Are you ready for Black Friday? Why retailers should care about web security

Every year, consumers look forward to Black Friday, but unfortunately, so do hackers. Black Friday is “scam central” and while most of the attacks in the past targeted consumers (like the Target data breach in 2013), retailers need to be prepared. An attack on one of the busiest days of the year can have serious consequences for e-commerce merchants, which is why organisations like the Retail Cyber Intelligence Center are offering members threat briefings and advice before the holiday season.

We have discussed Black Friday and security with Michael Hallberg, senior partner, and Magnus Blombergsson, tech lead, from Enferno, a Swedish e-commerce platform provider, and Michael Wictor, CEO of ehandel.se, a community for e-commerce merchants.

The importance of Black Friday

Michael Wictor, CEO of ehandel.se

There is no doubt about it: Black Friday is important for business. In 2015, Amazon logged over 6 million visitors on Black Friday and a further 10 million visitors browsing the site using a mobile device. The e-commerce experts we talked to say that this one day in November can make or break a retailer. Michael Wictor, CEO of ehandel.se, says: “For certain businesses, Black Friday is extremely important, and in some industries, it can be absolutely crucial.”

Michael Hallberg and Magnus Blombergsson from Enferno agree, and have some interesting numbers to share:

“Most of our customers are Swedish but they sell internationally, so Black Friday does have an effect on their business. One of our clients says they usually have around 60.000 page visitors per day, but on Black Friday 2015, the figure jumped to 430.000 visitors. This year, they are expecting 600.000 visitors, that’s ten times their usual traffic. They estimate that their Black Friday campaign will generate more revenue than the Christmas season.”

Preparing for the shopping rush

The majority of retailers plan for Black Friday and prepare for traffic spikes and large order volumes. Michael Wictor explains: “Everything is strengthened and extended in preparation for Black Friday; security, customer service staff, and warehouse staff.” This is no surprise – according to ehandel.se’s annual report, the number of parcels handled by the Swedish postal services right after Black Friday in 2015 had increased by over 100% (compared to 2014).

Michael Hallberg, senior partner at Enferno

The experts from Enferno point out that it is not unusual for e-commerce merchants to get ready for potential issues with the platforms they are using. “We have noticed that our customers have asked for extended support hours and would ideally like to have support 24/7. I know that payment platforms get plenty of similar requests and those that have the capacity offer support all day long. In general, retailers focus on performance and scale rather than specific security issues.”

Michael and Magnus add that most retailers work extensively with security when it comes to payments and personal data: “Because data privacy is regulated by law, the importance of keeping personal data safe is quite deeply ingrained in most of our customers’ minds.” But unfortunately, web security is not a priority among retailers.

The nightmare scenario

Surprisingly few e-commerce merchants focus on taking security precautions, even though thousands of shoppers place orders on Black Friday and falling victim to hackers is a nightmare scenario. “If a webshop is attacked on Black Friday, the impact is devastating because the volume of incoming orders is enormous. A downtime of an hour would be a slight setback in July, but on Black Friday, it’s a disaster,” say Michael and Magnus from Enferno. They explain that a security breach could take a toll on brand reputation as well as revenue: “Being hacked would create badwill and that’s a consequence that plays a key role in business. If you have stocked up on products, not being able to sell them is a huge financial risk.”

Michael Wictor from ehandel.se agrees and emphasises the effect of security issues on sales volumes: “The worst that can happen is for sales to drop considerably.”

The future of e-commerce security

Magnus Blombergsson, tech lead at Enferno

E-commerce security has come a long way, but it is still relatively narrow and focused on the payment process. However, the experts from Enferno say that this is beginning to change: “We have noticed that nowadays, new customers often know more about security and have more complex security requests, which also means that we need to constantly update our knowledge about security.”

This means that e-commerce merchants are becoming more aware of security issues and the importance of implementing preventive measures that reach beyond the payment process. Hopefully, the trend continues – consumers and retailers alike can benefit from a security-oriented mindset and open discussions about threat mitigation.

Are you running an e-commerce business and have security tips or best practices to share? Let us know at hello[at]detectify.com!

Disposable mail is an automated web security scanner that checks your website for over 700 vulnerabilities and notifies you if any security issues are identified. Sign up for a free trial to test your website with Disposable mail and see what security monitoring can do for your business »

Read more about e-commerce security:
How to choose the right e-commerce platform
7 most common e-commerce security mistakes
GDPR Compliance Checklist for eCommerce by our friends at Divante


How to choose the right e-commerce platform

In e-commerce, there is no one solution that fits every online store perfectly. When it comes to picking an e-commerce platform, there are many aspects of your business that need to be taken into consideration before you can make an informed decision. In this article, we have gathered some key points that can help you decide on a platform that suits you best.

E-commerce platform

1. Define what you are

The first step is to define what you are. First off, will you sell physical or digital goods? This may not have much to do with security, but it is a good starting point that can help you narrow down and evaluate your options.

How many different products will you offer? If you go with a webshop-as-a-service solution, the price often varies depending on the number of products. The question that naturally follows is whether what you want is an online store with the primary goal of selling a range of different products or a website with a lot of information and just a few products. Most CMS solutions available on the market today offer e-commerce support, which makes them a great alternative for businesses looking to focus on content rather than just e-commerce.

2. Budget

How much are you prepared to spend? This is something that might seem obvious, but it is a good idea to plan your budget before you start looking into different e-commerce platforms. Without a budget, you might end up picking something unnecessarily expensive, or settle on a cheaper option that doesn’t give you all the functionality you need. That said, a strict budget is not optimal either; if possible, aim for flexibility that leaves room for negotiation.

3. Self-hosted or shop-as-a-service

There are two main categories of e-commerce solutions and your options here depend on your technical competence. The first one is the self-hosted shop where you host everything on your own server and the alternative is the shop-as-a-service where you pay a monthly fee and leave the e-commerce magic to your platform provider.

Opting for a shop-as-a-service solution allows you to focus on running your business and let experts deal with running the site. Operating an online store and making sure everything is up-to-date can be much harder than it sounds, so we would recommend choosing the shop-as-a-service option. Even if you are technically proficient or can hire someone who is, avoiding the hassle of hosting your online store can save you both time and money.

The main takeaway here is that there is no good reason to host your e-commerce site unless it’s absolutely necessary.

4. Security

Always look up the reputation of the service or platform that you plan to use. History is not everything, but repeated cases of security breaches often indicate a pattern. In this case, the best course of action is to do some research and ask a security expert for their opinion. Be aware that this could backfire as well, as people sometimes say they know more than they do.

While we, of course, believe that security is extremely important, it is vital to keep in mind that it is just one of the parameters to consider. When choosing an e-commerce platform, the decision needs to balance a large number of criteria. The most secure solution would most likely be to host a .txt file with instructions to email orders, but this is obviously not the best or most user-friendly option for an e-commerce business.

Disposable mail scans your website for over 700 vulnerabilities and can help you monitor your e-commerce solution’s security status. Sign up for a free 14-day trial and check if your site is vulnerable »

5. Vulnerabilities specific to e-commerce

If you coded your e-commerce solution yourself or are in any way technically involved in running your online store, it’s important to map out business logic-specific vulnerabilities alongside the more general security issues.

For example, an attacker might be able to figure out your stock levels by adding a product to their shopping cart until the website says the product is out of stock. Information about your inventory could be used by a competitor to plan future campaigns. These vulnerabilities are difficult to find using automation, but being aware of them and knowing how to spot them can help you keep your store safe.

6. Realise that consumers trust you

As an online retailer you want to have as little to do with credit card credentials as possible. However, even if you are using an external payment processor and technically have very little to do with the transaction, users do not see it that way. If you were to be hacked and someone switched out the payment process with a link to their own faked payment processor, a regular user could not tell the difference.

As soon as you start selling products online, you get a lot more attention from potential attackers. At the same time, your customers need to know that you are worthy of their trust. This is an issue you need to tackle regardless of whether you are hosting your own platform or using a dedicated solution, but again, the shop-as-a-service option is probably the best alternative for the majority of e-commerce businesses.

7. How long should the store be online?

We often find forgotten sites left behind after a limited campaign that has expired. These sites are rarely up-to-date and are often vulnerable, but can still contain sensitive customer information. If the shop you are setting up is used for a campaign that will eventually expire, make sure you are able to successfully delete it afterwards. This should be a relatively easy task, but it is often forgotten, leaving sensitive information at risk.


7 most common e-commerce security mistakes

The first step of running an online store is simple: do not. In the majority of cases, hosting the platform is an unnecessary headache and opting for an e-commerce-as-a-service solution can be a much better alternative. However, if you have taken the plunge and are hosting your e-commerce site yourself using one of the more popular CMS solutions, keeping your online store secure is a top priority. Being aware of the most common security mistakes in e-commerce can help you identify and prevent security issues.

7 most common e-commerce mistakes

Price manipulation

When adding a product to the shopping cart, two values were sent to the server in a POST request: the article ID and its price. An attacker could simply intercept this request and change the price. This vulnerability peaked a few years ago and while this specific method rarely works today, variations of it are still in use.

One variation is to change the currency instead, which can sometimes be exploited when using external payment processors with faulty configurations. Changing the currency from USD to WON (Korean) would make the order a thousandth of the price.

This exploit can also be part of the aftermath of being hacked. If an attacker were to come across login credentials for an admin, they could log in and change the price of a product before ordering it, or perhaps add a discount code giving them 100% off. If you have many employees with access to such actions, it is extremely important to design a system that allows you to minimise damage in case an attacker gets admin access.
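The price and currency tampering described above, as an added example that is not code from the original post: a cart handler that trusts the POST body beside one that takes only the article ID from the client, looks the price up server-side, accepts only currencies the shop has enabled, and re-checks the processor's reported amount before fulfilment. The catalogue, rates and function names are constructed for the demo.

```python
from decimal import Decimal

# Constructed server-side catalogue: the only place prices may come from.
CATALOGUE = {
    "A100": Decimal("49.90"),
    "A200": Decimal("199.00"),
}

# Conversion rates the shop itself maintains (constructed values). Only the
# currencies listed here are accepted; "KRW" is deliberately absent.
RATES_FROM_USD = {
    "USD": Decimal("1"),
    "EUR": Decimal("0.92"),
}


def add_to_cart_vulnerable(cart, form):
    """Mirrors the mistake in the text: the POST body carries the article ID
    together with the price (and here also the currency), and the server
    stores whatever it was sent."""
    if form["article_id"] not in CATALOGUE:
        raise ValueError("unknown article")
    cart.append({
        "article_id": form["article_id"],
        "price": Decimal(form["price"]),           # attacker-controlled
        "currency": form.get("currency", "USD"),   # attacker-controlled
    })
    return cart


def add_to_cart_hardened(cart, form):
    """Only the article ID is taken from the client. The price is looked up
    server-side and the currency must be one the shop actually supports."""
    price = CATALOGUE.get(form["article_id"])
    if price is None:
        raise ValueError("unknown article")
    currency = form.get("currency", "USD").upper()
    rate = RATES_FROM_USD.get(currency)
    if rate is None:
        # Reject outright instead of passing an unknown currency on to the
        # payment processor and hoping its default handling is sane.
        raise ValueError(f"currency {currency} not enabled for this shop")
    cart.append({
        "article_id": form["article_id"],
        "price": (price * rate).quantize(Decimal("0.01")),
        "currency": currency,
    })
    return cart


def cart_total(cart):
    """Amount and currency to hand to the payment processor."""
    if not cart:
        return Decimal("0"), None
    currencies = {line["currency"] for line in cart}
    if len(currencies) != 1:
        raise ValueError("mixed currencies in one cart")
    return sum(line["price"] for line in cart), currencies.pop()


def processor_callback_ok(cart, paid_amount, paid_currency):
    """Before fulfilling an order, recompute the expected total from the
    server-side cart and compare it with what the processor reports as paid.
    This also catches a currency swap made after the cart was built."""
    expected, currency = cart_total(cart)
    return currency == paid_currency and Decimal(paid_amount) == expected
```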

Transferring funds between gift cards

Race conditions are often overlooked, and one place where that can be exploited is when funds are transferred between two gift cards.

A real-life example of this vulnerability involved three Starbucks gift cards. This may sound like a very advanced and elaborate attack, but it is really easy to exploit, which is why we will probably see more of this type of exploit in the future.
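The gift card race condition, as an added example that is not code from the original post: a check-then-act transfer that lets two simultaneous requests both spend the same balance, beside a version that checks and debits under one lock. The ledger, card IDs and the barrier used to force the interleaving are constructed for the demo.

```python
import threading
from decimal import Decimal


class GiftCardLedger:
    """Constructed in-memory ledger: card ID -> balance."""

    def __init__(self, balances):
        self.balances = {card: Decimal(v) for card, v in balances.items()}
        self._lock = threading.Lock()

    # Vulnerable: the balance check and the debit are separate steps, so two
    # requests for the same source card can both pass the check before either
    # has written the reduced balance back.
    def transfer_racy(self, src, dst, amount, pause=None):
        balance = self.balances[src]
        if balance < amount:
            return False
        if pause is not None:
            pause.wait()   # demo only: wait until the other request has also passed the check
        self.balances[src] = balance - amount
        self.balances[dst] = self.balances[dst] + amount
        return True

    # Hardened: check and debit happen under one lock, so the second request
    # sees the already-reduced balance and is refused. With a database the
    # equivalent is a conditional update such as
    #   UPDATE cards SET balance = balance - :amt WHERE id = :src AND balance >= :amt
    # and refusing the transfer when no row was updated.
    def transfer_atomic(self, src, dst, amount, pause=None):
        if amount <= 0 or src == dst:
            return False
        if pause is not None:
            pause.wait()
        with self._lock:
            if self.balances[src] < amount:
                return False
            self.balances[src] -= amount
            self.balances[dst] += amount
        return True


def run_concurrent(method_name):
    """Two simultaneous requests each try to move the full balance of card A
    to a different card. Returns (final balances, per-request results)."""
    ledger = GiftCardLedger({"A": "10", "B": "0", "C": "0"})
    method = getattr(ledger, method_name)
    gate = threading.Barrier(2)
    results = [None, None]

    def worker(i, dst):
        results[i] = method("A", dst, Decimal("10"), pause=gate)

    threads = [threading.Thread(target=worker, args=(0, "B")),
               threading.Thread(target=worker, args=(1, "C"))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return ledger.balances, results


def total_value(balances):
    """Money in the system; a transfer must never change this."""
    return sum(balances.values())


if __name__ == "__main__":
    for name in ("transfer_racy", "transfer_atomic"):
        balances, results = run_concurrent(name)
        print(name, dict(balances), results, "total =", total_value(balances))
```

With the racy version both requests succeed and 10 becomes 20; with the atomic version exactly one succeeds and the total stays at 10.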

Gift cards with incrementing IDs

It might sound strange, but when generating gift cards it is surprisingly common to just increment the card ID. If the attacker gets hold of a gift card with the ID 12345, they could try 12346 and use someone else’s money. This sounds like a really simple and obvious mistake, but unfortunately, it’s not unheard of.

Coupon codes

It doesn’t end with gift cards – sometimes, attackers can also guess coupon codes.

Imagine that you have generated two different coupon codes, one that gives customers 10% off and is intended to be spread online, and one that gives 50% off and can be sent to close friends. In this example, the coupon code for the first coupon is superCheap_10, while the one for the second coupon is superCheap_50. The problem here should be clear and is similar to incrementing gift card IDs. It might seem ridiculous and incredibly obvious, but it is surprisingly common.
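One way to avoid both the incrementing gift card IDs and the guessable coupon codes described above, as an added example that is not code from the original post: codes are drawn from a cryptographically secure random source, carry no hint of their kind or value, are stored only as a keyed hash, and repeated failed redemptions from one client are cut off. The secret, alphabet and limits are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed secret; in production load it from a secrets store, not source code.
SERVER_SECRET = b"constructed-demo-secret-replace-in-production"
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # 32 symbols, no 0/O or 1/I confusion
CODE_LENGTH = 16                                # 16 * 5 bits = 80 bits of entropy
MAX_FAILED_ATTEMPTS = 5


def _fingerprint(code):
    """Keyed hash stored instead of the code, so a leaked table is not a
    ready-made list of valid codes."""
    return hmac.new(SERVER_SECRET, code.encode(), hashlib.sha256).hexdigest()


class VoucherStore:
    def __init__(self):
        self._by_fingerprint = {}            # fingerprint -> {"kind", "value", "used"}
        self._failures = defaultdict(int)    # client id -> failed redemption count

    def issue(self, kind, value):
        """Issue a gift card balance or a coupon discount. Unlike ID 12346 or
        'superCheap_50', the code reveals nothing about its neighbours, its
        kind or its value; all of that lives server-side."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        self._by_fingerprint[_fingerprint(code)] = {
            "kind": kind, "value": value, "used": False,
        }
        return code

    def redeem(self, code, client_id):
        """Return (kind, value) on success, None otherwise."""
        if self._failures[client_id] >= MAX_FAILED_ATTEMPTS:
            return None        # locked out: no free guesses, even for a valid code
        code = code.strip().upper()
        if len(code) != CODE_LENGTH or any(c not in ALPHABET for c in code):
            self._failures[client_id] += 1
            return None
        entry = self._by_fingerprint.get(_fingerprint(code))
        if entry is None or entry["used"]:
            self._failures[client_id] += 1
            return None
        entry["used"] = True
        return entry["kind"], entry["value"]
```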

Figuring out the stock

An attacker might be able to figure out your stock by adding a product to their shopping cart until the website says the product is unavailable. Information about how much of a specific product you have in stock could be used by a competitor to extrapolate future campaigns ahead of time and foil your plans. For example, the competitor could buy the same product, put together a better campaign and push it to the public before you.

DDoSing competitors

Something that is popular from time to time, but we have not seen much of recently is DDoSing a competitor. If the competitor’s site is down, they cannot sell anything, so customers start looking for alternatives and turn to the attacker’s online store instead. To make matters worse, considerable downtime also damages your reputation, so even when your site is back online again, the consequences of the DDoS attack remain.

Thanks to services like CloudFlare this is a problem that can be overcome and we would certainly recommend looking into DDoS protection solutions. DNS changes can take a while, so this is a preventative measure that needs to be taken before an attack takes place.

Stolen credit cards

While attackers seldom use stolen credit cards with the intention to damage a business’ reputation, the issue is still one that retailers are familiar with and hope to prevent.

The attacker gets hold of a bunch of credit cards knowing they are stolen and will soon be reported as such. They use the cards to buy products online and once the bank finds out what has happened, a chargeback will be issued. A chargeback means a lot of extra work for the business owner as well as a fee that can often be quite high. If the order has already been shipped, the shop owner also needs to deal with the headache of trying to retrieve the products.

At the checkout, it is vital to make sure the customer is actually using their own credit card, but at the same time the process should be as smooth as possible to avoid scaring away any legitimate buyers. Finding the right balance between security and a user-friendly process is a challenge, but awareness of security issues in e-commerce is the first step towards running a safer online store.

How Disposable mail can help

Disposable mail scans your website for over 700 vulnerabilities, including security issues that frequently occur in popular e-commerce solutions. Continuous security monitoring can help you keep an eye on your e-commerce store and avoid the most common mistakes. Sign up for a free trial and check your store’s security »

Read more about e-commerce security:
How to choose the right e-commerce platform
Are you ready for Black Friday? Why retailers should care about web security


E-commerce security: the majority of online stores don’t force HTTPS

Online retail has been around since the early days of the internet and has grown dramatically over the last two decades. Two of today’s biggest players in the field, Amazon and eBay, launched in 1995 and today, shopping online is an everyday task. In Sweden, where Disposable mail is based, about 85% of the population have bought something online within the last year. To find out whether retailers are aware of e-commerce security risks, we have looked into the HTTPS configurations of 915 Swedish online stores. The results show that it is high time for online stores to catch up with security best practices.


With great e-commerce comes great responsibility

Even though the online store itself does not handle credit card credentials, consumers expect it to be trustworthy. Most regular users don’t know that credentials are sent to a payment processor through an iframe or an external page. This is something retailers often forget, but it certainly shows that there is great responsibility in e-commerce. A security breach can have a devastating impact on business and it can take a long time and plenty of effort to win back consumers’ trust.

Over 60% of e-commerce sites lack HTTPS per default

It would be possible to measure security in a variety of ways, but just to get a quick overview we decided to scan 915 online stores active in Sweden to see whether they force HTTPS or not. We did this using publicly listed information and a Python script that tries to connect to all targets over HTTP and follows the redirects.

If the redirects lead to an HTTP site, any attacker with access to the network can intercept the credit card details, potentially leading to grave consequences. An everyday user cannot be expected to manually switch to HTTPS, so all requests must be automatically redirected to an HTTPS site in order for HTTPS to serve its purpose.
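The check described above, as an added example that is not the script used for the research: it requests each store over plain HTTP, follows the Location headers, and classifies the final scheme, also flagging a chain that reaches HTTPS but then redirects back to HTTP. The three shops and their responses are constructed so the classification runs offline; the real fetcher (`_fetch`) is used when no fake opener is passed.

```python
import http.client
import ssl
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def classify_chain(chain):
    """Classify the sequence of URLs visited (first request plus each
    redirect target):
      'forced'     - the final URL is https://
      'not-forced' - the final URL is still http://
      'downgraded' - HTTPS was reached at some point but the chain ended on http://
    """
    schemes = [urlsplit(u).scheme.lower() for u in chain]
    if schemes[-1] == "https":
        return "forced"
    return "downgraded" if "https" in schemes else "not-forced"


def follow_redirects(start_url, opener=None, max_hops=MAX_HOPS):
    """Return the list of URLs visited. `opener(url)` must return
    (status, headers) with lower-cased header names."""
    opener = opener or _fetch
    chain = [start_url]
    for _ in range(max_hops):
        status, headers = opener(chain[-1])
        if status not in REDIRECT_STATUSES or "location" not in headers:
            return chain
        chain.append(urljoin(chain[-1], headers["location"]))
    return chain   # gave up after max_hops; treat as a redirect loop


def _fetch(url, timeout=10):
    """Single request without following redirects, using only the stdlib."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(
            parts.netloc, timeout=timeout, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "https-check/1.0"})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def check_shop(hostname, opener=None):
    """Start over plain HTTP, as a user typing the address would."""
    chain = follow_redirects("http://" + hostname + "/", opener=opener)
    return classify_chain(chain), chain


def summarise(hostnames, opener=None):
    counts = {"forced": 0, "not-forced": 0, "downgraded": 0}
    for host in hostnames:
        verdict, _ = check_shop(host, opener)
        counts[verdict] += 1
    return counts


# Constructed offline responses standing in for three shops.
FAKE_RESPONSES = {
    "http://shop-a.example/": (301, {"location": "https://shop-a.example/"}),
    "https://shop-a.example/": (200, {}),
    "http://shop-b.example/": (200, {}),
    "http://shop-c.example/": (302, {"location": "https://www.shop-c.example/"}),
    "https://www.shop-c.example/": (302, {"location": "http://www.shop-c.example/store"}),
    "http://www.shop-c.example/store": (200, {}),
}


def fake_opener(url):
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    hosts = ["shop-a.example", "shop-b.example", "shop-c.example"]
    for host in hosts:
        print(host, *check_shop(host, fake_opener))
    print(summarise(hosts, fake_opener))
```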


Only 37% of the sites we analysed force HTTPS

With the results in hand this is indeed a bit worrying, and the question is whether the site owners understand the magnitude of the risks involved. HTTPS is one of the easiest security measures to implement, and when it is not in place, it can be assumed that the majority of other preventive steps have been ignored as well. In total, only 37% of all scanned sites used HTTPS per default.

Consumer culture seems to have changed faster than businesses’ security awareness. News about hacker attacks and privacy issues have rendered people more aware of security issues, but e-commerce is still somewhat slow-moving. Business owners will eventually need to catch up on security and realise that they are not only running a website, but handling sensitive data and risk losing their customers’ trust.

Security as a competitive advantage

It is no longer possible to compete on price because a consumer can easily find the cheapest option using services like Pricerunner. Instead, what matters is the overall reputation of a brand, based on a number of factors including security.

An e-commerce site that has been hacked will have a hard time bouncing back as consumers will no longer trust it with their credit card details. The good news is that prioritising security is a wise strategic decision that does not only make the internet a more secure place, but is also good for business.

Leaks and automation

Make no mistake, online stores do get hacked. We have written before about big companies and services falling victim to hackers and e-commerce is no exception. Leaked credit card details are so common nowadays that they can be sold for just a few dollars online, on marketplaces available to anyone with a few hours to spare. Many stolen credit card credentials come from smaller leaks, but larger leaks involving millions of credit card details are not unheard of.

One of the more interesting attacks that has recently grown in popularity is hacking smaller online stores and including a piece of JavaScript that will intercept the credit card entered by an unsuspecting user. Such an attack can often be automated, and as no server code needs to be modified, it can take a while before someone discovers it. Gathering a list of thousands of e-commerce sites, as we did in the beginning of this article, and running an automated script against each one of them is easier than manually focusing on a specific target.

Research has shown that thousands of sites are affected by this and the hidden statistic is probably far larger than one would want to imagine.
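One defensive counterpart to the injected-JavaScript attack above, as an added example that is not code from the original post: a checkout page is fetched as rendered and every `<script>` is compared against a baseline, so an external script from an unknown host or an inline script whose hash is not in the baseline is reported. The allow-list and the two page snapshots are constructed; in practice the baseline would be taken from a known-good deployment and the audit run on a schedule.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collects every <script> on a page: external sources and inline bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        if attrs.get("src"):
            self.external.append(attrs["src"])
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def collect_scripts(html):
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    return collector


def sha256_b64(text):
    """Same form as a CSP/SRI hash, so the baseline can double as a CSP source list."""
    return "sha256-" + base64.b64encode(hashlib.sha256(text.encode()).digest()).decode()


def audit_checkout_page(html, allowed_hosts, known_inline_hashes):
    """Return (kind, detail) findings for scripts the baseline does not know.
    Relative src values are treated as first-party here; a stricter audit
    would also compare those paths against the baseline."""
    scripts = collect_scripts(html)
    findings = []
    for src in scripts.external:
        host = urlsplit(src).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append(("unexpected-external-script", src))
    for body in scripts.inline:
        digest = sha256_b64(body)
        if digest not in known_inline_hashes:
            findings.append(("unexpected-inline-script", digest))
    return findings


# Constructed known-good snapshot of a checkout page and its script allow-list.
ALLOWED_SCRIPT_HOSTS = {"pay.processor.example"}
BASELINE_HTML = """<html><body>
<form id="checkout"><input name="card"></form>
<script src="https://pay.processor.example/checkout.js"></script>
<script>window.shopConfig = {currency: "SEK"};</script>
</body></html>"""
KNOWN_INLINE_HASHES = {sha256_b64(b) for b in collect_scripts(BASELINE_HTML).inline}

# Constructed later snapshot with two scripts the baseline has never seen.
TAMPERED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script src="https://cdn-stats.example/track.js"></script>\n'
    '<script>window.extraLoaded = true;</script>\n</body>')


def demo():
    """Audit both snapshots; returns (findings for baseline, findings for tampered)."""
    return (audit_checkout_page(BASELINE_HTML, ALLOWED_SCRIPT_HOSTS, KNOWN_INLINE_HASHES),
            audit_checkout_page(TAMPERED_HTML, ALLOWED_SCRIPT_HOSTS, KNOWN_INLINE_HASHES))


if __name__ == "__main__":
    clean, tampered = demo()
    print("baseline:", clean)
    print("tampered:", tampered)
```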


Author: Linus Särud, Security Researcher

Twitter: @_zulln



Disposable mail talked about e-commerce security on TV4’s Nyhetsmorgon

Earlier today, Disposable mail’s Security Advisor Frans Rosén shared some online shopping security tips on TV4’s Nyhetsmorgon. Black Friday is closing in but unfortunately, most customers are not aware of the security risks they are exposed to. Watch the full video here.


On Nyhetsmorgon, Frans shared some insights from our research of the state of online store security. To find out whether e-commerce retailers are secure or not, our security researcher Linus Särud looked into the HTTPS configurations of 915 Swedish online stores. The results show that over 60% of e-commerce sites lack HTTPS per default. Read the full research report here.

Throughout November, we have been focusing on E-commerce Security and gathered a great deal of guides, research and best practices. Make sure to read up on our blog series about e-commerce security to prepare yourself for Black Friday.

Read more about e-commerce security:
Are you ready for Black Friday? Why retailers should care about web security
How to choose the right e-commerce platform
7 most common e-commerce security mistakes
E-commerce security: the majority of online stores don’t force HTTPS

 


Magento security 101: How to secure your Magento site

Due to its popularity as an e-commerce platform, Magento is an attractive target for hacker attacks, but basic security precautions can go a long way. We know that getting started with security can feel a little daunting, so we have put together this short guide to help you out. Follow our Magento security 101 and improve your Magento site’s security!

1. Use the latest version

Make sure that you are using the latest version of Magento as software updates often include security patches. If you are using Open Source (formerly known as Community Edition), the latest version as of October 2017 is 2.2. If you are running an older version, we strongly recommend you to upgrade and check Magento’s technical resources page for the latest release information.

2. Use a strong password

This may sound like a no-brainer, but it’s still worth mentioning because weak passwords are more popular than one might think. Seriously, take a look at the Worst passwords of 2016 (a list based on 5 million leaked passwords) and prepare to be amazed.

Once you’ve got your strong password in place, don’t change it too often. Contrary to popular belief, changing your password regularly can do more harm than good as you are more likely to choose a weak password that’s easy to remember. To generate strong passwords without having to worry about forgetting them, consider using a password manager.

3. Add two-factor authentication

Strong passwords are great, but there’s always an extra layer of security to add to the mix. A simple yet powerful measure is to add two-step authentication to your login. To do this, you can buy an extension on Magento Marketplace.

4. Manage your admin panel

Change the Admin Directory to something unique (do not use /index.php/admin/), add an SSL certificate and make sure to restrict access to the admin panel to your IPs. This is a simple step that is often overlooked – our research showed that over 23.17% of all Magento sites use the default admin directory.

When the admin panel is exposed it gives the attacker the opportunity to brute-force the login. The attacker can test common passwords, which has a high chance of succeeding as many people reuse their passwords. Exposing the admin panel also widens the attack surface and gives attackers one more page to check for vulnerabilities. To find out more about how attackers approach Magento sites, check out our video seminar where our security researchers explain how hackers think.

Not sure if your admin panel is secure? If you run a Disposable mail security check on your Magento website, the scanner will notify you when an exposed or disclosed Magento Admin panel is found.

Run a Disposable mail scan to check for Magento Admin Panel Disclosure

5. Stay up to date with the latest vulnerabilities

What is considered secure today could easily become vulnerable tomorrow, which is why reading up on the latest security research can help you keep your site secure. Magento’s Security Center is a good place to start – the center offers patch information as well as a number of security best practices for Magento users. However, when it comes to security, it’s always a good idea to have more than one source of information and that’s where automated tools come into play.

If you find security research a little overwhelming (don’t worry, we’ve all been there), automated security scanning tools like Disposable mail can help you out. Disposable mail’s researchers add new security tests to the scanner on a regular basis, ensuring that you can always check your site for the latest vulnerabilities.

Security never stands still. To help you stay one step ahead of hackers, we are always adding new security test modules to our scanner.

6. Monitor your Magento site’s security

Working with security is a long-term commitment, which is why we recommend testing your e-commerce store for vulnerabilities on a regular basis. Disposable mail tests your site for over 700 vulnerabilities (including security issues specific to Magento) and gives you a clear overview of its security status.

Your Disposable mail threat score is a handy summary of your site’s security status

The informative scan reports list all the security issues discovered as well as their severity level and tips on how to fix them. Disposable mail does not only look for Magento-specific security issues, but also checks your company blog, email settings, and much more. You can schedule regular scans, which means Disposable mail will keep an eye on your site’s security while you focus on your customers.

Check your Disposable mail report for the exact location of vulnerabilities

Ready to get on top of your site’s security? Sign up for our 14-day free trial (no credit card required) and check your Magento store for vulnerabilities!

Start your free trial

More Magento security reading

Is your Magento store vulnerable? Why it’s time to put security first

Thousands of vulnerable Magento web stores out there

GDPR Compliance Checklist for eCommerce by our friends at Divante

[VIDEO SEMINAR] Magento security from a hacker’s perspective

Magento 2 Security Guide – An Actionable Checklist for 2019


[VIDEO SEMINAR] Magento security from a hacker’s perspective

Have you ever wondered how a hacker would analyze and attack a Magento website? We picked the brains of two ethical hackers to find out. Linus Särud, 18, and Fredrik Almroth, 27, share their best insights and advice on Magento security to help you keep your Magento store safe from hackers.

What you will learn in 15 minutes:

  • How Fredrik Almroth hacked one of the world’s largest e-commerce sites.
  • What any Magento website owner should know about security to be able to keep up with black-hat hackers.
  • A step-by-step explanation of how a hacker would analyze an e-commerce page.
  • What the most common Magento security issues are based on our exclusive security data research on 30000 Magento sites.
  • What to do if you are hacked.

Get the free video seminar
Sign up through this form, and we will send you the video immediately per email, so that you can watch it whenever you want. We require double opt-in. Remember to check your spam filter if you don’t receive the confirmation email. And of course, the video seminar is for free!

About the hackers 
Fredrik Nordberg Almroth (Twitter: @almroot), 26, is internally known as “Godfather of Hacking”, since he has basically hacked everything that can be legally hacked. Fredrik has been appointed Security Expert of the Future by Symantec, and was one of the persons behind the famous read access on Google production servers hack, which earned him a bounty of 10,000 USD.

Linus Särud (Twitter: @_zulln), 18, started his career in IT security at the young age of 13. He has found serious security flaws in Google’s systems, written about IT security for IDG Sweden, and now works as a Security Researcher at Disposable mail in addition to going to high school. At Disposable mail, he is responsible for extensive security investigations like how top domains were vulnerable to email spoofing, writing articles and guiding customers in support.
