Cyber Monday Kicks Off Holiday Shopping Season With E-Commerce Security Risks

Online shopping websites often lack basic security protections when it comes to PII, allowing malicious actors to capitalize on consumer data or perpetuate retail and hospitality scams.

3 Min Read
Shopping cart with presents in the snow
Source: Valentin Valkov via Alamy Stock Photo

The post-Thanksgiving e-commerce shopping event known as Cyber Monday draws millions of consumers each year seeking out bargains online — to the tune of $11 billion in 2022.

However, amid the purchasing spree, consumers routinely share sensitive personally identifiable information (PII) on e-commerce platforms, including credit card details and addresses, and a recent survey by CyCognito explores the question of whether these sites prioritize security and compliance.

The report unveiled concerning insights on the risk of compromised PII, of which many remain unaware – and discovered substantial pitfalls in the security landscape of Cyber Monday e-commerce platforms.

Even though more than half (52%) of e-commerce Web apps exist in the cloud, the research indicated they aren't immune to security vulnerabilities.

The study revealed 2% HTTPS, the the secure version of HTTP and a protocol for secure data transmission. This poses a risk to around 520,000 of the estimated 26 million global e-commerce stores.

Researchers discovered more than a quarter (28%) of these platforms operate without a Web application firewall (WAF), and nearly one in four (24%) e-commerce Web apps that collect PII are missing a WAF.

Additionally, nearly six in ten (58%) e-commerce Web apps collect user PII, raising concerns about data handling. Equally worrisome is that 78% of these platforms don't seek user consent for cookies, a compliance red flag.

The array of security issues doesn't stop there, with 13% of ecommerce Web apps throwing up certificate validity issues, and just under half (48%) of platforms have one or more cryptographic vulnerabilities.

The report also found that 2% of ecommerce Web apps carry critical security issues, half of which involve PII, and more than three quarters (76%) of these critical issues are easily exploitable.

Rounding out the research findings was the discovery that 7% of all e-commerce Web apps monitored had at least one issue from the OWASP Top Ten list, a commonly used awareness document for developers and Web application security.

Threats Rise As Holiday Shopping Season Kicks Off

On the individual shopper front, it's worth a reminder that Holiday spending perennially catches the eye of threat actors, who exploit consumer behaviors and prey on the surge of online payments and digital activities during the holidays.

This has risks for organizations, too: Companies continually battle credential harvesting, phishing, bots, and various malware variants, with a recent Malwarebytes Labs report warning of a 50% uptick in credit card skimming in 2023 — and that's only set to get worse during the holiday shopping season.

Vandan Pathak, senior application security consultant at Optiv, says scammers are going to activate their plexus network of techniques to entice victims with fake promotions.

"Individuals are highly advised not to entertain any messages or calls they receive which offer them direct holiday discounts," he says. "In the past, we have seen individuals fall for these traps frequently and the number is going to increase during the holiday season."

He notes that individuals must be aware of scammers and fake gift card offers — often, these "offers" come with the light lift of filling out a survey.

"Only, the survey is fake, and the sole result is your personal information is now in the hands of a bad actor," he explains. "These have historically been quite successful tactics during the holiday months."

He adds security front liners, such as network security engineers or analysts, should be attentive to upticks in unusual activity in company environments.

"Attacks on organizations during this time of the year are successful often due to teams' guards being down," Pathak cautions.

About the Author(s)

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights