Ecommerce Website Security: 13 Tested Tools to Protect Your Site From Scammers
I’ve witnessed companies lose hundreds of thousands of dollars after failing to implement website security features to safeguard their website from hackers and fraudsters.
The internet is a dangerous place to conduct business – especially without appropriate fraud protection protocols. Over the next four years, online retailer fraud is projected to reach $5.8 billion.
For every fraudulent order that is successfully placed using your eCommerce site, an online retailer needs to generate eight legitimate sales to recover financially from the chargeback and lost inventory. Thankfully, it’s possible to build a wall around your eCommerce site, featuring a big gate to allow legit sales through.
Let’s take a closer look at the tools and strategies you can take advantage of to secure your eCommerce site, without losing legitimate sales.
Understanding the Warning Signs of Fraudulent Transactions
Fraudulent transactions can lead to chargebacks and loss of merchandise. There are a few warning signs that eCommerce stores should look for during the review of new, or unusual customer requests.
- More than one payment method being utilized from a single IP address. This could be an individual using stolen credit card information to submit orders and receive goods that they can sell.
- Foreign billing or shipping addresses are a red flag. Most software can only verify addresses properly within the US and UK.
- Large volume orders for a single item from a new customer – this could be a fraudster acquiring a product to resell with someone else’s credit card.
- A series of orders, shipped to the same address but placed using different payment methods.
Manual review of orders is always best, even if you only check the ones that meet the above criteria. Some review and spot-checking is always better than blind hope.
A fraud management expert can help you implement these tips. But, with a little know-how, you can complete all of these fraud management tips for yourself! If you do go the do-it-yourself route, it never hurts to have a website security audit completed by a reputable cybersecurity firm.
1. SQL Injection – Preventing Your Website’s Forms from Becoming Vulnerabilities
Did you know that it’s possible to submit a fraudulent SQL command to your site by inserting the command into a form on your website? This could be the form that your customers use to sign-up for your e-newsletter, or set up an initial consult.
To prevent this type of fraud, you need to scan your site daily for SQL injection vulnerabilities. Internet security companies, like Norton, have products to help with this. But, you can also find free site scanners:
2. Cross-Site Scripting (XSS) – Turning a Bad Request into a Bad Day
How does your website, and the webserver that hosts it, handle GET requests, or the posting of executable code in the comments section of your blog posts? Ideally, these fraudulent server requests, loaded with malicious code meant to compromise your website security, should be blocked from executing.
Best practices for protecting your website from XSS:
- Ensure that all site and server modules are up-to-date. Reputable third-party developers provide ongoing updates based on common security threats. But, these do your site no good if they aren’t installed.
- Use a site scanner, like the ones listed above, to identify potential website security vulnerabilities.
3. Brute Force Attacks – Keeping the Attackers Guessing
83% of domestic e-commerce attacks in the US were completed using a botnet. (PYMNTS)
One of the ways botnets are utilized is in a brute force attack – simply guessing the details required to access the admin section of your e-commerce site. All that’s required is a program to execute the attempts to connect with different passwords, and enough uninterrupted time to establish a connection.
Steps you can take to stop a brute force attack in its tracks:
- Use complex, lengthy passwords featuring symbols, capitalization and numbers.
- Require two-factor authentication before users can log in.
- Use a captcha or similar tool to challenge visitors to your login page.
- Change passwords every 3 months. Immediately change passwords after termination or conclusion of work by an outside contractor.
4. DoS & DDoS Attacks to Make Your Site Inaccessible For A While
Both malicious actions have got the same goal — to push down your eCommerce site and make some profit from that. But technically they are different.
A DoS (Denial of Service) attack is an attempt to shut down your online store flooding with junk traffic and making it ungettable to normal users.
A DDoS (Distributed DoS Attack) attack is performed from multiple devices or a botnet. A botnet is a ‘gang’ of computers infected with some malware.
Here are a couple of security measures every small business owner should take to protect their website security from DoS and DDoS attacks:
- the DoS attacks can be suppressed with the help of special web server configuration;
- use NGINX rate limiting to protect your website from malicious requests.
Note: Installing a website security addon won’t help.
5. Tighten Your Website’s Relative Security and Slash Ecommerce Fraud
Relative Security is the measure of how juicy a target your e-commerce website is, relative to the rest of the web. Political sites, financial firms and large companies have a high relative security risk.
Based on your site’s relative security, you may need to spend extra time and resources on the eCommerce fraud prevention tips I’ll cover below.
Steps for Performing a Relative Security Assessment
- Create an Enemy Profile by answering the following questions:
- Do individuals or organizations exist that would like to hurt me or my company?
