5 Types of Security Vulnerabilities in E-commerce and How to Protect Against Them

Beyond Identity Blog | Tuesday, October 26, 2021

Security risks have always existed for e-commerce businesses as attackers attempt to exploit vulnerabilities to gain access to customers’ personal and financial data. E-commerce is such a hot target for hackers that online retailers saw a 50% jump in cybercrime in 2020. Leaving security vulnerabilities in e-commerce unaddressed can cause significant damage to a company and its customers, erode customer trust, harm the bottom line, and even potentially put an organization in legal jeopardy.

The fallout when e-commerce sites are targeted by hackers

The allure of e-commerce sites to a hacker is obvious: a successful hack exposes sensitive data for the taking, such as names, addresses, e-mail addresses, and most importantly, credit card numbers.

Online brands like Booking.com and Neiman Marcus have fallen victim to data breaches. But the big e-commerce brands aren't the only ones attacked either. Due to the investments that larger brands have made in their security infrastructure and resources, an attacker might find it easier to attack a small or mid-sized e-commerce website because it's far more likely to have holes in its security practices, making it an easier target.

E-commerce websites that are victims to cyber attacks can expect a loss of customers, fines, and business disruptions for weeks, months, and even years.

Loss of customers

One of the biggest, and likely longest-lasting, effects of an e-commerce hacking attack is a loss of customers. In an attack, hackers steal customer information resulting in credit card fraud, compromised credentials, and loss of trust. 

Unfortunately, trust is difficult to build yet easy to break. And once a customer loses trust in a company, they are often unwilling to make purchases or use its services creating long term retention issues for the company. 

For small and medium-sized businesses, that can be a death knell. And with only about one in eight small businesses prepared for cyberattacks, hackers know that these e-commerce websites are easier to hack.

Even if an attacker does not gain access to customer information but causes other damage, it may harm website operations. Your e-commerce store may malfunction, preventing customers from making purchases.

Fines

Financial losses aren't limited to losing customers, and a hack may expose your e-commerce business to potential legal trouble. Regulators are increasingly focusing on data security and expect e-commerce websites to handle customer data appropriately. In fact, by 2023 65% of the world’s population will be covered by some form of a privacy regulation. 

Sites found to be negligent may face fines from local, state, and federal agencies like the Federal Trade Commission (FTC) for not properly safeguarding consumer data. The financial trouble doesn't stop there: insurance premiums may rise, and you may get less favorable terms from credit card processors, too.

Disruption of business operations

A hack, by nature, is a disruptive event. Responding to one is an "all hands on deck" moment, redirecting the business's efforts away from selling your products to resolving the issues the cyber attack raised. It may disrupt other aspects, too, such as your supply chain and customers' access to your website.

Hackers might redirect visitors to other sites or inject malicious code into your product pages. They might shut down the site, leaving you scrambling to figure out the cause. 

Some vulnerabilities are the same in e-commerce sites as they are on other types of websites. For example, hackers can use SQL injection vulnerabilities on any website. However, some vulnerabilities are more common on e-commerce sites. Learn what are the most common vulnerabilities, why hackers use them, and how to protect your business.

1. Bot attacks

Attackers may use bots to exploit a vulnerability quickly and repeatedly. For example, an attacker might notice that a particular e-commerce site's web server uses SSL encryption but does not have HTTPS enabled on its page. In that case, they may create a botnet consisting of thousands of computers and instruct them to attack this site.

The bot network exploits the vulnerability, gaining access to the system. Bots may also be used to remotely change your prices, launch DDoS attacks, and more.

Prevent this by:

  • Implement passwordless authentication: It stops credential-based attacks executed by bots because the password does not exist for authentication.
  • Keep an eye on your traffic: Monitor web traffic, both where it's coming from and how much. A sudden spike from a particular location might indicate that you're under attack.
  • Monitor for failed login attempts: Another sign of a bot attack is a sudden surge in the number of failed login attempts. Bot networks are often used for credential stuffing attacks.
  • Protect exposed APIs and mobile apps: Web-exposed APIs and mobile apps need to be adequately secured. These public-facing portions of your web business are likely to get the most attention from malicious actors.
  • Consider a bot mitigation solution: There are platforms available that look for the telltale signs of a bot attack and automatically divert bot traffic away. One big downside is their cost, which could be too much for many small and mid-sized businesses.

2. Credential stuffing 

Credential stuffing describes the practice of using leaked username and password pairs to gain unauthorized access to systems that reuse credentials or employ weak authentication methods.

This kind of attack highlights the significant issue with passwords as it’s estimated that compromised passwords are responsible for 81% of all data breaches. Even when organizations protect themselves, alphanumeric passwords are often pilfered through phishing and keystroke logging.

