{"id":2013,"date":"2024-06-15T12:58:53","date_gmt":"2024-06-15T10:58:53","guid":{"rendered":"https:\/\/leonardonetwork.eu\/?p=2013"},"modified":"2024-06-15T12:58:54","modified_gmt":"2024-06-15T10:58:54","slug":"cosa-ci-ha-insegnato-il-2023-sulla-sicurezza-nel-commercio-elettronico","status":"publish","type":"post","link":"https:\/\/leonardonetwork.eu\/en\/what-2023-taught-us-about-e-commerce-security\/","title":{"rendered":"What 2023 taught us about e-commerce security"},"content":{"rendered":"<p class=\"wp-block-paragraph\">There&#039;s an old adage in business: &quot;What got us here won&#039;t get us further.&quot; To stay competitive, companies must constantly adapt and evolve. The same goes for cybersecurity. Cyber threats are growing in complexity and scale, as attackers seek new ways to compromise valuable data.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Cybercriminals are increasingly targeting the retail sector<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">According to an in-depth analysis by the magazine <a href=\"https:\/\/www.techradar.com\/pro\/what-2023-taught-us-about-ecommerce-security\" data-type=\"link\" data-id=\"https:\/\/www.techradar.com\/pro\/what-2023-taught-us-about-ecommerce-security\" target=\"_blank\" rel=\"noreferrer noopener\">Tech Radar<\/a>, the retail sector is now a prime target for cybercriminals. An analysis of this year&#039;s retail attacks highlighted a number of key threats, including data theft, compromised accounts, reputational damage, and downtime.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Threats like digital skimming and malicious bots are common, while others, like account takeover attacks (ATOs) and business logic abuse, are growing in frequency. What lessons can we learn from 2023? And how can retailers respond to an evolving threat landscape?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Account Takeover<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">One of the biggest threats to all retail businesses this year has been account takeover attacks (ATOs), in which cybercriminals use automated bots to attempt to compromise online accounts by testing stolen passwords and usernames. A successful ATO attack can have serious financial implications for customers, while for businesses it can lead to reputational risks and revenue losses.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ATO attacks are a year-round threat, accounting for nearly 1 in 6 of all login attempts. Malicious activity is particularly rampant during the holiday season. This year, the volume of malicious login attempts increased by a staggering 85% during Black Friday, even surpassing last year&#039;s increase of 66%. And it&#039;s not just Black Friday that&#039;s a problem: the number of ATO attacks increased by 82% between October 2023 and November 2023. These figures underscore how important it is for e-commerce platforms and businesses to have defenses in place to identify and mitigate malicious automated traffic that could be involved in ATO attacks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Business Logic Abuse<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Business logic refers to the rules or algorithms that determine how an application or program operates and interacts with a database. It can be thought of as an application&#039;s or API&#039;s decision-making process\u2014the &quot;if&quot; and &quot;then&quot; scenarios designed to maximize ROI. For example, a retailer might decide that if a customer orders more than \u00a3200 worth of merchandise, they&#039;ll receive a \u00a320% discount. This conditional logic allows for automated and more efficient business decisions.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Over the 12 months of 2023, attacks targeting the business logic of retail sites nearly doubled, rising from 26% to 43%. Business logic attacks can be used to steal money or sensitive data, commit fraud, or simply cause chaos by crashing a business-critical application. They are increasingly popular among hackers because they don&#039;t exploit a technical flaw, but abuse an existing application or system functionality. As a result, they often go undetected by traditional security tools.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For example, if a retailer allows a customer to send digital gift cards to another customer, hackers could use flawed logic within the system to &quot;gift&quot; themselves thousands of euros in gift cards from another account. Such an attack could have serious consequences for both the consumer and the company.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Lessons Learned<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Addressing these two issues\u2014not to mention the many other threats retailers face\u2014requires the involvement of both consumers and businesses. For consumers, practicing good password hygiene (such as not reusing passwords across different sites) is essential to reduce the risk of falling victim to an ATO attack. Meanwhile, businesses need a coordinated and comprehensive defense strategy, with a suite of capabilities that can cover all access points, including websites, mobile apps, and APIs. This means going beyond a simple bot management solution to include tools such as attack analysis, client-side protection, and runtime application self-protection (RASP).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Furthermore, security responsibility must be more widespread within the organization. Combating business logic abuse requires developers and product owners to map and incorporate security measures from the outset and at every stage of the process to minimize potential risks. This should be accompanied by regular audits and code reviews to identify any issues that may have gone undetected initially. Identifying business logic vulnerabilities is not a one-time process\u2014software updates occur continuously, and each has the potential to introduce a new weakness in the application logic.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What does the current landscape hold for us?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Due to the constantly changing threat landscape, cybersecurity requires continuous adaptation. New threats can emerge overnight and become critical issues for businesses. In 2023, ATO attacks and business logic abuse were two of the main threats to retailers. With the growing adoption of generative AI, the technology could help cybercriminals modify their attacks. As a result, 2024 could see a surprising increase in the volume of attacks, especially around business logic, as attackers train AI systems to identify and exploit such vulnerabilities.<\/p>","protected":false},"excerpt":{"rendered":"<p>There&#039;s an old adage in business: &quot;What got us here won&#039;t get us further.&quot; To stay competitive, companies must constantly adapt and evolve. The same goes for cybersecurity. Cyber threats are growing in complexity and scale, as attackers seek new ways to compromise valuable data. <\/p>","protected":false},"author":1,"featured_media":2050,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[38],"tags":[39,41],"class_list":["post-2013","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-cybersecurity","tag-ecommerce"],"acf":[],"_links":{"self":[{"href":"https:\/\/leonardonetwork.eu\/en\/wp-json\/wp\/v2\/posts\/2013","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/leonardonetwork.eu\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/leonardonetwork.eu\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/leonardonetwork.eu\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/leonardonetwork.eu\/en\/wp-json\/wp\/v2\/comments?post=2013"}],"version-history":[{"count":0,"href":"https:\/\/leonardonetwork.eu\/en\/wp-json\/wp\/v2\/posts\/2013\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/leonardonetwork.eu\/en\/wp-json\/wp\/v2\/media\/2050"}],"wp:attachment":[{"href":"https:\/\/leonardonetwork.eu\/en\/wp-json\/wp\/v2\/media?parent=2013"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/leonardonetwork.eu\/en\/wp-json\/wp\/v2\/categories?post=2013"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/leonardonetwork.eu\/en\/wp-json\/wp\/v2\/tags?post=2013"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}