Securing the e-commerce revolution
13th June, 2023 • Online
As customers move online, hackers follow. Protecting retailers and their clients is critical. But how?
“We want to keep shoppers’ data, identity and privacy safe, and to ensure that the retail sector is well equipped to face the cyber challenges associated with an ever-more digital world.”
– Dr Ian Levy, Technical Director, the National Cyber Security Centre
Retailers and those that manage their network infrastructure are among the most frequently targeted victims of cyberattacks. According to a recent survey, 24% of cyberattacks target retailers, with credential phishing, malware, ransomware and DDoS attacks the commonest threat vectors.
It’s perhaps no surprise that the industry is so targeted. The prize for the hackers is a treasure trove of easily monetizable data. Retailers store vast quantities of payment and card data as a result of heavily digitalised e-commerce models; they retain vast troves of additional personal data to finetune the personalised marketing and e-commerce portals upon which they depend.
Retailers are also easier to hack than some other sectors. They have been forced online and on to mobile not just by COVID but by rapidly changing customer habits. So, they have to maintain constantly updated e-Commerce sites, even the simplest of which rely on an ecosystem of applications, browsers and proxies that contain vulnerabilities allowing hackers to compromise all elements of the order and payment process. The recent ‘Natural Fresh skimmer’, for example, shows a fake payment popup, defeating the security of a (PCI compliant) hosted payment form.
They also have to offer omnichannel payment options, constantly expanding their attack surfaces as the next Klarna, Venmo or Zelle comes along. They interact with voucher schemes and rewards schemes, often using sophisticated EPOS machines to gather yet more data. And they rely on third-party systems, such as payroll suppliers, which have also been hacked.
Retailers are also vulnerable because their customers are. Retail customers straddle all age groups and demographics, and they are themselves constantly targeted by retailers’ marketing messages online and via apps, with the consequent possibility that those messages can be copied and falsified in ever smarter social engineering scams offering discounts and deals.
The penalty for being successfully attacked is also very high in the retail sector. Brand reputation is critical and can be lost easily if customers lose money to scams. DDoS attacks on e-Commerce sites can cost seven-figure sums per hour in lost revenues (imagine a pizza company that can’t take orders – its customers are hungry not loyal).
So, why are retailers also among the most breached companies around? Being an attractive target does not guarantee loss on its own; these companies must also lack the defences they need, and it appears that they do.
In the past, even large retailers were very publicly not in compliance with key standards, storing passwords in plain text and ignoring basic cyber hygiene. There are still problems of transparency and of taking cybersecurity seriously at significant organisations, and simple hacks are still causing chaos.