- Could an individual make money by attacking my website?
- Do my enemies have the technical skills necessary for the hacking of a website?
- Consider how your company is perceived in the world.
- Does my company have a solid reputation?
- Are there steps we could take as an organization to minimize conflict and improve our image?
- How is my company representing itself online? Is the substance or tone of our content unnecessarily aggressive or aggravating?
To improve your site’s relative security, and reduce its online fraud risk, identify opportunities to disengage from politically divisive topics, and avoid advertising your financial success unnecessarily.
If the outside world perceives you or your organization as a financially lucrative target, or a political adversary, these are red flags that the security of your website, product pages, and checkout needs to be taken extremely seriously.
6. Improve Your Online Store Security with PCI Compliance
Payment Card Industry (PCI) Standards are the baseline standards that the credit card companies have set up in order to provide a secure internet for customers and merchants; reducing online fraud in their industry.
Important PCI Security Council resources include
7. Remove Customer Financial Data from Your Site by Utilizing a 3rd Party Payment Processing System
The best way to protect your customer’s financial data from an attack on your eCommerce site is by removing credit card and other financial information from your site. A third-party payment gateway can securely handle customer financial data on your behalf.
You need to select a qualified payment processor – one that’s compatible with your eCommerce platform, and offers industry-leading fraud prevention. Identity theft detection is also a great feature to look for. Some merchant payment processors provide identity theft protection as part of their service agreement.
10 Payment Processors that Securely Handle Customer Financial Data on Your Site’s Behalf
The X-Payments is one of the e-commerce platforms I recommend because of its built-in fraud prevention features. There are a variety of payment processing integrations that provide PCI compliance to help prevent credit card fraud, and end-to-end compatibility with X-Cart (and many other website builders).
The list below is ranked in order of popularity:
- X-Payments Connector
- Authorize.Net SIM
- Sage Pay (Form)
- Amazon Pay
- Fastlane Checkout
- Create an account
- Select a payment processor based on the fees they charge and their availability in your region.
- Provide the details for your business’ checking account – this is where funds will be deposited or transferred, at your direction.
- Follow the instructions they provide for integrating their platform with your website – usually a very straight-forward process that involves the automated installation of a module.
- Sit back and enjoy the peace of mind that comes from knowing your customer’s financial data isn’t stored on your eCommerce site – removing a great deal of liability from your company.
8. Eradicate Default Passwords from Your Online Store
You wouldn’t keep the old locks on your front door after you purchase a new home, would you? After you’ve installed your eCommerce shopping cart, or installed a new module, it’s time to reset the default passwords that were created during installation.
This tip massively reduces your fraud risk. Once you’re comfortable with the terminology used to describe different users and their roles within your site:
- Check the “Users Management” tab. Ensure there aren’t any extra admins listed for your site.
- Replace the passwords for each admin user with a secure password – I recommend a long, strong password generated by PasswordGenerator.net
- For easy password management, I use Keeper to help me remember my secure, complex passwords. The ability to copy and paste passwords into forms is a HUGE help.
- Check every online tool and piece of hardware you use to ensure there is no default admin/password configurations leftover.
A long, complex password makes your site more secure by requiring a lot more work from hackers and fraudsters before they can break in.
Two-factor authentication is an excellent solution for making it even more difficult for thieves to break in. With two-factor authentication, users will be required to enter their password and then enter a one-time code sent to their smartphone or email address before gaining access to your admin console.
If figuring out a long password is time-consuming, hacking multiple platforms to retrieve an access code is even more difficult.
9. Monitor Your Ecommerce Site for Core File Changes Using Monitoring Software
Who’s got two thumbs and better things to do than sit around and provide real-time fraud detection? This guy! And, unless you’ve suffered an unfortunate accident, I’m guessing you’d like an automated fraud detection solution too.
Thankfully, there are programs that will monitor your site for changes made to the core files of your eCommerce platform and prevent file upload attacks in a timely manner. The minute a core file is changed, an alert is sent out to admins. If the change was fraudulent, some software will even let you roll-back the change with the click of a button.
Changes to your site that are made during hours you are sleeping, or from unrecognized IP addresses should be an immediate red flag.
OSSEC is a free user-friendly tool I use to monitor changes in real-time to my sites. If a hacker gets through my defenses and manages to make changes, I’m immediately alerted. If the change is fraudulent, I can restore the compromised from a safe backup – safeguarding future customers from being compromised.
Then, it’s time to dig into the logs. Once I know who altered the file, I can block their access.
10. Regular Site Backups ARE MANDATORY
How often are you backing up your website? If your answer is less than every 24 hours, you’re asking for trouble.
