In 2017, global online crime generated $1.5 trillion. To put that statistic in context, global eCommerce sales in 2016 totaled around $1.8 trillion. Both of those figures can be challenged and neither is likely to be entirely accurate, but it is clear that online crime is a huge, sophisticated, and professional industry. Much of that industry’s attention is focused on eCommerce retailers.
Anyone who runs an online retail store will find themselves a target sooner or later. By some estimates, 90% of login attempts to eCommerce stores are fraudulent. According to a recent study, about half of all website visitors are bots and around a third are there to attack your site. ThreatMetrix reported a billion bot attacks and 210 million attempted fraud attacks in the first quarter of this year.
But what do criminals gain from their focus on eCommerce stores? In reality, it’s much the same as they get from any site – resources, data, and traffic – but the specifics of eCommerce mean that online stores have a richer vein of those assets to mine.
Online retail stores have access to a lot of data about their customers. That includes names, addresses, and other data that can be used for identity theft.
Of course, the most valuable data is credit card numbers, and those are not often stored in eCommerce databases. One of the reasons retailers use payment processors is so that they don’t have to deal with the burdensome standards and risks associated with credit card data.
But if an attacker can compromise a site and inject code of their own, the sensitive data that shoppers enter can be transmitted to a server under the attacker’s control. This is called credit card skimming. We have recently seen a massive series of skimming campaigns against Magento and other eCommerce stores.
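A store owner can look for injected code of this kind by auditing where a checkout page loads scripts from and where its forms post. The following is an added example, not code from the original article; the host names, the allowlist and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this store intentionally loads code from or posts to.
ALLOWED_HOSTS = {"shop.example", "js.payments.example"}

class OriginAudit(HTMLParser):
    """Collect every script source and form target found in a page."""
    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.refs.append(("script", a["src"]))
        elif tag == "form" and a.get("action"):
            self.refs.append(("form", a["action"]))

def unexpected_origins(html, page_host, allowed=ALLOWED_HOSTS):
    """Return (tag, host) pairs whose host is not on the allowlist."""
    audit = OriginAudit()
    audit.feed(html)
    findings = []
    for tag, url in audit.refs:
        # Relative URLs have no hostname and resolve to the page's own host.
        host = (urlparse(url).hostname or page_host).lower()
        if host not in allowed:
            findings.append((tag, host))
    return findings

# Constructed sample: a checkout page with one script from an unlisted host.
SAMPLE = """
<html><body>
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v2/sdk.js"></script>
<script src="//cdn.unlisted.example/analytics.js"></script>
<form action="https://shop.example/checkout/submit" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, host in unexpected_origins(SAMPLE, "shop.example"):
        print(f"unexpected {tag} origin: {host}")
```

This reads only the static markup of a page, so inline scripts and scripts added at run time need a separate check.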
Traffic is valuable
Retailers spend a lot of money on marketing to bring people to their store. That traffic is a valuable resource that a criminal would otherwise have to generate themselves. We’ve already discussed credit card skimming, but criminals also want access to traffic so that they can redirect visitors to phishing websites, malware websites, spam pages, and a variety of other malicious content.
Server resources and bandwidth
No legitimate hosting provider wants to sell bandwidth and server resources to criminals, so criminals have to get them elsewhere. eCommerce stores are often hosted on high-end servers with a decent chunk of low-latency bandwidth at their disposal. That makes them a good target for spammers and botnet operators who need the bandwidth.
Another resource criminals are interested in is less tangible: your reputation. This can be exploited in a number of ways. For instance, SEO spammers embed links on your store’s pages to the malicious sites they want to boost in search engine results. It’s your reputation that causes shoppers to entrust their data to you in the first place. And it’s your reputation that will be destroyed if your store leaks sensitive data, hosts credit card skimmers, or infects shoppers with ransomware.
Combating Online Crime
Online security for eCommerce stores is a complex topic, but there are several things you can do to reduce the likelihood that your store will be victimized.
- Update your store and its extensions regularly. The importance of this is hard to overstate. Out-of-date stores are vulnerable.
- Make sure all plugins and extensions are downloaded from reputable sources.
- Use two-factor authentication. This will help prevent successful brute-force attacks.
- Choose your hosting wisely. If you don’t choose a competent hosting provider that cares about security, there’s little you can do to ensure that your store stays safe.
There is no silver bullet for eCommerce security, but these four simple tips will keep your store safe from opportunistic attacks by criminals in search of weaker sites to exploit.