Published on 07/07/20 by Mark West and Bradlie Houldsworth
For many years, the biggest cyber threats to the retail industry were focused on brick-and-mortar physical shops, these were mostly breaches of point-of-sale (POS) systems to illegally capture shoppers’ card information.
Cybercrime Magazine predicts that retail will be one of the top 10 most attacked industries for 2019–2022.
Recently, there have been many worrying and large-scale cyber attacks on various eCommerce technologies, particularly those which have known vunerablities. This had led to many eCommerce business owners becoming worried about the safety and security of their website and data.
Computerweekly.com recently reported on a large attack on US-based Claires Accessories, undertaken by Magecart’s credit-card skimmer which was installed onto the website’s checkout without the retailer’s knowledge. This identified and demonstrated that even with an enterprise-level eCommerce platform such as SFCC (Salesforce Commerce Cloud), attacks and penetration is possible if security is left unmanaged.
In this article we explore how eCommerce security works, the main threats which are seen in the industry, the differences between security and compliance and what is the safest eCommerce platform available today.
How does eCommerce security work?
Cyber/online attacks have become more frequent and sophisticated in recent years, especially with many more retailers turning to eCommerce to generate revenue for their business. Ecommerce security refers to the measures taken to protect your business and your customers against cyber threats.
When looking to understand how eCommerce security works, we first need to be aware of the elements which make up this space.
1. Personal Data
When hackers are able to identify customers personal data, it can be matched with payment data so that transactions can be attempted. The fields which hackers normally attempt to steal include the customer’s name, email address, physical billing address and any additional information which could be either sold on or used to authenticate a transaction.
2. Payment Card Industry Data Security Standard (PCI DSS)
Commonly known as “PCI Compliance” – PCI is a set of standards which both a retailer and technology/payment gateways. It is a requirement for organisations and retailers to safely and securely accept, store, process, and transmit cardholder data during credit card transaction to prevent fraud and data breaches.
3. International Organization for Standardization (ISO)
The ISO develops and publishes standards for organizations internationally, they do this by creating the “documents that provide requirements, specifications, guidelines, or characteristics that can be used to consistently ensure that materials, products, processes, and services are fit for their purpose.”
ISO certification means a business has:
- High quality management systems,
- Data security,
- Risk aversion strategies, and
- Standardized business practices.
ISO-certified businesses have to go through a very strict assessment through testing and inspections by a third-party inspector. For eCommerce businesses, the technology they rely upon should have high levels of documentation around processes, especially when it comes to security.
4. Transport Layer Security (TLS), Secure Sockets Layer (SSL), and HTTPS authentication
SSL relies on encryption to make the connection between the user and the website entirely private. Each message transmitted between the two must pass an internal check to ensure the connection is secure before it succeeds. If the check fails (due to data corruption, or any unexpected attempt to alter or capture the data), the encrypted data will not be exposed.
SSL’s are on almost every website you visit, and Chrome (amongst other browsers) have began flagging to the user when a website does not have an SSL installed. The encryption used prevents those with malicious intent from intercepting transactions as innocent as your search queries.
5. Multi-factor authentication (MFA) and 2-factor authentication (2FA)
Multi-factor authentication (MFA) is a security control that requires users to verify who they are by providing multiple pieces of evidence or passwords before gaining access to a device or website. If you are logging into a website admin area, depending on your access level, you will need to provide additional information before the platform will grant you access.
MFA and 2FA are similar in their security-level, however each approach has a unique pro/con which can be argued.
6. Distributed Denial of Service (DDoS attacks)
A distributed denial-of-service (DDoS) attack is a nasty and malicious attempt to disrupt normal traffic of a targeted server or network by overwhelming it (or its surrounding infrastructure) with a flood of fake traffic. This flood normally means the website will begin to slow down, and in the worst scenario, have too much capacity and go offline.
These attacks will often allow an attacker to identify issues with the platform that can be later exploited.
7. Malware and ransomware
This type of eCommerce security issue is where an attacker infects the user’s computers and servers with viruses. The hacker then locks out the user and then they ask for a ransom in return for the access to your own systems.
Believe it or not, these ransomware attacks are growing at a rapid pace and its high time for organizations and even individuals to take some serious precautionary safety measures before the situation gets worse. Speaking of ransomware, especially the e-commerce businesses are suffering at the moment and literally thousands of attacks have been reported till date.
What is data compliance, and how is it different from security?
Data compliance when it comes to eCommerce relates to how user data is processed and managed, for instance where it is stored, what frameworks are used for the methods of collecting and validating the data. In comparison, data security is focused on how the data was captured, and what methods are used for storing the data in a safe and secure location with measures for tracking access to it.
Within eCommerce, data compliance rules and regulations come into play in the same way they do for all digital-based businesses.
The two main compliance regulators within the UK are:
Payment Card Industry Data Security Standard (PCI-DSS)
As mentioned earlier, PCI compliance is incredibly important when handling users personal payment information such as card details or account details.
The technology a retailer uses needs to be fully PCI-DSS compliant to give piece at mind.
