How to Secure Your eCommerce Website


Attacks on data — also known as hacks — have been a huge problem in recent years.

You may remember some of these attacks from the headlines: 147 million Equifax records hacked, 383 million Marriott records hacked, and up to 3 billion Yahoo records hacked. And, unfortunately, the hacks seem to be more frequent and sophisticated with each passing year. Statista reported 669 data breaches in 2005 and a consistent climb to 1,473 breaches in 2019, in the U.S. alone. These are certainly notable because of the sheer number of records stolen, but small eCommerce businesses are definitely not immune to hacks due to the ease with which they can be penetrated. 25%-30% of small businesses are affected.

Businesses hold plenty of information that makes the effort of hacking worthwhile: names, email addresses, passwords, credit card numbers, phone numbers, and more. Sometimes, though, eCommerce companies make themselves easy to hack. Attackers may not only take your data to use elsewhere; they may also order products from your site with someone else’s credit card information and then sell them on the black market.

Retail fraud and data breaches are a cost that businesses do not want to incur. Lexis Nexis reported in their 2018 True Cost of Fraud study that small retailers will end up incurring $2.30 for each $1.00 of fraud. As such, it is important to have multiple layers of security to protect personal data and payment information.

There are ample ways that sites and users can be vulnerable to security attacks, but there are also numerous ways to make a secure eCommerce shopping cart. Once you understand the risks and the importance of security in eCommerce, we will show you inexpensive methods for building a secure eCommerce website that customers can trust.


The importance of security in eCommerce

As an eCommerce store, your site’s security should be important to you for many reasons.

Though your main focus may be the products you are selling and your company branding, don’t forget that your site security is an element of the customer experience. How your customers feel when making purchases on your site is important. If customers are going to enter their credit card information, they will want confidence that the purchase they are making is valid and that you will treat their card details with respect. If they can’t be confident, you may lose out on their business.

Security is so important that private industry and government have created standards with which companies must comply. The European Union and the state of California have privacy acts to protect their citizens and residents, respectively. Though being compliant with these standards will not guarantee you are as secure as possible, it will help you get there. The reverse is also true: you may have taken measures to secure your site and protect your customers from hacks, but those efforts may not go as far as making you compliant.




It is far cheaper to get your security right from the get-go rather than coming up from behind once you have already been hacked. Retail fraud can be expected to cost $130B over the next 4 years from the combined costs of fines handed out by credit card companies and regulatory bodies, chargebacks, and the loss of merchandise by shipping products ordered fraudulently.

Despite how much security matters in eCommerce, companies still ignore it. Why? Probably because they do not appreciate the depth of the risk. Many assume they are too small to be targeted, when in fact small companies are the target of many security breaches.

Because security is so important we’ll tell you how eCommerce is made secure for both buyers and sellers.


Here are some common eCommerce security threats and security measures in eCommerce to take.


eCommerce security threat #1 – Distributed Denial of Service (DDoS)

In short, a distributed denial of service attack disrupts your legitimate customer traffic by creating a traffic jam: a flood of junk requests makes the site inaccessible, so customers cannot browse or make purchases while it lasts.




During this traffic jam, bots may take the time to scrape prices or your full catalogue, for example. Use a web application firewall to secure an eCommerce site against DDoS attacks.


eCommerce security threat #2 – Malware

Malware is an umbrella term for viruses, trojan horses, ransomware, and any other software installed on your system to attack it. It works covertly, deleting data and infecting site visitors. Ransomware, the most familiar kind, locks the victim out until a ransom is paid. You’ll know if you are a victim of ransomware because your emails may begin bouncing; your system may be unresponsive, slow, or freeze; or you may get bombarded with pop-ups.




To secure an eCommerce site against malware, avoid clicking on suspicious links; a single click can install malware on your system. Captcha will help you distinguish between authentic and inauthentic users, and malware scanners can automatically alert you to problems. If these fail you, always having a recent backup of your site data will let you restore your system without too much hassle.


eCommerce security threat #3 – Phishing

Phishing can happen to you or to your customers. This is when hackers trick people into handing over passwords, account numbers, social security numbers, and more, most often by text, email, or phone.




You can help your customers avoid falling victim to phishing by letting them know how they can expect to hear from you and how you won’t contact them. That way, they can be on the lookout. To guard yourself against phishing, always make sure you know who a message is coming from. Look for anything amiss in messages that may seem ph-ishy.


eCommerce security threat #4 – SQL injection

When user input reaches your database without being properly handled, all it takes is an attacker injecting a SQL query to ask the database questions, or give it commands, that it shouldn’t answer. The injected command can be submitted through a form on your website and allows the attacker to view or change your data.




Secure an eCommerce site against SQL injections by scanning your site daily for vulnerabilities that would allow an attacker to inject a SQL command into your database. Additionally, make sure that your SQL databases are secure.
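The following example is added here to show the defect the threat relies on and the fix; it is not code from the original article or from 2Checkout. It uses Python's built-in sqlite3 module with a constructed two-row customer table, and contrasts a lookup that pastes the form value into the SQL text with one that binds it as a parameter, which is the standard defence the article's "make sure your SQL databases are secure" advice implies.

```python
import sqlite3

# Constructed sample data standing in for a store's customer table (no real people).
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
]


def make_db():
    """Build an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """INSECURE: the form value becomes part of the SQL text, so quotes and
    keywords in it rewrite the WHERE clause. Shown only as the 'before' case."""
    sql = "SELECT email, name FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """SAFE: the value travels as a bound parameter. The database never parses
    it as SQL, so the same input is matched literally and returns nothing."""
    sql = "SELECT email, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups with an honest address and with an injected form value."""
    conn = make_db()
    honest = "alice@example.com"
    # The classic injected value: closes the quoted string, then adds an always-true clause.
    injected = "' OR '1'='1"
    return {
        "honest_vulnerable": lookup_vulnerable(conn, honest),
        "injected_vulnerable": lookup_vulnerable(conn, injected),   # leaks every row
        "honest_safe": lookup_parameterized(conn, honest),
        "injected_safe": lookup_parameterized(conn, injected),      # matches no row
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The point to take from running it: the parameterized version needs no input filtering to stay safe, because the value is never interpreted as SQL. Scanners catch string-built queries after the fact; using bound parameters everywhere removes the class of bug in the first place.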


eCommerce security threat #5 – Cross-site scripting (XSS)

Cross-site scripting is normally malicious JavaScript code injected into your database and served back to visitors. The script won’t harm the website itself, but it makes users more vulnerable: it delivers information about them to the hackers by accessing browser cookies and any other information the browser retains. It can even deliver that information in real time (this is called e-skimming).
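As an added example (not part of the original article or of 2Checkout's code), here is how a stored review ends up executing in visitors' browsers when it is rendered unescaped, and the two defences that matter: escaping every untrusted value for the HTML context it lands in, and marking the session cookie HttpOnly so that even a script that does run cannot read it. The review text and the `session_cookie_header` helper are constructed for this illustration.

```python
import html

# Constructed sample: a review submitted through a form by a malicious account.
# The body carries a harmless alert() so the effect is visible without doing damage.
SAMPLE_REVIEW = {
    "author": 'Eve" onmouseover="alert(1)',
    "body": "<script>alert(1)</script>Great product!",
}


def render_review_vulnerable(review):
    """INSECURE: stored text is dropped into the page unchanged, so a <script>
    saved in the database runs for every visitor who loads the page."""
    return ('<div class="review" data-author="' + review["author"] + '">'
            + review["body"] + "</div>")


def render_review_safe(review):
    """SAFE: each untrusted value is escaped before it is placed in the markup.
    quote=True also converts " and ' so an attribute value cannot break out."""
    author = html.escape(review["author"], quote=True)
    body = html.escape(review["body"], quote=True)
    return '<div class="review" data-author="' + author + '">' + body + "</div>"


def session_cookie_header(token):
    """Set-Cookie value for the session: HttpOnly hides it from document.cookie,
    Secure restricts it to HTTPS, SameSite limits cross-site sending."""
    return "session=" + token + "; Path=/; HttpOnly; Secure; SameSite=Lax"


def security_headers():
    """Response headers that narrow what an injected script could do even if
    an escaping bug slipped through (defence in depth)."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print(render_review_vulnerable(SAMPLE_REVIEW))  # script tag survives intact
    print(render_review_safe(SAMPLE_REVIEW))        # script tag shown as text
    print(session_cookie_header("constructed-token"))
```

Escaping belongs at output time, in the template layer, not at input time: the same stored string may later be placed in HTML, in an attribute, or in JSON, and each context needs its own encoding.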


eCommerce security threat #6 – Brute force attack

A brute force attack uses a program to guess the login information for the admin section of your site by trying different combinations of usernames and passwords until they land on the right one. This is a prime reason not to have “admin” as a username and “1234” as a password.

How can you secure an eCommerce site against brute force attacks? There are many things you can do. Having complex, difficult-to-guess passwords with a combination of lowercase and uppercase letters, symbols, and numbers is a good start. Requiring 2-factor authentication would inhibit attacks even more. The use of captcha would also help ensure that only humans are accessing your account. Additionally, consider a web application firewall and changing your passwords periodically.
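Strong passwords raise the cost of each guess; the other half of the defence is to stop the guessing program from getting unlimited attempts. The example below is added for this article and is not 2Checkout's code: a login guard that hashes passwords slowly with a salt (PBKDF2, from the standard library), compares in constant time, counts failures per account and per source IP, and locks either key for a period once the limit is hit. The limits, the sample account, and the guessed passwords are all constructed for the illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Assumed policy values for this example; tune them to your own traffic.
MAX_FAILURES = 5            # failed attempts allowed per key inside the window
WINDOW_SECONDS = 15 * 60    # sliding window in which failures are counted
LOCKOUT_SECONDS = 15 * 60   # how long a key stays locked once the limit is hit
PBKDF2_ROUNDS = 100_000     # deliberately slow hashing also throttles online guessing


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so a wrong guess cannot be timed byte by byte."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Hash checked for unknown usernames so response time does not reveal which
# accounts exist (constructed value, never a real credential).
DUMMY_CREDENTIAL = hash_password("not-a-real-password")


class LoginGuard:
    """Counts failures per account and per source IP; refuses further attempts
    once either key is locked, whether or not the next guess is correct."""

    def __init__(self, users, clock=time.time):
        self.users = users                   # {username: (salt, digest)}
        self.clock = clock                   # injectable for deterministic tests
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time the lock expires

    def _recent_failures(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def _record_failure(self, key, now):
        q = self._recent_failures(key, now)
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            q.clear()

    def attempt(self, username, password, ip):
        """Returns 'ok', 'denied' (wrong credentials) or 'locked'."""
        now = self.clock()
        keys = ("user:" + username, "ip:" + ip)
        if any(self.locked_until.get(k, 0) > now for k in keys):
            return "locked"
        salt, digest = self.users.get(username, DUMMY_CREDENTIAL)
        if username in self.users and verify_password(password, salt, digest):
            for k in keys:
                self.failures[k].clear()
            return "ok"
        for k in keys:
            self._record_failure(k, now)
        return "denied"


def demo():
    """Constructed scenario: five wrong guesses from one IP, then the right
    password while locked, then the right password after the lock expires."""
    clock = [1_000_000.0]
    guard = LoginGuard({"admin": hash_password("correct horse battery staple")},
                       clock=lambda: clock[0])
    outcomes = []
    for guess in ["1234", "password", "admin", "letmein", "qwerty",
                  "correct horse battery staple"]:
        outcomes.append(guard.attempt("admin", guess, "203.0.113.7"))
        clock[0] += 1
    clock[0] += LOCKOUT_SECONDS
    outcomes.append(guard.attempt("admin", "correct horse battery staple", "203.0.113.7"))
    return outcomes


if __name__ == "__main__":
    print(demo())   # ['denied', 'denied', 'denied', 'denied', 'denied', 'locked', 'ok']
```

Note that the lock is checked before the password, so a correct guess arriving during the lockout is still refused; that is what denies the guessing program its payoff. In production the failure counters would live in a shared store rather than in process memory, and the lockout event is exactly the failed-login alert the best practices section recommends raising.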




So many types of security threats to eCommerce companies! Additionally, attackers can perform file upload attacks, in which your site accepts and processes a dangerous file. Monitor your site for changes to its core files so you can catch the damage a file upload attack does.
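Monitoring for core file changes can be done with a file-integrity baseline. The example below is added here and is not the article's or 2Checkout's code: it records a SHA-256 for every file under a web root (skipping files that legitimately churn, such as logs), then reports what has been modified, added, or removed compared with that baseline. The web root, its files, and the simulated tampering are all constructed inside a temporary directory so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Files that change during normal operation are excluded from the baseline;
# everything else is treated as a core file that must stay fixed (assumed list).
IGNORED_SUFFIXES = (".log", ".cache")


def sha256_of(path):
    """Stream the file so large assets do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each core file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.name.endswith(IGNORED_SUFFIXES):
            result[p.relative_to(root).as_posix()] = sha256_of(p)
    return result


def compare(baseline, current):
    """Classify differences between the stored baseline and a fresh snapshot."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Constructed scenario: baseline a fake web root, then simulate an edited
    config file, a dropped-in new file, a deleted core file, and log churn."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "includes").mkdir()
        (root / "index.php").write_text("<?php echo 'shop'; ?>")
        (root / "includes" / "config.php").write_text("<?php $db = 'shop'; ?>")
        (root / "access.log").write_text("GET / 200\n")
        baseline = snapshot(root)

        (root / "includes" / "config.php").write_text("<?php $db = 'shop'; // unexpected edit ?>")
        (root / "uploads.php").write_text("<?php // unexpected new file ?>")
        (root / "index.php").unlink()
        (root / "access.log").write_text("GET / 200\nGET /cart 200\n")  # ignored churn
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
    # {'modified': ['includes/config.php'], 'added': ['uploads.php'], 'removed': ['index.php']}
```

Two practical points: store the baseline somewhere the web server's own account cannot write, otherwise whoever can plant a file can also update the baseline; and re-take the baseline as a deliberate step after every legitimate deployment, so the monitor only ever reports changes nobody scheduled.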

Well-meaning employees can fall victim to attackers’ schemes by sharing a login and/or password over the phone. Internal security policies teaching employees proper protocol can mitigate against this risk.

And lastly, zero-day exploits happen when a hacker beats you to discovering your vulnerabilities. In a zero-day exploit, the hacker finds the flaw before you have created a patch for it, and exploits it the same day.


eCommerce security best practices

Because of the wide variety of ways hackers can take advantage of your system, use some of these best practices on a day-to-day basis to help you avoid lots of them.


  • Guide your customers. Teach your customers that weak passwords are asking to get hacked and help them use password creation best practices to avoid trouble. You can even require that they create a strong password featuring lowercase and uppercase letters along with symbols and numbers. Encourage them to always use a private network and log out when they are finished with your application.


  • eCommerce security badges. While badges won’t, by nature, make your site less penetrable, the fact that you are using these tools to secure your site is great. Customers value names and logos of reputable tools like BBB, Visa, Mastercard, PayPal, McAfee, Norton antivirus, and Trust-e.



  • eCommerce website security policy. Instate a website security policy for your eCommerce store to mitigate security risks. This may involve requiring the use of strong passwords internally, as well as regular password changes. Each platform you use should have different sign-in credentials; a password manager can keep track of them and keep them secure. Your admin area should be particularly hard to hack. Consider restricting it to certain IP addresses, and set up alerts for access attempts from anywhere else and for failed login attempts. Whatever your policy includes, it is paramount to educate employees about the risks so that they understand why they need to do what they are being asked. This will improve adherence to your website security policy.


  • Meet industry security standards. The Payment Card Industry Data Security Standard (PCI DSS) is the baseline standard for all companies that process, transmit, and store payment card data online. It is a set of global security requirements designed to ensure that ALL companies that accept, process, store, or transmit credit/debit card information and/or sensitive authentication data maintain a secure environment, so that customers and their data are protected no matter where they shop and what channel they use.


  • Encrypt links. Secure your entire site, not just payment-related pages. Do this by obtaining an SSL certificate and then using the HTTPS protocol to encrypt data sent between the website and the web browser. SSL and HTTPS protect your customers’ information while they are using your site. They will know that the transmission of their data is protected by HTTPS because they will see a lock icon in their address bar. Encryption of links is so important that Google now ranks sites based on the presence or absence of HTTPS.



  • Require multi-factor authentication. Requiring another form of identity verification other than a username and password will make it even harder for someone to gain access to an account that they shouldn’t have access to. For example, someone could be required to enter a one-time use code when logging in that had been delivered to the email address or phone number associated with the account. Or, you could require login approval if an account is being accessed from an unknown device.




  • Only store necessary customer data. Any data that you possess must be protected. It is much easier to only store the data that you absolutely need instead of collecting lots and having to protect it all. Even small companies are targets for hackers. But, the less information you have, the less you will be a target.


  • Monitor website activity. There are various things you should keep an eye on daily to avoid problems, or to keep problems from getting worse. Real-time monitoring tools such as Google Analytics can help, as can security monitoring tools that scan for suspicious activity. These should set off warning bells: multiple payment methods from the same IP address, foreign shipping addresses, and large-volume orders.


  • Keep systems updated. Make sure you are always aware of vulnerabilities and patch them so hackers can’t take advantage of them. Updates generally address known threats and vulnerabilities so it would be in your best interest to set up automatic updates to avoid delays and keep the risk of zero-day attacks and malware low.


  • Choose the right platform. Your eCommerce platform should be secure. Unfortunately, popular platforms are targets for attackers, so it should be extra secure. Always make sure you are using the most up-to-date version and that the network is regularly monitored and backed up.


  • Pay attention to what you integrate. Don’t use any plugins if you haven’t verified the developers and trust them.


  • Use a web application firewall. A web application firewall protects your server and its content from DDoS, SQL injections, XSS, and more. It is programmed to identify which traffic is malicious based on certain activities and what to do if it spots them.
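The one-time code described under "Require multi-factor authentication" is most often a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226). The example below is added for this article and is not 2Checkout's code: it implements the code generation from the standard library alone, and a server-side verifier that tolerates one step of clock drift and refuses to accept a code for a time step it has already consumed, which is what makes a captured code useless a second time. The secret used is the published RFC test key, not a real one, so the values can be checked against the RFC's own test vectors.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6
DRIFT_STEPS = 1     # accept the previous and next step to tolerate clock skew

# Published RFC 4226/6238 test key (ASCII "12345678901234567890"); not a real secret.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=DIGITS):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=STEP_SECONDS):
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time // step))


class TotpVerifier:
    """Server side: checks a submitted code against the account secret, allows
    small clock drift, and never accepts the same time step twice (replay)."""

    def __init__(self, secret, clock=time.time):
        self.secret = secret
        self.clock = clock               # injectable for deterministic tests
        self.last_accepted_step = -1     # persisted per account in a real system

    def verify(self, code):
        now_step = int(self.clock() // STEP_SECONDS)
        for step in range(now_step - DRIFT_STEPS, now_step + DRIFT_STEPS + 1):
            if step <= self.last_accepted_step:
                continue  # already consumed, so a captured code cannot be reused
            expected = hotp(self.secret, step)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = step
                return True
        return False


def demo():
    """Constructed scenario at RFC time 59: valid code, the same code replayed,
    a wrong code, then a fresh code one step later."""
    clock = [59.0]
    verifier = TotpVerifier(RFC_TEST_SECRET, clock=lambda: clock[0])
    code = totp(RFC_TEST_SECRET, clock[0])
    outcomes = [verifier.verify(code), verifier.verify(code), verifier.verify("000000")]
    clock[0] += STEP_SECONDS
    outcomes.append(verifier.verify(totp(RFC_TEST_SECRET, clock[0])))
    return outcomes


if __name__ == "__main__":
    print(hotp(RFC_TEST_SECRET, 0))        # 755224, per RFC 4226 Appendix D
    print(totp(RFC_TEST_SECRET, 59))       # 287082, the 6-digit form of RFC 6238's 94287082
    print(demo())                          # [True, False, False, True]
```

Per-account secrets must be generated from a cryptographically secure random source and stored encrypted, and a real deployment also rate-limits code submissions, since a six-digit code with a three-step window is guessable with unlimited attempts.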
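The three warning signs listed under "Monitor website activity" translate directly into detection rules. The example below is added here and is not the article's or 2Checkout's code: it runs those rules over a constructed batch of checkout records and returns which orders tripped which rule, plus a simple triage so that an order hitting more than one rule is held rather than merely reviewed. The thresholds, the home country, and every order are assumptions made for the illustration.

```python
from collections import defaultdict

# Assumed rule settings for this example.
HOME_COUNTRY = "US"
LARGE_ORDER_TOTAL = 2000.00   # order value at or above which "large order" fires
MAX_CARDS_PER_IP = 3          # distinct cards seen from one IP before it is suspicious

# Constructed sample orders (no real customers); fields a checkout system would log.
SAMPLE_ORDERS = [
    {"id": "o1", "ip": "198.51.100.4", "card_last4": "1111", "ship_country": "US", "total": 49.99},
    {"id": "o2", "ip": "198.51.100.4", "card_last4": "2222", "ship_country": "US", "total": 59.99},
    {"id": "o3", "ip": "198.51.100.4", "card_last4": "3333", "ship_country": "US", "total": 39.99},
    {"id": "o4", "ip": "198.51.100.4", "card_last4": "4444", "ship_country": "US", "total": 29.99},
    {"id": "o5", "ip": "203.0.113.9",  "card_last4": "5555", "ship_country": "BR", "total": 2499.00},
    {"id": "o6", "ip": "192.0.2.77",   "card_last4": "6666", "ship_country": "US", "total": 19.99},
]


def flag_orders(orders):
    """Return {order_id: [reasons]} for orders tripping any of the three rules:
    many distinct cards from one IP, foreign shipping address, large total."""
    cards_by_ip = defaultdict(set)
    for o in orders:
        cards_by_ip[o["ip"]].add(o["card_last4"])

    flagged = defaultdict(list)
    for o in orders:
        if len(cards_by_ip[o["ip"]]) > MAX_CARDS_PER_IP:
            flagged[o["id"]].append("multiple_cards_same_ip")
        if o["ship_country"] != HOME_COUNTRY:
            flagged[o["id"]].append("foreign_shipping")
        if o["total"] >= LARGE_ORDER_TOTAL:
            flagged[o["id"]].append("large_order")
    return dict(flagged)


def triage(flags):
    """Map each flagged order to an action: one reason -> manual review,
    two or more -> hold the shipment until a person has looked at it."""
    return {oid: ("hold" if len(reasons) >= 2 else "review")
            for oid, reasons in flags.items()}


if __name__ == "__main__":
    flags = flag_orders(SAMPLE_ORDERS)
    for oid, reasons in flags.items():
        print(oid, reasons, "->", triage(flags)[oid])
```

A foreign shipping address on its own is not fraud, which is why the rules only queue orders for a human rather than cancelling them; the value of the monitor is that the four-card burst from one address surfaces within minutes instead of after the chargebacks arrive.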



Taking proper security measures in eCommerce is worth the cost. Conniving hackers have found so many different ways to exploit your system’s vulnerabilities that it is important to be proactive and on your A-game to protect both you and your buyers.

eCommerce security threats can be countered by following security best practices including security testing and website security policies. So, while the risk is very real, with proper precautions you can have relative confidence about the security of your site and site visitors. Be ahead of the game by minimizing risk and on top of the game by noting problems and dealing with them quickly.


To learn how to use biometrics for faster and safer online payments, check out this dedicated webinar.

How Biometrics are Shaping Payments and What This Means for Online Merchants

