Ecommerce Cybersecurity
The global cost of e-commerce fraud in 2023 is predicted to amount to $48B (Juniper Research, 2021).
An estimated 3% of e-commerce attacks, costing $6B, bypass security measures each year (DUE).
Online shopping is continuing its upward trend, after gaining a significant boost during the Covid-19 pandemic. The following statistics, reported by SellerCommerce, illustrate this:
More than 2.7 billion people, the equivalent of over 33% of the world’s population, shop online, and 34% do so at least once a week. They are free to choose from more than 26.6 million online stores operating globally; more than half of online shoppers turn to international sites. E-commerce sales are expected to exceed $6.3 trillion in 2024, with 20.1% of retail purchases taking place online, and are projected to reach 22.6% by 2027.
With e-commerce so prevalent, and with its wealth of sensitive customer data, including personal information, credit card numbers, and financial details, it is no wonder that cybercriminals are increasingly targeting e-commerce businesses. This data, if stolen, can be sold on the dark web and used to commit identity theft and launch phishing campaigns. Even one successful attack can yield millions of records.
Customer trust and loyalty are essential to a thriving e-commerce business. The loss of sensitive data as a result of a security breach damages that trust and results in financial loss to the business and, potentially, to the customer as well.
Furthermore, e-commerce businesses are required to operate in full compliance with data protection laws and regulations. Failure to do so places them at risk of heavy penalties.
The main laws and regulations applicable to e-commerce businesses serving customers in the USA and Europe are:
- The European General Data Protection Regulation (GDPR), which governs the collection, storage and processing of data, and is considered by many as setting a global standard. In general terms, the GDPR deals with data protection, and is relevant to e-commerce businesses in light of the vast amount of sensitive information they hold. One of its main principles is that personal data must be processed “lawfully, fairly, and transparently.” This means that e-commerce businesses are obligated to collect such information only after having received the informed consent of the users, and must also give users the option of requesting that the personal data the business has collected about them be deleted.
Noncompliance with the GDPR can result in devastating penalties that are potentially lethal to an e-commerce business: up to €20 million, or 4% of global annual turnover, whichever is higher.
- The California Consumer Privacy Act of 2018 (CCPA), which gives consumers more control over the personal information that businesses collect about them, and the CCPA regulations, which provide guidance on the law’s implementation. The law applies to any business that collects personal information from California residents, has 100,000 or more customers and has a minimum of $25 million in annual gross revenue. It includes:
- Consumers’ right to know about the personal information a business collects about them and how it is used and shared
- The right to delete personal information collected from them (with some exceptions)
- The right to opt out of the sale or sharing of their personal information, and
- The right to non-discrimination for exercising their CCPA rights.
A later amendment added new privacy protections, which came into effect on January 1, 2023, including:
- The right to correct inaccurate personal information that a business has about consumers, and
- The right to limit the use and disclosure of sensitive personal information collected about them.
Civil penalties of up to $7,500 per violation can be imposed on businesses found to have intentionally violated the CCPA. The maximum fine for other violations is $2,500 per violation.
To operate successfully, the e-commerce sector must overcome a variety of threats:
- Malware – which includes software used to breach a targeted organization’s system, steal sensitive data, cause disruption, inject viruses, etc.
- Phishing and social engineering attacks – phishing attacks are becoming increasingly sophisticated, more personalized, and harder for untrained persons to identify. A new and concerning trend is vishing, or voice phishing, in which the perpetrators use deepfake technology to impersonate a member of the company and trick employees into disclosing sensitive information.
- Credential stuffing – in this type of attack, cybercriminals use stolen account credentials to access user accounts. The risk is amplified when the criminals use bots to try these credentials against the e-commerce sites of other businesses as well.
- Magecart attack – in which malicious JavaScript-based code is injected into the e-commerce website’s checkout page with the aim of stealing valuable information, for example, customers’ credentials and billing addresses. Magecart attacks are considered particularly severe for e-commerce businesses.
- Distributed Denial of Service (DDoS) – in which a targeted website is overwhelmed with fake traffic, making access for legitimate users impossible.
- Application Programming Interface (API) abuse – the exploitation of APIs by cybercriminals impairs not only the user experience, but also the security of the platform and the protection of data.
- Exploitation of Internet of Things (IoT) vulnerabilities – following the introduction of wearable devices and other IoT devices, consumers now interact with e-commerce platforms differently than before. If these devices are not sufficiently secure, they are vulnerable to hacking.
- Supply chain attacks – as e-commerce businesses rely on external providers for a variety of services, security gaps in the providers’ systems also place the e-commerce business itself at risk.
- Insider threats – authorized users who are in fact malicious actors. These can be, for example, employees who feel that they are being treated unfairly or have been unfairly terminated (and whose login credentials have not been removed from the system). They bear a grudge and are out to exact revenge and/or line their pockets. Malicious insiders might also be motivated purely by financial gain, accessing the system to steal sensitive data such as trade secrets, client names or marketing plans at the request of well-paying competitors.
- Cryptojacking – cybercriminals are increasingly targeting e-commerce websites to carry out cryptojacking attacks, in which they inject malicious code in order to covertly use the victims’ computing power to generate cryptocurrency.
ACID helps e-commerce businesses maintain business continuity, preserve their customers’ trust and build customer loyalty.
Clusters of robots are deployed and sophisticated algorithms implemented to continuously monitor the dark web and numerous additional sources in order to detect signs of impending attacks while still in their planning stage, attacks that are in progress, and leaked data indicating a breach.
Client-specific keywords are used, and the relevant languages are chosen, to provide optimal results. Once a threat is detected, ACID sends real-time alerts to the targeted e-commerce business, enabling it to implement countermeasures that diminish the effects of the attack. In some cases, the real-time alerts and precise information enable the targeted business to thwart the attack before it is actually launched.