
E-commerce security: the majority of online stores don't force HTTPS

November 22, 2016

Online retail has been around since the early days of the internet and has grown dramatically over the last two decades. Two of today’s biggest players in the field, Amazon and eBay, launched in 1995 and today, shopping online is an everyday task. In Sweden, where Detectify is based, about 85% of the population have bought something online within the last year. To find out whether retailers are aware of e-commerce security risks, we have looked into the HTTPS configurations of 915 Swedish online stores. The results show that it is high time for online stores to catch up with security best practices.


With great e-commerce comes great responsibility

Even though the online store itself does not handle credit card credentials, consumers expect it to be trustworthy. Most regular users don’t know that credentials are sent to a payment processor through an iframe or an external page. This is something retailers often forget, but it certainly shows that there is great responsibility in e-commerce. A security breach can have a devastating impact on business and it can take a long time and plenty of effort to win back consumers’ trust.

Over 60% of e-commerce sites lack HTTPS by default

It would be possible to measure security in a variety of ways, but to get a quick overview we decided to scan 915 online stores active in Sweden to see whether or not they force HTTPS. We did this using publicly listed information and a Python script that tries to connect to each target over plain HTTP and follows the redirects.

If the redirects lead to an HTTP site, any attacker with access to the network can intercept the credit card details, potentially leading to grave consequences. An everyday user cannot be expected to switch to HTTPS manually, so all requests must be automatically redirected to an HTTPS site for HTTPS to serve its purpose.
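The check described above, written out as an added example (not the script used for the survey): start from the store's http:// URL, follow each redirect hop yourself, and treat the site as forcing HTTPS only if the final URL is https://. The hosts in FAKE_RESPONSES are constructed so the example runs offline; live_fetch is the network-backed variant of the same hop function.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit
REDIRECT_CODES = {301, 302, 303, 307, 308}

def follow_redirects(start_url, fetch, max_hops=10):
    """Return every URL visited; fetch(url) yields (status, Location or None)."""
    chain, url = [start_url], start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return chain
        url = urljoin(url, location)  # relative Location resolved against sender
        chain.append(url)
    raise RuntimeError(f"more than {max_hops} redirects from {start_url}")

def forces_https(host, fetch):
    """True only if a plain-HTTP request ends on an https:// URL."""
    chain = follow_redirects(f"http://{host}/", fetch)
    return urlsplit(chain[-1]).scheme == "https", chain

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # keep urllib from following, so each hop is visible

def live_fetch(url, timeout=10):
    """One network hop; with redirects disabled a 3xx surfaces as HTTPError."""
    try:
        with urllib.request.build_opener(_NoRedirect).open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

# Constructed responses for hypothetical hosts so the example runs offline.
FAKE_RESPONSES = {
    "http://shop-b.example/": (200, None),                         # never leaves HTTP
    "http://shop-c.example/": (302, "http://www.shop-c.example/"),  # two hops to HTTPS
    "http://www.shop-c.example/": (301, "https://www.shop-c.example/"),
    "https://www.shop-c.example/": (200, None),
    "http://shop-d.example/": (301, "/start"),                      # relative, still HTTP
    "http://shop-d.example/start": (200, None),
}

def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))

def survey(hosts, fetch=fake_fetch):
    """Per-host verdicts plus the percentage of hosts that force HTTPS."""
    results = {h: forces_https(h, fetch)[0] for h in hosts}
    return results, 100.0 * sum(results.values()) / len(results)
```

Passing `fetch=live_fetch` to `survey` runs the same logic against real hosts; the hop cap guards against redirect loops.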


Only 37 % of the sites we analysed force HTTPS

With the results in hand this is indeed a bit worrying, and the question is whether the site owners understand the magnitude of the risks involved. HTTPS is one of the easiest security measures to implement, and when it is not in place, it can be assumed that the majority of other preventive steps have been ignored as well. In total, only 37% of all scanned sites used HTTPS by default.

Consumer culture seems to have changed faster than businesses' security awareness. News about hacker attacks and privacy issues has made people more aware of security, but e-commerce is still somewhat slow-moving. Business owners will eventually need to catch up on security and realise that they are not only running a website, but handling sensitive data and risking their customers' trust.

Security as a competitive advantage

It is no longer possible to compete on price alone, because a consumer can easily find the cheapest option using services like Pricerunner. Instead, what matters is the overall reputation of a brand, based on a number of factors including security.

An e-commerce site that has been hacked will have a hard time bouncing back, as consumers will no longer trust it with their credit card details. The good news is that prioritising security is a wise strategic decision that not only makes the internet a more secure place, but is also good for business.

Leaks and automation

Make no mistake, online stores do get hacked. We have written before about big companies and services falling victim to hackers, and e-commerce is no exception. Leaked credit card details are so common nowadays that they can be sold for just a few dollars online, on marketplaces available to anyone with a few hours to spare. Many stolen credit card credentials come from smaller leaks, but larger leaks involving millions of credit card details are not unheard of.

One of the more interesting attacks that has recently grown in popularity is hacking smaller online stores and including a piece of JavaScript that intercepts the credit card details entered by an unsuspecting user. Such an attack can often be automated, and as no server-side code needs to be modified, it can take a while before someone discovers it. Gathering a list of thousands of e-commerce sites, as we did at the beginning of this article, and running an automated script against each one of them is easier than manually focusing on a specific target.

Research has shown that thousands of sites are affected by this, and the hidden statistic is probably far larger than one would want to imagine.

Author: Linus Särud, Security Researcher

Twitter: @_zulln