6 cyber security tips to keep your e-commerce business safe

Equipo Comunicacion 03/09/2024
    [Image: a cybersecurity expert reviewing the security of an e-commerce site]

    Cybersecurity in e-commerce is as important as the type of product or service we sell. We present 6 essential keys to better protect our interests and those of our clientele.

    Tip 1: Protect your customer data

    The personal and financial data of your customers is a valuable asset that you must protect with the maximum guarantees when we talk about cybersecurity in e-commerce. It is not only a matter of complying with the Organic Data Protection Law, but also of encrypting the personal data of each purchase. Otherwise, we would expose the person who trusts our offer to various types of fraud, such as:

    • Phishing. An e-mail personalised with the customer’s name is sent to their personal account, asking them to take a specific action to access their account: for example, to verify their bank details or update their password. If the customer clicks on the link provided, they are redirected to a fake page that mimics a bank or e-commerce site and steals their credentials.
    • Friendly fraud. The purchase process is legitimate, as the payment is made with the customer’s own details, but the charge is later disputed. We are left without the goods and unable to contest the claim. For example, the customer receives the product and then tells their bank that they do not recognise the charge. The bank refunds the money and we lose both the amount and the product.
    • Triangulation. A fraudulent merchant takes an order from a customer and fulfils it by paying a legitimate shop with stolen card details. The transaction looks legal until the cardholder files a complaint. For example, the customer buys a mobile phone from a fraudulent online shop offering a very low price. The shop uses the details of a stolen card to buy the phone from a real shop and has it sent to the customer. The customer receives the phone, but the owner of the stolen card reports the charge and the real shop loses the money and the product.
    • Identity theft. A customer’s personal data is obtained through techniques such as phishing, malware or physical theft of documents. This data is used to impersonate the identity of the customer and make fraudulent purchases in their name. For example, the customer’s e-mail address is accessed and the password is changed. This email is then used to reset passwords for other accounts, such as social networks, streaming platforms or online payment services. With these accounts, purchases can be made without the customer knowing it until the charges or notifications are received.
    • Carding. A stolen or software-generated card is used to make online purchases without the cardholder’s authorisation. For example, software is used to generate random card numbers and test their validity on websites that do not require CVV or 3DSecure. If any card works, it is used to purchase digital products or services online that do not require a physical shipping address.
    • Ransomware. The customer’s computer or mobile device is infected with malware that locks their files or system access and demands a ransom to release them. For example, after downloading a suspicious email attachment or visiting an infected website, the file or page executes code that encrypts the customer’s files and displays a message demanding payment in bitcoins in exchange for the decryption key.

    Tip 2: Keep your website secure

    Cybercriminals also breach websites in order to make a profit. The most frequent situations in e-commerce cybersecurity are:

    • The use of malware. If the site does not have appropriate security measures, a criminal can introduce malware into the system. Every transaction is then recorded and the data may be used for financial gain. For example, a keylogger is installed that records everything typed on the keyboard, such as passwords, card numbers or security codes. This data is sent to the attacker, who can use it to access e-commerce or customer accounts and perform fraudulent transactions.
    • XSS or Cross-Site Scripting. Dynamically generated websites are susceptible to this kind of attack. A script hidden in an apparently legitimate request is activated as soon as the visitor clicks on it. The entry points are the blog, the forum, the search engine and the site’s forms. Once in, the goals range from tampering with tracking cookies to injecting advertising and even interfering with the SSL connection. For example, malicious code is inserted into a blog comment that redirects the user to a fake page asking for personal or bank details. If the user enters their data, the attacker steals it.
    • The SQL injection attack. It consists of injecting malicious SQL through input that the program passes to the database without validating it correctly. For example, an SQL fragment is entered into a text field, giving access to the website’s database in order to extract or modify the information it contains, such as customer, product or transaction data.
    • CSRF or Cross-Site Request Forgery. The customer is made to perform unwanted actions without knowing it, such as transferring funds or changing their e-mail address. For example, the customer is sent an email with a link that looks harmless but actually performs a malicious action on a website where they are authenticated. If the customer clicks on the link, it can change their password, modify their profile or make a purchase without their consent.
    • Poor management of the error page. Error reports should be read in detail to identify where the problems are and to correct them. However, if these reports are shown to the public, they may reveal sensitive information about the system that can be exploited by attackers. For example, if an error is displayed indicating the version of the web server or programming language being used, the attacker can look for known vulnerabilities for that version and exploit them.
    • Defacement. It involves modifying the appearance or content of a website without authorization from the owner. The objective can range from causing damage to the image or reputation of the e-commerce to misleading users into fraudulent actions. For example, the logo or the name of the e-commerce is changed to a similar one, or a fake message is inserted announcing an irresistible offer or a security alert.
    • Brute force. It involves guessing passwords or access codes by trial and error over many possible combinations. The attacker can use software that generates and tests thousands of passwords per second until the correct one is found. For example, the attacker tries to access the e-commerce administration panel with different usernames and passwords until a valid combination is found.
    • Sniffing. It involves intercepting and analysing data traffic flowing through a network to obtain confidential or sensitive information. The attacker can use software that captures and filters the data packets sent and received between the server and the client. For example, the public Wi-Fi network of a shopping centre is monitored to capture data on the online purchases made by users connected to that network.
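    The SQL injection point above is easiest to see side by side: below is an added example (not code from the original article) of a hypothetical product-search query built by string concatenation next to its parameterised form, using Python’s standard sqlite3 module on a constructed in-memory table.

```python
import sqlite3


def make_db():
    # Constructed sample shop database: one unpublished product that the
    # public search must never return.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, name TEXT, published INTEGER)")
    con.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Phone", 1), (2, "Charger", 1), (3, "Unreleased tablet", 0)],
    )
    return con


def search_vulnerable(con, term):
    # The text typed into the search field becomes part of the SQL text, so
    # a quote and a comment marker in it rewrite the WHERE clause: the
    # published = 1 restriction is bypassed and every row is returned.
    sql = (
        "SELECT name FROM products WHERE published = 1 "
        "AND name LIKE '%" + term + "%' ORDER BY id"
    )
    return [row[0] for row in con.execute(sql)]


def search_safe(con, term):
    # Parameterised query: the driver sends the term as a bound value, never
    # as SQL, so quotes or keywords in it cannot change the query structure.
    sql = (
        "SELECT name FROM products WHERE published = 1 "
        "AND name LIKE ? ORDER BY id"
    )
    return [row[0] for row in con.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    db = make_db()
    normal = "Phone"
    hostile = "%' OR 1=1 --"  # constructed input containing SQL syntax
    print(search_vulnerable(db, normal), search_safe(db, normal))
    print(search_vulnerable(db, hostile))  # leaks the unpublished row
    print(search_safe(db, hostile))        # matches nothing
```

    Logging the hostile input and the unexpected row count is also a cheap detection signal for this class of attack.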

    Tip 3: Protect your payments

    Charging a stolen card number or another customer’s details is a legal problem that could complicate the future of a business. At Pasiona we recommend the following measures to protect the payment gateway as part of e-commerce cybersecurity:

    • Requesting the CVV. These are the three digits on the back of the card; it is only useful if the customer uses a card with a temporary CVV for payments.
    • 3DSecure. Mastercard and Visa developed it and its use is becoming more and more widespread. The customer must verify that he/she is making the purchase by entering a unique PIN, to which is added another PIN that is sent by SMS to the cardholder’s phone number.
    • Virtual cards. These are cards that are generated on a temporary basis and can only be used for a specific purchase or period of time. This prevents the actual card details from being stolen or used for other unauthorised purchases.
    • Mobile payment. It is a payment method that allows you to use your mobile phone as if it were a card, without having to enter any bank details on the website. Customers simply hold their mobile phone up to the payment terminal or scan a QR code to make a purchase. Payment is made through applications such as Google Pay, Apple Pay or Samsung Pay, which use technologies such as NFC or tokenisation to ensure the security of the transaction.
    • Intermediary services. These are platforms that act as intermediaries between the e-commerce and the customer, facilitating the payment process without sharing the customer’s bank details with the merchant. Customers simply register for the service and link their card or bank account. They can then make purchases using their email address and password or their fingerprint. Some examples of these services are PayPal, Stripe or Bizum.

    Tip 4: Update your software

    We start by performing a security analysis of the programs we use to detect any type of incident. Often a CMS, such as WordPress or Shopify, is used to build the shop. These platforms work with freely selectable plug-ins. Only the most frequently used ones should be kept, as they are the ones that are updated most often. At the same time, let’s not forget to update the CMS as new versions are released.

    In addition, we must also take into account other aspects when choosing and configuring our CMS, such as:

    • The choice of hosting. It is important to choose a web hosting provider that offers a secure, reliable and fast service. Avoid free or very cheap hosting plans, as they may have security, performance or availability problems. You should opt for a hosting plan that offers an SSL certificate, a firewall, an antivirus, a backup system and efficient technical support.
    • The use of SSL certificates. These are digital files that encrypt the communication between the server and the client, guaranteeing the confidentiality and integrity of the data exchanged. A website using SSL displays a green padlock and the https prefix in the address bar of the browser, indicating to the user that they are browsing a secure and verified page. The use of SSL is mandatory for websites that handle personal or financial data, as it prevents them from being intercepted or modified by third parties.
    • Establishing appropriate permissions. These are the rules that define who can access which system resources and what actions can be performed on them. It is important to set appropriate permissions to prevent unauthorised users from accessing sensitive information or modifying the operation of the website. Assign the minimum necessary permissions for each user or role, following the principle of least privilege.
    • Making periodic backups. These are backups that are made at a certain frequency to save the state of the website and its data at a certain point in time. These copies allow you to restore your website in the event of a problem, such as an attack, error or data loss. It is advisable to make daily or weekly backups and store them in a safe place different from the hosting.

    We complete the e-commerce cybersecurity process by applying the periodic updates offered by the operating system we use on our business computers.

    Remember that it is essential to have a dedicated antivirus to detect any irregularities as soon as they occur. We also need to keep it updated and renew its licence when required to maintain its effectiveness. In addition to antivirus, we should use other security tools, such as a firewall, anti-spyware or anti-malware, to help us prevent, detect and remove malware that may infect our computers or network.

    Tip 5: Train your employees

    Employees are an essential part of cybersecurity in an e-commerce. The cybersecurity training offered to them should be based on the following points:

    • The regulations and security policy of the business. We have to define concrete ones so that all workers are aware of them and know what their obligations are. Do not hesitate to hold meetings with each department whenever there are changes. Clearly informing workers is synonymous with stopping cybercriminals.
    • Regulated access control. A strong password policy for access to the operating system and applications should be implemented. At Pasiona we advise, to increase your security, changing them at least once a month and not repeating previous passwords.
    • The management of the antivirus programs used. Everyone needs to know how they are set up, how to act in the event of an alert and what kind of resources are available to them.
    • Manual or automatic updates must be verified by each employee.
    • The information transmission channels must be encrypted and concrete measures must be taken to prevent data leakage.
    • The management of removable media, such as USB flash drives or hard drives. It is imperative to stress the importance of controlling each device and preventing access to the ports of each device.
    • The safe use of email, social networks and mobile devices. Everyone should know how to protect their digital identity, how to recognise and avoid phishing, spam and malware, how to set up privacy and security settings for their accounts, and how to use common sense and caution when surfing the Internet.
    • Password and access management. Everyone should know how to create and remember strong passwords, how to use a password manager, how to enable two-step verification, how to log out when finished using a service or application, and how to report any attempted or suspected unauthorised access.
    • Identification and reporting of incidents. Everyone needs to know how to recognise the signs of a possible attack or security problem, how to act on an alert or suspicion, how to report the incident to the manager or security team, and how to assist in resolving it.
    • The application of established security standards and protocols. Everyone should be aware of and comply with the rules and protocols that have been defined to ensure the security of e-commerce, such as acceptable use policies, prevention and protection measures, action and recovery procedures, responsibilities and sanctions, etc.

    Tip 6: Hire a cybersecurity service

    As we have seen, cybersecurity in e-commerce is not an add-on, but a necessity. Therefore, it is highly recommended to hire a professional service like the one we offer you at Pasiona. Outsourcing such a relevant aspect of electronic commerce allows you to gain peace of mind. Our specialists in the field will monitor each process and take the appropriate measures to avoid problems. This complies with current legislation and, at the same time, protects your interests. It is about making the right decision to secure the future of a business proposition.

