In February 2020, Amazon Web Services (AWS) was hit by a distributed denial of service (DDoS) attack with peak traffic volumes reaching 2.3 Tbps, a steep rise from the previous attack (1.7 Tbps) on NETSCOUT Arbor in 2018.
Such cyberattacks are on the rise and online stores are particularly attractive for threat actors because they are repositories of personally identifiable information (PII) and financial data.
The COVID-19 pandemic has increased the cyberattack surface due to the shift to remote work. More people are shopping online due to social distancing norms. Thus, financially driven cyber attacks like ransomware and identity theft via phishing attacks are the primary risks in 2021.
Web developers should be able to create secure systems for online stores to protect against malicious entities.
Read more related articles: The Marriage of Passwords and Microsoft in 2021 | What Is the Cyber Kill Chain and How It Can Protect Against Attacks | 4 Secure Services You Need for 2021 and Beyond | The Use of Artificial Intelligence in Cybersecurity: A Review
Why is e-commerce cybersecurity important?
Cyber attacks cripple business processes and IT assets, damage reputation and trust, and cause financial losses and legal troubles.
CSO’s The State of Cybersecurity 2021 revealed that 15% of organizations had to shut shop due to a cyberattack.
Do not assume that small businesses are safe. In 2021, hackers targeted 43% of small businesses—and only 14% of them were prepared (Accenture’s Cost of Cybercrime Study 2019).
The first step to protect an online store is to understand the most common cybersecurity threats.
Top e-commerce security threats
Websites are commonly affected by these threats:
Phishing is a type of social engineering where hackers attempt to trick buyers into giving up their personal information such as login details, bank account numbers, and passwords via email, text message, or phone call.
Hackers may send emails with a request to update login details via a specific link or may include links that redirect to fake online stores.
For example, the EITest of 2017 where users were redirected to fake tech support via Internet Explorer.
Malware is malicious software installed on computer systems or mobile devices without the knowledge of the user. Spyware, trojan horse, viruses, and ransomware are types of malware.
Ransomware uses encryption to prevent the victim from accessing critical data, files, or applications. Hackers then demand a ransom in exchange for a key that will release the data. Ransomware can enter systems through phishing emails, fake websites, or pop-ups.
Want more tech news? Subscribe to ComputingEdge Newsletter Today!
3. SQL injection
An SQL injection attack involves the insertion of an SQL query via query submission forms.
It allows hackers to read sensitive data from the database, modify data, execute administrative operations, access sensitive files, or even issue commands to the operating system.
4. Cross-site scripting (XSS)
Some malicious scripts may even rewrite the HTML content of the infected page.
E-skimming involves stealing credit card details and PII from the checkout pages of online stores.
Hackers access the website through phishing attacks, brute force attacks, cross-site scripting, or third-party compromises. They then capture payment information from shoppers in real-time as the checkout page is being used.
6. DDoS attacks
DDoS attacks disrupt online stores and cause financial losses due to stopped sales.
Hackers send a high volume of unusual requests to your server using untraceable IP addresses that overwhelm it and cause it to crash.
Next, let’s see how we can implement website security solutions to protect online stores from threat actors.
How to secure online stores from cyberattacks
Online business owners tend to focus on things like website design and SEO and fail to invest in security. But the cost of a cyberattack is much more than the cost of securing a website.
Here are some ways in which e-commerce websites can be protected:
1. Use SSL certificates
Secure socket layer (SSL) is a security protocol that encrypts data in transit between the host (web server or firewall) and client (web browser). It prevents sensitive information such as credit card details, contact information, and personal data from being intercepted.
Extended Validation (EV) or organization validation (OV) SSL certificates authenticate the website, telling customers that the site is safe for online transactions. It adds a green HTTPS padlock to the site’s URL, demonstrating its trustworthiness.
Google released a Chrome update in 2018 that alerts visitors if a website does not have an SSL certificate.
