Stay up to date
Stay up to date with the latest threat reports, articles & mistakes to avoid.
Simple, yet important content.
No salesy pitches and all that, promise!
Before the eCommerce growth, traditional stores were targeted with Point of Sale and general cyber security risks. This equation is different and more complex today. It is difficult to talk about the best security practices without discussing cyber security risks challenging eCommerce sector growth. It is also a recommended read if the reader is considering sourcing eCommerce solutions to improve their eCommerce business security. Customer data from eCommerce websites is not only critical for the sales and analytics team, it is also highly valuable for threat actors. You may find online retail and eCommerce words used interchangeably throughout this article.
eCommerce and drop shipping being profitable businesses not only provide opportunities for the big brands, but also benefits smaller retailers. Traditionally, eCommerce business could be B2C (Business-to-consumer), B2B (Business-to-business), C2B (consumer-to-business) and C2C (consumer-to-consumer). Business-to-government (B2G) is combined under B2B eCommerce business type. Cyber security risks post threat to all business types due to commonality of these elements: online transaction, websites and payment details.
The most valuable currency for an eCommerce business is Trust.
A good eCommerce website security ensures the following functions of CIA triad:
- Confidentiality of consumer data against unauthorised access
- Integrity relates to accuracy and completeness of data
- Availability is about the timeliness and reliability of access to use the data
A compromised eCommerce website can have far-reaching consequences for both the business and its customers. Understanding the eCommerce website security requirements of a business is important to analyse the security risks it is exposed to. Even the most secure (as per self-claims) eCommerce platforms don’t add any magic to your environment, ultimately, it is your efforts (working with multiple parties) that include a collective measure of layered approaches to keep your data secure. When it comes to eCommerce website security, almost all the underlying components of business tech stack are at play. Any of these digital points that offer relaxed approach could be targeted online and could be a stepping stone towards your production environment.
Why is cybersecurity critical for retail businesses?
During the pandemic, UK online sales showed record growth during May 2020 largely due to the closure of high street retail outlets, allowing online stores to grow by 129.5% compared to May 2019.
Multiple warning signs can highlight the presence of fraud in your eCommerce business transactions. Potential fraud indicators are the use of multiple payment methods from a single IP address, foreign billing or shipping addresses or large volume orders for a single item from new customers. Your development team may unintentionally introduce vulnerabilities while forgetting to differentiate between urgent and important fixes using secure coding practices. By ’re-inventing the wheel’ around critical aspects of an application such as session token generator algorithms or implementing new logic in registration processes could lead to vulnerabilities if not validated by an independent party. Rather than prevent the security attacks, a business may be exposed to worse security issues due to such risky practices. Therefore, it is important to standardise the security approach by following trusted sources.
The lifecycle of any eCommerce sale depends upon the internet, consumer payment and the retailer’s website. All three vectors are attack entry points for cyber-criminals launching eCommerce cyber security attacks. Consumers are targeted with phishing emails to steal payment information due to their internet presence (social media, emails, phone numbers). There is a sharp rise in this attack vector during peak shopping seasons. Cyber criminals find eCommerce websites as highly attractive targets because online retailers are seen as ‘watering holes’ for unsuspecting victims. Overall, Card skimming attacks, Point of Sale malware and Phishing are the top three eCommerce security threats.
The following image from idtheftcenter.org shows the breach count for 2020 (blue) against 2019 (yellow) in the retail sector.
The biggest eCommerce security risks
The following cybersecurity risks are amongst the top security vulnerabilities affecting retail and eCommerce businesses. eCommerce website security risks vary in attack vector based on the exposure of assets within the businesses and not necessarily target a website. eCommerce security challenges could relate to the employees of the business, third party security risks (payment, hosting, network and/or equipment) or customers. A few retail cyber security risks that are important but not necessarily amongst the top include Insider threats, Payment gateway cybersecurity, hosting provider compromises.
