How to Secure Your Digital Storefront This Holiday Season
Retailers raked in $188.2 billion in online revenue during the 2020 holiday season, including $10.8 billion on Cyber Monday alone. This was a 32% YoY growth, likely due to limited brick-and-mortar shopping options in the midst of the COVID-19 pandemic. Experts predict this number will grow in 2021, albeit less steeply. And with the holiday shopping season right around the corner, cybercriminals are preparing to take advantage of ill-prepared companies.
A winning holiday strategy for any company with an online presence will be largely defined by its ability to defend its website and mobile apps from bot-driven fraud and client-side attacks like Magecart. However, before a company runs to invest in new bot management and application security tools, it is also important to note that many security solutions with high-friction measures can stifle the shopper experience, increase cart abandonment and drive away customers.
That said, nothing will drive customers away or tarnish brand reputation faster than a massive data breach or carding attack. Striking the balance between application security and a friction-free digital purchasing experience is the goal for all shopping sites. Of course, this is easier said than done. When it comes to holiday readiness, here are a few guidelines that all digital businesses should consider.
How to Stop Bot-driven Fraud: Identifying Good Bot Traffic From Bad
Good bots can help online shoppers find the right gift, improve SEO for websites, advertise items on social media and curate products in storefronts. With more than half of all internet traffic attributed to bots, many of them useful, taking a heavy-handed approach to blocking bots can result in a serious reduction of customer engagement and lost selling opportunities. Selecting a bot management solution that is extremely accurate to identify and separate bad bot activity from good is key. Solutions need to go beyond providing simple functions like configurable allow and deny lists. Advanced policy controls will give forward-thinking digital businesses the edge against competitors that do not have granular control over bot blocking.
Before Cyber Monday, every e-commerce company needs to be able to:
- Identify and categorize useful bot traffic and malicious bot traffic
- Block malicious bots and bot-enabled attacks, such as account takeover (ATO), credit card fraud and web scraping
Stop scalping bots from hoarding inventory during holiday flash-sales and limited offers
Think Beyond reCAPTCHA and Multi-factor Authentication: Keeping the Customer Experience Fluid
Many bot management solutions utilize CAPTCHAs to verify whether or not online shoppers are bots. Unfortunately, CAPTCHAs are slow, inaccurate and interrupt both the login and the checkout process. Many online shoppers find CAPTCHAs frustrating enough to abandon the site completely. Furthermore, sophisticated bots are now able to easily solve most CAPTCHAs, making them obsolete. This time of year, digital businesses need to expect more from their application security and bot management providers.
When it comes to human verification, digital merchants should look for a few key capabilities including:
- Detecting and blocking CAPTCHA-solving bots and services
- Providing alternative human verification techniques that are accurate, user-friendly and work well on smartphones
If your digital storefront does rely on CAPTCHA for any reason, real human users should seldom be subjected to CAPTCHA tests. Work now with your information security counterpart to make sure this is the case.
On a similar note, multi-factor authentication (MFA) also adds frustration to the customer experience. Many consumer-oriented vendors do not force MFA because they want to streamline the user experience, but this leaves their accounts vulnerable unless they have another security solution in place. Think carefully about the use of MFA, perhaps limiting it to high value transactions or those that involve changing key information such as credit card number or delivery address.
To learn more about these threats, read the white paper: The Hidden Threats to Your Website Conversions
Keep your Customers Secure: Use a Behavior-based Approach to Protect Customers' Personal Data
Attackers continue to exploit unpatched and zero-day vulnerabilities in first- and third-party scripts to inject skimming code on websites. It is essential to patch systems and deploy server-side defenses, but it is also clear that continuous, real-time, client-side visibility of script execution is the need of the hour. The increasing threat of client-side attacks is a clear call to action for all e-commerce sites and any site that takes payment information to implement a new approach for securing user data.
This holiday season, every e-commerce company should evaluate the following:
- Verify that the security controls for first-party code work with your Continuous Integration/Continuous Deployment (CI/CD) process.
- Analyze all the third-party code running on your site for vulnerabilities and security risk indicators.
- Consider implementing a solution for client-side attacks that provides full visibility and control of first-, third- and nth-party code running in production.
To learn more about Magecart attacks, and how to stop them, read the recent whitepaper, Magecart Attacks: The Biggest Threat to Online Transactions
Capture Mobile Shoppers: Arm Yourself Against Mobile Security Threats
During the first half of 2021, consumer spending in mobile apps hit a record $64.9 billion worldwide. M-commerce sales are expected to account for 54% of total online sales by the end of the year. Cybercriminals have followed this trend, deploying bots that target APIs used to support mobile storefronts.
Requests coming from native mobile applications will typically have identical characteristics, including the devices and application version. This makes it much harder to distinguish malicious requests from legitimate ones when relying on server side detection only. Traditional bot detection and human verification techniques that largely regard transient IP addresses as bot traffic simply no longer work.
Businesses need to select bot detection solutions that are advanced enough to identify suspicious activity on their mobile apps. As mobile shopping grows, there are three main mobile attack techniques that every merchant should be aware of and plan for, well ahead of Cyber Monday:
- Attackers can call an application’s APIs directly from any IP connection – without having to use the actual app or even a mobile device.
- Attackers can use a genuine application or a hacked version, running on thousands of instances of a mobile device emulator.
- Attackers can hack devices or applications on a device and then take over the application to launch their attack.
For e-commerce companies that interact with mobile customers, read more about blocking bots in the latest report, The Forrester New Wave™: Bot Management, Q1 2020."
Get the Sale: Protect Conversions From Invisible Threats
Cyberattacks to e-commerce businesses are sure to ramp during the holiday shopping season. They threaten your business and consumers on every page of your website, sometimes without you knowing it. Only by understanding the threats across the buyer journey — from scraping on the homepage to skimming at checkout — can you plan to safeguard your customers every step of the way, guiding them seamlessly through the path to purchase.