Earlier this year, security researchers discovered a data dump that contained the details of over 6 billion compromised accounts. Among the records were almost 800 million individual email addresses and 21 million unique passwords. The data dump was a composite collection that included data leaked from over 300 different websites, including ecommerce stores.
Last year, Marriott disclosed a breach that exposed more than 5 million unencrypted passport numbers, Exactis left a database of over 340 million records of personal information publicly accessible, MyFitnessPal leaked 150 million accounts including email addresses and hashed passwords, and that's just the tip of the iceberg.
All of these were big multinational companies, and you might be thinking that a small or medium ecommerce store doesn't face the same threats. However, most data breaches do, in fact, involve small businesses. The scanners and bots that carry out attacks, including the Magecart card-skimming campaigns, are global and automated; they probe every site they can reach and don't care how big the business behind it is. If your ecommerce business stores private data online, it's at risk of a data breach.
The good news is that by following security best practices it’s possible to mitigate most of the risk. A well-secured store is unlikely to be hacked, but if it is, it is unlikely to leak any useful data. Let’s take a look at some of the security precautions you can implement to reduce the chances of your ecommerce store becoming a data breach statistic.
You Can’t Leak Data That You Don’t Have
The first rule of data security is this: if you don’t need to store a piece of data, then don’t store it. That goes double for potentially sensitive personal data. Some data is essential to an ecommerce business: names, addresses, and possibly phone numbers. But ecommerce retailers should think long and hard before storing more than that.
Credit card numbers in particular should be treated as if they were toxic. In 2019, it shouldn't need to be said, but, if you're running an ecommerce store, don't store credit card numbers. It's more efficient and less risky to outsource payment processing to a third party, and if you do that, you don't need the credit card numbers. Prefer an integration in which the card number never touches your server at all (a hosted payment page, or a payment iframe or tokenized fields supplied by the processor); that keeps the data out of your database, your logs, and your backups, and it also shrinks the part of your system that falls under PCI DSS.
Large payment processors invest millions of dollars and hire some of the smartest programmers in the world to protect their data. It’s unlikely that any but the largest ecommerce retailers have the resources and expertise to match the big payment processors, and anything less is just asking for trouble.
It's tempting to see data as an asset that might prove useful in the future, but you should also think of data as a liability. If you don't need it, delete it, and set a retention period for the data you do need so that old orders and abandoned accounts don't accumulate indefinitely.
Keep Your Ecommerce Store Updated
In the last few months, a cross-site scripting vulnerability was discovered in WordPress, an SQL injection vulnerability was discovered in Magento, and many vulnerabilities were discovered in plugins or extensions for both. The fact that these applications had vulnerabilities isn’t unusual; it’s a normal and expected part of the software development process. Software has bugs, and some bugs create vulnerabilities.
More important than the existence of vulnerabilities is that they're discovered and fixed quickly. The Magento and WordPress projects respond promptly to reported vulnerabilities, releasing patches to fix the buggy code. But if store owners don't update, the vulnerabilities are never fixed on their store, and once a patch is public, attackers can read it to work out what it fixes and scan for stores that haven't applied it. Because vulnerabilities are to be expected, any store that isn't updated regularly is at risk of a data breach. Subscribe to the security announcements for your platform and for every extension you run, and apply security patches promptly rather than waiting for the next major release.
Don’t Let Malware in by the Backdoor
When most of us think about how stores are compromised, we imagine attackers or their bots guessing usernames and passwords, searching for weak points in the store’s front-end through which code can be injected, or conducting social engineering attacks that trick administrators into granting them access. But there is another type of attack that doesn’t focus on the ecommerce store itself, but on the trusted libraries, scripts, and CDNs that have free rein to inject code.
When a library or plugin is used on thousands of sites, the servers that host it are a tempting target. Criminals only have to breach one server, and their code will automatically be distributed to thousands of sites.
Supply chain attacks have increased over the past couple of years. Magecart groups compromised many ecommerce stores by first compromising third-party scripts and extensions that the stores trusted and loaded or updated automatically; the skimmer code then ran on every checkout page that included the script. Note that a script running in your checkout page has full access to everything the shopper types into it, so it can capture card numbers in the browser even if your server never stores them. Be careful which software you install, keep the number of third-party scripts on checkout pages to a minimum, and pay attention to security news relevant to your ecommerce application.
Use a Web Application Firewall
In an ideal world, there would be no vulnerabilities for attackers to exploit, but the web and the software we expose to it are not ideal. As mentioned earlier, software often contains vulnerabilities. We update to remove vulnerabilities, but there is another approach: we can stop web requests that contain attacks from ever reaching the ecommerce application. That’s the job of a web application firewall (WAF).
A WAF recognizes patterns that match malicious requests, such as the type of request that contains an SQL injection attack. Suspected malicious requests are rejected before they reach Magento or WooCommerce. ModSecurity is one of the most widely used web application firewalls, and there are also application-specific firewalls available for WordPress (WooCommerce), Magento, and other ecommerce applications. Two caveats: a WAF only blocks what its rules recognize, so it buys time until you patch rather than replacing patching, and a badly tuned rule set will block legitimate shoppers, so run new rules in detection-only mode against real traffic before turning on blocking.
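As an added example (not configuration from the article or from the ModSecurity project), here is a minimal ModSecurity rule file for an ecommerce site. It assumes Apache with mod_security2 and the OWASP Core Rule Set installed under /etc/modsecurity/crs; the admin path /admin and the office address range 203.0.113.0/24 are placeholders.

```apache
# Added example (not from the article): minimal ModSecurity 2.x configuration for
# an ecommerce store. Assumes Apache with mod_security2 and the OWASP Core Rule
# Set (CRS) installed under /etc/modsecurity/crs.
SecRuleEngine On
SecRequestBodyAccess On

# While tuning, use DetectionOnly instead of On: requests are logged but not
# blocked, so you can find false positives before shoppers hit them.
# SecRuleEngine DetectionOnly

# Load the CRS: generic signatures for SQL injection, XSS, file inclusion, etc.
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf

# Site-specific rules. Rule IDs 1-99999 are reserved for local use; CRS uses 900000+.

# Reject requests whose parameters, parameter names or cookies contain SQL
# injection, using the libinjection-based @detectSQLi operator.
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES "@detectSQLi" \
    "id:1001,phase:2,deny,status:403,log,msg:'SQL injection attempt'"

# Same approach for cross-site scripting payloads in parameters.
SecRule ARGS "@detectXSS" \
    "id:1002,phase:2,deny,status:403,log,msg:'XSS attempt'"

# Restrict the store's admin panel (placeholder path /admin) to an assumed
# office range (203.0.113.0/24). Chained rule: deny only when both match.
SecRule REQUEST_URI "@beginsWith /admin" \
    "id:1003,phase:1,chain,deny,status:403,log,msg:'Admin access from untrusted IP'"
    SecRule REMOTE_ADDR "!@ipMatch 203.0.113.0/24"
```

Checkout and search pages often trigger CRS false positives (addresses with apostrophes, product descriptions containing markup), so expect to add exclusions for specific parameters on those paths rather than lowering the paranoia level globally.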
Choose a Secure Web Hosting Provider
An ecommerce application sits at the top of a mountain of software and hardware managed by a web hosting provider. A store owner can follow all of the suggestions we have made, but their store may still be vulnerable if their hosting provider doesn’t take their responsibilities seriously. An attacker doesn’t have to find a vulnerability in the store if they can find one in the operating system, database, or web server the store relies on.
Before committing your store to a hosting provider, investigate its security track record and ask its customer service representatives what precautions it takes to keep ecommerce sites safe: how quickly it patches the operating system, web server, and database; whether customers on shared servers are isolated from one another; how backups are taken and tested; and whether it can support PCI DSS compliance. The best ecommerce hosting providers are committed to client security. The worst are interested in taking your money and will cut you loose when something goes wrong.
Take the time to assess your hosting options and make security a priority, or your store may be on next year’s list of data breach statistics.
About the Author:
Graeme Caldwell - Graeme is a writer and content marketer at Nexcess, a global provider of hosting services, who has a knack for making tech-heavy topics interesting and engaging to all readers. His articles have been featured on top publications across the net, from TechCrunch to TemplateMonster. For more content, visit the Nexcess blog and give them a follow at @nexcess.
- Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.