Web and mobile application vulnerabilities
eCommerce website security issues rank at the top of a CxO’s mind. Web and mobile applications are an attractive target for cybercriminals and pose one of the biggest eCommerce security threats. Attackers find it economically viable to target a large number of websites using bots and automated scripts, in order to siphon off payment details. Due to the increased use of mobile applications, consumers are at greater risk to vulnerable applications being targeted by criminals. Popular issues in eCommerce websites include SQL injections, iFrame attacks, Cross-Site Scripting vulnerabilities and brute force attacks. Hijacking interrupts a lot of eCommerce businesses by redirecting customers to a fake shopping cart and giving away payment information. These are the types of risks often picked up during technical security assessments as part of our eCommerce security services.
In this app-driven world, we are consuming more information via APIs ensuring fast processing times. API security risks are on the rise due to insecure deployment methods and is important for development teams to under the security risks and mitigation measures to ensure secure practices are used. Therefore, web and mobile application security in online retail is the most critical component to offer a safe and secure experience for their customers.
Moreover, we have come across a number of small businesses in eCommerce who have been compromised and are unaware, only coming to know why search engines like google have blocked their users access to infected websites. Platforms are playing a big reason behind eCommerce security landscape because traditional CMS was built without security baked into their core. Security as an after-thought is more like fixing things to avoid breaking them further, therefore, at the risk of introducing more risks. It goes without saying that business as usual (BAU) security assessment such as web application penetration testing, source code reviews and infrastructure security should be high on agenda.
Card skimming attacks are amongst the most popular criminal activities affecting eCommerce as an industry. A surprising number of businesses fall victim to these campaigns, simply due to the lack of proactive approaches towards retail cybersecurity. A specific example related to a popular eCommerce platforms is MageCart attacks. Magecart attacks are linked to online credit card skimming attacks, where attackers used a shotgun approach to mass compromise by modifying the mage.php code in Magento websites cart section. A few variations then evolved into more compromises around Magento, OpenCart or OSCommerce platforms. So much so that this cybercriminal group made it into the ‘most dangerous people’ list in Wired magazine’s 2018 edition. Just like other open-source software, the ability to edit your source code and make versions suitable to your platform could introduce security vulnerabilities. This customization comes at a price, where the right balance between in-house control of the code and cybersecurity is a delicate business.
Point of Sale Attacks
Point of Sale malware made it to the mainstream media when American retail giant Target was breached due to a basic network segmentation error. Cybercriminals uploading malware on Point of Sale (PoS) systems allowed data-stealing from cash registers using keyloggers, RAM scrapers, affecting millions of consumers. Due to a PoS compromise delivering instant results for threat actors, it is a lucrative attack vector, facilitating the sale of credit card data on the dark web.
What was previously a tick in the box activity, now requires a proactive approach towards data security. Compliance and regulations (SOX, HIPPA, PCI DSS) have introduced stringent requirements in-line with the increased malicious activity.
Insecure patch management is an eCommerce security vulnerability due to the availability of exploits in the wild. It is important to keep software updated to the latest stable version. This ensures that bugs, performance issues and security fixes are deployed in a timely manner, therefore, minimising the attack surface for an eCommerce website. With the example of Magento Version 1: support for Magento Commerce and Magento Open Source reached it’s end of life on 30th June,2020. When a software reaches end of life, it means:
- No active support will be available for the software.
- No security vulnerabilities will be addressed by the vendor.
All of the factors above contribute to lack of updates on third-party integrations, compatibility issues, bugs and effectively degraded performance for the eCommerce website. Publicly known exploits could add to the eCommerce security threats.
Vulnerable Third-party Modules
Vulnerable third-party extensions introduce bugs that could lead to compromise of core modules such as WordPress, Magento, OpenCart, etc. The most important issue to understand with third-party extensions is to keep up with the latest version releases. Some of the modules do not even have secure coding practices in use during development, they do not have formal security support in place. This introduces backward incompatibility issues and bugs where shortcut fixes have been put in place.
Discuss your concerns today
Ransomware is a targeted approach to take control of the victim’s website, systems or networks and locking the files until a ransom is paid to the attacker. Ransomware remains one of the biggest cyber security risks today. However, you are never sure if paying a ransom would help decrypt the affected files: “Should you pay the ransom?” It is possible that you could be targeted again, or data may not be decrypted and you lose either access or sensitive data. Malware and/or ransomware protection is one of the most important aspects of your retail cybersecurity strategy. Simply put, it’s an expensive problem to have.
