We are fast approaching the season that has been dubbed “the most wonderful time of the year” in rhyme and song. While family, friends, and feasts play a major role in helping this season be wonderful, it is undeniable that giving and receiving are also significant supporting characters. As millions of us are getting ready to stay home, sit by the fire, and fire up our apps and browsers to shop for Cyber Monday deals, the Rapid7 Labs team thought it might be helpful to make a list of some steps online merchants can take (and check twice) to make sure the shopping experience is as safe and secure as possible for both themselves and their customers.

To make this list as practical as possible, we’ll use examples from two case studies along the way:

1. Stay certifiably secure

Whether it be an app or a website, SSL/TLS certificates are the first safety component shoppers will encounter, and the strength of the server certificate configuration sets the stage for more secure outcomes.

overall-rating-a-rapid7-blog-3

Our “high-profile” list consists of merchants featured by Visa that are in the “Pay with Visa Checkout” merchant program. In theory, these sites should have exemplary online safety configurations.

Online retailers can measure the strength of their own site’s SSL/TLS configurations using a free online checker. Rapid7 Labs used the same grading criteria against our high-profile merchant list and found that most of these sites do a decent job configuring their SSL/TLS certificates, with only a small number of them getting below an “A” grade.

pay-with-visa-checkout-program-rapid7

If you use the aforementioned SSL/TLS checker and receive anything but an “A,” you can head on over to Mozilla’s excellent SSL Configuration Generator, which will help you craft a “bulletproof” certificate configuration for your site.

2. Stay ahead with solid website headers

Next up on the shopping site safety list is the task of ensuring your website has solid security headers. These are unseen (by humans) components of your website that can ensure customers are always using encrypted connections and your site isn’t being manipulated in malicious ways.

Rapid7’s own Robert Lerner penned a great blog post earlier this year that introduces this topic quite well. OWASP maintains a list of the recommended security headers as well, and we evaluated the presence of these headers in our high-profile site list.

Unfortunately, the results aren’t as great as in the previous SSL/TLS certificate section:

pay-with-visa-secure-headers-rapid7-blog

The view is even a bit more bleak when we look at the use of secure headers across all secure website endpoints in the Retail component (over 300 organizations) of the combined Rapid7 Industry Cyber-Exposure Reports:

rapid7-retail-icer-blog

Merchants can head on over to securityheaders.com to test their own site and obtain additional guidance on how to configure site headers.

3. Avoid a visit from the Magecart

Some holiday traditions celebrate the visit from wizened “Magi,” but there’s one emerging digital tradition you should do your best to avoid: the visit of the Magecart. As brick-and-mortar retail rapidly speeds toward better payment card terminal security, attackers are increasing their efforts to inject card-skimming code into websites.

Making smart use of the Content-Security-Policy header from the previous section can go a long way toward helping prevent Magecart-esque attacks via third-party providers (i.e., any content delivery network you use, third-party analytics you allow on your site, etc.). You can also use special attributes in key areas of your site’s HTML to help ensure you’re loading the resources you think you’re loading.

Magecart-esque attacks can also happen directly to your site if you’re not keeping up-to-date with patches and secure application coding techniques. Tools such as InsightVM and InsightAppSec can help you find and remediate grinchy problems that may allow attackers to abscond with your visitor’s precious digits.

If you’re using popular third-party shopping platforms such as Magento, it’s vital that you track all security alerts and apply patches as soon as possible after they come out. Attackers seize upon the opportunity to mass-infect vulnerable sites that use popular common platforms, and you definitely do not want to be caught up in the wake of one of their campaigns.

4. Build up your bot defenses

Attackers can use bots to scrape product and pricing details from your sites or launch denial-of-service (DoS) attacks to disrupt your business processes, among other dastardly deeds. There are some steps you can take to protect yourself from both of these scenarios.

For scraper bots, you can invest in in-stream or in-session technologies to detect and prevent this type of attack (everything from rate-limiting connections to use of CAPTCHAs to advanced anomaly detection). This GitHub post provides a comprehensive set of resources and techniques you can use to stop the scrapers.

DoS attacks are another matter altogether. Defending yourself from DoS attacks requires some up-front planning (i.e., a DoS response plan) and continued investment (i.e., anti-DDoS technologies or services) to ensure your customers can complete their purchases without issue.

5. Protect consumer logins

If you haven’t heard the news, passwords are dead. While a simple username and password combination may introduce the least friction into consumer shopping experiences, those experiences are fraught with peril in this modern age due to easy access to attacker databases filled with billions of login credentials from scores of data breaches, and even easier access to the means to try out all those usernames and passwords on any site an attacker comes across.

At a minimum, your shopping sites should have a sane-but-strong base password policy for all accounts and should employ some basic risk-based authentication strategies at a minimum.

Consumers are also getting pretty clever and are looking for merchants that support multi-factor/two-factor authentication. Using this additional layer of security helps communicate that you understand the safety concerns of your shoppers and take your site’s security seriously.

6. Stay safe together

Finally, you really shouldn’t go it alone when it comes to figuring out how secure your shopping experiences. The motto of the Retail & Hospitality ISAC is “Protect As One.” They offer intelligence on attacker campaigns and have a wealth of resources available to make it as straightforward as possible to keep yourself and your customers safer online for and beyond Cyber Monday.