
Hacking in ecommerce: How to protect your ecommerce site against hacking and fraud

By Heine Aaen Hansen
On 19 June 2017

Online fraud is a problem. 

Not only to online businesses that lose revenue due to mean-scheming hackers and fraudsters every single day (an estimated 6.7 billion US dollars in 2016), but also to consumers globally that risk losing their payment card details, social security numbers, and other sensitive data.

Today, security must be a top priority to ecommerce sites.

As a webshop owner, you might be familiar with the PCI DSS (Payment Card Industry Data Security Standard) and the importance of your business staying compliant.

Even though the PCI DSS is great for securing the protection of card data, there is still a lot more you can do to protect your ecommerce site from hackers and fraudsters.

We’ve assembled a list of things you can (and should) do to protect your online business and keep your customers safe.

1. Maintain your PCI compliance

This goes without saying. PCI DSS exists for a reason: To protect businesses and consumers against fraud. Always make sure you are PCI compliant – if you have any doubts regarding PCI DSS, please don’t hesitate to contact us here.

2. Don’t collect or store sensitive data

Just to be clear: Payment card numbers, expiry dates, etc. are confidential information, and you are not allowed to collect or store this information. That’s what you pay your payment provider to do.

Storing or collecting payment card details is against the PCI standard. You don’t want to break their rules or infringe on their standard as they might charge you heavy fees for doing so. I’m talking business ruining fees. Don’t go there.

Moreover, if you have nothing to steal, you’re less attractive to hackers. Storing sensitive data on your customers might just be a temptation that fraudsters can’t resist. So do yourself and your customers a favor and don’t run that risk.

3. Make sure your ecommerce platform is updated

PrestaShop, Magento, WordPress - whatever platform you choose, make sure to keep it updated. Within a day after new versions are released, you should patch your system. Outdated software is one of the main points of attack for hackers and the like. Make sure you don’t make it easy for them.

4. Demand strong passwords

If it’s possible for your users to create an account on your site (and you should, as there’s a number of advantages to this if you do it right), you should set up requirements for their passwords.

Remember, passwords should:

  • contain at least 8 characters
  • consist of letters and numbers
  • consist of upper and lower case letters
  • contain symbols

One trick to ensure all of this is to use passphrases rather than passwords. It’s harder to crack a phrase such as ‘The cat sat on the fl00r, smiling!’ than a single word.

Also, we have to touch upon the common advice to change your passphrases often. Now, science is not with you on this one. In fact, evidence suggests that changing passwords frequently does not improve security.

Instead of changing passwords often, demand strong passphrases to start with.
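The four password rules above, as an added example that is not part of the original post: a small policy check that reports which rules a candidate breaks, so the site can tell the user exactly what to fix rather than just rejecting the input. The passphrase from the post passes; a single dictionary word does not.

```python
import re

# The minimum rules from the post: at least 8 characters, letters and
# numbers, upper and lower case, and at least one symbol.
MIN_LENGTH = 8


def password_policy_failures(candidate: str) -> list:
    """Return the list of rules the candidate violates (empty list = accepted)."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", candidate) or not re.search(r"[0-9]", candidate):
        failures.append("needs both letters and numbers")
    if not re.search(r"[a-z]", candidate) or not re.search(r"[A-Z]", candidate):
        failures.append("needs both upper and lower case letters")
    # Anything that is not a letter, digit or whitespace counts as a symbol.
    if not re.search(r"[^A-Za-z0-9\s]", candidate):
        failures.append("needs at least one symbol")
    return failures


def is_acceptable(candidate: str) -> bool:
    """True when the candidate satisfies every rule in the policy."""
    return not password_policy_failures(candidate)


if __name__ == "__main__":
    # Constructed sample inputs: the post's passphrase, a bare word, a word+year.
    for pw in ("The cat sat on the fl00r, smiling!", "password", "Summer2017"):
        print(repr(pw), "->", password_policy_failures(pw) or "OK")
```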

5. Set up an alert system for suspicious behavior

This can be achieved in a million different ways. How you do it is up to you.

Most ePSPs will have anti-fraud monitoring services, and even though the service comes at a price, ask yourself this: Is security really where you should economize?

Alternatively, you can manually scan all your orders looking for suspicious behavior. And if you’re just starting up your business, this might be your choice. 

If so, look for these indicators:

  • Does the location of the IP address match the delivery address?
  • Does the delivery address match the billing address?
  • Are there multiple orders from the same IP?
  • Is the payment card issued in the same country as the delivery address?
  • Does the phone number match the delivery address?
  • Are there multiple orders from the same IP with different delivery addresses?
  • Is the order amount unusually high?

A good rule of thumb is this: If there is ANYTHING unusual about the order – anything at all – your spider sense should be tingling.
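The indicator list above, turned into a screening rule set as an added example (not code from the post or from Bambora). It assumes each order already carries a country for the IP address (from a geolocation lookup), the delivery and billing addresses, and the card issuer (from a BIN lookup); the phone-number check is left out because it needs an external directory. Country-level comparison is a simplification of "does the address match"; the sample orders are constructed.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    amount: float            # in the shop's currency
    ip_country: str          # country the customer's IP geolocates to (assumed lookup)
    delivery_country: str
    billing_country: str
    card_country: str        # country of the card issuer (assumed BIN lookup)
    ip_address: str


def screen_orders(orders, high_amount=500.0):
    """Return {order_id: [flags]} for every order that trips at least one indicator."""
    orders_per_ip = Counter(o.ip_address for o in orders)
    deliveries_per_ip = {}
    for o in orders:
        deliveries_per_ip.setdefault(o.ip_address, set()).add(o.delivery_country)

    flagged = {}
    for o in orders:
        flags = []
        if o.ip_country != o.delivery_country:
            flags.append("IP location does not match delivery address")
        if o.billing_country != o.delivery_country:
            flags.append("billing address does not match delivery address")
        if o.card_country != o.delivery_country:
            flags.append("card issued in a different country than delivery")
        if orders_per_ip[o.ip_address] > 1:
            flags.append("multiple orders from the same IP")
            if len(deliveries_per_ip[o.ip_address]) > 1:
                flags.append("same IP shipping to different addresses")
        if o.amount >= high_amount:
            flags.append("unusually high order amount")
        if flags:
            flagged[o.order_id] = flags
    return flagged


# Constructed sample orders, not real customer data.
SAMPLE_ORDERS = [
    Order("A1", 49.0, "DK", "DK", "DK", "DK", "203.0.113.10"),   # consistent
    Order("A2", 899.0, "NG", "DK", "US", "US", "203.0.113.20"),  # everything mismatched
    Order("A3", 120.0, "DK", "DK", "DK", "DK", "203.0.113.30"),  # shares IP with A4
    Order("A4", 130.0, "DK", "SE", "DK", "DK", "203.0.113.30"),  # same IP, other address
]

if __name__ == "__main__":
    for order_id, flags in screen_orders(SAMPLE_ORDERS).items():
        print(order_id, "->", "; ".join(flags))
```

Every flagged order still goes to a human: the post's advice to call the customer back applies exactly here, and a threshold like `high_amount` must be tuned to the shop's normal basket size.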

If you find a suspicious-looking order, call the customer and confirm the identity of the customer and that the purchase was made with his/her own payment card. Don’t let the customer call you (as this can be spoofed, showing you a different number than the one they’re calling from). If you’re still not sure about the order, ask the customer to make a bank transfer.

After seeing the above list, you might feel that doing this manually is something you wouldn’t mind spending your time on. Or you might want to automate these checks so you can spend your time on something more fun or important for your business.

Again, it’s up to you. Maybe you prefer the manual check, maybe you’d rather save time by letting a tool do this for you. Your choice.

A reminder, though: Even if you use an automatic service, please don’t forget your common sense when capturing your money. If something sounds too good to be true, it usually is.

6. Use encryption

When you transmit confidential data between your website and the browser, the communication should be encrypted. Not only to protect your business and your customers but to show the customers that your site is safe.

Use TLS (Transport Layer Security) version 1.1 or greater to ensure the best protection of your customers’ data. If you’re not currently using encryption, or if you’re using SSL (Secure Sockets Layer) or early TLS, you should migrate to a modern encryption protocol.

Go do it. Now.

You can find TLS certificates loads of places, and they don’t cost much. 

After all, why would you NOT want to let potential customers order safely from you? 

If you want to get a look at your website from a security perspective, you can try this tool from Qualys: https://www.ssllabs.com/ssltest/

7. Layer your security

A firewall is essential to prevent attackers from reaching your network, but don’t stop there. Add extra layers of security on contact forms, login pages, and search queries to prevent SQL injection and cross-site scripting (fancy words for malicious hacking methods).

Need ideas?

How about:

  • limiting the number of login attempts
  • enabling two-factor authentication
  • hiding/renaming the login page
  • asking a security question
  • using a CAPTCHA

Your developer will be able to help you implement the above suggestions – and probably has more gems up their sleeve.
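The first suggestion in the list, limiting login attempts, as an added example that is not code from the post or from any platform it names. It counts failed logins per account inside a sliding window and refuses further attempts for a lockout period; the clock is injectable so the behaviour can be checked without waiting. Window and lockout lengths are assumed values.

```python
import time
from collections import defaultdict, deque


class LoginAttemptLimiter:
    """Locks an account after `max_failures` failed logins within `window` seconds."""

    def __init__(self, max_failures=5, window=900, lockout=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures = defaultdict(deque)   # username -> timestamps of recent failures
        self._locked_until = {}               # username -> time the lockout expires

    def _prune(self, username, now):
        """Drop failures that fell out of the sliding window."""
        recent = self._failures[username]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_locked(self, username):
        until = self._locked_until.get(username)
        return until is not None and self.clock() < until

    def record_failure(self, username):
        now = self.clock()
        self._prune(username, now)
        self._failures[username].append(now)
        if len(self._failures[username]) >= self.max_failures:
            self._locked_until[username] = now + self.lockout
            self._failures[username].clear()
        return self.is_locked(username)

    def record_success(self, username):
        self._failures[username].clear()
        self._locked_until.pop(username, None)


def attempt_login(limiter, username, password, check_credentials):
    """Return "locked", "ok" or "failed"; the credential check is skipped while locked."""
    if limiter.is_locked(username):
        return "locked"
    if check_credentials(username, password):
        limiter.record_success(username)
        return "ok"
    limiter.record_failure(username)
    return "failed"
```

Returning "locked" before checking the password keeps a locked account from leaking whether a guess was right; the limiter can be keyed by client IP as well to slow down attempts spread across many accounts.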

8. Train your employees

It’s human to make mistakes. That’s why you have to do everything in your power to minimize the risk of human errors.

Provide security training for your employees. They should know never to reveal customer information in emails, chats, or texts as these means of communication are not secure.

It might be beneficial to make written security policies and protocols to make sure your employees are updated on general online security and, especially, the laws and regulations around customer data.

9. Monitor and scan your website

You should monitor your website at all times. There are loads of tools that can look out for malware, security vulnerabilities, etc. and notify you so you can take immediate action if they find anything.

Also, with regular intervals, scan your entire website to identify any unwelcome malware. And if you want to really test your site, consider hiring a consultancy to perform penetration tests of your network.

10. Back up your data regularly

We all know this is important. But do you actually do it? If you’re one of the many business owners either neglecting this or relying on your web host for data backup, I’d suggest you take a good long look in the mirror. What do you do if your server crashes, your hard drive fails, or a virus finds a way into your network – and you lose all your data?

If you’re counting on your web host for data backup, at least make sure that they actually do take backups regularly. Better safe than sorry, right?

11. Stay informed

This one should go without saying, but for the sake of good order let’s spell it out.

Your business is your responsibility.

You are responsible for staying up to date on security issues related to your ecommerce business. No-one else does it for you.

So, how do you stay up to date on these topics?

Well, here’s a few points for a start:

  • Subscribe to (and READ) news from your CMS provider, web host, ecommerce platform, etc.
  • Check for security alerts from card brands.
  • Join various ecommerce-related networks.

Alright. I hope that the above gave you some ideas about what you can do to protect your ecommerce website from hackers and fraud. We all know security is important, but quite often it is forgotten or neglected in the day-to-day business. Don’t be like that. Take care of it.

Got any brilliant suggestions or tips that I missed?

Feel free to drop us a line either on email, or get in touch on Facebook or Twitter.

Heine Aaen Hansen

Marketing and content at Bambora. When not writing, I'm reading. Book aficionado, word nerd, and helpless dad.
