Overcoming security issues in e-Commerce

All e-commerce websites face the challenge of trying to prevent security issues from arising whilst also having procedures in place to deal with issues when they do arise. Cyber crime is constantly evolving and as the technology gets more sophisticated, so too do the criminals.

Choosing a secure e-commerce platform

Most e-commerce sites today are built upon platforms such as Magento, OpenCart, WooCommerce and Shopify. Open source solutions (such as WooCommerce and OpenCart) come with more risk than hosted solutions such as Shopify simply because with an open source solution you must host the site yourself on your own server and configure it from scratch. With Shopify, hosting and configuration have been optimised with security, speed and user experience in mind.

Although a hosted solution such as Shopify comes at a greater cost, it also offers greater peace of mind in that Shopify have a team of experts constantly improving security and implementing many of the proactive security measures we’ll talk about below.

Identity Theft

Identity theft happens when a hacker gains access to someone’s personal information and poses as that person without their knowledge or permission. Online, it usually comes in the form of phishing scams, which involve tricking people into handing over personal information.

For example, a hacker may set up a fake PayPal site and send an email to someone posing as PayPal, encouraging the target to click on a link in the email. When the user clicks the link and accesses the fake PayPal page, they may enter login details thinking that the fake site is in fact genuine. Once login details are entered, the hacker has the user’s username and password for PayPal and can then log in to the real PayPal site to transfer funds out of the target’s account.

In order to combat identity theft, an e-commerce site should have multi-factor authentication available (which makes phishing attacks much more difficult), and staff should never give out personal information or passwords to customers over the phone or by email without first verifying who they’re talking to. Verification typically involves some personal information (e.g. date of birth and address) and security questions (such as mother’s maiden name), and companies will often send a text message to the customer’s phone with a verification code. These techniques all help to reduce the threat of identity theft.

SSL / TLS / HTTPS protocols

A secure, encrypted connection for any e-commerce website is critical not only to prevent data from being intercepted or accessed by unauthorised people but also to build trust and confidence between the customer and the business.

TLS (Transport Layer Security) is a protocol used to encrypt data for secure transmission. An e-commerce business can purchase a TLS certificate which contains information about the business and is used to verify that the web site is legitimate and is what it purports to be. The server’s host name, the issue and expiry times, and the public key for the web server are some of the many details contained within the certificate, all of which help to add an extra layer of security and peace of mind for customers and the business.

DDoS / Spam

Distributed denial of service (DDoS) attacks are a common form of malicious hacking in which multiple systems flood a network to bring the network down or take a website offline.

Preventing DDoS attacks from occurring can be difficult, as the first challenge is to identify rapid incoming traffic as malicious. Not all spikes in traffic will be malicious, so systems need to be put in place to distinguish between malicious and legitimate traffic.

Cloudflare provide a cloud-based solution which actively tries to mitigate the threat of DDoS. If Cloudflare detects suspicious activity from a certain address, they won’t block that user, but will instead ask the user to confirm they’re human before being able to view the live site.

Strong Passwords and Login Rules

Having strict password policies in place helps to prevent unauthorised people from accessing accounts. Having varying levels of roles with different privileges also restricts access to critical parts of the site.

Site admins should not only have strong passwords but also have two-factor authentication enabled, meaning that they need both a regular password and a randomly generated password from a physical device. That combination is virtually impossible to guess or crack, as a hacker needs access to the physical device in order to log in to the site.

Logins can also be restricted to certain IP ranges and to certain times. It’s also best practice to automatically block login access for a short duration if there have been multiple failed login attempts within a short period of time. For example, if there have been 20 failed login attempts in 60 seconds from the same IP address, that could be considered suspicious activity as it could be a robot randomly generating passwords.
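One way to implement the rule above, shown as an added example rather than code from any of the platforms discussed. The 20-failures-in-60-seconds threshold comes from the text; the class name, the 300-second block duration and the sample IP addresses are assumptions.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window counter of failed logins per source IP."""

    def __init__(self, max_failures=20, window=60.0, lockout=300.0):
        self.max_failures = max_failures  # threshold from the text
        self.window = window              # seconds, from the text
        self.lockout = lockout            # seconds; assumed "short duration"
        self._failures = defaultdict(deque)
        self._blocked_until = {}

    def is_blocked(self, ip: str, now: float) -> bool:
        """Call before checking credentials; True means refuse the attempt."""
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]  # block expired
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Record one failed login; True if this failure triggers a block."""
        attempts = self._failures[ip]
        attempts.append(now)
        # Drop failures that have aged out of the window.
        while attempts and attempts[0] <= now - self.window:
            attempts.popleft()
        if len(attempts) >= self.max_failures:
            self._blocked_until[ip] = now + self.lockout
            attempts.clear()
            return True
        return False
    # Successful logins deliberately do not reset the counter: otherwise an
    # attacker holding one valid account could interleave good logins to
    # keep guessing other passwords from the same address indefinitely.


if __name__ == "__main__":
    throttle = LoginThrottle()
    ip = "203.0.113.7"  # constructed sample address (documentation range)
    for second in range(20):  # one failed attempt per second
        tripped = throttle.record_failure(ip, float(second))
    print("blocked after burst:", tripped, throttle.is_blocked(ip, 20.0))
```

Keeping the window state per IP in memory suits a single server; a site running several web servers would need shared storage for the same counters.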