E-Commerce Cybersecurity

Cybersecurity is critical to e-commerce and is required by privacy regulation and the Payment Card Industry Data Security Standard (PCI-DSS). Attackers constantly probe websites to detect vulnerabilities. Be prepared to deter their every move.

[Chart: E-Commerce Security Components]

Fraud Prevention

Insufficient preparation can lead to fraud attacks coming in fast and furious. The best practice is to establish a risk management procedure, train staff on how it works, and keep seeking out enhancements.

Stolen Credit Cards

Stolen credit card numbers are big business. Attackers in countries with virtual legal immunity go through card lists in bulk. The best defenses include:

Money Laundering

Money laundering rinses money through online purchases. Steps to avoid money laundering are:


A chargeback is when the client bank forces a reverse payment. They come with a fine and cause the termination of banking services if they represent 1% of transactions. Steps to reduce chargebacks include:

Shipping Fraud

Shipping fraud is when the customer claims they did not receive the product or claims there was damage when there was not. There are several ways to protect yourself:

Return Fraud

A fraudulent return is getting products back that do not fit within the terms and conditions. Preventative measures include:

Web Browser Security

The server has to enable many security settings in the web browser explicitly. By default, most are off. The following chart shows how many websites allow these settings. Further down are descriptions for each one.

[Chart: HTTP Security Headers]

Cross-Site Scripting (XSS)

XSS is when the browser shares data between multiple websites. This security setting is built into the browser by default, and the best practice is to leave it on. An alternate name for XSS is Cross-Origin Resource Sharing (CORS).

Content Security Policy (CSP)

The CSP defines what file types the browser can download and from which sites. The best practice is to allow only required content from a single domain. Getting content from other sites brings them into PCI scope, but setting the CSP is not a PCI requirement. It is a superset of the protections offered by XSS.

Inline Frames (iframe)

An inline frame is a web page inside a web page. The most common use is a hosted payment page. The browser separates them with an application firewall. That makes integration awkward, so hosted payment pages can present challenges with workflow design, data analytics, response times, and graphical presentation.

HTTP Strict Transport Security (HSTS)

HSTS forces connections from HTTP to HTTPS. It protects clients from DNS spoofing. Spoofing is when DNS routes requests to a compromised website.

HSTS comes in two flavors. One gets activated after the first connection to the website and remains in place based on the web server settings. The user can clear this type of HSTS, but not with the standard history removal. An enhanced option protects the first connection to the website by embedding HSTS into the web browser after the administrator registers the website. The Payment Card Industry does not explicitly require HSTS.
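The CSP and HSTS settings described above can be checked directly from a response's headers. The following Python is an added example, not code from the original page; the function names and the two sample header sets are constructed for illustration, and the one-year threshold is the minimum max-age the browser preload list accepts.

```python
# Added example; the two header sets at the bottom are constructed for illustration.
PRELOAD_MIN_AGE = 31536000  # one year, the minimum the browser preload list accepts
BROAD = {"*", "http:", "https:", "'unsafe-inline'", "'unsafe-eval'"}

def parse_hsts(value):
    """Return (max_age, directives) from a Strict-Transport-Security value."""
    max_age, directives = None, set()
    for part in value.lower().split(";"):
        name, _, arg = (s.strip().strip('"') for s in part.partition("="))
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name:
            directives.add(name)
    return max_age, directives

def parse_csp(value):
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first copy of a directive wins
    return policy

def audit_headers(headers):
    """Return sorted findings for one response's HSTS and CSP headers."""
    h, findings = {k.lower(): v for k, v in headers.items()}, []
    if "strict-transport-security" not in h:
        findings.append("hsts: header missing")
    else:
        max_age, directives = parse_hsts(h["strict-transport-security"])
        if not max_age:
            findings.append("hsts: max-age missing or zero, policy is not cached")
        elif "preload" in directives and (max_age < PRELOAD_MIN_AGE or "includesubdomains" not in directives):
            findings.append("hsts: preload requested but not eligible")
    if "content-security-policy" not in h:
        findings.append("csp: header missing")
    else:
        for directive, sources in parse_csp(h["content-security-policy"]).items():
            for src in sources if directive.endswith("-src") else []:
                if src in BROAD:
                    findings.append(f"csp: {directive} allows {src}")
                elif not src.startswith("'") and not src.endswith(":"):
                    findings.append(f"csp: {directive} loads from {src}")
    return sorted(findings)

WEAK = {"Strict-Transport-Security": "max-age=300; preload",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.net 'unsafe-inline'"}
STRICT = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
          "Content-Security-Policy": "default-src 'self'"}
```

Every external host reported under `loads from` is a third party whose content the page pulls in, which is the scope question the CSP section raises.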

Certificate Authority Authorization (CAA)

The web browser attempts to verify the certificate authority for each HTTPS connection. They check by comparing the DNS CAA record with the certificate. If the record exists, it must match. If there is no record, the browser accepts any certificate authority. Only 3% of websites use the setting, and the Payment Card Industry does not require it. However, it is easy and low-risk protection.

[Chart: Percent of Domains with DNS CAA Record]


DNSSEC protects against alteration of the DNS data package. However, it does not validate the responding server. The standard has existed for a long time, but DNS service providers started enabling the capability only recently. The following chart shows very few websites use DNSSEC.

[Chart: Percent of Domains with DNSSEC Record]

HTTPS Network Connection

An HTTPS connection encrypts data transmission between the web browser and server. It masks passwords and credit card numbers within the data package. However, it does not hide communication endpoints or the amount of data sent. That protection comes from using the onion domain on the dark web. The dark web is slow, requires non-standard browsers, and masks the server from the client. So e-commerce vendors typically stay on regular websites and use HTTPS.

The Payment Card Industry requires HTTPS connections. There are numerous internet initiatives to support it. Those include browser warnings when entering form data, free SSL certificate services, and hardware acceleration for encryption processing. Compliant e-commerce sites serve all content from HTTPS. They typically still have an HTTP service, but it only redirects to HTTPS. The following chart shows the percentage of websites serving content using HTTPS only, HTTP only, and those doing both.

[Chart: Percent of Domains Using HTTP and HTTPS]

TLS Protocol

HTTPS encrypts network traffic using the Transport Layer Security (TLS) protocol. It's the same protocol used to encrypt email, server login, and everything else sent over the internet.

The supported TLS versions are 1.2 and 1.3. They work on any current web browser released in the last 12 years. TLS 1.1, 1.0, and SSL 3.0 still exist on websites, but their support ended. So the Payment Card Industry does not support them. The following two charts show the newest and oldest supported versions.

[Chart: Newest Supported TLS Protocol]

[Chart: Oldest Supported TLS Protocol]

TLS Configuration

The TLS protocol allows the web browser and server to agree on a cipher suite, a set of security algorithms and settings. The following chart shows the most common degradations. Yellow lines are suboptimal, and red is not allowed.

[Chart: Degraded SSL Configuration]

Lacks OCSP

The Online Certificate Status Protocol (OCSP) is a service allowing website administrators to disable keys before they expire. The best practice is to disable keys if there is a chance of theft. Protocol support is part of the key, and it does not require any changes to the website. However, not all the certificate authorities support the standard. The Payment Card Industry lists OCSP as a best practice.

Lacks AEAD

Authenticated Encryption with Associated Data (AEAD) extends encryption to include metadata in the network connection. It is embedded into TLS 1.3 and not available in prior versions. Most browsers support AEAD. The best practice is to use TLS 1.3 when supported by the browser.

Old Cert

The Payment Card Industry requires key rotation at least once a year. An old certificate is a public key that lasts more than one year. The best practice is to reduce the risk of undetected key theft by changing the keys every 90 days.

Key Length

Most public keys use the RSA protocol, but the newer, more secure keys are Elliptic. Longer keys are more secure but slower due to the added computational overhead. An Elliptic key is more efficient, providing significantly more security for a given key length. Most keys are RSA with 2048 bits, which is the minimum acceptable length. But Elliptic keys of 224 bits offer more protection and similar browser compatibility.

SHA1, DES, RC4, and MD5

A frequently misunderstood point about security patches is that they leave unsupported security standards in place and do not add newer protocols. If your web server runs SHA1, DES, RC4, or MD5, it's time to migrate to a more current operating system.
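The degradations listed in this section can be applied as rules to the result of a TLS scan. The following Python is an added example, not code from the original page; the scan record layout, the function name and the sample values are assumptions, as is the mapping of each finding to yellow or red.

```python
from datetime import date

# Severity mapping is an assumption: the page defines yellow as suboptimal and red
# as not allowed, but does not say which finding gets which colour.
RED, YELLOW = "red", "yellow"
SUPPORTED = {"TLSv1.2", "TLSv1.3"}
LEGACY = {"SHA": "SHA1", "SHA1": "SHA1", "DES": "DES", "3DES": "DES", "RC4": "RC4", "MD5": "MD5"}
MIN_BITS = {"RSA": 2048, "EC": 224}  # RSA floor from the page; EC floor assumed from its 224-bit remark

def classify(scan):
    """Return sorted (severity, finding) pairs for one scanned endpoint."""
    out = []
    for version in sorted(set(scan["protocols"]) - SUPPORTED):
        out.append((RED, f"{version} is out of support"))
    if "TLSv1.3" not in scan["protocols"]:
        out.append((YELLOW, "TLS 1.3 is not offered"))
    for suite in scan["cipher_suites"]:
        # In IANA and OpenSSL suite names a bare SHA token means SHA-1.
        tokens = suite.upper().replace("-", "_").split("_")
        hits = sorted({LEGACY[t] for t in tokens if t in LEGACY})
        if hits:
            out.append((RED, f"{suite} uses {', '.join(hits)}"))
    cert = scan["cert"]
    lifetime = (cert["not_after"] - cert["not_before"]).days
    if lifetime > 366:
        out.append((RED, f"certificate lifetime of {lifetime} days exceeds one year"))
    elif lifetime > 90:
        out.append((YELLOW, f"certificate lifetime of {lifetime} days exceeds 90 days"))
    if cert["key_bits"] < MIN_BITS[cert["key_type"]]:
        out.append((RED, f"{cert['key_type']} key of {cert['key_bits']} bits is too short"))
    if not cert.get("ocsp_url"):
        out.append((YELLOW, "certificate names no OCSP responder"))
    return sorted(out)

# Constructed scan records; all values are illustrative only.
WEAK_SCAN = {
    "protocols": ["TLSv1.0", "TLSv1.2"],
    "cipher_suites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    "cert": {"key_type": "RSA", "key_bits": 1024, "ocsp_url": None,
             "not_before": date(2023, 1, 1), "not_after": date(2025, 1, 1)},
}
GOOD_SCAN = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "cipher_suites": ["TLS_AES_128_GCM_SHA256"],
    "cert": {"key_type": "EC", "key_bits": 256, "ocsp_url": "http://ocsp.ca.example",
             "not_before": date(2025, 1, 1), "not_after": date(2025, 4, 1)},
}
```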

Network Security

Network design is critical to PCI. Anything inside the same network segment and not separated by a firewall is within PCI's scope, even if it never connects to the e-commerce solution. So the best practice is to minimize PCI scope by creating a network segment just for e-commerce.

Private Networks

A private network exists for any device using private IP addresses, including home networks. They use Network Address Translation (NAT) to give the request a public IP for internet connections.

[Chart: Networking Zones with Private Network]

Network Firewall

A network firewall blocks internet access to internal services. Commercial firewalls add on inspection of network traffic, and they purge suspicious packets. The capabilities include:

The following chart shows the percentage of domains with the most common firewall vulnerabilities. See below for a description of each one.

[Chart: Infrastructure Security]

Administrative Ports need multifactor authentication or access restricted to known IP addresses.

Encrypted Services protect data transmitted over the internet. Most email service providers support clear text or unencrypted connections. That makes it easy for a man-in-the-middle attack to capture login credentials. The hosting provider may expose other unencrypted services.

Databases are the most common service exposed to the internet without the necessary security features.

Hosting means the website does not share networking or operating systems with websites that belong to others. Secure hosting prevents unknown 3rd parties from gaining login access to shared services. The above chart refers to the hosted page. The majority of websites are in shared hosting environments.

Web Application Firewalls (WAF)

The WAF works on the HTTP protocol. It inspects all traffic and rejects suspicious HTTP requests. There are many types of suspicious requests. The more common are:

Firewall Layering

Firewall layering goes from 1 to 3. Layer 1 is fast but only protects networking ports. Layer 2 inspects network traffic based on packet inspection, while layer 3 inspects application requests. The following chart shows data flow through the layers. Connections from the internet have to pass through each one. Even internal servers have protection from each other.

[Chart: Private Network Zones]

Operating System Security

Operating system security refers to the security practices applied during installation and configuration.

Server Hardening

Server hardening audits and updates hundreds of settings. It is complex. The practical approach is selecting technologies with a guide on how to do it. The CIS Benchmarks are popular and free hardening guides. At a high level, the commands help:

Software Currency

Out-of-date software leaves websites vulnerable to commonly available exploit tools. The chart below shows that 52% of websites using WordPress are outdated. Outdated means the vendor does not provide security patches. These are not compliant with the Payment Card Industry. Even fewer website administrators apply patches when they exist. Similar issues exist with other software, including the programming languages, web servers, and HTTPS settings.

[Chart: WordPress Version Market Share]

Honey Pot Traps

Honey pot traps lure behavior that should not happen. The solution then blocks anything taking the bait. It is most effective with email spam.

Source Code Security

Most websites have insecure source code because they use the website as the source code repository. Secure source code separates them, which makes it practical to purge ransomware and malware.

A programmer can audit secure source code. Many Content Management Systems mix their code with website pages. Auditing is complex because they dump thousands of files into the web server directory.

Physical Security

The e-commerce server must reside in a data center that complies with PCI-DSS. Physical security prevents attackers from installing backdoor software on the server and stealing backups. It limits system access to those who need it and monitors what they do.