US online holiday spending jumped by 4.1% to $221.1 billion in 2023, and e-commerce sales are projected to reach $271.58 billion in 2024. Cyber 5 (the five days spanning Thanksgiving to Cyber Monday) is the peak, but it is only the start: the shopping frenzy stretches all the way to year's end, and it comes as a mixed blessing for online retailers. They welcome the jump in sales, but the spike in cyber-attacks arrives with it.
Things get so busy that employees (seasonal hires especially) are more likely to drop their guard, click on a phishing email, and unknowingly introduce a malware payload into the company's systems. And with so many more shoppers clicking to buy, more attackers will try their luck at breaching website defenses to steal payment details, which they then use themselves or sell on dark-web markets.
With the Holiday Season only weeks away, it’s time to take urgent stock of your cybersecurity protections. Will your website have these five critical security measures in place in time for the incoming shopping tsunami?
Client-side security protections
Client-side means in the user's browser. The average e-commerce website loads 389 resources, more than sites in any other sector, and 36 of them are JavaScript files. Magecart-style skimming attacks rely on compromised first- or third-party JavaScript to hijack the forms users fill in on login and checkout pages; because the skimmer runs in the shopper's browser, server-side controls never see the stolen data. Your JavaScript security therefore needs to be up to scratch, especially during the holiday season.
The risk is serious enough that PCI DSS v4.0 added two requirements aimed squarely at client-side attacks on payment pages. Both were future-dated best practices until 31 March 2025, when they become mandatory for businesses handling online payments.
Requirement 6.4.3 requires you to manage every script loaded and executed in the consumer's browser on payment pages: keep an up-to-date inventory with a written justification for each script, confirm that each one is authorized, and have a method in place to assure its integrity. This reduces the chance of a malicious script finding its way onto a payment page unnoticed.
Requirement 11.6.1 requires a change- and tamper-detection mechanism that alerts personnel to unauthorized modification of the HTTP headers and contents of payment pages as received by the consumer's browser (including additions, deletions and indicators of compromise), evaluated at least once every seven days or at a frequency set by your targeted risk analysis. It is a direct response to the serious and persistent problem of web skimming attacks.
As for how you can address client-side security and meet these requirements, our continuous monitoring solution covers both. It creates and updates an inventory of all scripts and apps and then monitors them for changes, so it is well suited to catching anything malicious that has crept in.
Website security protections
You can shore up the defenses of the website itself by deploying TLS properly (HTTPS everywhere). Encrypting the traffic between the user's browser and the web server stops an attacker on the network path from reading or altering sensitive information, as happens in man-in-the-middle attacks. On top of that, the server's certificate lets the browser verify that it is talking to your site rather than an impostor, which builds trust with users.
Allow TLS 1.2 as a minimum and prefer TLS 1.3; disable older protocol versions and weak cipher suites. Extended Validation (EV) certificates are often recommended for added trust, but mainstream browsers no longer give them a distinct indicator in the address bar, so spend the effort on a correct configuration instead. Enable HSTS (HTTP Strict Transport Security) so browsers refuse plain-HTTP connections to your domain, and audit the TLS configuration regularly, for example with a scanner such as SSL Labs, rather than assuming it is still sound.
You should also use a web application firewall (WAF) to filter common web attacks like SQL injection and cross-site scripting (XSS). Note that a WAF alone does not absorb volumetric DDoS traffic; that needs the capacity and rate limiting of a CDN or DDoS-scrubbing provider in front of it, with the WAF handling application-layer floods. Configure the WAF to block malicious requests and suspicious IP addresses, tune it in monitoring mode first so that it does not block real shoppers during the peak, and keep its rules updated against emerging threats. On the subject of updating, patch all your systems and software on a rigorous schedule. This covers everything: the operating system, web server, database, and content management system. Use automated tools to scan for vulnerabilities, apply patches, and keep all third-party plugins and libraries up to date.
Enforce strong authentication: long passwords screened against known-breached password lists (current NIST guidance favors length and breach screening over mandatory complexity rules), multi-factor authentication for admin accounts and, where customers will accept it, user accounts, and lockout or rate limiting after repeated failed logins. For customer accounts, rate limiting is usually preferable to a hard lockout, because an attacker can otherwise lock legitimate shoppers out on purpose during the busiest days.
It also helps to carry out regular security audits, penetration testing, and periodic vulnerability scans to identify and fix potential weaknesses.
Secure your database by using parameterized queries (prepared statements) wherever user input reaches SQL, encrypting sensitive data at rest, and giving the application a database account with only the privileges it actually needs.
Implement a Content Security Policy (CSP) to restrict where scripts can be loaded from, which blunts XSS and data injection attacks, and block framing with the CSP frame-ancestors directive (plus X-Frame-Options for older browsers) to prevent clickjacking, an attack in which your page is loaded invisibly inside an attacker's page so that the user's clicks land on your buttons without their knowledge.
