The Most Common Cybersecurity Risks of an eCommerce Business

Hackers, as well as their methods and techniques, keep changing, but one thing remains the same: e-commerce businesses are “a bonne bouche” for cyber-attacks.

Even giants such as eBay and Starbucks are vulnerable. For instance, the Starbucks app was hacked twice within a few months. Criminals gained access to the linked credit cards of several Starbucks customers using a vulnerability in the app, and stole hundreds of dollars in a few minutes. Needless to say, small retailers are even more vulnerable, as they can’t invest millions of dollars to shield their systems against cybercrime.

Given this, entrepreneurs must build out their security maturity. The first step is understanding the risks. It will help retailers to develop strategies to mitigate them. 

For this purpose, we’ve gathered a list of the most common cybersecurity threats eCommerce businesses face.

DDoS attacks

Some retailers do not treat the DDoS threat seriously. How wrong they are!

During peak sales periods (Black Friday, for example), the frequency of these attacks rises. For instance, e-businesses experienced a 109% increase in DDoS attacks on Cyber Monday 2018 compared to the rest of the month.

This “old-fashioned” threat can cost some e-commerce businesses millions in lost revenue. Often, though, the damage is reputational: lost customer trust and bad PR for the company.

It has been said that the prime targets of DDoS attacks are big organizations, banks, media holdings, financial and healthcare companies. Among the recent DDoS victims are GitHub, DYN, BBC, and Bank of America. However, small businesses are easy targets too. Even though small DDoS attacks don’t seem ruinous, sometimes they are used to mask more damaging security breaches.

Intruders aim to overwhelm servers and networks with a huge amount of traffic, leaving the servers unable to serve legitimate users’ requests. Hackers rely on LOIC (Low Orbit Ion Cannon) and other denial-of-service tools that flood the victim server with HTTP, UDP, and TCP packets.

What to do?

The easiest way to protect your e-business from DDoS attacks is to build a resilient IT architecture. Lots of eCommerce retailers have already migrated to cloud-based hosting such as AWS, as these services include robust tools for DDoS protection.

Backing up data is also vital. If hackers succeed in damaging your server, at least you will be able to recover everything.

Man-In-The-Middle Attack

In these attacks, intruders place themselves between the user and the server in order to intercept, collect or modify data. The attack is performed in such a way that the hacker talks to the user and to the server separately, while both believe they are talking directly to each other.

The common targets of MITM attacks are e-commerce and SaaS businesses, as well as users of financial apps. One of the most prominent MITM attacks occurred with the AT&T DSL vendor website. Hackers sent emails to DSL customers informing them that their cards couldn’t be charged and that they needed to provide more information to their bank. These emails looked believable because they contained personal information such as the last 4 digits of the customers’ credit cards. After clicking the link, recipients were redirected to a fake site where they were expected to “update” their credit card info, handing the data to the hackers.

What to do?

Sadly, there is no single solution to this threat. Responding to MITM attacks requires a layered approach, with countermeasures on both the server and the client side. Even if an online retailer does everything possible to protect end-users, the end-users often don’t play their part, routinely ignoring pop-up windows that warn of security issues.

Most eCommerce applications implement the SSL and TLS protocols to authenticate the server and protect the communication channel with cryptography. It is widely believed that these measures alone give Web-based e-commerce apps complete protection against MITM, but some advanced MITM attacks can work around SSL and TLS certificate checks. Therefore, some additional measures should be taken:

  • Public Key Infrastructure (PKI): the set of rules, policies, software, and hardware required to establish the identity of devices, services, and people. PKI implementation is often expensive and complex, which is why some entrepreneurs opt for traditional user authentication mechanisms such as PINs and passwords. Keep in mind that these techniques are less resistant to MITM attacks than PKI.
  • HSTS (HTTP Strict Transport Security), which blocks any unsecured HTTP connection to the site and helps prevent cookie theft.
  • TLS-SA (TLS session-aware user authentication), a lightweight alternative to public key certificates.

SQL-injections

The prime target of SQL-injection attacks is the database behind a web application and, more specifically, the way the application builds its queries. Hackers take advantage of flaws in back-end code to insert and execute malicious SQL and gain access to database information.

The main idea of the attack is to gain unauthorized access to the database by supplying input that carries malicious code into the query. The resulting query is treated as a valid one and executed. As a result, a hacker can gain full control over the database of the affected e-commerce website.

SQL-injections are very powerful and may have a devastating effect on online stores. For example, in May 2019 a critical SQL injection vulnerability was discovered in Magento. The vulnerability, PRODSECBUG-2198, put more than 300,000 e-commerce websites at risk of credit card-skimming attacks.

Online store owners have been strongly recommended to migrate from the first Magento version to the second (if they haven’t done so yet), upgrade the second version to Magento Commerce or Open Source 2.3.1, and install the PRODSECBUG-2198 patch.

What to do?

As the example above shows, it is essential to upgrade your CMS whenever a new update is released. With Magento stores, it may be difficult to move from one version to another without pitfalls, so we recommend that e-commerce business owners engage a professional company providing Magento 2 migration services.

Additionally, developers and database administrators can take further steps both to minimize the risk of these attacks and to reduce the impact of successful ones:

  • Use parameterized statements with bound, typed parameters to run database queries; this is the primary defence against SQL injection.
  • Use ORM (Object Relational Mapping) frameworks, which translate SQL result sets into code objects seamlessly.
  • Use the character-escaping functions that each DBMS provides for user-supplied input, so that the database management system never confuses that input with the SQL statements written by a developer.
  • Hide details from error messages to prevent hackers from learning more about your database architecture.
  • Keep all your software, including extensions, plug-ins, add-ons, and libraries, up to date with the latest security patches.
  • Use additional website-scanning tools to identify whether your store has been attacked (for example, Qualys or WP Security Scan).
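An added example (not code from the original article) showing the first and fourth points above in Python with the standard-library sqlite3 module: a customer lookup built by string concatenation beside the same lookup with a bound parameter, plus a wrapper that keeps database error details in the server log instead of the HTTP response. The table, the customer rows and the crafted input are constructed for the demonstration.

```python
import logging
import sqlite3


def make_db():
    # Constructed in-memory customer table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO customers (email, password_hash) VALUES (?, ?)",
                     [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")])
    return conn


def lookup_vulnerable(conn, email):
    # String concatenation: whatever the user typed becomes part of the SQL text.
    sql = "SELECT email FROM customers WHERE email = '" + email + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, email):
    # Bound parameter: the driver passes the value separately; it is never parsed as SQL.
    sql = "SELECT email FROM customers WHERE email = ?"
    return sorted(row[0] for row in conn.execute(sql, (email,)))


def run_safely(query_fn, conn, email):
    # Keep database error detail in server-side logs; the client gets a generic message.
    try:
        return query_fn(conn, email), None
    except sqlite3.Error as exc:
        logging.getLogger("shop").error("database error: %r", exc)
        return [], "The request could not be processed."


def demo():
    conn = make_db()
    normal = "alice@example.com"
    crafted = "x' OR '1'='1"  # makes the concatenated WHERE clause always true
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_crafted": lookup_vulnerable(conn, crafted),           # leaks every customer
        "param_normal": lookup_parameterized(conn, normal),
        "param_crafted": lookup_parameterized(conn, crafted),       # no such email: nothing
        "error_hidden": run_safely(lookup_vulnerable, conn, "'"),  # broken SQL, generic error
    }
```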

Malicious Bots

Bad bots are a form of malicious software that primarily targets e-commerce websites with large-scale credential attacks. According to the latest survey, AuthBots comprise 17.7% of all e-commerce website traffic, compared with 13.1% generated by good bots and 69.2% generated by humans.

A bot is a small script designed to perform specific tasks and report back to a botmaster. Bots are sent not only by criminals looking to take over customers’ accounts. There are other sources of malicious bots:

  1. Competitors may scrape product information and prices to gain a shopping-comparison advantage.
  2. Investment companies may gather data on the discounts offered, delivery terms, and product pricing.
  3. Resellers may buy limited-edition items ahead of real customers in order to sell them at a higher price.

The ongoing impact malicious bots have on the e-commerce ecosystem shouldn’t be underestimated. 

What to do?

The latest generation of bad bots (4th gen) can connect through millions of IPs based in various countries. Detecting and mitigating bots therefore requires a layered approach:

  • Use CAPTCHAs to block bots before they perform their activity on your website.
  • Use a “dummy” form field to trap bots, hiding the field with CSS so that humans never see it.
  • Analyze log files to identify and stop bot activity on your site.
  • Use an automated anti-bot solution that employs a powerful algorithm to differentiate a bot from a human.
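An added example (not from the original article) of the “dummy field” and log-file points above in Python: a honeypot check for a CSS-hidden form field, and a detector that reads access-log lines and flags any IP with a burst of failed logins inside a sliding window. The log lines, IP addresses, field name and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (abbreviated Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2023:12:00:01 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.4 - - [10/Nov/2023:12:00:02 +0000] "GET /product/42 HTTP/1.1" 200 8123
203.0.113.7 - - [10/Nov/2023:12:00:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Nov/2023:12:00:05 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Nov/2023:12:00:08 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Nov/2023:12:00:09 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Nov/2023:12:00:11 +0000] "POST /login HTTP/1.1" 200 1024
198.51.100.4 - - [10/Nov/2023:12:00:40 +0000] "POST /login HTTP/1.1" 200 1024
203.0.113.7 - - [10/Nov/2023:12:30:00 +0000] "POST /login HTTP/1.1" 401 512
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed line: skip rather than crash the analysis
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def flag_login_bursts(log_text, max_failures=4, window=timedelta(seconds=60)):
    """Return {ip: peak_failures} for IPs whose failed POST /login count exceeds
    max_failures within any sliding window of the given length."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/login" and rec["status"] == 401:
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop attempts that fell out of the window
                start += 1
            count = end - start + 1
            if count > max_failures:
                flagged[ip] = max(count, flagged.get(ip, 0))
    return flagged


def honeypot_tripped(form):
    """Bots tend to fill every field; a human never sees the CSS-hidden 'website' field."""
    return bool(form.get("website", "").strip())
```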

Cross-Site Scripting (XSS)

Cross-site scripting can affect any organization whose website uses forms or any other administrative back-end. Even the e-commerce giant eBay fell victim to an XSS attack: hackers injected JavaScript code into several listings for inexpensive iPhones, which redirected customers to a fake page designed to harvest their credentials.

This attack targets user authentication data such as names, passwords, and tokens. Once an intruder gets hold of those, they can log in as the user and use the account to its full extent.

For instance, a hacker could use the credit card linked to the user’s account to place fraudulent orders, or change the shipping address of an existing order. Once the hacker is logged in, it becomes impossible to tell the real user from the intruder.

Compared to SQL-injections, which harm the server, XSS affects the site on the user’s side. The threat is so serious that Google is ready to pay $10,000 to developers who find an XSS vulnerability.

What to do?

The vast majority of XSS vulnerabilities can be detected with a web vulnerability scanner.

Another actionable way to prevent XSS attacks is “input sanitizing”: cleaning up all data entered by a user in order to strip out any JavaScript or HTML the user may have submitted. Some e-commerce platforms offer this feature by default.

A further barrier to XSS attacks is creating session IDs tied to information specific to the user. That way, a session expires as soon as two separate IPs attempt to use the same session data. Even though this barrier can be overcome if a hacker uses IP spoofing, it provides an additional layer of security.
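An added example (not the article’s code) of the session barrier described above, in Python. Rather than encoding the user’s data into the session ID, it keeps the ID random and records the issuing IP server-side; a request that presents the ID from a different IP drops the session, so the original holder must log in again. The store, TTL and addresses are constructed for the example.

```python
import secrets
import time


class SessionStore:
    """In-memory session store (constructed for this example). Each session is
    bound to the client IP that created it; use from another IP expires it."""

    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._sessions = {}  # sid -> {"user": ..., "ip": ..., "expires": ...}

    def create(self, user, client_ip):
        sid = secrets.token_urlsafe(32)  # unguessable; carries no user information
        self._sessions[sid] = {"user": user, "ip": client_ip,
                               "expires": time.time() + self.ttl}
        return sid

    def resolve(self, sid, client_ip):
        """Return the user for sid, or None if the session is unknown, expired,
        or presented from an IP other than the one it was issued to. In the
        latter two cases the session is deleted so nobody can keep using it."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if time.time() > sess["expires"] or sess["ip"] != client_ip:
            del self._sessions[sid]
            return None
        return sess["user"]


def demo():
    store = SessionStore()
    sid = store.create("alice", "198.51.100.4")
    return (store.resolve(sid, "198.51.100.4"),  # "alice": same IP, still valid
            store.resolve(sid, "203.0.113.7"),   # None: second IP, session dropped
            store.resolve(sid, "198.51.100.4"))  # None: original holder must log in again
```

Legitimate users behind carrier-grade NAT or switching from Wi-Fi to mobile data will also be logged out by this check, so treat it as one signal alongside the others rather than the sole control.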

Summarizing

With tech advancements, e-commerce security threats will continue to grow. In order to protect their stores against cyber-attacks, business owners have to invest in this field as much as they invest in sales, marketing, design or customer support. 

Have you ever experienced a hacker attack on your business? How do you protect your online store? Tell us about it in the comments below.