
GUEST COMMENT: Three threats to make retailers fret in 2023


Lynn Marks is a senior product manager at Imperva

Like financial institutions and government organisations, retailers are one of the top targets for hackers year-round. Not only do they have access to user accounts with payment data that can be exploited for fraud, but online retail sites too often leverage insecure Application Programming Interfaces (APIs) and third-party JavaScript connections, providing hackers with an abundance of pathways to cause chaos and compromise sensitive data. There is also the risk of DDoS attacks, whereby popular retailer sites are often seen as easy prey – regardless of whether the aim is ransom, creating a diversion for a bigger attack or just causing mischief. Retailers need to be aware of all the risks.

For retailers, attacks can slow down websites, put strain on network infrastructure, or in severe cases, take sites or apps offline completely. For consumers, such activity can have serious financial consequences, like stolen credit card details or online fraud, or needing to pay inflated prices for must-have items (like new gaming consoles or trainers) because bots purchased all the available stock.

To avoid costly outages or major reputational damage at this crucial time of economic flux, it’s essential that retailers invest in their cybersecurity defenses. But what are the top threats that they need to prepare for? New research suggests there are three key dangers set to dominate the agenda as we look to 2023.

Account takeover attacks

Account Takeover (ATO) attacks are when cybercriminals take control of customers’ online accounts using stolen usernames and passwords. Often, they purchase a list of credentials via the dark web. Then, deploying automated bots to try combinations of usernames and passwords, they verify which credentials are legitimate and can be used for fraud. Unfortunately, retailers and ecommerce companies are much more likely to be targeted, with nearly a quarter (23%) of all logins on retail websites found to be ATO attacks – double the average (11.6%) of other industries. In addition, ATO attacks are increasingly executed by advanced bots, i.e. those better able to evade detection and mimic human behavior – the percentage of these attacks jumped from 23.4% to 31.3% between 2021-2022.

Retailers shouldn’t think ATO attacks are limited to holiday shopping season either. If nothing else, as far as attackers are concerned Christmas starts early: last year, ATO attack volumes jumped by 27% in August, a further 23% in September, and a relatively restrained 6% in November as attackers built up their reserves of stolen accounts. Worse still, ATO attacks are becoming harder to stop, with cybercriminals deploying more techniques to avoid detection. In 2022, the percentage of attacks masking their origin increased nearly tenfold, from 3.5% to 33% in just one year.
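The pattern described above (a bot walking a purchased credential list and recording which pairs work) is what an ATO monitor looks for in login telemetry. The following Python is an added illustration, not code from the article or from Imperva; the log format, the IP addresses and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed login events for a hypothetical storefront (timestamp, source
# IP, username, outcome); not real traffic.
LOG_LINES = """\
2022-11-18T10:00:01 203.0.113.7 alice FAIL
2022-11-18T10:00:02 203.0.113.7 bob FAIL
2022-11-18T10:00:02 203.0.113.7 carol FAIL
2022-11-18T10:00:03 203.0.113.7 dave OK
2022-11-18T10:00:03 203.0.113.7 erin FAIL
2022-11-18T10:00:04 203.0.113.7 frank FAIL
2022-11-18T10:00:10 198.51.100.2 alice FAIL
2022-11-18T10:00:20 198.51.100.2 alice OK
2022-11-18T10:01:00 192.0.2.9 gina OK
""".splitlines()

def parse(line):
    # One whitespace-separated event -> (source IP, username, succeeded?)
    _ts, ip, user, outcome = line.split()
    return ip, user, outcome == "OK"

def find_stuffing_sources(lines, min_attempts=5, min_distinct_users=4, max_success_ratio=0.3):
    # A human retrying their own password touches one or two usernames; a bot
    # walking a stolen credential list touches many, and almost all fail.
    # Returns {ip: summary} for sources matching that shape, including the
    # usernames that succeeded (credentials the attacker has now validated,
    # which is the list the retailer needs to force a reset on).
    per_ip = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set(), "validated": set()})
    for line in lines:
        ip, user, ok = parse(line)
        stats = per_ip[ip]
        stats["attempts"] += 1
        stats["users"].add(user)
        if ok:
            stats["ok"] += 1
            stats["validated"].add(user)
    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["ok"] / stats["attempts"]
        if (stats["attempts"] >= min_attempts
                and len(stats["users"]) >= min_distinct_users
                and ratio <= max_success_ratio):
            flagged[ip] = {"attempts": stats["attempts"],
                           "distinct_users": len(stats["users"]),
                           "success_ratio": round(ratio, 2),
                           "validated": sorted(stats["validated"])}
    return flagged
```

The same shape applied per source network or per device fingerprint rather than per IP is what keeps the check useful once attackers start rotating or masking their origin, as the paragraph above notes they increasingly do.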

Distributed denial of service (DDoS)

Layer 7 – or application layer – DDoS attacks aim to bring down a server by exhausting its processing resources with a high volume of requests, crippling infrastructure and causing downtime that can result in losses of hundreds of thousands of pounds per hour. For this reason, DDoS attacks should be at the top of the list of cybersecurity concerns for retailers, especially as the average retail business can expect up to 13 hours of DDoS-related downtime during Black Friday week alone.

This year, a new trend is emerging, where DDoS attacks reach and maintain extremely high rates for several hours, as opposed to only a few minutes at most. Using sophisticated techniques, hackers flooded one retailer’s site with an astonishing 25.3 billion requests during a 5-hour attack. Furthermore, retailers have to be prepared for repeat attacks, as more than half (55%) of websites hit by an application-layer DDoS and 80% hit by a network-layer DDoS were attacked again, usually within 24 hours.

API insecurity

The third key danger retailers need to be wary of is much less obvious, but no less dangerous: API abuse. APIs are the invisible connective tissue that enables applications to share data to improve end-user experiences and outcomes, and they are being used more and more as many websites switch to a single-page application architecture.

Nowadays, customers engage with online retailers in dozens of ways. While websites still play a large role, consumers can make purchases through apps and on all sorts of devices, from a ‘smart’ fridge to their digital home assistant. In order to make this possible, retailers use a type of architecture called Headless Commerce. It ensures websites work seamlessly and as intended between all devices and viewing formats – all of which is underpinned by a series of APIs.

As a result, APIs are essential for enabling the modern ecommerce industry. If nothing else, retailer websites rely on APIs to enable the front-end and back-end to communicate with each other. So, it’s little surprise that more than two-fifths (42%) of online retail traffic, from browsing to transactions, goes through an API. The problem is that many APIs connect to endpoints that contain sensitive data (contact details, credit card numbers, etc.). Because of this, hackers are increasingly targeting APIs as a pathway to access retailers’ most sensitive data. Indeed, recent research found that up to 12% of all cyber incidents in the retail industry can be attributed to API insecurity. And, as ecommerce continues to grow in complexity, this figure is likely to rise over the next 12 months.

Taking action

Combating these threats isn’t easy and there is no silver bullet to ensure an attack won’t succeed. Instead of just waiting for the next big attack to happen, retailers should take steps now to safeguard themselves. This could include organisations ensuring they have an inventory of which APIs they actually have and use, what those APIs connect to, and their associated vulnerabilities. Investing in DDoS mitigation is also necessary, as is the ability to monitor for ATO attacks at all times. This will prevent the root cause of most of the big attacks that retailers face and help protect them for the year ahead. However, if the worst does happen, it’s vital retailers also have disaster recovery processes in place so they can resume operations with minimal damage or disruption. Taking these steps is a crucial stage in helping to make the industry safer.
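The API inventory recommended above can be started from the API definitions a retailer already publishes. As an added example (not the article’s or Imperva’s code), the Python below walks a constructed OpenAPI 3 document, records which operations require authentication and which return personal or payment fields, and surfaces the combination that matters most: sensitive data reachable with no authentication. The storefront paths and the list of sensitive field names are assumptions.

```python
# Added example: build an API inventory from an OpenAPI 3 document and flag
# operations that return personal or payment data without requiring auth.

def obj(**props):  # object schema from property-name -> type pairs
    return {"type": "object", "properties": {p: {"type": t} for p, t in props.items()}}

def ok_json(schema):  # an operation whose 200 response is JSON of the given schema
    return {"responses": {"200": {"content": {"application/json": {"schema": schema}}}}}

SPEC = {  # constructed, hypothetical storefront; global default is bearer-token auth
    "security": [{"bearerAuth": []}],
    "paths": {
        "/products": {"get": {"security": [],  # deliberately public, nothing sensitive
                              **ok_json({"type": "array", "items": obj(sku="string", price="number")})}},
        "/customers/{id}": {"get": ok_json(obj(email="string", phone="string"))},
        "/orders/{id}/payment": {"get": {"security": [],  # auth switched off on card data
                                         **ok_json(obj(card_number="string", cvv="string"))}},
    },
}

SENSITIVE = {"email", "phone", "address", "card_number", "cvv", "password"}

def sensitive_fields(schema):
    # Recursively collect property names that look like personal or payment data.
    found = set()
    if not isinstance(schema, dict):
        return found
    for name, sub in schema.get("properties", {}).items():
        found |= ({name} if name.lower() in SENSITIVE else set()) | sensitive_fields(sub)
    return found | sensitive_fields(schema.get("items"))

def inventory(spec):
    # One record per operation. Operation-level "security" overrides the global
    # list, and an empty list means the operation needs no authentication at all.
    rows = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            requires_auth = bool(op.get("security", spec.get("security", [])))
            fields = set()
            for resp in op.get("responses", {}).values():
                for media in resp.get("content", {}).values():
                    fields |= sensitive_fields(media.get("schema"))
            rows.append({"path": path, "method": method.upper(),
                         "auth": requires_auth, "sensitive": sorted(fields)})
    return rows

def unauthenticated_sensitive(spec):
    # Highest-priority findings: sensitive data reachable with no authentication.
    return [r for r in inventory(spec) if not r["auth"] and r["sensitive"]]
```

Operations that are not in any published definition at all will not appear here, so the inventory should be reconciled against observed traffic to catch undocumented endpoints.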
