E-commerce security during COVID-19


With the emergence of the current pandemic ravaging the world, the various sectors of economies all over the globe have not been the same. Countries all over the world are struggling to institute measures to mitigate the impact of the pandemic. Consequently, the entire world has gone online and so has the fraudsters!

As you know, the current pandemic has dramatically accelerated a trend that was already on the rise – a rapid move towards electronic payments and e-commerce in Africa!

With curfews, lockdown, and social distancing, many people are now making their purchases online using their computers, tablets, and mobile devices, thus leading to an explosion in e-commerce. With Retailers scrambling to respond to a surge in e-commerce orders the risk of a data breach is increasing at an exponential rate!

As small and medium-sized businesses figure out ways to compensate for their lack of foot traffic during COVID-19 quarantine, many are pivoting to online stores and delivery services in order to continue providing goods and services to their customers.

Understanding e-commerce implementations

Some common e-commerce implementations include:

  1. Merchant-managed e-commerce implementations – Commercial shopping catalogue and payment application platform are fully managed by the merchant
  2. Shared-management e-commerce implementations – with redirection to a third-party hosted payment page either by URL redirect, an Inline Frame (or “iFrame”) that allows a payment form hosted by a third party to be embedded within the merchant’s web page(s), or implementation of Merchant gateway with third-party embedded application programming interfaces (APIs)
  3. Wholly outsourced e-commerce implementations – The below is an example of Fully Outsourced Redirect Payment Flow

Typically, in Africa, most merchants use the ‘Shared-management’ and ‘Wholly outsourced e-commerce implementations’ which involves the use of a Payment Service Provider (PSP).  A PSP offers a service that directly facilitates e-commerce transactions online via its relationship with acquiring member banks of payment card brands.

But what kind of threats are lurking online related to the COVID-19 crisis?

During this time of uncertainty and increased online activity, cyber criminals are actively working to exploit the current COVID-19 story with attacks aimed at taking advantage of the situation.

According to the U.S. Secret Service, one of the most common online attacks during this time is phishing/social engineering attacks. Cyber criminals are exploiting the Coronavirus through the wide distribution of mass emails posing as legitimate medical and or health organizations with important information about Coronavirus.

Hackers use phishing and other social engineering methods to target organizations with legitimate-looking emails and social media messages that trick users into providing confidential data, such as credit card number, social security number, account number or password.

These attacks have been around for a while and are at the heart of many of today’s most serious cyber-attacks and can put your business and your customers at risk.  It is important to have your guard up when opening emails and engaging in social media.  As more and more people work remotely due to the COVID-19 situation, everyone needs to be aware of how to best protect against phishing and social engineering attacks.

The current threat landscape – understanding the risk 

Cybercriminals are moving quickly to take advantage of rapid changes to payment card data environments. But first off, let’s look at the current Threat Landscape:

  • Cybercrime in the US has increased by 300 percent – According to the FBI on April 20, 2020, instances of cybercrime appear to have jumped by as much as 300 percent since the beginning of the coronavirus pandemic. The bureau’s Internet Crime Complain Center (IC3) is now receiving between 3K to 4K cybersecurity complaints per day, up from the average 1K per day before.
  • Monthly spam email detections have increased sharply – Monthly spam email detections (containing Covid, covid-19, coronavirus, or ncov) has increased from about 5,000 in January and February to nearly one million in March!
  • Malicious URLs increased by 200 percent – Instances that malicious COVID-19 related URLs were accessed have increased by 200 percent.

Whereas the above facts and figures relate to the situation in the United States, however organisations in Africa should take cognizance of the fact that the pandemic’s effects have reached the Cybercriminal Underground who now sells Covid-themed phishing, malware, and exploits for whoever is interested in perpetuating criminal cyber activities.

Dark web forums harbour a dynamic environment for criminals looking to buy or sell compromised data, zero-day exploits, and system accesses. In our latest dark web findings, we have observed notable changes in criminal forum activities and trends.

