Luminous Tec

Cyber Security in E-Commerce 

Cybersecurity, believe it or not, has been around since the 1970s. I was only a toddler back then, creeping around poorly laminated floors, when Bob Thomas created a program called Creeper that would move along ARPANET's (Advanced Research Projects Agency Network) poorly laminated network, leaving a little breadcrumb wherever it went. Then along came a programmer named Ray Tomlinson, yup, the guy that invented email, and he wrote a program called Reaper, which chased and deleted Creeper. Those two programs might have been the first two examples of an antivirus program (Reaper) and a self-replicating program (Creeper), the first ever computer worm (Write Once Read Many).

Fast forward to the 90s: ARPANET gave way to the internet, GenX was in full swing partying it up while leaving no cellphone breadcrumbs to track, and big business was just starting to reluctantly test the waters of the internet. In those days, security on the net was almost an afterthought. If you think about it, network transmission protocols like TCP/IP, SMTP, UDP, FTP, HTTP, etc. were not developed with security in mind, and while cryptography goes back thousands of years, the first Data Encryption Standard was only developed in 1975 by IBM researchers and still left a lot to be desired by the time the 90s rolled around.

In this day and age however, cybersecurity cannot be that last thing you think of when designing and building a digital presence. Hackers are no longer breaking into systems for the sheer joy of being able to do it and I would probably be grossly underestimating the amount of money being transacted on the internet if I said 1.5 billion dollars were exchanging hands every day.  

Still, we are only scratching the surface of the amount of sensitive and critical information that is floating out there. From personal information like credit card, social security and routing numbers, to top secret military communications, medical records, IoT communications, etc. The list goes on and the threats are real. So, if you want to build an E-Commerce business and dip your cup into the millions of dollars streaming online a minute, you must first take into serious consideration your cybersecurity strategy and how it applies to your E-Commerce security.

What is E-Commerce Security 

A good portion of small businesses, 70% in fact, are completely unprepared for a cyber-attack. They may have some good baseline security measures in place, but merely hoping that you have covered all your bases is really never enough in a world where hackers are constantly morphing their methods of attack. 

If you are looking to build an online solution that offers safe online transactions, then having a solid set of E-Commerce security guardrails in place is imperative. We have all seen the news reels of large groups of criminals going into physical retail stores and just ransacking them. The same type of digital ransacking can occur with an online store. In fact, according to the Trustwave 2020 Global Security Report, the retail industry happens to be the most targeted vertical for cyber-attacks, accounting for 24% of attacks worldwide, with financial institutions a close second at 18%.

This article will cover what some of the most common threats are, the importance of E-Commerce security and some of the best practices for protecting your online presence. Before we get into any of that, there are some terms that you need to understand when it comes to E-Commerce security protocols. 

Privacy (or Authorization)   

The very first step in E-Commerce Security is preventing unauthorized parties, either internal or external, from accessing customer, employee or company data, but really and most importantly, customer data. Maintaining your reputation as an E-Retailer starts with the confidentiality that comes from assuring that the customer's privacy is secured. There are many ways to assure customer privacy, including firewalls, encryption, anti-virus software, virtual private networks (VPNs), etc., but also being candid with your customers.

Give your customers control over what data they share, and how much of it, and also be transparent about how the company would use that data if they choose to share it. This helps develop trust, and a good part of that trust is having a privacy policy that is clear and easy to comprehend.

On top of transparency is providing the options for the customer to opt out of sharing data, having the ability to delete their data, and sharing details on data protection, disaster recovery plans and even audit results should a significant incident occur. All of this builds trust and assures the customer that you are taking the privacy of your customers' data very seriously.

Integrity 

It is not enough to just collect data; it has to be accurate in order for it to be useful, and that is what Integrity is all about. Keeping clean, curated datasets is integral when running an E-Commerce business. In fact, I would endeavor to say that it is probably even more important now with the advent of Artificial Intelligence, which relies on expansive datasets (Large Language Models) to build out its intelligence. Having disjointed data would be detrimental to a lot of the Chatbots and Customer Service AI out there, which consequently wouldn't bode well for consumer confidence.

Authentication 

This is multi-faceted. First, you want to assure your customers that you are who you say you are. To this end you want to make sure that your site not only utilizes https (no one really uses http any longer), but that you have a certificate associated with your site that authenticates you as the business that you say you are.   

[Image: The lock icon on the website URL lets us know the site is secure]

All browsers these days support https, and customers always have the option to view the actual certificates that were issued by the trusted authority to that business. Customer quotes and case studies, while good, can be easily fabricated. Certificates from trusted authorities give the consumer some semblance of ease that they are at the right place and it is secure.

On the other side of the equation, when a customer signs up and needs to authenticate to the website, multi-factor authentication should never be optional. Customers should always log in securely (proper encryption and password rules) and then receive a security code on a separate device, like a cellphone, that finishes up the login process. Anything less is inviting an attack.

Non-Repudiation

This simply means that neither a company nor a customer can deny transactions that they have participated in. This is generally implicit in physical retail stores, but it is a little trickier with online purchases. Taking measures, like digital signatures, ensures that neither party can deny that a purchase was made. It is also good to adhere to the PCI DSS (Payment Card Industry Data Security Standard), since it sets the rules that relate to credit card or debit card purchases, and let's be honest, no one uses cash anymore for online purchases… ok, well they never used cash for online purchases, but these days, they rarely use it for any other purchases as well, even at a physical store.

Common E-Commerce Threats 

Today everything is digital it seems, even down to the currency, which makes everything a target and you better believe that perps are always looking for ways to take advantage of those marks. To mitigate those risks, it is good to have an idea of what kind of threats are out there and how they work. 

Phishing 

This trick has been around for a while. It is pretty simple in that it tries to con the victim into providing confidential personal information, like passwords or social security numbers, via email, text or phone. They will try everything, from putting false (but valid-looking) links in emails, to playing on the heartstrings of the lonely or depressed via loving text messages, to mimicking some sort of emergency on the phone. Whatever the trick, it obviously still works and still generates a ton of money, despite the fact that one would think most people wouldn't fall for some of the deceit they put on. Yet, people still do, mostly the young and naive or old and senescent, but it happens enough that criminals are not going to drop that tactic just yet.

To mitigate this type of attack on your customers, maintain transparency: inform them that your company would never email, text or call requesting personal information, and that they should be vigilant about those types of requests.

Malware and Ransomware

Short for "Malicious Software", this technique is way more complex than phishing and is specifically designed to disrupt, damage or gain unauthorized access to a computer system. The delivery mechanism can be an email or text, so it could look like a phishing attempt, but once loaded onto a target system, no further action is needed from the user.

Malware could be anything from an inconvenience to you or your business, to encrypting all of your critical systems' important files until you pay a ransom. Either would be highly disruptive and very expensive if your E-Commerce system is hit, so protecting these systems is a little more than important.

Anti-Virus and Anti-Spyware software are pretty standard these days and a must for any E-Commerce system, but additional tools that can be part of your firewall or complementary to it are Intrusion Detection Systems and Intrusion Prevention Systems, which add that extra layer of relaxation to your evening.


SQL Injection

The Structured Query Language (SQL) is the standard for retrieving data from a structured database like Microsoft SQL, MySQL, Oracle, etc. These databases are all over and maintain data for some of the largest enterprises on the planet. However, they are not always secure, and without the right protections it is possible for nefarious actors to "inject" their own queries into these databases, giving them access to any information in the database.

These types of attacks are not uncommon, which makes it imperative that your developers follow proper security protocols when designing an E-Commerce solution. In addition, it is imperative to keep the database not only up to date on security patches, but safely tucked away in a private network hidden from those without privileges, and to make sure that the most current web development strategies are utilized for SQL injection prevention.
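The "proper security protocols" for developers boil down to one habit: never paste form input into SQL text. The added example below (not code from the original article, written against a constructed in-memory SQLite order table) puts a string-built query beside a parameterized one and feeds both the same hostile input; only the parameterized version treats it as data.

```python
import sqlite3


def make_store_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for an E-Commerce order database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "4242"), (2, "bob", "1111"), (3, "carol", "9876")],
    )
    return conn


def orders_unsafe(conn: sqlite3.Connection, customer: str) -> list:
    # The form field is pasted straight into the SQL text, so whatever the
    # shopper typed is parsed as part of the query: a quote character ends the
    # string literal and everything after it becomes extra SQL.
    sql = f"SELECT id, card_last4 FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def orders_safe(conn: sqlite3.Connection, customer: str) -> list:
    # The value travels as a bound parameter. The engine compiles the query
    # first and substitutes the value afterwards, so the input can never
    # change the query's structure, whatever characters it contains.
    sql = "SELECT id, card_last4 FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


if __name__ == "__main__":
    db = make_store_db()
    normal = "alice"
    hostile = "x' OR '1'='1"  # constructed input that closes the string literal
    print(orders_unsafe(db, normal))   # [(1, '4242')]
    print(orders_unsafe(db, hostile))  # all three customers' rows leak
    print(orders_safe(db, hostile))    # [] - nobody is literally named that
```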

Cross-Site Scripting (XSS) 

This type of attack focuses more on webpages and functions by inserting a snippet of code into a webpage, allowing an attacker to compromise the interactions that a user has with a vulnerable application. Generally speaking, the attacker can prance around as the victim user, which allows them to carry out the actions that the user is able to perform, including accessing the user's data. If the user has privileged access, well, the attacker just hit the lotto!

Regularly scanning for vulnerabilities in the code or API integrations and patching them swiftly can thwart XSS attacks.  
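Scanning finds the holes; the fix in the code is to escape user text at the moment it is written into the page, for the context it lands in. The added example below (not the article's code; the review template and inputs are constructed) renders a product review both ways and shows why attribute values need quote escaping as well as text nodes.

```python
import html

# Constructed markup for one product review on a store page.
TEMPLATE = '<div class="review" data-author="{author}"><p>{body}</p></div>'


def render_review_unsafe(author: str, body: str) -> str:
    # User text dropped straight into the markup: a <script> tag in the body
    # runs in every other shopper's browser, and a double quote in the author
    # name breaks out of the data-author attribute and lets new ones in.
    return TEMPLATE.format(author=author, body=body)


def render_review_safe(author: str, body: str) -> str:
    # Escape at output time. quote=True also converts " and ' to entities,
    # which is what keeps the attribute value closed; html.escape without it
    # is only adequate inside a text node, never inside an attribute.
    return TEMPLATE.format(
        author=html.escape(author, quote=True),
        body=html.escape(body, quote=True),
    )


def markup_was_injected(rendered: str) -> bool:
    """Demo check: any '<' beyond the template's own four means user input
    survived as live markup rather than as text."""
    return rendered.count("<") != TEMPLATE.count("<")


if __name__ == "__main__":
    author = 'mallory" data-admin="1'                     # constructed input
    body = "Nice kettle <script>alert('xss')</script>"    # constructed input
    print(render_review_unsafe(author, body))  # extra attribute and live script
    print(render_review_safe(author, body))    # both neutralised as entities
```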

Brute Force Attacks 

These types of attacks are less common than the others simply because of the amount of processing power needed to succeed. The way they function is simple: the attacker attempts to get access to a system by trying every possible password combination there is. Of course, they don't do this by hand; that would be entirely inefficient, and they want to make money quickly. They instead write scripts that try every possible combination of letters, numbers and characters that could make up your password, hence the "brute force" moniker.

The weakness of that approach is that circumventing it is rather simple: have a complicated password that changes periodically.

E-Skimming 

This is the process of capturing data in real time as a customer is typing it in. In order to do this, code has to be living somewhere on the target machine, and it normally makes its way there via XSS, phishing or brute force attacks, amongst others. Once there, the hacker can monitor checkout pages and capture payment information as customers key it in.

To prevent this, you have to be on top of maintenance and update schedules. Regularly push patches to your webserver, vet any ad server code and make certain that any third-party APIs are updated. Cyber insurance may cover any losses should you be dealing with a site already impacted (and assuming you have cyber insurance), but if you have already been touched by a breach, you might have a long road of cyber forensics to deal with on your shopping cart page. 

Spam

We are all familiar with random senseless emails that contain less than compelling links to click on. Those links of course lead to a dark pathway, and most of us understand that, so those emails (thanks to Spam filters) get sent to the trash. But Spam has evolved over the years, and spammers have taken their skills to blogs, social media posts and contact forms. So, as a user it is always a good thing to be vigilant.

As an E-Commerce provider, you want to take efforts to secure your site from Spam attacks. This might include deleting unwanted comments, enabling reCAPTCHA on forms and making use of the spam filters that screen all incoming email traffic to look for keywords, links, pics, etc., and send them to the junk folder.

There are other protective measures one can take in locking down the security of an E-Commerce site, which we will discuss a little more later, but Spam in general is automated, so basic measures that focus on techniques where input is required based on images that only a person can interpret, are the best methods now. I do have to say however that AI is going to change that dynamic a little bit.

Bots 

You can think of Bots as little dumb software programs that are really good at performing repetitive tasks, and one of those tasks might be to screen scrape websites for certain data and then use that data for nefarious reasons. The list of malicious ways bots can be used is pretty extensive, but there are other bots that are entirely good, like service bots, Slush bots and chat bots. You don't want to block those.

So, what you want to do here is apply some level of what's called Bot Mitigation, which simply means you have a process in place that reduces the risk of automated bot attacks by using software that distinguishes bots from real people, separates the good ones from the bad and then handles any nasty activity. This topic can be quite extensive, but it is safe to say there is software out there that can handle the work.

Trojan Horses

We are all familiar with what happened in Troy, and just like that large wooden horse with a nasty little surprise inside, Trojan Horses are malware that function like their namesake, disguising themselves as useful little programs and showing their nasty side once someone downloads them onto the network.

Anti-Virus protection, as well as IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) implementations, can render these types of attacks null and void, but they have to be kept up to date because Trojan Horses change all the time.

Best Practices

Use Multi-layer Security

The movie Home Alone is a fantastic little example of making great use of multi-layer security. From booby-trapped doors to slippery stairs, to jumping jacks scattered on the floor and one-gallon paint cans swinging from the ceiling, every layer of security made it near impossible for the thieves to navigate the measures and reach their intended goal.

In cyber security the concept is much the same. It is simply adding secondary and tertiary layers of security controls as obstacles that thwart would-be intruders, because criminals are looking for easy targets, not multiple hoops to jump through.

Most people are familiar with logging into a system, whether it is an E-Commerce system or some internal company application and having to wait to receive a code from the system to your email address or cell phone and then entering that code in order to access the application. This is called multi-factor authentication, and it is one way to add additional layers of security to protect a system. One could also throw in reCAPTCHA during a login process and then multi-factor authentication after that.  

The more layers of security, the harder it is for bad players to infiltrate, and that is the idea. It may be a little inconvenient for users and may add a little additional time to their login process, but if it prevents a revenue-ending breach, it is well worth it.
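The login flow described here, and the brute-force defence from the threats section above, can be shown in a few dozen lines. The added example below (not code from the article; all function names, the PBKDF2 parameters and the account layout are my own choices) stacks three layers: a salted password hash compared in constant time, a phone-style one-time code implemented per RFC 4226/6238, and a failure counter that locks the account so guessing scripts run out of road.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000
MAX_FAILURES = 5  # lockout threshold; blunts password guessing scripts


# Layer 1: the password, stored only as a salted PBKDF2 hash, never in clear
def hash_password(password: str, salt: bytes = None) -> tuple:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


# Layer 2: the one-time code generated on the customer's phone
# (RFC 4226 HOTP inside RFC 6238 TOTP: SHA-1, 6 digits, 30-second steps)
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30) -> str:
    return hotp(secret, int(at_time) // step)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    # Accept the neighbouring steps too, so a slightly drifted phone clock
    # does not lock honest customers out.
    return any(hmac.compare_digest(totp(secret, at_time + k * 30), code)
               for k in range(-window, window + 1))


# Layer 3: an attempt counter that locks the account after repeated failures
def new_account(password: str, totp_secret: bytes) -> dict:
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest, "totp_secret": totp_secret, "failures": 0}


def login(account: dict, password: str, code: str, now: int) -> str:
    """Return the internal outcome. Show the customer one generic failure
    message regardless, so the response does not reveal which layer tripped."""
    if account["failures"] >= MAX_FAILURES:
        return "locked"
    if not verify_password(password, account["salt"], account["digest"]):
        account["failures"] += 1
        return "bad_password"
    if not verify_totp(account["totp_secret"], code, now):
        account["failures"] += 1
        return "bad_code"
    account["failures"] = 0
    return "ok"


if __name__ == "__main__":
    # Constructed demo: the secret and the timestamp 59 are the published
    # RFC 6238 test vector, so the code can be checked against the RFC.
    secret = b"12345678901234567890"
    acct = new_account("correct horse battery staple", secret)
    print(totp(secret, 59))                                           # 287082
    print(login(acct, "correct horse battery staple", "287082", 59))  # ok
```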

Secure your website with SSL Certificates 

Secure Socket Layer (SSL) certificates (the protocol underneath is TLS these days, but the name stuck) are the norm when it comes to verifying a website's identity and encrypting the connection. Those certs don't only develop trust, they protect credit card details and other potentially sensitive data that gets transacted on your E-Commerce site. It's uncommon these days to see any sites that are not using https in their URL and having a cert that verifies the site's identity. Implementing this is pretty much a given.

Use Firewalls 

There are all sorts of firewalls out there, from your standard boundary protection, to Web Application Firewalls, to stateful firewalls, distributed firewalls, etc., so what type of firewall you choose depends on where you have your E-Commerce application deployed. For instance, if you have your own data center or network, you are probably going to have a standard boundary protection firewall with NetFlow activated (to track traffic), supplemented with IDS and IPS systems as well as software firewalls on the webservers and database servers to complement other protective measures. I mean, you can't really have too much protection, can you?

However, if your E-Commerce application is deployed in the Cloud by one of the many cloud service providers, like AWS, Google or Microsoft, to name the top three, you don't really have to concern yourself with boundary protection or physical IPS or IDS systems or even keeping those security measures up to date. The provider will handle all of that. You only need to protect the instances where you have your E-Commerce application installed, and with redundancy and backup measures easily implementable in the Cloud, it is a no-brainer really to deploy your E-Commerce application in the cloud to avoid some of the physical configuration and implementation headaches that managing these types of systems can cause.

Install Anti-Virus and Anti-Malware Software 

This should be obvious. Regardless of where you deploy your E-Commerce application, in a personal data center or the cloud, you want to protect that system with Anti-Virus and Anti-Malware. There are many to choose from out there, from enterprise level systems to ones your mom and dad can download. The key is to make sure that the system you choose is kept up-to-date with the latest virus and malware definitions, either manually or automatically, and that their logs are monitored continually. 

Train your Staff

Believe it or not, the most vulnerable aspect of any E-Commerce system is the employees, so extra care has to be given to your staff if you want to ensure that your systems are secure.

The first step is training… making sure that your employees understand policies and regulations as they pertain to protecting customer information. I would recommend a third-party cybersecurity company here that would provide monthly or bi-monthly cybersecurity and privacy training with a must-pass exam at the end for each employee. This ensures that the employees understand the policies and the ever-changing landscape of cybersecurity, and provides some protection for your company against liability.

Amongst the policies that should be enforced for your staff are password policies, mandatory multi-factor authentication and the exercise of least privilege on the network, meaning employees only have the privileges they need to perform their responsibilities, nothing more, nothing less. But most important of all are policies that cover access removal and data retention for former employees, i.e., those employees that were let go. It is very important to swiftly revoke access to all systems at the moment an employee is let go, because nothing can be more vindictive than a disgruntled ex-employee.

Educate your Clients

It's not uncommon for lapses in security to have their origins in customer behavior. Here education is key: simply remind customers to have complex passwords and to rotate them periodically. Keep your customers aware of what official communications from your website or customer support staff would look like, so that they can avoid solicitations from individuals seeking to take advantage of them. All of these simple but effective communications and policies can save a boatload of trouble down the road or river, it is a boatload after all.


Conclusion

The importance of E-Commerce security cannot be overstated. A study performed by Juniper Research estimated that some 33 billion accounts are expected to be breached in 2023. How many more accounts will be breached in 2024? The world’s population is ever growing and as such more and more people are coming online each day. For a cyber-criminal, that is just money in the bank. It is kind of hard to miss when the number of targets is always increasing!  

Yet, you don’t have to be part of the statistics if you follow E-Commerce security best practices and remain vigilant in taking care of the integrity of your customer data as well as your own. Customers will take notice of the extra steps taken to protect their data and that trust can be translated into brand affinity.  

Plus, safeguarding your site and its data ensures that the services and goods you deliver match your financial and operational capabilities, helping you construct a rock-solid reputation that drives more revenue to your site.  

The world of cyber criminality and cybersecurity is in constant flux, it is constantly evolving, and as such, your E-Commerce site has to evolve with it if you want to stay in lock-step with cybersecurity best practices. However, the amount of information can be daunting, and managing a business is more than enough responsibility to deal with. At Luminous Tec we envelop all of our projects in the warm embrace of cybersecurity and can manage and maintain all aspects of your E-Commerce project so that you can focus on your business. Let us guide you through the forest of jargon, terminology and regulation so that you can focus on the open plains of profit!

Partner with a trusted E-Commerce development company like ours to ensure your strategy is expertly executed. Contact us today to learn more about how we can help you achieve your goals.
