short window where it can be used, and you don’t have to wait until your card expires to get a new one.”
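To make the two policies discussed above concrete (charging a saved card with no re-verification, versus the step-up and attempt-limiting that Professor Buckland describes), here is an added illustration written for this article; it is not code from The Iconic, Stripe or the ABC, and the session signals, the three-attempt lock threshold and the card data are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

MAX_CVC_FAILURES = 3  # assumed threshold; the article does not give a number


@dataclass
class Session:
    user: str
    mfa_verified: bool  # did this session complete a second factor?
    known_device: bool  # has this device been seen on the account before?


@dataclass
class StoredCard:
    last4: str
    locked: bool = False
    cvc_failures: int = 0


def weak_policy(session: Session, card: StoredCard) -> str:
    """The behaviour the article describes: a card saved to the account is
    charged with no re-verification, so a password alone (for example one
    obtained by credential stuffing) is enough to place an order."""
    return "approve"


def hardened_policy(session: Session, card: StoredCard,
                    cvc_ok: Optional[bool]) -> str:
    """Step-up: a saved card is charged only when the current session proves
    the buyer is present (MFA on a known device) or the CVC was re-entered
    and matched. Repeated CVC mismatches lock the stored card, mirroring an
    ATM retaining a card after too many wrong PINs."""
    if card.locked:
        return "deny:card_locked"
    if session.mfa_verified and session.known_device:
        return "approve"
    if cvc_ok is None:
        # Ask the buyer for the CVC or a second factor before charging.
        return "challenge"
    if cvc_ok:
        card.cvc_failures = 0
        return "approve"
    card.cvc_failures += 1
    if card.cvc_failures >= MAX_CVC_FAILURES:
        card.locked = True
        return "deny:card_locked"
    return "deny:cvc_mismatch"
```

Under `hardened_policy`, a fresh password-only login on an unknown device never reaches the processor without a challenge, and a card whose CVC has been guessed at three times stays locked even if the correct value is later supplied.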
‘Foreseeable’ and ‘easily preventable’
The Consumer Action Law Centre, a consumer advocacy group, said the fraudulent transaction issues some customers of The Iconic have experienced could have been avoided.
“The recent frauds involving The Iconic show the risks of ‘frictionless’ payments and failures in data security, resulting in criminals easily stealing from customers online,” said Rose Bruce-Smith, the centre’s policy officer.
“This kind of fraud is foreseeable and easily preventable through better data security measures by online businesses.
“In an environment where fraud, scams and scam losses are increasing every day, we need to see businesses and financial institutions do more to protect consumers’ data, privacy and money.
“Consumers should check their accounts for unauthorised charges and report any to their bank — unlike a scam, this type of fraud should be refundable through a bank charge back or by The Iconic.”
The Iconic has not disclosed how many of its customers have been affected, or when it first became aware of the issues.
A spokesperson for the retailer said the investigation into the matter is ongoing, and customers who have had their accounts breached will be notified.
On Tuesday, The Iconic committed to refunding those who have had fraudulent purchases made using their payment information.
The company has also been proactively emailing customers encouraging them to change their passwords regularly to ensure their account remains secure.
SOURCE: ABCNEWS