Data is one of your eCommerce business’s most valuable assets. But it’s not only valuable to your business. It’s also valuable to criminals, who use personal data for identity theft and credit card numbers to commit fraud. Over the last few months, several major eCommerce retailers and many smaller stores were targeted by Magecart, a criminal group primarily focused on scraping credit card numbers.
Magecart is the most prominent attacker targeting eCommerce stores, but far from the only one. eCommerce store owners should be alert to the risk of data theft and know how to fight it.
Store owners fighting this type of data leak should focus on preventing the attacker from injecting malicious code in the first place.
Keep software up-to-date. Attackers frequently exploit vulnerabilities in outdated software. If an attacker can compromise an eCommerce store via a known vulnerability in the operating system, utility software, or the store itself, they will inject malicious code, which will run in shoppers’ browsers. Updating promptly closes those known vulnerabilities before they can be used against you.
Ensure the database is only accessible via the web store. Database misconfiguration is a common source of data leaks. An eCommerce store’s database should only respond to requests from the application, not to requests from the internet. It should also be password protected, so that the network restriction is not the only barrier against unauthorized access.
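Two quick checks for the point above, as an added example that is not part of the original post: the first parses the output of `ss -ltn` (a constructed sample is embedded) and flags database ports bound to a non-loopback address; the second takes user/host pairs as they would come from MySQL's `mysql.user` table (also constructed) and flags accounts allowed to connect from any host. The port list and the host rules are assumptions chosen for the example.

```python
# Audit helpers for a store database that should only be reachable
# from the application on the same host. Added example; not the
# original post's code.

# Assumption: these are the database ports we care about.
DB_PORTS = {3306, 5432}

# Local addresses that mean "this host only".
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample of `ss -ltn` output for illustration.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       80      0.0.0.0:3306         0.0.0.0:*
LISTEN  0       244     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       128     [::]:80              [::]:*
"""

# Constructed sample of rows from: SELECT user, host FROM mysql.user;
SAMPLE_DB_USERS = [
    ("root", "localhost"),
    ("store", "127.0.0.1"),
    ("store", "%"),          # reachable from any host: flagged
    ("reporting", "10.0.0.%"),
]


def exposed_db_listeners(ss_output, db_ports=DB_PORTS):
    """Return (address, port) pairs for DB ports not bound to loopback."""
    exposed = []
    for line in ss_output.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) < 4:
            continue
        local = cols[3]
        host, _, port_str = local.rpartition(":")  # handles [::]:3306 too
        if not port_str.isdigit():
            continue
        port = int(port_str)
        if port in db_ports and host not in LOOPBACK:
            exposed.append((host, port))
    return exposed


def wildcard_db_accounts(user_rows):
    """Return 'user'@'host' strings for accounts that accept any source host."""
    flagged = []
    for user, host in user_rows:
        # A bare '%' (or empty host) lets the account log in from anywhere;
        # a partial wildcard like '10.0.0.%' is narrower and not flagged here.
        if host in ("%", ""):
            flagged.append(f"'{user}'@'{host}'")
    return flagged


if __name__ == "__main__":
    for host, port in exposed_db_listeners(SAMPLE_SS_OUTPUT):
        print(f"database port {port} is listening on {host}; bind it to 127.0.0.1")
    for account in wildcard_db_accounts(SAMPLE_DB_USERS):
        print(f"{account} can connect from any host; restrict it to the app host")
```

On a real server the `ss` output would come from `subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout`, and the user rows from a read-only query against the database; the logic is the same.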
Use a web application firewall such as ModSecurity. A web application firewall can mitigate the risk of attacks against a store’s front-end, including SQL injection attacks and cross-site scripting attacks. Hostdedi uses the advanced ModSecurity WAF on Magento and WooCommerce hosting accounts. To learn more, check out our post on Why ModSecurity Should Be Your Web Application Firewall.
Use two-factor authentication on your Magento or WooCommerce store. The easiest way for an attacker to breach a store’s defenses is to guess the right password. Simple passwords, popular passwords, and passwords based on dictionary words are easy to guess. Long and complex passwords are difficult to guess, and the longer they are, the more difficult it becomes. However, we can’t always trust users (or even developers) to choose a long and random password. Two-factor authentication, as provided by Hostdedi’s Sentry extension for Magento, helps to protect stores from poor password practices.
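The time-based one-time password scheme that authenticator apps use for the second factor is small enough to show in full. The following is an added example, not code from the post or from the Sentry extension: an RFC 6238 TOTP generator and a verifier with a one-step clock tolerance and replay protection, using only the Python standard library. The secret below is the RFC 6238 test secret, so the codes can be checked against the published vectors.

```python
# Minimal TOTP (RFC 6238) on top of HOTP (RFC 4226), standard library only.
# Added example; not the original post's code.
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30      # time step used by common authenticator apps
DIGITS = 6

# RFC 6238 test secret (ASCII "12345678901234567890"), used for the demo.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float = None,
                last_counter: int = -1, window: int = 1,
                step: int = STEP_SECONDS, digits: int = DIGITS):
    """Return the matched counter, or None if the code is not acceptable.

    Accepts codes from `window` steps on either side of the current step to
    tolerate clock drift, and rejects any counter <= last_counter so that a
    code that has already been used cannot be replayed. The caller stores
    the returned counter as the new last_counter for that user.
    """
    if at_time is None:
        at_time = time.time()
    current = int(at_time) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        # constant-time comparison so timing does not leak matching digits
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def new_secret() -> str:
    """Fresh 160-bit secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


if __name__ == "__main__":
    print("code at T=59:", totp(DEMO_SECRET, 59))            # 287082 per RFC 6238
    print("fresh provisioning secret:", new_secret())
```

The `last_counter` argument is what keeps a captured code from being reused inside the acceptance window; an extension that stores per-user state would persist it alongside the secret.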
Disable unused store and server passwords. Unused accounts serve no purpose and only enlarge the attack surface of a store. Audit the user accounts on your store and server, deleting those you no longer need. On a related matter, when giving an employee or third party access to your store, use a unique account created for that purpose. Once they no longer need access, delete the account.
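A small account audit for the server side of that advice, as an added example that is not from the original post: it reads `/etc/passwd`-style lines (a constructed sample is embedded), keeps only accounts with an interactive shell, and flags any that are not on an approved list or have not logged in within a chosen number of days. The last-login data, the approved list and the 90-day threshold are assumptions for the example; on a real host the last-login figures would come from `lastlog` or `last`.

```python
# Flag interactive server accounts that are not approved or have gone idle.
# Added example; not the original post's code.

# Constructed /etc/passwd-style sample.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
contractor:x:1002:1002::/home/contractor:/bin/bash
olddev:x:1003:1003::/home/olddev:/bin/zsh
"""

# Constructed: days since each account's last login (absent = never).
SAMPLE_LAST_LOGIN_DAYS = {"root": 2, "deploy": 1, "contractor": 120}

# Assumption: the accounts the store owner has deliberately kept.
APPROVED_ACCOUNTS = {"root", "deploy"}

# Shells that mean "this account cannot log in interactively".
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def interactive_accounts(passwd_text):
    """Return usernames from passwd lines whose shell permits a login."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue                      # skip malformed or blank lines
        name, shell = fields[0], fields[6]
        if shell and shell not in NON_LOGIN_SHELLS:
            users.append(name)
    return users


def accounts_to_review(passwd_text, last_login_days, approved,
                       max_idle_days=90):
    """Return (user, reason) pairs for interactive accounts worth removing."""
    findings = []
    for user in interactive_accounts(passwd_text):
        if user not in approved:
            findings.append((user, "not on the approved account list"))
            continue
        idle = last_login_days.get(user)
        if idle is None:
            findings.append((user, "approved but has never logged in"))
        elif idle > max_idle_days:
            findings.append((user, f"approved but idle for {idle} days"))
    return findings


if __name__ == "__main__":
    for user, reason in accounts_to_review(SAMPLE_PASSWD,
                                           SAMPLE_LAST_LOGIN_DAYS,
                                           APPROVED_ACCOUNTS):
        print(f"{user}: {reason}")
```

Run against the real file with `accounts_to_review(open("/etc/passwd").read(), ...)`; the findings are a review list, and the actual removal stays a deliberate step (`userdel`, or disabling the store-side account) rather than something the script does on its own.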
If attackers can’t infect your store with malicious code, they can’t steal your shoppers’ details or credit card numbers. By following a few security best practices, you substantially reduce the risk of data theft.