The Holiday Season Means Online Shopping: Secure Your Digital Storefront from the Top Cybersecurity Threats

How to Secure Your Digital Storefront This Holiday Season

Retailers raked in $188.2 billion in online revenue during the 2020 holiday season, including $10.8 billion on Cyber Monday alone. This was a 32% YoY growth, likely due to limited brick-and-mortar shopping options in the midst of the COVID-19 pandemic. Experts predict this number will grow in 2021, albeit less steeply. And with the holiday shopping season right around the corner, cybercriminals are preparing to take advantage of ill-prepared companies.

A winning holiday strategy for any company with an online presence will be largely defined by its ability to defend its website and mobile apps from bot-driven fraud and client-side attacks like Magecart. However, before a company runs to invest in new bot management and application security tools, it is also important to note that many security solutions with high-friction measures can stifle the shopper experience, increase cart abandonment and drive away customers.

That said, nothing will drive customers away or tarnish brand reputation faster than a massive data breach or carding attack. Striking the balance between application security and a friction-free digital purchasing experience is the goal for all shopping sites. Of course, this is easier said than done. When it comes to holiday readiness, here are a few guidelines that all digital businesses should consider.

How to Stop Bot-driven Fraud: Identifying Good Bot Traffic From Bad

Good bots can help online shoppers find the right gift, improve SEO for websites, advertise items on social media and curate products in storefronts. With more than half of all internet traffic attributed to bots, many of them useful, taking a heavy-handed approach to blocking bots can result in a serious reduction of customer engagement and lost selling opportunities. Selecting a bot management solution that is extremely accurate to identify and separate bad bot activity from good is key. Solutions need to go beyond providing simple functions like configurable allow and deny lists. Advanced policy controls will give forward-thinking digital businesses the edge against competitors that do not have granular control over bot blocking.

Before Cyber Monday, every e-commerce company needs to be able to:

Stop scalping bots from hoarding inventory during holiday flash-sales and limited offers

Learn How to Beat Bad Bots this Cyber Monday.

Read the E-book

Think Beyond reCAPTCHA and Multi-factor Authentication: Keeping the Customer Experience Fluid

Many bot management solutions utilize CAPTCHAs to verify whether or not online shoppers are bots. Unfortunately, CAPTCHAs are slow, inaccurate and interrupt both the login and the checkout process. Many online shoppers find CAPTCHAs frustrating enough to abandon the site completely. Furthermore, sophisticated bots are now able to easily solve most CAPTCHAs, making them obsolete. This time of year, digital businesses need to expect more from their application security and bot management providers.

When it comes to human verification, digital merchants should look for a few key capabilities including:

If your digital storefront does rely on CAPTCHA for any reason, real human users should seldom be subjected to CAPTCHA tests. Work now with your information security counterpart to make sure this is the case.

On a similar note, multi-factor authentication (MFA) also adds frustration to the customer experience. Many consumer-oriented vendors do not force MFA because they want to streamline the user experience, but this leaves their accounts vulnerable unless they have another security solution in place. Think carefully about the use of MFA, perhaps limiting it to high value transactions or those that involve changing key information such as credit card number or delivery address.

To learn more about these threats, read the white paper: The Hidden Threats to Your Website Conversions

Read the Whitepaper

Keep your Customers Secure: Use a Behavior-based Approach to Protect Customers' Personal Data

Magecart is a type of client-side web skimming attack where vulnerable code is modified or new functionality injected into an e-commerce site in order to steal credit card numbers and other sensitive information. This type of attack has hit nearly 20,000 domains, including well-known brands such as Forbes, Garmin, Procter & Gamble, Claire’s, NutriBullet and even British Airways. By placing malicious JavaScript skimmers on online payment forms, cybercriminals threaten online shoppers and put businesses at risk of violating Europe’s General Data Protection Regulation (GDPR) law and the California Consumer Privacy Act (CCPA).

Attackers continue to exploit unpatched and zero-day vulnerabilities in first- and third-party scripts to inject skimming code on websites. It is essential to patch systems and deploy server-side defenses, but it is also clear that continuous, real-time, client-side visibility of script execution is the need of the hour. The increasing threat of client-side attacks is a clear call to action for all e-commerce sites and any site that takes payment information to implement a new approach for securing user data.

This holiday season, every e-commerce company should evaluate the following:

  • Verify that the security controls for first-party code work with your Continuous Integration/Continuous Deployment (CI/CD) process.
  • Analyze all the third-party code running on your site for vulnerabilities and security risk indicators.
  • Consider implementing a solution for client-side attacks that provides full visibility and control of first-, third- and nth-party code running in production.

To learn more about Magecart attacks, and how to stop them, read the recent whitepaper, Magecart Attacks: The Biggest Threat to Online Transactions

Read the Whitepaper

Capture Mobile Shoppers: Arm Yourself Against Mobile Security Threats

During the first half of 2021, consumer spending in mobile apps hit a record $64.9 billion worldwide. M-commerce sales are expected to account for 54% of total online sales by the end of the year. Cybercriminals have followed this trend, deploying bots that target APIs used to support mobile storefronts.

Requests coming from native mobile applications will typically have identical characteristics, including the devices and application version. This makes it much harder to distinguish malicious requests from legitimate ones when relying on server side detection only. Traditional bot detection and human verification techniques that largely regard transient IP addresses as bot traffic simply no longer work.

Businesses need to select bot detection solutions that are advanced enough to identify suspicious activity on their mobile apps. As mobile shopping grows, there are three main mobile attack techniques that every merchant should be aware of and plan for, well ahead of Cyber Monday:

  • Attackers can call an application’s APIs directly from any IP connection – without having to use the actual app or even a mobile device.
  • Attackers can use a genuine application or a hacked version, running on thousands of instances of a mobile device emulator.
  • Attackers can hack devices or applications on a device and then take over the application to launch their attack.

For e-commerce companies that interact with mobile customers, read more about blocking bots in the latest report, The Forrester New Wave™: Bot Management, Q1 2020."

Read the Report

Get the Sale: Protect Conversions From Invisible Threats

Cyberattacks to e-commerce businesses are sure to ramp during the holiday shopping season. They threaten your business and consumers on every page of your website, sometimes without you knowing it. Only by understanding the threats across the buyer journey — from scraping on the homepage to skimming at checkout — can you plan to safeguard your customers every step of the way, guiding them seamlessly through the path to purchase.

© PerimeterX, Inc. All rights reserved.