Sales without bugs: digital security of e-commerce platforms
In this article we will talk about retail security. Mostly it will be about online stores, where shopping has long been commonplace, but we will also pay some attention to offline stores.
We surveyed representatives of the retail sector and found out which security threats they consider the most serious and from which attacks they expect the greatest losses.
The survey showed that respondents are most concerned about leaks of customers' personal data, and there is every reason for this: Russian legislation is changing to toughen liability in this area. But intruders are far from always interested in personal data such as a name, home address or an account's password hash. Far more attractive is bank card data, which can be put to use without leaving the checkout.
Online stores are not only a source of customer bank card data, but also a place where data bought on the black market can be used by fraudsters to make purchases. Most likely this will not lead to financial losses, but reputational ones will be hard to avoid. For this reason some sites refuse to serve countries where cybercrime thrives.
Leaks of financial data and other confidential information about the store's operations are also possible. In that case the consequences of the leak and the size of the losses depend on who gains access to the data and how it is used.
There are several types of attacks that are especially dangerous for online stores. All respondents fear unauthorized access to user and employee accounts. The only thing worse is unauthorized access to the admin panel. Through these accounts one can reach databases, manage prices, promotions, and so on. It is not difficult to imagine the consequences of such a scenario.
The software used in online stores is, like any other, full of vulnerabilities, and this also worries retailers. SQL injection into databases, XSS and CSRF attacks on websites and other dangerous vulnerabilities can be used to penetrate the corporate network and steal data. Concern about the security of the cloud servers in use is also well founded: examples of Amazon server vulnerabilities are known. Using cloud solutions in itself means fully trusting a third party.
Least of all, retailers fear reputational losses from hackers' pranks, such as posting funny pictures on the site.
Most retailers are not afraid of DDoS attacks. However, a study conducted by Digital Security showed that not all DDoS protection tools are effective.
Promotions are a separate danger. Because they are "temporary", they are not given enough attention: the logic of how they work is not checked, and a way to manipulate it can be found. The situation with bonus cards is similar: using errors in the code, you can increase your bonus balance to infinity.
Now let us give some examples of vulnerabilities exploited in online stores.
For example, on a Magento online store website the video preview is loaded via a POST request containing the URL of the image itself. An attacker can change this into a GET request in which, instead of the URL, there is arbitrary malicious code that runs on the online store's website.
A researcher from Digital Security discovered a vulnerability that allows an unlimited number of points to be accrued, with which up to 100% of the purchase price can be paid. This is possible because the server processes the information it receives incorrectly, and no special skills are needed to exploit the vulnerability.
Most recently, Aeroflot's software source code was leaked. In it you can find pieces of code responsible for gift certificates and bonus generation and, of course, use them to your advantage.
You can manipulate not only virtual money but also the prices of goods. Buy a smartphone for the price of a pen? This is possible if price values are stored where they are easy to access and change. For example, the price of a subscription can be changed by sending a forged HTTP request.
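As an added illustration (not code from the article or from any store described in it), here is a Python sketch of the two flaws just discussed: a checkout that trusts the price and bonus points sent by the client, beside a hardened version that takes prices from the catalogue and checks points against the balance the server stores. The catalogue, balance and requests are constructed.

```python
from typing import Any, Dict

# Constructed catalogue and bonus ledger that stand in for the store database (assumption).
CATALOGUE: Dict[str, int] = {"pen-001": 150, "phone-042": 49990}   # price per unit, in rubles
BONUS_BALANCE: Dict[str, int] = {"user-7": 500}                    # points held per account


class CheckoutError(ValueError):
    """Raised when a request fails server-side validation."""


def insecure_total(request: Dict[str, Any]) -> int:
    # Vulnerable pattern: the price of each line and the points to redeem are
    # taken straight from the client's request, so both can be forged.
    subtotal = sum(item["price"] * item["qty"] for item in request["items"])
    return max(subtotal - request["points"], 0)


def _checked_int(value: Any, what: str, minimum: int = 1) -> int:
    # bool is a subclass of int, so it is excluded explicitly.
    if isinstance(value, bool) or not isinstance(value, int) or value < minimum:
        raise CheckoutError(f"invalid {what}: {value!r}")
    return value


def secure_total(user: str, request: Dict[str, Any]) -> int:
    # Hardened pattern: prices are looked up server-side, quantities are validated,
    # and points are checked against the balance the server holds for this account.
    subtotal = 0
    for item in request["items"]:
        sku = item.get("sku")
        if sku not in CATALOGUE:
            raise CheckoutError(f"unknown sku: {sku!r}")
        subtotal += CATALOGUE[sku] * _checked_int(item.get("qty"), "quantity")
    points = _checked_int(request.get("points", 0), "points", minimum=0)
    if points > BONUS_BALANCE.get(user, 0):
        raise CheckoutError("points exceed stored balance")   # worth logging as tampering
    # Points may cover up to the full price but never push the total below zero.
    return subtotal - min(points, subtotal)


if __name__ == "__main__":
    forged = {"items": [{"sku": "phone-042", "price": 150, "qty": 1}], "points": 10**9}
    print(insecure_total(forged))            # 0: the phone is "bought" for nothing
    honest = {"items": [{"sku": "phone-042", "qty": 1}], "points": 500}
    print(secure_total("user-7", honest))    # 49490
```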
One retail representative told us how his chain of stores ran a promotion in which buyers received a discount equal to the temperature outside. All well and good, but Russia is a big country, and when St. Petersburg had only +10, Krasnodar had +35. Buyers took advantage of this by ordering goods with free shipping from southern cities. In this situation nothing even had to be "hacked": the promotion rules were simply ill-conceived. It would have been enough to limit the delivery area, or to make delivery unavailable altogether when this promotion was used.
Everyone knows the promotion "buy two products and get the third one for free". It is understood that the cheapest product in the order will be free. However, after certain manipulations, buyers of one online store were able to purchase three pens and three smartphones while paying only for the pens and one smartphone.
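As an added example (not code from the article or from the store in question), here is how the "buy two, get the third free" rule is computed correctly over the whole order and re-checked at settlement, so that for the cart above it frees two pens rather than two smartphones. Prices and the cart are constructed.

```python
from typing import Dict, List, Tuple

# Constructed prices that stand in for the store catalogue (assumption), in rubles.
PRICES: Dict[str, int] = {"pen": 150, "smartphone": 49990}

Cart = List[Tuple[str, int]]   # (sku, quantity) lines as they reach the server


class PromoError(ValueError):
    """Raised when a cart or a claimed discount fails server-side checks."""


def three_for_two_discount(cart: Cart) -> int:
    # The rule "buy two, the third (cheapest) is free" is evaluated over the whole
    # order, never per line or per client-chosen grouping: expand every line into
    # unit prices, sort ascending, and for every three units the cheapest is free.
    units: List[int] = []
    for sku, qty in cart:
        if sku not in PRICES or isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
            raise PromoError(f"invalid cart line: {sku!r} x {qty!r}")
        units.extend([PRICES[sku]] * qty)
    units.sort()
    free_units = len(units) // 3
    return sum(units[:free_units])


def settle_order(cart: Cart, claimed_discount: int) -> int:
    # Settlement recomputes the promotion on the final cart and refuses any
    # discount the client side asked for beyond what the rule actually grants.
    discount = three_for_two_discount(cart)
    if claimed_discount > discount:
        raise PromoError(f"claimed discount {claimed_discount} exceeds recomputed {discount}")
    subtotal = sum(PRICES[sku] * qty for sku, qty in cart)
    return subtotal - discount


if __name__ == "__main__":
    cart: Cart = [("pen", 3), ("smartphone", 3)]
    print(three_for_two_discount(cart))       # 300: two pens free, not two smartphones
    print(settle_order(cart, 300))            # 150120
```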
Another weak point is the company's employees. They may abuse their authority or find a way to access user databases, insider information that constitutes a trade secret, and so on. Employees are one of the sources through which data reaches black markets.
Shop assistants are the main security threat in offline stores, as they often become targets of social engineering. They leave sheets of account passwords on the monitors on the shop floor and do not log out of their accounts, leaving the screen unlocked.
What to do?
There are many security measures that can help prevent the situations described above, or at least reduce the damage from intruders' actions. Among them it is worth highlighting:
- testing all components of the online store site;
- conducting regular security audits;
- constant monitoring of site activity;
- the use of technical means such as WAF and protection against DDoS attacks;
- the use of the principle of minimum privileges for users (this includes buyers, employees of the online store, and administrators);
- filtering information entered by users in forms;
- two-factor authentication of customers when entering the personal account;
- training the staff of online and offline stores to counter social engineering.