Secure e-commerce. What threats are there for online stores and how to protect yourself from them?

Online stores filled with consumer data are undoubtedly a tasty morsel for hackers. On the occasion of Safer Internet Day, which is celebrated on February 8, we asked Tomek, Strix e-commerce systems security specialist, about what threatens the industry from online criminals and how to take care of store security.

What are the most common attacks on e-commerce?

We can divide e-commerce attacks into two groups. The first one includes attacks against systems. In the second group we find attacks against users, i.e. customers of online stores. E-commerce is not a particular category that is more vulnerable to attacks. But it is important to remember that one of the main motivations of cybercriminals is money, which makes e-commerce vulnerable to e.g. financial fraud, i.e. using stolen data to make in-store purchases. However, if we look at the statistics, according to the OWASP ranking in 2021 the most popular category of attacks was the so-called broken access control, which is a situation when a user gets permission to use resources to which he should not have access.

What is this type of attack in practice?

Let's assume that as a customer of a store we have a gift card. After logging into our account we should see only our card and its current status. A breach of the broken access control type means that user A can view the content and data of user B's card. Not only does it lead to data leakage, but the attacker also gains the possibility to use the card and make purchases with it. Such an attack can be massive and cause large losses to the business.
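The gift-card scenario above, shown as an added example that is not part of the interview or of any Strix code: a lookup that trusts the card id from the request beside one that checks ownership on the server. The in-memory card table, user ids and balances are constructed for the demo, and the hardened version answers "not found" for both a missing card and another user's card, so the response does not reveal which ids exist.

```python
# Added example (not from the Strix interview): gift-card lookup with and
# without a server-side ownership check, illustrating the broken-access-control
# case described above. All data below is constructed for the demo.
from dataclasses import dataclass


@dataclass(frozen=True)
class GiftCard:
    card_id: int
    owner_id: int
    balance_cents: int


# Constructed sample data: two customers, one card each.
CARDS = {
    1001: GiftCard(card_id=1001, owner_id=1, balance_cents=5000),
    1002: GiftCard(card_id=1002, owner_id=2, balance_cents=12000),
}


class NotFound(Exception):
    """Raised when a card is not visible to the requesting user."""


def get_card_vulnerable(card_id: int, requesting_user_id: int) -> GiftCard:
    # BUG (deliberate, for illustration): the lookup trusts the card id taken
    # from the request and never compares the card's owner with the logged-in
    # user, so user A can read user B's card just by changing the id.
    card = CARDS.get(card_id)
    if card is None:
        raise NotFound(f"card {card_id} not found")
    return card


def get_card_hardened(card_id: int, requesting_user_id: int) -> GiftCard:
    # Fix: authorization is decided on the server against the session's user
    # id, not against anything the client sends. A card that exists but
    # belongs to someone else is reported exactly like a card that does not
    # exist, so the error does not leak which ids are valid.
    card = CARDS.get(card_id)
    if card is None or card.owner_id != requesting_user_id:
        raise NotFound(f"card {card_id} not found")
    return card


def redeem_hardened(card_id: int, requesting_user_id: int, amount_cents: int) -> int:
    # Every operation that touches a card goes through the same ownership
    # check, so "viewing" and "spending" cannot drift apart. Returns the new
    # balance in cents.
    card = get_card_hardened(card_id, requesting_user_id)
    if amount_cents <= 0 or amount_cents > card.balance_cents:
        raise ValueError("invalid redemption amount")
    updated = GiftCard(card.card_id, card.owner_id, card.balance_cents - amount_cents)
    CARDS[card_id] = updated
    return updated.balance_cents


def can_view(lookup, card_id: int, user_id: int) -> bool:
    # Small helper for tests and logging: does this lookup expose the card?
    try:
        lookup(card_id, user_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    # User 1 asks for user 2's card through both code paths.
    print("vulnerable exposes other user's card:", can_view(get_card_vulnerable, 1002, 1))
    print("hardened exposes other user's card:  ", can_view(get_card_hardened, 1002, 1))
    print("owner redeems 15.00 -> balance:", redeem_hardened(1001, 1, 1500))
```

The point to take from the hardened version is that the check keys on the authenticated user from the session, lives in one place, and is reused by every operation on the resource; a test that requests another user's card id and expects "not found" is a cheap regression test to add to any store's test suite.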

What other attacks on systems can we distinguish?

An example of such an attack is DDoS, a distributed denial-of-service attack. In this attack a large number of requests flow simultaneously into the given system from many IP addresses. In such a situation, the system either loads slowly or we lose all access to it, so the customers cannot buy in our store. Recently, attacks using malware, e.g. from the ransomware category, have also become popular. Such software infects a particular system and encrypts files on it, blocking work. To get out of this situation, in case of bad preparation, sometimes you even have to pay a ransom.

A large group of attacks are attacks related to the use of so-called vulnerabilities.

These are attacks that exploit previously published vulnerabilities of a given system. The common cause in such cases is unfortunately human error or lack of awareness about threats, because malware is distributed via emails, where attackers place a link that redirects the victim further. Once clicked and infected, the malware can be spread to other computers on a given network. Often such an attack is precisely targeted, so the message does not go to just any employee, but for example to the system administrator. Then the effectiveness of such an attack is much higher and it brings more serious consequences.

And what do attacks aimed directly at shoppers look like?

The most common malicious activity is phishing. It is a situation when store users receive emails or text messages with a message about the need to pay an additional fee for an order. In such messages, there are links that redirect customers to a system that deceptively resembles a payment gateway in the store. The main goal of the attackers is to obtain bank details. A moment of inattention leads to the account owner losing a certain amount of money, and sometimes their entire life savings.

How can store owners take care of the security of their systems?

The basic thing is to keep the system and all the applications that are part of it updated, and to use antivirus and firewall software that sifts out attack attempts. The second important thing is to educate employees about security. I mean all employees, including developers. Developers should consider security issues while coding and perform code scans for vulnerabilities. The third issue is regular testing. As long as we do not know that our e-commerce system is vulnerable, we think that we are not in danger. However, only regular tests allow us to determine the level of security of the e-commerce system.

At Strix you are responsible for conducting tests for our customers. What is your job in terms of e-commerce security?

Security in IT can be divided into two fronts, blue and red. As you can guess, red stands for attack and blue for protection and monitoring. In my work I think like a hacker: I try to break business logic and find gaps in functionality, but let's make it clear, I work for the benefit of the projects I deal with. On a daily basis I look for system vulnerabilities, that is weaknesses that could be used against a given company. I prepare scenarios and recommendations on how to solve such vulnerabilities. On a daily basis I also follow the guidelines of the OWASP organization, which creates standards for web application security.

And what are your daily ways to stay safe while shopping online?

The first thing I always check is the encryption of the site. I look to see if a padlock is visible next to the website address. Right now it's not hard to have SSL, but if a site doesn't have encrypted protocols, I definitely won't buy anything there. I also won't buy where there are some payment systems I don't know about. Apart from that, I do what every shopper should do - I read reviews of other users who have previously gone through the path of purchase in a given place and check whether they encountered any threats.
