What does a digital commerce business have in common with English novelist Charles Dickens? Describing the digital commerce arena as “it was the best of times, it was the worst of times” will resonate with many online business owners today.
In 2021, digital commerce generated about $768 billion in revenue, with estimates placing online shopping revenue in the US at $1.3 trillion by 2025. In the third quarter of 2021, online sales amounted to 13% of total sales in the US. Moreover, online sales revenue in the US exceeded $220 billion between April and June 2021, the highest quarterly revenue ever recorded.
Unfortunately, unprecedented revenue and success also attract unwanted attention, as online criminals become more skilled and organized every day. The Global Information Security Survey 2021 by Ernst and Young surveyed digital businesses around the world and found that 77% of respondents have experienced an increase in the number of online attacks over the last year. In contrast, only 59% of digital businesses noted an increase in 2020.
It’s important to note that all online retailers are at risk, regardless of the size of the business and the services or products for sale. Automated attacks don’t discriminate; if bad actors find a way in, they will reap the rewards.
We’ve rounded up the key ecommerce risks that your digital solution may face, along with possible solutions to each hazard.
Related Reading: Cybersecurity for Small Businesses
Risk: Magecart Attacks
This risk involves a bad actor injecting malicious code into an ecommerce website’s checkout page to skim sensitive data in real time, including customers’ personal and credit card data. This type of attack can bring reputational damage to a business, as regaining customers’ trust after a data breach is a difficult task.
Arm your system with a data breach scanner, such as Vaimo’s very own Data Breach Monitoring.
Related Reading: Magecart attacks: what are they and how to protect your business
Risk: Malware
“Malware” covers a range of programs, all designed to attack your ecommerce store in different ways. Online criminals inject malicious programs into your website and/or systems without your knowledge or consent, with the goal of stealing private data from you and your customers. Malware includes software and programs such as:
- Viruses: Viruses infect and disperse through files and programs with the aim of damaging, corrupting, or destroying data.
- Ransomware: Ransomware blocks the performance of your online store or systems, usually until the criminals responsible for the scheme receive a ransom payment.
In the case of malware, digital merchants will find that the best defense is a proactive one: a malware monitor or scanner will detect most attempts at breaching your systems.
Risk: Backdoors
The term “backdoor” applies to the unauthorized access achieved by an individual who bypasses the usual security protocols and gains high-level access to your system, network, or software application.
In some cases, software authors include backdoors intentionally, as a way to access their own software when providing assistance to their customers who lost access to their accounts or who experience software issues. Still, if cybercriminals locate and gain unauthorized access to your backdoor, they can use it to easily circumvent your online store’s authentication process, and steal your sensitive data.
Backdoor malware, or “Trojans,” actually creates backdoors in the systems it infiltrates. Among the many malicious ways that bad actors can use Trojans, their main purpose is literally to open a backdoor into your software or system for their creators to use.
There are a number of methods to safeguard yourself against bad actors using backdoors against you. First, bolster your password security by ensuring your passwords meet the required security standards. Second, carefully vet any third-party extensions or plugins before allowing your employees to use them. Third, use a WAF (web application firewall) to help monitor your network activity for any suspicious behavior. A malware scanner can also help stop Trojans from gaining a foothold in your system.
Risk: Bots
Threat actors use malicious bots to scrape your online store and collect information about your inventory and prices. Bad actors often utilize bots to install malware, or even to spearhead targeted phishing campaigns.
Screen for bots by installing bot management software or a CAPTCHA on your online store, so bots cannot register accounts.
Risk: Vulnerabilities
A vulnerability refers to a weakness in your system or application, which often results from a flawed design or a bug that occurred during implementation. Cybercriminals look for vulnerabilities they can exploit for their own malicious purposes. Vulnerabilities may include:
- SQL injection: An online criminal submits crafted input through your query submission forms so that it is executed as part of a database query. From there, the bad actor injects malicious code into your database, swipes your data, and wipes their trail clean afterward.
Vaimo’s Data Breach Monitoring and a properly configured Content Security Policy will help prevent such attacks. Additionally, use a penetration testing service to understand the existing vulnerabilities in your system and how to fix them before cybercriminals have a chance to find them.
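As an added illustration (example code written for this page, not Vaimo’s and not from any real store), here is the search-form flaw described above beside its parameterized fix, run against a constructed SQLite catalogue whose table and column names are assumptions:

```python
import sqlite3

# Example code added here, not Vaimo's own; the products table and its columns
# are assumptions standing in for a store's real catalogue database.

def build_catalogue():
    """Constructed in-memory catalogue with one unpublished (hidden) product."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Blue Jacket", 1), (2, "Red Scarf", 1), (3, "Unreleased Coat", 0)],
    )
    return conn

def search_vulnerable(conn, term):
    """The flaw the text describes: the form value is pasted into the SQL text,
    so the database cannot tell the shopper's data from query syntax."""
    sql = f"SELECT name FROM products WHERE published = 1 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]

def search_parameterized(conn, term):
    """The fix: the query shape is fixed and the term is bound as a parameter,
    so it is only ever compared as a string and never parsed as SQL."""
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]

def demo():
    """Runs both searches with an ordinary term and with a crafted one that
    breaks out of the quoted string; returns the four result lists."""
    conn = build_catalogue()
    crafted = "' OR 1=1 OR name LIKE '"   # turns the WHERE clause into an always-true test
    return (
        search_vulnerable(conn, "Jacket"),
        search_parameterized(conn, "Jacket"),
        search_vulnerable(conn, crafted),      # leaks the unpublished product too
        search_parameterized(conn, crafted),   # no product name contains that text
    )
```

The same contrast applies to any ORM or driver: build the statement once, pass user input only as bound parameters.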
Risk: DoS and DDoS Attacks
Let’s break down the terminology here. “DoS” refers to Denial of Service, a concept that describes the prevention of access to a service, or the complete shutdown of service. When a customer searches for a product in your online store, the system reaches out to the database containing product data. The system then returns the result of the search to the customer. If a cybercriminal discovers a weakness in your system that enables them to make that search request take longer, they can then execute the same request thousands of times, consequently jamming up your database. As a result, all your legitimate customers must wait until the database processes the thousands of requests before they can receive their results. A DoS attack is an individual attack that exploits a vulnerability and uses it to degrade the functionality of your site.
A “Distributed Denial of Service” attack is a DoS attack at a much larger scale, which means attackers execute the attack with the use of multiple entities, computers, and more. For instance, a DDoS attack occurs when several systems try to deluge the resources or bandwidth of a target system, commonly one or more web servers. A threat actor usually performs a DDoS attack with the help of multiple computers, oftentimes from hundreds or thousands of hosts containing malware. Online criminals are able to buy DDoS services and botnets (remote-controlled computers) with untraceable IP addresses from the black market, and then they are able to instruct the bots to attack a specific website. The attack may cause the targeted site to crash, depending on the resources and bandwidth present.
Downtime for your ecommerce store can leave your system open to further attacks, loss of profits, and lasting damage to your brand’s reputation. Hackers behind DDoS attacks generally demand a ransom in exchange for ceasing the attack.
Combat DDoS attacks by monitoring incoming requests and traffic on your servers, and ensure you survey both virtual and physical cloud environments. Blocking traffic anomalies will help prevent a flood of requests. We also recommend implementing a DDoS recovery plan that includes monitoring, testing, and mitigation.
Risk: Brute Force
Bad actors use brute force to attack your system by “guessing” your admin password. Automated systems “crack” your password by attempting thousands of different combinations until they try the correct one.
That’s why practicing password hygiene is vital — luckily, it’s an extraordinarily simple measure to put into practice.
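To make the request monitoring recommended in the DoS section and the defense against password guessing above concrete, here is a sliding-window detector run over a constructed request and login log. This is example code added for this page, not Vaimo’s; the log format, the thresholds and the documentation IP addresses are all assumptions.

```python
from collections import defaultdict, deque

# Example code added here, not Vaimo's own. The event log below is constructed:
# (timestamp in seconds, client IP, event), roughly what a web server log and an
# auth log would yield once joined; the IPs are documentation addresses.
NORMAL = [(t * 5, "198.51.100.10", "search") for t in range(10)]
NORMAL += [(12, "198.51.100.10", "login_fail"), (20, "198.51.100.10", "login_ok")]
GUESSER = [(t * 3, "203.0.113.7", "login_fail") for t in range(8)]   # 8 wrong passwords in 21 s
FLOOD = [(t // 5, "203.0.113.99", "search") for t in range(120)]     # 5 searches/s for 24 s
EVENTS = NORMAL + GUESSER + FLOOD

class WindowCounter:
    """Counts events per key inside a sliding window of `window` seconds."""

    def __init__(self, window, limit):
        self.window, self.limit = window, limit
        self.hits = defaultdict(deque)

    def record(self, key, ts):
        """Adds one event and reports whether the key now exceeds the limit."""
        q = self.hits[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                      # drop events that fell out of the window
        return len(q) > self.limit

def detect(events, window=60, failed_login_limit=5, request_limit=50):
    """Returns {ip: (reason, first_timestamp)} for every client that should be
    blocked or alerted on: too many failed logins (password guessing) or too
    many requests of any kind (hammering a search endpoint, as in the DoS section)."""
    logins = WindowCounter(window, failed_login_limit)
    requests = WindowCounter(window, request_limit)
    flagged = {}
    for ts, ip, event in sorted(events):
        if requests.record(ip, ts):
            flagged.setdefault(ip, ("request_flood", ts))
        if event == "login_fail" and logins.record(ip, ts):
            flagged.setdefault(ip, ("brute_force", ts))
        elif event == "login_ok":
            logins.hits.pop(ip, None)        # a successful login clears earlier failures
    return flagged
```

In production the same counters would be keyed on the account as well as the client address, since a distributed attack spreads its attempts across many IPs.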
Risk: Man-in-the-Middle Attacks
Hackers intercept and monitor the interactions between your site and your shoppers. Cybercriminals can easily spot a customer using a compromised WiFi network and spring into action.
Prevent unauthorized users within physical range of your business from joining your network by enabling strong encryption on your wireless access points. Robust encryption prevents bad actors from brute-forcing their way into your network and performing a man-in-the-middle attack.
Risk: Scraping
Scraping occurs when cybercriminals steal data that exposes important internal metrics that businesses try to keep private from competitors. Such information can include price lists, inventory, business strategy, market research, and KPIs (key performance indicators). Bad actors often use bots for scraping, but human attackers may carry out scraping manually as well.
Once again, we recommend monitoring the activity and traffic on your online store. If you detect suspicious behavior related to private internal data, quickly block access and patch the known vulnerabilities immediately. Bot management is another effective tool against scraping attacks.
Risk: Credit Card Fraud
Digital criminals use stolen credit card details to make purchases online. This isn’t necessarily an advanced hacker — it may be a case of an individual physically stealing a credit card, or using stolen personal details to apply for a credit card in the victim’s name. Thieves may gain unauthorized access to a legitimate account on your website, wherein they can make purchases with stored payment details.
To lessen the risk of credit card fraud, use an address verification system alongside card payments. Implement tougher password requirements for your customers, and don’t make it easy for thieves by providing password hints. In fact, make it downright difficult by requiring mandatory two-factor authentication for your customers to access their accounts. Establish additional security measures around your payment protocols, such as requiring the shopper’s credit card CVV and ensuring this value is never stored in the customer’s account with you.
Risk: Phishing and Social Engineering
Phishing takes place when the bad guys use social engineering methods to gather data from your customers or gain access to your virtual or physical space. They may call or email your customers posing as employees of your business, for example with an email asking customers to update their password details. Phishing methods are either targeted or general. In the targeted variant, often called spear phishing, the bad actor poses as someone the victim knows. In the general case, the attacker pretends to be a random representative of your company.
Bad actors also utilize social engineering to gain access to your company by targeting your employees virtually or physically. If your employees use a key card to enter the office, the imposter may use their kindness to their advantage by pretending to be a delivery man carrying a heavy box and requiring assistance with the door. Virtually, a bad actor may pose as a member of the board and email an assistant in the finance office, asking to redirect their salary payments to a bogus account.
To prevent phishing attacks, train employees and encourage stakeholders to vet emails they receive with care. Reiterate to your customers the data you would absolutely never ask of them over the phone or via email to help protect them while shopping with you.
Once more in the words of Charles Dickens, “utilize a web application firewall” as an efficient first step in preventing common attacks, such as Cross-Site Scripting or an SQL injection. We may have made up that last quote, but it’s still solid advice. To reiterate, cover your (security) bases by fixing the “easy” ways that criminals can take advantage of your business: practice strong password hygiene and implement two-factor authentication for yourself, your employees, and your customers. Consider implementing malware monitors and data breach scanners.
To continue your “best of times,” prioritize the safety of your digital business by performing a risk assessment. Invest in the future of your business by spending the time and effort needed to install robust security measures and protocols, and train your staff members accordingly. While it may seem like a daunting task, consider that many ecommerce businesses are lagging in their security posture; Ernst and Young found that only 46% of the businesses they surveyed are confident in their ability to understand and anticipate cyber attacks today.
Related Reading: Cybersecurity Education for your Business
It’s never too soon to consider the safety of your business and your customers. Security is integral to the future of your online business, and we hold years of experience and expertise in keeping our clients and their online stores safe. By performing a Security Audit or a Penetration Test with Vaimo, you will gain a deep understanding of the assets you should safeguard, and the best methods for doing so.