Top Overlooked Security Risks in eCommerce: Part 1

If you Google “security threats in eCommerce,” you’ll get hit by a deluge of articles and blog posts detailing the most widely talked about risks - malware, ransomware, and so on. But just because this group of “popular kids” is making waves in the world of cybersecurity, doesn’t mean there aren’t sneaky bad actors using more creative methods to get the job done.


Let’s take a look at some threats that are flying under the radar - remember, just because they are not the talk of the town, doesn’t mean they don’t pose a risk to your online business.



Malvertizing

Malvertising, a mashup term coined from “malicious advertising,” applies to advertisements controlled by bad actors. This is an authentic risk to both publishers (you as the eCommerce merchant) and your customers. Generally located within web browsers, these advertisements are loaded with all sorts of malware, scams, and potentially unwanted programs (PUPs). In essence, malvertising utilizes seemingly authentic online advertising to spread malware and other malicious threats by injecting malicious code within digital ads; unfortunately, this requires little to no user interaction on the part of the victim. If interaction is required, tricks like “You’ve won a Target gift card!” are favored by malvertizers such as ScamClub. Conversely, “a drive-by download” doesn’t even necessitate a click; simply loading the page containing the infected ad triggers the malicious activity.


In fact, malvertising may lurk within any inconspicuous advertisement on any website, even sites you may browse daily, such as news or social media portals. Recently, a fraudulent version of the remote desktop application, AnyDesk, appeared on seemingly real ads on Google search results; victims received a trojanized variant of the software. In a twist, the malvertising actually ranked higher on Google than AnyDesk’s own ad campaign. Commonly, the “mal-vertisement” installs a minuscule piece of code, which forwards your computer information to criminal command and control servers. The malevolent server then inspects your computer for information such as software used, and location, and then determines the most fitting malware for you.


As a side note, it’s important to distinguish the difference between malvertising and adware - while malvertising initiates an attack via an ad, adware is utilized to track a user’s online activity in order to present personalized or relevant ads. While all malvertising is considered criminal, many forms of adware are legal and authentic. Adware may be questionable ethically in regard to privacy and security concerns, but it does not allow bad actors to infiltrate a target’s system or peruse their data.


Malvertising is notoriously challenging to detect, both for users and website and business hosts, because of the sheer volume of online ads being created and the rate at which they are circulated. Because of this, it’s difficult for publishers to conduct ad assessment and verification adequately. Because malvertising does not necessarily infect every user, it’s also hard to pinpoint the nefarious presence on your online shop. Still, as an eCommerce merchant, there are steps you can take to protect your customers from malvertisements:

  • Meticulously assess third-party ad networks that will manage the choosing, checking, and running advertisements.

  • Refrain from using either Flash or Javascript in your ads.

  • Scan the ad creatives beforehand to detect malware or malicious code.

  • As an added benefit, work with a security partner to determine the best manner to display ads on your web application.


Inadequate Encryption Practices

While businesses are not neglecting encryption, many merchants are overlooking adequate encryption practices. It’s common to focus on ensuring that data in transit is encrypted, while failing to secure static data, which means you are not receiving the full value of encryption and instead, are left with a false sense of security. Happily, correct encryption is achievable, and it radically decreases your chances of experiencing a data breach. We’ve rounded up a few methods to boost your encryption practice.


Handling encryption key management is paramount to ensure that private data does not end up in the greedy paws of bad actors. Think of it this way - you may install a world-class door and security system at your house, but if you write the passcode to your security system on the whiteboard on your fridge that can easily be seen through the window, well… you may end up with uninvited guests! This means that you should never store your encryption key in your file system, database, or in an app config file.


We recommend encrypting your encryption key itself with a secondary encryption key, called a Key Encryption Key (KEK), which ideally should be stored in a third location. Your KEK can be further secured with a Master Encryption Key and a Master Signing Key. Boost your key security by transferring the key to your app safely, by installing authentication between your app and the key management server, and utilizing delivery via an encrypted connection. We realize this is quite an “encryption inception,” but if it sounds like you’re building a funhouse of mirrors to hide your encryption key, that’s exactly how you want it to appear for bad actors!


