08 Feb Cyber security threats and measures for eCommerce companies in 2021
Who does not shop online in this day and age to purchase products and services? Who does not want to be able to choose from a myriad of options, compare shapes, sizes, colours, and prices, all from the convenience of the home without having to physically go to a store? Add to that the accessibility to products globally! Well, I believe, almost everyone does online shopping today, and numbers are increasing each day!
Worldwide eCommerce sales are expected to reach $4.9 trillion (USD) in 2021! The Covid-19 pandemic drove people to start purchasing everyday goods online and forced even non-online shoppers to move to online shopping.
So, what do eCommerce companies need to do to stay current, competitive, attract new customers, and provide their customers with a seamless and satisfying shopping experience?
As much as it’s critical for eCommerce companies to focus on making new products available, maintaining their competitive edge, sticking to delivery commitments, and improving the quality of products and customer service, it’s equally important and necessary to safeguard their websites and their customers. As the entire eCommerce business is digital and online, the primary source of threats to these companies is cyber-attacks.
To understand what kinds of information security measures eCommerce companies should adopt, let us first look at a few of the common and harmful cyber threats plaguing these businesses.
CYBER SECURITY THREATS TO E-COMMERCE
Credit card fraud
This is the most common affliction of an online shopping website and is increasing day-by-day. Hackers frequently use the dark web to purchase stolen credit card information. They then attempt to locate accounts of the persons whose card information they have stolen on various eCommerce websites, attempt to hack into them, and use the card information to make fraudulent purchases.
If the company is not able to identify and prevent such transactions, it results in the loss of valuable products and angry customers. There is also the loss of significant amounts of money, as the company needs to reimburse the scammed customers, and damage to reputation to deal with.
E-skimming is another attack method that hackers use to steal credit card and other personal information from eCommerce transactions, but this happens during the payment process. This threat exists if the payment process stages are not seamless, or if there are misleading links on the screen to an external site or payment portal where hackers are waiting to capture the card information in real-time as the customer enters the details.
This type of attack is on the rise; attackers use a variety of methods like misleading links, phishing, cross-site scripting, etc. In September 2020, hackers took advantage of a zero-day vulnerability to insert skimming code into nearly 2000 eCommerce websites that were running an older version of Adobe’s Magento software. Hackers have also begun to use automation techniques to run the skimming operations.
Distributed Denial of Service (DDoS) attacks
In a DDoS attack, a hacker floods the servers of the eCommerce website with thousands of requests from potentially untraceable sources, i.e., IP addresses. The purpose of this attack is to make the shopping platform unavailable to customers by disrupting service between the website and its servers. Such attacks occur more often during popular sales periods such as end-of-year offers, special holiday discounts, or the launch or heavy discounting of an awaited product.
If customers cannot obtain products and services at such times, they lose trust and confidence in the company, and the company subsequently faces heavy reputational damage and financial losses.
Malware
eCommerce websites are also continually threatened by malware, software designed to achieve malicious results against a target. Malware is extremely diverse in the outcomes it is designed to produce; some are listed below:
- Impersonating the eCommerce business and sending emails on its behalf
- Taking control of the platform and architecture
- Accessing databases and tampering with or stealing data
- Gaining complete access to the system and locking the owners out, that is, essentially holding the system for ransom (ransomware)
We can see how malware can have far-reaching, expensive, and destructive impacts on eCommerce businesses if they are not constantly vigilant and do not adopt updated preventative information security measures.
Automated algorithms or bots
We mentioned above how hackers today are using automated techniques for credit card skimming operations. These elements are called “bots”; they are automated programs designed to carry out specific tasks within a system. They are also designed to behave like real users, in that they can progress through a transaction exactly like a person. It can be very difficult to tell a bot apart from a real person.
Bad bots have made hacking activities easier and more intense as they can perform the same action repeatedly thousands of times within seconds. They are used to perform attacks on eCommerce platforms such as:
- Credit card fraud: Bots are programmed to use stolen credit card numbers and then test them against CVV number combinations until a match is found. Once successful, the hacker can use the information to make purchases by impersonating someone else.
- Account access: Hackers can steal account details or acquire them from the dark web. Armed with this information, they can program bots to try username and password combinations on various eCommerce sites. Where an account login is successful, the hacker gets free and complete access to all information stored within the user’s account and can make unauthorised and fraudulent purchases.
- Price scraping: It is not a surprise that bots are also used by competitors. An eCommerce business can direct bots at a competitor’s platform to get access to sensitive data such as product pricing, marketing plans, product lines, suppliers, pricing strategy, inventory levels, and more.
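The two bot-driven attacks above, card testing and credential stuffing, share one property a defender can act on: a single source performs the same step many times in a short window. The following added example (not code from the original article or from Secure Triad) runs velocity rules over a constructed login/authorisation event log. The CSV event format, the thresholds and the window length are assumptions chosen for illustration and would be tuned to real traffic.

```python
"""Velocity-based detection of card testing and credential stuffing.

Added example, not from the original article. The log format, field names,
thresholds and window are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Detection thresholds (assumed; tune to the site's normal traffic)
WINDOW = timedelta(minutes=5)
STUFFING_DISTINCT_USERS = 5   # failed logins against this many accounts from one IP
CARD_TEST_DECLINES = 4        # declined card authorisations from one IP

# Constructed sample log. Fields: timestamp, source_ip, event_kind, subject, outcome.
# For "login" the subject is the username; for "card_auth" it is a masked card token.
SAMPLE_LOG = [
    "2021-02-08T10:00:01,203.0.113.5,login,alice,fail",
    "2021-02-08T10:00:03,203.0.113.5,login,bob,fail",
    "2021-02-08T10:00:04,203.0.113.5,login,carol,fail",
    "2021-02-08T10:00:06,203.0.113.5,login,dave,fail",
    "2021-02-08T10:00:07,203.0.113.5,login,erin,fail",
    "2021-02-08T10:00:09,203.0.113.5,login,frank,success",
    "2021-02-08T10:01:00,198.51.100.7,card_auth,tok-4111,declined",
    "2021-02-08T10:01:02,198.51.100.7,card_auth,tok-4111,declined",
    "2021-02-08T10:01:03,198.51.100.7,card_auth,tok-5500,declined",
    "2021-02-08T10:01:05,198.51.100.7,card_auth,tok-5500,declined",
    "2021-02-08T10:01:06,198.51.100.7,card_auth,tok-3400,approved",
    # Legitimate shopper: one typo on the password, then success and an approved card
    "2021-02-08T10:02:00,192.0.2.10,login,grace,fail",
    "2021-02-08T10:02:10,192.0.2.10,login,grace,success",
    "2021-02-08T10:03:00,192.0.2.10,card_auth,tok-6011,approved",
]


def parse_event(line):
    """Parse one CSV log line into a dict with a datetime timestamp."""
    ts, ip, kind, subject, outcome = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "ip": ip,
            "kind": kind, "subject": subject, "outcome": outcome}


def _scan_ip(ip, evs):
    """Slide a time window over one IP's events and fire each rule at most once."""
    alerts, fired, start = [], set(), 0
    for end in range(len(evs)):
        # Advance the window start so that it spans at most WINDOW
        while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
            start += 1
        window = evs[start:end + 1]

        # Credential stuffing: failed logins spread over many distinct accounts
        failed_users = {e["subject"] for e in window
                        if e["kind"] == "login" and e["outcome"] == "fail"}
        if len(failed_users) >= STUFFING_DISTINCT_USERS and "credential_stuffing" not in fired:
            alerts.append({"ip": ip, "rule": "credential_stuffing",
                           "count": len(failed_users), "at": evs[end]["ts"].isoformat()})
            fired.add("credential_stuffing")

        # Card testing: a burst of declined authorisations from one source
        declines = [e for e in window
                    if e["kind"] == "card_auth" and e["outcome"] == "declined"]
        if len(declines) >= CARD_TEST_DECLINES and "card_testing" not in fired:
            alerts.append({"ip": ip, "rule": "card_testing",
                           "count": len(declines), "at": evs[end]["ts"].isoformat()})
            fired.add("card_testing")
    return alerts


def detect(lines):
    """Return a list of alerts found in the given log lines, grouped by source IP."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        alerts.extend(_scan_ip(ip, evs))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two design points matter in practice. The stuffing rule counts distinct usernames rather than raw failures, so a single user fumbling their own password (as 192.0.2.10 does) does not trip it; repeated failures against one account are better handled by per-account lockout or CAPTCHA. Both rules key on the source IP only, which is the simplest signal; bots that rotate addresses need additional signals such as device fingerprint, session token or request timing.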
INTEGRAL REQUIREMENTS OF AN E-COMMERCE BUSINESS
Any eCommerce business must meet four basic principles that are fundamental for conducting secure online transactions. These are:
Privacy: Any information exchanged or saved on the online shopping platform must be safeguarded against unauthorised entities. This includes personal account information, passwords, addresses, card details, even shopping history. The company should have a policy as to how it utilises this information and make it known to its customers; however, no external or unauthorised party should have access to the data.
An example of privacy breach in eCommerce is hackers getting unauthorised access to customers’ accounts and stealing personal and payment information.
Integrity: The saved and exchanged information cannot be altered by an unauthorised third party. During exchange or display of information, data should remain original between the sender and receiver.
An example of an integrity breach in eCommerce is an e-skimming attack where a purchaser gets directed to a fraudulent payment gateway from the eCommerce website.
Authenticity: The transacting parties should be able to prove their identities to each other. An eCommerce business should know the identity of every customer. From the customers’ perspective, they should be assured that they are dealing with a genuine business. This includes instances of exchange of information on the website, via email, or via phone.
An example of an authenticity breach in eCommerce is a phishing attempt in which an attacker impersonates the company and sends newsletters, offers, etc. via email to customers with embedded links that customers may click, entering their online shopping account credentials.
Non-repudiation: For any eCommerce transaction, proof should be available that the exchanged information was received. There should be no scope for any of the parties participating in the transaction to deny their actions.
An example of a lack of non-repudiation is missing order history in a customer’s account, which allows the customer to deny placing an order, or a missing payment confirmation, such as a tax invoice or e-receipt, which would allow the company to deny that the customer paid for their order. If an eCommerce website is lacking in this tenet, an attacker can exploit this weakness and create havoc between customers and the company.
CYBER SECURITY MEASURES THAT E-COMMERCE BUSINESSES SHOULD ADOPT
Some fundamental cyber security measures can go a long way for an eCommerce business to protect its data, systems, customers, and reputation. These include but are not limited to:
- Implementing strong and unique passwords. Require users to do the same on the website and encourage them not to reuse the credentials of any other online account.
- Implementing CAPTCHA on the login screen. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. This is an effective first step to prevent bad bots from creating fake accounts and accessing customers’ details.
- Implementing 2-step verification, 2-factor authentication, or multi-factor authentication to include the extra level of assurance that only authorised users are logging into the eCommerce website.
- Installing a firewall system to monitor and control website activity and investing in a robust anti-virus protection system. Regularly installing all software and operating system updates.
- Keeping sensitive information on the website as limited as possible. Companies should store business-confidential and sensitive data within their internal systems, which are protected by more rigorous security measures.
- Storing only the customer data that is absolutely needed to operate an account and make purchases. Privacy issues of personal data are in a major spotlight today, and eCommerce companies should steer away from asking for data that is not required.
- Having protocols and alert systems in place that can identify possible fraudulent purchases. For example, an order of a much higher value than is normally received, an order where the shipping address is different from the billing address, multiple unsuccessful attempts to place orders within a period, and many other parameters.
- Training and retraining employees to watch out for phishing emails that could possibly give a hacker entry into the company’s systems.
- Backing up data regularly. In case there is a breach, and the eCommerce business loses data or access to the systems, they can restore the backed-up data and resume operations as quickly as possible.
- Regularly carrying out penetration testing of the company’s systems and eCommerce website and/or mobile app to identify if any vulnerabilities exist that could be exploited by cyber attackers.
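The fraud-alert measure in the list above names three order signals: an unusually high value, a shipping address that differs from the billing address, and repeated failed attempts within a period. The following added example (not code from the original article or from Secure Triad) turns those three signals into a weighted scoring rule that holds suspicious orders for manual review instead of silently rejecting them. The order fields, per-customer purchase history, weights and review threshold are all assumptions chosen for illustration.

```python
"""Rule-based fraud scoring for incoming eCommerce orders.

Added example, not from the original article. Order fields, weights,
thresholds and the sample history are assumptions for illustration.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass
class Order:
    order_id: str
    customer_id: str
    amount: float
    shipping_address: str
    billing_address: str
    failed_attempts_last_hour: int   # declined or abandoned checkout attempts by this customer


# Constructed per-customer history: amounts of previously completed orders
HISTORY = {
    "cust-1": [45.0, 60.0, 52.0, 48.0],
    "cust-2": [500.0, 620.0],
}

# Assumed weights and threshold; a real deployment would calibrate these
HIGH_VALUE_MULTIPLIER = 3       # order is "much higher" if > 3x the customer's average
NEW_CUSTOMER_LARGE_ORDER = 1000.0
FAILED_ATTEMPTS_LIMIT = 3
REVIEW_THRESHOLD = 50           # score at or above which the order is held for review


def score_order(order, history):
    """Return (score, reasons) for an order using the three signals from the text."""
    score, reasons = 0, []
    past = history.get(order.customer_id, [])

    # Signal 1: value much higher than this customer normally spends
    if past:
        typical = mean(past)
        if order.amount > HIGH_VALUE_MULTIPLIER * typical:
            score += 40
            reasons.append(f"amount {order.amount:.2f} exceeds {HIGH_VALUE_MULTIPLIER}x typical {typical:.2f}")
    elif order.amount > NEW_CUSTOMER_LARGE_ORDER:
        # No history: a large first order is weaker evidence, so it weighs less
        score += 20
        reasons.append("large first order from customer with no history")

    # Signal 2: shipping address differs from billing address
    if order.shipping_address.strip().lower() != order.billing_address.strip().lower():
        score += 25
        reasons.append("shipping address differs from billing address")

    # Signal 3: repeated unsuccessful attempts in the recent period
    if order.failed_attempts_last_hour >= FAILED_ATTEMPTS_LIMIT:
        score += 35
        reasons.append(f"{order.failed_attempts_last_hour} failed attempts in the last hour")

    return score, reasons


def decide(order, history=HISTORY):
    """Score the order and map it to an action for the fulfilment pipeline."""
    score, reasons = score_order(order, history)
    return {
        "order_id": order.order_id,
        "score": score,
        "action": "review" if score >= REVIEW_THRESHOLD else "accept",
        "reasons": reasons,
    }


# Constructed sample orders covering the normal and suspicious cases
SAMPLE_ORDERS = [
    Order("ord-1", "cust-1", 55.0, "1 Main St", "1 Main St", 0),
    Order("ord-2", "cust-1", 900.0, "9 Drop Ave", "1 Main St", 4),
    Order("ord-3", "cust-2", 700.0, "2 Office Rd", "7 Home Ln", 0),
    Order("ord-4", "cust-9", 1500.0, "5 New St", "5 New St", 3),
]

if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        print(decide(o))
```

Scoring rather than hard-blocking keeps a single weak signal (a gift shipped to a different address, as in ord-3) from turning away a genuine customer, while the combination of several signals (ord-2) is held for a human to check. The same structure accepts further parameters the text alludes to, such as order frequency or geolocation mismatch, as additional weighted rules.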
Contact us at Secure Triad to know how we can help you with penetration testing to up the cyber security defenses of your eCommerce business.