Digital transformation—two words that each bubble with power (and a little overuse). Despite whatever emotions surface on hearing those two words, you need to understand what they mean for your consumer business to succeed in today’s new digital order. You own the challenge of guiding your business through change and disruption to come out on the other side transformed and thriving.
E-commerce might as well drop its “e” as more commercial businesses survive by moving online, in whole or part, to stay competitive. Even businesses that succeed with brick-and-mortar storefronts rely on customers browsing or competitively shopping online. Maintaining a high level of security while establishing, running, or transferring to a digital business is a challenge. Traditional brick-and-mortar companies now have to adapt to convenient digital shopping carts, 24-hour availability, an endless selection from virtual storehouses, fast shipping, and branded blogs hosted in the cloud and tied together by a ball of rubber bands we call APIs.
The best way to secure your online or cloud-based business is to build security in from the start. New platforms, solutions, and application-based infrastructures require new ways of thinking. New pitfalls await companies entering cloud-based businesses. If you aren’t starting a newborn e-business, these cloud-based security considerations stand. Do a thorough audit and update of your security environment and consider updating or supplementing existing tools. (These guidelines should help!).
Regardless of whether you are newly born to e-commerce, old hat, or migrating existing businesses, here are specific e-commerce security vulnerabilities and practices you’ll want to pay close attention to. Not watching security is like boring holes in the structures that keep your business afloat.Sharing Responsibility for Your Security
Security is not automatic in the cloud. Cloud providers provide basic infrastructure security and physical security for the servers your code will execute on. However, you’re always responsible for the security of any data held in the cloud and web applications that touch your business and services. Ignoring this shared responsibility is a common cause of major data breaches like Walmart’s 2018 breach.
Amazon Web Services (AWS) has a published shared responsibility model, which every AWS client should read. (You can find it in their Security Best Practices white paper.) As more services are added to AWS, security complexity rises—questions, responsibilities, solutions, et al.—and the points where vulnerabilities may appear will increase in frequency and complexity, too. Get to know the shared responsibility model well so you can plan in advance how to put it to use effectively for your applications.
Once you know your responsibility, you need to invest in truly effective solutions that are designed for e-commerce. Namely: the right cloud-designed security tools that work with your infrastructure paired with good dev-side security testing. Ease-of-use should be paramount without sacrificing security, so look for automation and strong UI. If you won’t use a solution, it’s not really a solution.
In Cloud Security:
Business changes as quickly as the data coming and going from the cloud. Keep your security as targeted and agile as your business models. You don’t have to sacrifice speed or performance for security provided you have the right tools for your environment, configured to the objectives, and easily implemented and fully adopted by your practitioners.
If you are producing your own e-commerce applications, protect yourself before you go to market. An intelligent tool that fits into your pipeline can monitor for threats and abnormalities in your own code. Once in production, vulnerabilities not only become more dangerous, they become much more costly and time-consuming to fix or recover from, should they lead to attacks or breaches. When looking for a DevOps security tool, look for the following:
Invest in the right tools to expose sensitive data and security weaknesses. Fix issues as they arise while building your applications instead of tacking security on at the end. Build security into your CI/CD process to alert you early and often to security problems in your code.Common Risks for E-Commerce Businesses
Every industry has unique risks and security pitfalls to avoid. Let’s take a look at some security risks common to e-commerce businesses and how to prevent them.Account Takeover
Don’t let hackers undermine the legitimate customer data your business hinges on. Account takeover occurs when a malicious hacker steals a legitimate user’s credentials for a site and uses them to perform actions the user didn’t intend. Account takeover is a persistently serious issue for e-commerce businesses, causing $5.1 billion in losses in 2017 alone.
Phishing attacks are a major cause of account takeover. Attackers email users by impersonating a brand— going so far as to steal real brand logos or slightly dissimilar URLs to look legitimate. You’ve probably received one of these phishing attempts in your own inbox.
Phishing emails often ask for the user’s credentials or personal data using social engineering tactics, like fear and urgency. They may claim to protect the targeted customer.
For example, an email may claim a user’s account will be shut down or compromised if they don’t authenticate their account or transactions by entering their username and password immediately. “Your data may have been compromised. In order to check on potential fraud to your account, please login here with your name and password.”
Or, they may promise rewards or discounts in exchange for entering personal data, like a social security number. “You’ve been preselected for a federal loan consolidation program based on your student debt and credit rating. Please enter your social security number to access this limited time relief program.”
