
While Online Shoppers Click, it’s Thieves Who Collect 

E-commerce is booming, and so are the cyber attacks that plague retailers and customers. As digital e-commerce transactions grow, the race is on for fintech solutions that can help to staunch the flow of customer data – and cash – to online attackers.

E-commerce exploded during the pandemic when everyone was driven to shop from home. Even now that the emergency has subsided, online sales continue to rise. Emarketer predicts a growth from $4.2tn in global online sales during 2020 to $7.4tn in 2025. E-commerce sales as a proportion of total retail sales will also grow from 17.9% in 2020 to 23.6% in 2025, it adds.

A rising tide of security threats 

As e-commerce grows, so do the cybersecurity risks that it faces. Imperva’s State of Security within eCommerce 2022 survey found various online threats targeting e-commerce vendors.

One of the most prevalent kinds of attacks on e-commerce sites is account hijacking. Imperva’s survey said that attempts to take over customer accounts accounted for 22.6% of all logins to retail sites – almost double the proportion across all sectors. More online retailers are offering buy-now-pay-later (BNPL) services, presenting another fraud opportunity for account hijackers.

Criminals often automate their attacks on e-commerce websites. They can carry out credential stuffing attacks for account takeovers but also automate purchases to vacuum up sought-after inventory that scalpers can sell later for big profits. According to the Imperva report, malicious bots account for just under a quarter of traffic to retail e-commerce sites.

According to Imperva, client-side attacks were among the most significant risks for e-commerce providers. These attacks, typified by groups like Magecart, insert malicious JavaScript into compromised web pages. Retail sites are the third most likely to include JavaScript, and most of that code comes from third-party scripts. Once injected, the malicious script skims credit card details as customers place an order.

Some cyber attacks do not steal data at all but simply make it difficult for e-commerce sites to operate. Imperva said that e-commerce retailers accounted for around one in 20 of all distributed denial of service (DDoS) attacks, a relatively small share compared with the 29.5% attributed to financial services. Nevertheless, it is still a worry for e-commerce retailers, who lose cash for every minute of downtime.

Regulation 

We can add another business risk to these digital ones: regulation. Enforcement of essential cybersecurity and privacy practices in e-commerce falls to a patchwork of federal laws that include some cybersecurity protections. Even though U.S. Congress has yet to take a firm stance on focused laws to enforce e-commerce security, there are rules to break.

E-commerce businesses fall under the Federal Trade Commission Act (FTCA), which prosecutors can use to punish businesses that don’t manage their cybersecurity properly. E-commerce companies mishandling their cybersecurity might also violate the Children’s Online Privacy Protection Act.

There are also state laws that apply to fintechs and, in some cases, to the retailers that use their services. For example, the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act, cover companies of a certain size collecting and using consumer data, including e-commerce vendors. Virginia and Colorado have also implemented their own consumer data protection laws in the absence of an equivalent federal one.

The payments industry also has some regulations of its own. One is the PCI Data Security Standard (PCI DSS) from the PCI Security Standards Council. This specification goes into great detail about the necessary security measures for protecting credit card holders’ data. Failure to comply can result in penalties of between $5,000 and $100,000 for each month of non-compliance, depending on the size of the company and the scope of the violation.

The Council published the latest version of the standard, 4.0, in March 2022. It includes more controls to protect online credit card data, including mandating multi-factor authentication (MFA) for accessing cardholder data and using targeted risk analyses to tailor cybersecurity measures for specific businesses. It also addresses the Magecart threat with guidance on managing payment scripts that sites load and run in the consumer’s browser.

An increased focus on cybersecurity fintech 

Fintech is a linchpin for security protection in the e-commerce space. Fintech arose to drive speed and efficiency into financial workflows like loan applications and payments. E-commerce companies use fintech services to help with their own efficiency and cybersecurity issues. Fintech companies can reduce the friction in applying for credit with an e-commerce vendor. They can streamline and speed up payments and use data analysis and records lookup to detect and prevent fraud.

The race is on to find fintech solutions that can help to bolster security for e-commerce companies and other partners. KPMG’s Pulse of Fintech report for the second half of 2022 was preoccupied with fintech investments that covered cybersecurity and regulatory compliance.

With e-commerce set to grab an increasing share of retail revenues, retailers will be judged on their ability to interact with customers online and protect their data adequately. No wonder the focus is turning to fintech that can help to fight fraud and ensure that only legitimate transactions get through.
