The cybersecurity of online shops must be ensured, as we all learned two years ago from the example of Morele.net. A short recap: the data of almost 2.5 million customers was leaked and the store received a demand to pay a ransom of about PLN 200,000 (Morele decided not to give in). In the end, the Personal Data Protection Office imposed a penalty of almost PLN 3 million on the store.
Since then, it is probably pretty obvious to everyone that security issues in e-commerce should not be taken lightly. So let’s see what threatens stores and how to protect ourselves from these risks.
What threats do stores face?
Hackers are keeping busy. Year after year (or even month after month), new attack methods and tools are being developed. Why are we discussing this? First of all, we’d like to emphasize that the following list, although it touches upon the most common types of attacks at the moment, definitely does not exhaust the subject matter. It is a good idea to monitor security issues on an ongoing basis and regularly test your store for newly detected vulnerabilities.
DDoS attacks
This is one of the easiest attacks to conduct. DDoS stands for Distributed Denial of Service. Such an attack is carried out simultaneously from multiple devices. The goal of the hacker is to flood the site with so much traffic that the service is disabled or slows down dramatically.
In the case of DDoS, the hacker does not steal anything, but can still cause considerable losses. Don’t believe it? Imagine that your website stops working on Black Friday.
How can you prevent DDoS attacks? First of all, monitor website traffic using appropriate tools, such as Cloudflare. Knowing roughly how many customers visit your store every day will make significant deviations stand out. Often customers themselves notify the store about a DDoS attack when they notice that the site is working extremely slowly or is completely unavailable.
The attack can be fended off by banning sources of unusually high traffic, or connections that never lead to any further action (the “user” loads the site but does not browse, add products to the shopping cart, etc.).
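The two heuristics just described (an unusual request rate from one source, and connections that never go past the landing page) can be run over an ordinary access log. The following is an added example, not code from the original article: it parses constructed log lines in an assumed format, flags sources that exceed a request-rate threshold within a sliding window, and separately flags sources that make many requests without ever touching a product, cart, checkout or search path. The thresholds, the window and the site paths are assumptions to be tuned to the store's real traffic profile.

```python
"""Flag request sources that look like flood traffic in a web-shop access log.

Added illustration (not from the original article). Log format, thresholds
and the "engagement" paths are assumptions for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: <ip> [<ISO timestamp>] "<method> <path> HTTP/1.1" <status>
LINE_RE = re.compile(r'^(\S+) \[(\S+)\] "(\S+) (\S+) [^"]*" (\d{3})$')

# Paths that show a real shopper moving through the store (assumed site layout).
ENGAGEMENT_PREFIXES = ("/product/", "/cart", "/checkout", "/search")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": datetime.fromisoformat(ts),
            "method": method, "path": path, "status": int(status)}


def analyze(lines, window=timedelta(seconds=60), rate_threshold=50,
            min_requests_for_engagement=10):
    """Return {ip: set_of_reasons} for sources that look suspicious.

    "rate": more than `rate_threshold` requests from one IP inside any `window`
            (sliding window over the sorted timestamps).
    "no-engagement": at least `min_requests_for_engagement` requests, none of
            which reach a product, cart, checkout or search page.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    flagged = defaultdict(set)
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        times = [r["ts"] for r in recs]
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > rate_threshold:
                flagged[ip].add("rate")
                break
        if len(recs) >= min_requests_for_engagement and not any(
                r["path"].startswith(ENGAGEMENT_PREFIXES) for r in recs):
            flagged[ip].add("no-engagement")
    return dict(flagged)


def build_sample_log():
    """Constructed sample traffic: one shopper, one flood source, one slow prober."""
    base = datetime(2020, 11, 27, 10, 0, 0)
    lines = [
        f'203.0.113.5 [{base.isoformat()}] "GET / HTTP/1.1" 200',
        f'203.0.113.5 [{(base + timedelta(seconds=4)).isoformat()}] "GET /product/123 HTTP/1.1" 200',
        f'203.0.113.5 [{(base + timedelta(seconds=9)).isoformat()}] "POST /cart/add HTTP/1.1" 302',
    ]
    # Flood source: 120 hits on the landing page within 30 seconds.
    for i in range(120):
        t = base + timedelta(milliseconds=250 * i)
        lines.append(f'198.51.100.7 [{t.isoformat()}] "GET / HTTP/1.1" 200')
    # Slow prober: 15 hits, one per minute, never going past the landing page.
    for i in range(15):
        t = base + timedelta(minutes=i)
        lines.append(f'192.0.2.9 [{t.isoformat()}] "GET / HTTP/1.1" 200')
    return lines


if __name__ == "__main__":
    for ip, reasons in analyze(build_sample_log()).items():
        print(ip, sorted(reasons))
```

The rate heuristic on its own would miss the slow prober, and the engagement heuristic on its own would not distinguish a burst of real shoppers from a flood, which is why the example reports both reasons separately: a ban decision can then be made on the combination, and a source that trips only one rule can be rate-limited or challenged rather than blocked outright.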
Data thefts and leaks
If you ask the average Internet user how data theft works, what will likely come to mind are the images embedded in our pop culture: a desk filled with computer screens, complicated algorithms, thousands of lines of code…
But reality can be much simpler… and sadder. Many companies are literally asking to have their data stolen by leaving them in plain sight. A good example is the data leak of thousands of McDonald’s employees. In an official statement, the chain stated that “The situation was caused by an incorrect, accidentally placed copy of the work schedule database in the public folder”. As you can see, mishaps occur even with the biggest players.
From an e-commerce point of view, the worst thing would be for a cybercriminal to get access to invoices, customers’ personal data, orders, logins and passwords. In the last case, the problem is exacerbated when the owner of the password also uses it outside the store, e.g. to log into their social media accounts. Then the hacker can use it to get into their profile and scam money from their friends by impersonating the victim.
Another vulnerability that can lead to a data leak is inappropriate password storage. Make sure that passwords are properly hashed using modern algorithms such as bcrypt or Argon2. Unfortunately, old hashing algorithms that are no longer recommended, like MD5, are still popular. The increase in computing power of modern computers has made mass recovery of passwords stored in this way accessible to almost every Internet user.
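To make the difference concrete, here is an added example (not code from the original article) that puts the legacy scheme beside a proper one. Python's standard library does not ship bcrypt or Argon2, so scrypt from `hashlib`, which is likewise a slow, salted, memory-hard password hash, stands in for the algorithms the text recommends; the `scrypt$<salt>$<hash>` record format and the cost parameters are assumptions for this example. It also shows how to recognise records still stored as MD5 so they can be rehashed at the user's next successful login.

```python
"""Unsalted MD5 versus a salted, memory-hard password hash.

Added illustration, not code from the original article. scrypt stands in for
bcrypt/Argon2 (which need third-party packages); the record format and cost
parameters below are assumptions.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Cost parameters (assumed for the example; raise them as hardware allows).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024


def md5_store(password: str) -> str:
    """The weak legacy scheme: no salt, fast hash. Two users with the same
    password get the same record, and one precomputed table cracks them all."""
    return hashlib.md5(password.encode()).hexdigest()


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=32)


def scrypt_store(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a record "scrypt$<b64 salt>$<b64 hash>" with a fresh random salt,
    so identical passwords yield different records."""
    salt = salt or os.urandom(16)
    digest = _scrypt(password, salt)
    return "scrypt$%s$%s" % (base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())


def scrypt_verify(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time,
    so the comparison does not leak how many bytes matched."""
    try:
        scheme, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    return hmac.compare_digest(expected, _scrypt(candidate, salt))


def is_legacy_md5(stored: str) -> bool:
    """Detect records still in the old unsalted-MD5 format (32 hex chars) so the
    login flow can rehash them with scrypt_store() on the next successful login."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)


if __name__ == "__main__":
    rec = scrypt_store("Winter2020!")
    print(rec)
    print("verify correct:", scrypt_verify(rec, "Winter2020!"))
    print("verify wrong:  ", scrypt_verify(rec, "winter2020!"))
    print("legacy record: ", is_legacy_md5(md5_store("Winter2020!")))
```

The migration hook matters in practice: the store cannot recompute a strong hash from an MD5 value it already holds, since it never has the plaintext, so the upgrade happens record by record as users log in, and accounts that never return are the candidates for a forced reset.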
Phishing
Phishing attacks are a threat typically directed at customers. The attacker creates, for example, a fake customer login panel and, with the help of social engineering (manipulation techniques), prompts the user to enter their data. How? For example, by informing them that there were problems with their order and asking them to verify it. Sound cliché? Maybe, but it’s surprisingly effective!
How can you defend your customers from phishing? Well, in this case you can’t lead a consumer by the hand, but you can (and should) make them aware. There’s no such thing as too much education – many banks regularly remind their users to watch out for suspicious calls and text messages.
Some companies, like Google, also decide to buy domain names similar to theirs to prevent criminals from imitating them. So, entering goooooogle.com in the address bar will take you to the right search engine. A relatively simple solution (although hated by UX designers) is also a strong password policy, which forces the customer to use appropriately long passwords that contain different characters. You can also offer your customers two-factor verification, i.e. confirming the login with a second device, e.g. using a text message code.
Another solution is to limit the number of unsuccessful login attempts for a single user and to refuse passwords that have already appeared in known data breaches. How can you check that? It’s easy! Just have a look at services such as https://haveibeenpwned.com/.
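The two controls in this paragraph can be implemented in a few dozen lines. The following is an added example, not code from the original article or from Have I Been Pwned: a per-account failed-login throttle with a sliding window, and a breached-password check that follows the Pwned Passwords k-anonymity scheme, in which only the first five hex characters of the password's SHA-1 are sent to the service and the returned suffix list is compared locally. The network call is replaced by a constructed stand-in so the example runs offline; the lockout limits and the breach count in the stand-in are assumptions.

```python
"""Login hardening: failed-attempt throttling and a leaked-password check.

Added illustration, not code from the original article. The range lookup is
simulated with constructed data; in production the suffix list would come
from https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>.
Limits are assumptions.
"""
import hashlib
import time
from collections import defaultdict, deque

MAX_FAILURES = 5          # assumed policy: lock after 5 failures ...
LOCKOUT_WINDOW = 15 * 60  # ... within 15 minutes (seconds)


class LoginThrottle:
    """Count failed logins per account in a sliding window; lock the account
    once MAX_FAILURES are inside the window. Keying on the account rather than
    the client IP also catches guessing spread across many sources."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable for testing
        self._failures = defaultdict(deque)

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0] > LOCKOUT_WINDOW:
            q.popleft()

    def is_locked(self, account) -> bool:
        now = self._clock()
        self._prune(account, now)
        return len(self._failures[account]) >= MAX_FAILURES

    def record_failure(self, account) -> None:
        self._failures[account].append(self._clock())

    def record_success(self, account) -> None:
        self._failures.pop(account, None)


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent and
    the 35-char suffix that stays on our side."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def password_is_pwned(password: str, fetch_range) -> int:
    """Return how many times the password appears in the breach corpus (0 if
    absent). `fetch_range(prefix)` returns the lookup body: lines of
    "<35-hex suffix>:<count>". The full hash never leaves this function."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count)
    return 0


def fake_fetch_range(prefix: str) -> str:
    """Constructed stand-in for the HTTP lookup: it knows only the bucket that
    holds the SHA-1 of "password" (the count 1000 is made up)."""
    buckets = {
        "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000\n"
                 "00000000000000000000000000000000000:2\n",
    }
    return buckets.get(prefix, "")


if __name__ == "__main__":
    throttle = LoginThrottle()
    for _ in range(MAX_FAILURES):
        throttle.record_failure("alice")
    print("alice locked:", throttle.is_locked("alice"))
    print('"password" seen in breaches:', password_is_pwned("password", fake_fetch_range))
```

In a real deployment `fetch_range` would be an HTTPS GET to the range endpoint, and a lookup failure should be treated as "unknown" rather than "safe", with the policy deciding whether to block or merely warn in that case.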
Ransomware
Ransomware is malware that is installed on a computer through a vulnerability the attackers have found. The software encrypts data, and then the hacker demands a ransom in exchange for the key to decrypt it.
Garmin was recently the victim of a ransomware attack. Hackers encrypted almost all of the company’s infrastructure, and as a result, sports smartwatches bought from the Garmin store suddenly stopped working. The situation lasted for several days, until the brand finally decided to pay the ransom.
The question of whether to pay the criminals or not is controversial. Many people assume that you don’t negotiate with terrorists, but things are more complicated when this is a ‘live or die’ situation for a business. In many cases, paying the ransom costs the company less than restoring the data, dealing with potential lawsuits from customers whose data was leaked, being fined by the Data Protection Office and so on. However, before the company decides to comply with the hackers, you can look for weaknesses in the ransomware’s encryption yourself – sometimes it’s possible to recover the data without access to the key.
Let’s not forget that every successful ransomware attack is also a data leak. Even when the company recovers the data, there is still no guarantee that hackers will remove it from their databases or that no one will ever use it. So it’s not a good idea to sweep the matter under the rug if you don’t want it to come back to haunt you – this time without your control and a well-thought-out PR campaign. It is a good idea to play fair: present a statement about the leak and ask customers to change their passwords, or reset them yourself as the admin.
“Data leaks in online stores will usually come to light sooner or later. Apart from legal consequences (after all, the GDPR is there for a reason), there are also reputation issues that are problematic in that they have no expiry date. Even years later, some e-stores have to live with the label of being ‘unsafe’ or ‘unreliable’. At a time when Internet users are relatively well-educated on security, adequate protection of their data is a necessity. It is worth remembering that the famous saying “the only thing worse than being talked about is not being talked about” absolutely does not apply to this type of situation. And not even the greatest response from the company will cover it up.”
– Marek Kich, CEO of X-Coding IT Studio
Penetration tests – what are they and how often should you perform them?
Penetration tests (pentests) are, simply put, cybersecurity tests of a website (store included). Pentesters, also known as ethical hackers, comb through the e-commerce system for vulnerabilities and security gaps – and usually find them. After the tests are completed, the company receives a report with a description of the tests carried out, any detected vulnerabilities and recommendations for fixing them.
How often should you perform penetration tests?
First and foremost, security is not a product that you pay for once and then keep forever. A typical example is a company that invests in antivirus software and considers the matter of cybersecurity closed.
It is much better to see security as an ongoing process, with penetration tests as one element of a larger programme rather than the whole of it.
Penetration tests should be repeated regularly. Hackers are constantly searching for new vulnerabilities and creating new attack strategies. What does that mean in practice? Well, a shop which a few months earlier might have been considered secure may not be today.
It’s a good idea to perform the tests:
- after a software change,
- after adding new features,
- after a layout change,
- after every major change.
You don’t necessarily have to test the whole shop right away, but it’s certainly worth checking out the areas that have changed.
What else can you do?
Awareness is key.
Make your customers aware of the threats, so that they create unique, strong passwords and use password managers. Let them know about social engineering techniques that hackers use.
Do the same with your employees – for starters, you can suggest they read this article. Consider also limiting the permissions of accounts according to the principle of least privilege – grant only the permissions necessary for work and limit the number of people with administrative rights.
Moreover, it is worth safeguarding the shop against careless customers. If you allow customers to upload their own files to the server (for example, a profile photo), limit the size and type of accepted files and have them scanned before they are saved to the server.
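The three checks named above (size limit, accepted types, scanning) are worth applying in that order and before the file is written anywhere. Below is an added example, not code from the original article, that validates an uploaded profile image: it enforces an assumed size cap, accepts only a short allowlist of image extensions, confirms that the file's leading bytes carry the signature of the declared type (so a renamed non-image is rejected regardless of its name), and leaves a hook for the malware scan the text mentions. The size limit, the allowlist and the `scanner` hook are assumptions for this example; the file signatures are the public ones for JPEG, PNG and GIF.

```python
"""Validate a customer-uploaded image before it is stored.

Added illustration, not code from the original article. Limits, the
allowlist and the scanner hook are assumptions.
"""
import secrets

MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # 2 MiB, assumed policy

# Public file-format signatures ("magic numbers") for the types we accept.
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}


class UploadRejected(Exception):
    """Raised with a short reason when an upload fails validation."""


def safe_extension(filename: str) -> str:
    """Lower-cased extension taken from the last dot of the bare file name.
    Any directory part of a client-supplied name is discarded, and a name like
    'avatar.txt.jpg' is judged by its bytes later, not by the inner extension."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in name:
        raise UploadRejected("no extension")
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in SIGNATURES:
        raise UploadRejected(f"extension .{ext} not allowed")
    return ext


def validate_upload(filename: str, data: bytes, scanner=None) -> str:
    """Return the extension to store the file under, or raise UploadRejected.
    `scanner(data) -> bool` is an assumed hook for the antivirus/malware scan:
    True means clean."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    ext = safe_extension(filename)
    if not any(data.startswith(sig) for sig in SIGNATURES[ext]):
        raise UploadRejected("content does not match declared type")
    if scanner is not None and not scanner(data):
        raise UploadRejected("failed malware scan")
    return ext


def storage_name(ext: str) -> str:
    """Never reuse the client's file name on disk; generate a random one."""
    return f"{secrets.token_hex(16)}.{ext}"


def outcome(filename: str, data: bytes, scanner=None) -> str:
    """Convenience wrapper returning 'ok:<ext>' or 'rejected:<reason>'."""
    try:
        return "ok:" + validate_upload(filename, data, scanner)
    except UploadRejected as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64          # constructed PNG-like bytes
    print(outcome("photo.png", png))
    print(outcome("photo.png", b"not really an image"))
    print(outcome("tool.exe", png))
    print(storage_name("png"))
```

Checking the signature only proves the file starts like an image; a full decode with an image library (and re-encoding the result) is the stronger step for anything that will be served back to other customers, and serving uploads from a separate host or with a restrictive content type keeps a file that slips through from being interpreted as anything but an image.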
How to convince your boss to invest in cybersecurity
Sometimes the person in charge of the store is perfectly aware of the gravity of the situation, but the final decision on the budget is up to someone else. How can you convince your boss that it is worth investing in cybersecurity?
We find nothing has as much persuasive power as figures! The data usually speak for themselves. It is enough to look at how often companies fall victim to hackers – unfortunately, these figures are increasing year on year:
- Since May 2, the FBI has recorded a 300% increase in reports of cyber incidents (Source: IMC Grupo);
- 46% of global companies have encountered at least one cyber threat (Source: Dark Reading).
We might also draw an analogy to brick-and-mortar shops. No one questions the need to invest in locks, anti-burglary grating or a security guard in a physical store. So it is all the more surprising how often the cybersecurity of an online store comes in last on the priority list.
Purely financial arguments are often just as convincing. An example is the Morele.net store mentioned at the beginning of this article: the data leakage cost the company almost PLN 3 million, not even taking into account the costs of handling the failure or its PR activities. It makes more financial sense for large companies to take care of cybersecurity on an ongoing basis by spending a smaller amount of money every month than to cover all the costs of responding to an unfortunate situation.
Remember that the costs a company incurs when it falls victim to a hacker do not only involve payment of a ransom or a financial penalty imposed by the Personal Data Protection Office. When a cybercriminal blocks access to a website (e.g. during a DDoS attack), the business stops. An online store does not earn money when customers, unable to make a purchase, turn to the competition. Add to that the loss of trust when it comes out that the company has fallen victim to a hacker, and we already have a recipe for falling revenues.
What’s more, if the customer has at least minimal technical knowledge (which most Internet users have), they will notice at first glance that the shop does not look safe. No SSL/TLS certificate, suspicious advertising and other warning signals are not difficult to spot. It works both ways: a safe shop gains the trust of customers, while one whose vulnerabilities are clearly visible loses it.
The cybersecurity of an online store is worth prioritizing – that should be clear by now. I hope that after reading this article, you also know what threats your e-commerce might be subject to and how to avert them. We can only wish you good luck and encourage you to continue exploring the subject of cybersecurity.