Small e-commerce sites are often the target of attacks, with hackers taking advantage of companies without the dedicated security staff and expertise of a company that’s in the top half of the Fortune 500. And while breaches at smaller companies may not make the headlines (if they are detected at all), the number of small ecommerce sites – the long tail – provides a tempting volume of sites to attack.
Those who wonder how they can possibly protect themselves when eBay couldn’t, take heart. The root of the attack on eBay seems to have come from an easy-to-prevent vulnerability, and the cloud has brought with it affordable security solutions that would have been out of reach for small businesses just a few years ago.
Here are some tips for protecting your e-commerce website.
1) Close Holes in Your Website
There are two common vulnerabilities ecommerce sites should fix. Many sites, based on how their ecommerce application was built, are vulnerable to SQL injection attacks. Criminals probe web applications with SQL queries to try and extract information from the ecommerce database.
Another type of vulnerability that every ecommerce site should have an answer for is Cross Site Scripting (XSS) attacks. Cross site scripting attacks can occur when applications take untrusted data from users and send it to web browsers without properly validating or “treating” that data to ensure it isn’t malicious. XSS can be used to take over user accounts, change website content, or redirect visitors to malicious websites without their knowledge.
A web application firewall (WAF) prevents both of these direct attacks on web applications.
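To make the two vulnerabilities concrete, here is an added example (not code from the original article) showing the vulnerable pattern next to the fix for each. The product catalogue and the review text are constructed sample data; the sqlite3 in-memory database stands in for the store's real database.

```python
import html
import sqlite3


def make_db():
    """Build a small in-memory catalogue (constructed sample data, not a real store)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("Blue mug", 9.50), ("Red mug", 10.00), ("Teapot", 24.00)],
    )
    return conn


def search_products_unsafe(conn, term):
    # Vulnerable pattern: the search term is spliced straight into the SQL text,
    # so a quote character in the input becomes part of the query's syntax.
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_products_safe(conn, term):
    # Hardened pattern: the value travels to the engine as a bound parameter.
    # Whatever it contains, it is compared as data and never parsed as SQL.
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


def render_review_unsafe(author, text):
    # Vulnerable pattern: untrusted strings are written into the page verbatim,
    # so markup in a review becomes live markup for every visitor who reads it.
    return f"<p><b>{author}</b>: {text}</p>"


def render_review_safe(author, text):
    # Hardened pattern: escape for the HTML element/attribute context at output time.
    # html.escape rewrites < > & " ' so the browser displays the text instead of parsing it.
    return f"<p><b>{html.escape(author)}</b>: {html.escape(text)}</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # the textbook quote-breaking input, used here only to show the difference
    print("normal search (safe):  ", search_products_safe(db, "mug"))
    print("probe via unsafe query:", search_products_unsafe(db, probe))  # the filter is bypassed
    print("probe via safe query:  ", search_products_safe(db, probe))    # no rows: it is just a string
    print(render_review_safe("guest", "<script>alert('xss')</script>"))
```

The SQL fix is the parameterised query, not input filtering: the database driver keeps data and syntax apart, so no list of "bad characters" has to be maintained. The XSS fix escapes at output time for the context the value lands in; `html.escape` covers HTML body and quoted attribute values, while values placed inside JavaScript or URLs need the encoding for that context instead. A WAF in front of the site adds a second layer, but the code-level fixes are what remove the flaw.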
2) Beware Denial of Service Attacks
Some criminals are taking a brute force approach and flooding websites with traffic to take them offline – called a distributed denial of service (DDoS) attack. For an ecommerce site, a DDoS attack has a direct impact on revenue. Most ecommerce sites know how much they make per minute or hour. Attacks can last for hours or days. Often site owners will get a ransom note, with an amount of money specified to stop the DDoS attack.
Rather than fall prey to extortionists, ecommerce sites should have protection against DDoS attacks. This protection will also prevent cybercriminals from using DDoS as a diversion, where they probe for vulnerabilities while you are dealing with a massive flood of traffic.
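A cheap first layer of that protection, at the application itself, is a per-source request rate limit. The following added example (not from the original article) replays a constructed access log in Common Log Format through a sliding-window limiter and reports which sources exceeded the limit. The log lines, the documentation-range IP addresses and the 5-requests-per-10-seconds threshold are all assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format, as written by Apache- and nginx-style servers.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, unix_time, request) for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
    return m.group("ip"), ts, m.group("req")


class SlidingWindowLimiter:
    """Allow at most `max_requests` per source within any `window_s`-second window."""

    def __init__(self, window_s=10, max_requests=5):
        self.window_s = window_s
        self.max_requests = max_requests
        self.hits = defaultdict(deque)   # ip -> timestamps of recently accepted requests

    def allow(self, ip, now):
        q = self.hits[ip]
        while q and now - q[0] >= self.window_s:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def replay(lines, window_s=10, max_requests=5):
    """Run the limiter over log lines in time order and count the verdicts per source."""
    limiter = SlidingWindowLimiter(window_s, max_requests)
    counts = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    events = [e for e in map(parse_line, lines) if e is not None]
    for ip, ts, _req in sorted(events, key=lambda e: e[1]):
        counts[ip]["allowed" if limiter.allow(ip, ts) else "blocked"] += 1
    return dict(counts)


def offenders(counts):
    """Sources that had at least one request rejected, most-blocked first."""
    hot = [ip for ip, c in counts.items() if c["blocked"] > 0]
    return sorted(hot, key=lambda ip: counts[ip]["blocked"], reverse=True)


def constructed_log():
    """Synthetic access log: two ordinary shoppers plus one source firing 30 requests in 6 seconds.
    Addresses come from the RFC 5737 documentation ranges; none of this is real traffic."""
    base = datetime(2024, 5, 21, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, secs, path):
        stamp = (base + timedelta(seconds=secs)).strftime(TS_FMT)
        return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512'

    lines = [line("192.0.2.10", s, "/product/42") for s in (0, 30, 60)]
    lines += [line("192.0.2.11", s, "/cart") for s in (5, 45)]
    lines += [line("198.51.100.7", i // 5, "/search?q=a") for i in range(30)]  # 5 per second
    return lines


if __name__ == "__main__":
    verdicts = replay(constructed_log())
    for ip, c in verdicts.items():
        print(f"{ip:15} allowed={c['allowed']:3} blocked={c['blocked']:3}")
    print("sources to throttle:", offenders(verdicts))
```

Two caveats a practitioner should keep in mind. First, when the site sits behind a CDN or reverse proxy, the source address in the log is the proxy's, so the limiter has to key on the client address the proxy forwards, and only trust that header from the proxy. Second, a per-source limit handles a single noisy client or a small botnet; a flood from 180,000 addresses, as in the figure below, stays under any per-source threshold and has to be absorbed upstream by the kind of DDoS protection service the article recommends.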
Botnet DDoS: 180,000 bots bombarding a website for 150+ hours
3) Two-Factor Authentication for Admins
Stolen or compromised user credentials are a common cause of breaches. eBay reported that cyber attackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network. Criminals use social engineering, “phishing”, malware and other means to guess or capture usernames and passwords. Attackers also often target administrators, whom they discover on social networks, using “spear phishing” attacks to obtain sensitive data.
To stop this problem, turn on two-factor authentication. This second factor is usually a code generated via an app or received via text on a phone owned by the user. Criminals can’t steal the code, and it lasts only for a minute or two.
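The app-generated code the article refers to is usually a time-based one-time password (TOTP, RFC 6238). The following added example (not from the original article) implements the code generation and, more importantly, the server-side check: it tolerates one 30-second step of clock drift either way and refuses a code that has already been accepted, so a code captured in transit cannot be replayed within its window. The secret is the published RFC 4226/6238 test secret; a real deployment generates a random secret per user at enrolment.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, then `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current `step`-second time slot."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)


class TotpVerifier:
    """Server-side check: accept the current step plus `drift_steps` either side (clock skew,
    typing delay), and never accept a step at or below the last one already used for that user."""

    def __init__(self, step=30, digits=6, drift_steps=1):
        self.step = step
        self.digits = digits
        self.drift_steps = drift_steps
        self.last_step = {}   # user -> highest counter accepted so far (persist this in production)

    def verify(self, user, secret, code, at=None):
        if not (isinstance(code, str) and code.isdigit() and len(code) == self.digits):
            return False
        now = int((time.time() if at is None else at) // self.step)
        for candidate in range(now - self.drift_steps, now + self.drift_steps + 1):
            if candidate <= self.last_step.get(user, -1):
                continue   # replay: this step (or an older one) has already been consumed
            expected = hotp(secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_step[user] = candidate
                return True
        return False


# Published RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
# Assumption for the demo only; real secrets are random, per user, and stored encrypted.
RFC_TEST_SECRET = b"12345678901234567890"


def demo_replay(secret=RFC_TEST_SECRET):
    """The same valid code presented twice inside its window: first accepted, second refused."""
    v = TotpVerifier()
    code = totp(secret, at=59)           # time step 1 -> "287082" per the RFC test vectors
    first = v.verify("alice", secret, code, at=59)
    second = v.verify("alice", secret, code, at=70)
    return first, second


if __name__ == "__main__":
    print("code at T=59:", totp(RFC_TEST_SECRET, at=59))
    print("accept, then replay:", demo_replay())
    print("code from step 0 presented at T=95 (expired):",
          TotpVerifier().verify("bob", RFC_TEST_SECRET, hotp(RFC_TEST_SECRET, 0), at=95))
```

Because a six-digit code can be guessed by brute force if the server allows unlimited attempts, the verifier should sit behind an attempt limit per account, and the `last_step` record has to live in shared storage when more than one server handles logins.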
4) Scan Your Site for Vulnerabilities Regularly
Scanning your site regularly for vulnerabilities is a best practice. Scanners will detect the SQL injection and XSS vulnerabilities mentioned above, as well as a host of other vulnerabilities.
This information can be used to assess the security posture of an e-commerce website, as well as provide insight for engineers on how to remediate vulnerabilities at the code level, or tune a WAF to protect against the specific vulnerabilities.
5) Be Careful Who Your Partners Are
According to research by the Ponemon institute, third party providers – hosters, payment processors, call centers, shredders – have a significant impact on breach likelihood and scope. Make sure your providers have their security act together. In the ecommerce world, make sure your providers are compliant with security best practices like the Payment Card Industry’s Data Security Standard (PCI-DSS). Ask them to show you their certification.