Online stores filled with consumer data are undoubtedly a tasty morsel for hackers. On the occasion of Safer Internet Day, celebrated on February 8, we asked Tomek, Strix's e-commerce systems security specialist, what threatens the industry from online criminals and how to take care of store security.
What are the most common attacks on e-commerce?
We can divide e-commerce attacks into two groups. The first includes attacks against systems. In the second group we find attacks against users, i.e. the customers of online stores. E-commerce is not a particular category that is more vulnerable to attacks. But it is important to remember that one of the main motivations of cybercriminals is money, which makes e-commerce vulnerable to, for example, financial fraud, i.e. using stolen data to make in-store purchases. However, if we look at the statistics, according to the OWASP ranking in 2021 the most popular category of attacks was so-called broken access control, which is a situation in which a user gains permission to use resources they should not have access to.
What does this type of attack look like in practice?
Let's assume that as a customer of a store we have a gift card. After logging into our account we should see only our own card and its current status. A broken access control flaw means that user A can view the content and data of user B's card. Not only does this lead to data leakage, but the attacker also gains the possibility to use the card and make purchases with it. Such an attack can be massive and cause large losses to the business.
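To illustrate the gift-card case described above, here is an added example (not code from the interview or from Strix): a minimal lookup layer with the broken-access-control version next to the corrected one. The data, the `GiftCard` type and the function names are assumptions constructed for this example.

```python
# Added example: gift-card lookup, vulnerable vs. fixed (constructed data).
from dataclasses import dataclass
from typing import Optional


@dataclass
class GiftCard:
    card_id: int
    owner: str      # account the card belongs to
    balance: float


# Constructed sample data: two customers, one card each.
CARDS = {
    101: GiftCard(101, "user_a", 50.0),
    102: GiftCard(102, "user_b", 120.0),
}


class Forbidden(Exception):
    """Raised when a caller requests a resource they do not own."""


def lookup_card_vulnerable(current_user: str, card_id: int) -> Optional[GiftCard]:
    # Broken access control: the card is fetched by id alone, so any logged-in
    # user who guesses or increments the id can read (and spend) another
    # customer's card. current_user is accepted but never checked.
    return CARDS.get(card_id)


def lookup_card_fixed(current_user: str, card_id: int) -> GiftCard:
    # Fix: the authorisation decision is made server-side against the
    # authenticated identity, never against anything the client supplies.
    card = CARDS.get(card_id)
    if card is None or card.owner != current_user:
        # Same response for "missing" and "not yours", so the API does not
        # confirm that another customer's card id exists.
        raise Forbidden("card not found or not accessible")
    return card


def redeem(current_user: str, card_id: int, amount: float) -> float:
    """Spend from a card and return the new balance; uses the fixed lookup."""
    card = lookup_card_fixed(current_user, card_id)
    if amount <= 0 or amount > card.balance:
        raise ValueError("invalid amount")
    card.balance -= amount
    return card.balance
```

Detection of the vulnerable pattern is straightforward in review: any handler that loads a resource by client-supplied id and never compares an owner field against the session identity.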
What other attacks on systems can we distinguish?
An example of such an attack is DDoS, a distributed denial-of-service attack. It consists in a large number of requests flowing simultaneously to a given system from many IP addresses. In such a situation the system either loads slowly or we lose all access to it, so customers cannot buy in our store. Recently, attacks using malware, e.g. from the ransomware category, have also become popular. Such software infects a particular system and encrypts the files on it, blocking work. To get out of this situation, if you are badly prepared, you sometimes even have to pay a ransom.
A large group of attacks consists of those related to the use of so-called vulnerabilities.
These are attacks that exploit previously published vulnerabilities of a given system. The common cause in such cases is unfortunately human error or a lack of awareness about threats, because malware is distributed via emails in which attackers place a link that redirects the victim further. Once the link is clicked and the machine is infected, the malware can spread to other computers on the network. Often such an attack is precisely targeted, so the message does not go to just any employee but, for example, to the system administrator. Then the effectiveness of such an attack is much higher and its consequences are more serious.
And what do attacks directly on shoppers consist in?
The most common malicious activity is phishing. It is a situation in which store users receive emails or text messages saying that an additional fee must be paid for an order. Such messages contain links that redirect customers to a system that deceptively resembles the store's payment gateway. The main goal of the attackers is to obtain bank details. A moment of inattention leads to the account owner losing a certain amount of money, and sometimes their entire life savings.
How can store owners take care of the security of their systems?
The basic thing is to keep the system and all the applications that are part of it updated, and to use antivirus and firewall software that filters out attack attempts. The second important thing is to educate employees about security. I mean all employees, including developers. Developers should consider security issues while coding and scan their code for vulnerabilities. The third issue is regular testing. As long as we do not know that our e-commerce system is vulnerable, we think that we are not in danger. However, only regular tests allow us to determine the level of security of the e-commerce system.
At Strix you are responsible for conducting tests for our customers. What is your job in terms of e-commerce security?
Security in IT can be divided into two fronts: blue and red. As you can guess, red stands for attack and blue for protection and monitoring. In my work I think like a hacker: I try to break business logic and find gaps in functionality, but let's make it clear, I work for the benefit of the projects I deal with. On a daily basis I look for system vulnerabilities, that is, weaknesses that could be used against a given company. I prepare scenarios and recommendations on how to fix such vulnerabilities. I also follow the guidelines of the OWASP organization, which creates standards for web application security.
And what are your daily ways to stay safe while shopping online?
The first thing I always check is the encryption of the site. I look to see whether a padlock is visible next to the website address. Right now it's not hard to have SSL, but if a site doesn't use encrypted protocols, I definitely won't buy anything there. I also won't buy where payment systems I don't know are used. Apart from that, I do what every shopper should do: I read reviews from other users who have previously gone through the purchase path in a given place and check whether they encountered any threats.