With shoppers expected to spend upwards of $3 billion online for the first time ever this year, according to a recent report from Adobe Digital Index, 2015’s Cyber Monday could become the biggest shopping day in online history. If the report is accurate, these predictions represent a growth rate of about 12 percent from last year, when the designated online shopping holiday netted just shy of $2 billion.
“It still is the king of all shopping days online,” said Tamara Gaffney, a principal research analyst with Adobe Digital Index. Overall, she estimates that online retail sales could reach as high as $83 billion in November and December combined; with more than a trillion visits to 4,500 e-commerce websites this holiday season.
While e-commerce isn’t the Wild West it once was in terms of IT security (there are many safeguards in place for consumers sharing personal financial information online – symbolized by that little padlock symbol to the left of a URL), rest assured that hackers are already busy crafting new scams, like pop-ups and malvertising campaigns.
As hackers refine their attacks in time for the biggest online shopping season of the year, e-commerce security experts are being forced to rethink the way retailers do business online, often finding ways of making the process safer, better and smarter now into the future.
The Key Word is Encryption
“One consistently used way to secure e-commerce is to use a strong authentication method for connections and transactions,” said Bruce Snell, cybersecurity and privacy director for Intel Security in Santa Clara, California. “A strong SSL [secure sockets layer] connection goes a long way in protecting against session hijacking and provides consumers with a level of trust that their transactions are secure.” He also said strictly following payment card industry standards can help any organization – big or small – pinpoint the areas they need to protect, which is crucial as these cyber-attacks become more sophisticated.
Since most hacks and data breaches today stem from either an unknown vulnerability or a system that is not current on its patches and security fixes, organizations are at risk of compromise whenever their security software is out of date or simply poorly configured. Snell works in partnership with Intel and McAfee to address these issues with the goal of delivering up-to-date and effective security strategies to a wide range of clients, many of which operate within the retail realm.
“E-commerce sites typically make up a front-end Web server and a back-end database and/or processing server,” Snell said. “When securing these sites, it’s important to implement strict security policies on the servers themselves, as well as on any network defenses put in place.” He advised having an e-commerce front-end server sitting behind a firewall and a network intrusion prevention system (IPS) to guard against outside attacks against Web services. Additionally, a Web server itself should be up to date on OS and application patches, as well as locked down tight with application and change control solutions and host-based IPS. “Any customer data collected should be secured and encrypted,” Snell said.
The industry has come a long way despite some of the most damaging data breaches in recent history (hello, Target). It’s doing much better when it comes to putting good security policies in place compared to even a few years ago. More organizations are spending the proper amount of time on and paying attention to securing their assets.
“However,” Snell said, “we are seeing IT security groups required to protect more assets while not being given the appropriate budgetary and headcount to maintain a high-level of security. You not only need strong protection, you need smart people to implement and manage those protections – and that comes at a price.”
Seek and Destroy Any Weaknesses
Jeannine Gaudreau, information security director and architect at Carbonite in Boston, believes that an improvement in overall technology has made shopping online more secure today than ever. “Obfuscation of credit card data is becoming more pervasive throughout the industry,” said Gaudreau, who spends her time driving risk awareness and employing security processes to minimize cyber-threats for clients worldwide. “Technologies like tokenization and strong encryption render the target information useless to the attacker,” she said. This is good news for both online and brick-and-mortar retailers that have converted to the newest processing systems.
But technology alone won’t curb every type of cyber-attack, which is why following continually evolving regulations matters: they establish ever tighter standards, especially when they’re employed industry-wide. “Continuous or frequent vulnerability scanning of e-commerce applications provides awareness of any weaknesses exploitable by an attacker,” said Gaudreau, who has almost 20 years of experience in information and networking security. “Timely and comprehensive patching of all system components is critical.”
Multi-factor authentication for employee access to sensitive data is highly effective in mitigating the inherent weaknesses of username-and-password authentication, and using a modern hash algorithm to protect stored customer credentials is essential. “Also ensure that deprecated standards, such as SSL 3.0 and certificates signed with SHA1, are no longer in use to facilitate encryption for data in motion,” Gaudreau said. “Replace it with TLS 1.2 and SHA2, respectively.”
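The two points above, stored credentials protected by a modern hash and connections that refuse deprecated SSL/TLS versions, shown as an added example that is not code from the article or any of the companies quoted. It contrasts the legacy unsalted SHA1 pattern with salted scrypt, and builds a client TLS context whose floor is TLS 1.2; the scrypt parameters and the `scrypt$salt$key` record format are assumptions for the illustration.

```python
import hashlib
import hmac
import os
import ssl
from typing import Optional

# Assumed work factor for the illustration: 16 MiB of memory per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def legacy_sha1_hash(password: str) -> str:
    """The deprecated pattern: fast and unsalted, so equal passwords collide
    and precomputed tables apply. Kept only to show what must be retired."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard scrypt. Returns 'scrypt$<salt hex>$<key hex>'."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, salt_hex, key_hex = stored.split("$")
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


def needs_rehash(stored: str) -> bool:
    """Flags legacy records so they can be upgraded on the next successful login."""
    return not stored.startswith("scrypt$")


def client_tls_context() -> ssl.SSLContext:
    """Data in motion: a context that will not negotiate SSL 3.0, TLS 1.0 or 1.1."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```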
Juniper Networks’ Security Chief Technology Officer Kevin Walker said that the industry is also taking important security steps by greatly bolstering the use of content delivery network and cloud-based protections to augment the more traditional inspection approaches.
“Many sources of good telemetry are now available and being leveraged,” said Walker, who was recently named the new CTO of the Sunnyvale, California-based networking company. He’s worked for more than 25 years in the industry at Intuit, Symantec, Veritas and Cisco, and has studied how security protocol has evolved to meet the needs of the ever-evolving online world. During his tenure, he’s come up with a list of tips for IT professionals, rules designed to not only curb cyber-attacks from the start, but to handle attacks when and where they happen.
One of the most important pieces of advice Walker has to give is for professionals to keep a “keen focus on the application stack, and simplifying the interactions laterally between services.” He said that, to positively authenticate and authorize services, the trust model needs to continually improve. “Most organizations do a fairly good job defending the networks,” he said. “However, the applications are still among the most difficult to fully protect. Also, don’t overlook the basics. Most intrusions start with a simple attack.”
Admittedly, data breaches are not unique to the e-commerce world – many may have even become desensitized to the latest news about a breach at their favorite retailer. Society seems to expect that these incidents will happen and to put its blind trust in companies to do their best to prevent it.
Walker said real problems arise when consumers are directly targeted, which has been happening for many years now. Helping consumers protect themselves has become much more of a challenge for companies that operate online. “The thieves know this well and most e-commerce organizations are addressing fraud at many levels rather successfully,” he said. “The industry is addressing the well-known attacks quite well and with a high degree of competency. They are generally improving defenses and reducing the risks within their services and public applications. In my opinion, one area that the industry could improve upon is operational and intelligence sharing.”
More Than Half of Websites Have Been Attacked
More than half of all websites have experienced some sort of security breach in recent years, according to the Ponemon Institute in Traverse City, Michigan. The research firm surveyed hundreds of IT professionals from the business and government worlds and found that as many as half of them had reported some sort of breach in the past two years.
The good news is that security protocols have helped IT professionals not only better prepare for these inevitable attacks, but to deal effectively with breaches when they occur. Networking among peers – as Walker recommended – has also proven effective in mounting a stronger response to these threats across many industries. “In a world of increasingly stealthy and sophisticated cyber-criminals,” the report said, “it is difficult, costly and ineffective to fight online attacks alone. Having the ability to connect and share information about existing and emerging threats could measurably improve an organization’s cyber-defenses.”
Another way to build well-secured websites is to have multiple layers of protection in place to prevent compromises and fraud. According to Karl Sigler, threat intelligence manager at Trustwave in Chicago, “Regular patching to keep website software and plugins up to date is essential. Secure e-commerce sites also typically isolate the system responsible for payment processing from the main website. This prevents vulnerabilities or flaws in the main website from putting your payment processing at risk.”
Sigler, who was one of the security researchers instrumental in identifying “Backoff” point-of-sale malware that impacted more than 1,000 retailers worldwide, said that in addition to the usual controls and methodology mentioned here, e-retailers might also want to consider shoring up their security with Web application firewalls to filter malicious content, as well as use regular Web application penetration tests to probe for vulnerabilities that arise from configuration and coding.
“We still see the same common attacks year after year,” said Sigler, who is focused on the research and analysis of current vulnerabilities, malware and threat trends for the company. He and his team manage an email advisory service and serve as a liaison with the Microsoft MAPP program. His own research has shown that cross-site scripting and structured query language injection vulnerabilities continue to plague e-commerce websites. “Other typical vulnerabilities criminals take advantage of are poor authorization and authentication controls,” he said. “These vulnerabilities allow criminals to access data that should be protected.”
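The two vulnerability classes Sigler names, SQL injection and cross-site scripting, shown as an added example that is not code from the article or from Trustwave: a lookup that splices untrusted input into SQL beside its parameterized form, and an HTML renderer that encodes user content. The in-memory `orders` table and the review markup are constructed for the illustration.

```python
import html
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: two customers, one order each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, email TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "alice@example.com", 42.0), (2, "bob@example.com", 99.5)])
    return conn


def orders_for_email_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # Untrusted input is pasted into the SQL text, so the quoting is under the
    # caller's control: a value containing a quote rewrites the WHERE clause
    # and the query returns rows the caller was never authorized to see.
    sql = f"SELECT id, email, total FROM orders WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def orders_for_email(conn: sqlite3.Connection, email: str) -> list:
    # Parameterized query: the value travels separately from the SQL, so it is
    # only ever compared as data and can never be parsed as part of the statement.
    return conn.execute(
        "SELECT id, email, total FROM orders WHERE email = ?", (email,)
    ).fetchall()


def render_review(author: str, text: str) -> str:
    # Output encoding for an HTML text context: <, >, &, and quotes become
    # entities, so user-supplied content cannot open a tag or an attribute.
    return (f'<p class="review"><b>{html.escape(author)}</b>: '
            f'{html.escape(text)}</p>')
```

A web application firewall, which Sigler also recommends, can filter the obvious probes, but the parameterized query and output encoding are what remove the defect itself.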
Sigler said that even applying the most basic best security practices can go a long way toward securing an e-commerce website from unwanted infiltration. “It seems like the industry is starting to take security more seriously,” he said. “They are including security hardening up front as part of deploying the Web platform, as opposed to applying security as an afterthought after the system has been put into production.”
As online retailing becomes an even more popular method of buying and exchanging goods, hackers will always seek to find new ways to break the system to steal valuable information.
“Criminals will continue to target e-commerce and succeed where shops have left gaps in their security precautions,” said Sigler, who says that hardening an online environment can go a long way towards keeping an e-commerce system from being what he called the “low-hanging fruit.”
Snell agrees, pointing to the unstoppable growth of e-commerce. In fact, he expects to see more than 168 exabytes (or 168 million gigabytes) of IP traffic per month by 2019, most of which will be related to e-commerce.
“This presents a big target for hackers,” he said, “and we expect to see higher demands put on security organizations to keep public facing servers safe.” Snell predicts that fraud will continue to force e-retailers to focus on making sure the transactions that take place on their sites are legitimate. “We should expect to see a rise in multi-factor authentication use as a result,” he said.
How the industry establishes an appropriate risk model and protection strategy will be crucial in the coming years. “I think we’re in for a fun ride,” Walker said. “IoT will certainly become a real disrupter, [what with] automatic replenishment, diagnostics to self-order replacement parts, etc., as well as peer-to-peer commerce becoming viable.” He said the payments model will likely also change and the protection of the financial instruments will have to keep pace. “The current approaches will be taxed greatly.”
Other technologies that are gaining a foothold because of increased online security threats are chip-and-PIN credit cards at the point of sale, which are expected to help secure private banking and financial information. “There will be a shift in focus to card-not-present processors,” said Gaudreau, “which is an inherent part of e-commerce. It will be interesting to see what cybercriminals have up their sleeves to counter this disruption.”
Natalie Hope McDonald is a writer and editor based in Philadelphia.