The sharp increase in online shopping since the start of the COVID-19 outbreak has led to a significant rise in cyber-attacks on ecommerce websites and apps, making it imperative for retailers to stay alert to the latest risks.
Ecommerce has come under a great deal of added pressure since the start of the pandemic. Lockdown restrictions and health concerns have had a significant impact on shopping behaviour, creating unprecedented conditions for retailers. With consumers unable to visit brick-and-mortar stores, reliance on ecommerce has grown significantly and companies have been forced to adapt quickly.
BDO found that online sales in the UK showed record growth during May 2020, – 129.5% higher than the same period in May 2019.
Sadly, the growth in ecommerce has been matched by a rise in cybercriminals targeting online retailers. Action Fraud received reports of online fraud totalling £16.6 million in losses since shops closed on 23rd March due to the coronavirus outbreak.
The growth in online shopping has placed increased strain on retailers’ supply chains, order management and fulfilment systems, adding further security challenges to the mix.
Key cyber risks for online retailers
During this time, it is important that organisations are fully aware of the cyber security issues which could damage their business and customer relationships as well having a key impact on their ongoing ability to comply with the GDPR and PCI DSS. Key risks that organisations should be vigilant about include:
Insecure setup and configuration of websites
In the rush to respond to the sharp increase in online shopping, many companies have started taking orders and introducing new ecommerce systems. As a result of this, many may not have fully considered and assessed the security impact of these changes. All these aspects can create potential vulnerabilities for hackers to exploit.
During this period of intense pressure for online retail, there is also a greater risk of introducing web application vulnerabilities, particularly if changes are being rolled out without adequate security testing having taken place. Common web app vulnerabilities that could allow an attacker to access sensitive customer and financial information include data encryption, authentication, cross-site scripting (XXS) and SQL injection flaws.
Cloud security misconfigurations are also a significant problem for businesses. Researchers found that this type of misconfiguration cost companies around $5 trillion in 2018 and 2019 with more than 33 billion records exposed over the last two years.
Mobile application vulnerabilities
Mobile shopping apps have proved to be a valuable way to build and maintain customer relationships during the lockdown, but they are also an attractive target for cybercriminals. Around 26% of fraudulent ecommerce transactions in the first three months of 2020 occurred as a result of compromised web applications – double the figure for the previous three months. The impact of fraud on mobile banking apps highlights the vulnerability of other types of apps. In the US, the use of banking apps increased by 50% during lockdown and the FBI had to issue a warning to users that they may be at greater risk of compromise.
Supply chain risks
No company operates in a vacuum. Every retailer relies on suppliers and partners. While collaboration is good for business, it also increases the possibilities of supply chain security attacks. This is because fraudsters seek to compromise organisations by exploiting their relationships with other companies. According to one breaches survey, only a very small number of UK businesses set minimum security standards for their suppliers. With supply chain attacks on the rise, overlooking this risk is potentially very damaging.
Threat actors have moved quickly to exploit the circumstances created by the pandemic. The combination of a fast-moving situation and an increase in online shopping has created ideal conditions for them. Hackers are looking to compromise organisations both directly and via third party suppliers through phishing. Business Email Compromise (BEC) is a type of attack in which criminals masquerade as colleagues and trusted contacts in order to make fraudulent payment requests. BEC attacks have increased sharply during the pandemic, with a 30% spike in the first 100 days alone.
Card skimming attacks
Another criminal activity which has increased since the start of the pandemic is card skimming, yet a surprising number of companies are still failing to protect their websites effectively. Magecart is one high-profile example of a particularly aggressive piece of card-skimming malware which is used to inject JavaScript into a website checkout or cart page.
Card skimming attacks are very hard to detect, as proven by the fact they have affected so many high-profile companies, including British Airways, Ticketmaster and Newegg. Outdoor clothing retailer, Páramo, was infected with the malware for more than eight months before it was detected. During that time, the personal details of over 3,500 customers were compromised. Accessories retailer, Claire’s, was also recently hit, with an attack reportedly coinciding with the firm closing its physical stores on the 20th March 2020. Cybercriminals stole an unknown volume of customers’ payment card details by infiltrating the company’s Salesforce Commerce Cloud environment for at least seven weeks.
