Retailers aren’t the only ones excited about the holiday earnings this season. Cybercriminals also plan for and exploit this time of year for financial gain. With the increase in traffic and attention focused away from security matters, they know the holiday season brings a bonanza of credit card data and personal information they can sell to the highest bidder. Before the season is upon us, let’s go over a few of the most common ways hackers attack retailers and their customers, and some defenses against them.
Phishing is a method whereby an attacker attempts to exploit a recipient's trust via a specially crafted email. Typically, these are made to look like a legitimate email from a contact, a password reset request, or a purchase receipt. If it looks like something the recipient would expect to see in their inbox, they are more likely to open it and click a link inside. That link could lead to malware or to a fake login page that harvests the recipient’s credentials.
The recipient of a phishing email can protect themselves in a few ways:
- Be wary. Don’t click links in emails when possible. For example, if an email provides a link to a service you use, like a bank, login to the bank directly.
- Keep your device or computer up to date with patches.
- Use antivirus software.
- When offered, take advantage of multi-factor authentication, which will ensure a stolen username and password aren’t enough to compromise your account.
While companies can’t directly protect their customers from phishing attacks, they can do a few things to differentiate their own emails from an attacker’s, and, better still, keep forged mail from reaching their customers in the first place:
- Enable SPF (Sender Policy Framework). SPF lets you publish, in DNS, which IP addresses your email is sent from. As long as the attacker can’t send mail from those IP addresses, their attempts to send “from” you will fail the SPF check and end up buried in the spam folder.
- Enable DKIM (DomainKeys Identified Mail). DKIM is a method whereby your mail server applies a digital signature to each outgoing email, which receivers verify against a public key published in your DNS to confirm the message really came from your domain. As long as the attacker isn’t able to send mail through your mail server (and so can’t sign with your key), their messages will not pass this check.
- Enable DMARC (Domain-based Message Authentication, Reporting and Conformance). DMARC is a way of telling email providers what to do with mail that fails the checks above, and of obtaining reports from them. With DMARC, you can instruct providers like Gmail to deliver only mail that passes the SPF or DKIM checks, and they will let you know whenever a message purportedly from you does not pass them.
- Communicate with your customers. Let them know your policies on password resets and links in emails.
- Offer multi-factor authentication. If your customers get phished, the attackers are less likely to be able to use any credentials they harvest. This isn’t a fool-proof defense against phishing, but it increases the difficulty of the attacker’s task.
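To make the three DNS-based controls concrete, here is an added example (not code from the original post) that evaluates a simplified SPF record for a connecting IP and applies a DMARC policy to the outcome. The domain shop.example, the mail provider _spf.mailprovider.example, the DNS records and the `PLACEHOLDER_PUBLIC_KEY` value are all constructed for the example; the SPF evaluator handles only the ip4, ip6, include and all mechanisms, and the DMARC step assumes strict alignment (the authenticated domain equals the From: domain).

```python
import ipaddress

# Constructed DNS TXT records for the hypothetical domain shop.example and a
# hypothetical bulk-mail provider. The DKIM "p=" value is a placeholder, not a key.
DNS_TXT = {
    "shop.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "mail._domainkey.shop.example": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    "_dmarc.shop.example": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@shop.example",
}

# SPF qualifier prefix -> result when the mechanism it decorates matches
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, txt=DNS_TXT, depth=0):
    """Evaluate the SPF record of `domain` for the IP that delivered the message.

    Supports ip4, ip6, include and all, which covers most retailer records;
    other mechanisms (a, mx, exists, redirect) are skipped rather than guessed.
    """
    if depth > 10:                      # RFC 7208 caps lookups per evaluation
        return "permerror"
    record = txt.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # a bare mechanism means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # strict=False tolerates host bits; an IPv4 address is never "in" an IPv6 network
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include: matches only if the referenced record yields "pass"
            matched = spf_check(term[len("include:"):], sender_ip, txt, depth + 1) == "pass"
        else:
            continue
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # no mechanism matched and no "all" present


def parse_tags(record):
    """Split a 'k=v; k=v' DKIM or DMARC record into a dict of tags."""
    return dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)


def dmarc_disposition(from_domain, spf_result, dkim_passed, txt=DNS_TXT):
    """Decide what a DMARC-enforcing receiver does with a message.

    Assumes strict alignment: the SPF-checked domain and the DKIM signing domain
    equal the From: domain, so either check passing authenticates the message.
    """
    policy = parse_tags(txt.get("_dmarc." + from_domain, "")).get("p", "none")
    if spf_result == "pass" or dkim_passed:
        return "deliver"
    # p=none means "deliver anyway but report", which is how many rollouts begin
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.5"):
        spf = spf_check("shop.example", ip)
        print(ip, spf, "->", dmarc_disposition("shop.example", spf, dkim_passed=False))
```

The third address in the usage block belongs to neither the retailer nor its mail provider, so it hits `-all`, fails SPF, and with `p=reject` the receiver refuses it; the `rua=` tag is where the aggregate reports about such failures are sent, which is how you find out someone is spoofing your domain.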
XSS or “Cross-Site Scripting” is a type of vulnerability typically found in web applications that allow users to submit content. Product reviews, user profiles, comments, and search boxes are UI elements where an attacker may inject malicious code. The targets of these attacks are the site’s users, as the malicious code injected into the site runs in the browsers of those who visit it.
There are two main ways to protect against XSS attacks, plus a mitigation that limits the damage; ideally, all of them should be used:
- The best method of protection is to thoroughly sanitize any data your site accepts from a user, and to encode it as plain text wherever it is rendered, so that the vulnerability doesn’t exist in the first place. Sanitization here refers to taking what the user types and cleaning it of any code that could be used for malicious intent. This can be time-consuming and requires developer expertise.
- Put an application firewall in front of your site. There are a number of these now, such as AWS WAF, or Cloudflare. These aren’t foolproof, but they can provide an added layer of protection relatively quickly.
- Offer multi-factor authentication.
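The sanitization advice above is easiest to see side by side. This added example (not code from the original post) renders a product review two ways: pasting the user’s text straight into HTML, and escaping it with Python’s standard-library `html.escape` at the point of output. The review text, author name and HTML snippet are constructed for the example.

```python
import html

# Constructed sample input: a review whose text and author name carry markup
# and quote characters that must never reach the browser uninterpreted.
SAMPLE_AUTHOR = 'Pat "the boot guy" <pat@example>'
SAMPLE_BODY = "Great boots! <script>alert(1)</script>"


def render_review_unsafe(author, body):
    """Vulnerable: user text is interpolated directly into HTML, so any tags it
    carries become part of the page and any quote breaks out of the attribute."""
    return f'<div class="review" data-author="{author}"><b>{author}</b>: {body}</div>'


def render_review_safe(author, body):
    """Hardened: every user-supplied value is HTML-escaped where it is rendered.

    html.escape converts <, >, & and (with quote=True, the default) both quote
    characters, which is the right encoding for HTML text and for values placed
    inside a quoted attribute. JavaScript, CSS and URL contexts need their own
    encoders; this helper is not safe for those.
    """
    safe_author = html.escape(author)
    safe_body = html.escape(body)
    return f'<div class="review" data-author="{safe_author}"><b>{safe_author}</b>: {safe_body}</div>'


def contains_live_script(rendered):
    """Simple check used to compare the two renderers: does a real <script tag
    survive in the output?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unsafe:", render_review_unsafe(SAMPLE_AUTHOR, SAMPLE_BODY))
    print("safe:  ", render_review_safe(SAMPLE_AUTHOR, SAMPLE_BODY))
```

Escaping on output rather than on input is what keeps this robust: the stored review stays exactly what the customer typed (useful for moderation and for non-HTML uses), while every place that renders it makes the browser treat it as text. A templating engine with auto-escaping enabled does the same thing by default, and an application firewall in front of the site, as the next bullet describes, adds a second layer that does not depend on every developer remembering to escape.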
SQLi or “SQL injection” is similar to XSS in that the attacker exploits poor input sanitization, but unlike XSS, the target here is the database backend of the website. The attacker needs only to find an input on the site where data can be submitted to the database without being sanitized first. This weak point is typically any form on the site that reads from or writes to the database, such as a login box or contact form. Suppose the data submitted by a form is not properly sanitized. In that case, a specially crafted string could allow the attacker to retrieve any information from the database, delete database content, or even drop the entire database.
- Like XSS, the best protection here is to thoroughly sanitize any data your site accepts, such as user-submitted information or data provided by a third party, and to pass it to the database as a query parameter rather than building the query text from it.
- Put an application firewall in front of your site.
- Have good database backups so that if this happens, at least they can’t destroy your data.
- Offer multi-factor authentication.
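As an added example (not code from the original post), the login-box case described above is shown against an in-memory SQLite database, first with the query built by string formatting and then with the same query parameterized. The account, the stored hash and the injected email value are constructed for the example; SHA-256 stands in for a proper password hash so the block stays short.

```python
import hashlib
import sqlite3


def digest(password):
    """Simplified password hash for the example; real code uses a slow, salted hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_db():
    """Constructed in-memory user table with a single account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice@shop.example', ?)", (digest("correct horse"),))
    db.commit()
    return db


def login_unsafe(db, email, password):
    """Vulnerable: the submitted email is pasted into the SQL text, so a quote
    character in it ends the string literal and the rest of the input becomes SQL."""
    query = ("SELECT id FROM users WHERE email = '%s' AND password_hash = '%s'"
             % (email, digest(password)))
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, email, password):
    """Hardened: placeholders keep the statement structure fixed; the driver sends
    the values separately, so they can only ever be compared as data."""
    query = "SELECT id FROM users WHERE email = ? AND password_hash = ?"
    row = db.execute(query, (email, digest(password))).fetchone()
    return row[0] if row else None


# Constructed malicious input: the quote closes the email literal and "--" turns
# the password comparison into a comment, so the vulnerable query matches by email alone.
INJECTED_EMAIL = "alice@shop.example' --"

if __name__ == "__main__":
    db = build_db()
    print("unsafe, injected email, wrong password ->", login_unsafe(db, INJECTED_EMAIL, "wrong"))
    print("safe,   injected email, wrong password ->", login_safe(db, INJECTED_EMAIL, "wrong"))
    print("safe,   real credentials               ->", login_safe(db, "alice@shop.example", "correct horse"))
```

With the parameterized version the injected string is simply an email address that no account has, so the lookup returns nothing. The remaining bullets above still matter even with parameterized queries everywhere: running the web application under a database account that can only read and write the tables it needs (and cannot drop them) bounds what any injection that slips through can do, and tested backups are what let you recover if content is deleted anyway.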
You may have noticed that multi-factor authentication appears as a mitigation technique for each of these attacks. The point of multi-factor authentication (sometimes called 2FA or 2SV) is that even if an attacker uses any of the methods above to steal credentials, they will be unable to use them alone to log in to a customer account. Securing a site against all forms of intrusion can be very difficult, if not impossible. Even if a site is entirely secure itself, a customer could be phished, or another website where they use the same login credentials could be hacked. Multi-factor authentication creates an additional layer of defense against attacks that are outside our ability to control.
By protecting your website from these common hacker methods, your brand will be on its way to creating a more secure ecommerce site for your customers to shop confidently this holiday season.