General security

Top cybersecurity lessons for e-commerce website administrators

February 3, 2020 by Susan Morrow

Introduction

In 2018, card-skimming malware targeting Magento-based online stores infected 7,339 e-commerce sites. Any customer entering card details into an infected site had those details exposed to fraudsters. According to Sophos, the malware homed in on vulnerabilities in Magento and also exploited other weaknesses, including dormant accounts and poor authentication.

By the end of 2019, there were around 2.1 billion online retail purchasers in the world. Around 80% of people in the U.S. shop online and over half of those use their smartphone to make a purchase. Shopping online requires high levels of fraud detection and security. This is evidenced by the $130 billion loss expected from 2018–2023 from digital CNP (Card Not Present) fraud.

As owners, administrators or hosts of e-commerce sites, we need to make sure we offer our customers the most secure experience we can.

Why it is a win-win-win to have a secure e-commerce website

Happy customers are loyal customers and they spread the word that your site is a safe bet. But making sure that your online experience is secure is not just about creating a great relationship with your clientele. It is about other aspects of online life too, including:

Meeting compliance requirements

If you process personal data and/or handle financial information, you will come under the watch of numerous data protection and financial regulations. This may be by geography or industry, but it is likely to include the General Data Protection Regulation (GDPR) and/or the California Consumer Privacy Act (CCPA). 

You may also need to ensure you meet financial regulations such as PCI-DSS and PSD2. All of these regulations have at least some focus on data security and privacy.

Reducing data breaches and other security threats

Poor e-commerce web security can result in a variety of costs, including the cost of data breach notifications, cost of downtime, loss of custom and fines from non-compliance.

The threats from CMS-related malware, along with many other threats to e-commerce sites, can be mitigated by following certain security hygiene measures. Here we look at some of the most important.

10 ways to protect your e-commerce website

Here is a top tip list of things to check to make sure you de-risk your e-commerce website.

1. Secure your communications

If you don’t already have your e-commerce site configured to use HTTPS, make this a priority. HTTPS is achieved by enabling the secure communication protocol Transport Layer Security (TLS) across your whole site. TLS is the successor to the older Secure Sockets Layer (SSL) protocol.

Having HTTPS in place ensures that any data transferred between the browser and the web server is encrypted and authenticated. It is especially important to make sure that any pages that handle personal data and/or financial information are served over HTTPS.

2. Establish robust authentication

Many malware infections of e-commerce sites are caused by insecure administrator logins to the backend system and CMS interface. Always change default passwords after you have set up and configured your site. Wherever it is supported, enable two-factor authentication for all administrator accounts.

3. Use audit tools to check any unusual login activity

Robust authentication is something you need to consider for your users as well. If you allow a customer to create an account, make sure that the account login credentials are designed to be as secure as possible.

Ideally, this means enabling customers to set up a second factor to log in after they’ve entered a password. Protecting customer data from phishing means that you will need to use a second-factor authentication system or an alternative. Depending on the level of risk of the e-commerce site and transaction, you may have to create even more secure authentication options, including risk-based and biometric.
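The heading of this section talks about auditing login activity, and the introduction mentions dormant accounts and poor authentication as the way skimming malware got in. The following is an added example (not code from the original article) of the kind of check an audit tool can run over admin-login audit lines; the log format, the sample lines, and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines in a hypothetical format: "<ISO timestamp> <user> <source IP> <result>"
SAMPLE_LOG = """\
2019-11-01T10:00:00 oldvendor 192.0.2.9 success
2019-12-10T09:00:00 admin 203.0.113.5 success
2019-12-11T09:05:00 admin 203.0.113.5 success
2020-02-01T02:10:00 admin 198.51.100.7 failure
2020-02-01T02:10:04 admin 198.51.100.7 failure
2020-02-01T02:10:09 admin 198.51.100.7 failure
2020-02-01T02:10:13 admin 198.51.100.7 failure
2020-02-01T02:10:18 admin 198.51.100.7 failure
2020-02-01T02:10:25 admin 198.51.100.7 success
2020-02-01T03:00:00 oldvendor 198.51.100.7 success
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (success|failure)$")

def parse(log_text):
    """Return (timestamp, user, ip, result) tuples in time order; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, ip, result = m.groups()
            events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)

def find_unusual_logins(log_text, dormant_days=30, burst=5, window_s=60):
    """Flag (a) a successful login to an account idle for more than dormant_days and
    (b) at least `burst` failures from one IP within window_s seconds, then a success."""
    alerts, last_success, failures = [], {}, defaultdict(list)
    for ts, user, ip, result in parse(log_text):
        if result == "failure":
            failures[ip].append(ts)
            continue
        prev = last_success.get(user)            # (a) dormant account reactivated
        if prev is not None and ts - prev > timedelta(days=dormant_days):
            alerts.append(f"dormant-account login: {user} from {ip} at {ts.isoformat()}")
        last_success[user] = ts
        recent = [t for t in failures[ip] if ts - t <= timedelta(seconds=window_s)]
        if len(recent) >= burst:                 # (b) brute force / credential stuffing
            alerts.append(f"failure burst then success: {user} from {ip} ({len(recent)} failures)")
        failures[ip] = []                        # reset the window once a success is seen
    return alerts
```

Running `find_unusual_logins(SAMPLE_LOG)` on the constructed lines yields three alerts: the admin account reactivated after 52 idle days, the same login preceded by five failures within 25 seconds, and the long-dormant vendor account logging in from the same source address.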

4. Secure web servers

Misconfigurations are behind many web server compromises. Sometimes the installation and configuration of a web server is performed using sample or default files and configuration options. Often these will not have been optimized for security, and may even leave the server open to external actors through exposed services or default passwords.

Do not take security for granted and check all of your configuration settings, both on first setup and whenever an update is installed.

5. Plugin and site theme hygiene

Plugins can be a conduit to insecurity, adding vulnerabilities to your site. In 2018, thousands of sites were infected with malware because of insecure plugins or themes. 

There are many thousands of plugins available, performing a myriad of functions. Make sure that you choose well-tested plugins that are community-checked and given the OK.

6. Patch in time

All of the components of your e-commerce website, including the CMS backend, plugins and themes, need to be regularly updated as new patches come out. If you don’t, there is a higher risk that your site will be identified for attack; cybercriminals use bots to look for unpatched systems to target.

7. Keep payments secure

Online transactions are a focus for cybercriminals. The European Payments Council points this out in its “2018 Payment Threats and Fraud Trends Report.” Ensuring that online payments are done securely is important from a customer perspective and to ensure you remain in compliance with financial regulations.

New initiatives such as the Payment Services Directive (PSD2) have added layers of security to online payments. This includes Secure Customer Authentication (SCA), which requires that a “customer-initiated” online payment has an extra authentication step during the payment process. PSD2 and SCA are EU initiatives; however, they affect any company that sells globally.

8. Be security-aware

Having everyone who is involved in an e-commerce site be security-aware is important. Many security attacks start with simple things. Security awareness training tailored to the different roles in an e-commerce operation can help lower your cyber-risk. Topics such as not sharing passwords, how spearphishing works and ensuring that updates are done promptly will usually be covered in the training.

9. Offer customer security awareness

Security awareness can potentially become part of your customer support. Many sites now offer blog posts and other content advising customers about how to keep cyber-safe and secure. This can include advising on the tell-tale signs of phishing and password advice.

10. Secure backups and disaster recovery

You should aim to have a backup and disaster recovery plan in case the worst happens. Having your e-commerce site out of action costs time and money, so a secure backup is essential. Having a process in place to ensure swift recovery will help everyone understand their role and what has to be done to get the site up and running again.

Know your OWASP and all the other forms of e-commerce cyberthreats

The above list is by no means exhaustive. However, OWASP compiles a Top Ten list of web application security risks to keep you up to date with the most prevalent cyber-threats.

This list, which includes some of the issues mentioned here already, also gives you advice on how to manage each risk. For example, the top risk in OWASP’s list is “Injection.” An injection vulnerability allows an attacker to inject their own code into a site, which can then, for example, take over a page and extract payment information.

Check out OWASP’s “how to prevent” section about the various ways to stop an injection attack.


Sources

  1. Credit card gobbling malware found piggybacking on ecommerce sites, Naked Security by Sophos
  2. Number of digital buyers worldwide from 2014 to 2021, Statista
  3. Relatively few Americans regularly post their own online reviews, Pew Research Center
  4. Retailers to Lose $130bn Globally in Card-not-Present Fraud over the Next 5 Years, Juniper
  5. Multi-Vector WordPress Infection from Examhome, Sucuri Labs
  6. 2018 Payment Threats and Fraud Trends Report, European Payments Council
  7. Law details, European Commission
  8. OWASP Top Ten, OWASP