E-commerce has changed the way people shop: from the comfort of their own home, in just a few clicks. Customers expect a more personalized experience, which has led e-commerce retailers to develop their own apps and offer the convenience of shopping on the go.
With the proliferation of mobile apps, cyber threats have also increased, primarily because of vulnerabilities in these apps caused by inadequate technical controls and by the poor security practices of the app owners.
The GAO stated that “the number of variants of malicious software aimed at mobile devices has reportedly risen from about 14,000 to 40,000 or about 185% in less than a year.”
Cyber crime is a serious concern for e-commerce retailers, with significant business implications and bad PR. Retailers should take proactive measures to protect their mobile apps from malicious hackers and safeguard the personal information customers leave behind while shopping in the app.
In this blog, we’ll highlight some e-commerce companies that were hacked in the past and the common threats that e-commerce retailers should watch out for.
Here Are Some of the Companies That Got Hacked
eBay – The breach at eBay Inc. was poised to be one of the biggest data breaches in history, based on the number of accounts compromised. Around 145 million records were accessed by hackers, containing passwords as well as email addresses, birth dates, mailing addresses and other personal information. The hackers obtained the login credentials of a small number of employees, which allowed them to gain access to eBay’s corporate network.
Target Corporation – More than 70 million credit and debit card accounts were impacted by the breach at Target Corporation’s U.S. stores. The breach was the result of compromised point-of-sale terminals, which were hacked to capture customer card data during the busiest shopping season of the year.
Starbucks – Last year the Starbucks app was hacked twice within a few months; hackers stole money from several Starbucks customers by gaining access to their credit card information through the app and using the auto-reload function. Criminals used compromised Starbucks accounts to reach consumers’ linked credit cards, and by taking advantage of the auto-reload function they could steal hundreds of dollars in a matter of minutes.
Zappos – The e-commerce company owned by Amazon was the target of a cyber attack that gained access to its internal network, including the accounts of 24 million of its users. The hackers could access customers’ names, e-mail addresses, phone numbers, addresses, the last four digits of their credit card numbers, and encrypted passwords.
Top 5 Common Vulnerabilities We Found in E-commerce Apps
1. Unprotected Services
If a service is exported and not protected with strong permissions, any application on the device can start it and bind to it. This permits leakage of information and allows a malicious application to make the service perform unauthorized tasks.
To guard against this, an exported service should always be protected with strong permissions.
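As an added example (written for this post, not code from the original or from any of the apps named above), a hypothetical exported service of an e-commerce app that requires a signature-level permission in its manifest and re-checks the same permission on every incoming call; the package, permission and class names are assumptions.

```java
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;

// Hypothetical exported service of an e-commerce app (names are assumptions). The primary
// control is the manifest: declaring a signature-level permission and requiring it on the
// service, so that only apps signed with the same key can bind.
//
//   <permission android:name="com.example.shop.permission.ORDER_SYNC"
//               android:protectionLevel="signature" />
//   <service android:name=".OrderSyncService"
//            android:exported="true"
//            android:permission="com.example.shop.permission.ORDER_SYNC" />
//
// With android:exported="true" and no android:permission, any installed app could bind to
// the service and call into it. The check below enforces the same permission in code as
// defence in depth, so a manifest regression does not silently expose the service.
public class OrderSyncService extends Service {
    static final String ORDER_SYNC_PERMISSION = "com.example.shop.permission.ORDER_SYNC";

    private final IBinder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            // checkCallingPermission() examines the process on the other end of this IPC.
            // onBind() is invoked by the system, not by the client, so the check belongs
            // here, where every client call passes through.
            if (checkCallingPermission(ORDER_SYNC_PERMISSION)
                    != PackageManager.PERMISSION_GRANTED) {
                throw new SecurityException("Caller lacks " + ORDER_SYNC_PERMISSION);
            }
            return super.onTransact(code, data, reply, flags);
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }
}
```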
2. Broken Trust Manager For SSL
Android apps that use SSL/TLS protocols for secure communication should properly verify server certificates. The basic verification includes:
- Verify that the subject (CN) of the X.509 certificate matches the URL
- Verify that the certificate is signed by a trusted CA
- Verify that the signature is correct
- Verify that the certificate is not expired
A developer has the freedom to customize their SSL implementation. With that freedom, the developer must use SSL correctly, as appropriate to the intent of the app and the environment it is used in. If SSL is not used correctly, a user’s sensitive data may leak through the vulnerable communication channel.
3. Broken HostnameVerifier for SSL
The app does not verify that the certificate was issued for the host the client is connecting to. For example, when the client connects to example.com, it will accept a server certificate issued for some-other-domain.com.
As a fix, using HttpURLConnection is recommended for the HTTP client implementation.
4. Insufficient Transport Layer Protection
Insufficient transport layer protection issues arise when data is sent from the mobile app to the server over unsecured channels. Whether the data is transmitted through the carrier network or through WiFi, it traverses the Internet either way before it reaches the remote server. There are several points at which unprotected data transmitted over the network can be sniffed: routers, proxies and cell towers are just a few of the places where data could be intercepted in transit.
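As an added illustration of findings 2, 3 and 4 (example code written for this post, not from the original or from any of the apps it names): the insecure TrustManager and HostnameVerifier patterns that code review and static scanners look for, beside a client that keeps the platform defaults and refuses cleartext URLs. The class and method names are assumptions.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class TlsClientExamples {

    // VULNERABLE (finding 2): a TrustManager whose checkServerTrusted never throws
    // accepts any certificate, self-signed or forged, so the chain is never validated.
    static final TrustManager[] TRUST_EVERYTHING = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // VULNERABLE (finding 3): a HostnameVerifier that returns true for every host lets a
    // valid certificate for some-other-domain.com pass for a connection to example.com.
    static final HostnameVerifier ALLOW_ANY_HOST = (hostname, session) -> true;

    // This is the shape of the insecure code a reviewer or scanner should flag.
    static HttpsURLConnection openInsecure(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_EVERYTHING, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(ALLOW_ANY_HOST);
        return conn;
    }

    // FIXED (findings 2, 3 and 4): keep the platform defaults. HttpsURLConnection checks the
    // chain against the device's trusted CAs, the signature, the validity period, and that
    // the certificate's CN/SAN matches url.getHost(); the protocol check refuses cleartext.
    static HttpsURLConnection openSecure(URL url) throws IOException {
        if (!"https".equals(url.getProtocol())) {
            throw new IOException("Refusing cleartext transport for " + url);
        }
        return (HttpsURLConnection) url.openConnection();
    }
}
```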
Sensitive data and app control should not be exposed to scripting attacks.
E-commerce is growing at a fast pace, and mobile is a strong supporting platform for achieving high growth and reach. Considering the amount of sensitive information and the volume of transactions going through e-commerce apps, it is essential that companies take extra care with their application security to avoid disasters that can result in very bad PR and a tremendous loss of business.
Mobile apps have opened new channels of exploitation for hackers today. We recently released an e-commerce report that exposes flaws, found with only basic security testing, in 95% of the top mobile apps across the globe.