“Cybersecurity” is a catch-all expression that covers a world of processes, practices, applications and hardware in every form and flavor imaginable.
Whatever their specific functions and operational scope, they share a single global focus: the protection of sensitive data, digital systems, networks and IT infrastructure against penetration, corruption, exploitation, and destruction by bad actors.
In 2021, as the pace of digital transformation in retail e-commerce picks up, those bad actors could include anyone.
Anyone. From state-sponsored hacking collectives, to cyber-thieves looking for sensitive data and other marketable goodies to sell, to credit card fraud artists, to clever individuals who think disrupting the status quo for fun and profit is a great idea.
If there’s money to be made from some sort of IT-based crime or disruption, someone will get into it – and the rate at which e-commerce retail is being targeted has gone up alarmingly.
For example, ransomware activity against retail over the last year (during the pandemic) went up by 365%.
And that’s just one aspect of cybercrime that can impact e-commerce retail.
Bet that got your attention. But that’s not enough.
If you’re an e-commerce retailer, you have to see the problems clearly before you can think about your own site security or take meaningful action to improve it.
What You Need to Know Right Now About Retail Cyberthreats in 2021
If you do any reading about current developments in e-commerce retail, you already know that its core technologies are evolving quickly in response to increasing consumer demand. In fact, they’re frequently ahead of the security technologies designed to protect them.
You also know that consumer expectations are changing, and that there are some common threads we can trace.
These include greater demand for evidence of retailer and manufacturer honesty, transparency, sustainability, and community commitment.
Consumers also want more immersive experiences, and they want to build relationships with their favorite brands. They’re becoming less reluctant to share their preferences and needs, and that increases their potential vulnerability.
As online shoppers, they’re not just visiting retail sites. They’re also all over social media, and they’re sharing valuable personal and brand-preference data every time they visit Instagram or Facebook or Twitter.
They can even make purchases by direct links from those social media platforms, and others.
All of this means that the obligations of e-commerce retailers to safeguard customer data, payment information, order history, and personal details are growing. These obligations apply to large retail enterprises, merchant users of popular e-commerce platforms, and small operations with relatively simple “pre-built” retail website solutions.
It also means bad actors are watching constantly and have no scruples about taking advantage of any unpatched access point or flaw they can find for their own gain.
Why is this important for you as an e-commerce retailer? An obvious question…
If your e-commerce site is attacked, you may lose revenue, confidential customer data, key analytics data, and even your ability to keep your site operating. You may also suffer damage to your brand that may be irreversible.
Just as consumers are engaging more intensely with online retail – and exposing their personal data even more broadly – the threat of retail cyber-attack continues to grow.
Common Forms of Cyber-Attack Against Online Retail
As 2021 unfolds, the most common forms of cyber-attack on retailers will increase in frequency. These basic forms aren’t necessarily new, but the implementation methods continue to evolve, becoming more sophisticated.
Most of these are old news, but perhaps a quick review is in order. The ongoing success of these attack strategies suggests that too many retailers (and consumers) aren’t nearly as informed as they should be.
Phishing (including “spear phishing” that targets particular individuals) is an attempt to obtain valuable data from targets fraudulently by means of emails, text messages, posts on messaging apps, and even telephone calls.
Phishing scams tend to have some common attributes.
The scam messages may appear to be from trusted sources, including friends, or from financial institutions the scammers think targets might trust.
Bogus emails and messages may suggest that recipients owe the supposed senders money or must claim a delivery, and sometimes the messages are very convincing.
In other instances, there’s something obviously wrong with a message’s format. In less professional phishing attempts directed at targets in English-speaking countries, poor English is often a giveaway, even when a message’s format looks legitimate.
The messages often contain hyperlinks intended to motivate recipients to click without examining the links too closely. The links don’t actually lead to the apparent destinations, but rather to phony sites through which the perpetrators hope to gather personal or financial information.
There are often innocent-seeming but dangerous attachments – fake invoices, official notices, shipping confirmations, or other types of documents one might expect to receive. Opening these attachments can prove disastrous, as they often contain viruses, ransomware, or other forms of malware that will immediately make themselves at home on a target’s system.
Fake messages are frequently “urgent” or offer limited-time opportunities to participate in supposedly sure-fire money-making schemes of questionable legality, like the so-called “Nigerian scam” phishing emails or social media messages. These work on the assumption that some people will still jump at opportunities that are too good to be true, even when they know better.
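The link trick described above (visible text that names one site while the href goes somewhere else) is mechanical enough to check for. The following is an added example, not code from the article: it parses the anchors in an HTML message and flags the usual mismatches, namely a visible hostname that differs from the real destination, a raw IP address as the host, and a userinfo prefix (`https://bank.example@attacker/...`). The message and all hostnames below are constructed, and the “registrable domain” helper is a deliberate simplification (last two labels) that a real deployment would replace with the Public Suffix List.

```python
"""Flag anchors in an HTML e-mail whose visible text and real destination disagree.
Added example (not from the original article). The sample mail is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches a bare hostname inside anchor text, e.g. "www.examplebank.com" in a pasted URL.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def registrable(host):
    """Crude eTLD+1 (last two labels). Assumption: good enough for triage;
    use the Public Suffix List in production (co.uk etc. would fool this)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return [(href, visible_text, [reasons])] for anchors that look like phishing lures."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        url = urlparse(href)
        if url.scheme not in ("http", "https"):
            continue  # mailto:, tel: etc. are out of scope here
        host = url.hostname or ""
        reasons = []
        if url.username is not None:
            reasons.append("userinfo in URL")  # "bank.example@203.0.113.9" trick
        if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
            reasons.append("raw IP host")
        shown = HOST_RE.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"text says {shown.group(1)}, href goes to {host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample message; every host and address here is documentation/example space.
SAMPLE_MAIL = """<p>Dear customer,</p>
<p><a href="http://198.51.100.7/verify">Verify your account</a></p>
<p><a href="https://www.examplebank.com@203.0.113.9/login">Update password</a></p>
<p><a href="https://examplebank.com.login-check.net/x">https://www.examplebank.com/login</a></p>
<p><a href="https://www.examplebank.com/help">Help centre</a></p>
<p><a href="mailto:help@examplebank.com">Contact us</a></p>"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_MAIL):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

Run against a mail gateway’s HTML bodies this catches the two cheapest tricks in the list above; it does not catch a lure whose text is just “Click here”, which is why user training still matters.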
- PDF scams
PDF files are common, and they’re incredibly useful because they resolve issues of document format compatibility in communication and file transmission.
As email attachments, PDFs offer bad actors readily accessible vehicles for the delivery of Trojans and other viruses, ransomware, or malware.
Bad actors continue to refine PDFs as delivery vehicles, and at least one threat source has demonstrated its ability to deliver near-invisible download utilities inside PDF files that then enable the sender to continue downloading malware or ransomware to targeted systems.
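A PDF that quietly downloads a second stage needs active features (an action that fires on open, embedded JavaScript, a launch action, or an embedded file). Counting those name objects before anyone opens the attachment is the standard triage step, the same idea as Didier Stevens’ pdfid tool. The block below is an added example, not code from the article or from pdfid: it scans the raw bytes, undoes the `#xx` hex escapes attackers use to hide keywords like `/J#61vaScript`, and gives a verdict. The two “PDFs” are constructed stubs, not malware samples.

```python
"""Triage a PDF attachment by counting the names that give it active behaviour.
Added example, not the article's code; SUSPECT/BENIGN below are constructed stubs."""
import re

# Name objects worth counting, with the reason each matters.
RISKY = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "embedded JavaScript (short key)",
    b"/OpenAction": "action runs when the document opens",
    b"/AA": "additional (automatic) actions on page/field events",
    b"/Launch": "launches an external program or file",
    b"/EmbeddedFile": "carries an embedded file",
    b"/RichMedia": "Flash / rich media content",
    b"/URI": "opens a URL",
}


def _expand_hex_names(data):
    """PDF names may be written with #xx escapes (/J#61vaScript); undo that first."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_triage(data):
    """Return {name: count} for the risky names present, or a marker if it is not a PDF."""
    if not data.startswith(b"%PDF-"):
        return {"_not_a_pdf": 1}
    data = _expand_hex_names(data)
    counts = {}
    for name in RISKY:
        # Negative lookahead stops /JS matching the start of a longer name like /JSOwner.
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", data))
        if n:
            counts[name.decode()] = n
    return counts


def verdict(counts):
    """Turn the counts into an action for the mail/attachment pipeline."""
    if "_not_a_pdf" in counts:
        return "not a PDF (check the real file type)"
    auto = {"/OpenAction", "/AA"} & counts.keys()
    code = {"/JavaScript", "/JS", "/Launch"} & counts.keys()
    if auto and code:
        return "quarantine: runs code or launches something on open"
    if code or "/EmbeddedFile" in counts:
        return "review: active content present"
    return "plain document"


# Constructed stubs. The "suspect" one only mimics the structure (open-action + script).
BENIGN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"
SUSPECT = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
           b"3 0 obj << /S /J#61vaScript /JS (app.alert('hi');) >> endobj\n%%EOF")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        c = pdf_triage(blob)
        print(label, c, "->", verdict(c))
```

A real scanner also has to inflate `/FlateDecode` streams before counting, because the names can sit inside compressed object streams; this version only sees what is in clear text.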
As its name suggests, ransomware attacks involve covert encryption and/or removal of data for the purpose of ransoming it back to its rightful owners. In theory, if a victim pays the ransom, the attackers provide a means for the victim to decrypt and recover the hostage data.
Ransomware operators often go after large enterprises, where they expect the richest victims and those most likely to pay, but smaller retailers are hit as well.
Beyond that, ransomware cybercriminals seem to have few scruples about the nature of the victims (hospitals have been attacked and their data held to ransom), and some paying victims never recover their data.
In fact, cybercriminals are increasingly favoring the so-called “double extortion” approach to ransomware. This involves the transfer of the target’s data from its systems to the hackers’ servers even before the perpetrators encrypt the data. The tactic minimizes the target’s opportunity to recreate stolen or encrypted information without paying the ransom.
Ransomware attacks are going to get increasingly ugly as 2021 unfolds.
“Malware” is a generic term that covers a great deal. It’s a catch-all expression for all the various forms of application software or code invasions hackers use to damage networks, steal data (or money), corrupt systems, and give unfettered access to the IT infrastructure of their targets.
Sadly, there’s no such thing as a one-size-fits-all solution to existing malware. There’s just too much of it, it’s too sophisticated, and the good guys are always in the position of playing catch-up to block the schemes of the bad guys.
- Database breaches
As the name suggests, a database breach is an unauthorized entry into a network repository of confidential information that’s supposed to be secure.
So far as we can tell, there is just no such thing as a database that can be guaranteed secure. We’ve seen ample evidence of large institutional databases, both inside and outside e-commerce, that were very secure…until they weren’t.
We’re talking about billions of data records that included medical information, consumers’ personal details, basic OS use and ownership, and more.
It’s true that these were institutional breaches, but the records pertained to individual consumers, clients, patients, users, or owners.
That’s people like us. And you.
In fact, if you look at the scope of breaches in 2020, the odds are good that at least some of you were affected directly or can no longer rely on the security of your personal information online.
It’s also worth noting that no matter how big or small your e-commerce enterprise is or what platform you use, you’re vulnerable. So are your shoppers: if you store their payment details yourself rather than holding a token issued by your payment processor, that data is available to anyone who can break into your customer database.
- Credential stuffing
Credential stuffing refers to the use of credentials stolen from one site as the means to attempt “legitimate” logins to another site.
Given the billions of leaked username/password pairs that are readily available to hackers, and the number of people who reuse the same password everywhere, you can understand why credential stuffing is an ongoing threat.
It’s an automated attack, often lumped in with “brute force”, but it doesn’t guess: the attackers’ tooling replays known username/password pairs from earlier breaches against your login page at scale until some of them work, and each hit is a real customer account.
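Because stuffing replays many different usernames from the same source in a short time, with most attempts failing, it leaves a distinctive shape in the login log that a lone customer mistyping a password does not. The following is an added example, not the article’s code: it runs that detection over a handful of constructed log lines in an assumed format (`<ISO time> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>`) and reports, per source IP, the accounts the attacker actually got into, which is the list you need for forced resets.

```python
"""Detect credential-stuffing patterns in a web login log.
Added example (not from the article). Log format and all lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source replaying many accounts, one user mistyping, one normal login.
LOG = """\
2021-03-16T10:00:01 203.0.113.5 alice@example.com LOGIN_FAIL
2021-03-16T10:00:02 203.0.113.5 bob@example.org LOGIN_FAIL
2021-03-16T10:00:02 203.0.113.5 carol@example.net LOGIN_OK
2021-03-16T10:00:03 203.0.113.5 dave@example.com LOGIN_FAIL
2021-03-16T10:00:03 203.0.113.5 erin@example.org LOGIN_FAIL
2021-03-16T10:00:04 203.0.113.5 frank@example.com LOGIN_FAIL
2021-03-16T10:00:04 203.0.113.5 grace@example.net LOGIN_FAIL
2021-03-16T10:00:05 203.0.113.5 heidi@example.com LOGIN_FAIL
2021-03-16T10:00:05 203.0.113.5 ivan@example.org LOGIN_FAIL
2021-03-16T10:00:06 203.0.113.5 judy@example.com LOGIN_OK
2021-03-16T10:01:00 198.51.100.9 mallory@example.com LOGIN_FAIL
2021-03-16T10:01:20 198.51.100.9 mallory@example.com LOGIN_FAIL
2021-03-16T10:01:45 198.51.100.9 mallory@example.com LOGIN_OK
2021-03-16T10:02:00 192.0.2.44 oscar@example.com LOGIN_OK
"""


def parse(lines):
    """Yield (timestamp, source_ip, username, succeeded) per non-empty line."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"


def stuffing_suspects(lines, window=timedelta(minutes=5), min_users=8, max_ok_ratio=0.5):
    """Per source IP, look for many *distinct* usernames inside a sliding window with a
    mostly-failing outcome. Thresholds are assumptions to tune per site."""
    events = defaultdict(list)
    for ts, ip, user, ok in parse(lines):
        events[ip].append((ts, user, ok))

    suspects = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            ok_count = sum(1 for _, _, ok in span if ok)
            if len(users) >= min_users and ok_count / len(span) <= max_ok_ratio:
                cand = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "successes": sorted(u for _, u, ok in span if ok),
                }
                # Keep the widest qualifying window for this source.
                if ip not in suspects or cand["attempts"] > suspects[ip]["attempts"]:
                    suspects[ip] = cand
    return suspects


if __name__ == "__main__":
    for ip, info in stuffing_suspects(LOG).items():
        print(f"{ip}: {info['attempts']} attempts over {info['distinct_users']} accounts; "
              f"compromised: {', '.join(info['successes']) or 'none'}")
```

Two caveats from practice: attackers spread attempts across residential proxies precisely to stay under per-IP thresholds, so correlate on user agent or TLS fingerprint as well, and treat every account in `successes` as compromised even if the attacker has not used it yet.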
Most of the time, the attackers’ purpose in each of these forms of attack is to get access to data or actual accounts to enable the commission of payment fraud. There are multiple forms of payment fraud, and sometimes, bad actors change up the game to steal what they want. They can get very creative indeed.
Then there’s the creative stuff…
In a March 16, 2021 post over at bleepingcomputer.com, Ionut Ilascu detailed a payment fraud scheme hackers were using to get their hands on payment card data from compromised online retailers without leaving the usual traces associated with such hacks.
Instead of leaving the tracks one would expect to find, hackers found a novel way (using recent developments in steganography) to save the stolen data in image (.JPG) files on the victims’ compromised sites. They could then download the image files without arousing suspicion.
The bad actors used a Magecart attack to steal shoppers’ data during the check-out process, but it was their simple means of getting the data from the compromised systems to their own servers that pushed the criminal creativity envelope. It worked very well, until it was discovered.
But Magecart “skimming” attacks will continue to be a problem through 2021 and beyond, and of course, they don’t represent the only threats to e-commerce retailers.
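Whatever the exfiltration channel, a Magecart skimmer has to run as JavaScript on your checkout page, so the first control is knowing exactly which scripts that page loads. The block below is an added example, not code from the article or from any platform: it parses a checkout page, flags external scripts from hosts outside an allowlist or loaded without Subresource Integrity, and flags inline scripts that reference payment fields. The page HTML, the allowlist, the hostnames and the inline snippet are all constructed for the example.

```python
"""Audit the scripts a checkout page loads for Magecart-style injection risk.
Added example (not the article's code). Page, allowlist and hosts are constructed."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the shop's own origin plus one approved payment SDK host.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "js.payments.example"}

# Strings that rarely belong in an inline script on a checkout page.
SKIMMER_HINTS = ("cardnumber", "cc_number", "cvv", "document.forms", "atob(", "fromCharCode")


class ScriptCollector(HTMLParser):
    """Collects external script (src, integrity) pairs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.external.append((a["src"], a.get("integrity")))
            else:
                self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def audit_checkout(html, page_host):
    """Return [(finding, detail)] for scripts that should not be on a checkout page as-is."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity in parser.external:
        host = urlparse(src).hostname or page_host  # relative src means same origin
        if host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("unexpected script host", src))
        elif host != page_host and not integrity:
            findings.append(("third-party script without SRI", src))
    for body in parser.inline:
        low = body.lower()
        hits = [h for h in SKIMMER_HINTS if h.lower() in low]
        if len(hits) >= 2:
            findings.append(("inline script touches payment fields", ", ".join(hits)))
    return findings


def sri_hash(script_bytes):
    """The integrity= value that pins an approved third-party script to its current content."""
    return "sha384-" + base64.b64encode(hashlib.sha384(script_bytes).digest()).decode()


# Constructed checkout page: one pinned SDK, one unpinned, one rogue CDN, one inline skimmer-like snippet.
PAGE = """<html><body>
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v3/sdk.js" integrity="sha384-abc" crossorigin="anonymous"></script>
<script src="https://js.payments.example/v3/analytics.js"></script>
<script src="https://cdn.static-assets.example/jquery.min.js"></script>
<script>
var f=document.forms[0];f.addEventListener('submit',function(){var d=f.cc_number.value+'|'+f.cvv.value;});
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_checkout(PAGE, "shop.example"):
        print(f"{kind}: {detail}")
```

Run this against a rendered copy of the checkout page on a schedule and diff the output; a new host or a new inline script appearing is exactly the event you want to be paged on. Pair it with a `Content-Security-Policy` whose `script-src` lists the same allowlist, so the browser refuses anything the audit would flag.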
Let’s think about payment fraud for a moment.
As you might have gathered from the sorts of attacks we mentioned above, the ultimate goal where e-commerce retailers are concerned is payment fraud.
Payment fraud is really a type of identity theft that’s a staple for cybercriminals who target vulnerable retail enterprises. In fact, the availability of stolen credit card data for would-be cybercriminals, and the ready access to tools and help for stealing data directly, are keys to understanding the explosive growth in online payment fraud, including so-called “clean” fraud and chargeback fraud.
Clean fraud involves the use of stolen payment details of verified, genuine purchasers to make fraudulent transactions look clean.
Chargeback fraud (“friendly fraud”) involves customers who keep items they’ve bought online from e-commerce retailers but claim refunds for the kept items. The refund claims are usually based on assertions that a customer paid multiple times for a purchase or never made the purchase at all, or that the item purchased was never delivered.
Technology solutions to address such payment frauds are forecast to be retailer priorities in 2021.
“Oh, good – I feel so much better now…”
Sorry about all this – please don’t shoot the messenger.
It’s not our intent to push anyone into deep paranoia or have retailers wandering around constantly second-guessing their site security issues. What we’ve shared thus far is – we hope – enough to drive home the importance of taking e-commerce retail cybersecurity more seriously in 2021.
So, as an e-commerce retailer, what best practices should you adopt, and where can you look for help and advice?
There are some key – even generic – areas in which you can be proactive for the rest of 2021, and beyond.
Best Practices for 2021
Start with a site security audit
Even if you’re already convinced that you should upgrade your e-commerce site’s security, you can’t make effective improvements unless you have a clear picture of your current security measures and their effectiveness.
If you have that information, that’s great. If not, you should consider starting with a site security audit. You can start with basic questions about security issues for any website that processes financial or personal consumer data – even small sites belonging to “solopreneur” retail businesses.
You should NOT assume that everything has been handled for you by your e-commerce platform provider.
It’s also possible, depending on the size of your business, to get a full-blown professional security audit for your site or network, including cloud resources. Such audits are usually very thorough, and customizable to one’s e-commerce business needs.
There are many security consultancy firms providing such audits in 2021, and they offer options to fit a variety of site sizes and budgets. The odds are good that wherever you’re based, there will be local consultants capable of providing this service to you.
A good site audit will identify existing vulnerabilities and advise you as to measures you can take to plug gaps and adjust your infrastructure proactively for better protection against cyberattacks.
Learn and follow compliance standards – and don’t forget privacy legislation
You may already have taken steps to see that your retail site adheres to some well-known compliance standards. They cover such matters as the collection and storage of credit card data, website infrastructure, risk-aversion practices, and more.
Compliance standards like PCI DSS (Payment Card Industry Data Security Standard) can be complicated. They require serious and consistent attention to detail, and retailers should inform themselves as to their compliance obligations.
Some standards are compulsory, while others (like various forms of ISO compliance) are worth the effort required to attain them or are viewed as prerequisites to success in particular markets.
There are also data-handling compliance requirements imposed by privacy legislation. If your e-commerce business deals with customers in the European Union, for example, your data-handling practices, privacy procedures, cookie usage, and other aspects of your business fall under the GDPR (General Data Protection Regulation).
The GDPR’s requirements are detailed and specific, the guidance and enforcement around them keep evolving, and non-compliance carries heavy penalties. Their effect is to make your use of industry-standard online security practices a requirement of doing business with EU-based consumers.
Talk with partners and platform providers
If your e-commerce business depends on online interactions with partners, including suppliers and shippers, engage them in a conversation about security.
Because their systems and yours should ideally complement each other in ensuring system security and data protection. If the systems don’t play well with each other for any reason, there may be security gaps through which attackers could gain access.
If a partner experiences a database breach, your business may be compromised.
You should also use security resources and practice suggestions provided by your e-commerce platform.
Your job is to provide security for your e-commerce site and your data. It’s your platform provider’s job to see to matters of platform stability and security.
It doesn’t matter whether you use Magento, or Shopify, or BigCommerce, or some other provider. They have to cope with huge data management problems and they’re not immune to security issues either.
Your platform probably does a great job, but you share responsibility for the security of cloud-based resources and you rely on the provider for critical infrastructure. Learning the practices that enhance its security efforts will enhance your own and minimize risk.
Don’t ignore third-party vulnerabilities
If you use third-party apps for site infrastructure or to enhance user experience, you should review them regularly to see that they’re serving you well. You should also update them regularly and check periodically to ensure that they have no known vulnerabilities.
That sort of information isn’t hard to find. In fact, if you use WordPress, for example, there are security providers who offer monthly reports of known plugin vulnerabilities that might open a WordPress site to attack.
Dude, fix your password policies
How often have all of us seen warnings about improving password policies?
Even in basic personal computer use, most people get lazy or sloppy, using the same passwords on different sites or adopting easily guessed words and phrases because they’re also easy to remember.
That will be enough of that, especially in 2021 and beyond.
Apart from any password-handling weaknesses in the operating systems you run, e-commerce retailers do themselves and their customers a major disservice by not enforcing strong (long, unique, not previously breached) passwords.
The availability of password managers like 1Password, LastPass, and similar applications means that users can no longer complain about being unable to make up or remember strong passwords. This is important because, left to themselves, users tend to build passwords out of the very personal data (names, birthdays, e-mail addresses) the passwords are meant to protect.
As simple and trite as it seems, passwords continue to be a major vulnerability, especially as hackers develop increasingly powerful brute-force resources to force user accounts. As a result, a strong password policy for users and employees is no longer just desirable in 2021.
It’s a necessity.
Tip of the iceberg, much?
This is one of those subject areas in which there’s so much more to say. Still, we want to leave you with a few more key take-aways:
- Point of Sale (PoS) systems need enhanced malware protection – data skimming is on the rise and it’s not going to go away in 2021. The bad guys are getting more creative here too. Check your PoS systems.
- Think seriously about restricting internal data access to those employees who actually need regular access. Where possible, you should layer access as well. Not everyone needs the same level of access “depth.”
- Find a practical, reliable backup solution for your e-commerce data. Off-the-shelf is much more cost-effective and sometimes more reliable than a custom solution, and you don’t necessarily sacrifice security. Think about redundant backups – local, physical off-site, AND cloud-based – as this is one area where a little extra paranoia and expense are justified. If possible, avoid manual data back-up. It’s a time-consuming pain in the neck.
- Consider adding two-factor authentication to your site for all users, and make it mandatory for administrator and staff accounts. If you do, your level of security rises dramatically and immediately, because a stolen or stuffed password alone no longer opens the account.
- Depending on the platform and/or CMS you’re using for your retail site, consider adding a robust security extension that offers a suite of security protection services. WordPress users may already be familiar with plugins from Wordfence, iThemes, CleanTalk, and many others. There are also external 24/7 monitoring services, like the one provided by WeWatchYourWebsite.com, that examine your entire site at regular intervals and compare the results to a clean benchmark version.
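The two-factor option most platforms offer is a time-based one-time code (TOTP, RFC 6238) from an authenticator app. The server side is small enough to show in full, and seeing it makes the operational details obvious: the shared secret is the thing to protect, verification must tolerate a little clock skew, and an already-used code must be rejected so that a phished code can’t be replayed. The block below is an added example, not code from the article or from any platform; the only non-random secret in it is the RFC 6238 test key, used so the output can be checked against the RFC’s published vectors, and the issuer name and account are illustrative.

```python
"""Server-side TOTP (RFC 6238) enrolment and verification with the standard library only.
Added example (not from the article). RFC_SECRET_B32 is the RFC 6238 test key."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def new_secret(nbytes=20):
    """Random shared secret, base32-encoded for authenticator apps. Store it encrypted at rest."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def provisioning_uri(secret_b32, account, issuer="ExampleShop"):
    """otpauth:// URI to render as a QR code at enrolment (issuer/account are illustrative)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def _decode_b32(secret_b32):
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))  # re-add any stripped padding


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """Code for the time step containing `at` (seconds since the epoch; default now)."""
    at = time.time() if at is None else at
    return hotp(_decode_b32(secret_b32), int(at // step), digits)


def verify_totp(secret_b32, code, at=None, step=30, digits=6, skew=1, last_counter=None):
    """Accept the current step +/- `skew` steps, compare in constant time, and refuse any
    counter <= last_counter so a captured code cannot be replayed.
    Returns the accepted counter (persist it as the new last_counter) or None."""
    at = time.time() if at is None else at
    key = _decode_b32(secret_b32)
    now = int(at // step)
    for c in range(now - skew, now + skew + 1):
        if last_counter is not None and c <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, c, digits), str(code)):
            return c
    return None


# RFC 6238 test key ("12345678901234567890"); at t=59 the 8-digit SHA-1 code is 94287082.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "jane@example.com"))
    code = totp(secret)
    accepted = verify_totp(secret, code)
    print("code", code, "accepted at counter", accepted)
    print("replay accepted?", verify_totp(secret, code, last_counter=accepted) is not None)
```

Rate-limit the verification endpoint as well: a six-digit code with a three-step window gives an attacker roughly a 1-in-333,000 chance per guess, which only stays negligible if guesses are throttled.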
As we said, these aren’t the only considerations for e-commerce retailers in 2021, but we hope we’ve shown you some things you hadn’t considered before, and made you think about some critical e-commerce site security issues.