Top 50 eCommerce Tips - Part 5, Security
Website security is not something explored enough by eCommerce owners unless they have had a breach and experienced the devastating impact it had on their online business.
It’s one of those subjects that’s hard to know if its a lot of scaremongering or if it should be taken seriously. If you believe everything you read online, you might be put in a state of fear where you buy into every service that offers to keep you secure.
But amidst all this noise, what should you give your attention to?
I’ve been in a position for the last 10 years where I’ve had first-hand exposure to the threats that are out there from faceless intruders.
We’ve probably all heard of DDOS (Distributed Denial Of Service) attacks – where sites are brought down by computers acting as legitimate users. They literally send millions of fake users to your sites so that the server reaches its maximum capacity, then when legitimate users come along, they can’t get in.
DDOS attacks are not particularly sophisticated, but they will bring your site to its knees if not managed correctly. If we go back 15-20 years, to counteract a DDOS attack would have required very expensive, specialist equipment – but thankfully these days, given how common they are, there are some very cost-effective software services that can be subscribed to that will intelligently block most attackers.
In the cases I’ve dealt with, the most common question has been: why do attackers pick certain sites to target?
Often more than most there is no personal reason; some try to conclude it’s someone who they have fallen out with or a competitor that has employed some malicious hackers. The truth is not so colourful.
A DDOS attack can come from an opportunist that scans the web looking for transactional sites that they deem to be successful enough for them to make some money out of. A persistent attacker will keep trying to bring a site down and then email the site owner for a fee to stop the attack. The reason can be as simple as that.
Another reason might be that the attacker is trying to post content on your site to promote another website. Often the content they post makes no sense grammatically which points to the fact it has been generated by automated scripts (which can be referred to as bots). These can be set up by bogus SEO companies that are trying to link build, for example.
Either way, the reasons do vary. What’s important is how to recognise something is happening to your site and what you can do to stop it in its tracks.
I’ve listed below some common things to look out for in your site. As Magento specialists, my pointers will be very much geared around this platform, however, this does cross over into other platforms.
Why are there thousands of strange email addresses in your newsletter subscribers list?
We would always recommend you have your developers clear out any obscure email addresses from your email database list. This will then keep your list clean for marketing and prevent any of these bogus emails making their way into your email marketing accounts such as Dotmailer or MailChimp.
In addition, if you leave them in your database, hackers can start using your server to send out unauthorised emails to your entire email list. This would make your server the source of facilitating spam.
Once the database has been cleaned then you need to prevent this from happening in the future. We find Google Invisible ReCapture the most unobtrusive and effective way to put an end to this issue. Normally applying this to account creation or newsletter subscribers is enough.
What you want to make sure you don’t do though is put it on every form on your site as this will frustrate your legitimate users.
If your site has been flagged by Google as a phishing website
The phishing examples we have seen direct customers away from your site and onto another. This has been done by a hacker inserting some code into your site to create this redirection.
The first job is to find that code, which can be like trying to find a needle in a haystack. We would suggest that you immediately subscribe to a service such as Foregenix to scan your site and find this code. Our developers normally work alongside these security specialists to remove the code from the site which could be in certain files or the database.
Removal of the code is the priority but if there is still a way into your site – which can be from a vulnerability in the server, the code of a plugin or from weak admin credentials – then your problem is going to come back pretty quickly. Sometimes hackers leave backdoors open for themselves to re-access the site once you have removed the code causing the issue. With the help of your developers and Foregenix, the backdoor can be closed.
Visa has contacted you telling you they need to commission a security expert to perform a PFI on your site
Ok, rather than talk about what action needs to be taken once you get contacted from Visa or MasterCard, let’s talk about what you can do to avoid ever arriving at this point. It is my intention to make this article about prevention rather than talking about what you could do in hindsight.
As an eCommerce owner, this is the main one you want to avoid. More often than not, this is caused by a hacker inserting some code into your checkout. It can be as simple as one line of code and can be viewed (in Magento) in System > Configuration > GENERAL > Design > Miscellaneous Scripts.
Now if you look in this text field, remember to scroll all the way down within the text area. The reason is the hacker places lots of line breaks before so that you don’t see it when the page initially loads in the admin. If you see any code in this section you don’t recognise, delete it immediately. Also check all your store views too.
So you might be thinking what’s all the fuss about with one line of code? What this one line of code will do is intercept any credit card information that is entered on the checkout by a user. This is done if the site owner uses an ON PAGE payment method seen with plugins such as Sagepay. In fact, the Sagepay plugin is the one we have seen this problem occur most frequently.
This is because the way the plugin is coded, it is very easy for credit card hijacking scripts to intercept and take the data entered by the user. Plugins such as Braintree also have on page payment – however, the difference is that they are programmed a lot more securely using frames.
Any user that makes a purchase on your site where credit card hijacking scripts are present will find their card details being used elsewhere fraudulently on other sites. At this point, they will contact their bank and will be asked what previous sites they used. Your site will be flagged as the site they used before their details were used fraudulently.
