Attackers and cyber criminals treat e-commerce sites as a source of valuable data such as credit card numbers and other PII (personally identifiable information). Protecting customers means knowing how to protect both the application and the sensitive customer data it holds. Customer trust and confidence in the brand rest on this, and both are put at risk whenever e-commerce application security is compromised.
What is wrong with the E-commerce sector?
Last year’s data breach figures (see above) show that the retail sector, which includes e-commerce, accounts for more than half of all data breaches. Let us look at some of the threats to e-commerce applications.
- E-commerce websites are exposed to fraud from external as well as internal sources: credit card fraud, false information fed into the system by dishonest employees, attackers, malware, and so on.
- Weaknesses in the internal network and in the interfaces that carry customer transactions. By pivoting through the e-commerce application, attackers can reach more critical internal systems that should have been isolated from the outside world.
- Malicious software and computer viruses are among the biggest threats. Malware arrives from external sources and can corrupt critical files on systems in the internal network, or even destroy the server on which the application is hosted, disrupting the operation of the website. Malware that has been accidentally downloaded can also steal a client’s information before any encryption takes effect.
Most often it is employees and users who open the door to attackers. According to one survey, easily guessable passwords were responsible for the initial intrusion in 31% of data breaches.
eBay, one of the world’s largest and most used e-commerce platforms, suffered a major security breach in 2014. The organization reported that more than 100 million customers were affected. It is still not clear how the intruders gained access to the eBay database, but this is definitely the right time to analyze and re-evaluate application security.
“Cyber-attackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network,” eBay recently commented. “The company is aggressively investigating the matter.”
Security experts examined the breach after it came to light last year. Access was gained by compromising an employee’s computer, although the exact technique used was not revealed. The attackers also managed to steal the hashed passwords of users. Cracking those hashes takes time and computing power, but it can be done, and weak passwords fall first. The exact number of compromised accounts is not known, but the organization estimated that 145 million accounts were affected, which makes this a massive data breach. The delay in detecting the breach gave the attackers time to probe for other log-in opportunities, and the breached information was sold online.
The reactive approach eBay had to follow
After the attack, eBay had to ask users to change their passwords, to limit the damage the attackers could do with the stolen information. The following information was breached:
- Encrypted passwords
- E-mail addresses
- Physical addresses
- Phone numbers
- Dates of birth
Impacts of Data Breach
- Business Disruption
- Loss of Trust
- Penalties by Government agencies
- Negative search engine results
- Compensation offered to the customer
- Time and effort lost in investigation
Ways to protect an e-commerce application:
The organization’s security function should enforce strict internet browsing rules for all employees. This can be achieved by blocking social networking websites, applying strict e-mail controls and encryption, and maintaining a robust BYOD policy. Effective application security is the best way to combat injection attacks and the other most frequent attacks against e-commerce applications, such as cross-site scripting (XSS).
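The two attacks named above, SQL injection and XSS, both come down to untrusted input being mixed into a query or a page as if it were code. The following is an added example, not code from the original post or from any application TO THE NEW tested: it stands up a constructed in-memory product table with one hidden product, shows a search that concatenates the user’s term into SQL beside the parameterized version, and an HTML renderer that reflects the term unescaped beside one that escapes it. The table, product names and attacker inputs are all made up for the illustration.

```python
import html
import sqlite3


def make_db():
    # Constructed sample catalogue (not real data). The hidden row stands in for
    # anything the query should never expose, such as an unreleased product.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL, hidden INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, price, hidden) VALUES (?, ?, ?)",
        [
            ("Red shoes", 49.99, 0),
            ("Blue shoes", 59.99, 0),
            ("Unreleased shoes", 0.0, 1),
        ],
    )
    return conn


def search_vulnerable(conn, term):
    # The search term is spliced into the SQL text, so a term such as
    # x%' OR 1=1 -- rewrites the WHERE clause and comments out the rest.
    sql = (
        "SELECT name FROM products WHERE hidden = 0 AND name LIKE '%"
        + term
        + "%' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    # Parameterized query: the driver sends the term as a bound value, never as
    # SQL, so the same input can only ever match a literal substring.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def render_vulnerable(term, names):
    # Reflects the term and the names straight into the HTML: reflected XSS if
    # the term is attacker-controlled, stored XSS if a product name is.
    items = "".join("<li>" + n + "</li>" for n in names)
    return "<p>Results for " + term + "</p><ul>" + items + "</ul>"


def render_safe(term, names):
    # html.escape converts <, >, &, ' and " to entities, so the browser renders
    # the attacker's text as text instead of executing it.
    items = "".join("<li>" + html.escape(n) + "</li>" for n in names)
    return "<p>Results for " + html.escape(term) + "</p><ul>" + items + "</ul>"


if __name__ == "__main__":
    conn = make_db()
    injection = "x%' OR 1=1 --"  # constructed attacker input
    print(search_vulnerable(conn, injection))  # leaks the hidden product
    print(search_safe(conn, injection))  # matches nothing
    xss = "<script>alert(1)</script>"  # constructed attacker input
    print(render_vulnerable(xss, []))
    print(render_safe(xss, []))
```

The safe search still uses string concatenation, but only to build the LIKE pattern that is then bound as a parameter; what matters is that the term never becomes part of the SQL text. Escaping on output is the equivalent rule for HTML, and it has to be done for every value that reaches the page, not only the obvious search box.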
Application penetration testing of the e-commerce portal should be carried out, and repeated on a regular basis. Such an assessment covers every aspect of the application to discover existing security weaknesses. Unlike an automated scan, this kind of testing also covers business logic, followed by validation and in-depth probing of the application, and reports any vulnerabilities found. If interested, you can check the case study of one of the e-commerce applications we tested at TO THE NEW. The following practices should be followed to prevent a breach of an e-commerce application:
- Use strong encryption (TLS) on the transmission channel
- Don’t store sensitive data in clear text
- Implement a strong password policy
- Have an intrusion detection system (IDS) and intrusion prevention system (IPS) in place
- Implement security in layers (defence in depth)
- Provide security training to employees
- Monitor the traffic and logs of the website regularly
- Perform regular PCI DSS compliance scans
- Patch your servers
- Implement a DDoS detection and mitigation service
- Use a fraud management service
- Back up your site
- Introduce red-flag indicators and security awareness
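Two items on the list, not storing sensitive data in clear text and enforcing a strong password policy, meet in the way passwords are stored, which is also what decided how much the stolen eBay hashes were worth. The following is an added example, not code from the original post or from eBay: it checks a candidate password against a policy and a constructed deny-list, stores it as a salted PBKDF2-HMAC-SHA256 hash in a self-describing record, verifies it in constant time, flags records that need re-hashing when the cost is raised, and contrasts that with a dictionary attack on an unsalted SHA-1 hash to show why a plain hash is "crackable". The iteration count, salt size and record format are this example’s own choices (the 600,000 iterations follow current OWASP guidance for PBKDF2-HMAC-SHA256); the deny-list is made up.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example; tune the iteration count to your own
# latency budget and raise it over time (needs_rehash handles the migration).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed deny-list standing in for a real breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def check_password_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < 12:
        problems.append("at least 12 characters required")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("password appears in a breached-password list")
    if password.isdigit() or password.isalpha():
        problems.append("mix letters with digits or symbols")
    return problems


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash stored as algorithm$iterations$salt$digest (hex)."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(stored: str) -> bool:
    """True when a record was hashed with weaker parameters than the current policy."""
    algorithm, iterations, _, _ = stored.split("$")
    return algorithm != ALGORITHM or int(iterations) < ITERATIONS


def sha1_hex(password: str) -> str:
    """Unsalted fast hash, the kind of record that makes a leaked table cheap to crack."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted_sha1(leaked_hex: str, wordlist) -> str:
    """Dictionary attack: one cheap hash per guess, no per-user salt to slow it down."""
    for guess in wordlist:
        if sha1_hex(guess) == leaked_hex:
            return guess
    return ""


if __name__ == "__main__":
    weak, strong = "letmein", "Correct-Horse-Battery-9"
    print(check_password_policy(weak), check_password_policy(strong))
    record = hash_password(strong)
    print(verify_password(strong, record), verify_password(weak, record))
    old_record = hash_password(strong, iterations=100_000)
    print(needs_rehash(old_record), needs_rehash(record))
    print(crack_unsalted_sha1(sha1_hex(weak), sorted(COMMON_PASSWORDS)))
```

The policy check rejects "letmein" on three counts before it is ever hashed; the stored record carries its own salt and cost so verification never depends on global state; and the last line shows that an unsalted SHA-1 of a common password is recovered in a handful of guesses, which is the reason a breach like eBay’s still forces a mass password reset even when the passwords were hashed.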
It is therefore important to take proactive steps to secure your e-commerce application against breaches.
I covered the essentials of application security in the healthcare sector in my last blog post. Read our next blog post on the importance of application security in the finance sector.