Ecommerce: between the crosshairs of cyber-attackers

It’s not easy being the #1 target of the world’s cybercrooks and purveyors of malicious software. Of all the industries that do business online, e-commerce is the choicest target for cyber-attacks. After all, e-commerce provides a straight line between valuable business information and cold, hard cash.

The unwanted attention of malware mongers and botmasters makes constant vigilance an online business necessity. Here are three types of threats that e-commerce website owners must watch out for.

3 all-too-common threats to e-commerce sites

No, there isn’t a Most Wanted list of cybersecurity threats to e-commerce sites. In each case, IT is part of the problem and the solution. And in each case, vigilance and security awareness are the must-have ingredients that protect online retail operations.

DDoS attacks

There’s nothing like a distributed denial of service (DDoS) attack to grab headlines and make online merchants shiver. The threat to online retail operations lies in its ability to take down an online retail store by overwhelming its servers. Mountains of junk traffic can slow site traffic or make the site go offline temporarily.

It’s the downtime that does the damage. Downtime puts store services out of the customer’s reach. No online activity, no revenue. Loss of revenue—and the loyalty of customers—can put a massive dent into an online store’s profits.

And in advanced DDoS exploits, malicious bots can gather proprietary product, inventory, and pricing data by getting into an online website with stealth or brute force.

Prevention and mitigation methods. DDoS attacks can be a white-knuckle experience for online merchants. Fortunately, there are ways to detect these attacks and reduce the harm that they do.

Attack response planning. Assume nothing. Be ready for anything. A DDoS attack incident response plan will help you be prepared for attacks, which can happen at any time.

DDoS awareness. Make education about the broad range of automated (bot) attacks part of regular training. Make sure that web application architects, developers, testers, and executives know what DDoS means to IT ops and the bottom line.

Building defenses into platform applications. It’s possible to add defenses against automated attacks when you develop or customize online store applications. These methods include limiting the number of authentication attempts and randomizing the content and URLs of authentication form pages.

Deploying a DDoS mitigation product. Specialized software that detects and mitigates DDoS attacks is available commercially. These products can tell the difference between malicious (attack) bots, good bots such as search engine crawlers, and human visitors. Then, they manage or block attack traffic accordingly.

Credit card fraud

Credit card fraud involves the takeover of credit card accounts or the outright theft of card owner identity. SQL injection attacks corrupt stored data and force servers to divulge information such as credit card numbers. A study from the Identity Theft Resource Center reports that the number of credit card numbers exposed in 2017 totaled 14.2 million, up 88% from 2016.
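
How a SQL injection makes a server divulge stored records, and the parameterized query that prevents it, shown as an added example that is not part of the original article. The table, the function names, and the sample rows are constructed for illustration and contain no real card data.

```python
import sqlite3


def make_db():
    """In-memory database holding constructed sample rows (not real card data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (customer TEXT, card_token TEXT)")
    db.executemany(
        "INSERT INTO cards VALUES (?, ?)",
        [("alice", "CONSTRUCTED-TOKEN-A"), ("bob", "CONSTRUCTED-TOKEN-B")],
    )
    return db


def lookup_vulnerable(db, customer):
    # BAD: the input is pasted into the SQL text, so a quote character in the
    # input changes the structure of the query instead of being compared as data.
    sql = "SELECT card_token FROM cards WHERE customer = '" + customer + "'"
    return sorted(row[0] for row in db.execute(sql))


def lookup_parameterized(db, customer):
    # GOOD: the ? placeholder sends the input separately from the SQL text,
    # so it is always compared as a literal customer name.
    sql = "SELECT card_token FROM cards WHERE customer = ?"
    return sorted(row[0] for row in db.execute(sql, (customer,)))


# Constructed test input of the kind used to check a query for this flaw.
CRAFTED_INPUT = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", lookup_vulnerable(db, CRAFTED_INPUT))     # every row
    print("parameterized:", lookup_parameterized(db, CRAFTED_INPUT))  # no rows
```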

There are lots of reasons why cybercrooks are having a field day with credit card fraud. There are more credit cards and more e-commerce site data breaches. Consumer data on the dark web has also become available and dirt-cheap. So cheap, that the cost of entry for these crimes is practically zero. This is a potent “open, sesame!” that enables criminals to submit fraudulent transactions, open fraudulent accounts, and take over legitimate ones.

Luckily, there are plenty of methods to detect and prevent credit card fraud. These include:

Credit card fraud prevention. Online merchants can prevent or mitigate credit card fraud by using methods described here.

Credit card fraud management software. AI and other machine learning techniques now try to match fraudulent behavior patterns of customers and known fraudsters.

Annual security audits. You should do this anyway—it’s the law. But the security awareness habit is as important as the actual task.

Data theft by deception: phishing and man-in-the-middle exploits

Data theft can create a painful loss of intellectual property like product or pricing information, initiative plans, or valuable customer information. Stolen IP is a loss of assets that give a company a competitive advantage. Its theft can stunt an online retailer’s growth. Stolen customer information can damage customer trust, which shrinks revenue and customer loyalty.

Phishing attacks. This is where thieves trick targets into giving them sensitive data by impersonating well-known and trusted websites, banking institutions or individuals. When targets enter user credentials, click links, or reply to phishing emails with financial details, they send information directly to the cybercrooks. In the Verizon Enterprise 2018 Data Breach Investigations Report, more than three-quarters of the companies surveyed experienced a phishing incident in the previous year.

You can stay clear of most phishing risks by:

Slowing down. Look—carefully—before you click.

Staying informed about the latest phishing methods. Ingenious cybercrooks come up with novel phishing ideas all the time.

Checking a site’s security status. If the URL doesn’t indicate “https,” think twice about entering a site.

Using firewalls. A software firewall is on your desktop. The hardware firewall protects your network. Use both for fuller protection from phishing scams.

Following all the usual security advice, such as applying browser patches and updating passwords frequently.

Man-in-the-middle (MitM) attacks. In these exploits, cybercriminals intercept a legitimate communication and impersonate an authorized party. The goal: to get the target to provide sensitive or valuable information without knowing that anything is wrong.

There’s no way to prevent all MitM attacks. But you can drastically reduce the risk and level of damage that they do. Here are some bona fide ways to minimize potential damage:

Use https protection. Make sure the entire site (not just the payment area) uses https protocols.

Keep all SSL certificates updated. They create secure connections between users and servers.

Use a web browser that offers public key pinning support. This support enables https websites to resist impersonation by cyber-attackers.

Use a VPN service. A virtual private network is still the best way to keep the bad guys’ eyes and ears out of your communications.
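
A way to check the first item above, that the entire site and not just the payment area uses https, shown as an added example that is not part of the original article. It scans a page's HTML for links, resources, and form targets that still resolve to plain http; the function name, the attribute list, and the sample page (shop.example) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser load, navigate to, or submit to a URL.
URL_ATTRS = {"href", "src", "action", "formaction", "poster", "data"}


class InsecureRefFinder(HTMLParser):
    """Collects (tag, attribute, absolute URL) for every reference using http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                # Resolve relative and protocol-relative URLs against the page,
                # so a page that is itself served over http flags its own links.
                absolute = urljoin(self.page_url, value.strip())
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute))


def find_insecure_refs(page_url, html):
    finder = InsecureRefFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page for a hypothetical store.
SAMPLE_HTML = """
<html><body>
<a href="/cart">Cart</a>
<img src="http://cdn.shop.example/banner.png">
<script src="//static.shop.example/app.js"></script>
<form action="http://shop.example/search"><input name="q"></form>
<a href="https://shop.example/checkout">Pay</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_insecure_refs("https://shop.example/catalog", SAMPLE_HTML):
        print(finding)
```

Run over each page template of a store, an empty result means the page pulls in nothing over plain http; any finding is a place where traffic can still be intercepted.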

In the world of cyberattacks, oldies are still goodies

Nothing stands still in the cybersecurity field. Vendors are rapidly developing new products that use:

Cloud-based delivery to provide more flexible services.

Machine learning to perform simple security tasks.

Threat analytics to find and analyze patterns of malicious network behavior.

Although commercializing new security technologies is sexy, most of the value of cyber-attacks comes from obvious vulnerabilities, the top choice of cybercrooks everywhere. The trick for IT security pros is eliminating the obvious vulnerabilities in their IT infrastructures.
