Holiday Readiness Guide for E-commerce: Secure Your Digital Storefront this Cyber Monday

How to Secure Your Digital Storefront?

The National Retail Federation (NRF) reports that 83.3 million shoppers spent over $9.4 billion on Cyber Monday in 2019, with $3 billion coming from mobile shoppers alone. Considering that the COVID-19 pandemic has limited brick-and-mortar shopping options for many, it is reasonable to expect online and mobile shopping to grow even more this coming holiday season. Regrettably, it is also likely that cybercriminals will be looking to take advantage of ill-prepared companies this holiday shopping season.

A winning holiday strategy for any company with an online presence will be largely defined by its ability to defend its website and mobile apps from bot-driven fraud, client-side attacks like Magecart and revenue-impacting browser extensions. However, before a company runs to invest in new bot management and application security tools, it is also important to note that many security solutions can stifle the shopper experience, increase cart abandonment and drive away customers with high-friction security measures.

That said, nothing will drive customers away or tarnish brand reputation faster than a massive data breach or carding attack. Striking the balance between application security and a friction-free digital shopping experience on Cyber Monday is the goal for every e-commerce business. Of course, this is easier said than done. When it comes to holiday readiness, here are a few guidelines that every digital business should consider.

How to Stop Bot-driven Fraud: Identifying Good Bot Traffic From Bad

Good bots can help online shoppers find the right gift, improve SEO for websites, advertise items on social media and curate products in storefronts. With more than half of all internet traffic attributed to bots, many of them useful, taking a heavy-handed approach to blocking bots can result in a serious reduction of customer engagement and lost selling opportunities. Selecting a bot management solution that is extremely accurate at identifying and separating bad bot activity from good is key. Solutions need to go beyond providing simple functions like configurable allow lists and deny lists. Advanced policy controls will give forward-thinking digital businesses the edge against competitors that do not have granular control over bot blocking.

Before Cyber Monday, every e-commerce company needs to be able to:


Think Beyond reCAPTCHA: Keeping the Customer Experience Fluid

Many bot management solutions utilize CAPTCHAs to verify whether or not online shoppers are bots. Unfortunately, CAPTCHAs are slow, inaccurate and interrupt both the login and the checkout process. Many online shoppers find CAPTCHAs frustrating enough to abandon the site completely. Furthermore, sophisticated bots are now able to easily solve most CAPTCHAs, making them obsolete. This time of year, digital businesses need to expect more from their application security and bot management providers.

When it comes to human verification, digital merchants should look for a few key capabilities:

  • Detecting and blocking CAPTCHA-solving bots and services
  • Providing alternative human verification techniques that are accurate, user-friendly and work well on smartphones

If your digital storefront does rely on CAPTCHA for any reason, real human users should seldom be subjected to CAPTCHA tests. Work now with your information security counterpart to make sure this is the case.

Keep your Customers Secure: Use a Behavior-based Approach

Magecart is a type of client-side web skimming attack where malicious code is injected into an e-commerce site in order to steal credit card numbers and other payment data. This type of attack has hit nearly 20,000 domains, including some of the world’s best-known brands such as Claire’s, NutriBullet, Forbes, Garmin, Procter & Gamble and even British Airways. By placing malicious JavaScript skimmers on online payment forms, cybercriminals threaten online shoppers and put businesses at risk of violating Europe’s General Data Protection Regulation (GDPR) law and the new California Consumer Privacy Act (CCPA).

Attackers continue to exploit unpatched and zero-day vulnerabilities in first- and third-party scripts to inject skimming code on websites. It is essential to patch systems and deploy server-side defenses, but it is also clear that continuous, real-time, client-side visibility of script execution is the need of the hour. The increasing threat of client-side attacks is a clear call to action for all e-commerce sites, and any site that takes payment information, to take a new approach for securing user data.

This holiday season, every e-commerce company should check the following boxes:

  • Verify that the security controls for first-party code work with the Continuous Integration/Continuous Deployment (CI/CD) process.
  • Consider implementing a solution for client-side attacks that provides full visibility and control of first-, second-, third-, fourth-, and fifth-party code running in production.
  • Deploy an application security solution, powered by AI and behavioral analysis, that analyzes client-side activity signals at runtime. This is the best method of spotting issues and triggering defenses in real time to protect against digital skimming attacks and reduce e-commerce fraud.
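
As an added example (not from the original article or any vendor product), here is a build-time check of the kind the first two items describe: it inventories the scripts on a checkout page and flags any origin outside a reviewed list. The hosts, HTML snapshot and approved list are constructed for illustration.

```javascript
// Added example: CI-time inventory of scripts on a checkout page.
// All hosts, paths and the approved list below are constructed for illustration.
const PAGE_ORIGIN = "https://shop.example";
const APPROVED_ORIGINS = new Set([
  "https://shop.example",      // first-party
  "https://payments.example",  // reviewed payment provider (hypothetical)
]);

// Constructed snapshot of rendered checkout HTML.
const SAMPLE_HTML = `
<html><head>
  <script src="/static/checkout.js"></script>
  <script src="https://payments.example/sdk/v3.js"></script>
  <script src="//cdn-metrics.example/collect.js" async></script>
  <script>window.cartId = "c-123";</script>
</head><body><form id="payment"></form></body></html>`;

// Return one record per <script> tag: resolved URL, origin and party.
function inventoryScripts(html, pageOrigin) {
  const records = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (!srcMatch) {
      records.push({ src: null, origin: pageOrigin, party: "inline" });
      continue;
    }
    // Resolve relative and protocol-relative URLs against the page origin.
    const url = new URL(srcMatch[1], pageOrigin + "/");
    records.push({
      src: url.href,
      origin: url.origin,
      party: url.origin === pageOrigin ? "first" : "third",
    });
  }
  return records;
}

// External scripts whose origin is not on the reviewed list should fail the build.
function findUnapproved(html, pageOrigin, approved) {
  return inventoryScripts(html, pageOrigin)
    .filter((r) => r.party !== "inline" && !approved.has(r.origin));
}

const unapproved = findUnapproved(SAMPLE_HTML, PAGE_ORIGIN, APPROVED_ORIGINS);
console.log(unapproved.map((r) => r.src));
```

A static snapshot only sees scripts present in the markup; scripts that other scripts load at runtime are what the runtime visibility described above is for.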

To learn more about Magecart attacks, and how to stop them, read the recent whitepaper, Magecart Attacks: The Biggest Threat to Online Transactions


Capture Mobile Shoppers: Arm Yourself Against Mobile Threats

According to App Annie, shopping apps reached 14.4 million downloads in the U.S. between March 29th and April 4th. This is a 20% increase from January of 2020, in a period of just one week! By 2021, m-commerce sales are expected to account for 54% of total online sales. Cybercriminals have followed this trend, deploying bots that target APIs used to support mobile storefronts. Mobile SDKs tend to be less capable of identifying and thwarting bots than average desktop JavaScript sensors, potentially making m-commerce shoppers more vulnerable. Businesses need to select bot detection solutions that are advanced enough to identify suspicious activity on their mobile apps. Traditional bot detection and human verification techniques that largely regard transient IP addresses as bot traffic will simply no longer work.

As mobile shopping grows, there are three main mobile attack techniques that every merchant should be aware of and plan for, well ahead of Cyber Monday:

  • Attackers can call an application’s APIs directly from any IP connection – without having to use the actual app or even a mobile device.
  • Attackers can use a genuine application or a hacked version, running on thousands of instances of a mobile device emulator.
  • Attackers can hack devices or applications on a device and then take over the application to launch their attack.

For e-commerce companies that interact with mobile customers, read more about blocking bots in the latest report, The Forrester New Wave™: Bot Management, Q1 2020.


Get the Sale: Protect Conversions From Invisible Threats

Digital and e-commerce leaders should be aware of invisible threats that eat away at conversion rates and online revenue. The culprit: browser extensions. They inject unwanted coupons, promotions and ads that appear as if they are coming from your site, when in fact they are not. Because they are carried by the shopper’s browser, you, the site owner, never see them. In fact, up to 20% of online shoppers who visit a site experience these pop-ups and ads. They redirect shoppers to competitors, display unwanted ads and content, or fraudulently tag user traffic to collect affiliate and referral fees. This leads to increased cart abandonment, lower conversion rates and stolen online revenue.

Going into the holiday season, digital and e-commerce leaders should look for a solution to protect their digital storefront that can:

  • Detect coupon pop-ups and ads interacting with their site through a shopper’s browser
  • Analyze the impact on their site and on their digital KPIs
  • Block the ads and pop-ups that disrupt a shopper’s experience, hurt conversion rates and eat away at online revenue

For any business with an online presence, the holidays are going to bring both new and familiar security challenges. Making sure that your digital storefront is secure and optimized from sign-in to checkout is the goal.

To learn more about these threats, read the white paper: The Hidden Threats to Your Website Conversions