Activities spotted including the sale of stolen Facebook login credentials, sale of Malicious links via compromised accounts, sale of Phishing and scams using Netflix as lure and availability of new methods to deliver attacks on enterprises for example ‘Shipment Notification’ emails and ‘Coronavirus Ministry of Health Updates’ emails.

As you can see, the COVID-19 pandemic is quickly changing how e-commerce merchants accept payments.  Merchants that previously only had brick-and-mortar locations are moving to accept e-commerce and over-the-phone transactions.

But what can merchants do to protect their e-commerce transactions?

First off, PCI Security Standards Council shares key considerations to help merchants and e-commerce organisations to keep their customers’ payment data secure in this rapidly changing environment.

Secondly, merchants should consider complementing their PCI DSS compliance program with additional security controls to reduce e-commerce risk, even if such controls are not stated as required, for example Hardening of servers, vulnerability management, and monitoring of server activity are effective controls for these implementations.

  • Reduce where payment card data can be found – The best way to protect against data breaches is not store card data at all. Many small merchants are offering curbside pickup now and are accepting telephone payments in lieu of former face-to-face transactions. Avoid writing payment card details down and instead enter them directly into your secure terminal.
  • Choose Trusted (PSP) Partners – It’s critical you know who your service providers (PSP) are and what security questions to ask them. Is your service provider adhering to PCI DSS requirements? For e-commerce merchants (and those of you that recently started accepting e-commerce payments in lieu of face-to-face payments), it is important that your payment service providers are PCI DSS compliant, including the service provider that manages your payment process (your “payment service provider” or PSP).
  • Ensure you implement a robust e-commerce payment architecture – For example iFrames provide a degree of security by relying on a technique known as the same-origin policy, which is enforced by all modern web browsers. However, these types of e-commerce solutions are susceptible to compromise by a determined attacker, and merchants should ensure that they are appropriately addressing this risk.

Phishing/Social Engineering attacks have been around for years. There are many ways to defend against this type of attack including:

  • Reduce unwanted email traffic – Install and maintain basic security protections, including firewalls, anti-malware software and email filters to prevent known malicious IP addresses or domains for example.
  • Train employees and users on email and browser security best practices
  • Update your system regularly – Regularly check that web browsers and security software have the latest security patches and updates.
  • Use basic security tools that block malicious intruders and alert you to suspicious activity, including firewalls, anti-virus, malware and spyware detection software.
  • Separate personal-use devices from work devices – Keep computers used for social media sites, email and general internet browsing separate from computers used for processing financial transactions.
  • Practice good password hygiene – Change the passwords regularly and follow best practices with regards to password policy.
  • Use two-factor authentication – Many of these attacks rely on getting a password one way or another. Requiring another form of ID, such as security tokens, will make it harder for hackers to falsify an account.

Best practices for securing e-commerce

In conclusion, it is advisable to implement the following security best practices

  • Use TLS 1.1 or higher when transmitting cardholder data internally
  • Due to the dynamic nature of e-commerce environments and frequent changes to websites and web applications, consider implementing a web application firewall (WAF)
  • It is also recommended that firewall rules be configured to ensure unwanted traffic does not access (both ingress and egress) the network
  • Consider using third-party payment applications that are PA-DSS validated
  • Regularly review any links (such as URLs, iFrames, APIs etc.), from the merchant’s website to the payment gateway to confirm the links have not been altered to redirect to unauthorized locations
  • Implement Security Training for all Staff
  • Engage the services of security experts such as Delta3 International

For additional knowledge – attend upcoming e-commerce webinar

>>>The author is the Managing Partner, Delta3 International. He is an Enterprise Architect and Information Security Consultant. Del Aden is an industry-recognized security expert with over 20 years of hands-on experience in consulting, training, public speaking, and expert witness testimony. As the Managing Partner for Delta3 International, Del now focuses on helping customers prevent security breaches, detect network intrusions, and respond to advanced threats. An astitute speaker and trainer, Del is on the cutting edge of cybersecurity research and development. For comments, contact author: [email protected]  Mobile: +233 202621350 (GH) or +44 7973 623 624 (UK). Website: www.delta3.co    Contact us: [email protected]

Leave a Reply