How to Secure Your Digital Storefront?
The National Retail Federation (NRF) reports that 83.3 million shoppers spent over $9.4 billion on Cyber Monday in 2019, with $3 billion coming from mobile shoppers alone. Considering that the COVID-19 pandemic has limited brick-and-mortar shopping options for many, it is reasonable to expect online and mobile shopping to grow even more this coming holiday season. Regretfully, it is also likely that cybercriminals will be looking to take advantage of ill-prepared companies this holiday shopping season.
A winning holiday strategy for any company with an online presence will be largely defined by its ability to defend its website and mobile apps from bot-driven fraud, client-side attacks like Magecart, and revenue-impacting browser extensions. However, before a company rushes to invest in new bot management and application security tools, it is also important to note that many security solutions can stifle the shopper experience, increase cart abandonment and drive away customers with high-friction security measures.
That said, nothing will drive customers away or tarnish brand reputation faster than a massive data breach or carding attack. Striking the balance between application security and a friction-free digital shopping experience on Cyber Monday is the goal for every e-commerce business. Of course, this is easier said than done. When it comes to holiday readiness, here are a few guidelines that every digital business should consider.
How to Stop Bot-driven Fraud: Identifying Good Bot Traffic From Bad
Good bots can help online shoppers find the right gift, improve SEO for websites, advertise items on social media and curate products in storefronts. With more than half of all internet traffic attributed to bots, many of them useful, taking a heavy-handed approach to blocking bots can result in a serious reduction of customer engagement and lost selling opportunities. Selecting a bot management solution that is accurate enough to identify and separate bad bot activity from good is key. Solutions need to go beyond providing simple functions like configurable allow lists and deny lists. Advanced policy controls will give forward-thinking digital businesses the edge against competitors that do not have granular control over bot blocking.
Before Cyber Monday, every e-commerce company needs to be able to:
- Identify and categorize useful bot traffic and malicious bot traffic
- Block malicious bots and bot-enabled attacks, such as account takeover (ATO), carding fraud, scalping and web scraping attacks
- Protect against scalping bots during flash-sales and limited offers with a high degree of policy flexibility
Think Beyond reCAPTCHA: Keeping the Customer Experience Fluid
Many bot management solutions utilize CAPTCHAs to verify whether or not online shoppers are bots. Unfortunately, CAPTCHAs are slow, inaccurate and interrupt both the login and the checkout process. Many online shoppers find CAPTCHAs frustrating enough to abandon the site completely. Furthermore, sophisticated bots are now able to easily solve most CAPTCHAs, making them obsolete. This time of year, digital businesses need to expect more from their application security and bot management providers.
When it comes to human verification, digital merchants should look for a few key capabilities:
- Detecting and blocking CAPTCHA-solving bots and services
- Providing alternative human verification techniques that are accurate, user-friendly and work well on smartphones
If your digital storefront does rely on CAPTCHA for any reason, real human users should seldom be subjected to CAPTCHA tests. Work now with your information security counterpart to make sure this is the case.
Keep your Customers Secure: Use a Behavior-based Approach
Attackers continue to exploit unpatched and zero-day vulnerabilities in first- and third-party scripts to inject skimming code on websites. It is essential to patch systems and deploy server-side defenses, but it is also clear that continuous, real-time, client-side visibility of script execution is the need of the hour. The increasing threat of client-side attacks is a clear call to action for all e-commerce sites, and any site that takes payment information, to take a new approach for securing user data.
This holiday season, every e-commerce company should check the following boxes:
- Verify that the security controls for first-party code work with the Continuous Integration/Continuous Deployment (CI/CD) process.
- Consider implementing a solution for client-side attacks that provides full visibility and control of first-, second-, third-, fourth-, and fifth-party code running in production.
- Deploy an application security solution powered by AI and behavioral analysis that analyzes client-side activity signals at runtime. This is the best method of spotting issues and triggering defenses in real time to protect against digital skimming attacks and reduce e-commerce fraud.
To learn more about Magecart attacks, and how to stop them, read the recent whitepaper, Magecart Attacks: The Biggest Threat to Online Transactions.
Capture Mobile Shoppers: Arm Yourself Against Mobile Threats
As mobile shopping grows, there are three main mobile attack techniques that every merchant should be aware of and plan for, well ahead of Cyber Monday:
- Attackers can call an application’s APIs directly from any IP connection – without having to use the actual app or even a mobile device.
- Attackers can use a genuine application or a hacked version, running on thousands of instances of a mobile device emulator.
- Attackers can hack devices or applications on a device and then take over the application to launch their attack.
For e-commerce companies that interact with mobile customers, read more about blocking bots in the latest report, The Forrester New Wave™: Bot Management, Q1 2020.
Get the Sale: Protect Conversions From Invisible Threats
Digital and e-commerce leaders should be aware of invisible threats that eat away at conversion rates and online revenue. The culprit: browser extensions. They inject unwanted coupons, promotions and ads that appear as if they are coming from your site, when in fact they are not. Because they are carried by the shopper's browser, you, the site owner, never see them. In fact, up to 20% of online shoppers who visit a site experience these pop-ups and ads. They redirect shoppers to competitors, display unwanted ads and content, or fraudulently tag user traffic to collect affiliate and referral fees. This leads to increased cart abandonment, lower conversion rates and stolen online revenue.
Going into the holiday season, digital and e-commerce leaders should look for a solution to protect their digital storefront that can:
- Detect coupon pop-ups and ads interacting with their site through a shopper's browser
- Analyze the impact to their site and to their digital KPIs
- Block the ads and pop-ups that disrupt a shopper's experience, hurt conversion rates and eat away at online revenue
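Both the client-side visibility called for in the Magecart section above and the browser-extension injection described in this section come down to the same question: what is being added to the shopper's page at runtime, and did the site put it there? The following is an added example, not code from the original post or from any vendor product, of a minimal in-page integrity monitor that answers that question. It flags script and frame elements whose source origin is outside an approved set (the skimmer shape) and fixed-position elements that the site's own code did not mark (the injected coupon or ad overlay shape). Everything it relies on is constructed for the example: the origins in APPROVED_ORIGINS, the SITE_BASE value, the "/integrity-report" endpoint, and a data-first-party attribute that the storefront's own code is assumed to set on modals it opens itself.

```javascript
// Added example: a small client-side integrity monitor. Not the original post's code
// and not a vendor product; all origins, endpoints and attributes are constructed.

const APPROVED_ORIGINS = new Set([
  "https://shop.example",         // first-party (constructed)
  "https://cdn.shop.example",     // first-party CDN (constructed)
  "https://js.payments.example",  // payment provider (constructed)
]);

const SITE_BASE = "https://shop.example"; // resolves relative src values (constructed)

// Classify a script or frame source URL against the allowlist.
// Inline scripts (no src) are reported because injected skimmers are often inline.
function classifySource(src, approved = APPROVED_ORIGINS) {
  if (!src) return "inline";
  let origin;
  try {
    origin = new URL(src, SITE_BASE).origin;
  } catch {
    return "malformed-src";
  }
  return approved.has(origin) ? "approved" : "unapproved-origin";
}

// Classify one inserted element, described as a plain object so the logic also
// runs outside a browser: { tag, src, id, position, firstParty }.
// Returns null when nothing is worth reporting, otherwise a finding object.
function classifyInsertedNode(node) {
  const tag = (node.tag || "").toUpperCase();
  if (tag === "SCRIPT" || tag === "IFRAME") {
    const verdict = classifySource(node.src);
    if (verdict === "approved") return null;
    return { kind: tag.toLowerCase(), verdict, src: node.src || null };
  }
  // A fixed-position element that the site's own code did not mark is the usual
  // shape of an injected coupon pop-up or ad overlay.
  if (node.position === "fixed" && !node.firstParty) {
    return { kind: "overlay", verdict: "injected-overlay", id: node.id || null };
  }
  return null;
}

// Aggregate findings by verdict so the impact on a page can be measured over time.
function summarizeFindings(findings) {
  const counts = {};
  for (const f of findings) {
    if (!f) continue;
    counts[f.verdict] = (counts[f.verdict] || 0) + 1;
  }
  return counts;
}

// Browser hookup: only runs when a DOM is present. Findings are sent with
// sendBeacon so reporting never blocks the shopper's page.
if (typeof document !== "undefined" && typeof MutationObserver !== "undefined") {
  const observer = new MutationObserver((records) => {
    for (const record of records) {
      for (const n of record.addedNodes) {
        if (n.nodeType !== Node.ELEMENT_NODE) continue;
        const finding = classifyInsertedNode({
          tag: n.tagName,
          src: n.getAttribute("src"),
          id: n.id,
          position: getComputedStyle(n).position,
          firstParty: n.hasAttribute("data-first-party"), // assumed site convention
        });
        if (finding) {
          navigator.sendBeacon("/integrity-report", JSON.stringify(finding));
        }
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
}
```

Load this before any third-party tag so the observer is in place when later scripts run. It complements rather than replaces the browser's own controls: a Content Security Policy script-src directive and Subresource Integrity hashes stop unapproved or altered scripts from executing, while this monitor gives the visibility the article asks for by reporting what was attempted and what an extension injected, which a policy header alone does not record. The origin allowlist is the part that needs maintenance; the CI/CD check mentioned in the Magecart section is a natural place to keep it in sync with the scripts the site actually ships.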
For any business with an online presence, the holidays are going to bring both new and familiar security challenges. Making sure that your digital storefront is secure and optimized from sign-in to checkout is the goal.
To learn more about these threats, read the white paper: The Hidden Threats to Your Website Conversions