Cybersecurity in eCommerce is a burning issue. We saw this more clearly during the pandemic and the government restrictions that followed, when even more people had to move online. Gaps in online store systems and, above all, the ignorance of customers and eCommerce employees are a major problem and threat. So how can eCommerce be made safe?
According to the European Network and Information Security Agency, hackers attack online every 4 seconds! This bleak scenario is unfortunately the reality that eCommerce owners in particular have to face. They are responsible for the security of customer data, but also for the operation of their services. With more people and more aspects of life moving online, hacker attacks have become more frequent, sophisticated and advanced. Hackers are no longer using just malware, but are also creating fake online stores. A UCE RESEARCH study conducted for Modern Commerce Group found that in 2020, nearly 40% of Poles encountered a fake eCommerce store.
Lockdown periods have also changed the online activity of new social groups. People over 55 years old started to use eCommerce much more actively. Unfortunately, these people are statistically more vulnerable to fraud than digital natives. An extremely important element of taking care of cybersecurity is therefore not only investing in better technology, but also educational campaigns addressed to different groups.
Extensive functionality, customizations for your customers, scalability, SEO optimization - all of these are important in the context of an eCommerce platform, but without the security of personal data, payment transactions, and files, they don't matter much.
When choosing a platform, you need to keep in mind that platforms evolve. So you need to keep track of their updates to maintain data security and decide to migrate at the right time. This is the case with e-shops based on Magento, one of the market leaders among eCommerce platforms.
In June 2020, after more than 10 years of development, Magento 1 support was officially terminated by Adobe, the owner of the eCommerce platform. What does this mean from the point of view of e-shops? The most important consequence for those businesses which decided not to migrate to the higher version, Magento 2, is that they are vulnerable to hacking attacks. For more than a year, Adobe has supported data security only on platforms built on Magento 2. Those persisting on the earlier version thus receive no security updates, which can lead to uncontrolled data leaks and unauthorized access. Any gap discovered in Magento 1 can thus be fixed only by the particular eCommerce company, without vendor support, which entails much higher costs of keeping the platform in optimal condition. The lack of updates in this case also implies a loss of compliance with the Payment Card Industry Data Security Standard (PCI DSS), the standard for secure processing of payment cardholder data.
The hacker attack on more than 2000 online stores based on Magento 1 shows how unprofitable staying behind can be. It took place in September 2020, less than 4 months after support for this version of the eCommerce platform was discontinued. Hackers broke into the sites and stole payment card data by installing malware.
The types of hacking attacks keep changing and adapting to current technologies. Therefore, it is crucial to regularly test eCommerce systems for new vulnerabilities to cyber attacks. Below we describe the most popular ones; the list does not exhaust the topic, but it illustrates some patterns of threats present on the web.
DDoS (Distributed Denial of Service) is one of the most popular and common hacking attacks. It consists of overloading and consequently slowing down the eCommerce services as much as possible by rapidly increasing the amount of traffic on the platform. This type of attack is most dangerous during seasonal promotions, when the store plans to make the most profit.
Data breaches unfortunately occur more often due to human carelessness. This was the case with the leaked employee data of McDonald's Poland. The chain left the sensitive information in a... public folder. For eCommerce, the most important thing is the security of invoices, customer data, passwords and logins. It is therefore important to protect them, storing passwords only as hashes produced by modern password-hashing algorithms, but also to educate customers about making their passwords unique and as strong as possible.
Phishing
Phishing is a slightly more subtle attack aimed directly at the eCommerce customer. In such an attack, the hacker forges, for example, the domain address and the login panel. Using manipulation techniques, he persuades the customer to enter his personal and payment data. Phishing also takes the form of spam SMS messages, e-mails or phone calls, which unfortunately still take their toll in the form of stolen data. How to protect yourself against this kind of attack? Many companies decide to buy domains with names similar to the official brand website. Simple safeguards are requiring strong passwords and two-step verification.
Ransomware
Ransomware is one of the worst attacks from an eCommerce perspective. Hackers install malware that encrypts data. The next step is blackmail and extorting a ransom in exchange for access to the stolen information. Many companies have been among the victims of ransomware attacks, from giants like Garmin and JBS to smaller online stores. The burning issue for eCommerce is the decision whether to pay the ransom. Whatever the decision, there is no guarantee that the stolen customer data will remain safe.
In addition to educating customers about cyber attacks and the social engineering used by hackers, and the necessity of regular updates to eCommerce system security, it is important to perform preventive penetration tests (pentests). These involve conducting a hacking attack under controlled conditions. This process catches security gaps and shows how vulnerable the system is to hacking techniques and how resistant it is to breach attempts. After completing such an audit, the pentesters, whom some call legitimate hackers, send the eCommerce business a report listing all system vulnerabilities and recommendations. The great value of penetration tests is that they are conducted from the perspective of a potential hacker. It is worth conducting them at the time of big changes on the platform: new functionalities, software or layout.
The moment of payment in an online store is crucial from an eCommerce perspective. A customer will not complete a transaction without a sense of trust in the store. What will reassure the consumer that shopping at your store is safe?
First, the payment methods. Customers like to have a wide choice. However, there is no point in offering every possible method; instead, it is worth following current trends. And these trends show that fast transfers and BLIK are very popular, not only because of their convenience, but also because of the trust these solutions evoke in customers.
Secondly, security. An SSL certificate is a basic requirement that no eCommerce site can do without. This standard security protocol encrypts the connection between the visitor's browser and the store's server. It guarantees that all data exchanged between the online store and its customers is encrypted in transit. In the context of payment security, it is also worth using the 3-D Secure service, i.e. authorization of online transactions made without the physical use of a card. A customer entering his credit card data additionally authorizes the purchase with a code, which he receives in an SMS message.
Third, legal notes. Store regulations (terms and conditions) are a mandatory legal document for eCommerce. They regulate the content of the legal relationship between the service provider (seller) and the service recipient (buyer). Lack of regulations violates the collective interests of consumers and may be grounds for action by the Office of Competition and Consumer Protection. In legal terms, online stores must also comply with the requirements of the Regulation on Personal Data Protection (RODO, the Polish name for the GDPR). The regulation sets out, among other things, the rules for data processing, observance of the rights of data subjects and the obligations imposed by the RODO on data controllers. An example of a document that demonstrates a good and caring approach to customer data protection is the privacy policy. It contains information about the data retention period, any intention to transfer data, the right to request access to data from the controller, and the right to lodge a complaint with the supervisory authority.
Online stores are increasingly falling victim to hacking attacks, and this is unlikely to change in the future. Investing in security should therefore be a matter of course, but not everyone in the eCommerce industry remembers this. Numbers and financial arguments will help to convince them, but so will the analogy to brick-and-mortar stores. Entering such stores as customers, we expect the presence of security staff, and we also understand the sense of investing in anti-burglary doors, bars and locks and every possible solution that ensures the safety of customers and employees. So there is no reason to look for arguments against investing in eCommerce security, is there?