e-Commerce Overview
E-commerce is defined by the buying and selling of various products and services over the internet. There are numerous types of e-commerce such as business-to-business (B2B), business-to-consumer (B2C), consumer-to-consumer (C2C) and consumer-to-business (C2B). An example of B2B is a software as a service (SaaS) company such as Citrix Systems, which sells cloud computing software to companies for remote workers. An example of B2C is Amazon, which sells a variety of physical products to consumers all over the world. An example of C2C is an influencer who utilizes personal branding to monetize their following. An example of C2B is a freelance designer who develops products for a corporation (Indeed, 2023).
E-commerce is a rapidly growing industry and has become an integral aspect of modern society. New technologies and services such as Shopify, Fulfillment by Amazon, WooCommerce and other creator platforms are allowing individuals and small businesses to gain a competitive advantage in the global market. E-commerce has already revolutionized the way consumers and businesses make buying decisions, and this trend is likely to continue as technology becomes more integrated within society.
There are many great aspects of e-commerce which have improved our way of life but these benefits have come with a cost. Utilizing e-commerce inherently involves multiple risks, threats and vulnerabilities which can have devastating consequences depending on the severity of the circumstance. Some of the risks and vulnerabilities associated with using e-commerce include risk to privacy, identity theft, financial theft, fraud, cyber intrusions, industrial espionage, data breaches and many more. Some of the threats to utilizing e-commerce include insider threats (both malicious and accidental), hacktivists, cyber criminals and advanced persistent threat groups (CrowdStrike, 2023).
Impact and Significance of e-Commerce Risks
There are many risks to consumers, online sellers and the businesses that support the e-commerce industry. These risks can be broken into three categories: financial risks, risk of reputation damage and risk to privacy. Any one of these could be enough to permanently damage a business or unravel an individual's personal and financial life.
Financial Risks of e-Commerce
There are numerous financial risks associated with utilizing e-commerce for both consumers and businesses. This also includes businesses that provide a supporting role in online selling, such as those who provide logistics, payment processing and other services throughout the fulfillment process. In 2023 the cost of cybercrime is expected to reach more than $8 trillion worldwide. In 2022 the total loss for consumers from financial fraud was $8.8B (Forbes, 2023).
Reputation Risks of a Security Breach
Information travels extremely fast in our technologically interconnected society. This can be both good and bad depending on the circumstance. For companies that have experienced a cyber attack or data breach this news can have devastating consequences for their brand authority and reputation. Consumers want to know that their finances and personal data are safe and a cyber incident results in a loss of trust in a company. Studies have shown that more than 80% of consumers are willing to shop elsewhere if they learn a company has experienced a cyber attack or data breach (Imprivata, 2020).
Privacy Risks of e-Commerce
Consumers who use e-commerce are at risk of losing their right to privacy through the data collection practices of the businesses they transact with. This includes personally identifiable information (PII) such as contact details, address, biographical data and other sensitive information. Additionally, this includes financial data, private health information and metadata. All of these pieces of data are being used for advertising purposes such as retargeting software, data science & analytics, business intelligence and other reporting.
The collection and retention of personal data by just about every company that conducts e-commerce presents a large risk to individuals’ privacy if compromised. Insider threats and external intrusions can yield large data sets of consumer information which can be sold on dark web marketplaces. This data can be purchased by criminals who aim to commit further crimes such as identity theft, fraud and financial crimes (FBI, 2016).
Threats to e-Commerce
As illustrated above, there are three important risks associated with utilizing e-commerce. This section will discuss various threats and security trends common in the e-commerce industry. By using e-commerce, businesses and consumers are more vulnerable to being targeted by a variety of cyber threat actors. This could include an opportunistic insider threat selling consumer or proprietary data, a hacktivist defacing a website, a competitor stealing sensitive information or a cyber criminal using ransomware to extract financial profit from their victim. Any one of these threat actors can cause irreparable damage to a business or an individual through a variety of tactics.
Email Phishing
One of the most notorious techniques used by cyber criminals to target e-commerce businesses and their customers is email phishing. A well-crafted phishing message can fool even the brightest cybersecurity professionals when their guard is down. All it takes is for one unsuspecting employee to click a malicious link to compromise the entire organization. This results in what is commonly referred to as business email compromise (BEC), where an attacker uses email phishing to gain unauthorized access to the organization's network. This access can then be used for installing ransomware or other malware and for a variety of other scams that threaten the financial status and privacy of consumers (ProofPoint, 2023).
Social Engineering
Social engineering is a method of using a variety of tactics such as deception, elicitation and forgery to convince an unwitting individual to reveal sensitive information or to provide unauthorized access to an information system. Phishing is a form of social engineering, but this technique can be much more complicated than just using malicious emails. Social engineering can leverage a variety of techniques which include calling, texting and physically visiting the target location. The sky is the limit when it comes to the creativity employed by the attacker when using social engineering. These techniques can result in unsuspecting employees providing access to financial data, consumer data and proprietary data. Social engineering is commonly used as a delivery mechanism for a follow-on attack or in a larger campaign such as those which involve industrial espionage (IBM, n.d.).
Financial Theft & Fraud
The risk of financial fraud and theft in e-commerce is very high. Opportunistic criminals as well as organized syndicates routinely target online businesses and consumers with a variety of scams, identity theft and other forms of economic crime. Common tactics involve stealing credit card information, invoice fraud, stolen identity and forgery. These tactics can be used to steal millions of dollars from unsuspecting businesses and devastate the financial lives of individuals.
Denial of Service
E-commerce businesses are especially vulnerable to technical threats that attack confidentiality, integrity and availability. This is because e-commerce businesses are reliant on multiple layers of technology in order to successfully operate each day. This includes web hosting, content management systems, payment processors, online banking, automation software and many others. Each of these elements must function effectively in order to create a seamless customer experience from start to finish.
An attacker could easily disrupt the operations of an e-commerce business by attacking a single element of the e-commerce infrastructure. For example, by flooding a website with a large volume of randomized traffic an attacker can make the e-commerce site inoperable. Until this traffic is blocked or the attacker stops, users will not be able to make purchases, check their order status or contact the company. Many e-commerce businesses deal in the sale of tangible goods with relatively low profit margins. If the operations of a business are disrupted for long enough the business could become financially insolvent (CISA, 2021).
Industrial Espionage
Industrial espionage is when competitors engage in the theft of trade secrets and proprietary information from another organization for the purpose of financial gain. With the widespread adoption of technology these activities have become far easier than ever before. e-Commerce businesses that store valuable information such as customer databases, proprietary information & software and other digital or information assets are at risk of industrial espionage.
Companies that focus on SaaS and other technical services may become targets for industrial espionage. These types of businesses leverage the competitive advantage of their proprietary software and data to provide a valuable service to the marketplace. Other companies may seek to acquire this information through illicit means for a variety of purposes. This may be to reverse engineer the product, to use it for other applications such as military use, or to release it publicly to sabotage their competition. For a company that gains most of its profit from a single product or service this could completely eliminate their competitive advantage (Ekran, 2023).
Mitigating Risk in e-Commerce
Although there are many risks to using e-commerce for both businesses and consumers it is unrealistic to avoid transacting online because of the existing threats. There are many pros to using e-commerce for individuals and businesses which benefit society as a whole. However, these benefits can only be experienced if the threats and risks to using e-commerce are reduced to a manageable level. This can be accomplished through a variety of security controls and protection mechanisms designed to prevent attackers from engaging in malicious activity.
Encryption
Encryption is a method of transforming plain text data into what is known as cipher text, an unrecognizable format that is useless in the hands of an attacker who does not hold the key. Encryption is commonly used in website security through transport layer security (TLS), which is still commonly referred to by the name of its predecessor, secure sockets layer (SSL). Websites that use HTTPS, usually indicated by a lock icon in the browser's address bar, are protected with encryption in transit. Although this is not a foolproof security control, it is good for companies to implement this on their customer-facing websites where products are sold. Encryption can also be used elsewhere, such as when protecting customer data sets, financial information, communications, trade secrets and proprietary information. Utilizing encryption has become the standard for online activity when using most website managers, e-commerce platforms such as Shopify or BigCommerce, and a variety of other services.
Authentication
Authentication is the practice of verifying the identity of a user or device based on numerous attributes that vary from service to service. Using effective authentication practices for merchant accounts, employee accounts and customer accounts is essential for verifying authorized users. This ensures that only the people with the correct authorization can access sensitive data, accounts and programs utilized by the organization. When authentication is not used an attacker may be able to bypass rudimentary access control mechanisms such as basic password protection (Kaushal, 2022).
Customers should be encouraged, and sometimes even required, to use multi-factor authentication, which leverages multiple attributes and characteristics to effectively identify an authorized user. This may be through the use of one-time password (OTP) software, time-based one-time passwords (TOTP) or other methods of authentication. Although this is not hack-proof, it provides much more security than a simple username and password mechanism.
Transaction Monitoring
e-Commerce businesses should utilize services for financial transaction monitoring to ensure that fraud or theft is quickly identified and stopped. These services can be conducted through an in-house accounting team or purchased as an external service. This service will offer tools similar to those of an intrusion detection and prevention system (IDPS) but centered around financial data.
Activity such as large withdrawals, foreign transfers, unknown users and other activity associated with fraud or theft will be isolated for further review by security and accounting professionals. This practice can flag unauthorized transactions and stop them before the funds become unrecoverable. The resulting records can also be used to help law enforcement and other governing organizations investigate fraud and catch those responsible.
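A minimal version of the rules just described, written as an added example rather than any vendor's product: each transaction is checked for a large withdrawal, a transfer outside the home country, an unknown user, and (beyond what the text lists) a burst of activity from one user in a short window. The thresholds, the record layout and the sample transactions are all constructed here for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Txn:
    txn_id: str
    user: str
    amount: float
    country: str   # ISO country code where the transaction originated
    kind: str      # "purchase", "withdrawal" or "transfer"
    ts: int        # Unix seconds


def flag_transactions(txns, known_users, home_country="US", large_amount=5000.0,
                      burst_count=3, burst_window=300):
    """Return [(txn_id, [reasons])] for every transaction that needs review."""
    alerts = []
    recent = defaultdict(list)            # user -> timestamps inside the burst window
    for t in sorted(txns, key=lambda x: x.ts):
        reasons = []
        if t.user not in known_users:
            reasons.append("unknown user")
        if t.kind == "withdrawal" and t.amount >= large_amount:
            reasons.append("large withdrawal")
        if t.kind == "transfer" and t.country != home_country:
            reasons.append("foreign transfer")
        window = recent[t.user]
        window.append(t.ts)
        window[:] = [ts for ts in window if t.ts - ts <= burst_window]
        if len(window) >= burst_count:
            reasons.append("burst of %d in %ds" % (len(window), burst_window))
        if reasons:
            alerts.append((t.txn_id, reasons))
    return alerts


# Constructed sample data: two known customers and one account never seen before.
KNOWN_USERS = {"alice", "bob"}
SAMPLE_TXNS = [
    Txn("t1", "alice", 120.0, "US", "purchase", 1000),
    Txn("t2", "bob", 7500.0, "US", "withdrawal", 1100),
    Txn("t3", "alice", 300.0, "DE", "transfer", 1200),
    Txn("t4", "mallory", 45.0, "US", "purchase", 1300),
    Txn("t5", "alice", 20.0, "US", "purchase", 1250),
    Txn("t6", "alice", 20.0, "US", "purchase", 1260),
]

if __name__ == "__main__":
    for txn_id, reasons in flag_transactions(SAMPLE_TXNS, KNOWN_USERS):
        print(txn_id, "->", ", ".join(reasons))
```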
Security Awareness Training
One of the most useful and most overlooked practices for enhancing the security of an organization is cybersecurity and information security awareness training. Members of an organization at every level, regardless of their role, should receive effective security awareness training. This type of training commonly includes basic details on common threat actors, attacks and suspicious activities to look out for. Non-technical employees do not need to be cybersecurity experts, but they should be able to spot suspicious activity.
If this is combined with a layered security approach of operational, administrative and technical security controls the organization will have greatly strengthened their ability to defend against internal and external threats. Additional tools such as data loss prevention (DLP), IDPS software, security information and event management (SIEM) and a security focused design of the IT infrastructure will ensure that the organization is well protected against most threats.
Conclusion
e-Commerce has quickly evolved over the last two decades from being perceived as a fleeting trend into a multi-trillion dollar industry that drives a large portion of the global economy. With the countless benefits brought to the world through e-commerce there are also a number of serious risks and threats to both businesses and consumers who transact online. The risks and threats associated with e-commerce include financial fraud, theft, reputation damage and privacy concerns. These drawbacks to using e-commerce can be overcome with a layered security approach involving techniques such as authentication, encryption, financial monitoring, intrusion detection and prevention software and effective security training.
References
Carpenter, Perry. (2021, April 16). Cybersecurity And Nation-State Threats: What Businesses Need To Know. Forbes. https://www.forbes.com/sites/forbesbusinesscouncil/2021/04/16cybersecurity-and-nation-state-threats-what-businesses-need-to-know/?sh=1aa8f37d7c21.
CISA. (2021, February 1). Understanding Denial-of-Service Attacks. https://www.cisa.gov/news-events/news/understanding-denial-service-attacks.
CrowdStrike. (2023, February 28). What Is a Threat Actor. https://www.crowdstrike.com/cybersecurity-101/threat-actor/.
Ekran. (2023, March 24). Industrial & Corporate Espionage: What Is It, Cases & Best Prevention Practices. https://www.ekransystem.com/en/blog/prevent-industrial-espionage.
Federal Bureau of Investigation (FBI). (2016, November 1). A Primer on DarkNet Marketplaces. https://www.fbi.gov/news/stories/a-primer-on-darknet-marketplaces.
International Business Machines Corporation (IBM). (n.d.). What is social engineering. https://www.ibm.com/my-en/topics/social-engineering.
Imprivata. (2020, July 2). How reputational damage from a data breach affects consumer perception. https://www.imprivata.com/blog/reputation-risks-how-cyberattacks-affect-consumer-perception.
Indeed. (2023, March 10). What Is Consumer to Business (C2B): Definition and Examples. Indeed Editorial Team. https://www.indeed.com/career-advice/career-development/consumer-to-business.
Kaushal, Divya. (2022, March 23). The Ultimate Guide to eCommerce Security. Net Solutions. https://www.netsolutions.com/insights/the-ultimate-guide-to-ecommerce-security/#common-ecommerce-security-threats.
ProofPoint. (2023). 2023 State of the Phish: Threat Report. https://www.proofpoint.com/us/resources/threat-reports/state-of-phish.