By Jack M. Germain
Nov 22, 2021 5:00 AM PT
Online shoppers and e-commerce website operators face greater chances of becoming victims of cyber hacks as 2021 draws to a close. A list of technical and logistical problems stretching across multiple industries gives both shoppers and retailers reason to double efforts to avoid being hacked this year.
Two factors top the list: runaway inflation and increased cyberattacks. Both are stretching spending capacity and digital safety to their limits during the holiday shopping season.
Adding to these two major developments are a bagful of events converging to make this shopping season even more stressful than normal. Supply chains are more clogged than ever and shipping delays are a worldwide dilemma.
A continuing shortage of desired products is likely, which makes it predictable that there will be an explosion of rogue websites offering suspiciously low prices or claiming the availability of products not available elsewhere, observed Colin Clark, vice president at Payment Software Company (PSC), part of NCC Group.
“If it is too good to be true, it probably is. Worker shortage means system maintenance is even more likely to be overlooked. Make this priority number one so you can enjoy many more holiday seasons in business,” he cautioned.
Clark manages operations in Europe, the Middle East, and Asia for PSC, and had over 30 years of experience in payments from a merchant perspective before joining the assessor community. NCC Group works with leading organizations to protect their businesses, brand value, and reputation against the cyberthreat landscape.
He urges both consumers and companies purchasing products online to avoid two main threats they are most likely to encounter this season: poorly configured e-commerce platforms and third-party threats.
“Many merchants implemented e-commerce platforms during the pandemic. Some of those may not have been maintained correctly or security tested. This likely means a significant number of vulnerabilities are actively being exploited in the wild,” he told the E-Commerce Times.
Third-party threats involve software components or third-party content. Any external material loaded onto or accessing the e-commerce platform should be viewed with suspicion and tested, added Clark.
Cost and Supply Worries
U.S. consumer prices are rising at the fastest pace in 31 years. The labor market is tightening, fueling supply chain fires.
Inflation remains a top challenge for retailers this year. When coupled with labor and supply chain challenges and an increasingly competitive landscape, retailers are facing a real risk to their margin and share if they do not find the right balance, according to Matt Pavich, senior director of retail innovation at Revionics.
Inflation is inherently a pricing challenge. It requires a pricing response that is sophisticated, analytically informed, and customer focused. That approach ensures retail margins are protected while offering the best prices to consumers on the most important products.
“With the right strategies, analytics, and pricing platforms in place, the best retailers will be able to weather the inflationary storm and actually grow share and profits in an extremely challenging time,” Pavich told the E-Commerce Times.
Consumers increasingly face empty shelves with a limited selection of the most in-demand items with higher-than-expected price tags. Freight ships are stuck at sea, factories are closing, shipping delays are likely here for the long haul, and the pandemic continues to haunt and severely disrupt the global supply chain.
“Given the current state of uncertainty in global supply chains, it is more important than ever for marketers to build agility into their marketing plans and campaigns,” said Peter Mahoney, CEO and Co-Founder of Plannuh, an AI-driven marketing, budgeting, and planning platform.
“Marketing leaders should be ready to scale their demand generation up or down based on the relationship between supply and demand. They also need real-time visibility and control of their spending to accelerate into opportunities, or rapidly scale back if supply is not available,” Mahoney said.
Tried and True Trickery
Hackers are working overtime to make sure they have a good time at others’ expense. They succeed using mostly old tactics without having to acquire new high-tech hacking ploys.
The cyberthreats in use this holiday season do not differ significantly from last season, according to Clark. But the fact that some of these e-commerce sites have been running for 18 months now means the risk from missing patches has grown significantly.
“The number of attacks through third-party software and products is also not new but is increasing,” he said.
The attacks primarily target retailers. The effort required to get one cardholder’s information is not much lower than that required to exploit a retailer, he observed. Meanwhile, penetrating the retailer’s platform successfully means getting all of its customers’ data.
Attack strategies such as phishing, leveraging re-used passwords, and exploiting unpatched systems and SQL injection vulnerabilities are not new. They are tried and tested.
As long as they work, they will continue to dominate the environment. What has changed is the increase in attacks on third-party vendors to bypass security controls, noted Clark.
“Automatic trust of a third-party content bypasses any good security protocols you have built into your own systems, as you are relying on the unknown to protect you,” he said.
While no major credit card breaches have occurred recently, there are undoubtedly a significant number of small merchants being breached. It has become death by a thousand cuts, and that is why the industry is seeking to educate smaller retailers on security practices.
Industry surveys in recent months confirmed that the key cybersecurity issues impacting e-commerce are privacy, data leakage, and object property exposure through an internal or external-facing application programming interface (API).
A recent report from Cloudentity based on research by Pulse Q&A, revealed that 97 percent of enterprises have experienced delays in releases of new applications and service enhancements due to identity and authorization issues with APIs and services.
“Some of Cloudentity’s findings parallel what we have also disclosed in the Salt Security State of API Security report,” said Michael Isbitski, technical evangelist at Salt Security. Many organizations have had to slow or halt production releases because of API security concerns, which is often a non-starter for DevOps practices and digital transformation initiatives, he added.
“Organizational IT and security teams are between a rock and a hard place when it comes to releasing new application functionality and doing it securely. The traditional approaches to API security, which often focus narrowly on access control or threat protection filters provided by gateways and web application firewalls, are insufficient to meet the needs of modern architectures and application delivery,” he told the E-Commerce Times.
Security best practices have always promoted authentication and authorization for any system or application. Unfortunately, implementing authentication and authorization that is both strong and effective is very difficult to get right in the world of APIs. This reality is a side effect of the expansive ecosystems or digital supply chains that are created to connect disparate partners, suppliers, applications, and data repositories.
An organization may only own certain elements of access control, and a complete end-to-end API sequence or application flow traverses many networks and systems. As a result, even simple security fundamentals like knowing your complete API inventory and data exposure points can be elusive for organizations, explained Isbitski.
He sees API attacks and abuses across all types of architectures and technology stacks, whether legacy monoliths or modern, cloud-native designs. Attackers often attack APIs through client front ends and the APIs that organizations must expose to provide functionality and data.
“How a given back-end is architected, including whether it is a monolith or sets of microservices, is often irrelevant depending on the end goals of the attacker,” he warned.
Safeguarding Tips for Consumers and Retailers
Consumers need to ensure the merchant is legitimate, suggested PSC’s Clark. For example, do not click on links in emails; “www [dot] walmort [dot] com” looks a lot like the real thing, but it is not.
If you want to buy something online, type the URL in yourself. Use a different password for every site, no matter how annoying it is.
If your banking password is the same as the one you use for your local running club, then even the best security at your bank is only as good as the smallest mistake on your running club’s website. Bad guys will steal data from low-risk sites, then use those credentials everywhere else to see where they can get lucky, said Clark.
“For their part, merchants need to patch their systems, validate third-party content allowed, and, most importantly, ensure they manage their site securely to keep bad actors out,” he offered.
Two-factor authentication, logging, alerting and 24/7 monitoring for alerts are all critical. Watch out for phishing emails, and do not assume every message is genuine. If you receive a message that could have a serious impact on you or the company, pick up the phone to verify it, he concluded.