What does a current online retailer have in common with Charles Dickens? To describe the digital retail landscape as “it was the best of times, it was the worst of times,” may resonate with many eCommerce merchants today. Last year, overall online sales in the US exceeded $787.9 billion, a 32.3 percent year-over-year growth from 2019’s $595.7 billion. Exceptional sales and success, however, attract online criminals, who are becoming more skilled and organized by the day. The Global Information Security Survey 2020 by Ernst and Young shared that 59% of organizations encountered a material or a significant breach in the last year.
Keep in mind that most online threats are applicable to your eCommerce solution, regardless of the size of your business and the services and/or products you offer. Automated attacks simply do not discriminate; as long as a bad actor can find a way in, they will take what they can get.
We’ve rounded up the leading security risks that your eCommerce solution may face, along with solutions to each pain point.
E-Skimming
This threat sees a bad actor injecting malicious software into an online store’s checkout page in an attempt to steal sensitive data in real time, including personal and credit card data belonging to customers. This type of scheme can cause reputational damage, as it’s difficult to regain customers’ trust after a data breach. Be sure to bolster your system with a data breach scanner, such as Lokte’s very own Data Breach Monitoring.
Malware
The term “malware” refers to a number of different programs that are all designed to attack your online store in different ways. Bad actors inject their malicious programs into your website and/or systems without your knowledge or consent, with the aim of stealing private data from you and your customers. Malware includes software and programs such as:
- Viruses: Viruses infect and spread through programs and files with the intent of corrupting, damaging, or destroying data.
- Ransomware: Ransomware prevents the performance of your systems or online store (generally until a ransom payment is delivered to the criminals behind the scheme).
In the case of malware, the best defense is offense: a malware scanner or monitor will catch most attempts at breaching your systems.
Backdoors
A “backdoor” is any manner by which authorized and unauthorized users are able to bypass usual security protocols and achieve high level access to your network, system, or software application. In some cases, software creators install backdoors as an intentional and legitimate way to access their software, in order to assist their customers who have lost access to their accounts or who are experiencing software issues. However, if bad actors are able to locate and access your backdoor, they can use it to easily circumvent your online store’s authentication process, and thereby steal your data. The other type of backdoors are created by backdoor malware, or Trojans. Amidst the many malicious ways Trojans can be utilized, they can literally open up a backdoor to your system or software for their authors to use.
There are a number of ways to protect yourself against online criminals using backdoors against you. First, boost your password security — read more in our password hygiene blog post. Second, vet any plugins or extensions carefully before installing on your computer, or before allowing your employees to use them. Third, monitor your network activity with the help of a WAF (web application firewall). A malware scanner will also be a great help to combat Trojans in your system.
Bots
Bad actors utilize nefarious bots specifically developed to scrape your online store to gather information about your prices and inventory. Bad actors often use bots to install malware, or even to lead targeted phishing campaigns. Installing bot management software or CAPTCHA on your online store can help screen bots, so that they are unable to register accounts.
Vulnerabilities
A vulnerability is a weakness in your system or application, which results from a defective design or a bug that developed during implementation. Bad actors search for vulnerabilities that they can exploit for their own criminal purposes.
- SQL injection: Here, a bad actor hacks your query submission forms to break into your database. The bad actor then infects your database with malicious code, steals your data, and cleans the incriminating trail afterwards.
- Cross-site Scripting (XSS): Bad actors inject malicious JavaScript code into your online store to steal your customers’ cookies. We recommend our Data Breach Monitoring and a properly installed Content Security Policy to help curb such attacks.
DoS and DDoS attacks
We covered DoS and DDoS attacks in greater detail in one of our recent blog posts. In short, bad actors flood your servers with a wave of requests from multiple sources, including bots, that all utilize untraceable IP addresses. The aim of the requests is to overwhelm your online store so it can no longer function properly. Downtime for your online store can open your system up to more attacks, loss of revenue, and long lasting damage to your store’s reputation. Attackers behind this scheme will usually demand a ransom before they cease their attack. With DDoS attacks, it’s wise to monitor incoming requests and traffic on your servers. Blocking suspicious traffic will help prevent a flood of requests.
Brute Force
Hackers utilize brute force to attack your system and crack your admin password. Automated systems “guess” your password by trying thousands of different combinations until they arrive at the correct one. That’s why using appropriate password hygiene is so vital — read our latest blog post for more information.
Man in the Middle
Bad actors can intercept and monitor interactions between your online store and your customers. If your customer is using a compromised WiFi network, bad actors can use it to their advantage. Installing a robust encryption tool on wireless access points blocks unauthorized users from entering your network based on their proximity to your business. Without a strong encryption tool, it’s possible for a bad actor to use brute force to “break” into your network and carry out man-in-the-middle attacks.
Scraping
Scraping involves bad actors stealing information that exposes important internal metrics that companies try to keep private, especially from competitive firms. This can include details such as inventory, price lists, business strategy, performance results, and market research. Bots are often used for scraping, but human attackers also perform scraping attacks manually. To prevent scraping, it’s important to monitor the activity and traffic on your online store. If suspicious activity is flagged relating to private internal data, we recommend you quickly block access and immediately patch the known vulnerabilities; bot management is a great solution to combat scraping.
Credit Card Fraud
Bad actors may use stolen credit card details to make purchases on your online store. To decrease the risk of credit card fraud, we recommend installing an address verification system along with card payment. Online criminals can commit credit card fraud by stealing personal details from a victim and applying for a credit card in the victim’s name. Bad actors may also gain unauthorized access to a customer’s account, wherein they can make purchases with stored payment details. Install tougher password requirements for your customers and don’t make it easier for hackers by providing password hints. Even better — require your customers to utilize two-factor authentication to access their accounts. Introduce additional security measures around your payment process, such as requiring the buyer’s credit card’s CVV and ensuring this information is not stored in the customer’s account.
Phishing
Phishing occurs when bad actors utilize social engineering techniques to glean information from your customers, such as data or money. They may call or email your customers posing as a representative from your business, such as an email asking them to update their password details. Phishing techniques boil down to generalized, or targeted. In the first case, the attacker pretends to be a random figure, in need of assistance. The other variant is called spear phishing, and entails posing as someone the victim knows. To curb phishing, it’s important to train employees and be sure that stakeholders also vet the emails they receive carefully. Assure your customers of the information you would NEVER ask of them via email or over the phone to help protect them while shopping with you.
To Conclude
Again in the words of Charles Dickens, “be sure to install a web application firewall” as an effective first step to protect against common attacks, such as SQL injection and Cross-Site Scripting (XSS). Okay, we made up that last quote, but it’s still solid advice. To recap, spend time practicing strong password hygiene and two-factor authentication for yourself, your employees, and your customers. Consider malware monitors and data breach scanners. To continue your “best of times,” prioritize the security of your online business — spend the time and effort required to install better security protocols and measures, and instate a security-centered culture in your business. It may seem like a daunting task, but remember, many eCommerce businesses are lagging in their security posture; Ernst and Young found that only 20% of the businesses they surveyed are extremely confident in their security measures.
It’s never too late or too early to bolster the safety of your business and your customers. Read more about our security services here, and get in touch with us today!
