One of the most common attacks in this sector is a database breach. Often, such attacks result in a loss of customer data, including names, physical addresses, phone numbers, e-mail addresses and payment information. Since trust is especially important in e-commerce, the loss of customer data can be very damaging to an online company’s reputation and business performance. This is true even if the attacker is an unsophisticated “script kiddie” who is just showing off for friends or messing around for fun. Also, the impact of a breach can go far beyond reputation damage, depending on where in the world it occurred. A number of US states have already instituted breach notification laws, and the EU is expected to follow shortly. Such laws require organizations to come forward and publically admit they were breached. The EU directive also includes heavy fines.
Online payment systems are another vulnerable area that is often attacked. The ability to accept payment is critically important for online businesses, since it is one of the last steps in a customer’s purchase journey. As such, the financial impact of a payment system attack can be enormous, depending on its duration. After all, if customers can’t pay, they can’t buy.
Most e-commerce sites outsource payment processing to a variety of third-party providers that promise high availability of their payment services. However, these providers are increasingly being targeted with denial-of-service attacks, particularly by hacktivists that want to disrupt an organization in a highly visible way.
Payment-related attacks are also appealing to criminals looking for financial gain. Saving a customer’s credit card data in an internal database might seem like a good way to make the shopping process more convenient, but it creates an attractive target for cyber- criminals. Payment processing vendors are even more attractive to attack, since the potential for a big score is much greater. In the brick-and-mortar world, cyber-criminals have developed a variety of techniques for skimming credit cards at Point of Sale (POS) terminals and ATMs. Also, they have developed a wide range of attack vectors targeted directly at online payment vendors. Some of the most sophisticated attacks use a combination of online and traditional physical techniques to increase their effectiveness.
Attacks on a payment vendor can be just as damaging to a company’s reputation as attacks that target the business directly, since most customers don’t see a distinction between an organization and its service providers.
