How Can Retailers Cyber-prepare For The Most Vulnerable Time Of The...

The holiday season compresses risk into a short, high-stakes window. Systems run hot, teams run lean, and attackers time automated campaigns to get maximum return. Multiple industry threat reports show that bot-driven fraud, credential stuffing and account takeover attempts intensify around peak shopping events, especially the weeks around Black Friday and Christmas.

Credential stuffing and password reuse are attractive to attackers because they scale: leaked username/password lists are tested automatically against retail login portals and mobile apps, and successful logins unlock stored payment tokens, loyalty balances and shipping addresses. These are assets that can be monetized immediately. Industry telemetry indicates adversaries “pre-stage” attack scripts and configurations in the days before major sale events to ensure access during peak traffic.

Retail history also shows how vendor or partner credentials expand the blast radius. The 2013 Target breach remains a classic case: attackers used credentials stolen from an HVAC vendor to gain network access and install malware on POS systems, leading to large-scale card data theft. That incident is a clear reminder that third-party access must be treated with the same rigor as internal accounts.

Retailers can’t afford to over-friction checkout flows, but they also can’t ignore the fact that most account takeover attempts start with weak, reused, or compromised passwords. Adaptive (conditional) MFA is the best compromise: prompt for a second factor when the login or transaction is risky (new device, high-value change, anomalous location) but keep the common customer journey smooth.

NIST’s digital identity guidance and major vendor recommendations suggest blocking known compromised credentials, focusing on password length and entropy rather than archaic complexity rules, and moving toward phishing-resistant passwordless options such as passkeys where feasible.

Being careful with staff and third-party access can reduce the operational blast radius. Employee and partner accounts often have more authority than customer accounts. Admin consoles, POS backends, vendor portals, and remote access all deserve mandatory MFA and strict access controls. Use SSO with conditional MFA to reduce friction for legitimate staff while protecting high-risk actions, and require privileged credentials to be unique and stored in a vault or PAM system.

Peak season requires layered defenses that stop automated abuse without cr

Source: The Hacker News