By Erik Gaston, Vice President of Global Executive Engagement, Tanium
Cyber-criminals are nothing if not opportunistic. While the e-commerce industry is far from the “Wild, Wild West” – where infamous masked highway robbers ganged-up and ran rampant – today’s outlaws are still seeking to exploit loose security and regulation to prey on vulnerable targets and make a quick buck.
For those in the market of selling counterfeit or stolen products online – their confidence may be wavering – and consumers can now hope to see a greater crackdown on scammers.
The aptly named INFORM Consumers Act – or the rather long-winded Integrity, Notification, and Fairness in Online Retail Marketplaces for Consumers Act – was signed into law after the bipartisan legislation was passed by Congress in December 2022 and has been in effect since June 27, 2023. The goal of the INFORM Consumers Act is to provide greater transparency in online marketplace transactions and ultimately, to protect buyers.
The reason for this Act is clear – in 2022, the Federal Trade Commission received over 350,000 complaints stemming from online fraud. Clearly, something had to be done, but these changes won’t be easy to navigate for what the act defines as “online marketplaces,” especially given noncompliance carries hefty penalties, with fines that can exceed over $50k for each violation.
What’s changing?
The Act defines “high-volume third-party sellers” as those in online marketplaces with more than 200 transactions at $5k per year. This is significant because although it affects the Amazons and eBays of the world, there are a number of smaller marketplaces that will also be impacted. The e-commerce market accounted for 15.1% of total retail sales and reached $272.6 billion in Q1 2023 alone, so Amazon is by no means the only game in town.
The Act requires that the online marketplaces collect, verify, and disclose certain information about third-party sellers within 10 days of them qualifying as a “high-volume third-party seller.” If they are unable to do so, they must suspend activity for that seller. While this sounds simple enough, the information included is sensitive banking and financial data – known targets of malicious cyber criminals. Suddenly, these marketplaces must protect substantially more data and are being forced to assume increased liability brought on by the INFORM Act.
The challenges for marketplaces
Ultimately, the whole dynamic of online marketplaces is going to change. Originally, online marketplaces were established to bring buyers and sellers together. The INFORM Act changes this relationship significantly, as the marketplace itself is now an intermediary that must police its sellers and ensure that high volume marketplaces are safe for the consumer. The implications of this are clear – the cost of doing business for these marketplaces will inevitably go up and they will have to adopt robust, yet efficient, cybersecurity practices.
By having to collect and retain specific data like names, legal entities, bank accounts, tax IDs, and general contact information, online marketplaces will need to revisit their strategies for multi-factor authentication, Zero Trust, antivirus, etc., and establish an asset lifecycle-based program. It now becomes essential that these companies truly understand what their security posture is and recognize that they are a prime target for bad actors. This presents the necessity for an “outside-in” vantage point that places data management architects in the shoes of the scammers.
Complicating matters is the reality of the sudden shift in buying and working habits brought on by COVID-19. In response to the pandemic, many new infrastructures were hastily built to accommodate the online-only marketplace, and despite the recent resurgence in brick-and-mortar sales, online shopping remains much more prevalent than it was before COVID-19. This means many of the marketplaces haven’t had the breathing room to ever really catch up – but they will have no choice with the INFORM Act. It is truly an adapt or fail situation for many businesses.
In summary…
It is not all doom and gloom for marketplaces – they can certainly make the necessary changes to efficiently recognize, collect, and retain data on the identity and whereabouts of third-party sellers. Doing so, though, will require a well thought out and organized plan with cybersecurity at the core.
Some questions for online marketplaces to consider:
- How many assets do I have and what is the scope of my network from the outside-in?
- What is running on ALL devices in my network? (Do I need better version control and to deprecate assets per my lifecycle program?)
- What is going in and out of our network at any given time?
- What do I look like to an attacker/scammer?
- Are our controls present and effective?
- Where does our data come from and where is it stored?
- Are our teams properly training the way they “race?” And do we have a common language across security and IT operations?
Implementing cybersecurity programs can achieve the goal of being able to ask and answer these questions in real time, at any time, 24/7. Once this is done, it will undoubtably be an effective way to reduce the prevalence of online fraud.
[Image by rawpixel.com on Freepik]