If someone manages to hack into your site, you need to be able to restore it quickly to prevent extended interruptions to your customers. Rebuilding lost resources takes hours, and possibly days. Restoring from a backup takes a few mouse clicks.
11. Securing Your Web Browser and Operating System
With the increased number of data shared and stored online, using a secure web browser is vitally important for your eCommerce business.
As of 2019, the most secure browsers are The New Firefox, Iridium, GNU Icecat, Tor, Ungoogled Chromium, and other high-quality browsers. (Source)
According to Blokt, Google Chrome, Internet Explorer, and Safari, are the ones you should avoid.
They offer the most secure search engines that will retain your privacy.
Among the operating systems, OpenBSD is highly secure. Use it if you do not need to run graphical apps. iOS and Linux are probably the most popular operating systems.
All that will protect your eCommerce site from various risks, including viruses and personal data theft, and keep your sensitive information in a safe place.
12. Use a Website Application Firewall (WAF) to Take Your Website Security to the Next Level
This awesome tool protects your website from common vulnerabilities like SQL injection attacks, cross-site scripting, and cross-site forgery requests. Thus, good visitors are welcomed, and the bad ones are kept away from you.
Sucuri, Cloudflare, Akamai, Incapsula, and SiteLock are among the top web application firewall vendors.
Web Application Firewall prevents future hacks, block brute-force, and reduce the risk of DDoS attacks.
13. When Transmitting to and From Your Site, Encrypted Data is Secure Data
If someone stole your letter from the mailman, would they be able to read it? If you sent your letter using a code that only you and the intended recipient know, it’s virtually impossible for the thief to gather any usable information. Your personal information is safe, even though it was intercepted.
To secure the information sent between your website and your customer’s computer, you need to use encryption on your site. This is done with a Secure Socket Layer (SSL) certificate that is unique to your site. To create one, you’ll need to:
- Purchase an SSL Certificate from a reputable vendor. This does not create the certificate – you’ll need to complete the following steps before you have a usable certificate. Payment simply gets the ball rolling.
- Submit a certificate request form. This involves verifying your identity, billing address, phone number, and legal ownership of your website.
- If you intend to install the certificate on a server that you own, you’ll need to generate a certificate signing-request (CSR). For shared web hosting or managed solutions, this step will need to be completed by the owner of your server – something they are already very familiar with and can quickly complete on your behalf.
- If you own your server, you’ll need to download the files for your SSL Certificate and install them onto your server. Most managed hosting or shared server providers will complete this step on your behalf.
At this stage, you’ve encrypted the communication between your site and the outside world. This is a HUGE step towards a safer customer experience – and the added trust badge will help contribute to customer loyalty and trust.
Don’t believe me? Don’t take my word for it. Here are the numbers, courtesy of DigiCert – showcasing the power of completing the process of securing an extended verification (EV) SSL.
Also, keep it in mind, secure website design is essential to rank higher in search engines.
71% of Merchant Losses Attributed to Friendly Fraud
Friendly fraud is a type of credit card fraud where a legitimate customer interacts with your eCommerce site, makes a purchase, and then changes their mind later. Instead of adhering to your return policy, they submit a chargeback through their credit card provider.
This type of fraud makes up 71 percent of merchant losses (LexisNexis).
Steps That Should Help Understand and Combat Friendly Fraud
- Ask the credit card companies you accept to provide you with a detailed list of their chargeback codes – these are the codes you’ll see when a chargeback is initiated against your merchant account.
- If a chargeback is related to a product issue (i.e., the customer claims the item wasn’t as described), it’s time to dig into how your company fulfills orders. Something likely went wrong, and it will continue costing you money until it’s resolved.
- Ensure that your charges are being notated properly on your customer’s credit card statements. A descriptive title, along with your customer service phone number, is a great way to cut down on forgetful customers charging back transactions that they don’t recognize on their statement.
- Use tracking numbers when shipping orders, and provide customers with this number. Proof of delivery is important when fighting an unjustified chargeback.
- Ban the billing address of customers that submit unreasonable or fraudulent chargebacks. This should be handled on a case-by-case basis; remember, customers make innocent mistakes. But high-risk customers need to be blocked from submitting orders on your site.
Have you been the victim of an attack? How do you handle your website security woes?
I look forward to learning about your personal experiences in the comment section below.
Get the Best Expert-Backed Tips on Selling Online Straight into Your InboxOnly one email a week, we promise
Darren has an MBA in Internet Marketing and 10+ years of experience marketing retail, manufacturing, and Internet marketing corporations, 7-figure brands and startups online.