Risks of Third-Party Services for E-Commerce Sites
Significant exposure to third-party risk could cost e-commerce websites millions of dollars in damages and lost revenue, according to a new study by Jscrambler, a maker of security products for protecting web and mobile apps. The study is based on an analysis of two billion user sessions on e-commerce websites.
Third-party services running on the sites attempted to leak 144,000 customer data records, which could have led to US$1.6 million in damages.
Jscrambler researchers also discovered 1.4 million customer hijacking attempts, mostly originating from browser extensions, which could have resulted in $2.9 million in lost revenue.
In addition, 5% of all customer e-commerce sessions were actively interfered with by attackers, on websites where 81% of the code originated with third parties.
To keep up with the pace of the market, companies cannot afford to develop every component of their e-commerce websites internally, so their best option is to use plug-and-play third-party services to handle everything from analytics to customer service.
These third-party services give attackers an attractive way to breach these websites and get hold of sensitive user data, the researchers say.
Reducing third-party risk is very challenging for organizations.
Even if the code a site writes itself is built to be secure, plugins or other software dependencies can inadvertently or maliciously introduce vulnerabilities or data leaks that expose users to risk, according to ecommercetimes.com.
Reasons
- Software upgrades often require dependency upgrades, and ensuring that those downstream changes do not introduce risk is challenging. It is especially difficult to keep verifying this over time.
- Client-side issues can be even harder to detect and mitigate. For example, there have been several cases where third-party browser plugins or extensions that originally served a useful purpose were later sold by the original developer to another organization, which then introduced spyware to eavesdrop on users, or redirects that send users to a different e-commerce site than the one they intended to visit.
Because most browser plugins auto-update, many users are unaware that the malware has been installed on their system.
- These applications and libraries do not operate in a vacuum. They can be used in unexpected combinations that create their own vulnerabilities, or be compromised without anyone realizing it.
When code from multiple vendors is in play, and is being updated or altered at unpredictable times, it is difficult for the e-commerce site's developers to stay ahead of the potential security risks.
Because they are widely distributed, third-party applications and libraries are an inviting target for attackers: it is more efficient to compromise one widely used framework than to break into hundreds of separate websites.
- Website size can also influence how susceptible a site is to third-party risk. Small sites based on open-source software such as WooCommerce / WordPress, CS-Cart, or PrestaShop face different problems than large commercial sites.
Vulnerabilities in open-source software and plugins are frequently reported, but small shop owners typically have no central source of vulnerability and remediation information.
Larger e-commerce platforms, such as Shopify, Wix and GoDaddy, have larger security teams that handle much of the patching, but they also tend to use a lot of custom code and typically do not issue advisories for vulnerabilities in their platforms, since the customer cannot remediate them. This may mean their website operators hear about an issue months after it happens, potentially long after their own customers have been affected.
- The e-commerce space is particularly prone to hyper-competitiveness, and this competitive pressure can also play a role in increasing risk. That sort of environment rewards hasty execution, and haste is the natural enemy of security.
Third-party risk is something all websites face, but it can be a greater threat to e-commerce sites.
Because personally identifiable information and payment data are part of interacting with an e-commerce website, vulnerabilities that are common but often fairly benign elsewhere, such as reflected cross-site scripting, can have an outsized impact on an e-commerce site.
Surprise
Jscrambler's report also found a variety of third-party scripts running on the websites monitored for the study that were completely unknown to their security teams. Other teams inside the company may add scripts without the security team's knowledge, or third-party scripts may start adding fourth parties to the website.
Moreover, a significant portion of the thousands of attempted data leaks originated from scripts that were known to the security teams and assumed to be trustworthy.
These findings illustrate how dynamic all of these services are, and how quickly a benign third-party service can become compromised and leak sensitive data without the victim websites being aware of it.
It is no surprise, then, that security standards such as PCI DSS now require e-commerce websites to keep an updated inventory of all of their website's scripts and to monitor in real time for the addition of any malicious code, such as e-commerce skimming code.
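The script-inventory control described above, and the fourth-party loaders mentioned in the Surprise section, can be checked offline against a page snapshot. The following Python is an added example, not code from Jscrambler or the report; the inventory, hostnames, paths and page snapshot are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser

# Constructed inventory (hostnames and paths are hypothetical): external scripts
# are approved by exact URL, inline scripts by the SHA-256 of their body.
APPROVED_EXTERNAL = {"/static/checkout.js", "https://cdn.analytics-vendor.example/tag.js"}

def inline_hash(body):
    """Fingerprint of an inline script body; surrounding whitespace is ignored."""
    return hashlib.sha256(body.strip().encode("utf-8")).hexdigest()

APPROVED_INLINE = {inline_hash("window.dataLayer = window.dataLayer || [];")}

class ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and inline <script> bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None  # list while inside an inline <script>, otherwise None
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def audit_scripts(html, approved_external=APPROVED_EXTERNAL, approved_inline=APPROVED_INLINE):
    """Return (unapproved external script URLs, hashes of unapproved inline scripts)."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    unknown_external = [u for u in parser.external if u not in approved_external]
    unknown_inline = [h for h in map(inline_hash, parser.inline) if h not in approved_inline]
    return unknown_external, unknown_inline

# Constructed page snapshot: the approved analytics vendor now loads a fourth party,
# an unlisted tracker has appeared, and one inline script is not in the inventory.
SAMPLE_PAGE = """<script src="/static/checkout.js"></script>
<script src="https://cdn.analytics-vendor.example/tag.js"></script>
<script src="https://cdn.analytics-vendor.example/fourth-party-loader.js"></script>
<script src="//stats.unknown-tracker.example/s.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>console.log('promo banner v2');</script>"""
```

Running `audit_scripts(SAMPLE_PAGE)` reports the two unlisted URLs and the hash of the unknown inline script; approving by exact URL rather than by vendor hostname is what makes the vendor's new fourth-party loader visible.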