A COVID Christmas: Protecting Your Critical Ecommerce Assets

In this article we will address the current situation, how hackers can exploit your websites, what you can do to protect yourself and where AppCheck comes in as an automated penetration testing tool to make sure you’re not leaving yourself vulnerable.

With the latest Government announcement making Christmas gatherings look less likely and Christmas shopping even more stressful (if that’s possible) online sales will become even more important this year. 

With traffic sure to rise to astronomical figures as more and more turn to online shopping for their present buying solutions, leaving yourself open to attack just isn’t an option.  

The Impacts of COVID-19 on Ecommerce Traffic 

According to the Citizens Advice Bureau, people in the UK are now spending almost £2 billion per week online, with online shopping now making up almost a third of all retail sales in the UK. Additionally, 51% of people are now more reliant on parcels than before the coronavirus outbreak.  

All the signs and stats are pointing towards the biggest online period ever, which is fantastic for ecommerce sites' sales figures. However, have you considered the impact of your site being compromised during this busy time?

With sales set to skyrocket with the onset of Black Friday, Cyber Monday and Christmas, what are you doing to protect your most critical assets?  

How can hackers exploit your website?  

The first thing we need to consider is what is at risk. Your websites, certainly: they can be compromised and held to ransom, potentially bringing all online trading to a halt. Given the nature of ecommerce there will also be a host of sensitive data to secure, from credit card details to passwords and personal information. On top of that, your customers could be redirected to malicious websites, meaning they too could be compromised. Lastly, there are GDPR and ICO fines, along with your reputation, to consider.

We recently covered common ecommerce vulnerabilities and how to remedy them, which provides an excellent look at the different attack vectors and specific ecommerce vulnerabilities you may encounter, as well as how to help avoid them.

There are a whole host of vulnerabilities an attacker can exploit to gain information or even control of your website, including SQLi and XSS to name a couple of big ones. More specific to ecommerce, we see click-jacking, price manipulation, Insecure Direct Object Reference (IDOR), card skimming, weak authentication, pharming and server-side masquerading, DDoS attacks and subdomain takeover, to name but a few.

I think we’d all agree these are not things we want to find in our stockings this year.  

With many companies implementing change freezes as this busy period approaches, vulnerabilities may be present for longer because code is reviewed less often, giving hackers a longer window of attack. Conducting security tests before change freezes take effect mitigates that risk and allows organisations to concentrate on optimising their websites before the busy festive schedule and, in turn, maximise their revenue.

So how can you prevent these attacks, keep your website running and make sure your security posture is up-to-date? 

What can you do to protect your website? 

There are several actions you can take yourself to help prevent these attacks. The simplest (and most often overlooked) is to make sure your software is patched and up to date.

You can use a third-party payment provider, as many probably already do. This way you negate the risk of storing information yourself, but as we have seen even some of the larger third-party companies are not bulletproof.  

A good WAF (web application firewall) can even parry some of the more common attacks, but it is important to note that they do not provide complete mitigation.

Larger e-commerce providers may also want to consider options for DDoS mitigation. 

At AppCheck we believe that prevention is better than the cure. So we would always encourage organisations to introduce security training for their development team, because you don't need to fix vulnerabilities that were never introduced. We do, however, appreciate the challenge of finding and fixing vulnerabilities, so look into methods suitable for your organisation that allow you to run regular tests, spot vulnerabilities and fix them before hackers have a chance to exploit them.

How can AppCheck Help? 

While one-off tests are a great way to detect vulnerabilities, they provide only a snapshot in time. For year-round coverage it’s best to pair them with an automated tool, such as AppCheck. 

On top of detecting 100,000+ known vulnerabilities, including the OWASP Top 10, AppCheck detects zero-day vulnerabilities, giving you the edge.  

Here are some ecommerce-specific features you will find within our automated tool:

  • Pre-defined templates for e-commerce sites, including dedicated profiles for card skimming detection, subdomain takeover and Magento shopping cart vulnerabilities;
  • Custom detection from first principles of many common vulnerability types, ensuring that “zero-day” vulnerabilities can be detected even where not previously known of or published;
  • All standard OWASP Top 10 checks, including checks for common e-commerce risks such as SQLi and Cross-Site Scripting (XSS);
  • Checks for weak passwords on interfaces; and
  • Checking that web applications implement appropriate HTTP headers to protect e-commerce sites against frame-jacking.
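The last item above, checking that a site sends the HTTP headers that stop it being framed by another origin (the click-jacking risk mentioned earlier), is something you can verify yourself before a change freeze. The following is an added example written for this article, not AppCheck's scanner code: it parses a raw HTTP response, looks for `X-Frame-Options` and the `Content-Security-Policy` `frame-ancestors` directive, and applies the precedence rules browsers use (an enforced `frame-ancestors` directive overrides `X-Frame-Options`; report-only policies and the obsolete `ALLOW-FROM` value give no protection). The sample responses are constructed for illustration and are not captures from any real site.

```python
"""Classify a page's framing protection from its raw HTTP response headers.

Added example (not AppCheck's code). Verdicts: "protected", "weak" or "missing".
"""
from typing import Dict, List, Tuple

# Constructed sample responses: headers as a shop's server might send them.
SAMPLE_RESPONSES = {
    # Classic header only: blocks framing by other origins.
    "product_page": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
    ),
    # CSP frame-ancestors wins over a weak X-Frame-Options value.
    "checkout": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
        "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
    ),
    # A wildcard frame-ancestors lets any site frame the page.
    "basket_widget": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Security-Policy: frame-ancestors *\r\n"
    ),
    # Report-only policies are not enforced, so this page is unprotected.
    "legacy_search": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Security-Policy-Report-Only: frame-ancestors 'none'\r\n"
    ),
    "help": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
}

# Sources that allow any page on the web to frame the response.
PERMISSIVE_SOURCES = {"*", "http:", "https:"}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header names to the list of values seen (headers may repeat)."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue  # status line or blank line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_ancestor_lists(headers: Dict[str, List[str]]) -> List[List[str]]:
    """Return the source list of every enforced frame-ancestors directive.

    Only Content-Security-Policy is consulted; the Report-Only variant is ignored
    because browsers do not enforce it. An empty directive value means 'none'.
    """
    found: List[List[str]] = []
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                found.append([t.lower() for t in tokens[1:]] or ["'none'"])
    return found


def is_permissive(sources: List[str]) -> bool:
    """True when the directive allows any origin to frame the page."""
    return any(src in PERMISSIVE_SOURCES for src in sources)


def framing_protection(raw_response: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a raw HTTP response."""
    headers = parse_headers(raw_response)
    ancestors = frame_ancestor_lists(headers)
    if ancestors:
        # Every delivered CSP is enforced, so one strict policy suffices, and a
        # present frame-ancestors directive makes X-Frame-Options irrelevant.
        if any(not is_permissive(src) for src in ancestors):
            return "protected", "CSP frame-ancestors restricts framing"
        return "weak", "CSP frame-ancestors allows any origin to frame the page"

    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    if not xfo:
        return "missing", "no X-Frame-Options or CSP frame-ancestors header"
    if len(set(xfo)) > 1:
        return "weak", "conflicting X-Frame-Options values are treated as invalid"
    if xfo[0] in ("DENY", "SAMEORIGIN"):
        return "protected", f"X-Frame-Options: {xfo[0]}"
    if xfo[0].startswith("ALLOW-FROM"):
        return "weak", "ALLOW-FROM is ignored by modern browsers"
    return "weak", f"unrecognised X-Frame-Options value {xfo[0]!r}"


def audit(responses: Dict[str, str] = SAMPLE_RESPONSES) -> Dict[str, str]:
    """Verdict per named response; pages not marked 'protected' need attention."""
    return {name: framing_protection(raw)[0] for name, raw in responses.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        verdict, reason = framing_protection(raw)
        print(f"{name:14s} {verdict:10s} {reason}")
```

Run it against the headers your own pages actually return (for example, captured with `curl -sI`) and treat anything reported as `weak` or `missing` as a finding to fix before the festive change freeze.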

So don’t give yourself a nightmare headache before Christmas, unwrap AppCheck’s free vulnerability scan and find out where you’re most vulnerable this year.  


About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations' websites, applications, network and cloud infrastructure. AppCheck is authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
