By: Nihad Hassan
October 1, 2021
Top Four eCommerce Security Threats For 2021
The digital revolution affects everything around us; people now rely heavily on the Internet in their daily lives, using it to study, work, socialize, bank online, and shop in online marketplaces.
The ongoing spread of COVID-19 has changed customer buying behaviors dramatically; people have become more willing to shop from home, especially after the extended lockdown imposed by governments around the world to stop the spread of the disease. According to Roi Revolution, e-commerce sales have increased significantly and are expected to reach over $843 billion in sales this year (2021).
E-commerce security has become a significant concern for businesses, especially after the series of data breaches that recently hit high-profile targets. Most customers do not worry about paying through PayPal, Amazon, Google, or Apple; they become worried when asked to enter their credit or debit card details to make an online payment.
For any e-commerce business, failing to secure its payment portal can have catastrophic consequences for its reputation and sales, not to mention the fines imposed under regulations and standards such as GDPR and PCI DSS when customers' personal information is exposed in a data breach.
It is essential to be familiar with the most prominent security threats to understand how to secure your online business. This article will shed light on the top four threats impacting e-commerce websites.
Top four e-commerce security threats
In the e-commerce area, financial fraud can happen in two forms:
- Stolen credit cards: cybercriminals use stolen credit card information to make unauthorized payments. Card information can be stolen in various ways, such as:
  - Through major data breaches.
  - By intercepting traffic on public Wi-Fi hot spots (this can be mitigated by using a reliable VPN service).
  - Through phishing emails.
  - Through malware (spyware).
  - From discarded paperwork in the trash.
- Insecure systems: conducting online transactions on insecure systems, which leads to the compromise of the user's sensitive payment information.
Although banks and credit card providers offer many features to fight transaction fraud (cancelling a payment within a set period, and other refund options), not all people check their statements for credit card purchases they do not recognize, which leaves them exposed to this type of attack.
Passwords remain a significant concern for security professionals; since the invention of the Internet they have struggled to balance robust, complex passwords against user convenience (passwords that are easy to remember).
Password attacks pose a real threat to online transactions. The best-known is the brute-force attack, in which a script or tool tries every possible password combination until it finds the right one. Such attacks take time and persistence. Adversaries often shorten the search by combining whatever they already know about the target into likely guesses; that information can be collected from public sources such as social media platforms and public databases. Attackers commonly use Open Source Intelligence (OSINT) to profile their victims before executing an attack.
Sometimes the administrator password protecting the entire payment system is compromised. In that case the damage is hard to predict: it can range from a significant data breach, to the system being taken offline and online payments ceasing, to huge fines imposed by regulatory compliance bodies.
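The two defensive controls the preceding paragraphs point at are a password policy that resists guessing and a throttle on repeated failed logins. The following is an added example, not code from the original article: a small password-policy check plus a sliding-window failed-login counter that locks an account, and a source IP, after too many failures. The breached-password list, the thresholds and the attempt stream are all constructed for the demonstration.

```python
import re
from collections import defaultdict, deque

# Constructed stand-in for a breached-password blocklist (assumption: a real
# deployment would check a much larger list or a k-anonymity API instead).
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin123"}
MIN_LENGTH = 12


def password_policy_violations(password):
    """Return the reasons a candidate password is rejected (empty list means accepted).

    Length counts for more than character-class rules: a long passphrase resists
    brute force better than a short "complex" string and is easier to remember.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in BREACHED_PASSWORDS:
        problems.append("appears in breached-password list")
    if len(set(password.lower())) < 4:
        problems.append("fewer than 4 distinct characters")
    return problems


class LoginGuard:
    """Sliding-window failed-login counter with temporary lockout.

    Failures are tracked per account *and* per source IP, so both brute-force
    shapes are caught: many guesses against one account, and one source spraying
    guesses across many accounts.
    """

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lockout expires

    def is_locked(self, key, now):
        return self.locked_until.get(key, 0) > now

    def _record_failure(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            q.clear()

    def attempt(self, username, ip, password_ok, now):
        """Evaluate one login attempt; returns 'locked', 'ok' or 'failed'."""
        user_key, ip_key = "user:" + username, "ip:" + ip
        if self.is_locked(user_key, now) or self.is_locked(ip_key, now):
            return "locked"
        if password_ok:
            # Only the account's counter resets: a success on the attacker's own
            # account must not wipe the IP's spraying history.
            self.failures[user_key].clear()
            return "ok"
        self._record_failure(user_key, now)
        self._record_failure(ip_key, now)
        return "failed"


# Constructed attempt stream: (seconds, username, source IP, password correct?)
SAMPLE_ATTEMPTS = [
    (0, "alice", "203.0.113.7", False),
    (10, "alice", "203.0.113.7", False),
    (20, "alice", "203.0.113.7", False),
    (30, "alice", "203.0.113.7", False),
    (40, "alice", "203.0.113.7", False),   # fifth failure triggers the lockout
    (50, "alice", "203.0.113.7", True),    # a correct guess now is refused
    (60, "bob", "203.0.113.7", True),      # same source, other account: still refused
    (61, "alice", "198.51.100.5", True),   # the real user is locked out too until it expires
]


def replay(attempts, guard=None):
    """Run a sequence of attempts through one guard and return the verdict list."""
    guard = guard or LoginGuard()
    return [guard.attempt(user, ip, ok, t) for t, user, ip, ok in attempts]


if __name__ == "__main__":
    print(password_policy_violations("password"))
    print(replay(SAMPLE_ATTEMPTS))
```

The last attempt in the sample shows the trade-off of account lockout: the legitimate user is shut out as well, so an attacker can abuse lockout to deny service. Keeping the lockout short, locking the offending IP, and preferring slowdown over hard lockout for the account key are the usual ways to soften that.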
Social engineering (SE) remains the method cybercriminals prefer for gaining unauthorized access to secure systems. No company is immune to SE attacks: whatever its technical defenses, the human element remains the weakest point that adversaries exploit to reach protected resources.
SE attacks work by manipulating the victim into acting against the security controls in place and giving away sensitive information (e.g., login credentials). There are two main types of SE attack:
- In-person: the attacker interacts directly with the victim.
- Technology-based: phishing emails, SMS messages, or messages sent via social media platforms carry links to compromised websites that steal the victim's credentials.
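The technology-based form above turns on a link that points somewhere other than the site it claims to be. As an added example (not code from the original article), the following Python scanner extracts the links in a message and classifies each host as trusted, a trusted name buried inside another domain, a raw IP address, a near-miss lookalike of a trusted domain, or simply external. The trusted-domain set, the confusable-character table and the sample email are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed: the domains this store legitimately links to (assumption).
TRUSTED_DOMAINS = {"example-shop.com", "pay.example-shop.com"}

# Digits and symbols commonly substituted for the letters they resemble
# (constructed subset; a full confusables table is much larger).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    (Assumption: no multi-label public suffixes such as co.uk are involved.)"""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance, used to spot near-miss spellings of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return (verdict, reason) for the host part of a link found in a message."""
    host = host.lower()
    if host in TRUSTED_DOMAINS or any(host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "trusted", host
    # Trusted name buried inside another domain, e.g. shop.com.verify-now.net
    for d in TRUSTED_DOMAINS:
        if "." + d + "." in "." + host:
            return "embedded", "trusted name %s inside untrusted domain" % d
    if IPV4_RE.fullmatch(host):
        return "suspicious", "raw IP address instead of a hostname"
    # Undo digit/symbol substitutions, then compare registrable domains
    candidate = registrable_domain(host.translate(CONFUSABLES))
    for d in {registrable_domain(t) for t in TRUSTED_DOMAINS}:
        if levenshtein(candidate, d) <= 2:
            return "lookalike", "resembles %s" % d
    return "external", host


def scan_message(text):
    """Extract every http(s) link in a message and classify its host."""
    results = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        verdict, reason = classify_host(host)
        results.append((url, verdict, reason))
    return results


# Constructed sample message mixing one genuine link with three deceptive ones.
SAMPLE_EMAIL = """\
Dear customer, your order is ready: https://pay.example-shop.com/order/123
Your account will be suspended unless you verify at http://examp1e-shop.com/verify
Or use our secure portal https://example-shop.com.account-check.net/login
Backup link: http://198.51.100.23/login
"""

if __name__ == "__main__":
    for url, verdict, reason in scan_message(SAMPLE_EMAIL):
        print("%-12s %-60s %s" % (verdict, url, reason))
```

The same classification works on a link before a user is allowed to open it from a mail client, or over a mail-gateway log to count how many deceptive links reached staff in a given week.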
Direct attacks against e-Commerce websites
The attacks above aim to steal sensitive information, especially customer details and credit card data. Other attacks instead aim to disrupt the normal operation of a website or web application. The most prominent attack of this type is the Distributed Denial of Service (DDoS) attack.
DDoS works by sending traffic from thousands or even millions of devices to overwhelm the target server with bogus traffic, so that it cannot respond to legitimate requests and may crash. DDoS attacks are increasing in frequency, especially since the start of the COVID-19 pandemic. According to securelist, Quarter 2 of 202 saw a spike in the number of DDoS attacks (see Figure 1).
Figure 1 - Comparative number of DDoS attacks (source: securelist)
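What makes a DDoS hard to stop is spelled out in the paragraph above: the traffic comes from many devices, so no single source looks abusive. The following is an added example, not code from the original article, that parses web-server access-log lines, counts requests per source in fixed time windows, and flags a window whose rate far exceeds the site's normal baseline, reporting how many sources contributed and the busiest source's share. The log lines, the baseline and the thresholds are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined-log-format line: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into (ip, epoch_seconds, status), or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), int(ts.timestamp()), int(m.group("status"))


def bucket_requests(lines, window_seconds=10):
    """Count requests per source IP inside fixed windows: {window_start: Counter(ip -> n)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the detector
        ip, epoch, _status = rec
        buckets[epoch - epoch % window_seconds][ip] += 1
    return buckets


def flag_floods(buckets, baseline_rps, window_seconds=10, multiplier=10, min_sources=20):
    """Flag windows whose request rate exceeds `multiplier` times the normal baseline.

    Each alert also reports how many distinct sources produced the traffic and the
    share sent by the busiest one, which tells a distributed flood apart from a
    single noisy client that per-IP rate limiting would already stop.
    """
    alerts = []
    for start in sorted(buckets):
        per_ip = buckets[start]
        total = sum(per_ip.values())
        if total / window_seconds < baseline_rps * multiplier:
            continue
        top_ip, top_count = per_ip.most_common(1)[0]
        alerts.append({
            "window_start": start,
            "total": total,
            "sources": len(per_ip),
            "top_source": top_ip,
            "top_share": top_count / total,
            "kind": "distributed" if len(per_ip) >= min_sources else "single-source",
        })
    return alerts


def constructed_log():
    """Constructed sample: 10 s of normal shopping traffic, then 10 s of a flood from 60 sources."""
    stamp = "[01/Oct/2021:12:00:%02d +0000]"
    lines = []
    for sec, ip in [(0, "198.51.100.10"), (2, "198.51.100.11"), (4, "198.51.100.10"),
                    (6, "198.51.100.12"), (8, "198.51.100.11"), (9, "198.51.100.12")]:
        lines.append('%s - - %s "GET /cart HTTP/1.1" 200 512' % (ip, stamp % sec))
    for bot in range(60):  # 60 sources, 5 requests each, spread over seconds 10-19
        for k in range(5):
            lines.append('203.0.113.%d - - %s "GET / HTTP/1.1" 503 0'
                         % (bot + 1, stamp % (10 + (bot + k) % 10)))
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    buckets = bucket_requests(constructed_log())
    for alert in flag_floods(buckets, baseline_rps=0.6):
        print(alert)
```

In the constructed flood each of the 60 sources sends only half a request per second, well under any sensible per-client limit, yet the window as a whole runs at fifty times the baseline. That is why a per-IP limiter alone does not stop a distributed attack and why the response usually has to move upstream, to a CDN, scrubbing service or provider-level filtering, as the closing paragraph suggests.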
For any e-commerce business, keeping its customers' payment information private remains a top priority. Strong security controls must be put in place to protect customers' information and other confidential digital assets, and technological solutions must also be deployed to counter disruptive attacks such as Distributed Denial of Service (DDoS).