Are you concerned about e-commerce security? We explain what e-commerce security is, discuss common threats, and offer solutions.
What Is E-Commerce Security?
E-commerce security is the protection of e-commerce sites from fraudulent activities such as unauthorized access and illicit transactions. Common threats include card-not-present (CNP) fraud, account takeover (ATO) attacks, and more.
As the demand for online and mobile shopping has skyrocketed in recent years, so has the number of attacks on merchant websites. In 2021, an estimated $15.3 billion was lost to card-not-present fraud alone. Not only does this represent direct financial loss for digital channel merchants, but it can also lead to steep fees from fraudulent chargebacks, and do damage to their brand image. Malware attacks that shut down sites for periods of time only add to the problem.
But it’s not all doom and gloom. Below we’ll touch on the most common e-commerce security threats, how they work, and what you can do to prevent them.
E-Commerce Security Threats & Solutions
To better understand e-commerce security, let’s explore how some of the most common e-commerce threats work and the best ways to stop them.
Card Not Present Fraud
Card not present fraud occurs when a person makes an unauthorized purchase using stolen credit card information without physical access to the card. CNP fraud can occur anywhere a merchant cannot inspect the physical card.
Fraudsters typically steal credit card information from phishing scams that trick users into entering their payment information into a cloned version of a trusted site. Once the victim enters their payment details, that information is sent to the fraudsters.
Even when merchants and customers do everything right, they can still fall victim to CNP fraud. Cybercriminals break into legitimate online businesses and steal databases filled with customer payment information. Card details are often sold on dark web marketplaces where other criminals can try and commit fraud with them.
During the first three quarters of 2021, Outseer recovered over 12.9 million unique compromised credit or debit cards from dark web marketplaces and fraud networks. That’s roughly 48,000 compromised cards per day that could otherwise be exploited for criminal gain.
One of the best ways to protect against CNP fraud is to deploy solutions that leverage the EMV® 3-D Secure protocol, which uses shared transaction data and threat intelligence to assign each transaction a risk score. E-commerce sites can choose how they want to handle riskier transactions, with many opting to request additional authentication or blocking blatant fraud altogether.
3DS is one of the most popular forms of e-commerce security thanks to its high accuracy and frictionless flow. By using over 100 data points, 3DS can root out fraudsters without impacting cardholders’ shopping experience.
How to prevent CNP fraud:
- Enforce CVV verification on your website
- Implement solutions that use the 3D-Secure protocol to block fraudulent purchases
- Use an address verification service
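The three controls above (CVV check, address verification, and a 3-D Secure risk score) are usually combined into one decision per transaction: approve, challenge with additional authentication, or decline. The following is an added example of such decisioning logic, written for this page; it is not Outseer’s code and not part of the EMV 3-D Secure specification. The 0..100 risk-score scale, the thresholds, and the sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed policy thresholds (not from the article); a merchant tunes these against its own fraud data.
CHALLENGE_THRESHOLD = 40   # risk score at or above which we request step-up authentication
DECLINE_THRESHOLD = 80     # risk score at or above which we refuse the transaction outright
HIGH_VALUE_AMOUNT = 500.0  # orders at or above this amount always get a challenge


@dataclass
class CardTransaction:
    amount: float
    cvv_match: bool         # issuer confirmed the CVV typed at checkout
    avs_street_match: bool  # address verification: street number matched the billing record
    avs_zip_match: bool     # address verification: postal code matched the billing record
    risk_score: int         # 0..100 score supplied by a 3-D Secure / risk engine (assumed scale)


def decide(tx: CardTransaction) -> str:
    """Return 'approve', 'challenge' (request additional authentication) or 'decline'."""
    # A wrong CVV means the buyer very likely does not hold the physical card: refuse.
    if not tx.cvv_match:
        return "decline"
    # Very high risk score: block blatant fraud instead of bothering the cardholder.
    if tx.risk_score >= DECLINE_THRESHOLD:
        return "decline"
    avs_full_match = tx.avs_street_match and tx.avs_zip_match
    # Moderate risk, partial AVS match, or a high-value order: ask for step-up (e.g. a 3DS challenge).
    if tx.risk_score >= CHALLENGE_THRESHOLD or not avs_full_match or tx.amount >= HIGH_VALUE_AMOUNT:
        return "challenge"
    return "approve"


def summarize(transactions):
    """Count decisions so the merchant can watch how many customers are being challenged."""
    counts = {"approve": 0, "challenge": 0, "decline": 0}
    for tx in transactions:
        counts[decide(tx)] += 1
    return counts


# Constructed sample transactions, not real data.
SAMPLE_TRANSACTIONS = [
    CardTransaction(49.99, True, True, True, 12),    # ordinary order -> approve
    CardTransaction(49.99, False, True, True, 12),   # wrong CVV -> decline
    CardTransaction(120.00, True, False, True, 20),  # street mismatch -> challenge
    CardTransaction(75.00, True, True, True, 55),    # elevated risk -> challenge
    CardTransaction(899.00, True, True, True, 5),    # high value -> challenge
    CardTransaction(30.00, True, True, True, 91),    # blatant fraud score -> decline
]

if __name__ == "__main__":
    for tx in SAMPLE_TRANSACTIONS:
        print(f"{tx.amount:8.2f} score={tx.risk_score:3d} -> {decide(tx)}")
    print(summarize(SAMPLE_TRANSACTIONS))
```

The challenge rate returned by `summarize` is the number to watch: the article’s point about 3DS being “frictionless” is that most legitimate traffic should land in `approve`, with step-up reserved for the minority of transactions the score cannot clear.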
Chargeback Fraud
Chargeback fraud occurs when a customer makes a purchase with the sole intention of issuing a chargeback and keeping the item. When a chargeback occurs, the customer is refunded their money and the vendor is charged a chargeback fee. These fees vary in size and mount up quickly if chargeback fraud is left unchecked.
Sometimes chargeback fraud happens accidentally, like when a customer forgets that their subscription is on autopay and seeks a chargeback. This is known as “friendly fraud.” While friendly fraud may seem innocent enough, it still impacts e-commerce site owners the same way. As it stands now, 44% of merchants report experiencing return abuse of some kind over the past 12 months, and 66% say it has been getting worse.
How to prevent chargeback fraud:
- Implement solutions that use the 3D-Secure protocol to block fraudulent chargebacks
- Send email confirmations when a product has been purchased
- Have a clear and visible return policy
- Use detailed product descriptions and payment descriptors
- Use shipping insurance or shipping confirmations when possible
- Make issuing a refund through your site simple, vs. going through the card company
Account Takeover Attacks
Account takeover occurs when a legitimate customer account is hijacked by fraudsters who use that account to steal information and make fraudulent transactions. This can be particularly challenging to detect since the login occurs under a trusted account.
Cybercriminals can target large organizations to authorize bank transfers or steal company secrets. For e-commerce sites, attackers steal customer accounts and abuse their saved payment methods or max out their BNPL credit.
Luckily, by comparing known user behavior with new login attempts, artificial intelligence can use risk scoring to block sign-ins that are highly suspicious.
How to prevent ATO attacks:
- Implement frictionless, risk-based authentication to protect accounts automatically, even if the username and password are stolen.
- Use multi-factor authentication when possible.
- Watch out for logins under new devices and locations that don’t match typical user behavior.
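The risk-based authentication described above comes down to comparing each new login against a baseline of the user’s past behavior (devices, countries, times of day) and turning the deviations into a score that decides between allowing the login, requiring MFA, or blocking it. The following is an added illustration written for this page, not Outseer’s code or any vendor’s algorithm; the weights, thresholds, field names, and the login history are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class LoginAttempt:
    user: str
    device_id: str     # stable identifier for the browser/device (cookie or fingerprint)
    country: str       # geolocated from the client IP address
    hour_utc: int      # hour of day, 0..23
    password_ok: bool  # did the submitted credentials verify?


@dataclass
class UserProfile:
    known_devices: set
    usual_countries: set
    active_hours: set  # hours of day at which this user normally signs in


# Assumed weights and thresholds; a real deployment learns these from labelled fraud data.
W_NEW_DEVICE, W_NEW_COUNTRY, W_ODD_HOUR = 40, 35, 15
STEP_UP_THRESHOLD, BLOCK_THRESHOLD = 40, 70


def build_profile(history):
    """Derive a behavioural baseline from a user's past *successful* logins only."""
    ok = [a for a in history if a.password_ok]
    return UserProfile(
        known_devices={a.device_id for a in ok},
        usual_countries={a.country for a in ok},
        active_hours={a.hour_utc for a in ok},
    )


def score_login(profile, attempt):
    """Add up deviations from the baseline; a higher score is more suspicious."""
    score = 0
    if attempt.device_id not in profile.known_devices:
        score += W_NEW_DEVICE
    if attempt.country not in profile.usual_countries:
        score += W_NEW_COUNTRY
    if attempt.hour_utc not in profile.active_hours:
        score += W_ODD_HOUR
    return score


def decide_login(profile, attempt):
    """'reject' (bad credentials), 'allow', 'step_up' (require MFA) or 'block'."""
    if not attempt.password_ok:
        return "reject"
    score = score_login(profile, attempt)
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


# Constructed login history for one user (not real data).
HISTORY = [
    LoginAttempt("alice", "dev-laptop", "DE", 9, True),
    LoginAttempt("alice", "dev-laptop", "DE", 19, True),
    LoginAttempt("alice", "dev-phone", "DE", 21, True),
    LoginAttempt("alice", "dev-phone", "DE", 8, True),
]
ALICE = build_profile(HISTORY)

if __name__ == "__main__":
    attempts = [
        LoginAttempt("alice", "dev-phone", "DE", 21, True),    # matches baseline -> allow
        LoginAttempt("alice", "dev-tablet", "DE", 9, True),    # new device only -> step_up
        LoginAttempt("alice", "dev-unknown", "BR", 3, True),   # new device, country and hour -> block
        LoginAttempt("alice", "dev-laptop", "DE", 9, False),   # wrong password -> reject
    ]
    for a in attempts:
        print(a.device_id, a.country, a.hour_utc, "->", decide_login(ALICE, a))
```

Note that a correct password alone never earns an `allow`: the stolen-credential case in the first bullet is exactly the one where `password_ok` is true and the behavioral score has to do the work.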
Account Enrollment Fraud
Why take over an account when you can use stolen card information to set up an account or rewards program with an online merchant from scratch using a synthetic identity? According to the FBI, synthetic identity fraud is a $6 billion problem and one of the fastest-growing forms of financial crime. Synthetic identities can be tough to root out because they use a mix of fraudulent and randomly generated information. Once a synthetic identity is used, attackers can simply create another account and repeat the process.
In these attacks, fraudsters open an account or activate a mobile app using pilfered card information. Since the new user appears legitimate, there is no discrepancy between shipping addresses or contact information—helping them bypass most traditional fraud detection systems.
How to prevent Account Enrollment Fraud:
- Require multiple forms of identity proof and run them through external databases
- Deploy solutions that leverage machine learning and identity science to correlate and verify physical and digital identities
Bot Attacks
Attackers can use automated bots to test stolen credit card details, knock sites offline, brute-force admin passwords, and scalp in-demand items to turn a profit on your customers. Bot attacks pose a significant e-commerce security threat because of the scale and speed at which they operate.
The best way to prevent bot attacks is to use machine learning fraud prevention. Machine learning models study the behavior of both legitimate customers and bots, so that attacks on your e-commerce site can be detected accurately and stopped.
Unlike CAPTCHA checks, frictionless fraud detection only stops bots and doesn’t slow down your real customers. This helps e-commerce businesses improve their customer experience, reduce their cart abandonment, and grow their revenue.
How to prevent bot attacks:
- Use frictionless fraud prevention to stop bots, automated attacks, and fraudsters
- Use strong passwords and two-factor authentication to stop brute-force attacks
- Block free or commonly abused proxy and VPN services
- Monitor for spikes in failed credit card or gift card transactions
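The last bullet, monitoring for spikes in failed card transactions, is the classic signal for automated card testing: a bot runs through a batch of stolen card numbers with small authorizations and most of them fail. Below is an added example of that detection logic run over a few constructed gateway log lines; it is written for this page and is not Outseer’s code. The log format, the 60-second window, and the failure thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed payment-gateway log lines (not real data); one line per authorization attempt.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=198.51.100.7 card=****4242 amount=1.00 result=DECLINED
2024-03-01T10:00:02Z ip=198.51.100.7 card=****1111 amount=1.00 result=DECLINED
2024-03-01T10:00:03Z ip=198.51.100.7 card=****5555 amount=1.00 result=DECLINED
2024-03-01T10:00:04Z ip=198.51.100.7 card=****9999 amount=1.00 result=DECLINED
2024-03-01T10:00:05Z ip=198.51.100.7 card=****0005 amount=1.00 result=DECLINED
2024-03-01T10:00:06Z ip=198.51.100.7 card=****3782 amount=1.00 result=APPROVED
2024-03-01T10:00:30Z ip=203.0.113.9 card=****7777 amount=59.90 result=DECLINED
2024-03-01T10:01:10Z ip=203.0.113.9 card=****7777 amount=59.90 result=APPROVED
2024-03-01T10:05:00Z ip=192.0.2.44 card=****2222 amount=120.00 result=APPROVED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) card=(?P<card>\S+) amount=(?P<amount>\S+) result=(?P<result>\S+)$"
)

# Assumed detection policy: many declines, or declines across many different cards,
# from one source inside a short window looks like automated card testing.
WINDOW = timedelta(seconds=60)
MAX_FAILURES = 4
MAX_DISTINCT_CARDS = 3


def parse(log_text):
    """Turn log lines into (timestamp, ip, card, result) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a bad line should not crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["card"], m["result"]))
    return events


def detect_card_testing(events):
    """Return {ip: reason} for sources whose recent declines exceed the policy."""
    recent = defaultdict(deque)  # ip -> deque of (ts, card) for declines inside the window
    flagged = {}
    for ts, ip, card, result in sorted(events):
        if result != "DECLINED":
            continue
        q = recent[ip]
        q.append((ts, card))
        # Drop declines that have aged out of the sliding window.
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        distinct_cards = {c for _, c in q}
        if len(q) >= MAX_FAILURES:
            flagged[ip] = f"{len(q)} declines in {WINDOW.seconds}s"
        elif len(distinct_cards) >= MAX_DISTINCT_CARDS:
            flagged[ip] = f"{len(distinct_cards)} distinct cards declined in {WINDOW.seconds}s"
    return flagged


if __name__ == "__main__":
    for ip, reason in detect_card_testing(parse(SAMPLE_LOG)).items():
        print(f"card testing suspected from {ip}: {reason}")
```

The single decline followed by a successful retry from `203.0.113.9` is what an ordinary shopper mistyping a card number looks like, and it stays below both thresholds; the run of one-dollar authorizations against different cards from `198.51.100.7` is the pattern the bullet is asking you to alert on.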
Buy Now, Pay Later Fraud
Buy now, pay later services offer customers zero-interest credit to buy anything from clothes to computers. BNPL services are popular among e-commerce sites since they increase the average order value and allow customers to spend more without paying the full balance upfront.
Criminals have grown wise to BNPL services and targeted these lines of credit as low-hanging fruit for their fraudulent endeavors. Fraudsters commonly commandeer customer accounts and drain their BNPL credit, or use synthetic IDs to create a bogus account with the e-commerce site.
The best way to protect your BNPL service is by using risk-based authentication throughout the shopping and enrollment process. Today’s most robust platforms protect your customers and limit your losses by detecting hijacked accounts and keeping synthetic identities out of BNPL enrollment.
How to prevent buy now, pay later fraud:
- Use BNPL authentication to prevent account takeovers and synthetic identity attacks
- Ensure your BNPL platform uses machine learning to detect evolving threats
- Only use a trusted BNPL partner
Brand Abuse
Brand abuse continues to rise each year and is currently the most popular tactic for online fraudsters. Brand abusers steal branded assets and impersonate e-commerce sites through phishing campaigns in order to trick victims into sending their payment details and making fraudulent purchases.
These attacks not only defraud your customers but erode your brand image with each attack. Many customers hold the brand responsible for the attack even though they weren’t involved. Brand abuse can occur through fake websites, rogue mobile apps, and fraudulent social media accounts.
The best way to prevent brand abuse is to source a cyberattack takedown service that continuously monitors the Internet, app stores, and social media to shut down sites, apps, and accounts before they can do serious financial and reputational harm.
How to prevent brand abuse:
- Use a 24/7 takedown service to prevent attacks
- Register or monitor similar domain names to prevent attackers from using them
- Use anti-phishing services internally to protect your staff
- Educate your customers on brand abuse
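Monitoring for similar domain names, as the second bullet recommends, means comparing newly seen domains against your own brand after normalizing the tricks typically used in lookalikes (digits standing in for letters, `rn` for `m`, extra words appended to the brand). The following is an added example of such a check, written for this page and not part of any Outseer product; the brand domain, the candidate list, the homoglyph table, and the edit-distance threshold are constructed assumptions, and a production monitor would also use a public-suffix list and a feed of newly registered domains.

```python
BRAND_DOMAIN = "example-shop.com"  # constructed brand domain, not a real merchant

# Characters commonly substituted for one another in lookalike names; normalised before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})
MAX_EDIT_DISTANCE = 2  # assumed threshold for "close enough to be a typo of the brand"


def registrable_label(domain):
    """'www.example-shop.com' -> 'example-shop'. Takes the label left of the TLD;
    a real tool would use a public-suffix list to handle names like .co.uk."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalise(label):
    """Collapse common visual substitutions so 'examp1e-sh0p' and 'exarnple-shop' both become 'exampleshop'."""
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w").replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, brand=BRAND_DOMAIN):
    """Return a reason string if candidate looks like a lookalike of brand, else None."""
    if candidate.lower().strip(".") == brand:
        return None  # our own domain
    b = normalise(registrable_label(brand))
    c = normalise(registrable_label(candidate))
    if c == b:
        return "homoglyph/normalised match"
    if b in c:
        return "contains brand name"
    d = edit_distance(b, c)
    if d <= MAX_EDIT_DISTANCE:
        return f"edit distance {d}"
    return None


def flag_lookalikes(candidates, brand=BRAND_DOMAIN):
    """Map each suspicious candidate domain to the reason it was flagged."""
    flagged = {}
    for domain in candidates:
        reason = classify(domain, brand)
        if reason:
            flagged[domain] = reason
    return flagged


# Constructed list standing in for a feed of newly observed domains (not real registrations).
CANDIDATES = [
    "example-shop.com",         # the brand itself -> ignored
    "exarnple-shop.com",        # 'rn' imitating 'm'
    "examp1e-sh0p.net",         # digits imitating letters
    "example-shop-verify.com",  # brand name with a lure word appended
    "exmple-shop.com",          # one-letter typo
    "bookstore.com",            # unrelated -> ignored
]

if __name__ == "__main__":
    for domain, reason in flag_lookalikes(CANDIDATES).items():
        print(f"{domain}: {reason}")
```

Flagged domains are candidates for the takedown service and for customer warnings described above; the check is deliberately generous, since a human reviewer costs less than a phishing campaign that runs unnoticed.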
Malware Attacks
Malware can knock e-commerce sites offline, flood them with spam, and even redirect customers to malicious checkout pages. Malware typically infects websites that have outdated plugins or vulnerabilities on their hosting web server. Common or default passwords also make it easy for attackers to plant malware on e-commerce sites.
The best thing you can do to prevent malware is to keep your plugins up to date, secure your accounts with two-factor authentication, and hire a webmaster to manage the security of your website.
How to prevent e-commerce malware attacks:
- Implement risk-based authentication for admin logins
- Minimize the number of plugins used and keep them up to date
- Use SSL/TLS certificates and serve the whole site over HTTPS to secure communications
- Install a web application firewall
- Hire a system administrator or web developer to keep up on security
E-commerce Security Best Practices
With some of the most common e-commerce threats covered, let’s explore some general best practices you can use to protect your customers, brand, and revenue.
Follow and Monitor Compliance Requirements
E-commerce sites must follow various regulations to keep their site operational and their customers protected. Familiarize yourself with standards such as PCI-DSS, GDPR, and CCPA. These regulations are designed to protect customer data and preserve their privacy. Site owners can use numerous compliance auditing tools to monitor their status and identify areas to be corrected.
Use Machine Learning and Artificial Intelligence to Stay Ahead of Threats
Machine learning and artificial intelligence improve e-commerce security by learning the patterns and behaviors of different threats. By understanding the threat behavior and trends, e-commerce sites can stay protected against attackers—even when they change their tactics.
Your best bets will be products that leverage machine learning combined with data science informed by large-scale shared identity and transaction intelligence to provide seamless fraud prevention across all digital channels.
Conduct an E-Commerce Security Audit
Your e-commerce site can have various points of entry for attackers, from vulnerable hosting providers to misconfigured plugins. Consider conducting quarterly site audits with a web vulnerability scanner and having a professional work with you during remediation.
Audits can take some time, depending on your e-commerce site’s size and complexity. Security audits typically highlight vulnerable plugins, misconfigurations, and accounts with weak passwords.
Many auditing tools follow a series of best practices, allowing you to rest easy knowing your site is secure. If you’re a larger e-commerce brand, consider using a web application firewall and hiring remediation experts to fix critical vulnerabilities as they’re discovered.
Total E-Commerce Security with Outseer
E-commerce fraud, and its myriad attack vectors, can feel overwhelming. But you don’t have to handle it alone.
Our own solutions empower the digital economy to grow by authenticating billions of transactions annually. Our payment and account monitoring solutions increase revenue and reduce customer friction for card-issuing banks, payment processors, and merchants worldwide.
By leveraging intelligence from 20 billion annual transactions across 6,000 institutions contributing to our global data network, our identity-based science prevents 95% of all fraudulent transactions, with customer intervention rates as low as 5%. That’s the best performance in the industry. And our 24/7 takedown service puts brand impersonation on ice, before it can cause serious damage.
By seeing what others can’t, we stop fraud long before a digital transaction or interaction occurs. To learn how you can protect your customers through the power of frictionless fraud prevention, request a free demo today.