Cybercrime — Protecting your
e-commerce and customers
Basic security measures to prevent website
intrusion and theft
In its report “The Future of Cybercrime & Security” released in August, Juniper Research
estimates that data breaches will cost businesses $929 million this year. And losses will keep on escalating. “With an increasing number of businesses going
online and particularly connecting their data with the cloud, Juniper Research
expects that the total cost of data breaches worldwide will be just under $2.5
trillion by 2022,” writes James Moar who authored the report. (1)

North America will be the most affected with projected losses of $784 million this
year, $1 trillion next year and $2.176 trillion in 2022. This includes both direct and
indirect cost of breaches such as hardware replacement, additional staff required,
unexpected churn and companies’ devaluation due to their reputations being affected.

So as the busiest period of the year is about to start in e-commerce, this may be
a good time to review one’s strategy and raise protection levels for business and
customer data because cyber thieves big and small will not fail to take advantage
of any weakness.
1. THE HUMAN SIDE
➜ Customer service
The off-line form of robbery known as social engineering does not require technical knowledge
on the part of criminals: what they do is exploit the courtesy of customer-service
people to rob companies.
“As technology evolves to support new ways of doing business, it also creates new opportunities
for fraud, like botnet attacks and static biometric fakery,” said Rafael Lourenco,
executive vice president of ClearSale. (2) “In the push to fight back against these new types
of fraud, it’s easy to overlook an old-fashioned vector like telephone conversations.”
Such thefts are known as voice phishing.
“[C]ustomer service reps are trained to keep customers happy, and if they have some
leeway they may share information that risks security—either to calm an angry caller
or because a friendly caller has built a rapport with them,” Mr. Lourenco said. So thieves
will count on this to extricate information from them, maybe claiming to have forgotten a
password for an account, asking to “confirm” a credit card security code and so on.
But if a 15-year-old boy named Kane Gamble was able to access the highly sensitive data
of former CIA chief John Brennan in the United States—he went as far as having his PIN
changed—one cannot really blame customer-service people, Mr. Lourenco said. But
this makes it imperative to develop a strategy for customer-service people so they know
how to deal with callers requesting information that could prove sensitive, he added. For
example, if someone asks to change his/her PIN, the customer-service person may
courteously suggest that the caller do it directly online, which would eliminate the risk of
doing so for an impostor.
➜ Emails
According to Social-Engineer, an email targeting a company’s executives is referred to as
a “spear phish,” and one targeting the accounting department as a “business email compromise”
scam. “No matter what you call a fraudulent email, it all should be handled the same way,”
Social-Engineer writes in a blog. (3) “Critically think about every email or text you get that
requests you to perform some action. Click a link, open an attachment, reply with additional
information.” One should not delete or reply to a suspicious email since responding in any way
could provide thieves with information: it should be reported and checked to make sure one’s
on- and offline data has not been compromised, Social-Engineer said.
2. THE TECHNICAL SIDE
➜ Google’s line of defense
Since July, all websites using HTTP—that is HyperText Transfer Protocol—are marked “Not
secure” on Google. As Patrick Nohe, editor in chief of “Hashed Out,” explains, “[HTTP] fatal
flaw is in its lack of security….When an internet user’s web browser arrives at an HTTP
website, all of their communication with that site is sent in plaintext that can easily be
intercepted and stolen. This is hardly ideal in a number of contexts, from online banking
to healthcare to social media.
“When you install an SSL/TLS [cryptographic protocol] certificate and migrate your website
to HTTPS, it facilitates encrypted connections, which keep the data being transmitted
from being eavesdropped on or even manipulated,” Mr. Nohe writes. (4) Then, there are
options as to how to accomplish this that will meet various budgets and needs, he added.
This ranges from free domain-validated certificates to those with extended validation that
feature companies’ names in the address bar.
HyperText Transfer Protocol Secure, that is HTTPS, adds security for those accessing a site
and complicates hackers’ lives.
➜ One more layer of online security
“While HTTPS is a vast improvement over its predecessor, it’s not entirely without its
flaws and that is where HSTS comes in,” said John Lincoln, CEO of Ignite Visibility and a
digital-marketing teacher at the University of California, San Diego. (5)
“One of the flaws associated with HTTPS is that it isn’t entirely hack-proof,” he said. “It leaves
your site open to SSL [secure sockets layer] stripping. This occurs when a hacker changes
the connection from an encrypted connection to an older version.…When the server initially
calls the HTTP version, hackers can slip in and intercept the request over the insecure HTTP,
which will block the site from using HTTPS.
“HSTS forces a site to load over HTTPS, disregarding any calls to try an HTTP connection
first,” Mr. Lincoln said. “That way, the browser will load the secure version immediately
and eliminates the opportunity for hackers to hijack the connection.”
In addition, HSTS will make web pages load even faster, which may help improve one’s
ranking in internet searches as Google now factors in speed in ranking, he added.
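The two sections above describe HSTS only in prose. The following script is an added example, not code from the article or from any of the people quoted in it: it parses a Strict-Transport-Security header the way a browser does, flags a weak or missing policy on a site’s own responses, and models the browser-side cache that turns an http:// request into https:// before anything leaves the machine, which is the behaviour that closes the stripping window Mr. Lincoln describes. The host names (shop.example and its subdomain) and the sample headers are constructed for the example, and the one-year minimum for max-age is an assumption reflecting common hardening advice rather than anything the article states.

```python
"""Added example: a small HSTS policy checker and a model of a browser's HSTS cache.

Not part of the original article; host names, headers and the one-year threshold
are constructed/assumed for illustration.
"""
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 365 * 24 * 60 * 60  # 31536000 seconds; assumed minimum for max-age


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a policy dict.

    Returns None when the header is invalid (no max-age, or a non-numeric one);
    RFC 6797 tells a browser to ignore such a header entirely, so we do the same.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


def assess_hsts(headers):
    """Return a list of findings for a response's HSTS header (empty list = fine)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header: a first visit over http:// can be stripped"]
    policy = parse_hsts(value)
    if policy is None:
        return ["malformed Strict-Transport-Security header: browsers will ignore it"]
    findings = []
    if policy["max_age"] < ONE_YEAR:
        findings.append(f"max-age={policy['max_age']} is below one year; the policy expires too soon")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains can still be reached over http://")
    return findings


class HstsStore:
    """Minimal model of the per-host HSTS cache a browser keeps."""

    def __init__(self):
        self.hosts = {}  # host -> whether the policy also covers subdomains

    def learn(self, host, headers, over_https):
        """Record a policy from a response; True if a policy was stored or cleared."""
        if not over_https:  # RFC 6797: HSTS headers on plain-HTTP responses are ignored
            return False
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("strict-transport-security")
        policy = parse_hsts(value) if value is not None else None
        if policy is None:
            return False
        if policy["max_age"] == 0:  # max-age=0 tells the browser to forget the host
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = policy["include_subdomains"]
        return True

    def upgrade(self, url):
        """Rewrite an http:// URL to https:// when a stored policy covers its host.

        Without a stored policy the URL is returned unchanged, i.e. the request
        would go out in plaintext and could be intercepted.
        """
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        host = parts.hostname or ""
        for known, subdomains in self.hosts.items():
            if host == known or (subdomains and host.endswith("." + known)):
                netloc = host if parts.port in (None, 80) else parts.netloc
                return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    weak = {"Strict-Transport-Security": "max-age=300"}            # constructed
    strong = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    print("weak header:", assess_hsts(weak))
    print("strong header:", assess_hsts(strong))
    store = HstsStore()
    print("before learning:", store.upgrade("http://shop.example/cart"))
    store.learn("shop.example", strong, over_https=True)
    print("after learning:", store.upgrade("http://shop.example/cart"))
```

Run it against your own site by feeding `assess_hsts` the headers of an HTTPS response; an empty list means the header is present, well formed, long-lived and covers subdomains. The `HstsStore` half is there to make the mechanism concrete: the first visit to a host that has never sent the header is still a plain http:// request, which is why a long max-age (and, for sites that qualify, the preload list) matters.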
3. WEBSITE MAINTENANCE
In its report “The Secret Life of Website,” the business-website security firm SiteLock
mentions that a survey of more than 10 million websites and contact with 250 e-commerce
owners during the first three months of 2018 showed that small e-commerce sites are heavily
targeted by cyberthieves and are attacked as much as 50 times per day. Moreover,
“49% of infected sites had at least one Filehacker designed to modify files and upload
malware,” the report notes. (6)
When contacted, 59 percent of the small-business owners said that they were responsible
for the upkeep of their website, and only 42 percent of them said they updated their applications
monthly or more frequently. And then, 9 percent of the respondents admitted
they were unsure how to update these applications.
“Considering websites experience an average of 50 cyberattacks per day, many of them
targeting unpatched vulnerabilities, a lot of websites are at a higher than average risk of
attack or malicious activity,” the SiteLock report noted.
Updating one’s applications on a regular basis, plus conducting routine maintenance of
all a site’s programs and features—which might require an IT person—may go a long way
to preventing and/or curbing cyberthieves’ assaults.
In addition, since cyberthieves now operate in social-media messenger systems, some basic
measures should be taken such as not reusing passwords and not sharing content from
unfamiliar sources, the SiteLock report added.
4. ACCESS TO CYBERSECURITY TOOLS AND GOVERNMENT INPUT
According to the Juniper Research report, small businesses’ spending on cybersecurity
will only amount to 13 percent this year even though 99 percent of all companies are
small businesses. Many of them use consumer-level products, spending less than $500 per
year on cybersecurity, which leaves them exposed to malware that require more advanced
programs and which could cost them millions of dollars in lost revenues, James Moar said.
“These technologies need to be made available to all businesses, regardless of size,”
he said. (7)
In the meantime, assaults on e-commerce sites have recently intensified according to the
National Institute of Standards and Technology (NIST) in the United States. “As retailers in the
United States have adopted chip-and-signature and chip-and-PIN (personal identification
number) point-of-sale…security measures, there have been increases in fraudulent
online card-not-present (CNP) electronic commerce (e-commerce) transactions,” said a
NIST release in August. (8) The risk of increased fraudulent online shopping became more
widely known following the adoption of chip-and-PIN technology that improved security
at the point of sale in Europe, the release noted.
In an effort to stop this, the NIST’s National Cybersecurity Center of Excellence released
in August the “NIST Cybersecurity Practice Guide,” which suggests cybersecurity-practice
models complete with materials lists and configuration files. (8) Meant for people in the
“information security community,” it is open for their comments until October 22.
This guide was released as the NIST Small Business Cybersecurity Act was adopted in the United
States. It dictates that the needs of small businesses must be taken into account when
setting up standards.
In the meantime, Canada is about to open its Canadian Centre for Cyber Security while
a National Cybercrime Coordination Unit has been set up within the Royal Canadian
Mounted Police.
TO CONCLUDE: THE IMPORTANCE OF BEING PREPARED
According to the 2017 Internet Organised Crime Threat Assessment report released by
Europol’s European Cybercrime Centre, cybercrime is becoming more aggressive and
confrontational. “This can be seen across the various forms of cybercrime, including
high-tech crimes, data breaches and sexual extortion.
“But it is not just financial data, but data more generally, that is a key target for cybercriminals.
The number and frequency of data breaches are on the rise, and this in turn is leading
to more cases of fraud and extortion,” the report states. (9)
Although companies using e-commerce platforms such as Shopify benefit from fraud
protection mechanisms, they may remain vulnerable on other fronts. It is imperative that
e-commerce businesses take preventive measures and develop strategies that would include
making one’s staff aware of cybercrime techniques, and diligently monitoring and updating
programs and features at one’s site.
In the meantime, the best with your e-commerce security!
1 https://www.juniperresearch.com/document-library/white-papers/cybercrime-the-internet-of-threats-2018
2 https://www.digitalcommerce360.com/2018/06/28/is-customer-service-the-weaklink-in-your-fraud-protection-chain/
3 https://www.social-engineer.com/what-do-you-know-about-tweedle-beetles/
4 https://www.thesslstore.com/blog/google-chrome-68-https-mandatory/
5 https://searchengineland.com/why-websites-should-be-using-hsts-to-improve-security-and-seo-304380
6 https://www.sitelock.com/blog/2018/06/website-security-insider-q1-2018/?year=2018&monthnum=06
7 https://www.juniperresearch.com/researchstore/innovation-disruption/cybercrime-security/threat-analysis-impact-assessment-leading-vendors
8 https://csrc.nist.gov/publications/detail/sp/1800-17/draft
9 https://www.europol.europa.eu/crime-areas-and-trends/crime-areas/cybercrime