What can you do to avoid phishing attacks on your customers? The best way to protect users is to educate them. Clearly inform them up front that you will never ask for passwords or personal data, except as defined by your business. More proactively, consider educating customers on phishing attacks before attacks occur using your brand. You’ll help your branding by presenting yourself as a responsible steward of their data and bolster your system security at the same time.Back all user education initiatives with technical steps to keep user data safe. Here are some to consider:
No good deed goes unpunished, as skeptics and shrewd businessmen may say. Bonuses are important tools for building a loyal customer base and attracting new customers. Unfortunately, some malicious users attempt to abuse bonuses to steal more value than they have a right to.
Promo abuse is often seen when users create multiple accounts to try to take advantage of the promo over and over again. Elon Musk shut down Tesla’s referral promo when some owners paid for Google ads promoting their codes. One Uber rider gamed their promo code system and gathered $50,000 in free rides.Don’t let thieves spoil the spoils. Stopping promo codes completely is a cost to your business and can limit customer goodwill initiatives. Opt to create processes and tools to monitor for suspicious activity and shut it down. There are a number of ways to do this. The simplest way is to limit accounts:
A less invasive option is to use behavioral analytics to watch new accounts for suspicious behavior, such as sending out referrals immediately without looking at any products. Depending on your business model and how aggressively you want to pursue promos, you can apply parameters for limiting and monitoring accounts.The Good, the Bot, and the Ugly
Small, automated software programs—or bots—have made a multitude of tedious tasks easier to complete in less time. They are usually streamlined for very specific functions. Search engines use bots to scan and index web pages on the Internet. Chatbots make customer support easier for e-commerce and SAAS companies. Bots can monitor websites for performance problems or tell you the news and weather on demand.
Not all bots have your best interest at heart. Many bots have been created to create an unfair competitive advantage. Some predatory bots can scrape a site for inventory and prices to underbid vendors based on this insider knowledge. Other bots are maliciously designed to attack a site.
A particularly ugly bot of late is designed to perform account takeover attacks. They can be used to buy products with stolen credit card numbers or buy out your inventory in order to sell items for higher prices elsewhere. They can also be used to perform distributed denial of service (DDoS) attacks against your site.
As with any relationship, there is an innate vulnerability that comes with using an outside service. Using third-party bot software to provide customer service makes a lot of business sense, providing the vendor is good about security. Make sure all your bot vendors follow strong security practices. A careless bot vendor could result in having your customers’ data stolen by attacking the insecure bot software.
What is the best defense against bot-based attacks? AI, or machine learning, is probably the most powerful tool to prevent bot attacks. Only monitoring for known vulnerabilities can fall short of bots, which operate like non-malicious bots from a surface view. Machine learning can monitor traffic over time, creating a baseline of normal behavior. Behavioral analytics tools so determine what normal behavior looks like and then flags behavior that deviates as abnormal. That abnormal behavior could easily be a malicious bot.
Using intelligent solutions also means that your tools can get smarter as they grow with you. It can learn from both experiencing your traffic and learning from how you respond to alerts and flags. And, your developers will learn with it, seeing weaknesses in the code before it’s too late. Build protection into your applications that alert when bots are detected so they can be blocked quickly.Navigating the Compliance Landscape
E-commerce businesses have to think about compliance and regulations early in planning for any online presence. The number of regulations to be followed will undoubtedly increase over time as more governments notice the importance of privacy and security for end users. Insurance companies struggling with how to think about data privacy and protection are also pushing the needle for stricter security accountability on the part of business owners.
Let’s dive into some specific regulations you have to plan for in an e-commerce business.Managing PCI Compliance
Every e-commerce business should think about PCI compliance early—and check compliance regularly. (PCI, or PCI DSS, is shorthand for Payment Card Identity Data Security Standard.) The digital world is constantly evolving. PCI compliance is especially challenging for e-commerce because of continually shifting requirements based on how companies may transmit, store, and process payment card information. New payment forms, methods, and landscapes are continually being introduced. And your business needs to keep up. A company like Apple can introduce new payment methods without thinking of every e-commerce storefront that will feel the benefit of quickly adopting it.