Lack of security patches may lead to a breach of compliance to regulations such as PCI DSS, clearly making this risk finding part of non-compliance of PCI DSS requirement: “Requirement 6: Develop and Maintain Secure Systems and Applications”.
For example, PCI DSS standard explicitly states how PCI DSS penetration testing and vulnerability analysis are required to maintain compliance. Similarly, it states how segmentation affects in-scope systems or networks for PCI DSS compliance purposes.
“Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity’s network is not a PCI DSS requirement. However, it is strongly recommended as a method that may reduce:
- The scope of the PCI DSS assessment
- The cost of the PCI DSS assessment
- The cost and difficulty of implementing and maintaining PCI DSS controls
- The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations)
Without adequate network segmentation (sometimes called a “flat network”) the entire network is in scope of the PCI DSS assessment.”
GDPR regulation states that any business that processes EU citizen data and experiences the breach must notify authorities within 72 hours, or risk facing heavy penalties. GDPR sets forth fines of up to 2% of global turnover or up to 10 million euros whichever is higher. A number of high-profile businesses have been fined under this breach. Examples include high profile businesses such as Marriott International (€20 million), Google (€50 m), British Airways (€21 m) and H&M (€35m). Data privacy is at the forefront of security challenges in eCommerce sector irrespective of business size.
ISO/IEC 27001:2013 penetration testing covers technical controls involved in an organisations’ risk management and helps reduce information security and data protection risks to an organisation. This supports the ISMS (Information Security Management System) maintenance and support for ISO 27001 certification.
Insufficient Logging and Monitoring
Insufficient logging and monitoring is in the top ten risks affecting web applications, as per OWASP top ten risks. Majority of the attacks start with initial probing by attackers, these are often the work of automated scripts or scanning software. Lack of logging and monitoring would encourage the threat actors to raise their attacking attempts to more intrusive levels without the fear of being blocked or caught. Lack of event logging to necessary levels causes complexities during incident response processes in the event of an attack.
Retail cybersecurity strategy without sufficient logging and monitoring controls will not only provide longer times for intruders in the network, but also creating complexities for post-incident response investigations. Without auditing of events, it is almost impossible to figure out what information is at play, who is misusing it and the likelihood of attacks and appropriate mitigations.
DoS and DDoS Attacks
Denial of Service is a cyber-attack allowing threat actors to render the website unusable for legit users. In the case of a distributed denial of service (DDoS) attack, it can be thought of as a gang of bots (a botnet) attacking the target with constant traffic, far more traffic than the target can handle. Due to lack of relevant controls, such attacks would render a retail cybersecurity flawed because of gaps in business resilience strategy and causing operational disruptions.
Best practices for eCommerce security
Just like the shared responsibility model in the cloud and other areas, security compliance, secure configuration and management is customer’s responsibility. Although this cyber security checklist for retail businesses is shared as groundwork , these practices are also a concrete step towards achieving compliance and regulatory requirements such as PCI compliance audit, GDPR, ISO 27001. In the case of cloud computing environments, methodologies differ based on the assets and the deployment (on-prem, hybrid or fully private cloud), the cybersecurity fundamentals remain the same to secure an eCommerce business. In any case, working around this checklist would ensure a solid ground for protection against cyber attacks.
Bare basics – reducing the impact
- Stay away from cybersecurity solutions offering all in one solution approach. Whenever, wherever, whoever talks about providing 100% security to your business, you must tell your brain it’s best to avoid the argument and be ready for next task in your schedule. They are not just too good to be true, you are also the soft target as an easy sell. Sorry, that’s the truth! We have multiple stories where CTOs and CIOs got sold to IT managed services providers (MSP) to take care of cybersecurity in their organisation, only to find it post-compromise that this was never agreed in pen and paper and nor delivered in substance.
- Sign up for security alerts from the vendor – they are the most authentic source to gain updates on the latest changes, alerts and software updates.
- Use separate credentials to regular staff logins for privilege tasks.
