Hack Me Maybe? 3 Ways Cybercriminals Get In and How to Keep Them Out

Black Friday and Cyber Monday have come and gone, but the gift-buying season continues. While most online retailers have sales on their mind, the holidays are also a crucial time for online security.

As we’ve discussed before, attacks against eCommerce websites happen year round, but merchants and consumers have significantly more to lose during the holiday season. Hackers are getting better at what they do, but many online retailers don’t take data security as seriously as they should.

As the saying goes, “knowing is half the battle,” and in order to keep your company out of the headlines and protect customer data, it’s key to understand the security threats merchants are up against today. Below, we discuss three common attack methods cyber criminals use against eCommerce merchants and how to better protect your site from them.

Sneaky Script

SQL (Structured Query Language) injections are one of the most common techniques used by hackers to access databases. With the help of malicious code, attackers can trick websites into unintentionally providing sensitive information or error messages. Once access to backend databases has been achieved, hackers can install malware to do more long-term damage—which can sometimes go undetected for months.

According to the 2012 Verizon Data Breach Report, 79% of security breach victims were targets of opportunity, and hackers often test sites for vulnerabilities such as SQL beforehand. Online merchants can stay one step ahead of hackers by disabling direct SQL queries, limiting the information provided in error code responses, and strengthening their database protection with the help of a third-party security vendor who can scan daily for weaknesses.

Authentication and Session Management Mishaps

Passwords and usernames are often an important feature of many eCommerce sites, but if left unprotected, they also pose serious security risks. With the ubiquity of logins today, one hacked database of passwords can lead to more valuable private and financial data elsewhere. Clever criminals can gain access through encryption weaknesses – as email and search company Yahoo knows all too well. Additionally, weak password creation rules and password recovery features can also prove to be tempting targets.

Password protection is crucial to the safety of consumer data, and retailers must encrypt all sensitive information and store only what is absolutely necessary.

On the other hand, one of the common threads among this year’s biggest security breaches was the use of weak or repetitive passwords by users. While it is the responsibility of the retailer to keep customer information safe on the backend, you can help customers help themselves by requiring a minimum number of characters and the use of symbols or numbers. Longer, more complex logins will make it harder for criminals to breach your site from the frontend.

Perilous Payment Gateways

Data is most vulnerable in transit, and hackers take full advantage of insecure payment gateways through injection flaws and wireless sniffing. The code used to embed payment systems into websites, like iFrames or Transparent Redirects, is also susceptible to attack if not formulated correctly.

Merchants who are not in compliance with the PCI Data Security Standards (PCI DSS) are most at risk for these types of attacks. Following the industry guidelines with regard to processing credit card information can not only remove a significant amount of risk, but also provide additional insurance in the event of a breach. Another level of mandatory protection for payments is SSL encryption. SSL ensures that data is encrypted as it travels over the wire and protects the information at every stage of a transaction.


While combating cybercrime may seem like a daunting task, the consequences of not having security are so much worse. The scope of a single breach has expanded well beyond what many organizations expect, and many smaller online merchants lack the capital to recover. In 2011, the average cost of a breach was $5.5 million; today it can range from $750,000 to $31 million.

In addition to the immense cost, security breaches can have unintended consequences such as irreparably damaged reputations and loss of trust among consumers. There are even greater implications for the eCommerce community as a whole and safe online shopping can only be achieved if merchants take the time to educate and protect themselves.

For more information, you can visit The Open Web Application Security Project (OWASP) for a detailed breakdown of the ten most common eCommerce attack vectors.

Visit the McAfee SECURE website to learn more about our security services, and be sure to follow us on Twitter at @McAfeeSECURE for the latest on eCommerce news, resources and events.

Leave a Reply