Eleven Top Security Threats to Your Ecommerce Site

As our lives and businesses become increasingly digitized, cybercrime has made its way into common parlance as something we should all be concerned about. In times past, individuals or small businesses wouldn’t have been particularly targeted, but that’s just not the case anymore.

Because of the rapid acceleration in cybercrime, cybersecurity is now one of the fastest-growing segments in technology. As soon as one threat is identified and mitigated, new ones spring up to take their place. Like an endless game of whack-a-mole, security experts must be ever-vigilant to the emergence of smarter and more destructive threats with a wide range of objectives.

To complicate matters, malicious actors don’t all have the same goals. Money is always a driving principle, but sowing chaos, planting untruths, and destroying online reputations are just as prevalent. The perpetrators could be anyone from an individual to a group of scammers or politically motivated organizations, and nobody is exempt from risk.

The Threat Environment From an
Ecommerce Perspective

Ecommerce businesses are targeted for a long list of reasons. If they fall victim to ecommerce security risks, they stand to lose a lot.

According to a recent study published by IBM, the average cost of a data breach is in the range of $3.86 million globally and $8.64 million in the United States alone. The study also reports that the average time it takes to identify, control, and recover from a breach is 280 days. Assuming an organization can continue operations, its reputation may be irreparably destroyed.

Ecommerce has grown exponentially in our post-pandemic world. In the past year alone, online shopping grew an incredible 44 percent, nearly three times the growth experienced in 2019. Ecommerce now accounts for more than 20 percent of all retail, for a total of $861 billion in 2020.

If ecommerce systems are breached, sensitive customer data, including personally identifiable information (PII) and payment card information, could be exposed.

To date, some of the biggest breaches include:

• Walgreens exposed PII of up to 10 million customers due to an error within their mobile app’s messaging feature.
• J. Crew fell victim to a credential stuffing attack that exposed customer accounts and information, including the last four digits of their credit cards, billing addresses, and expiry dates.
• Marriott potentially exposed PII of 500 million customers through leaked employee credentials.
• Capital One’s database was hacked by a former employee, who obtained personal credit information and social security/social insurance numbers of more than 100 million individuals in the US and Canada.

These are just a handful of examples, but it demonstrates that even the most trusted and diligent companies are at risk. What we can take away from this is that any organization is vulnerable. No matter how well you think you are protected, you could be at risk without even realizing it.

Major Ecommerce Security Threats to be
Aware of in 2021

Here is a listing of some of the top active ecommerce security risks today:

1. Lack of security protocols. Your employees must be trained and aware of company security policies. Periodic updates are required to cover the latest threats. New hires should be required to read and sign your security policy to enforce accountability.
2. Unpatched or outdated software, such as legacy systems and software, third-party apps, and plugins, represents a potential backdoor for malicious actors. In addition to your firewall, anti-virus, and end-point security system, be sure the SaaS apps and plugins you install are from reputable companies and remove all outdated software from your system immediately.
3. Social engineering is a collection of tactics waged against your employees to convince them to give up login credentials or account information. Some of these campaigns are so sophisticated they are nearly impossible to spot, so it pays to err on the side of caution. Have your employees report any suspicious requests and educate them on what to look out for.
4. Bots can be configured to scrape competing ecommerce sites for pricing and inventory information to undercut your sales. They could also tie up valuable inventory in shopping carts so that it looks like you’re stocked out, leading to loss of revenue.
5. DDoS (Distributed Denial of Service) and Denial of Service attacks have a single objective: to disable your website. DDoS leverages multiple unsecured computers and devices to flood your system with requests until the site crashes.
6. Trojan Horses are malicious applications, often disguised as legitimate software. The user downloads the app onto their system, where the trojan proceeds to complete its mission, either to steal payment information, PII, company data, or to modify or block data.
7. Payment card fraud can take many forms. Malicious actors can flood a merchant’s systems with small purchases made on stolen card info to find one that works—then the sky’s the limit. You’ve not only lost the value of the product, but you’re also on the hook for the refund once the fraud is detected. Other fraudulent practices include purchasing a product, using it, then requesting a refund.
8. SQL injections target your query submission forms to access your databases, injecting malicious code, extracting, modifying, or deleting system data, or issuing commands to the operating system. Attackers can spoof identities, change account balances, void transactions, or expose all data on the system.
9. Malware refers to a vast body of security threats delivered via code. Malicious code can be annoying at least (such as adware) and devastating at worst (such as ransomware, in which thieves hold your entire systems for ransom until you pay them what they want). Malware can bring any company to its knees, and it doesn’t just target large organizations. Ransomware, in particular, tends to target small businesses because they are easy targets and will pay out quickly when their back is against the wall.
10. Skimming seeks to capture payment card information in real-time during a transaction. In an on-premise situation, this happens by deploying a small device on point-of-sale card readers in stores or at ATMs. However, it is also prevalent in ecommerce. Malicious JavaScript code is injected into a website, where it proceeds to harvest payment card details and PII. Thieves gain access to systems through social engineering tactics, credential stuffing, or by exploiting system vulnerabilities.
11. Scraping extracts pricing and inventory data from ecommerce sites to replicate the same information on a competing and fraudulent site. Customers believe they are purchasing from a bona fide ecommerce store, but they are actually giving their money and payment info to scammers.

