How To Prevent Data Leaks On Your eCommerce Store

Data is one of your eCommerce business’s most valuable assets. But it’s not only valuable to your business. It’s also valuable to criminals, who use personal data for identity theft and credit card numbers to commit fraud. Over the last few months, several major eCommerce retailers and many smaller stores were targeted by Magecart, a criminal group primarily focused on scraping credit card numbers.

Magecart is the most prominent victimizer of eCommerce stores, but they are far from the only one. eCommerce store owners should be alert to the risk of data theft and know how to fight it.

Attackers like Magecart rely on malware injected into an eCommerce store’s pages. Malicious JavaScript code grabs credit card numbers as they are entered into forms and sends them to servers owned by the attacker, a typical cross-site scripting (XSS) attack. Cross-site scripting attacks only work if attackers can execute JavaScript in the context of a store’s pages. They use several strategies to inject JavaScript, all of which depend on flaws in the store’s security.

Store owners fighting this type of data leak should focus on preventing the attacker from injecting malicious code in the first place.

Keep software up-to-date. Attackers frequently exploit vulnerabilities in older software. If an attacker can compromise an eCommerce store via a known vulnerability in the operating system, utility software, or the store itself, they will inject malicious code, which will run in shoppers’ browsers. Updating fixes known vulnerabilities.

Ensure the database is only accessible via the web store. Database misconfiguration is a common source of data leaks. An eCommerce store’s database should only respond to requests from the application, not to requests from the internet. It should be password protected to prevent any access from unauthorized individuals.

Use a web application firewall such as ModSecurity. A web application firewall can mitigate the risk of attacks against a store’s front-end, including SQL injection attacks and cross-site scripting attacks. Hostdedi uses the advanced ModSecurity WAF on Magento and WooCommerce hosting accounts. To learn more, check out our post on Why ModSecurity Should Be Your Web Application Firewall.

Use two-factor authentication on your Magento or WooCommerce store. The easiest way for an attacker to breach a store’s defenses is to guess the right password. Simple passwords, popular passwords, and passwords based on dictionary words are easy to guess. Long and complex passwords are difficult to guess, and the longer they are, the more difficult it becomes. However, we can’t always trust users (or even developers) to choose a long and random password. Two-factor authentication, as provided by Hostdedi’s Sentry extension for Magento, helps to protect stores from poor password practices.

Disable unused store and server accounts. Unused accounts serve no purpose and increase the surface area of a store that can be attacked. Audit the user accounts on your store and server, deleting those you no longer need. On a related matter, when giving an employee or third party access to your store, use a unique account created for the purpose. Once they no longer need access, delete the account.

Be aware of supply-chain attacks. The Magecart malware often finds its way onto eCommerce stores via a supply-chain attack. Instead of attacking stores directly, criminals target software used by stores: JavaScript libraries, extensions, themes, and so on. When the eCommerce store is updated, the compromised software is installed and the malicious code injected. Supply-chain attacks are difficult to defend against, but store owners should exercise caution when sourcing software. Use extensions from official repositories or trusted developers. Keep an eye on vulnerability reports for software downloaded from third-party sources, such as CDNs or GitHub. Consider implementing Content Security Policy and Subresource Integrity on your store.

If attackers can’t infect your store with malicious code, they can’t steal your shoppers’ details or credit card numbers. By following a few security best practices, you substantially reduce the risk of data theft.
