365Retail talks to Ramil Khantimirov, CEO and co-founder of StormWall, about the dangers of cyber attacks and how you can protect your e-commerce website.
How often do online stores fall victim to cyber-attacks? What information are the attackers interested in?
E-commerce is traditionally one of the most attacked industries because hackers can benefit from it directly.
The main beneficiaries of DDoS attacks in this sphere are obviously competitors: they use such activities as a tool to bring more traffic to their own websites. However, DDoS is not the only type of attack used for unfair competition. We often see attempts to produce undesirable automated actions on a website using bots. For example, bots create usernames, use promo codes, or automatically create fake orders to reduce the availability of some products for real clients.
Attackers also attempt to hack into an online store to gain access to the database of customer credentials or receive some kind of purchasing benefit for the goods. Interestingly, sometimes attacks are carried out blindly: for example, a hacker can perform automatic scans and vulnerability searches. These actions can seriously harm website owners, even if the attacker is unaware of who they are hacking.
Are the owners of e-commerce websites willing to spend money on cyber-security?
Commonly, e-commerce companies are aware of the need for DDoS protection, because many of them have already been attacked. Thus, they understand how extensive the damage from DDoS attacks can be. However, not all online store owners are yet ready to invest in more advanced protection such as WAF (Web Application Firewalls). To understand the need for advanced security measures, the company must have some expertise in cybersecurity or at least an understanding of how the cyberdefenses work and why they are necessary. Though, I must say that the market is already full of solutions that can minimize all sorts of threats. Some of them are complex, some are beginner-friendly. A lot can be purchased and installed directly from the cloud, which makes the integration quite effortless. Still, cybersecurity services are purchased mostly either by large companies or by companies who have fallen victim to some form of cyberattack.
How much influence do payment systems have on the level of protection of their partner-stores?
Most often, websites integrate payment systems using a similar standard: users are redirected to a secure website hosted by the payments system, where the actual transaction is being processed, then the user is redirected back to the store. So there is hardly any impact here.
Have you encountered fake online stores that were set up to steal customers’ credentials?
Yes, fake stores are quite common. Coping with them requires coordinated work of both law enforcement agencies and, of course, hosting providers, who must promptly respond to complaints, if they are justified.
Who is more affected by cyberattacks on e-commerce: businesses or customers?
Of course, if we are talking about a DDoS attack, the business takes almost all the damage. However, if we are talking about cyberattacks in general terms, then everyone should be concerned because of potential leaks of personal data. Even if a website doesn’t store credit card information in its database and uses a secure payment gateway, it usually stores credentials like names, phone numbers, home addresses, and so on. Of course, if hackers get their hands on this data, they can use it for their future attacks.
Is online retail in the UK and EU protected well enough?
Evaluating the market as a whole is quite tricky because the degree of protection varies between different companies. Medium and large e-commerce sites are almost always already equipped with DDoS protection. Many are integrating or have already integrated a Web Application Firewall. As for smaller companies, most who haven’t yet experienced an attack aren’t thinking of protection yet.
What can e-commerce website owners do to protect their websites?
In addition to the obvious recommendations to purchase DDoS protection and, if possible, set up a Web Application Firewall (WAF), they should systematically run stress tests of their defense systems. If the budget allows it, it is also recommended to carry out the so-called Penetration Testing. This is when information security experts attempt to “hack” the website in order to find and report vulnerabilities. When choosing a DDoS protection provider, there are a few recommendations to keep in mind as well.
Pay attention to the following:
- Are the servers of the security provider located in the same geographical location as your own and those of your clients?
- How long has the company been involved in DDoS protection and does it specialize in cybersecurity?
- How well does the support team work? To ensure full-time availability of your website, the technical support must work around the clock, always ready to respond to potential attacks.
- Ask the provider to show you a list of clients you might know. The number of clients is an indirect indicator of the real quality of the security provider and their services.
- Before making a purchase, if possible, we suggest testing the service. Run stress tests if you can and see how well the protection is really working and how quickly the technical support responds to incidents.
- Find out whether the security provider has any hidden payments. Some companies attempt to charge more based on the attack size or frequency. Never agree to these conditions — you never know what kind of attacks you may sustain or how frequently they could happen.
What should the consumers do to avoid getting into a tricky situation because of shopping on an unprotected website?
Unfortunately, there is not much a consumer can do on their own. That’s why the only thing I can suggest is to shop only on well-known and reliable e-commerce websites. But, unfortunately, even this does not give any guarantees.
Does the number of attacks tend to increase before holidays or times like Black Friday, when people rush to purchase gifts for family and friends? And if so then why?
Absolutely! After all, during such times we all flock to online stores to buy something. Of course, during the holiday period or Black Friday in particular, online retailers experience higher demand and, understandably, receive more profit. And some competitors quite often try to bring down the websites of their peers, especially if they share the same market segment or adjacent positions in the search results. By doing so, they attempt to bring more traffic to their own websites, since the resources of their competitors are unavailable. And now, just imagine how much a single day of downtime during the holiday season may cost an e-commerce business.