It only takes a number of cases to report fraud to their banks for your site to be highlighted for Visa or Mastercard to enforce you the site owner to have an investigation carried out. The cost of this will run into the tens of thousands, not to mention the time it will take up.
The safest things you can do are:
- If you’re using Sagepay, change your settings to off page! I cannot stress enough how important this is. Or, even better, move to Braintree.
- Check the admin of your site and make sure it is clean. Checking once a week isn’t a bad idea.
- Contact Foregenix about their web scanner. We think their scanner is the most sensitive for Magento. Having the scanner in place will mean you will be alerted if there is any malicious code inserted into your site. The sooner you can get it out the better. Often we find that this code is left in there for months without the site owner even knowing.
- If you really wanted to go to town with security, then you could look at a software firewall to block attacks. It’s a bit like having a bouncer at the front of a nightclub – it will not let the troublemakers in the first place by filtering them out at the door. Be aware that if you use third-party order systems, it can cause issues due to the firewall blocking a legitimate constant connection to your site.
If your site keeps going down or is running really slowly
There are many factors that can cause your site to run slow, but let’s assume it’s because you have troublemaker ‘bots’ constantly accessing your site.
In the example I gave earlier with a DDOS attack, this is pretty much the same principle, just on a smaller scale. Your server provider can check access logs to see what IPs are constantly accessing your site and block them, but the IPs will keep changing and it will be a never-ending job.
The best thing to do in this case is to adopt a software firewall. We find Sucuri the most cost-effective solution for this. However, I would say if you have a third party system you connect to, you would be better speaking to Foregenix about their firewall. It’s more expensive but you will find their technical support really good to work with for resolving any issues you might have (please note, Foregenix will only work with sites that have www at the front of their domain name – their firewall is not compatible with non-www domains).
Benjamin Hosack, co-founder of Foregenix, commented ‘Over the last decade we’ve seen criminals shift their focus to targeting eCommerce stores more than any other type of business and there are two simple reasons for this:
- The crime can be scaled quickly and easily against a platform or large numbers of websites with similar issues. Our experience is that criminals don’t tend to go after specific brands – rather they go after websites that are easy to compromise. And it is very simple to identify the vulnerable sites – we monitor around 9 million sites globally and can easily identify sites that are simple to hack. If we can do it, so can the technically capable criminals.
- eCommerce websites are generally not as well protected as they should be, so the targets are often easy to hack – many take just minutes to break into.
The good news is that by taking a few straightforward steps, protecting your online business is fairly simple and will stand you in good stead against these criminals. Additionally, utilising a specialist solution to protect your website is highly recommended – after all, you are up against professionals intent on robbing your business and if you or your team aren’t technically skilled enough to defend your website, it becomes an unfair contest that these criminals will win every time.’
Foregenix are cybersecurity specialists and would love to help protect your eCommerce website – you can find out more information on their website here.
Over the last decade, we’ve seen criminals shift their focus to targeting eCommerce stores more than any other type of business. The good news is that by taking a few straightforward steps, protecting your online business is fairly simple and will stand you in good stead against these criminals.
Why you should secure your website with SSL
Until fairly recently, most site owners haven’t had to worry about special measures in order to secure their web pages unless they were conducting eCommerce transactions, or collecting any information that’s sensitive, but now all that is changing.
Google officially recommends securing websites with HTTPS, which means that not only will this be important for an organisation that want their websites to perform well in search, but more visitors will come to expect it.
Back in 2014, Google introduced the idea of HTTPS everywhere and also indicated that sites using SSL would receive a small search benefit from https:// as a ranking signal. You would think that public declarations would have been enough to get everyone using HTTPS as a new standard, but that never happened on a wide scale outside of eCommerce sites that were already using HTTPS anyhow.
But in 2016, Google really changed the game when they decided to update their Chrome browser to explicitly identify sites that don’t use HTTPS as “unsecure”.
You may have noticed that most common desktop browsers will now show lock icons in order to indicate when a site is secure via HTTPS. Chrome decided to take this one step further now labelling sites as unsecure.
So, is your site secure?
Actually confirming your site is secured with HTTPS is a two-step process: (a) making sure that you have an SSL certificate properly installed on your server, and also (b) confirming that your pages are being forced to HTTPS versions of the URLs.
Thankfully, it’s pretty easy to determine whether or not your site has SSL properly installed. Simply type in “https://” in your address bar, followed then by your domain name (e.g. https://your-domain.com). If you see an icon of a lock in your address bar, it means that you have SSL installed on your server; however, if you see an error message it means that you don’t currently have SSL installed, or that it’s not been configured correctly.
If you’re somewhat unsure or wish to run a more thorough test, you can also use SSL server tests to get information about your SSL configuration.
Conclusion
So hopefully you’ve found this article useful! If anything, it should have given you the information you need to take preventative action on your site. I could go on all day about other methods in which sites are attacked, but I feel if you start with the above, you’re going to be in a good place.
You will also find that if you make it hard for hackers/bots to interact with your site, your site performance will go up. This is because they won’t keep knocking at your door if you constantly refuse to let them in, meaning your server resources will not be wasted on anything other than legitimate customers.