
Bob Rudis

Chief data scientist at Rapid7

Five retail security best practices for Cyber Monday

For many brands, Cyber Monday represents a huge revenue opportunity. Consultancy firm PwC calls it “one of the most significant shopping events of the year”, saying that consumers who are interested in taking advantage of the latest deals this year are willing to pay on average £21 more than last year.

But while the opportunity for brands is huge, so too is the opportunity for hackers to take advantage of improperly secured online payment systems and websites (and unsuspecting customers). It’s therefore hugely important for online merchants to make sure their cybersecurity is in order. Make a list (and check twice) to ensure shopping experiences are as safe and secure as they can be this season.

Often the things retailers need to do to get their security into shape are relatively small and simple. Here are five things you can do to make sure you’re in a strong position:

1. Get your certificates in order

SSL/TLS certificates are proof to your customers that your website is secure. They serve two purposes: first, to encrypt information customers send you over the internet (to protect its contents if the data falls into the hands of an attacker), and second, to provide identity assurance. Both help online consumers positively identify and trust websites that are safe to transact with.

Online retailers can measure the strength of their own site’s SSL/TLS configurations using a free online checker. If you happen to receive anything less than an “A” grade, you can head on over to Mozilla’s excellent SSL Configuration Generator, which will help you craft a “bulletproof” certificate configuration for your site.

2. Sort out your website headers

Next up on the shopping site safety list is the task of ensuring your website has solid security headers. You can’t actually physically see these on your website, but they are components that ensure customers always use encrypted connections and criminals aren’t manipulating your site in malicious ways.

At Rapid7, we wrote a blog post earlier this year that introduces this topic. OWASP maintains a list of the recommended security headers as well, and we evaluated the presence of these headers for many websites. The results weren’t good… My advice is to head to securityheaders.com to test your own site and obtain additional guidance on how to configure site headers.
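As an added example (not the article's or Rapid7's code), here is an offline audit of a response's security headers of the kind a tool like securityheaders.com performs: it reports which recommended headers are absent and flags weak values such as a short HSTS max-age or a CSP that allows inline script. The recommended set, thresholds and sample headers are this example's own assumptions.

```python
# Added example, not the article's code: offline audit of a response's security
# headers. The recommended set and thresholds are this example's assumptions.
import re

RECOMMENDED = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy",
)

def check_security_headers(headers: dict) -> list:
    """Return findings for a dict of response headers; [] means all clear.

    Header names are compared case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"missing: {name}" for name in RECOMMENDED if name not in h]
    # HSTS only helps if browsers remember it for a long time; one year is the
    # usual minimum (and what the preload list requires).
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not m or int(m.group(1)) < 31536000):
        findings.append("weak: strict-transport-security max-age below one year")
    # A CSP that permits inline or eval'd script gives little protection against
    # injected scripts; one naming no script-src/default-src restricts nothing.
    csp = h.get("content-security-policy", "")
    if csp and ("'unsafe-inline'" in csp or "'unsafe-eval'" in csp):
        findings.append("weak: content-security-policy allows unsafe-inline/unsafe-eval")
    if csp and "script-src" not in csp and "default-src" not in csp:
        findings.append("weak: content-security-policy does not restrict scripts")
    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append("weak: x-content-type-options should be nosniff")
    return findings

# Constructed sample headers: a weak shop and a hardened one.
WEAK_SHOP = {"Server": "nginx", "Strict-Transport-Security": "max-age=300",
             "Content-Security-Policy": "default-src * 'unsafe-inline'"}
HARDENED_SHOP = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=()",
}
```

Feeding the headers of your own site's responses (for example from `response.headers` in `requests`) into `check_security_headers` gives the same kind of list.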

3. Don’t attract Magecart

Magecart is a group of hackers that puncture a hole in your payment system, so that when your customers put in their credit card details, the information leaks out into the hacking group’s awaiting bucket. Sometimes this happens to you via one of your third-party suppliers’ systems, which are out of your control, but because you share data with them, you’re responsible for their security as well (and your customers will see it that way too). Making smart use of the Content-Security-Policy header from the previous section can go a long way toward helping prevent these Magecart-esque attacks via third-party providers.

You can also use special attributes in key areas of your site’s HTML to help ensure you’re loading the resources you think you’re loading. Magecart attacks can also happen directly to your site if you’re not keeping up to date with patches and secure application coding techniques. Attackers love seizing upon the opportunity to mass-infect vulnerable and unpatched sites, and you definitely do not want to be caught up in the wake of one of their campaigns.
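The two browser-side controls referred to above, shown in an added example that is not the article's code: the attribute in question is `integrity` (Subresource Integrity), which pins a third-party script to a sha384 digest of its bytes so the browser refuses a tampered copy; and a minimal evaluation of the CSP `script-src` directive, showing that a script injected from a host the policy does not list is blocked. Host names, script bodies and the policy are constructed for the example, and the CSP matcher handles only `'self'` and scheme://host sources.

```python
# Added example, not the article's code: SRI digest generation/verification
# and a minimal CSP script-src check. All host names are constructed.
import base64
import hashlib
from urllib.parse import urlparse

def make_integrity(body: bytes) -> str:
    """SRI value for a resource's exact bytes: "sha384-<base64 digest>"."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

def script_tag(src: str, body: bytes) -> str:
    """The <script> tag a merchant ships for a third-party file, pinned to its bytes."""
    return (f'<script src="{src}" integrity="{make_integrity(body)}" '
            'crossorigin="anonymous"></script>')

def integrity_matches(body: bytes, integrity: str) -> bool:
    """What the browser does on load: recompute the digest and compare."""
    algo, _, expected = integrity.partition("-")
    return algo == "sha384" and hashlib.sha384(body).digest() == base64.b64decode(expected)

def script_allowed(csp: str, page_origin: str, script_url: str) -> bool:
    """Simplified CSP check: may script_url load under this policy's script-src?

    Handles 'self' and scheme://host sources only (no wildcards, nonces or
    hashes); falls back to default-src when script-src is absent, as browsers do.
    """
    directives = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0]] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    u = urlparse(script_url)
    script_origin = f"{u.scheme}://{u.netloc}"
    return any(s == script_origin or (s == "'self'" and script_origin == page_origin)
               for s in sources)

# Constructed data: a legitimate checkout script and a tampered copy of it.
CHECKOUT_JS = b"window.checkout = function () { /* legitimate */ };"
SKIMMED_JS = CHECKOUT_JS + b"\n/* bytes appended by an attacker */"
SHOP_CSP = "default-src 'self'; script-src 'self' https://cdn.example"

if __name__ == "__main__":
    print(script_tag("https://cdn.example/checkout.js", CHECKOUT_JS))
    print("tampered copy accepted:", integrity_matches(SKIMMED_JS, make_integrity(CHECKOUT_JS)))
    print("unlisted host allowed:", script_allowed(SHOP_CSP, "https://shop.example", "https://unlisted.example/s.js"))
```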

4. Stack up your flood defences

Attackers have the ability to flood websites with fake traffic so that genuine customers can’t access the website. This kind of attack is known as a “denial-of-service” or “DoS” attack — it’s the online equivalent of filling up your physical store with fake customers so your real customers can’t fit through the door.

Defending yourself from DoS attacks requires some up-front planning (i.e. a DoS response plan) and continued investment (i.e. anti-DDoS technologies or services) to ensure your customers can complete their purchases without issue.

5. Protect your consumers’ login

If your customers only need a username and password to log in to your systems, you’re in trouble these days. There have been so many data breaches from big companies over the past few years that have leaked customer passwords and usernames onto the dark web for criminals to purchase. And because many people re-use passwords across multiple accounts, chances are a significant number of login credentials to your website are already in the hands of cybercriminals.

At a minimum, your shopping sites should have a strong base password policy for all accounts and should employ some basic risk-based authentication. Consumers are also growing aware of the fact that passwords alone are a weak method of identification — and are looking for merchants that offer multi-factor authentication, which adds security steps to the login process. Using this additional layer of security helps communicate that you understand the safety concerns of your shoppers and take your site’s security seriously.

Enjoy the sales!

The key is to fix the roof while the sun is shining and not feel like you need to go it alone when it comes to figuring out how to secure your shopping experiences. There are a wealth of resources available to make it as straightforward as possible to keep you and your customers safer online for and beyond Cyber Monday.

Bob Rudis is chief data scientist at Rapid7