E-Commerce Website Security

Posted By: Todd Bollinger on 10/03/2011

E-Commerce is short for Electronic Commerce and refers to the buying and selling of products and services over the Internet or other networks.  An increasing number of businesses have created e-commerce websites due to the rising popularity of using the Internet to make online purchases.

The risks of running an e-commerce website are increasing as well; new ways to infiltrate e-commerce websites and steal customer information are constantly being discovered.

Security Threats to E-Commerce

  • Web site vandalism or defacement
  • Denial of service attacks
  • Theft of customer information
  • Theft of intellectual property
  • Sabotage of data or networks
  • Financial fraud, Consumer Fraud
  • Forgery, illegal interception
  • Commercial/Corporate Espionage

The first step toward reducing the risk of e-commerce security threats is to identify the vulnerable areas where security threats can happen.  The main vulnerable areas for a website are: Hardware Security, Software Security, and Environment Security. 

Hardware Security

Hardware security includes any devices used in running the e-commerce website, like network devices and servers. Protecting the network with a properly configured firewall device that allows only the ports needed for accessing the e-commerce website is an essential part of network security.  Servers used in hosting the website, such as the web server and database server, should be isolated from other networks using a network DMZ to reduce possible intrusion from compromised computers on other networks behind the firewall.

Software Security

Software security includes any software used in running the e-commerce website, such as the operating system, web server software (IIS, Apache) and database software.  The operating system should be configured for security through the process of operating system hardening.  Software should be kept constantly updated, as patches are routinely released to fix holes in security.  The website itself should be hardened against common attacks like cookie poisoning, hidden-field manipulation, parameter tampering, buffer overflow, and cross-site scripting.  Website pages where sensitive information like credit card numbers is entered should be encrypted and secured with an SSL certificate.
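As an added illustration (not code from the original post), the sketch below contrasts a checkout handler that trusts a hidden price field with one that authenticates its cookie with an HMAC, looks the price up server-side, and validates the quantity. The catalogue, key, cookie format and form field names are assumptions made for the example.

```python
import hashlib
import hmac
import re

# Constructed sample data (assumptions): server-side prices in cents and a
# demo key; a real key would come from a secret store, never from source code.
CATALOG = {"sku-1001": 4999, "sku-2002": 1250}
SECRET_KEY = b"demo-key-load-from-secret-store"

def _tag(value: str) -> str:
    return hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()

def sign(value: str) -> str:
    """Return 'value.tag' so any later change to the cookie is detectable."""
    return f"{value}.{_tag(value)}"

def verify(signed: str):
    """Return the original value if the tag matches, otherwise None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    # Compare as bytes, in constant time, so odd input cannot raise or leak.
    ok = hmac.compare_digest(tag.encode(), _tag(value).encode())
    return value if ok else None

def order_total_trusting(form: dict) -> int:
    """Weak: the total is computed from a client-supplied hidden field."""
    return int(form["price_cents"]) * int(form["qty"])

def order_total_hardened(form: dict, cart_cookie: str) -> int:
    """Hardened: authenticate the cookie, ignore the client price, bound qty."""
    if verify(cart_cookie) is None:
        raise ValueError("cart cookie failed integrity check")
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty = str(form.get("qty", ""))
    if not re.fullmatch(r"[1-9][0-9]?", qty):   # whole numbers 1..99 only
        raise ValueError("quantity out of range")
    return CATALOG[sku] * int(qty)              # price comes from the server

if __name__ == "__main__":
    # Constructed request in which the hidden price field was edited to 1 cent.
    form = {"sku": "sku-1001", "price_cents": "1", "qty": "2"}
    print(order_total_trusting(form))                    # follows the client
    print(order_total_hardened(form, sign("cart-42")))   # follows the catalogue
```

The hardened handler never reads `price_cents` at all, which is the point: values that decide money or access are derived on the server, and anything that must round-trip through the browser carries an integrity tag.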

Environment Security

Environment security is the area around the hardware running the e-commerce website and includes human resources.

Secure physical access to network and server devices by using fences, locks, or other methods. Network, server, and software access credentials should be highly complex and well guarded (no post-it notes).

Once a staff member has left the company or moved to a different position, remove all of that person's access privileges that are no longer needed.  Staff members should also be trained against social engineering, where sensitive information could be given to attackers posing as a trustworthy person over the phone or email.

3rd Party Hosting

If your e-commerce website is hosted by a 3rd party, contact them and discuss all of the security areas to see if they are in place.

Security is Ever Ongoing
 
The security threats to e-commerce websites are constantly changing as new threats are discovered every day.  Staying secure takes an ongoing dedication to monitoring and adjusting security for all of the main vulnerable areas.  It's better to be over-prepared against possible security threats than to be under-prepared and lose your customers' trust in your company when an attack occurs.

 

Copyright 2009-2011 Affinigent, Inc.