Insecure plugins
While website plugins offer enhanced functionality and features for online retailers, they also create additional security risks. Not all plugins are security-assessed before they are installed or updated regularly, leaving sites vulnerable to attacks which could seek to exploit them. Recent research identified that over 20 million attacks were attempted against more than half a million individual WordPress sites on one day in May 2020 alone. It is essential to check that any plugins in use are validated, showing they come from a reputable source, and regularly updated.
Good security hygiene also extends towards all other software organisations use to support their website and applications. Popular ecommerce platform, Magento, is one good example of a platform which organisations should check at this time. Those that don’t upgrade to the latest branch, 2.x, risk leaving their site vulnerable to attacks as well as failing to comply with the PCI DSS.
Online retailers should also be alert to the risk of Open Source Software (OSS). OSS is widely used by ecommerce businesses due to its flexibility and lower total cost of ownership. Owing to its popularity, OSS has the potential to create vulnerabilities across a huge number of websites. In 2019, the number of OSS vulnerabilities more than doubled.
Practical steps for protecting your ecommerce business
The changing habits of online shoppers and cybercriminals demand that retailers adopt a multi-layered approach to protecting the security of their websites and web applications. Businesses should safeguard their data and assets by:
1. Applying Secure by Design
Secure by Design refers to the principle of designing software and systems with a high consideration of security from the very start of the development process. This means safety is the core consideration for every aspect of a website or piece of software, including its architecture. Prioritising this approach when developing websites and applications as well as rolling out new products and services will ensure that security is always a top priority rather than being an afterthought or forgotten about entirely.
2. Undertaking regular vulnerability assessments
Organisations should conduct regular vulnerability assessments to assess the security of their website and web applications. Web application security testing needs to be undertaken before releasing a new site or application and after rolling out new features and services. Assessments can help to identify misconfigurations, out of date software plugins and use of unsafe user credentials. Web application pen tests should also be commissioned periodically to help identify the vulnerabilities that automated scanning tools can miss. These vulnerabilities include the ones currently listed in the Open Web Application Security Project’s top ten web application security risks.
3. Providing employee training
A company’s employees make up one of the most important lines of defence against cybercriminals. Unfortunately, a common approach used by hackers is to gain initial access to systems by first compromising the account of a member of staff. Retailers should provide comprehensive staff training on security measures and best practices. As part of this, staff need to understand the importance of setting strong passwords and keeping employees updated about the latest phishing campaigns to ensure they avoid opening links and attachments from unknown senders.
4. Managing user permissions and privileges
Ensuring staff only have the minimum level of system and network access needed to perform their job is vital to help limit the amount of damage a hacker could inflict. It means that users should only have the minimum rights required to perform their role. In 2018, event ticketing site TicketFly lost data relating to 26 million customers. During the breach, a hacker was able to gain access to the webmaster’s account, which provided all the privileges and access needed to steal the data. It is important to manage user permissions and privileges very carefully, perhaps splitting them up across a variety of accounts.
5. Using a web application firewall
One common line of defence for online retailers is a web application firewall (WAF). WAFs help to protect website and applications by analysing both HTTP and HTTPS web traffic in order to identify and block attacks. While a WAF is very useful, it’s important to note that most solutions only defend against attacks with known signatures. For this reason, WAFs offer little protection against new types of threats.
6. Staying proactive about endpoint and network monitoring
It is essential for retailers to be vigilant about the status of their website so they can act quickly if anything suspicious occurs. Ecommerce companies should regularly monitor their websites, web servers, databases and backend infrastructure for signs of suspicious behaviour which could indicate that a breach has occurred. This is a task that can be performed manually by an administrator or automatically through the use of monitoring technologies such as Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) tools.
Securing ecommerce success in the long-term
Adapting to change is an integral part of business. But the cyber security risks created by the COVID-19 pandemic have created significant challenges, and will continue to do so. Cybercriminals are extremely opportunistic and the large number of new ecommerce sites created in response to the pandemic has provided them with many new opportunities to launch attacks.
The ending of lockdown restrictions doesn’t necessarily mean a reduction in the demand for ecommerce. Despite lockdown easing, shopping habits have changed. Security strategy and protections need to change too.
To safeguard the security of their customers and their business, retailers need to focus as much on the technology they use to sell their products as the products themselves. Staying up to date with cyber security and accessing expert support at the right time can help ecommerce companies to thrive in volatile commercial conditions.