Go hack yourself with Detectify

A web security blog from Detectify

7 most common e-commerce security mistakes

November 17, 2016

The first step of running an online store is simple: do not. In the majority of cases, hosting the platform is an unnecessary headache and opting for an e-commerce-as-a-service solution can be a much better alternative. However, if you have taken the plunge and are hosting your e-commerce site yourself using one of the more popular CMS solutions, keeping your online store secure is a top priority. Being aware of the most common security mistakes in e-commerce can help you identify and prevent security issues.

7 most common e-commerce mistakes

Price manipulation

When a product was added to the shopping cart, two values were sent to the server in a POST request: the article ID and its price. An attacker could simply intercept the request and change the price. This vulnerability peaked a few years ago and, while this specific method rarely works today, variations of it are still in use.

One of many is to change the currency instead, which can sometimes be exploited when an external payment processor has been integrated with a faulty configuration: the shop passes the amount and currency it received to the processor, and the processor charges whatever it is told. Changing the currency of an order from USD to KRW (South Korean won) makes the processor charge the same number of units in won, roughly a thousandth of the intended price.

This kind of manipulation can also be part of the aftermath of a breach. If an attacker comes across login credentials for an admin account, they can log in and change the price of a product before ordering it, or add a discount code that gives them 100% off. If many employees can perform such actions, it is extremely important to design the system so that damage is limited if an attacker gains admin access, for example by restricting who can change prices or create discounts and by logging and reviewing those changes.
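The intercepted-POST and currency-switch variants above come down to the same bug: the server trusts price data that came from the client. The following is an added example, not code from the Detectify post, showing a checkout that trusts the request beside one that derives price and currency from server-side data and then verifies the payment processor's callback against the stored order. The catalog, the order structure and the callback payload are constructed for the example; verification of the callback's signature is processor-specific and is assumed to happen before confirm_payment is called.

```python
# Added example (not from the original post): client-trusting checkout vs.
# a hardened one. Catalog and callback payloads are constructed inline.
from dataclasses import dataclass

# Server-side source of truth: article ID -> unit price in minor units (cents).
CATALOG = {"A100": 4999, "A200": 1500}
STORE_CURRENCY = "USD"
MAX_QUANTITY = 10


@dataclass
class Order:
    article_id: str
    quantity: int
    amount: int          # total in minor units
    currency: str
    fulfilled: bool = False


def add_to_cart_vulnerable(post):
    """The classic bug: price and currency are taken from the POST body as-is,
    so an intercepted request can set price=1 or currency=KRW."""
    quantity = int(post["quantity"])
    return Order(post["article_id"], quantity,
                 int(post["price"]) * quantity,
                 post.get("currency", STORE_CURRENCY))


def add_to_cart_hardened(post):
    """Price comes from the catalog and currency from store configuration;
    any price-related fields in the request are ignored, and the quantity
    is bounded."""
    article_id = post["article_id"]
    if article_id not in CATALOG:
        raise ValueError("unknown article")
    quantity = int(post["quantity"])
    if not 1 <= quantity <= MAX_QUANTITY:
        raise ValueError("invalid quantity")
    return Order(article_id, quantity, CATALOG[article_id] * quantity, STORE_CURRENCY)


def confirm_payment(order, callback):
    """Called when the external processor reports a payment for the order.
    The reported amount and currency must match the stored order exactly:
    a callback saying 100 KRW was paid for a 4999 USD order is rejected
    instead of fulfilling the order. (Signature verification of the
    callback is assumed to have happened before this point.)"""
    if callback.get("status") != "paid":
        return False
    if int(callback["amount"]) != order.amount or callback["currency"] != order.currency:
        return False
    order.fulfilled = True
    return True


if __name__ == "__main__":
    tampered = {"article_id": "A100", "quantity": "1", "price": "1", "currency": "KRW"}
    print("vulnerable:", add_to_cart_vulnerable(tampered))
    print("hardened:  ", add_to_cart_hardened(tampered))
```

The hardened cart never reads a price or currency from the request, and the payment confirmation compares what the processor actually charged with what the order says it should have charged, so a currency switch at either stage ends in a rejected order rather than a shipped one.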

Transferring funds between gift cards

Race conditions are often overlooked, and one place where they can be exploited is the transfer of funds between two gift cards: if two transfers from the same card are processed at the same time, both may pass the balance check before either has debited the card.

A real-life example of this vulnerability involved three Starbucks gift cards, where concurrent transfers between the cards left the attacker with more money than they started with. This may sound like a very advanced and elaborate attack, but it is actually easy to exploit, which is why we will probably see more exploits of this type in the future.
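To make the race concrete, here is an added example (not code from the post or from the Starbucks case) in which two transfers from the same gift card run in parallel. The unsafe version reads the balance, checks it, and only then writes the debit; a Barrier stands in for the window between the read and the write so the bad interleaving is reproducible rather than timing-dependent. The safe version performs the check and the debit inside one critical section. Card balances are constructed in-memory stand-ins for database rows.

```python
# Added example (not from the original post): check-then-act race on
# gift card transfers, and the same transfer done atomically.
import threading


def transfer_racy(cards, src, dst, amount, window=None):
    """Check-then-act with no locking. The balance read for the check is
    reused for the write, and nothing stops a second request from passing
    the same check in between."""
    balance = cards[src]
    if balance < amount:
        return False
    if window is not None:
        window()  # stands in for the latency between SELECT and UPDATE
    cards[src] = balance - amount
    cards[dst] = cards[dst] + amount
    return True


def transfer_safe(cards, src, dst, amount, lock):
    """Check and debit inside one critical section, so the second transfer
    sees the already-debited balance and is refused."""
    with lock:
        if cards[src] < amount:
            return False
        cards[src] -= amount
        cards[dst] += amount
        return True


def run_concurrent_transfers(safe):
    """Card A holds 100; two requests each try to move 100 from A, one to
    B and one to C, at the same moment. Returns final balances and the
    per-request results."""
    cards = {"A": 100, "B": 0, "C": 0}
    results = []
    lock = threading.Lock()
    barrier = threading.Barrier(2)  # both requests pass the check, then write

    def worker(dst):
        if safe:
            ok = transfer_safe(cards, "A", dst, 100, lock)
        else:
            ok = transfer_racy(cards, "A", dst, 100, window=barrier.wait)
        results.append(ok)

    threads = [threading.Thread(target=worker, args=(d,)) for d in ("B", "C")]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return cards, results


if __name__ == "__main__":
    print("racy:", run_concurrent_transfers(safe=False))  # 200 in circulation
    print("safe:", run_concurrent_transfers(safe=True))   # still 100
```

Against a real database the in-process lock becomes a single conditional statement executed in a transaction, for instance UPDATE gift_cards SET balance = balance - 100 WHERE id = 'A' AND balance >= 100, with the transfer aborted unless exactly one row was updated. The point is the same: the balance check and the debit must not be separable by another request.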

Gift cards with incrementing IDs

It might sound strange, but when generating gift cards it is surprisingly common to simply increment the card ID. If an attacker gets hold of a gift card with the ID 12345, they can try 12346 and spend someone else's money. This sounds like a simple and obvious mistake, but unfortunately it is not unheard of.

Coupon codes

It doesn’t end with gift cards – sometimes, attackers can also guess coupon codes.

Imagine that you have generated two different coupon codes, one that gives customers 10% off and is intended to be spread online, and one that gives 50% off and is sent only to close friends. In this example, the code for the first coupon is superCheap_10, while the one for the second coupon is superCheap_50. The problem should be clear and is the same as with incrementing gift card IDs: anyone who sees the public code can guess the private one. It might seem ridiculous and incredibly obvious, but it is surprisingly common.
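Both of the last two mistakes, incrementing gift card IDs and coupon codes that encode their own value, have the same fix: the code is a random string from a cryptographic generator, and what it is worth is looked up server-side. The following added example (not from the post) issues such codes, stores only a hash of each so a database leak does not hand out every live card or coupon, and puts a number on how guessable a sequential scheme is compared with a random one. The alphabet, code length and store structure are choices made for the example.

```python
# Added example (not from the original post): unguessable gift card and
# coupon codes with the value kept server-side.
import hashlib
import math
import secrets

# Constructed alphabet: 32 unambiguous symbols (no 0/O or 1/I), 5 bits each.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LENGTH = 16  # 16 * 5 = 80 bits of entropy per code


def generate_code(length=CODE_LENGTH, alphabet=ALPHABET):
    """Random code from a CSPRNG; nothing in it is derived from a counter
    or from the discount or balance it represents."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def code_entropy_bits(length=CODE_LENGTH, alphabet=ALPHABET):
    return length * math.log2(len(alphabet))


def expected_guesses_per_hit(length, alphabet_size, issued):
    """Average guesses until an attacker hits any one of `issued` live codes
    in a keyspace of alphabet_size ** length. For sequential IDs the real
    figure is 1: the next valid ID is the current one plus one."""
    return alphabet_size ** length / issued


def _fingerprint(code):
    # The stored key is a hash of the code. With 80 bits of entropy per
    # code an unsalted SHA-256 is enough; low-entropy codes would need
    # a slow, salted hash like a password.
    return hashlib.sha256(code.strip().upper().encode()).hexdigest()


class CodeStore:
    """Discount percentage or card balance lives here, keyed by code hash."""

    def __init__(self):
        self._records = {}

    def issue(self, value):
        code = generate_code()
        self._records[_fingerprint(code)] = {"value": value, "redeemed": False}
        return code

    def redeem(self, code):
        """Returns the stored value on first use, None for unknown or used codes.
        Unknown and already-redeemed codes get the same answer so a guesser
        cannot tell which IDs have ever existed."""
        record = self._records.get(_fingerprint(code))
        if record is None or record["redeemed"]:
            return None
        record["redeemed"] = True
        return record["value"]


if __name__ == "__main__":
    store = CodeStore()
    public = store.issue(10)
    private = store.issue(50)
    print(public, private, code_entropy_bits(), "bits each")
    print("5-digit sequential, 1000 live:", expected_guesses_per_hit(5, 10, 1000), "guesses")
```

A 5-digit numeric ID with a thousand cards in circulation falls to a scripted guesser in about a hundred attempts on average (and in one attempt if the IDs are sequential and the attacker holds one card); the 80-bit codes above would take on the order of 10^21 attempts per live code, which is why the redemption endpoint can additionally be rate limited without the limit doing all the work.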

Figuring out the stock

An attacker might be able to figure out your stock by increasing the quantity of a product in their shopping cart until the website says the product is unavailable; with a handful of requests and a binary search, the exact number falls out. Information about how much of a specific product you have in stock could be used by a competitor to work out your future campaigns ahead of time and foil your plans. For example, the competitor could buy the same product, put together a better campaign and push it to the public before you.
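The following added example (not code from the post) runs that probe against two add-to-cart implementations: one that accepts any quantity up to the exact stock level, and one that caps the quantity per order so the accept/reject answer only reveals whether at least the cap is in stock. Stock levels, the cap and the search bound are constructed for the example.

```python
# Added example (not from the original post): stock enumeration through the
# add-to-cart endpoint, and a per-order cap that blunts it.
MAX_PER_ORDER = 10


def add_to_cart_vulnerable(stock, requested):
    """Accepts any quantity up to the exact stock level, so the yes/no answer
    is a precise oracle for the stock count."""
    return 1 <= requested <= stock


def add_to_cart_hardened(stock, requested):
    """Caps the quantity per order. Above the cap the answer is always 'no',
    so the oracle only reveals whether at least MAX_PER_ORDER are in stock."""
    if not 1 <= requested <= MAX_PER_ORDER:
        return False
    return requested <= stock


def probe_stock(add_to_cart, upper_bound=1_000_000):
    """What the attacker runs: binary search over quantities, returning the
    largest quantity the shop accepts and how many requests it took."""
    lo, hi, requests = 0, upper_bound, 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        requests += 1
        if add_to_cart(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo, requests


if __name__ == "__main__":
    stock = 347  # constructed stock level
    print("vulnerable:", probe_stock(lambda q: add_to_cart_vulnerable(stock, q)))
    print("hardened:  ", probe_stock(lambda q: add_to_cart_hardened(stock, q)))
```

Against the vulnerable endpoint the probe pins the stock to 347 in about twenty requests; against the capped one it learns only that at least ten are available. The cap does not hide stock levels below the cap, so for low-stock items a generic "not available in that quantity" message and per-session rate limiting on cart updates are the remaining controls.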

DDoSing competitors

DDoSing a competitor is something that becomes popular from time to time, although we have not seen much of it recently. If a competitor's site is down, they cannot sell anything, so customers start looking for alternatives and may turn to the attacker's online store instead. To make matters worse, considerable downtime also damages your reputation, so even when your site is back online, the consequences of the attack remain.

Thanks to services like Cloudflare this is a problem that can be overcome, and we would certainly recommend looking into DDoS protection. Moving a site behind such a service involves DNS changes that take time to propagate, so this is a preventive measure that needs to be taken before an attack, not during one. Make sure the origin server is not still reachable directly on its old IP address afterwards, or the protection can simply be bypassed.

Stolen credit cards

While attackers seldom use stolen credit cards with the intention of damaging a business's reputation, the issue is still one that retailers are familiar with and want to prevent.

The attacker gets hold of a batch of credit card numbers, knowing they are stolen and will soon be reported as such. They use the cards to buy products online, and once the bank finds out what has happened, a chargeback is issued. A chargeback means a lot of extra work for the business owner as well as a fee that can often be quite high. If the order has already been shipped, the shop owner also has to deal with the headache of trying to retrieve the products.

At the checkout it is vital to make sure the customer is actually using their own credit card, but at the same time the process should be as smooth as possible so as not to scare away legitimate buyers. Finding the right balance between security and a user-friendly process is a challenge, but awareness of the security issues in e-commerce is the first step towards running a safer online store.

How Detectify can help

Detectify scans your website for over 700 vulnerabilities, including security issues that frequently occur in popular e-commerce solutions. Continuous security monitoring can help you keep an eye on your e-commerce store and avoid the most common mistakes. Sign up for a free trial and check your store’s security »

Read more about e-commerce security:
How to choose the right e-commerce platform
Are you ready for Black Friday? Why retailers should care about web security