E-commerce, a choice target
E-commerce websites are a very attractive target for hackers. On the one hand, they can earn money by intercepting payments (payment page replacement, credit card fraud…). On the other hand, these websites are a wealth of monetizable information: client data (especially banking information), but also information about the company’s employees, its catalogues, production secrets… Indeed, in some cases, access to a website’s server can lead to the company’s internal network. Hackers can also take these websites down to damage the brand’s image.
To do that, there are multiple vectors: phishing, DDoS, social engineering, ransomware… or simply exploiting a vulnerability in the website.
Of course, most websites (not only e-commerce) are likely to be attacked for the same reasons: everything can be sold on the dark web. However, the figures are revealing: in 2014, e-commerce applications suffered the most from attacks. In particular, they were the target of 40% of SQL injections and of 64% of malicious HTTP traffic campaigns [1]. They are also among the prime victims of the following attacks: RAM scraping (recovery of data stored in RAM, an attack that caused major data leaks in 2014), credit card forgery, crimeware, DDoS, Point of Sale (PoS) intrusion [2]…
These are several types of attacks that lead, among other things, to data leaks. During the first half of 2015, e-commerce was the third sector with the most security incidents, after wealth and finance. It is only in fourth position regarding the number of records stolen, but this number rose by 98% compared to the first half of 2013 [3]…
We hear about it everywhere, but it is true: the global number of attacks is increasing, and so is the number of attacks targeting e-commerce. It is not a media coverage effect! However, more than half of all e-commerce websites do not efficiently protect their users’ data [4]. It thus becomes more and more important for e-commerce websites to protect themselves. Today NBS System, as the leader in Magento managed hosting in France, gives you its security advice for Magento.
Here is a list of items which you should take care of to ensure the security of your Magento website.
The “client’s items”
- Create and use a strong password policy, and change your passwords every 3 months
- Force the use of case-sensitive passwords
- Set a limit on the maximum number of failed login attempts
- Deactivate password recovery through e-mail
- Use audited Magento extensions. Many of the existing plugins are not approved by Magento because they are not secure.
- Have a security review of your website done
- Do not display the version of the software and solutions you use on your website, and keep them up to date! Migrate to PHP versions 5.5, 5.6 or 5.7: the previous versions no longer get security patches.
- Keep up to date with the vulnerabilities of the Magento ecosystem and of all the solutions you use
- Use HTTPS on your back office and on every conversion funnel, using SSL certificates
- Keep in your database only the information that is absolutely necessary to run the website
- Use 3-D Secure; its selective mode causes very little client loss and helps a lot
- Choose a PCI DSS certified hosting provider
- Check your website on www.magereport.com
The “hosting provider’s points”
These items are to be set up with your hosting provider.
- Make a daily backup
- Use a WAF (Web Application Firewall), such as NAXSI for instance
- Set a limit on the traffic / requests per IP on your reverse proxies
- Filter outgoing traffic
- Change the default URL of your back office
- Filter access to the back office (by IP or via .htaccess): it helps avoid the exploitation of potential vulnerabilities in the back office
- Deactivate file indexing (directory listing)
- Do not allow your pre-production environment to be indexed
- Set the right permissions: files=644, directories=755
- Do not leave your logs easily accessible (in particular those of your payment portal!)
- Connect via SSH / SFTP using keys instead of passwords
- Keep only the necessary ports open (usually HTTP/HTTPS) and filter the others by IP
- Adjust your php.ini settings: if some modules require modifications, make sure they are not a risk. Use Suhosin when possible and consider using the disabled functions feature (disable_functions); even though it does not prevent an exploit, it can complicate the post-exploitation task for the hacker, and it can make some automated attacks fail
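As an added example (not the article’s or NBS System’s own code), here is a small POSIX shell audit covering three of the hosting points above: the 644/755 permissions, a non-default back office URL, and logs that are not reachable from the web. It assumes a Magento 1 layout (app/etc/local.xml holding the admin router frontName, var/.htaccess protecting var/log); the sample docroot it builds for the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original article or NBS System's tooling.
# Audits three hosting checklist items against a Magento 1 docroot (assumed
# layout: app/etc/local.xml with the admin frontName, var/.htaccess guarding
# var/log). Findings are printed on stderr, their count on stdout.

# 1. Permissions: every regular file 644, every directory 755.
check_perms() {
    n=$(find "$1" \( -type f ! -perm 644 \) -o \( -type d ! -perm 755 \) | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# 2. Back office URL: the default router name "admin" must not be used.
check_admin_url() {
    ! grep -q '<frontName><!\[CDATA\[admin]]></frontName>' "$1/app/etc/local.xml" 2>/dev/null
}

# 3. Logs: var/.htaccess must deny web access (Apache 2.2 or 2.4 syntax).
check_logs_blocked() {
    grep -Eqs 'Deny from all|Require all denied' "$1/var/.htaccess"
}

# Runs the three checks; prints the number of findings.
audit_docroot() {
    findings=0
    check_perms "$1"        || { echo "perms: set files=644, directories=755" >&2; findings=$((findings+1)); }
    check_admin_url "$1"    || { echo "admin: change the default back office URL" >&2; findings=$((findings+1)); }
    check_logs_blocked "$1" || { echo "logs: var/.htaccess must deny web access" >&2; findings=$((findings+1)); }
    echo "$findings"
}

# Constructed sample docroot for the demo: "weak" ships the three defects,
# "hardened" the corrected state (non-default frontName, 644 log, deny rule).
make_fixture() {
    mkdir -p "$1/app/etc" "$1/var/log"
    if [ "$2" = weak ]; then name=admin; else name=backoffice_7q2v; fi
    printf '<config><admin><routers><adminhtml><args>\n<frontName><![CDATA[%s]]></frontName>\n</args></adminhtml></routers></admin></config>\n' "$name" > "$1/app/etc/local.xml"
    echo 'constructed log line: payment gateway response' > "$1/var/log/payment.log"
    chmod 755 "$1" "$1/app" "$1/app/etc" "$1/var" "$1/var/log"
    chmod 644 "$1/app/etc/local.xml" "$1/var/log/payment.log"
    if [ "$2" = weak ]; then
        chmod 666 "$1/var/log/payment.log"   # world-writable payment log
    else
        printf 'Order deny,allow\nDeny from all\n' > "$1/var/.htaccess"
        chmod 644 "$1/var/.htaccess"
    fi
}

# Usage: sh magento_audit.sh /path/to/docroot  (exit status = number of findings)
if [ $# -gt 0 ]; then
    n=$(audit_docroot "$1")
    exit "$n"
fi
```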
The security watch, a necessity
Concurrently with a secure configuration, keeping informed of the latest news about the solutions and software used in your environments is also vital. In 2015, Magento disclosed many vulnerabilities found in the platform: Shoplift, the vulnerability found in the Magmi plugin, SUPEE-6285 and SUPEE-5994, many XSS vulnerabilities… In the past few months, a ransomware specifically targeting Magento has even been in circulation: KimcilWare. It encrypts the server’s files so that they can no longer be used by the website or its administrators, who have to pay a ransom to use them again. Following this news allows you to quickly apply the patches and limit the risk of the vulnerabilities being exploited.
But you must not forget either to keep an eye out for other, broader vulnerabilities, such as the ones we heard so much about in the past year: Heartbleed, Logjam, Shellshock, VENOM, GHOST…
Hackers are always looking for new attacks and exploits: all websites must thus be on constant alert so as not to be overwhelmed. Security is a permanent topic!
1. Web Application Attack Report #5, October 2014, Imperva
2. 2015 Data Breach Investigations Report, Verizon
3. 2015 First Half Review, Findings from the Breach Level Index, Gemalto
4. 3ème baromètre de Sécurité Dashlane, January 2016
Information from a presentation by Philippe Humeau