As lockdown measures have become commonplace throughout much of the world in its bid to tackle COVID-19, ecommerce has blossomed. Indeed, recent data from eShopWorld suggests a 63% rise in ecommerce sales year-on-year over the Christmas period, following a 113% increase in global online sales during October.
New research from cybersecurity firm Outpost24 highlights the particular risks associated with the kind of web applications we increasingly use for our ecommerce activities. The report outlines that 43% of all data breaches during 2019 were experienced by web applications, which has brought the issue to the top of the agenda for retailers the world over.
“Web application security is a well-known issue faced by organizations worldwide due to the sheer volume of applications they own (the majority they don’t even know exist),” the authors say. “How these applications have been built and its makeup can often add an additional threat element to this puzzle. That’s why it is important to understand the key attack vectors hackers use to spot entry points during reconnaissance and work back from there to level the playing field between defenders (your security team) and attackers.”
The authors argue that the key to successful cybersecurity for retailers is to keep their web application attack surface as small as possible.
Interestingly, while the attack surface for retailers in both Europe and America were high, US retailers were more at risk, with an aggregated risk score of 35 out of 42, versus just 31 for their EU counterparts.
At-risk
For instance, in the US, the researchers found 3,357 publicly exposed web applications across 401 domains run by the leading retailers in the country. 8% of them were considered to be suspect, with 22% found to be running old components with known security vulnerabilities. EU retailers performed better, with just 2,799 publicly exposed applications and 4% suspect domains, albeit with 27% of the apps using old out-dated components.
The analysis found that US retailers were generally using more modern app technologies than their European counterparts.
However, they were also far more likely to be using shadow IT services, which gives hackers a way in.
The findings emerged from an assessment of app security according to seven key attack vectors: cookies, active content, input vectors, authentication, degree of distribution, page creation method, and security mechanism. A risk score was attributed to each of these out of 100.
“Hackers are masters of reconnaissance and will go to great lengths to identify a target by looking at how many pages there are per application, if there is outdated software in the architecture and what CMS and associated vulnerabilities it’s built on,” the researchers explain. “All these combined elements pose a threat if managed incorrectly and it only takes a small misstep to give them a foothold into your system and create a catastrophic data breach.”
Vulnerabilities
The research revealed that the area with the highest risk exposure was security mechanisms, with active content closely behind. For instance, among retailers using HTTP websites, this results in a high attack surface score, especially if attackers were not restricted in trying to access unsecured parts of the site without encryption.
“For retailers using a HTTP website, without encryption, and not restricting access to those adversaries trying to get into unsecured parts of a site, including unsecured redirection, this will increase the attack surface by potentially exposing to bad actors as the data is sent unencrypted, in plain text, for anyone to read, which can lead to credential stuffing,” the researchers explain.
Active content was also hugely problematic, especially due to the JavaScript and ActiveX controls that are widely used in ecommerce applications with wide and varied product ranges where active content is used to display dynamic product information.
“In the US we found on the whole more modern technologies are being used compared to the EU, and hence include more active components and scripts,” the researchers explain. “This leaves more doors open for a hacker to insert malicious scripts, and if this goes unnoticed can lead to Magecart attacks and credit card skimming.”
Secure commerce
By identifying some of the key risk areas, the researchers hope to help security professionals to focus their efforts most effectively. They argue that the dynamic nature of retail technology means that security must be a constantly evolving science.
This process should involve a thorough understanding of the technology deployed, the attack surface for each of these applications, the alignment of these applications with the goals of the business, and the assessment of risk for each of them.
With ecommerce likely to continue flourishing after the pandemic has passed, it’s vital that retailers work to ensure that their technologies and platforms are secure from the increasingly aggressive and creative threats posed by today’s cybercriminals.
