eCommerce websites are at the forefront of cyber attacks that can impact websites, breach customer confidentiality and damage a business’s reputation in the short and long term.
As more and more of our private data is stored online, from credit card information we upload ourselves to healthcare data that our healthcare providers store for us, cybersecurity risks are likewise increasing. The dark web is often the ultimate repository for stolen information, with cyber-attackers selling people’s confidential data on to willing buyers who then go on to perpetrate further attacks, including those of the most serious kind such as stealing another’s identity. As the Internet of Things (IoT) proliferates further, from smart fridges to home alarms, these ‘things’ are also vulnerable to being taken over remotely and manipulated to damaging effect.
Website owners and users need to be aware of these risks, both the worst case scenarios and the more everyday security challenges. For eCommerce sites, website security is a particularly relevant topic. Online stores are becoming increasingly popular: the U.S. Commerce Department reported that e-Commerce represented 13% of total retail sales last year with over $450 billion spent on retail purchases made on the web. Amongst people under the age of 30, 90% have made an online purchase.
eCommerce sites (from small to large businesses) are attractive to hackers because they process personal information, including credit card details and passwords that are often reused across multiple accounts. If websites are not secured properly and are successfully attacked, hackers can benefit not only from the use of credit card numbers, but also from email/password combinations that can be tried on other websites in further attacks.
Cybersecurity Threats to Be Aware Of
Some of the most significant security threats to eCommerce sites include:
Exploiting Known Vulnerabilities
All software, including your eCommerce platform itself and any extensions built on it, has certain vulnerabilities known to attackers. Examples include gaining access to your site via a back door; SQL injection, in which malicious SQL statements are injected into what appears to be a legitimate SQL query; and cross-site scripting, in which an attacker inserts a JavaScript snippet on a vulnerable web page that looks like a normal script to a browser and is therefore executed, enabling, for example, the theft of customer credit card data. Even though cross-site scripting doesn’t directly target the website, it still targets your website’s users and could negatively impact your business.
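The two injection flaws described above, shown as an added Python example (not code from this article or from any eCommerce platform): each vulnerable form sits next to its fix. The `customers` table, the function names and the crafted inputs are hypothetical and constructed for illustration.

```python
import html
import sqlite3

def make_db():
    """In-memory store with two constructed customer rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (email TEXT, card_last4 TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [("alice@example.com", "4242"), ("bob@example.com", "1881")])
    return db

def lookup_vulnerable(db, email):
    # BAD: user input is pasted into the SQL text, so it can change the query.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db, email):
    # GOOD: the driver binds the value, so it is only ever compared as data.
    return db.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()

def render_review_vulnerable(text):
    # BAD: customer-supplied text becomes markup that the browser will execute.
    return "<p class='review'>" + text + "</p>"

def render_review_safe(text):
    # GOOD: HTML-encode on output so the browser displays the text literally.
    return "<p class='review'>" + html.escape(text) + "</p>"

CRAFTED_EMAIL = "nobody@example.com' OR '1'='1"          # constructed input
CRAFTED_REVIEW = "<script>/* attacker code */</script>"  # constructed input

if __name__ == "__main__":
    db = make_db()
    print(len(lookup_vulnerable(db, CRAFTED_EMAIL)))  # every row comes back
    print(len(lookup_safe(db, CRAFTED_EMAIL)))        # no row matches
    print(render_review_safe(CRAFTED_REVIEW))         # tags arrive encoded
```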
Security Hacks & Phishing Attacks
Security hacks have made high-profile news for multiple years, from the potentially election-swaying hack into the Democratic National Committee last year by suspected Russian agents to the Sony Pictures hack in 2014, which led the Obama administration to impose economic sanctions against North Korea for its suspected role in the attack. Businesses have been just as much under attack, however. In September 2017, Equifax disclosed probably the worst corporate data breach in history. The hack exposed the personal information of 145.5 million U.S. users (including birth dates, addresses and Social Security numbers), meaning that almost half the entire population of the U.S. had their crucial identifying data exposed to cyber-attackers. Small businesses are often even more susceptible to hacks because they have lower defenses.
Hacks are often perpetrated via phishing scams, which typically take the form of emails that are made to look legitimate so that the recipient will open them. They usually include a link or direction to a page that if followed can then take over an email account and/or install malware on your computer without your knowledge. If an employee falls victim to a phishing scam, they could unintentionally provide access to not only their computer, but your entire network.
Ransomware and Malware
Recent ransomware attacks that have stolen the headlines include Magecart, WannaCry, Petya, NotPetya and BadRabbit, all of which used exploits explicitly aimed at compromising corporate networks. According to Kaspersky Lab, 26.2% of ransomware targets last year were business users, up by 4% from the previous year. Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, hypothesized why, saying, “business victims are remarkably vulnerable, can be charged a higher ransom than individuals and are often willing to pay up in order to keep the business operating.”
Malware is malicious software that attackers will insert into your web pages or files after they have gained access. Popular eCommerce platforms such as Magento are especially vulnerable to widespread malware infections due to their popularity. Malware can perform a wide range of activities, from enlisting your computer in a botnet that can be unwittingly used as part of a DDoS attack to stealing your website users’ account information. Malware can also perform spam activities such as creating false links or inserting pop-up ads onto your site.
Distributed Denial of Service (DDoS) Attacks
DDoS attacks also continue to rise, both the volumetric kind such as Mirai and the more sophisticated kind that targets the application layer. Both need to be vigilantly protected against, as they are equally damaging in terms of potentially slowing down site speeds and/or knocking websites offline altogether, which can lead to a significant loss of profits in both the short and long term.
How to Protect Your eCommerce Site
There are multiple ways in which you can protect your eCommerce site, and website security is never a one-size-fits-all approach. Some large eCommerce sites may require the presence of an internal security team to monitor and manage potential threats, whilst smaller to mid-sized sites can handle cybersecurity without a dedicated internal team. Bigger sites tend to require more security because the larger a site, the more attacks it will face. However, as smaller sites typically have fewer defenses, they also represent an attractive target to attackers.
Everyday ways in which you can protect your website from vulnerabilities include the following activities:
- Run regular audits for potential vulnerabilities, using tools that scan your site for malware and for other likely vulnerabilities particular to your platform
- Examine your logs for potential threats to see where suspicious or unusual requests come from, and potentially then set up traffic-blocking measures for particular regions
- Deploy SSL/TLS encryption on all website pages
- Update security patches regularly - make a maintenance schedule
- Always use strong passwords and 2-factor authentication for administrator accounts, which are especially vulnerable to hacking attempts by both individual attackers and bots
- Abide by PCI-compliant regulations on all elements of your platform, including third-party payment gateways, such as Stripe or Authorize.net
- Only use trusted extensions, platforms and themes - According to WPScan, a black box WordPress vulnerability scanner, 52% of known WordPress vulnerabilities last year came from plugins and 11% from themes. Download directly from your platform’s marketplace and be particularly cautious of free tools.
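One way to carry out the log review from the list above, as an added example rather than a tool referenced by this article: it groups suspicious requests by source IP so you can decide what to block. It assumes combined-format access logs and an admin login at `/admin/login` (both assumptions), the log lines are constructed, and mapping IPs to regions would need a separate GeoIP database.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

ADMIN_LOGIN_PATH = "/admin/login"  # assumption: adjust to your platform
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SQLI = re.compile(r"'\s*(or|and|union)\b|union\s+select", re.I)
XSS = re.compile(r"<script|onerror\s*=|javascript:", re.I)

# Constructed sample lines in combined log format (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2018:10:01:02 +0000] "GET /catalog?id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2018:10:01:05 +0000] "GET /catalog?id=5%27%20OR%20%271%27=%271 HTTP/1.1" 500 310 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2018:10:01:06 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2018:10:02:00 +0000] "POST /admin/login HTTP/1.1" 401 120 "-" "python-requests/2.18"
192.0.2.44 - - [12/Mar/2018:10:02:01 +0000] "POST /admin/login HTTP/1.1" 401 120 "-" "python-requests/2.18"
192.0.2.44 - - [12/Mar/2018:10:02:02 +0000] "POST /admin/login HTTP/1.1" 401 120 "-" "python-requests/2.18"
203.0.113.7 - - [12/Mar/2018:10:03:10 +0000] "POST /admin/login HTTP/1.1" 401 120 "-" "Mozilla/5.0"
"""

def triage(log_text):
    """Return {source_ip: Counter(reason -> hits)} for suspicious requests."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, status = m.groups()
        decoded = unquote_plus(target)  # match on the URL-decoded request
        if SQLI.search(decoded):
            hits[ip]["sqli_pattern"] += 1
        if XSS.search(decoded):
            hits[ip]["xss_pattern"] += 1
        failed = method == "POST" and status in ("401", "403")
        if failed and decoded.startswith(ADMIN_LOGIN_PATH):
            hits[ip]["admin_login_fail"] += 1
    return hits

def sources_to_review(hits, fail_threshold=3):
    """Source IPs with any injection pattern or repeated admin login failures."""
    return sorted(ip for ip, r in hits.items()
                  if r["sqli_pattern"] or r["xss_pattern"]
                  or r["admin_login_fail"] >= fail_threshold)

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for ip in sources_to_review(found):
        print(ip, dict(found[ip]))
```

A single failed admin login stays below the threshold, so an administrator who mistypes a password once is not flagged.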
Larger security measures to take include:
- Setting up a Web Application Firewall (WAF) to protect against application-specific attacks, including cross-site scripting, SQL injections, known platform vulnerabilities, and others. You can either use a classic rules-based WAF such as ModSecurity or a next-gen firewall such as Threat X and Signal Sciences that deploy heuristics and AI to detect attacker patterns and automatically block threats. At Section, we offer all three as options.
- Deploying a bot-blocking solution such as ShieldSquare to protect your site from bad bots through blacklisting, providing alternate content, using CAPTCHA forms, and other customized actions.
- Working with a CDN such as Section, which can provide two layers of protection and website optimization to your website: a DNS layer, which routes your traffic to the nearest global server in the CDN’s network, and a reverse proxy layer, which intercepts traffic and blocks threats, in addition to speeding up performance. Reverse proxy software typically performs many different security and optimization functions including blocking bots, acting as a WAF, caching content and performing image optimization.