By Marc Rubbinaccio, Senior Compliance Manager, Secureframe.
About the author: Marc Rubbinaccio, CISSP, CISA is an information security leader who helps organizations reduce security risk through regulatory compliance, security audits, risk management, application and infrastructure penetration testing, and more. As a previous QSA, Marc has extensive experience performing and managing security audits for PCI DSS, HITRUST, and other internationally recognized security frameworks.
Cyber security is an ever-evolving process for all organizations that operate online, and e-commerce businesses are one of the main targets for attackers, with over $25 billion in annual losses due to payment fraud expected by 2024.
The direct financial cost of cyber attacks aside, breaches can damage your brand, causing irreparable reputational harm. For this reason, it’s imperative that you familiarize yourself with cyber security threats. Below, I discuss the most concerning cyber threats to e-commerce businesses as well as some steps to defend your organization from these threats.
4 common e-commerce cyber threats
Some cyber security threats, such as malware, are common in every industry operating online. There are a few cyber threats, however, that e-commerce organizations are particularly vulnerable to.
- e-Skimming: One of the greatest threats to your customers’ card information and personal data is e-Skimming. Once hackers have gained access to your platform or website, attackers plant malicious software in payment pages and collect the data that users enter. An example of an e-skimming attack is the Magecart Card Skimmer. In this attack, hackers breached a common e-commerce service provider and injected a script within the javascript payment page. When entered by the customer, this script forwarded card details directly to the attacker’s server.
- Cross-site scripting (XSS): XSS occurs when an attacker inserts malicious scripts into an otherwise trusted webpage. XSS could redirect users to a malicious domain where sensitive information would be captured. An example of XSS is the Water Pamola attack. In the attack, hackers targeted administrators, sending orders appended with malicious scripts. If the underlying application or server is susceptible to the XSS attack, the scripts would execute.
- Outdated software and applications: Security updates to applications and software are released for a reason; usually when a critical security vulnerability has been identified within the software. In the context of retail, within the Magento 1 attack of earlier this year, over 500 stores were utilizing a 12 year-old Magento 1 application, which was no longer supported after June 2020. Once an application is no longer supported by the manufacturer, security updates are no longer provided, and publicly released vulnerabilities become well known, jeopardizing business security.
- Phishing attacks: As with many types of organizations, personnel can be the weakest security link. Instead of searching for vulnerable software and writing complicated exploits, it is much simpler for hackers to send a phishing email to a payment portal administrator and to then gain access via a crafted malicious credential gathering webpage. The recent attack against a US clothing brand describes a similar scenario, where employees’ emails were compromised due to a phishing campaign, leading to attackers gaining access to payment card numbers and account information.
4 ways to protect your business
As an e-commerce organization, your security measures must at least meet PCI compliance requirements and ideally go beyond them. The following techniques will help protect your assets, systems and your customers from malicious attackers and security vulnerabilities.
Strong passwords & MFA
Customer and internal administrator accounts should both utilize strong passwords, as enforced by the technology in place. Passwords should meet a minimum length, leverage complexity, and should not be shared, as all account passwords should be unique.
Administrators should be utilizing multi-factor authentication when accessing any backend systems or applications.
Implement security updates in a timely manner and perform vulnerability scanning
Application and infrastructure vulnerability scanning is a great way to detect known weaknesses and vulnerabilities in your environment, giving you visibility into an important part of your organization’s security posture. Resolving vulnerabilities discovered utilizing tools such as DAST and SAST, Network vulnerability scanners, and container analysis tools, will give you a chance to mitigate or remediate vulnerabilities before attackers can exploit them.
Most vulnerability scanners will scan for outdated applications and operating systems, comparing the applications and operating system versions to vulnerability signatures within the scanner database. With this information, you will know when applications and operating systems are out-of-date and require a security update to resolve a vulnerability found. Installing these security updates in a timely manner (recommended within 30 days by the PCI DSS) will help keep your environment secure.
Implement network segmentation
Network segmentation is the process of sectioning off networks into sub-networks, limiting communication between the sub-networks. Isolating devices and networks that are not related to the management of the sensitive services will reduce the footprint of potential attack vectors into the sensitive data environment.
Security awareness training
Security awareness training is the key to ensuring your personnel are well-equipped to understand what a phishing attempt is and in reducing the possibility of a social engineering attack’s success within your environment.
Training should also include information regarding the sensitive data in your environment and the protection of this data. Specialized personnel, such as developers and employees with roles in the incident response team, should attend specific training regarding their responsibilities, such as secure development training and table top exercises.