Put a Security Information and Event Management (SIEM) system in place to monitor and log security events and set up alerts for suspicious activities. Regularly reviewing the security logs will help you track down and investigate anything suspicious.
Combining these approaches should give your website a wealth of protection that makes it much harder to crack and keeps the holidays happier.
Secure payment processing
Use PCI DSS-compliant third-party payment services like PayPal, Apple Pay, and Google Pay, or your payment provider's hosted payment fields or redirect. They tokenize payment card data, replacing the card number with a token that only the provider can map back to the card. Storing tokens rather than actual card numbers means a breach of your systems does not expose usable cards, and keeping card data out of your environment altogether also shrinks your PCI DSS scope.
These services often provide an additional layer of security and fraud protection too, and in any case, offering multiple secure options like these can enhance customer trust, which helps to increase conversion rates.
Another thing to do is implement 3-D Secure (3DS). Use EMV 3-D Secure (3DS 2.x) for strong customer authentication; it adds a verification step by the cardholder's issuer (typically a push notification or one-time code) to online card transactions. It helps prevent fraud and, for transactions the issuer authenticates, shifts liability for fraudulent chargebacks from the merchant to the card issuer.
Use the Address Verification Service (AVS) and the card security code (CVV/CVC). The customer enters the three-digit code printed on the back of the card (four digits on the front for American Express), which shows that they have the card details in hand, since the code is not stored on the magnetic stripe or chip and, under PCI DSS, must never be retained by the merchant after authorization. AVS checks whether the billing address entered matches the one on file with the card issuer.
It goes without saying that you should use HTTPS throughout the entire checkout process, validate form input on the server to reject malicious or malformed data, and use CAPTCHAs or other bot-detection methods to slow automated attacks such as card testing.
You can also add real-time fraud detection that leverages machine learning algorithms to detect unusual purchasing patterns. Setting up velocity checks to flag multiple transactions in a short time and monitoring for suspicious activities like mismatched shipping and billing addresses, can also help to keep thieves at bay.
If you must hold any payment data at all, encrypt it in transit and at rest, keep it segregated on separate, hardened servers, and limit access to essential personnel only. Better still, let the payment provider hold it so that it never enters your environment.
Customer data protection
Encrypt sensitive customer information using a strong, authenticated encryption algorithm (e.g., AES-256-GCM) for data at rest and TLS for data in transit. Encrypt databases, backups, and any files containing customer information. Use secure key management practices (a KMS or hardware security module, with keys separated from the data they protect and a plan for rotation), and implement strong access controls and authentication, including the principle of least privilege. Use role-based access control (RBAC) for employee accounts, mandate strong, unique passwords for all accounts, enforce multi-factor authentication (MFA) for all user accounts, especially admin ones, and use single sign-on (SSO) solutions for better control and access monitoring.
You should also secure data storage and transmission using secure protocols (HTTPS, SFTP, etc.) Use proper network segmentation to isolate sensitive data, regularly back up data and store backups securely, and train employees on data protection. Hold regular training sessions on data protection best practices and make security awareness a central feature of the organization’s culture.
Measures to deal with increased traffic
With more traffic likely to be coming your way, it's important to load test your website to make sure it can cope with the additional demand. But wait, you might be thinking, how is that a security issue? Excellent question. For a start, denial-of-service (DoS) attacks become easier if your systems are already strained, and overloaded systems may fail in unexpected ways that expose security weaknesses. For example, stack traces and error messages during crashes can reveal details of your infrastructure to an attacker.
There’s also the fact that under heavy load, some systems might disable or bypass certain security checks to maintain performance, and security monitoring systems may struggle to differentiate between high legitimate traffic and attack traffic.
So, with that in mind, it will help to simulate peak traffic conditions with tools like Apache JMeter, Gatling, or LoadRunner and deal with any bottlenecks and performance issues they uncover.
You can also use a content delivery network (CDN) like Cloudflare, Akamai, or Amazon CloudFront to serve your static content from edge servers, which reduces load on your origin and improves page load times for users (and, as noted above, is where volumetric DDoS traffic is best absorbed). Then there is cloud hosting that scales automatically with demand, such as AWS Elastic Beanstalk or the equivalent autoscaling services on Google Cloud Platform and Microsoft Azure.
It will also help to optimize website performance: minimize HTTP requests by combining files and using CSS sprites (less important over HTTP/2 and HTTP/3, which multiplex requests), compress and minify CSS, JavaScript, and HTML files, optimize images for the web (compress, resize, use appropriate formats), set browser caching headers for static resources, and load non-critical resources asynchronously. With all this in place, your website will be better set up to cope.
Conclusion
Hopefully, you now have plenty of ideas for tackling the holiday season online shopping frenzy. If you haven’t signed up for Reflectiz already, now is the ideal time to put this important piece of the security puzzle in place.