How to Secure Your eCommerce Site This Holiday Shopping Season


You might still be working on your summer tan, but the holiday season is right around the corner. In 2020, nearly 60% of shoppers had started making holiday purchases by early November, and this year’s consumers will likely start even sooner.

The holiday season is full of potential for eCommerce businesses. Last year, online shopping revenue exceeded $188.2 billion and it’s only expected to grow in 2021. But it’s not all sugar cookies and hot cocoa. For retailers set to experience an influx of holiday shoppers, the threat of cyberattacks looms greater than ever before.

Top 3 Cyberthreats to eCommerce

The types of potential cyberthreats abound, but there are three in particular to be on the lookout for:

1. Digital Skimming Attacks and Magecart

In digital skimming and Magecart attacks, cybercriminals steal your buyers’ personally identifiable information (PII). By taking advantage of security weaknesses in the third-party JavaScript running on your site, hackers inject malicious code that skims credit card information and other sensitive data.

Furthermore, a third-party script might call on another script which refers to yet another. An Nth-party script in the chain could have a vulnerability that puts your whole site at risk. Some of the world’s best-known brands have been victims of Magecart attacks, including British Airways, Warner Music Group, and Tupperware, resulting in hundreds of millions of dollars in regulatory fines alone.

2. Carding Attacks and Credit Card Fraud

In carding attacks, hackers make purchases on eCommerce sites using stolen credit and debit card details. They typically unleash bots to buy small-value items with the stolen card numbers. If the transaction goes through, they then use the information to directly retrieve funds or purchase gift cards which can be converted into high-value goods.

Gift card fraud, a subset of carding, is especially common during the holiday season. Gift cards are easier targets because they don’t have the same level of protection as credit cards, nor are they associated with cardholder names, bank account numbers, or billing addresses.

3. Denial of Inventory and Scalping

In denial of inventory attacks, bad actors use bots to repeatedly add an item to a shopping cart over the course of a few days until the item’s inventory is depleted. By keeping the item out of stock, they frustrate your customers, tax your infrastructure and reduce conversions and revenue.

Scalping takes it a step further, deploying bots to buy sought-after products—such as limited editions of sneakers, concert tickets, designer clothing or hot toys—and then selling them at inflated prices on third-party sites or the black market. According to the Automated Fraud Benchmark Report, scalping attacks made up more than 20% of total shopping cart requests for products on eight separate days between March 2020 and January 2021 with a peak of 46.9%.
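As an added illustration (not the post's or any vendor's code) of what the denial-of-inventory pattern above looks like in your own traffic, the script below aggregates constructed cart events per client and SKU, flags clients that keep re-adding one item over more than a day without ever checking out, and computes the share of a SKU's add-to-cart requests that came from those clients, the same kind of figure the benchmark quotes. The record layout and thresholds are assumptions.

```javascript
// Constructed "timestamp,client,action,sku,qty" records standing in for real server logs.
const SAMPLE_EVENTS = [
  "2021-11-20T09:00:01Z,c-101,add_to_cart,SKU-TOY-7,3",
  "2021-11-20T21:00:05Z,c-101,add_to_cart,SKU-TOY-7,3",
  "2021-11-21T09:00:02Z,c-101,add_to_cart,SKU-TOY-7,3",
  "2021-11-21T21:00:04Z,c-101,add_to_cart,SKU-TOY-7,3",
  "2021-11-22T09:00:03Z,c-101,add_to_cart,SKU-TOY-7,3",
  "2021-11-20T10:15:00Z,c-202,add_to_cart,SKU-TOY-7,1",
  "2021-11-20T10:17:30Z,c-202,checkout,SKU-TOY-7,1",
  "2021-11-20T11:00:00Z,c-303,add_to_cart,SKU-TOY-7,1",
  "2021-11-20T11:02:00Z,c-303,add_to_cart,SKU-SOCK-2,2",
  "2021-11-20T11:05:00Z,c-303,checkout,SKU-TOY-7,1",
];

function parseEvent(line) {
  const [ts, client, action, sku, qty] = line.split(",");
  return { ts: Date.parse(ts), client, action, sku, qty: Number(qty) };
}

// Group events by client and SKU: number of adds, units added, checkouts, and
// the time window spanned by the adds (hoarding runs over days, not minutes).
function summariseCartActivity(lines) {
  const buckets = new Map();
  for (const ev of lines.map(parseEvent)) {
    const key = `${ev.client}|${ev.sku}`;
    const b = buckets.get(key) ||
      { client: ev.client, sku: ev.sku, adds: 0, qty: 0, checkouts: 0, first: Infinity, last: -Infinity };
    if (ev.action === "add_to_cart") {
      b.adds += 1;
      b.qty += ev.qty;
      b.first = Math.min(b.first, ev.ts);
      b.last = Math.max(b.last, ev.ts);
    } else if (ev.action === "checkout") {
      b.checkouts += 1;
    }
    buckets.set(key, b);
  }
  return [...buckets.values()];
}

// A client that keeps re-adding one SKU across a long window and never checks out
// matches the denial-of-inventory behaviour. Thresholds are assumed, tune to your store.
function flagHoarders(lines, { minAdds = 4, minSpanHours = 24 } = {}) {
  return summariseCartActivity(lines).filter((b) =>
    b.adds >= minAdds && b.checkouts === 0 && (b.last - b.first) / 3.6e6 >= minSpanHours);
}

// Fraction of a SKU's add-to-cart requests that came from flagged clients.
function hoardingShare(lines, sku, opts) {
  const flagged = new Set(flagHoarders(lines, opts).filter((b) => b.sku === sku).map((b) => b.client));
  const adds = lines.map(parseEvent).filter((e) => e.action === "add_to_cart" && e.sku === sku);
  return adds.length === 0 ? 0 : adds.filter((e) => flagged.has(e.client)).length / adds.length;
}
```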

As mobile spending continues to grow, cybercriminals target shoppers on mobile devices as well as on home computers. Consumer spending in mobile apps hit a record $64.9 billion worldwide during the first half of 2021 and is expected to account for 54% of total online sales by the end of the year.

Understand Your Gaps

The first step to understanding your gaps is evaluating your existing security systems against the top threats you expect to face this holiday season. Every system has strengths and weaknesses, and it’s important to know what yours are.

For example, a web application firewall or static content security policy may be sufficient to monitor first-party code and prevent certain pre-set scripts from running on your site. However, they lack the ability to see and detect changes in dynamic third-party code, rendering them ineffective against client-side Magecart and digital skimming attacks.
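An added example (illustrative code, not from the post and not PerimeterX's product) of the client-side visibility that a static CSP or WAF lacks: it watches for script elements inserted into the page after load and classifies each one's origin against an allowlist, so a script pulled in further down the third-party chain described in the Magecart section is reported the moment it appears. The allowlist origins are constructed placeholders, and the observer reports rather than blocks.

```javascript
// Origins expected to serve script on this page (constructed placeholders).
const ALLOWED_SCRIPT_ORIGINS = new Set([
  "https://shop.example",            // first party
  "https://cdn.tagvendor.example",   // the one third-party tag you chose to embed
]);

// Classify one script URL. Returns a report object instead of throwing so the
// result can be logged or posted to a collector endpoint.
function classifyScriptSrc(src, pageOrigin = "https://shop.example") {
  let url;
  try {
    url = new URL(src, pageOrigin);          // resolves relative paths against the page
  } catch (e) {
    return { src, verdict: "unparseable" };
  }
  if (url.protocol !== "https:") return { src, origin: url.origin, verdict: "insecure-scheme" };
  if (ALLOWED_SCRIPT_ORIGINS.has(url.origin)) return { src, origin: url.origin, verdict: "allowed" };
  return { src, origin: url.origin, verdict: "unexpected-third-party" };
}

// Inline scripts have no src; an injected inline skimmer shows up here.
function classifyScriptElement(el) {
  if (!el.src) return { src: null, verdict: "inline", length: (el.textContent || "").length };
  return classifyScriptSrc(el.src);
}

// Browser wiring: report every script node added to the document after this
// runs that is not on the allowlist. This detects; it does not stop execution.
function watchForInjectedScripts(report) {
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeType === 1 && node.tagName === "SCRIPT") {
          const r = classifyScriptElement(node);
          if (r.verdict !== "allowed") report(r);
        }
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Only attach the observer in a browser; the classifiers above also run in Node.
if (typeof document !== "undefined" && typeof MutationObserver !== "undefined") {
  watchForInjectedScripts((r) => console.warn("script monitor:", r));
}
```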

Similarly, review your current bot management system. Are you currently using rate-limiting, IP reputation, network-based or signature-based security? While these techniques can block known bad bots, they lack the machine-learning capabilities and behavioral analysis to identify new and unknown bots as well as highly sophisticated bot attacks from distributed IP addresses or those that use low and slow techniques to avoid detection.

On high-volume shopping holidays such as Black Friday and Cyber Monday, hackers will be pulling out all the stops—so make sure your app security system is ready to combat the attacks.

Focus on Your Customer Journey

For eCommerce brands preparing for holiday shopping, centering your business strategy on the customer is the way to go—and your security strategy is no different.

Your customers will face different threats at different stages of their journey, from inventory hoarding on product pages to carding at checkout. Make a plan to safeguard their data from home page to checkout, without interrupting the path to purchase.

Legacy tools like CAPTCHAs and multifactor authentication add friction and drive cart abandonment, harming your conversion rates and negatively impacting your holiday sales. On the other hand, systems that leverage a combination of behavioral analytics and machine learning accurately detect bots and stop automated fraud without sacrificing customer experience.

Proactively Develop your Holiday Shopping Security Strategy

While there’s no need to pull out your ugly holiday sweater just yet, the summer is the time to start protecting your digital storefront for the busy season ahead. Tools like PerimeterX Bot Defender and Code Defender protect eCommerce websites, mobile applications and APIs from automated attacks and client-side data breaches, safeguarding your online revenue and reducing the risk of fraud during the holiday shopping season.