Credential stuffing is on the rise because it works: It allows attackers to gain unauthorized access to multiple accounts without writing any custom malware or using zero-day vulnerabilities.

Prevent this by:

  • Eliminate passwords: Credential stuffing works so well because passwords are inherently insecure. Even the most complex passwords can eventually be guessed. Consider moving to passwordless authentication.
  • Monitor failed logins: Even if you follow zero trust best practices, it doesn't hurt to monitor your logs. If you notice an uptick in the number of failed logins, that's another sign that attackers might be trying to use leaked credentials against you.
  • Use passwordless Multi-Factor Authentication (MFA): Traditional MFA is insecure  and by switching to passwordless MFA you can protect customer’s data without using weak factors like SMS text messages and one-time codes. 

3. Phishing

Attackers may attempt to send e-commerce customers phishing emails that appear as if it was sent from a legitimate online retailer. For example, an attacker may send a customer an email advertising a sale that looks like a real sales email but alter the links to lure the end user to their spoofed version to steal information.

If the customer clicks the link, they are within the attacker's grasp, and they might not know until it's too late. While hackers spoofing your e-mails is unfortunately something you might not be able to control directly, you can take steps to prevent malicious third parties from tricking your customers. You can send helpful prevention tips to your customers like the ones below. 

Prevent this by:

  • Educate users: Tell your users to never send personal information over email, be cautious opening unsolicited emails, and check links in emails before clicking on them.
  • Eliminate passwords: Malicious actors can’t scam a user into handing over their password via a spoofed web page if there’s no password to steal. 
  • Implement risk-based authentication: Set up risk-based authentication that can prompt step-up authentication when higher assurance of identity is needed to protect customers.

4. Account takeover fraud

Attackers may use vulnerabilities to take over an e-commerce customer's account. If usernames and passwords are stored in plain text instead of hashed or encrypted that’s almost an open invitation for a hacker. Even hashed passwords are not good enough because users notoriously reuse passwords and credentials are bought and sold on the dark web. 

If this happens, an attacker can use these credentials to hijack the customer's account. They could do this by changing the email address so future correspondence is sent to them instead.

Prevent this by:

  • Implement passwordless authentication for customers: Eliminating passwords stops attackers from using common and easily guessable passwords to brute force attack accounts. In fact, passwordless authentication for customers accounts stops any and all password-based attacks. 
  • Hash or encrypt sensitive information: Encryption scrambles data so that only the encryption key can decipher it. 
  • Limit the number of login attempts: Limiting failed logins can prevent attackers from trying all possible combinations in an attempt to access accounts on your web server. Prohibit multiple failed logins (typically three to five attempts) to help prevent an attack using brute-force techniques.
  • Check for suspicious behavior: Attackers may perform activities while they're signed in to an account out of character for the legitimate user, such as making changes to the account and then making a purchase soon afterward. Have a system in place that monitors online transactions for suspicious behavior and unauthorized transactions.
  • Add adaptive risk-based authentication: By using real-time user and device signals you can root out bad actors. 

5. Brute force attack 

Attackers may attempt to use a brute force attack on an e-commerce site. For example, if the username for this website is "admin" attackers could try passwords consisting of "admin," "password," "abc123," and so on.

Prevent this by:

  • Use passwordless authentication: With passwordless authentication, the problem of easy-to-guess passwords is eliminated.
  • Block login attempts after too many failed attempts: Sensing a pattern here? This is probably one of the first things you should implement  if it isn't in place already. It's an easy way to stop brute force attacks from being effective, as well as other attack vectors.
  • Monitor suspicious logins: Is a user logging in from a location far away from their typical location, or an unknown device? Tracking these variables and using the data to determine if the user is who they say they are can stop a brute force attack in its tracks.

The earlier vulnerabilities are identified, the easier it is to fix them. While you should stress test your web server, hiring a hacking expert to test your e-commerce store for common security vulnerabilities might be an equally good idea.

You can prevent most vulnerabilities if they are identified early enough in the development cycle and your developers use secure programming techniques while writing code.

Protect your e-commerce business with Beyond Identity

Eliminate fraud and improve your customer authentication experience with our Secure Customers product. Our SDK allows you to launch passwordless authentication across both native and web applications and increase customer conversion rate. Passwords, second devices, one-time codes, and push notifications are now a thing of the past.

With our solution, attackers lack the passwords needed to gain access to an account. Give your customers full protection against the most common attacks, with immutable credentials backed by private keys replacing passwords that never leave the device TPM. 

Learn more about the future of authentication in action and get a demo today.