How to secure your e-commerce business
Alain Penel, regional vice president – Middle East, Fortinet: It is time for e-commerce businesses to review how they are securing their web storefront
Significant social events are usually a catalyst for new threats to emerge – there are always evil people looking to exploit others during times of crisis – and the current situation is no different. And because people will be using their credit cards to make even more online purchases, attackers are looking for ways to intercept transactions, spread malware, and access databases filled with customer data. It’s also time for e-commerce businesses to review how they’re securing their web storefront.
First, your website code needs to be tested to ensure that it is not vulnerable to attacks that allow skimming software to be injected into your site. Second, you need a solution like a web application firewall (WAF) that can monitor and prevent injection attacks. And finally, you can use your WAF to monitor outbound traffic to detect and block traffic returning to the cybercriminals’ command and control (C&C or C2) server.
Passwords are often another weak link in any security strategy, and cybercriminals primarily use three tactics to breach a customer’s account looking for financial information or a vulnerable link back into the internal database.
Brute Force attacks. In this strategy, criminals test multiple passwords, often from a modified dictionary or other source, against a single account hoping the account owner used an easy-to-guess password. Algorithms allow password cracker software to combine words, add common replacements (a zero for the letter O, a 3 for an E, etc.), and use combinations of personal data gleaned from the dark web or social media sites, such as the names of your family or pets, your graduation dates and birthday, etc.
Password Spraying is very similar, except rather than using multiple password attempts against a single account, hackers use common passwords against a large number of accounts looking for that one weak link. This attack exploits a common flaw in password software that allows an attacker to target multiple accounts simultaneously, using usernames pulled off the dark web or other sources.
Credential Stuffing is a little more complicated. It uses a two-step process. First, it accesses the literally billions of stolen accounts and passwords available on the dark web and collects known username and password pairs, known as combolists. It then counts on users to make a very common – and very dangerous – mistake: they reuse their username and password on multiple accounts. Hackers then simply use their combolists to attempt to log in to the targeted website by using dev tools to run combolists against a login URL.
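As an added illustration of how a defender can tell these three tactics apart in authentication logs (example code, not from the article or from any Fortinet product), the heuristic below groups failed logins by source address: repeated failures against one account suggest brute force, one or two failures each across many existing accounts suggest spraying, and a flood of usernames the site has never seen suggests a combolist being replayed. The log format, the sample lines and the thresholds are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not taken from the article).
# Assumed format: "<timestamp> src=<ip> user=<account> result=<ok|bad_password|unknown_user>"
LOG_LINES = (
    # one source hammering a single account with many guesses
    [f"2024-04-01T10:00:{i:02d} src=198.51.100.7 user=alice result=bad_password" for i in range(12)]
    # one source trying a common password once against many real accounts
    + [f"2024-04-01T10:05:{i:02d} src=203.0.113.9 user=user{i:02d} result=bad_password" for i in range(15)]
    # one source replaying a combolist: most usernames do not exist on this site
    + [f"2024-04-01T10:10:{i:02d} src=192.0.2.44 user=cust{i:03d} result=unknown_user" for i in range(20)]
    + ["2024-04-01T10:11:00 src=192.0.2.44 user=bob result=bad_password"]
    # a legitimate login, which must not be flagged
    + ["2024-04-01T10:12:00 src=10.0.0.5 user=carol result=ok"]
)

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def classify_sources(lines, per_account_limit=10, spray_accounts=10, stuffing_unknown_ratio=0.5):
    """Return {source_ip: tactic} for every source whose failed logins match one pattern.

    Thresholds are illustrative; tune them to the site's real traffic and lockout policy.
    """
    failures = defaultdict(lambda: defaultdict(list))  # src -> user -> [result, ...]
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["result"] == "ok":
            continue  # malformed line or successful login: nothing to count
        failures[m["src"]][m["user"]].append(m["result"])

    verdicts = {}
    for src, per_user in failures.items():
        total = sum(len(r) for r in per_user.values())
        unknown = sum(r.count("unknown_user") for r in per_user.values())
        if any(len(r) >= per_account_limit for r in per_user.values()):
            verdicts[src] = "brute_force"  # many guesses against one account
        elif len(per_user) >= spray_accounts and unknown / total >= stuffing_unknown_ratio:
            verdicts[src] = "credential_stuffing"  # many accounts this site has never seen
        elif len(per_user) >= spray_accounts:
            verdicts[src] = "password_spraying"  # few guesses each, spread over many accounts
    return verdicts


if __name__ == "__main__":
    for src, tactic in classify_sources(LOG_LINES).items():
        print(f"{src}: {tactic}")
```

Per-account lockout alone catches only the first case; the other two verdicts depend on counting distinct accounts per source, which is why the page recommends a WAF with bot mitigation in front of the login endpoint.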
Web Application Firewalls
E-commerce website owners must ensure that their website and shopping cart are updated and patched, and install a WAF solution that uses a comprehensive approach for protecting web applications, including IP reputation, DDoS protection, protocol validation, application attack signatures, bot mitigation, injection prevention, tampering detection, and more.
Advanced WAF solutions also leverage machine learning to automatically build and maintain a model of normal user behavior to identify both benign and malicious application traffic without time-consuming manual application learning.