By Adam Palmer, Chief Security Strategist, Tenable
As the UK continues to navigate local lockdowns, traditional bricks-and-mortar retailers have seen a steady decline in footfall and resulting sales, while online transactions have soared. The result has seen many shop owners scrambling to move online. Many are hoping to capitalise on this year’s Black Friday sales and festive shopping season which is predicted to be a record-breaker.
Since the pandemic began, the share of UK retail sales made online has risen from almost 1 in 5 (19%) to a peak of almost 1 in 3 (32.8%). This is a positive for the digital economy; however, data privacy and security have become a priority now, more than ever, for both consumers and retailers. As we navigate the tricky economy, e-commerce companies must not let hidden cyber risks jeopardise their growth and the trust of consumers.
Stop being an easy target
Cybercriminals are constantly on the lookout for e-commerce victims from which to steal personal data. While the financial sector has created robust security platforms to protect online banking, many e-commerce sites are still developing security and may prioritise user experience over safety measures. The result is consumer data protection added as an afterthought.
During the holiday shopping season, rather than taking a site offline to patch systems, temporary IT fixes are applied to prevent system outages around peak sales events like Black Friday. This may create additional risks and vulnerabilities if security is not considered as part of the process.
These factors create opportunities for scammers to steal data, particularly credit card information shared during transactions. Credit card information offers attackers a double payout as they can use the information themselves for purchases, and sell the data to other criminals on the Dark Web.
Find the hidden cyber risk pitfalls
Retailers can benefit greatly from investing in security systems that provide enhanced visibility and offer context that helps security teams understand which vulnerabilities to remediate first.
One of the most common attacks on e-commerce portals is the SQL injection attack. This means that attackers abuse the fields that consumers use to provide their personal details, search for goods, and use other functionality that enhances the customer experience. For example, sites will have free-text areas that consumers complete – with address details or delivery instructions – an operation that is replicated millions of times a day, in thousands of e-commerce portals. Criminals look for these free-text forms and instead insert malicious code seeking to exploit vulnerabilities in the back-end software. Retailers should perform a rigorous assessment of their back-end systems to identify any vulnerable platforms that present a potential target for attackers to steal consumer data. Having identified any vulnerabilities that exist in back-end systems, retailers must work to patch systems where updates are available, or limit access to those that can’t be patched, to reduce the risk of an attacker exploiting the system.
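To make the free-text-form risk concrete, here is an added example (not code from the article or from Tenable) of a hypothetical "track my order" lookup built two ways: once by pasting form input straight into the SQL, and once with a parameterised query. The order table, field names and inputs are constructed for illustration.

```python
import sqlite3

# Constructed in-memory order table standing in for a retailer's back end
# (hypothetical schema, not taken from any real system).
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (ref TEXT, postcode TEXT, card_last4 TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        ("A100", "SW1A 1AA", "4242"),
        ("A101", "EC1A 1BB", "1111"),
        ("A102", "M1 1AE", "9876"),
    ])
    return db

def lookup_vulnerable(db, ref, postcode):
    # Free-text fields concatenated into the statement: whatever the
    # customer typed becomes part of the SQL itself.
    sql = (f"SELECT ref, card_last4 FROM orders "
           f"WHERE ref = '{ref}' AND postcode = '{postcode}'")
    return db.execute(sql).fetchall()

def lookup_safe(db, ref, postcode):
    # Parameterised query: the driver binds the values separately, so
    # quotes and keywords in the input are treated as data, never as SQL.
    sql = "SELECT ref, card_last4 FROM orders WHERE ref = ? AND postcode = ?"
    return db.execute(sql, (ref, postcode)).fetchall()

def demo():
    db = build_db()
    honest = ("A100", "SW1A 1AA")
    hostile = ("A100", "' OR '1'='1")   # constructed malicious form input
    return {
        "vuln_honest": lookup_vulnerable(db, *honest),    # one order
        "vuln_hostile": lookup_vulnerable(db, *hostile),  # every order leaks
        "safe_honest": lookup_safe(db, *honest),          # one order
        "safe_hostile": lookup_safe(db, *hostile),        # nothing matches
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable version returns every customer's record for the hostile postcode because the quote closes the string early and the trailing `OR` makes the filter always true; the parameterised version returns nothing, which is exactly what a review of back-end code should be checking for.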
Another window of opportunity is vulnerabilities hidden in plugins used to power e-commerce sites. One example is the recent WooCommerce plugin security flaw, reportedly installed in 40,000 websites. Another is the notorious Magecart card skimmer that’s infected over 2,000 websites. It’s imperative that these known flaws are identified and remediated before an attacker finds them.
Further complicating the situation, many e-commerce security teams are still using legacy systems that lack comprehensive visibility into the full attack surface in modern IT environments. This creates blind spots for security leaders. Instead, retailers should look for solutions that allow them to gain security context and guidance against high-risk web application vulnerabilities; recognise vulnerabilities in custom code and third-party components used to build e-commerce web applications; and flag any misconfigurations that can increase exposure.
The risk has significantly increased, in part, as many in the retail sector have been forced to make large technological leaps overnight in response to the pandemic. Retailers must protect their business and customers from cyber threats. Only then can business risks – such as loss of data and customer trust – be minimised and e-commerce grow in a secure manner.