.jpeg)
The National Retail Federation’s National Retail Security Survey 2020 found that over the past 5 years, 29% of retailers have realized that ecommerce crime is now one of the most pressing security issues they have, ahead of organized retail crime and internal theft. As a result, implementing measures to combat cybercrime and increase data protection has become higher priority items for retail executives in the United States.
In this article, we cover the most common cybersecurity threats that online businesses face. We also recommend a number of solutions that retailers can implement in order to protect themselves and their customers’ data.
Finally, for each solution, we also provide an example solution of how we handle security for our customers.
The most common ecommerce security threats retailers face
Verizon’s 2020 Data Breach Investigations Report surveyed over 150,000 cybersecurity breaches and found that hacking and malware accounted for 62% of the attacks. In fact, external cyber-attacks against online stores form the majority of these breaches.
In order to combat these threats, we must first understand how these attacks happen and the kinds of online transactions and information they target.
Malware
The Guide to Malware Incident Prevention and Handling for Desktops and Laptops defines malware as “a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or otherwise annoying or disrupting the victim.”
Malicious software, shortened to “malware”, is a catch-all category to describe one of the most common threats against an organization’s applications and sensitive information.
Phishing
Fraudsters enacting phishing attacks use email to send victims to a website that appears to be genuine. They lure victims to log on to the genuine-looking website in order to extract passwords, credit card, or banking information.
Here is a sample YouTube phishing attack in action:
SQL injections
Structured Query Language injection (SQLi) attacks exploit web application pages to extract or manipulate data from a network’s database.
SQLi attacks are considered one of the most intrusive attacks on ecommerce websites. For example, imperva’s 2013 Web Application Attack Report surveyed a number of web application servers and found one that received 94,057 SQL injection attack requests in one day.
Ecommerce websites tend to be especially vulnerable to SQLi attacks.
The Trustwave 2016 Global Security Report found that SQLi attacks specialize in extracting personally identifiable information (PII) and credit card information from a database. These are the same personalized customer data that a retailer would request and store in order to offer a positive customer experience.
To prevent the loss of sensitive customer PII or limit the data that a successful attack can extract, we recommend limiting the personal information that you gather and share with third party services. We also recommend sharing only necessary information with your own service providers.
At Convictional, for example, the only piece of customer PII we store is the ship-to address. We do not store any retailer’s customer data, such as email addresses, phone numbers, or credit card numbers.
In addition to fraudulent transactions, an SQL injection attack can also be used to launch denial-of-service (DoS) attacks against the website itself.
DoS & DDOS attacks
A denial-of-service or DoS attack targets the availability of an online service, usually a website or application.
A subset of the DoS attack, a distributed denial-of-service or DDoS attack uses a collection of decentralized computer systems to generate an attack. An attacker typically exploits a glitch in an operating system or application to gain access to a computer (bot) and add it to the network they control (botnet)
Both attacks flood a victim’s infrastructure with traffic in order to overwhelm it and bring it down.
To mitigate the damage of a successful DoS or DDoS attack, we recommend using mirrored or replicated servers, particularly ones that have proven capacity and reliability. This usually means taking advantage of cloud computing infrastructure such as Google Cloud Platform on which Convictional is built.
Security solutions to protect customer data in transit & at rest
Marketplaces and retailers need to have systems and solutions in place to protect data in motion and at rest.
As we mentioned above, PII in databases are vulnerable to SQL injection attacks and as a result, make the ecommerce website susceptible to DDoS or DoS attacks.
For data in transit, this means using end-to-end encryption and an updated client/server authentication.
For data at rest, the main protection protocols revolve around domain authentication and operating system access controls. Given the fact that sensitive data is often backed up and recoverable even when deleted, ecommerce retailers need to encrypt their data at rest and have a way to manage access to the encryption keys.
Firewalls
Out of 3,950 global respondents across several industries, Verizon found that external attackers caused the majority of cybersecurity breaches in 2019. Firewalls are the most common solution against these external attacks.
Think of the firewall as a virtual security wall around your organization's "fortress" with only way, heavily guarded way in or out.
The firewall sits between the organization's network and the Internet at large. A firewall is a single choke point where security monitoring and auditing is done to prevent malware from entering your network.
Firewalls can serve as the platform for more advanced security measures such as IPSec. They can also be installed on individual servers, computers, and devices in order to add an extra layer of protection.
However, the firewall cannot protect against internal attacks. For example, a hacker might trick an unwitting employee into clicking on a phishing email. The firewall cannot stop the impending theft of data from happening.
A firewall also cannot solve security breaches that have already bypassed it. For example, an employee might connect an infected hard drive or smartphone directly to a retailer’s network. The retailer’s firewall will not stop the malware from spreading.
PCI DSS & Payment Gateways
According to the Security Standards Council, “The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.”
These standards give merchants, payment issuers, and service providers baseline requirements for keeping their payment processing secure.
A payment gateway enables credit card transactions to take place on a website, while adhering to the PCI DSS.
For example, all Convictional customers use Stripe to send and receive payments on our platform. With Stripe as our payment gateway, we can safely automate invoicing, set custom tax rates, and bill users for shipping without storing the credit card information ourselves.
SSL Certificates
Secure Sockets Layer (SSL) and its current iteration of Transport Layer Security (TLS) are widely-used security protocols. They rely on certificate authentication between the website being accessed (server) and the computer or user accessing it (client).
Most modern browsers and servers have SSL certificates built in. Ecommerce websites that use “HTTPS” are already using SSL certificates to ensure the security of data that is being transmitted between the client and the server.
For example, Convictional uses API endpoints to force encrypted connections between its customers and third-party services. We also have automatic security checks to ensure that data in transit is end-to-end encrypted.
Multifactor authentication
Multifactor authentication is used to describe the multiple privileges a user must have in order to access restricted data. As its name implies, multifactor authentication requires at least 2 steps before a user can log in to a system.
For example, Google employs a 2-Step Verification system. A user needs to enter their normal password and a code generated by the Google Authenticator app before they get access to their Google account.
Multifactor authentication divides a system or a program into siloed parts that require various levels of privileged access. As a result, it is the most effective defense against DoS attacks.
Alongside multifactor authentication is the idea of having a single sign-on (SSO) login system.
With single sign-on, a service does not need to store user passwords in its database. Instead, it uses other services – most commonly Google, Facebook, and Twitter – to authenticate users. In this way, the service delegates the trust and the risk to a more secure SSO provider.
At Convictional, our team uses Google’s SSO and 2-Step Verification in our day-to-day jobs. We also offer an SSO option for our customers to log on to the Convictional dashboard.
"As a storied retailer, with a sought-after clientele, we emphasize the rigorous protection of our customer data. We're proud to partner with a modern technology provider that demonstrates that same commitment while helping us move at the speed of a startup."
— Stephen Jackson, EVP/CIO of Harry Rosen
To Launch & Scale Your Digital Marketplace
Chat with us to learn more