General Data Protection Regulation (GDPR)
As of 2017 when GDPR fully came into effect, retailers are accutely more aware of the data rights which their users and potential customers have. A retailer needs to have a simple and clear GDPR policy, which stipulates how they collect, transfer and store personal data collected on each user to their website.
With tailor-made technology, such as Remarkable.net’s eCommerce tech, although a guideline is defined, a retailer can specify the logic and rules around GDPR; giving them ultimate control over how to collect and store data and communicate with their customer.
The biggest security threats to your eCommerce site are:
This is a hacking technique where mass-sending a malicious email to trick people into clicking on malware links or disclosing private information, such as their credit card details. Filters can catch many, but not all, mass phishing attacks. However, spam filters are generally helpless in the face of more targeted attacks like spear phishing.
Spear phising are much more targeted and will typically appear to be from a sender which you recognise, either by name or by email address. This leads to a higher chance of the receipt opening the email and trusting its contents. Within eCommerce, this might be from a brand or retailer which a consumer will trust and be more inclined to open links or attachments.
Malware and ransomware
This is less common in modern times due to many SaaS technologies, including our own, now being cloud-based. However, Malware is malicious software, which sits on the infected computer/server and causes a device to become locked or unusable. Stealing, deleting or encrypting data is the goal for this type of attack and taking control of your devices to attack other organisations is also common.
That said, Malware and Ransomware attacks are becoming more sophisticated within the eCommerce industry, and is costing retailers tens of millions in lost revenue every year. Firewalls are the applicable first-line defense against this form of attack and should be in place at various levels throughout your eCommerce architecture.
One of the scarier threats to an eCommerce site is SQL injection, which occurs when an attacker inserts characters (in the form of a SQL command) in a web form where a user would typically supply legitimate input such as a username or password. Those injected characters are meant to trick the website into granting the attacker unauthorized access to the underlying database – and it will, if the website doesn’t adequately filter or validate user input based on the specified criteria.
These types of attacks were common with Magento after several flaws were found with the open-source nature of their platform. By carrying out SQL injection in a targeted e-commerce website that uses Magento’s commercial or open-source platform, attackers were able to inject their own commands to an SQL database and transfer sensitive data available on the database to a remote server. Such data may include credit card numbers and other personal details of people who made online purchases on the targeted site.
Link & Email spamming
If there’s an inbox available or an email address/contact form public on a website, spammers will find a way to clog it. Spam can also be found on Internet forums, text messages, blog comments, and social media. Email spam, however, is by far the most prevalent, and often the most threatening to consumers.
What is the safest eCommerce platform?
If you are looking for an eCommerce platform or technology which ensures your website users remain as safe as possible, then we recommend that you consider a custom platform which can be tailor-fit to your requirements and exact setup. This will ensure you remain in full control of your entire eCommerce operation.
Magento vs Shopify+ security…
Both Magento and Shopify Plus are extremely common and powerful platforms, which power many large and successful retailers around the world. However, they are not for everyone, and for those retailers who have security as an important point within their replatforming decisions, then there needs to be a key concious decision around this.
Magento 1 was recently announced as “end-of-life” and is no longer fully supported as an eCommerce platform by their new owners ‘Adobe’. This means that the retailers who remain on this legacy system will remain transactional and live, however, they are no longer fully PCI-DSS compliant and won’t receive security update patches to update their site with. This makes those sites more prone to attacks and hacking.
How Remarkable.net helps keep your business safe and secure
Many of Remarkable.net’s clients are retailers who wish to launch/re-launch their store quickly and are typically limited by resources for custom development and IT work. They look to integrate their website to an ERP, POS, or 3PL system and they have a team who wear many hats and handle a variety of operations. They also do not want to handle security, maintenance, or uptime of platform – so cost-effective SaaS solutions like Vybe Commerce Cloud allows for this scenario.
The security benefits of SaaS
The true benefits of SaaS solutions which are related to security are:
- SaaS platforms can handle large order volumes, surges in traffic and some advanced capabilities like drop shipping. The architecture required for this ensures platforms are robust and more difficult for attacks to be successful.
- The modularity of a SaaS platform allows for a retailer to decide which elements of their eCommerce operation are included and which are managed in separate systems, like fulfilment, order processing, customer management, product information management, and more. This separation ensures attacks can be isolated and smaller areas of a site can be accessed at a time.
- Self-hosted software can be just as secure as SaaS platforms – but the responsibility of ensuring it is secure is with the retailer. Open-source platforms are prone to issues like malware and security breaches, however, SaaS companies update your website for you – meaning you never have to worry about your site’s security. Self-hosted platforms release security updates and patches that you need to stay compliant, however, you still have to deploy them yourself – which takes time and resources to do.
It is incredibly important for any eCommerce retailer to consider security as a top-priority within their business and ensure their eCommerce platform is fully secure and compliant. At Remarkable.net, our teams are trained and remain focused on security – this gives our clients peace of mind and comfort that their business is safe, and if attacked, they have the right partner to help them through the situation.