In 2019 online retail is a booming business. As technology keeps getting faster, e-commerce has some undeniable advantages:
- it is the best way to attract customers and to gain visibility;
- it has low operating costs;
- it is much easier to start and manage than a physical store;
- it offers the possibility to explore different dynamics of your business (you can reach every market in the world, you can constantly keep an eye on your customers’ buying habits and you can have a faster response to the market demands).
But with an e-commerce store you have more to worry about than competition from other organisations in the same sector. Customers are constantly looking for an ever more personalized experience and a comfortable shopping environment. This is what drives retailers to rapidly improve their websites and develop their mobile applications (often neglecting aspects such as properly testing security).
What can you not afford to forget in this race to provide a great online shopping experience?
Trust is the most valuable currency!
In order for your visitors to be converted into customers, not to abandon their shopping carts before completing the purchase, and to become loyal customers who keep returning to shop on your website/application, it is highly important that they have the confidence to entrust you with their personal and financial information.
Building digital trust and securing your customers requires you to understand the cybersecurity level of your website/application and to constantly check, evaluate and improve its security.
To better understand the challenges of e-commerce security, let’s go together through the most common cybersecurity risks of an e-commerce store and see what they entail:
1. Phishing attacks
These are social engineering attacks that seek to steal user data, including login credentials and credit card details, by masquerading as a trustworthy entity.
There are several types of phishing attacks used by cybercriminals to make users perform some action. The most common phishing attack involves sending authentic-looking emails about the need to verify account information, undesirable account changes and other scams, with the goal that the user will click on a link or visit a bogus website where sensitive information is collected.
For online retail, we would like to draw your attention especially to two types of phishing attacks:
- content injection phishing: the hacker replaces part of the content of a legitimate website (by exploiting a vulnerability) with false content designed to mislead or misdirect the user into giving up sensitive information;
- spear phishing: a targeted form of phishing in which the emails are highly customized for specific persons within an organisation (CEO, executives, contractors etc.) with the goal of stealing data or installing malware on the recipient's computer, gaining access to the target's network and, from there, capturing the customers' credit card information.
A single click on a malicious link is enough to cause a security breach.
2. DDoS attacks (Distributed Denial of Service)
DDoS is a technical attack that involves overwhelming a server with traffic from multiple sources (a group of internet-connected devices that have been infected so they can be remotely controlled to send malicious requests, packets or data), with the consequence that the server reaches saturation and starts denying legitimate connections. As a result, the server slows down or even shuts down completely.
Because no sales are possible while the website is offline, the immediate effect of a DDoS attack is the loss of profit that might otherwise have been realised (the losses are usually much higher during holidays, when demand is also higher). When customers have so many options on the internet, it is highly unlikely that they will wait until your website is back online. It should also not be overlooked that DDoS attacks are often used as a diversion for a more malicious attack.
3. Man in the middle attack (MITM)
A MITM describes an attack where the attacker places themselves between two devices (a web browser and a web server) and intercepts the communication.
Depending on the target or the goal, many techniques are used for MITM attacks. Regarding online retail, SSL hijacking requires special attention.
SSL hijacking is a web attack based on the principle of computer sessions (the period during which communication between two systems takes place). To understand how SSL hijacking works, you have to be aware that when you connect to a website, the computer and the web server go through a series of steps: (1) the computer connects to an unsecure server (HTTP); (2) the unsecure server automatically redirects to the secure version (HTTPS); (3) the computer connects to the HTTPS server; (4) the HTTPS server provides a certificate, giving positive proof of the website's identity.
In the case of SSL hijacking, the HTTP connection is not redirected to the HTTPS version; instead the attacker, using another computer, holds the secure connection to the server themselves and intercepts all the information passing between the server and the user's computer (including passwords, credit card details and other sensitive data).
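As an added example (not from the original article), the check below walks through the four-step sequence above using constructed responses and reports the configuration gaps that SSL hijacking relies on: an HTTP entry point that is not redirected to HTTPS, and a missing or weak Strict-Transport-Security (HSTS) header, which is what lets a browser skip the plaintext step on later visits. The `shop.example` URLs and header values are constructed for illustration.

```python
from dataclasses import dataclass, field

MIN_MAX_AGE = 31536000  # one year in seconds, the usual minimum for HSTS

@dataclass
class Response:  # one hop of the browser/server exchange
    url: str
    status: int
    headers: dict = field(default_factory=dict)

def parse_hsts(value):
    """Parse a Strict-Transport-Security header into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip() or True
    return directives

def assess(responses):
    """Return the gaps a stripping attacker relies on in this exchange."""
    findings = []
    first, final = responses[0], responses[-1]
    # Step (2) of the sequence: the HTTP entry point must redirect to HTTPS.
    location = first.headers.get("Location", "")
    if first.url.startswith("http://") and not (
            300 <= first.status < 400 and location.startswith("https://")):
        findings.append("http entry point is not redirected to https")
    if not final.url.startswith("https://"):
        findings.append("session ends on plain http")
    # With HSTS the browser skips step (1) on later visits: no plaintext hop.
    hsts = final.headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("no HSTS header")
    else:
        directives = parse_hsts(hsts)
        max_age = directives.get("max-age", "0")
        max_age = int(max_age) if str(max_age).isdigit() else 0
        if max_age < MIN_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in directives:
            findings.append("HSTS does not cover subdomains")
    return findings

# Constructed samples (no network): a well-configured shop, and the exchange a
# stripped client sees when the attacker keeps the plaintext hop open.
GOOD = [Response("http://shop.example/", 301, {"Location": "https://shop.example/"}),
        Response("https://shop.example/", 200, {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"})]
STRIPPED = [Response("http://shop.example/", 200)]
```

Running `assess` on real responses captured from your own shop (one `Response` per redirect hop) shows whether a customer's first plaintext request is the only unprotected moment or whether every visit exposes one.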
4. Malware
Malware is any malicious software (program, file, code) specifically designed to harm systems.
There are many types of malware, each with different functions: viruses, trojans, spyware, worms, ransomware, adware, botnets etc. Despite their diversity, all malware seeks to take control of the device and interfere with its normal activity. Although it cannot harm the hardware, it usually has the capability to provide remote access for the attacker, to send spam from the infected device, to steal sensitive data or to monitor your computer activity without your knowledge or permission. Note that malware commonly uses spam and phishing emails to infect devices.
In the e-commerce world, ransomware requires special attention. Ransomware is typically malware that locks down a computer or encrypts its files, threatening to erase everything unless a payment is made (payments are usually made in bitcoin or another cryptocurrency, as they grant anonymity). There are two types of ransomware in circulation:
- encrypting ransomware: it is designed to encrypt the system's files and, after the payment is made, provides the victim with a key that can decrypt the content;
- locker ransomware: it locks the victim out of the operating system without encrypting the files. The victim has to pay a ransom to regain access.
Usually the code behind ransomware is not very advanced (ransomware relies on spam e-mail and social engineering) and it is easy to obtain through online criminal marketplaces, while defending against it is very difficult.
Ransomware has gained a lot of popularity in recent years due to cryptocurrency payment methods. In 2019, the global damage caused by ransomware is expected to exceed $11.5 billion.
E-commerce websites are a very tempting target for cyber criminals because they manage a lot of sensitive data (personal information, credit card details etc.). All the attacks described above, as well as many others, represent a permanent possibility and threat for online retail, since any software and any e-commerce platform has vulnerabilities that are, or will become, known to cyber criminals.