'Tis the season to be careful: how to protect your ecommerce site during the holidays
The holidays are finally here and while most people will be filling the coming weeks with goodwill and cheer, there’s a subset of society that will be doing exactly the opposite – cybercriminals.
It’s predicted that cybercrime will cost the global economy more than $10.5 trillion every year by 2025 and according to the FBI, attackers are especially active during holiday periods.
Cyberattacks increased in the run up to Mother’s Day Weekend, Memorial Day Weekend and Fourth of July Weekend in 2021.
Now, it’s highly likely the same criminals are upping their efforts in the run up to the winter festive season.
So, in this blog we’ll look at the tactics cybercriminals use to target ecommerce sites at this time of year.
Plus, we’ll suggest a few ways online business owners can protect themselves against common holiday hacks.
5 common types of holiday season cyber attacks
1 – SQL Injection
Structured Query Language (SQL) is a programming language that’s used to retrieve data from databases.
In an SQL Injection attack, hackers find ways to manipulate this language in order to access the sensitive data stored in these databases.
These sorts of attacks can be used to steal everything from customer addresses and passwords to credit card details and gift card numbers and authentication codes.
2 – Zero-day attacks
Sometimes software and plugins come with vulnerabilities and weaknesses.
In a Zero-day attack, a hacker finds out about these vulnerabilities before the software or plugin developer can produce a fix or patch and gets to work exploiting them.
Zero-day attacks often lead to sensitive company or customer data being stolen.
3 – Cookie poisoning
Cookie poising attacks see hackers interfering with website cookies.
Website cookies are pieces of data about browsing behaviour that are passed back and forth between a user’s computer and the servers where the websites they visit are stored.
Hackers can alter, forge and steal cookie data.
On ecommerce sites, cybercriminals can use cookie poisoning techniques to gain access to user accounts.
The can then carry out all sorts of malicious actions, including stealing the sensitive data contained in those accounts and buying items using the account holder’s payment details.
4 – Denial of inventory attacks
In these sorts of attacks, hackers use bots to repeatedly add items of stock to carts in order to make the items unavailable to other customers.
Often, the attackers then ask store owners to pay them to cease their attack.
5 – Brute Force attacks
In Brute Force attacks cybercriminals try to hack into user accounts by repeatedly entering passwords.
They take a systematic approach, entering a logical combination of letters, numbers and characters until they discover the correct password.
8 ways to protect your ecommerce site from a holiday cyberattack
Words like SQL Injection, poisoning and Zero-day can sound intimidating, but there are some simple steps you can take to protect your ecommerce site from attacks.
Here are a few of them…
1 – Get an SSL for your site
Secure Sockets Layers (SSLs) certificates encrypt the data that’s shared between a customer using a browser to interact with a website and the server that the website is based on.
This means that visitors to a website can fill in forms and add payment information that can’t be intercepted by hackers.
SSL certificates come with other benefits, too. They increase customer trust, encouraging more clients to buy from your site.
Sites with SSL certificates also rank better in Google searches.
The good news it, it’s easy to add an SSL certificate to a site. You just need to buy one from a provider and follow a few simple steps to set it up.
At Media Temple prices for SSLs start at just $75 a year.
2 – Invest in a web application firewall
Website application firewalls intercept and scrutinise all traffic on its way to an ecommerce site.
If that traffic is deemed to be suspicious, it is blocked or tested again for authenticity.
Web application firewalls can protect against a variety of cyberattacks including the brute force, cookie poisoning, SQL Injections and Denial of Inventory attacks mentioned above.
3 – Demand these three things from your hosting provider
If you choose the right hosting provider, they will contribute to the security of your site.
Hosting plans like Media Temple’s Managed WordPress Ecommerce package includes daily malware scans.
Plus, the plan comes with daily backups, to protect your site’s data if the worst should happen.
4 – Reduce your attack surface
Whenever you add a new component like a plugin or an extension to your site, you’re adding an extra element that could potentially be exploited.
So, before you add something new to your site ask yourself the following:
- Does my site really need this?
- Does the vendor have a proven plan for addressing vulnerabilities if they happen?
- Does the vendor have a good security record?
It can also be beneficial to carry out a regular audit of your site to see if there are any elements on it that are no longer necessary.
Taking the time to remove these elements could save you trouble in the future.
5 – Ensure your site is PCI Compliant
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.
If you choose to run your ecommerce site using Media Temple’s Managed WordPress Ecommerce Plan, you can rest assured that the plan meets the Payment Card Industry Data Security Standards.
6 – Don’t put off updates
Update alerts can be irritating. However, updates are often released to improve the security levels of a product.
Putting off updates leaves your website open to hackers.
7 – Set up a scan and alert system
For ultimate peace of mind, you can invest in a security monitoring product.
Media Temple offers a Security Pack that will continuously scan your site for everything from malware to SQL injections.
If anything malicious is found on your site, you receive an instant alert through email, SMS or even Slack and a team of experts will get to work purging the threats from your site.
8 – Ensure your customers use strong passwords
Even if you have impeccable cyber hygiene standards, you might still be vulnerable to cyberattacks due to the way your customers behave.
Many online shoppers are guilty of being lazy when it comes to password use. They use passwords that are easy to crack or they use the same passwords for multiple online accounts, for example.
If your ecommerce site is based on WooCommerce, you can add plugins like WPassword, to your site to ensure your customers use strong passwords.
If you don’t want to add an additional plugin to your site, you could feature password hygiene information in your welcome email to clients when they set up a new account.