2. Ensure PCI-DSS compliance
Payment Card Industry Data Security Standards is a non-optional set of standards for websites that collect, store, process, or send credit card data. PCI-compliant websites can safely handle credit card transactions.
Online stores usually accept card payments through payment gateways like Paypal, which should also be PCI compliant.
How to ensure that you are PCI compliant:
- Update business payment system with the latest PCI standards.
- Get shopping cart certified by PA-DSS (payment application DSS)
- Ensure that the payment application provider is PCI compliant and integrates with online stores.
3. Use Prepared Statements
If a website has a URL parameter or web form that allows users to enter information, it is vulnerable to SQL injection attacks. If the parameters of the field are too open, hackers can insert malicious code to gain access to the database.
Prepared Statements with parameterized queries is an important way to prevent SQL injection attacks. The SQL command uses a parameter instead of values to prevent the backend from running malicious queries that can harm the database.
For example, If the input is “12345 or 1=1”, the parameterized query will search for a match with the entire string.
4. Enable content security policy
Content security policy helps mitigate cross-site scripting (XSS) attacks and data injection attacks.
To enable CSP, the web server is configured to return the Content-Security-Policy HTTP response header. Alternatively, the <meta> element can be used to configure a policy.
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">
CSP lets the browser know which scripts can be executed by specifying trustworthy domains. This prevents the execution of malicious scripts from seemingly legitimate sites.
5. Use website security tools
Website security tools identify security vulnerabilities, malware, and online threats in your website.
- Sucuri – checks for malware, defacement, injected spam, and blacklisting status
- Qualys – checks for SSL misconfiguration or vulnerabilities
- Google Search Console– sends security notifications; offers tools to measure website performance and search traffic
- Unmask Parasites – checks pages for hidden illicit content
- SiteCheck – scans for malware and checks the strength of website security
6. Use robust login methods
Enable two-factor authentication and captcha validation to prevent hackers from sending nefarious requests or spamming content forms.
Educate business owners and customers about password best practices. Lists of leaked passwords are available online, which when combined with brute force tactics, allow hackers to break into websites.
7. Deploy web application firewalls
The first line of defense against cyberattacks is a web application firewall (WAF) that regulates traffic coming to and leaving your online store. It also protects against SQL injection attacks, XSS, and suspicious networks.
In addition, a Content Delivery Network (CDN) can be used to prevent DDoS attacks. Typically used to improve website performance, their ability to analyze and absorb unusual volumes of traffic allows them to mitigate DDoS attacks.
8. Secure admin panel and server
Strong passwords should be used to log in to the admin panel and the client’s server. These passwords should be regularly changed.
The Principle of Least Privilege states that users are allowed only the level of access that they need. User roles should also be strictly defined. This prevents security lapses on the user side.
In addition, alerts can be set up on the admin panel to send notifications when an unknown IP tries to access it.
9. Implement additional security layers
Hackers search for platform or script weaknesses to exploit when attempting to access a database.
Some additional steps that can be taken are:
- Rigorously update and patch software to fix vulnerabilities.
- Disable or remove unused software like mail servers.
- Invest in automatic website backups to have the most recent copy of data.
- Install security plugins to enhance website security for content management systems (CMS) like Joomla, WordPress, or Magento
- Secure connections that contain cookie data.
- Use both client-side and server-side validations.
Hackers are mounting more sophisticated attacks with every passing day. Web developers must remain alert and updated on the latest cybersecurity tools and techniques. It may not be possible to address all threats, but developers must practice the most important security principles to prevent online theft.
About the Writer
Gaurav Belani is a senior SEO and content marketing analyst at Growfusely, a content marketing agency that specializes in data-driven SEO. He has more than seven years of experience in digital marketing and loves writing about education technology, AI, machine learning, data science, and other emerging technologies. In his spare time, he enjoys watching movies and listening to music. Connect with him on Twitter at @belanigaurav.