- Ensure secure backups are routinely carried out. Randomly audit and test backup restore to ensure it works when you will need it.
- Do not spend on high fee consultancies where basic hardening can be done without large investments of time and money. These include use of security plugins from trusted parties offered on WordPress and other CMS plugin stores. Change default usernames for administrator to something difficult to guess, and utilise strong non-dictionary, hard to guess passwords generated randomly.
- Enforce the use of SSL/TLS encryption measures. These are easy to install and configure. For example, in the case of WooCommerce it is WooCommerce – Settings and Enable ‘Force Secure Checkout’. In the case of Magento Commerce Cloud, you may need to wait for a few hours based on hosting providers support ticket system and processes.
- Undertake regular security assessments such as in-depth application penetration testing to identify vulnerabilities affecting web applications, API, mobile applications.
- Keep multiple backups at secure sites.
- If short on security resources, arrange for continuous security scanning exercising utilising managed security services that provide you regular updates on whether attack surface is shrinking or expanding with time. Any new threats are dealt with time to avoid large exposure windows for attackers.
Ensure that the hosting providers actually value cybersecurity and not just ‘sell’ it via their marketing campaigns. For example, security measures built into BigCommerce, WooCommerce, Magento or WordPress are not sufficient, and you would require a reliable and reputed hosting provider to add safety and security to your eCommerce business. This can be easily identified from the practices they follow, a quick sure-fire way of finding whether they are proactive in their cybersecurity approach or not would be:
- Ask for retail cybersecurity assurance exercises, and how often they do it for their platform.
- Ask for a technical report that highlights evidence of their annual or frequent security assessments.
- Check if their developers follow secure coding practices and what standards they adhere to during the development?
- Ask for examples on how they have previously supported the security of eCommerce websites or security incidents on their customer’s websites
- Do not rest under the feeling that your eCommerce is hosted on Amazon , Azure or another cloud provider and security is taken care of. You have to provision your own eCommerce security services to constantly identify and mitigate risks, ensuring safety for your website users.
- Deploy jump boxes that act as a middle layer between the corporate (where staff are located or connect to) and the production environment (where the website is hosted). Jump boxes are securely hardened systems hosted in DMZ or private cloud for secure access to production systems. This ensures access to users is allocated on a need to know basis without exposing the production environment. Ensure that jump boxes are checked against secure hardening practices to ensure no breakout opportunities are available and to minimise insider threat attacks.
- Mandate the use of password managers for all staff and ensure that they do not mix passwords for corporate and production environments, implement with separate domain security policies.
This is one of the most effective and cheapest (mostly!) controls without a significant investment of resources. Having networks segmented reduces the risk of compromise by increasing the difficulty for an attacker to find information in more than one place in an organisation. For example, segmentation can separate sensitive information stored in a database away from segments containing user accounts, network equipment or other digital assets of an organisation. By implementing access restrictions using network segmentation ensures minimal exposure internally. Network segmentation is one of the core elements while discussing PCI DSS scope and how access is managed between in-scope systems or networks.
Enabling multi-factor authentication at various checkpoints such as server access, and website administrative panels offer an extra layer of protection. Think of this approach as adding difficulty for threat actors, where even with a compromised password they may not be allowed access without a one-time code used as the second factor.
Discuss your concerns today
Third Party Extensions
This is one of the popular threats facing eCommerce websites. Be sure to install extensions from trusted sources only. DO NOT use paid extensions from p2p or torrent websites. Do not install any extensions, or software links through suspicious emails. Ask for advice on trusted extensions from any security experts you may liaise with. We are happy to provide free advice. Similarly, any internal APIs or dashboards integrated with the website must be thoroughly reviewed. With online retailers, warehouse solutions are often integrated with the corporate environment and the website without due-diligence around the solution in use.
