


7 ways to protect your ecommerce site from fraud, hacking and copycats

Nov 07, 2016 (7 mins)

Ecommerce business owners and cybersecurity experts discuss how you can protect your online store, especially during the holiday season.


Setting up an ecommerce site is easy these days. Keeping your site safe from hacking, fraud and copycats, not so much. And as small business owners know all too well, one major breach – or too many chargebacks or someone stealing your business name or copying your products – could mean the end of your business.

Here are seven ways small ecommerce business owners can protect their online stores from hacking, fraud and/or copycats.

“The most important tip for business owners to protect their site and brand is to ensure [their] name is clear for use as a trademark,” says Sonia Lakhany, trademark attorney, Lakhany Law. “Too many entrepreneurs mistakenly think that because a domain name is available or that they were able to form an LLC or corporation with their local Secretary of State that their business name or brand is available as a trademark.”

But that is not the case. To ensure that no one else can use your company name and logo, you need to trademark them. “This is an entirely separate process that must be done through a trademark attorney [or by going through the United States Patent and Trademark Office],” she says. “Registering the name as a trademark also protects against future copiers, infringers, knockoffs, etc. who [may] try to steal or capitalize upon [your] brand.”

“I suggest all small businesses register a trademark for their business name and any product that could possibly be copied by a competitor or Chinese manufacturer [as soon as they start doing business],” says Jon Jones, founder, Organic Aromas. “We trademarked our business, and last month when a Chinese seller copied not just our products but all of our ad copy and marketing content, we were able to hit him with a cease-and-desist [letter] because our name and our products [were] protected by law.”

2. Use a trusted ecommerce platform

“Building your store on a Software-as-a-Service platform like BigCommerce or Shopify [or Magento] means that you are paying [for] people [to help you] build [and] host your store [as well as] take care of problems like security,” says Kalon Wiggins, CEO, Epic Design Labs. “A good [ecommerce provider] will constantly monitor all stores on their platform for security issues and deploy solutions as problems are found behind the scenes to take care of [any] security [issues] before [they] become a [problem].”

3. Use HTTP with SSL = HTTPS

“Secure Sockets Layer [SSL] is the standard security technology for establishing an encrypted link between a web server and a browser,” says Kai Armstrong, ecommerce product manager, Hostway. “This link ensures that all data passed between the web server and browsers remain private and integral. SSLs are vitally important to ecommerce transactions, helping to ensure sensitive financial and personal information is protected throughout the purchase process, while building trust for your online store and giving shoppers additional peace of mind,” he says.

Moreover, “Open source nonprofit initiatives like Let’s Encrypt offer free certificates,” says Sara Hicks, CEO, Reaction Commerce. So there’s no excuse not to get one. “And don’t let your SSL certificate expire,” she adds.

HTTP over SSL is known as HTTPS and offers more security (encryption).

However, “a surprising number of websites still don’t support HTTPS,” says Marc Laliberte, information security threat analyst, WatchGuard Technologies. “HTTPS protects your customers and your business from sniffing and impersonation attacks.”

For an even higher level of security, he recommends enabling HTTP Strict Transport Security (HSTS). “HSTS tells web browsers to automatically redirect HTTP requests to HTTPS and prevents users from overriding invalid certificate warnings. This reduces the possibility of fraudulent modifications to your user’s web requests and helps to prevent man-in-the-middle attacks.”
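A way to check that HSTS is actually in effect, as an added example that is not part of the original article: it parses the `Strict-Transport-Security` header and flags the settings that commonly leave a store unprotected. The one-year `MIN_MAX_AGE` floor and the `shop.example` host are assumptions made for illustration.

```python
MIN_MAX_AGE = 31536000  # one year in seconds; an assumed policy floor

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, flags)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name == "max-age":
            arg = arg.strip().strip('"')  # the value may be a quoted string
            if not arg.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(arg)
        else:
            flags.add(name)
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, flags

def audit_response(scheme, headers):
    """Return findings for one response, given its URL scheme and headers."""
    h = {k.lower(): v for k, v in headers.items()}
    if scheme != "https":
        # Browsers ignore HSTS sent over plain HTTP (RFC 6797), so the only
        # useful thing an HTTP response can do is redirect to HTTPS.
        if h.get("location", "").startswith("https://"):
            return []
        return ["http response does not redirect to https"]
    if "strict-transport-security" not in h:
        return ["missing Strict-Transport-Security header"]
    try:
        max_age, flags = parse_hsts(h["strict-transport-security"])
    except ValueError as err:
        return [f"invalid header: {err}"]
    findings = []
    if max_age == 0:
        findings.append("max-age=0 removes the HSTS policy from the browser")
    elif max_age < MIN_MAX_AGE:
        findings.append(f"max-age {max_age}s is shorter than {MIN_MAX_AGE}s")
    if "includesubdomains" not in flags:
        findings.append("includeSubDomains missing; subdomains are not covered")
    return findings

if __name__ == "__main__":  # constructed response for a hypothetical shop.example
    print(audit_response("https", {"Strict-Transport-Security": "max-age=300"}))
```

Because the header only counts when it arrives over HTTPS, a visitor's very first plain-HTTP request is still unprotected, which is why the HTTP listener is checked for a redirect rather than for the header.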

4. Make sure your site is PCI DSS compliant

“If you’re processing online payments, you’ll need to make sure your site is PCI DSS compliant,” says Hicks. “Fortunately, many payment integrators, like Stripe or Braintree, encrypt and store credit card info for you, so none of the critical payment data is stored on your side.”

5. Keep your site updated

“Unpatched applications and extensions will make your ecommerce site an easy target,” says Laliberte. “Hackers love low-hanging fruit and often use automated web crawlers to look for sites with unpatched applications. Keeping your website and backend software updated with the latest security patches is the single biggest (and often simplest) step a small business can take towards stopping an attack.”

“A website that isn’t completely up to date with its security patches is vulnerable to attack,” says Armstrong. “For this reason, it’s imperative that ecommerce retailers ensure that all available patches have been applied to their online platforms. Stay on top of release cycles to ensure that those are always up to date,” he says. “Also [use a] firewall in front of the ecommerce store to help protect against vulnerabilities that might be discovered. This is an additional measure of protection that provides some time before patches are applied.”

6. Require strong passwords

“One way hackers can gain entrance into your site is to use a brute force hack, which basically starts putting combinations of letters into your site login, hoping to get lucky and crack your password,” explains Wiggins. “Using randomized and long passwords makes this a lot less likely.” So have employees use strong passwords, a combination of upper- and lowercase letters, numbers and symbols, or use an “online complex password generator to protect yourself.” Also have people change their passwords every 6 months, if not more often.

7. Know the signs of fraud

“[Though] fraud prevention specialists understand that none of [these] elements on their own indicate a fraudulent order, looking at the types of email user names, types of email domain names, customer order history… and understanding geographic fraud trends [can] all help identify a fraudulent order,” says Alyse Serritella, team leader, fraud prevention, Cleverbridge. “Through training, experience and pattern recognition, [you can] see how all these elements interact with each other and identify a pattern that indicates a fraudulent order.”

“Fraudsters tend to target high value items, as they can make the most money on these,” adds James Kingsbury, owner, Vivid 3D. “Also, they tend to have items shipped to an obscure overseas address, often so far out of the way to stop you ever having a chance at getting your stock back.”

“The easiest way to protect yourself against credit card fraud for online orders, and the resulting chargebacks, is to ship only to the verified credit card billing address,” says Ron Yates, owner, Titanium Jewelry. “If the buyer wishes to have a different shipping address, the merchant could require that the buyer give the alternate address to the credit card company. Then the merchant can verify this. And have signature required for the delivery, to ensure the package was in fact received by the buyer.”

You can also use an AVS (address verification system), says Kingsbury. “An AVS will confirm the billing address entered by the client, with the address on the credit card company’s data file. This should pre-warn you of any possible fraudulent orders. You can then do some manual due diligence on the order to confirm its authenticity.”

And because “fraud spikes during the holidays,” says Juan Benitez, General Manager, Braintree, “integrate the latest fraud protection tools, like Kount, to identify and prevent fraudulent activity before a transaction or verification ever reaches a customer’s bank.”
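The warning signs in this section can be combined into a simple order-triage rule. The sketch below is an added example, not code from the article or from any vendor named in it. The dollar threshold, home country, mail-domain list and the boolean `avs_match` field are all assumptions, and the orders are constructed.

```python
from dataclasses import dataclass

HIGH_VALUE = 500.00          # assumed threshold; tune to your catalogue
HOME_COUNTRY = "US"          # assumed merchant country
FREE_MAIL = {"freemail.example"}  # placeholder list of throwaway mail domains

@dataclass
class Order:
    total: float
    email: str
    prior_orders: int
    billing: tuple           # (street, postal_code, country)
    shipping: tuple
    avs_match: bool          # processor's AVS verdict on the billing address

def _norm(addr):
    # Compare addresses case-insensitively and ignoring extra whitespace.
    return tuple(" ".join(str(p).lower().split()) for p in addr)

def fraud_signals(o):
    """Collect the warning signs present on one order."""
    signals = []
    if o.total >= HIGH_VALUE:
        signals.append("high_value")
    if _norm(o.shipping) != _norm(o.billing):
        signals.append("ship_not_billing")
    if o.shipping[2].upper() != HOME_COUNTRY:
        signals.append("overseas_shipping")
    if not o.avs_match:
        signals.append("avs_mismatch")
    domain = o.email.rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL and o.prior_orders == 0:
        signals.append("new_customer_throwaway_mail")
    return signals

def triage(o):
    """No single sign decides, except AVS: a mismatch always gets a human look."""
    signals = fraud_signals(o)
    hold = "avs_mismatch" in signals or len(signals) >= 2
    return ("manual_review" if hold else "ship"), signals

# Constructed orders, not real data.
HOME = ("1 Main St", "30301", "US")
REGULAR = Order(620.0, "pat@corp.example", 4, HOME, HOME, True)
RISKY = Order(620.0, "x91@freemail.example", 0, HOME, ("Box 7", "0000", "ZZ"), True)
```

A returning customer buying an expensive item ships normally, while the same basket from a new account with a mismatched overseas address is held for the manual due diligence described above.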

What to do if your ecommerce business is hacked

Make sure your site is being regularly backed up – to a safe, offsite server or service. That way in case your site is disabled or hacked, you can more easily restore it.

Invest in small business cyber insurance. “It’s important to minimize your risk of being hacked by patching software regularly, using strong passwords and installing antivirus software, but you can’t prevent every breach,” says Ted Devine, CEO, Insureon. “In the event that a hacker gets into your data, a Cyber Liability policy can be a lifesaver. It covers the cost of notifying affected customers, investigating the breach and buying credit monitoring services for affected customers. That’s important because a lot of states require businesses to provide those services,” he says. “Some policies also offer funds for doing good-faith PR efforts to help restore your reputation.”