What 2023 taught us about eCommerce security

There’s an old adage about growing a business: what got us here, won’t get us there. To stay competitive, companies are constantly having to adapt and evolve. The same is true when it comes to cybersecurity. Cyber threats are increasing in complexity and scale as attackers look for new ways to compromise valuable data.

This is especially true when it comes to retail. It’s one of the favored targets for cybercriminals given the valuable financial and customer data retailers hold. An analysis of attacks on retail businesses this year highlighted a series of key dangers including data theft, compromised user accounts, reputational damage, and downtime.

There are common threats like digital skimming and bad bots, while others, like account takeover (ATO) attacks and business logic abuse, are growing in frequency. What lessons should we take from 2023? And how can retailers respond to the evolving threat landscape?

Account takeover

One of the biggest threats for all retail businesses this year has been account takeover (ATO) attacks, whereby cybercriminals used automated bots to try to compromise online accounts by testing stolen passwords and usernames. For customers, a successful ATO attack can have devastating financial implications, and for businesses, it can result in reputational risk and lost revenue.

ATO attacks are a danger throughout the year, accounting for nearly 1 in 6 of all login attempts. Malicious activity is particularly rampant during the holiday season. This year, the volume of malicious login attempts spiked by an incredible 85% on Black Friday, even more than last year’s 66% increase. And it’s not just Black Friday itself that’s a problem – the number of ATO attacks rose by 82% between October 2023 and November 2023 alone. These figures underline how important it is for eCommerce businesses to have defenses in place to identify and mitigate malicious automated traffic that could be involved in ATO attacks.

Business logic abuse

Business logic refers to the rules or algorithms that dictate how an application or program operates and interacts with a database. It can best be thought of as the decision-making process for an application or API – the ‘if’ and ‘then’ scenarios that are designed to maximize ROI. For instance, a retailer might decide that ‘if’ a customer orders more than £200 worth of goods, ‘then’ they get a 20% discount. Such conditional logic enables business decisions to be automated and made more efficient.

In the past 12 months, attacks targeting the business logic of retail sites nearly doubled, jumping from 26% to 43%.Business logic attacks can be used to steal money or sensitive data, commit fraud, or simply to cause chaos by crashing a business-critical application. They’re increasingly popular with hackers because they don’t exploit a technical flaw, but instead abuse an existing functionality of the application or system. As a result, attacks are often not identified by traditional security tools.

For example, if a retailer allows one customer to send digital gift cards to another customer, hackers could use faulty logic within the system to ‘gift’ themselves thousands of pounds of vouchers from someone else’s account. Such an attack could have serious consequences for both the consumer and business alike.

Lessons learned

Tackling these two issues – not to mention the host of other threats retailers face – requires involvement from both sides. For consumers, it’s essential to practice good password hygiene (such as not reusing passwords across websites) to reduce the chances of falling victim to an ATO attack. Meanwhile, businesses need a coordinated and comprehensive defense strategy in place, with a suite of capabilities that can cover all access points, including websites, mobile apps, and APIs. This means going beyond a simple bot management solution to tools like attack analytics, client-side protection, and Runtime Application Self-Protection (RASP).

Moreover, responsibility for security needs to be more widespread across the organisation. Combatting business logic abuse requires developers and product owners to map out and incorporate security measures from the very start and at every step throughout the process to minimise potential risks. This should be accompanied by regular auditing and code reviews to identify any issues that may not have been spotted initially. Identifying business logic vulnerabilities isn’t a ‘one and done’ process – software updates are happening all the time and each one has the potential to introduce a new weakness in the logic of the application.

What will 2024 bring?

Because of the constantly shifting threat landscape, cybersecurity requires constant adaptation. New threats can emerge overnight and become business critical issues. In 2023, ATO attacks and business logic abuse were two of the leading threats facing retailers. With adoption of generative AI booming, the technology could aid cybercriminals in modifying their attacks. As a result, 2024 could well see a staggering spike in attack volumes, especially around business logic as attackers train AI systems to seek out and exploit such vulnerabilities.

We’ve featured the best malware removal.

This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro