Being a good custodian of your customers’ data is a basic part of running any successful online storefront. Unfortunately, the holidays are a particularly risky time of year for eCommerce security. With all the credit and debit card numbers traveling to and fro, hackers have a smorgasbord of opportunities for data theft.
A 2015 report by IDG notes that not even large, well-funded online retailers are exempt from sophisticated hackers. In the case of Neiman Marcus, a January 2016 data breach affected 5,200 customers.
But data hacks aren’t limited to the big players in online retail. Small eCommerce sites are also at high risk. If your website accepts or stores personally identifiable information like names, addresses, card numbers or passwords, you’re a potential target.
Before we walk through the steps you can take to protect your customers’ data, your online business and your reputation, let’s look at some of the most common hacking ploys.
The hacker playbook
People who make money hacking have an array of tricks they use to worm their way into eCommerce websites like yours. Once they’re in, they’re free to do all sorts of mischief. Here are the most common hacks that compromise eCommerce security:
1. Malware infection
The most common way in is malware. This is an overarching term that covers viruses, worms, Trojan horses, ransomware, spyware and more.
Malware is bad news. It can erase all your data, steal your customer information, infect your site visitors and more. Ensuring you have a plan for 24/7 malware monitoring, scanning and alerts will save you from potential data hacks and business downtime.
Editor’s note: If your site has already been infected with malware, clean it up fast with a tool like GoDaddy’s Express Malware Removal. You’ll get a response within 30 minutes.
2. Distributed Denial of Service (DDoS)
A DDoS attack can crash an eCommerce site by overwhelming it with an onslaught of automated traffic. Also bad news, since your business loses money every second your website is down.
3. Brute force attacks
In a brute force attack, an automated tool cycles through possible password combinations until it finds one that unlocks your website. Once in, hackers can steal data and do a lot of damage to your site.
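One defensive measure that blunts brute-force guessing is to throttle failed logins per account. The Python below is an added example written for this article, not code from the original post or from any GoDaddy product; the user table, the injectable clock and the attempt_login handler are assumptions for illustration.

```python
# Added example (not from the original post): per-account login throttling to
# blunt brute-force password guessing. The user table, clock injection and
# the attempt_login() handler are assumptions for illustration, not any
# particular storefront's code.
import hashlib
import hmac
import os
import time
from collections import deque

PBKDF2_ROUNDS = 100_000


def make_user_table(plain_passwords):
    """Constructed user store: username -> (salt, pbkdf2 hash). Never keep plaintext."""
    table = {}
    for username, password in plain_passwords.items():
        salt = os.urandom(16)
        table[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))
    return table


class LoginThrottle:
    """Lock a key (username, or equally a client IP) after max_failures failed
    logins inside a sliding window; each successive lockout doubles in length."""

    def __init__(self, max_failures=5, window_seconds=300,
                 base_lockout_seconds=60, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.base_lockout = base_lockout_seconds
        self.clock = clock            # injectable so tests can move time forward
        self._failures = {}           # key -> deque of failure timestamps
        self._locked_until = {}       # key -> time the current lockout ends
        self._lock_count = {}         # key -> lockouts so far (drives the backoff)

    def seconds_locked(self, key):
        """0 if key may try to log in, otherwise seconds left in its lockout."""
        return max(0, self._locked_until.get(key, 0) - self.clock())

    def record_failure(self, key):
        """Note a failed login; returns the lockout length applied (0 if none)."""
        now = self.clock()
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        q.append(now)
        if len(q) < self.max_failures:
            return 0
        n = self._lock_count.get(key, 0)
        lockout = min(self.base_lockout * 2 ** n, 24 * 3600)  # cap at one day
        self._locked_until[key] = now + lockout
        self._lock_count[key] = n + 1
        q.clear()
        return lockout

    def record_success(self, key):
        """A correct login clears the failure history for key."""
        for table in (self._failures, self._locked_until, self._lock_count):
            table.pop(key, None)


def attempt_login(throttle, users, username, password):
    """Hypothetical login handler: returns 'locked', 'ok' or 'bad'."""
    if throttle.seconds_locked(username) > 0:
        return "locked"          # refuse without even checking the password
    salt, expected = users.get(username, (b"\0" * 16, b"\0" * 32))
    # Hash even for unknown users so response time does not reveal valid names
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if username in users and hmac.compare_digest(actual, expected):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "bad"


if __name__ == "__main__":
    users = make_user_table({"alice": "correct horse battery staple"})  # constructed
    throttle = LoginThrottle(max_failures=3)
    for guess in ("password", "123456", "letmein", "correct horse battery staple"):
        print(guess, "->", attempt_login(throttle, users, "alice", guess))
```

A few points worth copying: the handler refuses locked accounts before touching the password, hashes the guess even for unknown usernames so response time does not reveal which accounts exist, and doubles the lockout on each repeat. The same throttle can be keyed by client IP as well, which catches guessing spread thinly across many accounts.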
4. SQL injection
Here, a hacker sends malicious data as part of a command or query that tricks your eCommerce site into doing something it shouldn’t, such as handing over your entire customer database.
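The difference between a query that can be hijacked and one that cannot is easiest to see side by side. The Python below is an added example, not code from the original post; the customers table and its rows are constructed, and an in-memory SQLite database stands in for a real store database.

```python
# Added example (not from the original post): the same customer lookup written
# two ways against an in-memory SQLite database. The table and rows are
# constructed for illustration.
import sqlite3


def build_db():
    """Constructed customer table with a few sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "2222"), ("carol@example.com", "3333")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable: the input is spliced into the SQL text, so it can change the query."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened: the driver passes the value separately; it is only ever compared as data."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


def compare(email):
    """Run both lookups on one input; returns (rows from vulnerable, rows from safe)."""
    conn = build_db()
    try:
        return lookup_vulnerable(conn, email), lookup_safe(conn, email)
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("alice@example.com"))
    # Constructed test input that closes the quote and appends an always-true condition
    print(compare("' OR '1'='1"))
```

For a genuine address both functions return the one matching row. For the constructed test input the concatenated query returns every customer, which is exactly the "entire customer database" outcome described above, while the parameterized query returns nothing because the driver treats the whole string as a literal to compare against. The same rule applies to every place an application builds SQL, including raw queries issued through an ORM.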
5. Cross-site scripting (XSS)
Cross-site scripting flaws arise when a site sends user-supplied data to a web browser without validating it first. Hackers use these flaws to draw legitimate shoppers away from a site, costing the eCommerce site business.
6. Zero-day Exploits
This type of attack preys on newly discovered vulnerabilities before a patch is available to protect the site. These are hard to predict, but there are steps you can take to “virtually patch” your site quickly when a zero-day attack is identified.
Improve eCommerce security with these 3 steps
Hackers don’t really care where they get their info — they’re simply looking for data they can sell on the dark web. Here’s how to strengthen your eCommerce security and fight back against those unwanted attacks:
- Invest in a malware scanner.
- Get an SSL certificate.
- Install a Web Application Firewall (WAF).
If you don’t have good measures in place to protect your customers’ data, now’s the time to put them in place. You’ll want your site as secure as possible before the holiday shopping season begins in earnest. Anything you do now will pay off in a more restful, worry-free shopping season for you.
1. Invest in a malware scanner
Hackers look for the tiniest gap in security and use it to take over a website. One of the easiest proactive measures you can take is to get a malware scanner for your eCommerce website. These find and close the gaps hackers use to hijack websites and steal valuable information.
There are many comprehensive malware scanners available — including GoDaddy’s Website Security, powered by Sucuri.
When shopping for website security services, you’ll want to look for providers that:
- Automatically scan your site every day for malware, viruses and other signs of tampering.
- Provide alerts as soon as a problem is found, along with recommended solutions or automatic removal.
- Notify you if your site has been placed on a blacklist.
- Provide regular backups and updates to your site.
- Include a trusted site seal to reassure wary shoppers your website is safe.
2. Get an SSL certificate
An SSL certificate encrypts data as it moves between your system and your customers and is an essential step in securing your site against hackers. Anyone intercepting these exchanges sees only encrypted data, so anything your customer submits to your site (passwords, credit card numbers and other private details) stays protected in transit.
SSL has become so important that Google Chrome now displays a warning when anyone attempts to visit a site that accepts personal information but isn’t protected by a certificate.
Not only does Google favor websites with SSL certificates in search rankings, but consumers are becoming more aware of this and will not want to shop on online stores that don’t have SSL protection. Learn more about choosing the right SSL certificate for your eCommerce store.
3. Install a Web Application Firewall (WAF)
We touched on malware earlier, but let’s talk about how a WAF helps keep it off your site. A WAF is a must-have if you’re serious about eCommerce security.
A cloud-based WAF is a firewall service that screens web traffic in real time, deciding whether each request is normal or malicious. It blocks malicious traffic before it reaches your site while letting legitimate shoppers through.
Its main job is to protect web applications by inspecting the content of incoming requests and looking for typical attacks such as SQL injection, buffer overflows, cross-site scripting (XSS), file inclusion, cookie poisoning, schema poisoning and defacements.
Note: WAF is included with the Express and Deluxe plans of GoDaddy’s Website Security, powered by Sucuri.
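To make the request-screening idea concrete, here is an added Python example (not code from the original post or from Sucuri’s WAF) of a minimal inspector that decodes each request and runs it against a small set of signature rules. The rule set, the double-decode step and the sample requests are all constructed for illustration.

```python
# Added example (not from the original post or Sucuri's product): a minimal
# request inspector of the kind a WAF runs on each incoming request. The rule
# set, the decode step and the sample requests are all constructed for
# illustration.
import re
from urllib.parse import unquote_plus, urlsplit

# Each rule: (name, compiled pattern run against the normalised request)
RULES = [
    ("sqli", re.compile(r"\bunion\b.{0,40}\bselect\b|\bor\b\s*['\"]?\d+['\"]?\s*=\s*['\"]?\d+|;\s*(drop|delete|insert)\b")),
    ("xss", re.compile(r"<\s*script\b|\bon(error|load|click)\s*=|javascript\s*:")),
    ("path_traversal", re.compile(r"\.\./|\.\.\\")),
]


def normalise(request_target):
    """Decode twice (to unwrap double-encoded evasion) and lower-case."""
    text = unquote_plus(unquote_plus(request_target))
    return text.lower()


def inspect(request_target):
    """Return the names of rules matched by a path+query string (empty if clean)."""
    parts = urlsplit(request_target)          # split before decoding, as a server would
    text = normalise(parts.path + "?" + parts.query)
    return [name for name, pattern in RULES if pattern.search(text)]


def decide(request_target):
    """'block' if any rule fires, else 'allow'."""
    return "block" if inspect(request_target) else "allow"


# Constructed sample requests: two genuine searches, three hostile ones
SAMPLE_REQUESTS = [
    "/search?q=winter+boots",
    "/search?q=Scripted+mop+set",
    "/product?id=1%27%20UNION%20SELECT%20email%2Ccard_last4%20FROM%20customers--",
    "/review?text=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "/download?file=..%2F..%2F..%2Fetc%2Fpasswd",
]


def run_samples(requests=SAMPLE_REQUESTS):
    """Return [(request, decision, matched_rules)] for a batch of requests."""
    return [(r, decide(r), inspect(r)) for r in requests]


if __name__ == "__main__":
    for request, decision, rules in run_samples():
        print(f"{decision:5} {rules or '-'} {request}")
```

Run over the sample batch, it allows the two genuine searches (including the one containing the word “Scripted”) and blocks the three hostile requests. The caveat a practitioner would add: signature lists like this miss novel encodings and occasionally flag harmless input, so a WAF is a layer in front of parameterized queries and output encoding in the application, not a replacement for them.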
More best practices for eCommerce security
We’ve covered the most common hacks and shared some key steps to take to keep your site safe during this holiday season (and all year round). Here are some key practices you’ll need to commit to as an online store owner to keep your site as safe as possible.
- When you receive an alert from your website security vendor, act immediately. The alert should come with recommendations for addressing the issue.
- Make sure you respond promptly to alerts for software updates, theme updates, plugin updates and security patches.
- Back up your site weekly, and possibly daily depending on traffic and the frequency of site content updates. This way, if you have a crash, you can quickly restore your site.
- Limit how many people have access to your website network. Only employees who are involved with your website maintenance should have access. You can also control access roles and should give employees only the permissions they need to do their jobs effectively.
May your shopping carts overflow!
We wish you a successful holiday season with online shopping carts overflowing on your eCommerce site. Hopefully, you’ve found this information on eCommerce security helpful. A little planning now can save you the embarrassment and possible liability that comes with a data breach.