The Covid-19 pandemic has changed our lives in more ways than we could probably have imagined before. It brought in some entirely new things, such as wearing masks, social distancing, and overall lockdowns. Still, it also sped up some things that were probably more or less in the making, such as work from home and e-commerce.
More people had been using all types of e-commerce even before the pandemic, buying everything from clothing to gadgets, but having to be at home most of the time, with many shops closed, meant that adjustments had to be made. Many companies added or improved online shopping options on their websites, delivery methods, and more, which, as mentioned already, would have probably happened anyway, but over a longer time instead of just a few months or so.
While there are many positive sides to the e-commerce improvements, the fact that practically everyone uses e-commerce websites and apps provides lots of opportunities for cybercriminals and hackers, making those sites and apps desirable targets. The things most useful to these criminals are money and personal data, and those two things are precisely what needs to be provided to be able to buy or sell online.
Credit cards, email addresses, passwords that might be shared with other accounts, personal info needed to prove your identity and ownership of the money you are using: the list goes on and on. If all of this data is not sufficiently protected, it becomes like a candy store for malicious actors, full of those sweet cookies (internet pun intended, although that type of cookie is not involved here) to enjoy.
Talking about data, website, and app protection, many retailers might not be aware of all the details of the programs and apps they are using, and they might not know whether those are up to date and secure. For example, research has found over 3300 publicly exposed web applications run by major retailers in the United States. Compared to that, retailers from the EU had a better score, with around 2800 publicly exposed applications.
The EU retailers had a smaller number of publicly exposed applications and a smaller share of those that were considered suspect, 4%, compared to 8% in the US. However, 27% of the EU apps had outdated components with known security risks, while the US ones had fewer old components, 22%. The numbers do not vary wildly, suggesting that all over the world, retailers are experiencing similar security issues and might be missing the same potential threats.
The research also showed that the area with the highest risk exposure was security mechanisms, which is slightly ironic, considering that they are the ones that are supposed to protect the applications. For retailers using HTTP websites, the danger came from websites with a high attack surface score, especially if the websites were not encrypted and access was not restricted. Next on the list is dynamic content, primarily due to the JavaScript and ActiveX controls commonly used in many e-commerce applications with a wide range of uses.
E-commerce apps are at risk
The researchers hope to identify critical risks and make it easier for e-commerce retailers to protect themselves from malicious attacks. Due to the dynamic nature of the technology used for online retail activities, security must constantly evolve. Of course, another reason is that cybercriminals are also continually changing, finding new and creative ways to perform their activities in all spheres of life, from stealing something simple, such as someone's Netflix account so they can sell it on the dark web, to holding entire countries hostage with ransomware. E-commerce is one of their main playgrounds, especially since the jump in online retail activity that came with the Covid-19 restrictions.
It is essential to thoroughly understand the technology used in e-commerce apps and sites, their attack surfaces, whether they align with the company's goals, and what kind of risk they pose or might pose in the future. Security must always be a priority, as it is always better to prevent an issue, even if it seems small, than to have to fix it, as it might prove catastrophic in the longer run.