Online commerce is a massive business and only growing larger. With more than half of American consumers now regularly shopping online, Forrester Research expects that online sales in the U.S. will top $355 billion in 2016. Even so, that number represents only around 7 percent of all retail sales, leaving huge room for growth in the industry. Something online retailers are keenly aware of.
Many still have serious questions about the security of their data when ordering online: 60% admit to having concerns about online commerce security, and almost one third of those say they hesitate to shop online because of that concern. This lack of consumer confidence is a growing concern for online merchants.
In 2014, eBay, the online auction giant and, increasingly, the storefront for direct-to-consumer small businesses, was hacked and lost personal information and passwords on every single registered user of the service. Even though no financial information was stolen, users were exposed to brute force hacking attacks on other accounts and became susceptible to a greater level of vulnerability as far as identity theft was concerned.
Working to counter these breaches and clean up their image, online retailers have turned to cybersecurity auditors, engineers and administrators with advanced degrees to up their game when it comes to putting the customer first.
With Unique Opportunities Come Unique Vulnerabilities
The convenience of online shopping makes it a killer app for millions of consumers. But that convenience can extend to unwelcome site users just as much as it does to consumers ready to drop a paycheck on the latest must-haves.
Since almost all customer interaction for online retailers occurs via phone or email, e-commerce sites are particularly vulnerable to social engineering attacks. A Chinese hacker half a world away can pose as a soccer mom from Dubuque or an accountant from New York.
Employers with online stores have to be particularly vigilant against this sort of manipulation, since no amount of technology can prevent an employee from being tricked into giving up sensitive information businesses have on their clients – from addresses, to consumer profiles that include things like birthdays and phone numbers, to registration passwords customers might use elsewhere. Instead, the job of cybersecurity professionals is to come up with procedures and safeguards to verify identity before releasing confidential information. This often leads to tension with customer service.
Theft is One Thing … But Just for Lulz?!
In 2012, senior staff writer for Wired Magazine Mat Honan had his Amazon, Twitter, Gmail and Apple accounts hijacked. As it turned out, the perpetrators were able to exploit Apple and Amazon’s over-the-phone identification procedures to break into the accounts, as Matt later recounted in a Wired Magazine piece. It all started with a temporary password being issued in response to a bogus call to Apple Care for a ME.com password reset … and ended with Mat losing years worth of baby pictures of his daughter and his reputation being tarnished by racist rants coming from his Twitter account. All for the Lulz.
Individually, all companies involved were relatively secure. Played against one another, they made account hijacking easy– a lesson for other information security teams not to look at their procedures strictly in isolation.
Securing the Shop Against Emerging Threats … and Lackadaisical Employees
e-commerce sites run a variety of backend shopping cart and transaction processing software. In cases where this software is developed in-house, careful attention is required to reduce bugs and vulnerabilities at the coding level. Where external software is used, cybersecurity professionals are responsible for validating the vendor and ensuring that patch levels are kept current.
Increasingly, many server and application level functions of e-commerce sites are outsourced to cloud service providers. In those cases, security analysts need to work closely with the cloud provider team and be mindful of what aspects of security can be outsourced safely and which ones need to stay in-house.
Gone Phishing, But it’s No Vacation
A phishing attack involves sending out an email that masquerades as an official document of some sort, requesting confidential information under the auspices of regular business. Very few people actually fall for these scams anymore, but the email can be sent on such a massive scale that somebody somewhere is going to end up giving up the goods. Even if only a tiny percentage of recipients fall for it, the net result can be a significant number of compromises.
Spearphishing is a variant of phishing that is commonly deployed against e-commerce sites and can be much more effective than broad-based phishing attacks. Knowing the target’s employer, job title, and sometimes even their coworkers names allows scam artists to create a much more compelling narrative for the attack email.
Due to the daily requirements for employee and supplier interaction, it’s not feasible to secure employee accounts against these types of attacks. In these situations, the only real defense is for cybersecurity teams to educate employees and constantly reinforce protocols.
The eBay attack was made possible by gaining access to credentials belonging to a small number of the company’s employees. And it wasn’t the first time the company’s sensitive information was compromised as a result of exploiting weak security protocols loosely enforced by lackadaisical staff. In 2010, a spearphishing attack that originated in Romania netted credentials belonging to six different eBay employees.
Cross-site Scripting Attacks Hit the Unwary
Another common vulnerability for e-commerce sites, one that hits both employees and customers, is known as cross-site scripting (XSS). Some sites encourage users to respond to surveys or leave feedback about the product they purchased or their experience with the online vendor. The value to the vendor of having this kind of free user generated content is obvious, but it doesn’t come without risks. XSS attacks involve using customer review forums to craft malicious payloads that hit other users.
Unwary site administrators can fall victim to these scripts as easily as other users. Cybersecurity teams have to work to ensure that all user input that is later displayed on either administrative consoles or the website proper is sanitized of any potentially malicious code.
Investing in Solid Security in Online Commerce Pays Dividends
Some e-commerce sites are finding that paying extra attention to security can be more than just a defensive measure. In some cases, it can provide a genuine business advantage over competitors.
Amazon, for example, despite only selling online, came out on top of a survey asking consumers who they trusted most with their credit card information. The massive online retailer even beat out many traditional brick-and-mortar stores, which are generally perceived as safer.
Amazon has been proactive in providing a two-factor authentication option and is not reticent about quickly notifying users in the event of even theoretical security breaches, a marked contrast to companies that attempt to sit on news of an exposure as long as possible before making it public.
Amazon has also been a heavy investor in cybersecurity startups, and presumably, this isn’t solely for the growth potential.