Let’s use integrating with PayPal as an example. PayPal is what PCI refers to as a Payment Service Provider—or PSP. PSPs have a direct relationship with credit card companies and banks. They do the “dirty work” of processing the credit card transactions between a vendor and consumer. Using payment gateways like PayPal can simplify your compliance requirements under PCI. Unfortunately, simplification isn’t the same as doing away with compliance.Using PSPs doesn’t absolve you of all responsibility for PCI compliance. Variations in infrastructure or processes can determine compliance—and, in reality, your vulnerability to attacks and breaches. Technical details unwaveringly affect what you need to do to remain compliant. Let’s examine two basic scenarios that change PCI compliance when using PayPal as an example of PSP use:
Check out PCI’s e-commerce best practices to see what your business will need.
APIs are invaluable for making highly adaptive, quick-responding, multi-functional e-commerce landscapes for businesses. They also come with added responsibility, which includes additional security testing that should function at the application level. For payment processing, consider the costs and benefits of hosting payments on your site with APIs or using a PSP.GDPR and Other Regulations
As governments get wind of the downsides of the connected world brought forth by the Internet, more regulations will be coming. GDPR was the start of strong regulation of the privacy and data of end users, but it isn’t the last.A great article by Yottaa outlines the steps e-commerce businesses can take to become GDPR compliant:
Regardless of your long-term strategy, GDPR and other regulations will have an impact on your e-commerce site. Don’t wait to determine the impact of GDPR and up and coming regulations such as CCPA. These sorts of regulations come from legitimate concern for and awareness of the potential damage to consumers when their data is misused or breached.NIST Compliance and Certification
The National Institute of Standards and Technology (NIST) provides IT security standards for the United States government and government contractors. Compliance isn’t a hardline requirement for every business, but it is a good practice.
NIST’s standards are high and thorough. A business compliant with NIST standards is complying with the minimum standards that government systems must comply with. NIST certification demonstrates that you take security seriously and use industry best practices to keep your customers safe.End User AuthenticationThe prevalence of account takeover attacks has encouraged companies to find stronger and multiply-sourced authentication practices. Authentication is the practice of identifying and verifying someone in a digital format. Popular authentication practices are:
Many e-commerce companies are moving to two-factor authentication options and/or biometrics to better combat account takeovers (think of your fingerprint or facial recognition locks on smartphones which are used to access the phone, apps, or verify mobile transactions.). Two-factor authentication forces the user to provide two proofs of identity. Users are prompted to register or confirm who they are using two forms of identification, like a password and code texted or emailed to them.
In two-factor authentication, a password is often the first go-to factor offered to the user by e-commerce sites. There are a lot of options for verifying through the second factor. A popular form of authentication can be a one-time password generator or a FIDO key.
One-time password generators often take the form of phone apps, like Google Authenticator, and verify possession of the device being used for the first time. It helps identify users across devices and recognize legitimate sources of customer actions. USB keys such as Yubikey are popular options for FIDO keys. FIDO uses public key cryptography to ensure no one else has possession of a particular key.
Despite the popularity of biometrics, they are not foolproof and can be prone to false positives. No matter what security authentication factors, services, or practices you use, stay vigilant on security risks. Always consider your risk tolerance when deciding on identity authentication systems for high-security transactions.
Software installed on the user’s device can send push notifications to the user on login. These notifications have the time and the IP address of the login and ask the user to verify whether they were the ones who initiated the login attempt.
Finally, user behavior analytics can be used to authenticate identity to some degree. Abnormal user behavior, including location and times of use, can signify fraud. For example, analytics can track the IP addresses and times of the day users typically login. A login attempt from a strange place or at a strange time, like 3:00 AM, can be used to trigger a block on the login attempt and/or an email to the user to verify the legitimacy of the transaction. Banking and credit cards have been using this sort of analytics-based behavioral analysis to fight fraud for decades. Activity in another country or abnormally high-ticket purchases are common triggers for fraud alerts.
E-commerce is particularly susceptible to account takeovers or fraud activity. Invest in tools and best practices that help ensure user identity. Newer technology, like advanced, real-time analytics and machine learning that monitors for abnormal user behavior can help. Smart encryption and authentication mechanisms built into development cycles, authentication tools, and API-focused security tools can also reduce the risk of account takeover and other security issues.Five Steps to Secure Your E-Commerce Business NowLet’s summarize with five key steps you need to take to secure your ecommerce business.
The threat landscape for e-commerce is constantly changing. Implement the five steps above to keep your applications and customers safe. Keep your customers’ safety a priority in your business, and you’ll never run out of them.