5 Tips to Ensure a Safe Holiday Shopping Season

In 2020, almost 60% of shoppers began holiday purchases by early November, and this year’s consumers will likely start sooner. This year, eCommerce sales are estimated to reach a staggering $908.73 billion, as the pandemic monumentally boosted online interactions. To meet the immense consumer demand, many businesses have spent the last year preparing resources for online storefronts.

The pandemic has also made security more important than ever. Even as more people are shopping from home, cybersecurity incidents have risen. According to MarketWatch, last year the total loss resulting from COVID-19-related eCommerce fraud amounted to more than $59 million in the United States alone.

Here are five actions online retailers can take to ensure a successful and safe holiday shopping season.

1. Fortify your site(s) against Account Takeover (ATO) attacks

An account takeover (ATO) attack occurs when a malicious third party obtains the credentials of legitimate users in order to take control of their accounts.

eCommerce retailers with inadequate ATO prevention can suffer in numerous ways, including loss of revenue from products shipped to thieves, payment chargebacks from customers whose accounts were compromised, loss of reputation/customer goodwill, and potential punitive fines from privacy regulators.

ATO is difficult to defend against, because hackers can wage these attacks in a variety of ways. The threat vectors include:

  • Brute force attacks on your site: One of the most common ATO techniques is credential stuffing, where bots “stuff” credential sets (that were stolen from other systems) into login forms. Another brute-force tactic is credential discovery, where attackers attempt to discover credential sets by trying large numbers of possible combinations. 
  • Attacks on your team members: Hackers use social engineering techniques to trick insiders into granting access to accounts, or performing other activities which enable the ATO to occur. An old, but still frequently used, tactic is to send emails with malicious payloads to employees. When someone opens the attachment, or clicks on a link to a malicious website, hackers can gain a foothold into your system. In the worst case, a system breach is made possible. This not only enables a massive ATO event (since threat actors can gain access to credential data troves such as emails, account security questions and answers, usernames, passwords, etc.), but even worse incidents such as ransomware become possible.
  • Attacks on your customers: Hackers use phishing campaigns to trick recipients into visiting false login pages. Whatever credentials are entered will be captured by the attacker, and then used to hijack the accounts.

So what can eCommerce sites do?

There are a number of security measures that can help protect against account takeovers.

Rate Limiting is one of the most important security tools for defeating ATO attacks, especially those using brute-force tactics. (In fact, it will block any malicious activity that relies upon a larger-than-normal volume of requests.) Some security solutions don’t offer rate limiting, while others offer only rudimentary forms of it. You should ensure that yours offers a full set of rate-limiting capabilities, and that your active security policies include rate limit enforcement.
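
To make the rate-limiting point concrete, here is an added example (not code from the original post or from any vendor) of a sliding-window limiter for a login endpoint. It keys on both the client IP and the target account, and it also flags the credential-stuffing pattern described above: one IP cycling through many different usernames. The window size, thresholds, IP addresses and usernames are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed policy values (assumptions, not from the post).
WINDOW_SECONDS = 60
MAX_ATTEMPTS_PER_IP = 20           # all login attempts from one IP per window
MAX_FAILURES_PER_ACCOUNT = 5       # failed attempts against one account per window
MAX_DISTINCT_USERS_PER_IP = 10     # one IP cycling many usernames = stuffing signal

def _trim(q, now):
    # Drop timestamps that have left the sliding window.
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()

class LoginRateLimiter:
    """Sliding-window limiter for a login endpoint, keyed by client IP and by account."""

    def __init__(self):
        self.by_ip = defaultdict(deque)        # ip -> timestamps of all attempts
        self.by_account = defaultdict(deque)   # username -> timestamps of failures
        self.users_seen = defaultdict(dict)    # ip -> {username: last attempt time}

    def check(self, ip, username, now):
        """Decide before the password is checked: 'allow' or a block reason."""
        ip_q, acct_q = self.by_ip[ip], self.by_account[username]
        for q in (ip_q, acct_q):
            _trim(q, now)
        # Windowed view of the distinct usernames this IP has tried recently.
        seen = {u: t for u, t in self.users_seen[ip].items() if now - t <= WINDOW_SECONDS}
        if len(ip_q) >= MAX_ATTEMPTS_PER_IP:
            return "block:ip-rate"
        if len(acct_q) >= MAX_FAILURES_PER_ACCOUNT:
            return "block:account-lockout"
        if username not in seen and len(seen) >= MAX_DISTINCT_USERS_PER_IP:
            return "block:credential-stuffing"
        return "allow"

    def record(self, ip, username, success, now):
        """Record an attempt that was allowed through; only failures count per account."""
        self.by_ip[ip].append(now)
        self.users_seen[ip][username] = now
        if not success:
            self.by_account[username].append(now)

def simulate_stuffing(limiter, ip="198.51.100.7"):
    """Constructed run: one IP tries 15 different usernames, one per second."""
    verdicts = []
    for i in range(15):
        user = f"user{i}@example.com"
        verdicts.append(limiter.check(ip, user, now=float(i)))
        if verdicts[-1] == "allow":
            limiter.record(ip, user, success=False, now=float(i))
    return verdicts
```

In production the per-IP counters would live in a shared store (such as Redis) so that every edge node sees the same window, and the stuffing signal would usually raise a challenge rather than a hard block, to limit false positives behind carrier NAT.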

Bot management is another crucial security tool. Most ATO attacks use bots. Therefore, if your security solution can detect and block them, the attacks will fail.

Regular employee training on social engineering prevention, email hygiene, and other security topics is a must. Although training sessions can seem to be a tedious hindrance to more productive activities, employee mistakes are still one of the most common vectors to system breaches. Don’t underestimate the importance of this.

Preserving customer account integrity is another important tactic. You can’t prevent your customers from being fooled by phishing campaigns, but you can make it more difficult for the attackers to use whatever credentials they manage to steal. For example, encourage your customers to activate 2FA (two factor authentication) for their accounts. Treat login attempts more suspiciously when the customer’s geolocation has suddenly changed. Set up ACLs (Access Control Lists) to block access attempts originating from known-hostile IPs, ASNs, and countries. And so on.

2. Ensure you have a global CDN that is secure

A CDN (Content Delivery Network) is a network of servers spread across a geographical area. As the name implies, a CDN distributes content, and therefore enhances the responsiveness and loading speeds for sites and web applications. For retailers that use them, they not only improve the customer experience, they can also improve search engine rankings.

CDNs play an important role in web security. For example, they can help mitigate the impact of DDoS attacks. This has led some prominent CDN providers to add security features to their services, and they now market these tools as full web security solutions. However, despite these claims, these providers do not provide full protection.

You might expect that, since CDN infrastructure is separate from your own, its security is not your concern. Nevertheless, there’s a lot you can do to secure your CDN against abuse, and it’s important to do so.

For example, one prominent CDN attack is called CPDoS (cache-poisoned denial of service). An attacker will wait until a CDN cache entry expires, so that the next request for that URL will not be served by the CDN; it will be passed to the web application server instead. The attacker then sends a request that will cause the server to generate an error, which the CDN then caches. Subsequently, for the full length of the cache lifetime, your CDN will be serving error messages to your customers instead of the actual content. Since CDN-served resources (images, graphics, videos, icons, buttons and other UI controls, etc.) can make up the majority of a web application’s content, a poisoned cache can ruin the experience of your customers.
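
The following is an added example (not from the original post or any CDN vendor) that models the cache behaviour behind CPDoS. A toy edge cache runs in two modes: one that stores whatever the origin returns on a miss, which is the failure mode described above, and a hardened one that stores only successful responses and serves the last good copy while the origin is erroring. The TTL, URL, and the way the constructed origin is made to fail are assumptions.

```python
# Constructed TTL and responses (assumptions, not from the post).
TTL_SECONDS = 300

class EdgeCache:
    """Toy CDN edge cache in front of an origin.

    cache_errors=True reproduces the CPDoS failure mode described above: whatever
    the origin returns on a miss, including an error, is stored for the full TTL.
    cache_errors=False is the hardened policy: only successful responses are
    stored, and the last good copy is served while the origin is erroring
    (stale-on-error), so one bad response can never replace a good one.
    """

    def __init__(self, origin, cache_errors):
        self.origin = origin            # callable: (url, headers) -> (status, body)
        self.cache_errors = cache_errors
        self.store = {}                 # url -> (status, body, expires_at)

    def get(self, url, headers, now):
        """Return (status, body, source) where source is 'hit', 'miss' or 'stale'."""
        entry = self.store.get(url)
        if entry and entry[2] > now:
            return entry[0], entry[1], "hit"
        status, body = self.origin(url, headers)
        if status == 200 or self.cache_errors:
            self.store[url] = (status, body, now + TTL_SECONDS)
        elif entry:                     # origin failed but an old good copy exists
            return entry[0], entry[1], "stale"
        return status, body, "miss"

def origin(url, headers):
    """Constructed origin: serves the asset, but answers a malformed request with a 400."""
    if headers.get("malformed"):
        return 400, "Bad Request"
    return 200, f"<binary contents of {url}>"

def simulate(cache_errors):
    """Constructed timeline: asset cached at t=0, TTL expires, a single
    error-inducing request reaches the origin on the miss, then a real customer asks."""
    cache = EdgeCache(origin, cache_errors)
    cache.get("/static/logo.png", {}, now=0)
    cache.get("/static/logo.png", {"malformed": True}, now=TTL_SECONDS + 1)
    status, _body, source = cache.get("/static/logo.png", {}, now=TTL_SECONDS + 2)
    return status, source
```

With the permissive policy the customer after the poisoning receives the cached 400 for the rest of the TTL; with the hardened policy the customer gets a fresh 200 because the error was never stored.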

Attacks like these can be defeated by a good web CDN security solution. The best solutions offer full support for the major CDN providers, and include specific features for using them securely. Before the holiday shopping season arrives, you should ensure that your CDN is well-protected.

3. Harden your Mobile App

According to Statista, global mobile eCommerce sales will hit $3.56 trillion by the end of 2021. 

Many online retailers have found that offering a dedicated mobile app to their customers will significantly increase their sales, compared to using a website alone.

Unfortunately, mobile apps can create security challenges. By default, a mobile application will communicate with your servers in the same way as a web browser. However, many web security technologies are based on browser verification, and by definition, a mobile app does not use a browser. Thus, mobile traffic on its own can be less secure than browser-based traffic.

The best web security solutions address this by offering specific features to harden mobile traffic. Usually the solution providers offer an SDK, so that developers can publish their apps with these features included.

A mobile app that has been built with a security SDK can include a number of custom authentication and authorization features, while communicating with the origin server through a hardened, non-repeating, non-reproducible, HMAC-signed connection. It can also send anonymized user data upstream, including UI events (taps, clicks, pinches, etc.), device metrics, and more, which make it possible for the security solution to use behavioral analysis to identify legitimate users. 
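
As an added example (not the post’s own code, nor any vendor’s SDK) of what an HMAC-signed, non-repeating request looks like in practice, the following client-side signer and server-side verifier bind each request to a timestamp and a random nonce, so a captured request cannot be replayed or altered. The shared secret, clock-skew window and API path are constructed assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed shared secret and policy (assumptions, not from the post). A real
# SDK would provision a per-build or per-device key rather than hard-code one.
SECRET = b"demo-app-secret"
MAX_CLOCK_SKEW = 30    # seconds a signed timestamp may differ from server time

def canonical(method, path, body, ts, nonce):
    """Bytes that both sides sign: method, path, body hash, timestamp, nonce."""
    parts = [method, path, hashlib.sha256(body).hexdigest(), str(ts), nonce]
    return "\n".join(parts).encode()

def sign_request(method, path, body, ts=None, nonce=None):
    """Client (SDK) side: attach a timestamp, a fresh random nonce and an HMAC."""
    ts = int(time.time()) if ts is None else ts
    nonce = os.urandom(16).hex() if nonce is None else nonce
    mac = hmac.new(SECRET, canonical(method, path, body, ts, nonce), hashlib.sha256)
    return {"X-Ts": str(ts), "X-Nonce": nonce, "X-Sig": mac.hexdigest()}

class Verifier:
    """Server side: check the HMAC, reject stale timestamps and reused nonces."""

    def __init__(self):
        self.seen = {}    # nonce -> time after which it can be forgotten

    def verify(self, method, path, body, headers, now):
        try:
            ts, nonce, sig = int(headers["X-Ts"]), headers["X-Nonce"], headers["X-Sig"]
        except (KeyError, ValueError):
            return "reject:missing-headers"
        if abs(now - ts) > MAX_CLOCK_SKEW:
            return "reject:stale"           # outside the window, so old captures are useless
        mac = hmac.new(SECRET, canonical(method, path, body, ts, nonce), hashlib.sha256)
        if not hmac.compare_digest(mac.hexdigest(), sig):
            return "reject:bad-signature"   # body, path or headers were altered
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}  # purge old
        if nonce in self.seen:
            return "reject:replay"          # same signed request seen again
        self.seen[nonce] = now + 2 * MAX_CLOCK_SKEW
        return "accept"
```

The replay cache only needs to remember nonces for twice the skew window, because anything older is already rejected as stale; in a fleet of API servers that cache would be shared.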

All of this makes it easy for the API endpoint to distinguish between genuine mobile users and attackers who are trying to imitate them. The security solution can allow the former while blocking the latter. 

Many security solutions do not offer a mobile SDK, while others offer SDKs that are not fully featured. To fully secure your mobile app, look for a solution that can do everything described above.

4. Ensure your bot management solution can combat the broad range of automated attacks

A bot is a software application that automates activities that a human might otherwise do. Usually, bots will operate faster and/or at a larger scale than would be practical otherwise. 

Hostile bots represent a large, and growing, threat to eCommerce. Last year, Security Boulevard recorded a 788% increase in bad bot traffic to retail websites. This makes robust bot management a must-have.

How can bots harm you?

Threat actors use bots for many different types of web attacks. Here are just a few of them.

Scraping: In online retail, pricing data can be very sensitive, and competitors can gain an unfair advantage by deploying scraper bots to steal it. If your competition gains real-time access to your pricing information or product availability, they will be able to change their pricing to lure customers to their site and away from yours.

Inventory hoarding: This is a more sophisticated form of attack that can prevent your customers from doing business with you. Automated bots place and hold large quantities of stock in their shopping carts, leaving items unavailable to legitimate customers. The inability to buy the items often results in real customers being frustrated with brands/retailers. Any retailer offering real-time stock availability is an attractive target for this type of abuse; inventory hoarding not only damages reputation and customer lifetime value, but also heavily decreases conversion rates.

Vulnerability Scans: These are automated explorations of your website/architecture, designed to find security weaknesses. Threat actors use bots to automatically scan large numbers of systems for known vulnerabilities. When an exploitable system is found, hackers follow up with direct attacks. 

These three threats are only some of the problems that bots create for eCommerce sites and applications. Of all verticals, online retail tends to face the broadest range of bot-based threats. eCommerce sites and applications present a vast array of malicious opportunities for hostile actors. Therefore, having a comprehensive bot detection and management solution to identify and block these bots is crucial, especially during the holiday season.

5. Get strong defenses against DDoS

A DDoS (Distributed Denial of Service) attack seeks to exhaust resources in the victim’s infrastructure, to hinder the operation of its services and applications. The attacker might use DDoS as part of an extortion attempt, or in some cases, DDoS actors are hired by businesses to attack their competitors.

Since DDoS attacks are generally intended to cause the highest possible damage to a company, they are often launched when customer traffic is at its highest. If your site is attacked during the holiday shopping season, you can lose a massive amount of revenue. The more successful you are, the more you can lose: for example, if an online retailer makes $10 million annually, then an outage would cost them an average of $1,142 per hour. (And it’s not unusual for DDoS assaults to last for many days, continuously.)

Many online retailers rely on their cloud providers to defend them against DDoS attacks. Indeed, the big cloud platforms (e.g., AWS and GCP) include DDoS protection tools, fully integrated into their platforms—and some of them are even free. Nevertheless, the cloud platform tools are quite basic. They mitigate attacks on layers 3 and 4 (network and transport), but they’re inadequate for comprehensive protection against more advanced attacks on layer 7 (the application layer). For that matter, even many dedicated DDoS security solutions do not fully protect layer 7, nor can they counter sophisticated threats such as yo-yo DDoS attacks.

Among hostile actors, DDoS extortion is very popular during holiday season, because DDoS creates immediate and direct financial damage to the victims. As an online retailer, you should evaluate (and if necessary, strengthen) your security measures now, before the “DDoS season” begins.

BONUS TIP – Use single-tenant web security

As online retailers consider their web security, there’s an issue that is rarely mentioned: the structure of their chosen security solution.

Almost all web security services are multi-tenant. These services process customer traffic on shared resources outside of the customers’ environments, which creates several problems: worse performance due to routing latency, potential compromises of privacy, and perhaps worst of all, exposure to DDoS attacks aimed at other tenants.

The last thing an eCommerce store owner wants—especially during the holidays—is for its web security solution to slow down performance. But that’s exactly what can happen in a multi-tenant web security model.

All these problems can be avoided by using a single-tenant web security solution; one that filters traffic within the customer’s environment. Here, all processing takes place within the privacy of the customer’s perimeter. There’s no external routing to introduce latency, there’s no potential accidental exposure of sensitive data, and the customer remains immune to, and unaffected by, DDoS attacks aimed at other organizations. 


For online retailers, few things are worse than having a security incident or a prolonged outage during peak holiday season. And holiday season is the most likely time for damaging events to occur; during this period, your infrastructure is stressed with high levels of traffic, your staff is busy and can miss the warning signs of an attack, and this all occurs at the same time that attackers are the most likely to strike. 

It’s never been more important to have robust security in place, capable of protecting against the complexity and frequency of modern attacks. And the best time to evaluate your defenses, and boost them if necessary, is now, before the holiday season begins. Once an attack occurs, it will be too late.
