E-commerce
The main cyber-criminal activities can be grouped into the following themes:
Defacing – Involves editing or replacing content on your site and is sometimes
known as ‘digital graffiti’. This could be a targeted attack to undermine your clients’
trust in your business, or perhaps something politically motivated to further someone
else’s message.
Spamming – Sends out emails, sometimes with advertising and sometimes with
phishing scams. Messages are often sent out repeatedly and in bulk, and it could be
to any email address including those associated with your website or hosting. Your
server can be blacklisted because of spamming, preventing you from sending
legitimate emails.
Phishing – Exploits the trust of a user to obtain login details, personal details or
financial information. This can be used to gain access to email inboxes or other
password protected areas.
Malware – Designed to infect a system and cause it harm, making changes against
the user’s will and knowledge. It’s a general term covering anything from viruses to
advertising software (adware). It can force the user into a network of other hacked
devices controlled remotely by the hacker. These networks are often used for DDoS
attacks.
DDoS attacks – Use the network of devices behind them to bombard a site a system
with waves of traffic or requests that overwhelm the system and take it offline.
Your site could be a victim of this, or if it is part of the network used to attack others,
it could be taken offline by your host or server provider when it is detected. Some of
these attacks, e.g. DDoS, will also affect other websites on the same server. So when
you are considering your hosting options please check if your provider applies
security updates to all the software.
Content injection – Black hat SEO technique (Search Engine Optimisation in
violation of the search engine guidelines) that involves inserting links to other websites
into your site. This could be to increase the traffic of another website or to generate
click-through revenue. Some of these will be visible and some of them won’t be, but
search engines will be able to find them and may blacklist your website from SERPs
(Search Engine Results Pages) meaning your customers wouldn’t be able to find you.
Interception of data – Containing credit card numbers or addresses is a possibility
on insecure sites. The data is used by criminals to sell on, make purchases and all
sorts of other criminal activities. If your site handles this kind of information, and
you have not taken appropriate measures, such as installing security updates and
implementing HTTPS (SSL) to encrypt data for all sites that take payment online, then
you could be prosecuted under the UK Data Protection Act (under paragraphs 18-27).
Any of these types of attacks are bad for business. Your site could go down completely
or your customers could become confused or annoyed at suspicious emails or
advertising emails not related to your brand. In extreme cases, personal details of your
clients or commercially sensitive data could be stolen. Your website could also suffer a
fall in traffic and rank due to search engine algorithms no longer classing your site as
trustworthy. Here are some ways you can protect your site:
How and why should you protect your e-commerce site?
352 Views
Over the past number of years, there has been a monumental increase in the amount
of business conducted electronically, and as a result, this has led to a lot of security
issues particularly in mobile commerce.
E-commerce Security includes a number of areas including privacy, integrity,
authentication, and non-repudiation. A breach in any of these areas can result in major problems
chargebacks for an online vendor, a purchaser, or both. Hackers try to steal credit card and other sensitive information from eCommerce sites
daily. To protect and reassure your customers, it’s important to know how to protect
your e-business and your sensitive customer data. One major breach chargebacks,
system someone stealing your business name or copying your products; could mean
the end of your business.
The main cyber-criminal activities can be grouped into the following themes:
Defacing – Involves editing or replacing content on your site and is sometimes
known as ‘digital graffiti’. This could be a targeted attack to undermine your clients’
trust in your business, or perhaps something politically motivated to further someone
else’s message.
Spamming – Sends out emails, sometimes with advertising and sometimes with
phishing scams. Messages are often sent out repeatedly and in bulk, and it could be
to any email address including those associated with your website or hosting. Your
server can be blacklisted because of spamming, preventing you from sending
legitimate emails.
Phishing – Exploits the trust of a user to obtain login details, personal details or
financial information. This can be used to gain access to email inboxes or other
password protected areas.
Malware – Designed to infect a system and cause it harm, making changes against
the user’s will and knowledge. It’s a general term covering anything from viruses to
advertising software (adware). It can force the user into a network of other hacked
devices controlled remotely by the hacker. These networks are often used for DDoS
attacks.
DDoS attacks – Use the network of devices behind them to bombard a site a system
with waves of traffic or requests that overwhelm the system and take it offline.
Your site could be a victim of this, or if it is part of the network used to attack others,
it could be taken offline by your host or server provider when it is detected. Some of
these attacks, e.g. DDoS, will also affect other websites on the same server. So when
you are considering your hosting options please check if your provider applies
security updates to all the software.