Mitigating the Risk: Taking Action

Ecommerce websites of any size must apply a proactive approach to protecting their digital assets. Preventing cyberattacks is much less costly than recovering after a breach. The more effort you put into mitigating ecommerce security risks now, the better prepared you’ll be for whatever may come.

Here are a few essential security practices you should implement immediately:

• SSL/TLS enables HTTPS, the secure (encrypted) version of HTTP that transfers information between a website and a browser. When you have SSL enabled, your URL will display HTTPS in the address bar. Browsers today will block websites that lack HTTPS, and Google uses it as a ranking factor. If you don’t have SSL enabled, it will prevent new users from discovering your site.
• Payment Gateways facilitate more secure payments as they take payment card information off your site, thus lowering risk. You might also consider using a third-party payment processor like PayPal, Stripe, or Square.
• Secure your servers and admin panels by employing strong passwords and role-based access. You can also think about enabling multi-factor authentication and using a password manager to prevent unauthorized access and enforce security policies.
• Firewalls are an inexpensive and effective way to protect your network perimeter. They regulate website traffic, block malicious access, and protect you against SQL injections and credential stuffing threats.
• Anti-virus and anti-malware software are foundational to any ecommerce security protocol. Choose solutions with real-time protection and always purchase from a reputable vendor. Dive deep into the features and be sure you understand what you’re getting—and what you’re not getting. Keep in mind, though anti-virus and malware detection software can stop incoming threats, they won’t recognize what comes from within your system.
• Employee and client training is an essential practice for any organization. Your team should be well aware of your security policies, and the policies themselves should be updated regularly to ensure compliance. Make sure both employees and clients are aware of potential threats. For example, you might want to provide your customers with an overview of common threats and let them know what to do if they discover anything suspicious on your site.
• Cloud backups are a way to protect your ecommerce business from costly downtime. While backups aren’t a cybersecurity tool in themselves, they are an essential failsafe in the event of a breach or data loss for any reason. Rewind cloud backups are purpose-built for ecommerce stores and backup every data point, from images to site code and third-party SaaS app dependencies. Because your backup lives in the cloud, it’s fully protected with the latest security features, ensuring a clean, fast-loading restoration.

While ecommerce security is a serious concern, there are plenty of actions you can take today to reduce your risk. If you’re unsure about where to begin, start with the easy stuff first: back up your data today.

Rewind is the leading provider of BaaS apps. Since 2015, Rewind has helped over 100,000 businesses back up their data on Shopify, QuickBooks Online, BigCommerce, GitHub, Trello, and more.