E-commerce Cyber Security Threats That Companies Should Watch Out For


E-commerce has changed the way people shop: a few clicks from wherever they happen to be. Customers now expect a personalized experience, which has pushed e-commerce retailers to build their own apps so that shoppers can buy conveniently on the go.

As mobile apps have proliferated, so have the threats against them, largely because these apps ship with vulnerabilities: inadequate technical controls in the code itself, and poor security practices on the part of the app owners.

The U.S. Government Accountability Office (GAO) stated that “the number of variants of malicious software aimed at mobile devices has reportedly risen from about 14,000 to 40,000 or about 185% in less than a year.”

Cyber crime is a serious concern for e-commerce retailers, with significant business consequences and bad PR. Retailers should take proactive measures to protect their mobile apps from attackers and to safeguard the personal information that customers leave behind while shopping in the app.

In this post, we’ll look at some e-commerce companies that have been hacked in the past and at the e-commerce cyber security threats that companies should watch out for.

Here Are Some of The Companies That Got Hacked

eBay:

The breach at eBay Inc. was one of the biggest data breaches in history by number of accounts compromised. Around 145 million records were accessed, containing encrypted passwords as well as email addresses, birth dates, mailing addresses and other personal information. The attackers obtained the login credentials of a small number of employees, which gave them access to eBay's corporate network.

Target Corporation:

Some 40 million credit and debit card accounts, plus the personal data of up to 70 million customers, were exposed in the breach at Target Corporation's U.S. stores. The attackers compromised point-of-sale terminals to harvest card data during the busiest shopping season of the year.

Starbucks:

The Starbucks app was hit twice within a few months. Criminals who had obtained customers' Starbucks credentials took over their accounts and abused the app's auto-reload function: each time they spent the stored balance, the app topped it up again from the linked credit card, so they could steal hundreds of dollars from a single victim in a matter of minutes without ever seeing the card number.

Zappos:

Zappos, the e-commerce company owned by Amazon, was the target of a cyber attack that reached its internal network, including the accounts of 24 million of its users. The attackers could access customers’ names, e-mail addresses, phone numbers, mailing addresses, the last four digits of their credit card numbers, and encrypted passwords.


List of E-commerce Cyber Security Threats

1. Unprotected Services

On Android, a service that is exported (explicitly, or implicitly because it declares an intent filter) and is not protected by a permission can be started or bound by any other app on the device. A malicious app can then call the service's methods to extract data or to perform privileged actions on the victim app's behalf.
An exported service should always be guarded by a permission, ideally a signature-level one so that only apps signed with the same key can bind; a service that is used only inside the app should not be exported at all.
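As an added example (not code from the original post or from Appknox), the following Android service shows the two layers of protection. The manifest fragment in the comment is the primary fix; the runtime check inside onTransact is defence in depth, and it works there because Binder.getCallingUid() inside a transaction identifies the remote caller, not the service's own process. The package name, permission name and order ID are assumptions made for the example.

```java
import android.app.Service;
import android.content.Intent;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;

/*
 * Assumed AndroidManifest.xml fragment (package com.example.shop).
 * A signature-level permission attached to the service means only apps
 * signed with the same key as this one can start or bind to it.
 *
 *   <permission android:name="com.example.shop.permission.BIND_ORDER_SERVICE"
 *               android:protectionLevel="signature" />
 *
 *   <service android:name=".OrderService"
 *            android:exported="true"
 *            android:permission="com.example.shop.permission.BIND_ORDER_SERVICE" />
 *
 * Without the android:permission attribute, any app on the device could bind
 * and issue the transaction below.
 */
public class OrderService extends Service {

    // Assumed permission name; must match the manifest declaration above.
    static final String BIND_PERMISSION =
            "com.example.shop.permission.BIND_ORDER_SERVICE";

    // Transaction code a client sends to ask for the last order ID.
    static final int TRANSACTION_LAST_ORDER_ID = IBinder.FIRST_CALL_TRANSACTION;

    private final class OrderBinder extends Binder {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            // Defence in depth: even if the manifest is misconfigured, refuse
            // callers that do not hold the permission. Throws SecurityException.
            enforceCallingPermission(BIND_PERMISSION,
                    "caller lacks " + BIND_PERMISSION);

            if (code == TRANSACTION_LAST_ORDER_ID) {
                // Constructed sample value standing in for real order data.
                reply.writeString("ORD-0001");
                return true;
            }
            return super.onTransact(code, data, reply, flags);
        }
    }

    @Override
    public IBinder onBind(Intent intent) {
        return new OrderBinder();
    }
}
```

Put the check inside the transaction handler rather than in onBind: onBind is invoked by the system on the client's behalf, so a calling-permission check there would not see the client's UID.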

2. Broken Trust Manager For SSL

Android apps that use SSL/TLS for secure communication must verify the server's certificate properly. Basic verification consists of:

  • Verifying that the certificate's subject (CN) or subject alternative name matches the host in the URL
  • Verifying that the certificate chains up to a trusted CA
  • Verifying that each signature in the chain is valid
  • Verifying that the certificate has not expired (and has not been revoked, where the app can check)

Developers can replace the platform's SSL implementation with a custom TrustManager, and many do so to get past self-signed certificates on test servers. Any custom implementation must still perform all of the checks above, and must suit the environment the app is used in. A TrustManager that accepts every chain lets an attacker on the network path present any certificate, so the user's sensitive data leaks through a channel the app believes is secure.

3. Broken hostnameverifier for SSL

The app does not verify that the certificate was issued for the host it is connecting to: a client connecting to example.com will accept a server certificate issued for some-other-domain.com. This check is separate from chain validation, so an app with a correct TrustManager can still be exploitable here.

As a fix, use HttpURLConnection (HttpsURLConnection for TLS) rather than a hand-rolled client, keep its default HostnameVerifier in place, and never install a verifier that returns true unconditionally.
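As an added example covering the broken TrustManager, the broken HostnameVerifier, and the transport-protection point that follows (it is not code from the original post or from Appknox), the class below puts the two vulnerable patterns next to a hardened connection. The hardened path refuses non-https URLs, keeps the platform's hostname check, and pins trust to a CA certificate the app bundles itself; the InputStream for that certificate (for example a raw resource) and the host names are assumptions made for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class TlsExamples {

    // VULNERABLE (section 2): a TrustManager that never throws accepts any
    // chain, self-signed, expired or issued by an attacker.
    static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // VULNERABLE (section 3): a verifier that returns true accepts a valid
    // certificate for some-other-domain.com when connecting to example.com.
    static final HostnameVerifier ALLOW_ALL = new HostnameVerifier() {
        @Override public boolean verify(String hostname, SSLSession session) { return true; }
    };

    // Both weaknesses together: the "TLS" here stops no attacker on the path.
    static HttpsURLConnection openInsecure(String url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_ALL, null);
        HttpsURLConnection c = (HttpsURLConnection) new URL(url).openConnection();
        c.setSSLSocketFactory(ctx.getSocketFactory());
        c.setHostnameVerifier(ALLOW_ALL);
        return c;
    }

    // HARDENED: build an SSLContext whose only trust anchor is the CA the app
    // ships (caPem is assumed to be the PEM-encoded CA, e.g. a raw resource).
    // The platform's TrustManagerFactory then does chain, signature and expiry
    // checks against that single anchor.
    static SSLContext pinnedContext(InputStream caPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(caPem);

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("pinned-ca", ca);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    static HttpsURLConnection openHardened(String url, InputStream caPem) throws Exception {
        URL u = new URL(url);
        // Section 4: never let sensitive data fall back to cleartext.
        if (!"https".equalsIgnoreCase(u.getProtocol())) {
            throw new IOException("refusing cleartext transport for " + url);
        }
        HttpsURLConnection c = (HttpsURLConnection) u.openConnection();
        c.setSSLSocketFactory(pinnedContext(caPem).getSocketFactory());
        // Section 3: keep the platform's hostname check instead of replacing it.
        c.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        return c;
    }
}
```

Pinning to a bundled CA bypasses the device's public CA store entirely, so certificate rotation has to be planned (ship the next CA before the current one expires); if that is not practical, drop the pinning and let the TrustManagerFactory use the platform's default store, which still performs every check listed above.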

4. Insufficient Transport Layer Protection

Insufficient transport layer protection occurs when data travels between the mobile app and the server over an unprotected channel: plain HTTP, or TLS with the certificate checks above disabled. Whether the data goes over the carrier network or Wi-Fi, it crosses the Internet before it reaches the remote server, and anyone positioned on that path (a rogue Wi-Fi access point, a compromised router, a proxy, a fake cell tower) can sniff or modify it in transit.

5. Remote Code Execution through Javascript interface

On API level JELLY_BEAN (16) and below, calling addJavascriptInterface on a WebView that loads untrusted content lets page JavaScript use reflection to reach any public method of the injected object, and from there the Java runtime itself, so whoever controls the page (or the network, if the page is loaded over plain HTTP) can execute arbitrary code in the app's context. On API 17 and above only methods annotated with @JavascriptInterface are exposed to scripts.

Sensitive data and app control should never be reachable from page scripts: load only trusted content over TLS, expose the minimum set of annotated methods, and on the older API levels do not add a JavaScript interface at all.
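As an added example (not code from the original post or from Appknox), the class below shows a bridge object exposed to a WebView in the vulnerable way and in a hardened way. The reflection payload in the comment is the publicly documented technique for reaching the Java runtime through an injected object on API 16 and below; the bridge method, the trusted origin and the suppressed lint IDs are assumptions made for the example.

```java
import android.annotation.SuppressLint;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

public final class WebViewBridge {

    // Object handed to page JavaScript. On API 16 and below EVERY public
    // method (including getClass(), inherited from Object) is reachable from
    // scripts; on API 17+ only methods carrying @JavascriptInterface are.
    public static final class OrderBridge {
        @JavascriptInterface
        public String getCartTotal() {
            return "42.00"; // assumed app method returning a constructed value
        }
    }

    // VULNERABLE: the bridge is added regardless of API level and the page
    // comes from wherever untrustedUrl points (possibly over plain HTTP).
    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    static void loadVulnerable(WebView view, String untrustedUrl) {
        view.getSettings().setJavaScriptEnabled(true);
        view.addJavascriptInterface(new OrderBridge(), "order");
        view.loadUrl(untrustedUrl);
        // On API <= 16 a script in that page (or injected on the wire) can
        // walk from the bridge to java.lang.Runtime by reflection, e.g.:
        //   order.getClass().forName("java.lang.Runtime")
        //        .getMethod("getRuntime", null).invoke(null, null)
        //        .exec(["/system/bin/sh", "-c", "id"]);
        // which runs a shell command as the app's own user.
    }

    // HARDENED: only a known origin over TLS, and no bridge at all on the
    // API levels where the annotation is not enforced.
    @SuppressLint("SetJavaScriptEnabled")
    static void loadHardened(WebView view, String url) {
        // Assumed trusted origin for the example.
        if (!url.startsWith("https://shop.example.com/")) {
            throw new IllegalArgumentException("refusing untrusted origin: " + url);
        }
        view.getSettings().setJavaScriptEnabled(true);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            // API 17+: scripts can call getCartTotal() and nothing else.
            view.addJavascriptInterface(new OrderBridge(), "order");
        }
        // On API <= 16 the page gets no Java object; if the app must talk to
        // the page there, handle a custom URL scheme in a WebViewClient instead.
        view.loadUrl(url);
    }
}
```

The origin check is deliberately a prefix match on the full scheme and host: checking only the host would let an http:// URL through, and an attacker on the network could then inject the payload above into the page.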

6. Phishing

Phishing is a cybercrime in which a target, or a group of targets, is contacted by email, telephone or text message by someone posing as a legitimate institution in order to lure them into handing over sensitive data: personally identifiable information, passwords, banking details and credit card numbers.

The information obtained this way is then used to access accounts, which leads to identity theft in one form or another on top of the obvious financial loss in the e-commerce context.

There are a number of phishing variants: spear-phishing, where specific people or departments are targeted; whaling, which goes after senior people such as CEOs; SMiShing, phishing via text message; and vishing, or voice phishing, where the attacker impersonates a trusted party over the phone.

7. Malware

Malware is software written by criminals with the intent of gaining unauthorized access to, or causing damage to, a computer or network.

Malware injected into web pages, for example through SQL injection into content that the site later renders, gives attackers an easy way to take control of visitors' machines and of your own systems, whether by impersonating the site or by tampering with your databases.

With full access to your systems, attackers can also send malicious emails on your behalf. Tampering with databases is likely to become more common because malware techniques evolve constantly, so your anti-virus and other defenses must evolve with them.

To protect your site against these threats, monitor activity with a firewall, keep the site and its components patched, and store as little sensitive information on the site as possible.

8. Ransomware

In a ransomware attack, the victim receives an innocuous-looking email carrying malware as an attachment or a link, often disguised as an invoice. Opening it runs the ransomware, which encrypts the files on the machine and, frequently, on any network shares it can reach.

Many organizations and users are unaware that they have been infected until they can no longer access their data, or until messages appear on their screens demanding a ransom payment in exchange for a decryption key.

These messages usually include detailed instructions on how the victim is to pay. Because bitcoin offers near-anonymity, it is the preferred mode of ransom payment.

9. E-Skimming

E-skimming is the injection of malicious code into the payment pages of e-commerce websites to steal card data as shoppers enter it. It is a particularly severe risk for e-commerce because the shopper sees a genuine-looking payment page: the skimmer typically arrives through a third-party script or a compromised component of the site, through cross-site scripting, or after a successful phishing attack against site administrators.

The skimmer captures payment details in real time as soon as the customer reaches the payment page. To counter it, keep the site and its third-party components secure and patched, and keep reminding customers not to enter personal details on unverified websites and to check whether a payment page is genuine.

Summary

E-commerce is growing fast, and mobile is a key platform for that growth and reach. Given the amount of sensitive information and the volume of transactions flowing through e-commerce apps, companies must take extra care with application security to avoid incidents that end in bad PR and serious loss of business.

Mobile apps have opened new channels of exploitation for attackers. We recently released an e-commerce report that found high-level vulnerabilities in 84% of the mobile apps tested.


Published on Oct 26, 2015
Hardeep Singh
Written by Hardeep Singh
Outreach Manager @appknox. #ProactiveAlways towards Social Media, Startups and Tech Evangelism.