Content injection – Black hat SEO technique (Search Engine Optimisation in
violation of the search engine guidelines) that involves inserting links to other websites
into your site. This could be to increase the traffic of another website or to generate
click-through revenue. Some of these will be visible and some of them won’t be, but
search engines will be able to find them and may blacklist your website from SERPs
(Search Engine Results Pages) meaning your customers wouldn’t be able to find you.
Interception of data – Containing credit card numbers or addresses is a possibility
on insecure sites. The data is used by criminals to sell on, make purchases and all
sorts of other criminal activities. If your site handles this kind of information, and
you have not taken appropriate measures, such as installing security updates and
implementing HTTPS (SSL) to encrypt data for all sites that take payment online, then
you could be prosecuted under the UK Data Protection Act (under paragraphs 18-27).
Any of these types of attacks are bad for business. Your site could go down completely
or your customers could become confused or annoyed at suspicious emails or
advertising emails not related to your brand. In extreme cases, personal details of your
clients or commercially sensitive data could be stolen. Your website could also suffer a
fall in traffic and rank due to search engine algorithms no longer classing your site as
trustworthy. Here are some ways you can protect your site:
Choose a secure eCommerce platform.
If you’re with a cheap host that offers as much disk space and bandwidth as you want,
all for a couple of pounds a year, you should think again. You’re probably squeezed in
with thousands of other bargain hunters. The chances are they’re careless about
updating their software so hackers can exploit them and at worst they’re probably
sending tons of spam relating to all sorts of dodgy products and services.
The problem here is that pretty soon the server gets a bad reputation. That means it’s
IP address is probably on loads of blacklists, in turn your emails don’t get through
and your position in the search engine results in decreases.
So if you’re serious about E-commerce the best way to avoid these issues altogether is
to migrate your website over to Certa or move your site to a Virtual Private Server or
VPS for short.
With VPS you get full control over the hosting and you’re not sharing with other
businesses. VPS is very powerful, you can have dedicated resources allocated to you
that you don’t have to share – things like CPU and RAM. This means your site will
not only be more secure but also much, much faster.
Stop collecting or saving customer data
Hackers and identity thieves cannot steal what you don’t have. Do not collect or save
any private customer data through your e-commerce site that is not essential to your
business.
When it comes to processing credit cards, use an encrypted checkout terminal to
eliminate the need for your own servers to ever see the customer’s credit card data.
This might be slightly more inconvenient at checkout time for your customers, but it
comes with high benefits that overshadow the risk of compromising their credit card
numbers.
Tenzing's Security team has some tips for securing your #ecommerce site after #heartbleed pic.twitter.com/zTB5B5hWS5
— Pivotree (@TeamPivotree) April 15, 2014
SSL/TLS encryption
You must encrypt all communications between the website and browsers when
transmitting confidential information. However to keep hackers at bay, maintain
current encryption algorithms such as the latest versions of SSL (Secure Sockets Layer)
or TLS (Transport Security Layer). Although some refer to TLS as SSL, and there is a
technical difference, it’s probably not something you need to worry about. What’s
important is that you avoid vulnerable versions of the encryption library.
SSL is the standard when it comes to securing online transactions. SSL certificate
authenticates the identity of users and encrypts data while at store and transit.
Implementing SSL is essential for E-commerce websites to establish secure connectivity
between the end-user systems and your website.
The padlock icon with HTTPS in the address bar is an essential requirement for
providing their personal details and credit card information. If the consumers believe
that a vendor is doing everything possible to secure their transactions, they are more
likely to do business with them.
Consider Two Factor Authentication
Stolen or compromised user credentials are a common cause of web security breaches.
There are multiple ‘phishing’ ways to steal or guess valid user credentials and
compromise the security of your online store. That is where the need for a proven user
authentication mechanism arises. It is a foundation for securing your online store from
hacking attempts.
Many E-commerce sites are implementing two-factor authentication (2FA) to add an
extra layer of security to their online stores. Two-factor authentication is a security
process in which a valid user needs to provide two means of identification one is
typically the username/password combo, while the second one is usually a code
generated in real-time and sent to a verified phone owned by the user. Hackers might
crack the password, but they cannot steal this code, which usually expires after a short
duration.
Check your updates
Regardless of what technology you use for your Website (i.e., WordPress, Joomla,
Drupal, non-CMS) you have to be mindful of tools, plugins, extensions that are
integrated into your platform. Security updates fix vulnerabilities in systems to
prevent them being exploited by unauthorised users. Keep your website secure from
known vulnerabilities in the CMS software. Additionally, the server software should be
updated regularly. This is the responsibility of the company hosting your website – so
be sure to check your hosting company has these measures in place.