On the same topic, make sure to avoid the mistake of using one encryption key for all of your sensitive data; instead, opt to break up your data with different encryption keys for added security. Finally, utilize key rotation - don’t use the same key for the same set of data indefinitely. Yes, these practices complicate everyday processes, but they also complicate things for hackers!


Untrained Employees

A recent joint study by Stanford University and security firm Tessian found that a staggering 88% of data breach incidents were caused by human error; furthermore, the study “Psychology of Human Error” by Tessian confirms that employees are not inclined to expose their own errors for fear of severe judgment by their employer. While the actual percentage of data breaches worldwide may vary by the factors involved in the study conducted, there’s no argument that human error is a major factor in security incidents. This all culminates in a security risk that could occur under your very nose regardless of all the top-notch security measures and tools you have in place. The recent Colonial Pipeline hack was found to have been caused by the theft of a single password - not a complex attack by any means!


That’s why training your staff to understand your security protocols, and what to look out for, is crucial to the safety of your business. Luckily, we’ve written extensively on this topic, as it’s something that we at Lokte are passionate about. Our in-depth article about security education in the workplace takes a deep dive into implementing security measures and creating a culture of cybersecurity within the work space. We also talk about creating security strategy, and the importance of password hygiene and multi-factor authentication. Remember, bad actors look for an easy way in - that is often low-level, untrained employees that have access to sensitive information.


Internet of Things

The term itself may call to mind a Dr. Seuss creature, but unlike a fictional character, the threat that unlikely IoT devices pose is very real. Internet of Things is a description for the billions of physical devices around the world that are all connected to the internet, such as your smart fridge or a lightbulb that you control with your smartphone. When you think of IoT devices, you think of smart accessories, such as an Apple pen, or connected appliances, like a smart TV. However, IoT also encompasses larger items, such as industrial control systems. Indeed, Target’s 2013 data breach began with an attack on their HVAC system.


This is simply a great example that businesses are often oblivious to how new IoT devices outside crucial infrastructure may put them at great risk. This is a critical factor to investigate now that a large portion of the workforce is working from home, where a smart fridge may place corporate data in harm’s way. However, most people are unaware of the risk posed and their home networks are not properly secured; this is a threat that directly impacts their employer. If a bad actor is able to gain entry into your smart fridge, which is on the same network as your laptop, they can easily access your sensitive work data.


Businesses know to secure their infrastructure, but they are often unaware of how home appliances, such as door locks or security cameras, may influence security measures. In 2017, bad actors stole a casino’s list of top patrons by infiltrating the smart thermometer of a fish tank, of all things!


Data encryption, once again, is a great way to address this security threat. Data encryption hinders data visibility in case of unauthorized access or attempted theft. As we mentioned before, it’s often utilized for data in transit, but it’s a fantastic idea to utilize the benefits of encryption for data at rest as well. Data encryption ensures that data privacy is safeguarded, and the risk of a data breach is minimized. It’s a competent form of protection against eavesdropping attacks, a form of attack often used in industrial espionage wherein a bad actor passively gains access to data as it is transmitted on a network. Cryptography is also the number one defensive “weapon of choice” against active eavesdropping, or Man-in-the-Middle attacks, where a bad actor intercepts relevant data and injects new messages between two devices.


Finally, refer to the previous threat - untrained employees. You may have a security protocol for your employees in the office, but make sure you create a separate protocol and security measures for employees working from home.


In Conclusion

To reiterate, just because a security risk isn’t an obvious or widely used one, doesn’t mean it can’t be used against your business and customers. Protect your online shop and customers by staying several steps ahead of the bad guys by reviewing your weak points before they are exploited. Lokte’s Data Breach Monitoring is an efficient way to receive alerts instantly if the tool spots any suspicious activity on your site - read more about our unique tool here.







19 views