Securing E-Commerce in an Age of Relentless Cyber Threats

E-commerce businesses face significant cybersecurity threats, accounting for 75 percent of all fraud, data breaches, and financial theft. These businesses are prime targets for cybercriminals, who exploit weaknesses in third-party software, payment gateways, and customer account security, leaving online stores vulnerable to devastating attacks.
A data breach can cause significant disruption to operations, limit productivity, and result in financial loss. An inadequate response to a breach only compounds the issue. Staying informed about the top threats to the retail and e-commerce sectors enables you to take a secure approach to decision-making, implement stronger security measures, and protect your business from potential disruptions and financial loss that ultimately affect your customers.
Third-Party Software Risk
E-commerce businesses rely heavily on third-party software for operations, from content management systems (CMS) and payment processors to marketing tools and inventory management. While convenient and in most cases necessary, leveraging third-party software exposes your business and customers to risks if providers are compromised.
Cybersecurity experts can help implement this, but if your budget is limited, one of the most cost-effective things you can do to improve third-party security before engaging such services is to ask prospective providers about their information security programs, and then use that information when deciding which provider to work with. This practice is known as third-party risk management (TPRM). Choosing vendors that take security seriously can have a huge impact on the security of your e-commerce business.
Equally important is keeping third-party software up to date. In particular, if you're running a website on a CMS like WordPress, regularly update plug-ins and any internet-facing tools to minimize vulnerabilities. Insecure or outdated plug-ins are a common entry point for attacks, and the time between a vulnerability being disclosed and being exploited at global scale keeps shrinking, often leaving a day or less to patch before attackers try your site. Keeping your internet-exposed software updated can dramatically reduce the chances of your store being hacked.
Credit Card Skimmers
While we often hear about credit card skimmers at sketchy ATMs and gas pumps, e-commerce sites are another popular target. But instead of gluing a physical skimmer on top of the legitimate card reader, attackers exploit vulnerabilities in popular e-commerce platforms such as Magento and Shopify to inject extra JavaScript into your e-commerce site. The injected code captures the credit card numbers your customers type and sends them to the attackers.
This type of attack is referred to as a Magecart attack, after one of the gangs that first started hacking Magento sites and skimming credit card numbers. According to Sansec, criminals compromised over 5 percent of Adobe Commerce and Magento stores in the summer of 2024. Mitigating this risk is primarily handled by the steps detailed in the third-party software risk section above. If criminals can’t gain unauthorized access to your website authoring tools, they can’t embed their malicious, card-stealing scripts into your payment pages.
Account Takeover Attacks
Account takeover (ATO) attacks are a common problem, often caused by customers reusing poorly chosen passwords across sites. If another site is breached, attackers can use leaked credentials to access your site, impersonate users, and make unauthorized purchases. Through no fault of your own, this results in chargebacks, refunds and financial losses.
To mitigate this, offer federated login options through identity providers such as Google, shifting credential security to providers that invest heavily in it. Another option is to implement passkeys, which are bound to your site and so cannot be reused from another site's breach.
By staying informed and prioritizing cybersecurity, you not only safeguard your business against downtime and financial loss, but also build and earn trust with your customers, ensuring they feel secure when shopping with you.
Phil Brass is a senior evangelist for DirectDefense, an information security services company.

Phil Brass brings more than 30 years of experience in security consulting and software engineering, including five years of writing security assessment tools and more than 15 years in consulting. Phil is a subject matter expert on application security programs, secure development lifecycle, assessment technologies, code review, and manual testing of application security, and leads a large consulting team delivering all of these services and more.
Prior to joining DirectDefense, Phil served as Director in Optiv’s Threat Management community. Before joining Optiv in 2009, Phil was employed at Internet Security Systems (ISS) as a Windows security expert, X-Force researcher, software engineer, and team lead on the Internet Scanner 5 project. He also spent two years managing software engineering projects at ISS.
Phil has extensive knowledge in software engineering, programming languages, network communications protocols, relational databases, and all things in security as they relate to those technologies.
Prior to his time at ISS, Phil worked as an Application Engineer and Software Architect in the healthcare information systems sector, where he focused on protocols and communications with diverse hospital systems, data warehouse implementation, and high-level architectural design of distributed inventory management systems.