Cyber Monday is just around the corner, so ecommerce retailers are revving up for a make-or-break holiday season. Unfortunately, online attackers are also getting ready, too — ready to try to infiltrate your ecommerce site for your customers’ personal and credit card information during the busiest shopping weeks of the year. That means you need to do all they can to crank up your cybersecurity efforts at this critical time.
Data shows that ecommerce retailers are, more than ever, getting caught in cyber criminals’ cross-hairs. A recent study from Symantec, for example, found that attackers have turned their focus to ecommerce sites, particularly using “formjacking,” which uses malicious codes on ecommerce sites to steal consumer credit card information.
As threats constantly evolve, cybersecurity needs to be a part of every ecommerce retailer’s holiday strategy, according to Josh Zelonis, principal analyst at Forrester Research. Those that don’t take security seriously are risking their reputation, and therefore their business, he explains — not to mention the financial repercussions that could come as a result of a new regulatory environment, including GDPR. “The holiday season is only a few weeks long, so imagine what a breach could do if it happens at that time,” he says. “So if IT pros are not doing at least the core things that need to be done, you’re just setting yourself up to be a victim.”
Small online retailers, take note
Smaller sites are often the most vulnerable, says Dave Gruber, senior analyst at ESG, because attackers often target smaller sites that traditionally invest less in security controls. “These sites are easier to penetrate, and often lack detection and response resources, giving attackers a lengthier amount of time to carry out their attacks,” he says.
Zelonis agrees: “I frequently come across retailers having a lot of problems with the basics of security, particularly smaller and mid-sized retailers,” he says. “The fundamental problem is that everybody else is improving and getting more sophisticated — not just adversaries but competitors as well.”
There are three primary ways an adversary can enter and compromise an ecommerce site, Zelonis adds: One is through unsecured remote access, including using Remote Desktop Protocol (RDP); another is through human error, such as clicking on phishing emails. Finally, the threat of consumer data loss looms large, through browser skimming attacks such as Magecart, which is a consortium of malicious hacker groups who target online shopping cart systems, usually Magento, to steal customer payment card information.
In August 2019, for example, over 80 ecommerce sites were found to have been compromised by Magecart groups, including large, reputable motorsports and luxury goods sites. In addition, global brands such as Ticketmaster and British Airways were targeted in 2018. “Ecommerce companies need to be cognizant that adversaries are very sophisticated with this type of attack, and organizations will go for a long period of time without knowing they were compromised,” says Zelonis.
What is causing the rise in ecommerce fraud?
According to the 2019 True Cost of Fraud study from LexisNexis Risk Solutions, overall retail fraud attempts have doubled year-over-year and tripled since 2017. More types of retail and ecommerce merchants have been targeted, including small businesses, resulting in an increased cost of fraud ($3.13 for each $1 of fraud in 2019 vs. $2.94 a year ago).
The study found several trends driving the rise in ecommerce fraud risk: For one thing, mobile commerce has boomed, even among smaller retailers that want to provide a convenient customer experience and meet consumer expectations. In addition, there has been a rise in international transactions that produce more risk around identity verification; and merchants are increasing their mix of digital goods compared to physical goods. “The ability to detect fraud in mobile channels, global transactions and digital, non-shipped goods is simply more difficult,” says Kimberly Sutherland, vice president of fraud and identity strategy at LexisNexis Risk Solutions.
Another big fraud driver is bot attacks, particularly as criminals take advantage of the huge holiday volume to hide their aggressive bot efforts. According to Tiffany Kleeman, vice president of bot management at Imperva, bad bots are a problem faced by every business with an online platform, this is especially true for the ecommerce industry. An Imperva study, in fact, recently found that 17.7 percent of internet traffic on ecommerce sites can be traced back to bad bots.
“Bad bots commit a wide range of harmful activities including unauthorized price scraping, inventory checking, denial of inventory, scaling, customer account takeover, gift card abuse, spam comments, and transaction fraud, all of which have a significant impact on the customer experience and can ruin the reputation of any ecommerce business,” she says.
Cybersecurity action plan for ecommerce retailers
While the holidays are coming fast and it may seem overwhelming to address cybersecurity issues so late in the game, this is no time to throw up your hands, say Zelonis. “Security infrastructure hygiene is a marathon, not a sprint,” he says. “Doing nothing now puts you in a bad spot come January when the rush is over, and you’ll be two months behind on all the things you need to be doing which can then have grave effects on the organization through 2020 and beyond.”
To that end, these are several short and long-term cybersecurity steps to tackle, no matter what time of year it is:
- Plug holes with the right patches and updates. Don’t ignore the obvious, says Brendon Macaraeg, head of product marketing at Signal Sciences. “Attackers go after known, published vulnerabilities across all the key pieces of infrastructure that host, serve and feed data into your ecommerce application,” he says. By installing the latest software revisions and patches, you’re plugging those potential holes that attackers would otherwise leverage.
- Adopt additional identity verification methods. The need to adopt additional identity verification methods, such as incorporating location-based digital identity elements and behavioral biometrics is something that many smaller retailers and many mid to large still need to really embrace, says Sutherland: “Retailers don’t want to increase customer friction, but it is essential to lower the cost of fraud.”
- Make sure employees understand priorities. Phishing attacks constantly entice employees into clicking links or downloading attachments that install malicious software. That means organizations need to make sure employees understand the threat to the organization and what their priorities should be, says Zelonis. “Rather than thinking they have to focus on how many emails they can sift through, they should be trained to be on the lookout for phishing attacks and how essential it is to cybersecurity.”
- Instill security deeply into devops processes. It is a broad, long-term goal, but Gruber emphasizes it is essential to ensure that every application update is analyzed carefully to ensure new vulnerabilities are injected into applications. “Next-gen web application firewalls are also helping close additional security gaps, and browser skimming threats can be secured using newer web application and API protection platforms,” he explains.
- Block bad bots. There is no one-size-fits-all way to protect against bot attacks, but there are proactive steps ecommerce retailers should take, says Kleeman. These include blocking or capturing outdated user agents/browsers; blocking known hosting providers and proxy services; and blocking all access points. “Be sure to protect exposed APIs and mobile apps, not just your website, and share blocking information between systems wherever possible,” she explains.
Don’t wait to shore up ecommerce security
Ecommerce is typically not a high-margin industry, which means there is often less money to spend on cybersecurity on websites and apps, says Zelonis. Yet, at the same time, attackers are increasingly turning their attention to ecommerce retailers, so a data breach could always be close at hand. “We’re not getting vulnerabilities remediated in a sane amount of time, which leaves the door open for a lot of consequences that can happen,” he explains.
Attackers will continue to innovate and leverage new vulnerabilities in applications, browsers and cloud infrastructure, says Gruber. The key, he adds, is to act now, even if your holiday efforts are only the start of a long-term journey that lasts all year long. Doing so is essential to boosting customer trust and keeping attackers at bay.
“Ecommerce fraud continues to escalate, so this year we will see more issues than ever before,” he says. “It’s a cat and mouse game.”