Secure Hardening Tips
- Never mix and match any components between the corporate and production environments. One environment can act as a bridge for threat actors to attack the other environment. For example,, a retailer with an office and remote based web development and marketing teams support the company website hosted in the production environment at a data centre. For marketing and web development teams, there is direct access available to the website through FTP, SSH, RDP, CMS to transfer data fast and efficiently whenever required. In the case of an attack on a marketing employee’s laptop via social engineering/phishing methods, a threat actor may have a direct route into website panel access which could be exploited leading to defacement of the website, information theft or any of the worst scenarios imaginable. Implementing a jump box, allocated with secure hardened baselines defined for users, may make the scenario above difficult for threat actors to exploit.
- Ensure that secure communication protocols such as SSH authentication follow certificate-based authentication and any sensitive information (passcodes, keys, PIN, passwords) are stored in password managers. Disable all FTP, clear-text channels in favour of secure equivalents.
- Follow secure hardening practices on the underlying operating systems such as limiting access to cron.php, patch management, secure configurations of a database, PHP, memory caching systems. Refer to our eCommerce cybersecurity service offerings in case you require an independent evaluation.
- Restrict access to admin or non-user areas of the website to trusted IP addresses only. This includes SSH ports, CMS panel, administrative and management interfaces.
- Periodically perform permission reviews on all directories that could pose threats from data leakage perspective. In cloud security terminology, insecure S3 configurations in AWS cloud is linked with bucket data leakages leading to data thefts. In the traditional sense, this could be equivalent of directory listing or insecure permission vulnerabilities.
Web Application Firewall
Utilise a Web Application Firewall (WAF) to filter unnecessary noise such as bots. Protect against brute force attacks, admin pages and related content enumeration, discover and block suspicious patterns. Modern content delivery networks offer caching, DoS protection and WAF under the same banner, hence, providing peace of mind and protection against online attacks.
Encryption is more than a certificate on a website. It is about ensuring data at rest and data in transit is secure. It is considered one of the complex security challenges in eCommerce due to lack of skill-set depth needed to ensure secure encryption configuration.
Data in transit relates to securing transport channels (HTTP). Having a secure SSL/TLS certificate ensures strong gaining user trust and maintaining PCI compliance. Data at rest relates to securing data stored in a database. There are privacy regulations (GDPR, DPA 2018, California Consumer Privacy Act) applicable to the businesses based on the location and processing guidelines, these must be followed to avoid fines. Ensure that no sensitive information is stored unless necessary for business purposes, for instance, use username and passwords instead of storing user’s National Insurance or Social Security numbers. If such PII (Personally Identifiable Information) is not needed, do not collect it. Where required, use strong encryption schemes such as one-way hashing and salts to force uniqueness and increasing passwords complexity. Salting is a way of adding random data to ensure a unique hash output even if two input are the same.
Logging and Monitoring
Review auditing levels for applications, APIs and underlying components and ensure that necessary error types are logged with sufficient detail in case of an event. For instance, input validation failures, access control failures and related events should be logged with user context information. By logging everything, an organisation runs the risk of high-volume logs that pose analysis as well as storage challenge. Therefore, the right balance should be defined and reviewed for audit trail and incident response plans.
Have a data breach response plan HANDY!
Be prepared. It might sound like the worst recommendation in this article; however, it is important that an incident response plan covering data breach response is in place. This can help you limit the damage in the event of a breach by helping you decide on the next course of actions.
Successful eCommerce is a win-win for all parties, i.e., businesses and consumers. Covid-19 has forced businesses to adopt new approaches, especially mobile growth for eCommerce businesses and forcing brick and mortar stores to adopt online business models. Just like the changing patterns of consumers, cybersecurity strategy requires improvements for eCommerce businesses.
Cybersecurity is an ongoing process. The recommendations listed throughout this article are not a silver bullet approach to cybersecurity to make your business impenetrable. A risk focussed prioritised approach may be necessary based on the cyber security maturity of your organisation. Retail Businesses need to focus on cybersecurity as a holistic solution to protect people, process and technology in addition to consumer information. If a corporate environment is compromised, theft of IP or consumer information may still impact the business in the short to medium term. Aligning cybersecurity to act as an enabler for business growth is less costly in the long term.
Your business may benefit from our offerings around web and mobile application and services, specific infrastructure areas or holistic IT security health check to identify gaps in your current state of infrastructure. Get in touch for non-salesy chat for your primary security concerns.