We spend a lot of time on this blog talking about how your business can reap the rewards of eCommerce, and how you can get your revenue and profit figures moving upwards. And rightly so, as with the right strategies in place, the sky is the limit. But that doesn’t mean we’re blind to the less rosy sides of this industry.
Make the wrong decisions (or lack thereof) and the harsh reality is - you can lose money. A lot of money.
Believe it or not, Amazon is a case in point. The internet retailer may be one of the world’s biggest companies but that doesn’t mean it's immune from the problems that can plague smaller firms. In 2018, an outage on Prime Day cost Amazon almost US$100 million in lost sales, a hefty chunk of change for anybody.
What happened to Amazon can happen to anyone selling products online, whether you spend hundreds of millions on security as Messrs Bezos et al do, or whether you’re running something of a leaner operation. Rather than closing our eyes to the dangers that lay out there for eCommerce businesses, we thought it was high time we explored three security risks you may face - and help you solve them.
When the Open Web Application Security Project (OWASP) speaks, the security community listens. So when the organisation released its most recent ‘Top 10 Web Application Security Risks’ list last year, it was significant that broken access control had moved to the top of the list.
As the most common security weakness online, lots of eCommerce sites are therefore vulnerable to broken access control. It’s a very damaging yet very simple security flaw, summed up well in its name. In short, broken access control means a situation where a bad actor has access to functions outside the permissions they’re meant to have. Think of someone having admin privileges to your webstore when they should just be a user. They could delete listings, change prices and wreak all sorts of havoc.
One real-world example of a broken access control issue was found by researcher Laxman Muthiyah with the world’s biggest social media platform, Facebook. Back in 2015, Muthiyah discovered a vulnerable API endpoint on Facebook that would allow someone to become the administrator of any Facebook page they wanted to. The grave implications of such a flaw are obvious - think of how many millions of businesses rely on their Facebook page, never mind the vast sums of money spent by those pages on Facebook advertising each and every day.
What a broken access control might look like in the physical world.
Coming in at number two on the OWASP list is cryptographic failure, and ‘failure’ might be underselling it. This particular security flaw involves exposing sensitive data so that anyone can view it. While just being able to view data is not as bad as the ability to alter it as in broken access control flaws, it doesn’t take a world-class imagination to picture how damaging a cryptographic failure could be.
Cryptographic failure used to be known as sensitive data exposure, which is perhaps a more instructive name for the uninitiated than anything with ‘crypto’ in it, but that’s beside the point. In a nutshell, cryptographic failure happens when an entity fails to handle information the way they should. This could be as simple (yet devastating) as client information being accessible as a plain text file on a website.
For an example of a cryptographic failure in the wild, we can go back to good old reliably unreliable Facebook. In 2019, the cybersecurity firm UpGuard found that Facebook user data relating to millions of people was being stored unsecured on Amazon’s cloud servers. This particular cryptographic failure reportedly impacted more than half a billion people, which is enough to keep anyone up at night. As you can see, cryptographic failure often occurs with no malicious intent, but that doesn’t mean the damage can’t be severe.
While the previous entry on this list can occur without malicious intent, the same can’t be said of an SQL injection.
That’s because, as the “injection” part of the name suggests, this attack has to be deliberately launched. Structured Query Language, or SQL, is commonly used for handling structured data and relational database management systems. In other words, it’s a key component of a huge number of websites. So it makes for a promising attack vector for bad actors.
An SQL injection is when an attacker can interfere with the queries an application makes with its database. This is typically done by injecting a website with malicious SQL queries, for example via an HTTP request where the developer intended something as simple as a username to be entered. If the backend code isn’t up to snuff, it could be vulnerable to such an attack. One SQL injection attack way back in 2009 cost American retailers some US$300 million in losses after an attacker was able to compromise 100 million credit cards.
An SQL query.
We’re not all about doom and gloom and just outlining ways you can lose money with your eCommerce store. Now that we have outline the three abovementioned risks to an online store, it’s time to look at how to protect yourself from the dangers that lie in wait.
The answer is simple. So simple, in fact, that it can be expressed with a single word - testing.
An oversimplification it may be and yes, one word lacks the specifics of how to tackle each type of attack. But the overall point stands - if you invest resources into automation testing on your site, you won’t regret it.
Automated testing, which means exactly what it says on the tin, is a way to efficiently and cost-effectively run vast amounts of tests on your website. There are specific testing protocols you can run for all the risks mentioned in this post, it’s just up to you to identify which are most important for you, and to allocate time and money into running the tests.
We don’t ever want to see an eCommerce website lose money, so we’re big advocates of testing at SmartOSC. That’s why we've put together a testing automation checklist to prepare you for the high season. Download it here.