theNet by CLOUDFLARE

Security for the holidays

Preparing e-commerce for impending threats

To no surprise, the holiday season brings with it increased opportunity for cyber attacks; with the e-commerce industry being the primary target. No matter what an organization sells online — be it clothing, electronics, travel experiences, or what have you — holiday-themed promotions are an unfortunately popular target for attackers as Security and IT are often overburdened during this time and more likely to be caught off guard.

Based on this trend, the question isn’t whether to prepare for an attack — but rather, which types of attacks pose the biggest risk to your business.

Effective security requires some degree of prioritization in addition to establishing a strong baseline of protection against common web application threats — such as DDoS attacks and zero-day vulnerability exploits — and predicting which more specialized attack types are likely to affect the business during the holidays, and preparing accordingly.

Answering the four questions below can help kickstart the prioritization process. In doing so, e-commerce organizations will be better positioned to succeed this holiday season — which may make up as much as 30% of their annual revenue.

  1. How price-sensitive are your products?

  2. Are your products available in limited qualities?

  3. Do you use a third-party payment system?

  4. Do you accept cryptocurrency payments?


Question 1: How price-sensitive are your products?

For some products and services — such as those that are lower-cost, highly commoditized, or widely available — small price differences between competitive companies can significantly impact customer buying decisions. If one company gets even slightly out-priced by a competitor during a holiday promotion, it could see a significant sales drop-off.

For this reason, companies with price-sensitive products should be particularly cautious during the holiday season about price-scraping bots, which scan a website for pricing information and feed that information back to a competitor. Using this information, the competitor can ensure their products are marginally cheaper — a significant advantage.

Price scrapers can be trickier to identify than other types of bots since they don’t cause obvious consequences like an increase in failed authentication, unusual purchases, or spikes in new user accounts. Signals to help identify price scrapers include:

  • Traffic spikes that don’t match expected consumer behavior — since price-scraper bots continually scan your site

  • Degraded site performance — for the same reason

  • Traffic IP origins pointing back to competitor sites

If you do identify price scrapers on your site – or suspect they might target you during holiday promotions — tactics like rate limiting could help prevent them from impacting site performance. But, it will likely still be necessary to invest in a more advanced bot management service that uses machine learning and detailed threat intelligence to filter out automated traffic.


Question 2: Are your products available in limited quantities?

For some products, scarcity is a valuable marketing tactic. Examples include high-profile consumer electronics, concert tickets, limited-edition fashion, and even NFTs.

Companies selling these products should be extra cautious of inventory-hoarding bots (aka “grinch bots”) during the holiday shopping season. These bots automatically purchase products or services faster than humans are able, typically to sell them at a markup on a secondhand market. Limited-edition sneakers, for example, have become the target of a specialized bot category; ‘sneaker bots’.

The effects of inventory-hoarding bots — products getting snapped up in minutes — aren’t difficult to spot. The trouble is, once you notice them, the damage is already done, and your real customers are already frustrated. To prevent these bots from ever completing their work, consider tactics like:

  • Challenges: Using managed challenges ensures only real users can make a purchase. CAPTCHA alternatives are now available as managed challenges that confirm a user is real without the poor experience of CAPTCHAs.

  • Rate limiting: To limit the frequency with which a bot can purchase inventory.

  • Setting up a ‘honeypot’: A honeypot is a fake target for bad actors that, when accessed, exposes the bad actor as malicious. In the case of a bot, a honeypot could be a webpage on the site that's forbidden to bots by the robots.txt file. Good bots will read the robots.txt file and avoid that webpage; some malicious bots will interact with the web page. By tracking the IP address of the bots that access the honeypot, bad bots can be identified and blocked.

Unfortunately, some of these tactics can hurt the user experience, and may not even stop the most advanced bots — so companies at risk from inventory hoarding may also have to invest in dedicated bot management using machine learning and advanced behavioral analysis.


Question 3: Do you accept credit card payments?

Every e-commerce company must protect its payment system from a variety of threats during the holiday season. For example, credit-card stuffing attacks bombard a payment system with stolen credit card numbers, and agecart attacks skim the credit card numbers from customers.

But companies using third-party payment services have something else still to worry about — securing the payment API. If the API has an unknown vulnerability, or is susceptible to API top ten security risks, attackers may be able to intercept credit card information. The same consequence could occur in an authentication attack, in which the attacker steals a relevant API key, or intercepts and uses an authentication token.

The first step in preventing these attacks is often identifying the APIs in the first place. Among industries, retail has seen the second-fastest growth in API traffic, making it important for e-commerce companies to use an API endpoint discovery service in the run-up to the holiday season. Once they’ve identified any at-risk endpoints, they can employ the following tactics:

  • Schema validation: Specifically, blocking API calls that do not conform to the API’s ‘schema,’ — i.e. the pattern of requests it is supposed to receive.

  • API-specific abuse detection: Understand abusive traffic and utilize API-centric rate limiting to block excessive, abusive API traffic, based on up-to-the-minute understanding of each API endpoint’s traffic.

API security tactics are also important for other third-party services — e.g. inventory trackers, location-based services, and dynamic pricing tools — but payment systems may be the most appealing target due to their use of financial data and thus deserve particular attention during holiday promotions.


Question 4: Do you accept cryptocurrency payments?

All cryptocurrency transactions are recorded on a corresponding blockchain — a long list of records that live on a decentralized network of many computers. To connect online stores to these decentralized networks, most businesses use a specialized API or gateway service.

In theory, blockchain transactions cannot be falsified or altered — but this is untrue of the corresponding API. These connectors are common targets for cryptocurrency theft. And since cryptocurrencies are a fast-moving and unregulated market, their corresponding APIs and gateways may not get the same security scrutiny as other payment tools.

To prevent these threats from disrupting cryptocurrency payments during the holiday season, e-commerce companies should explore the same API security tactics mentioned above — namely, schema validation and WAF rules.


Continuing the prioritization process

Answering these questions is an important step in the risk prioritization process, but they are only a start. Ideally, a business will be able to analyze attack data from prior holiday seasons to predict future threats. They can also consider factors like:

  • Which types of attacks could have the largest financial impact, whether through revenue loss or mitigation costs

  • Which attack types bring the biggest risk of data loss or compromise

  • Which attacks have the highest chances of causing site downtime

Cloudflare can help with prioritization, Cloudflare Security Center is included in every plan and helps organizations inventory their IT assets, enumerate potential security risks, and more easily investigate potential threats.

Additionally, Cloudflare’s application security services can help mitigate all of the threats outlined in this article, as well as DDoS attacks, bot attacks of all kinds, zero-day vulnerabilities, and more.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.


Key takeaways
  • Which specialized web application threats are a greater risk to your organization

  • When to pay particular attention to API security, bot management, and other security considerations

  • Why strengthening your security posture matters during the holidays




Dive deeper into this topic.

Learn more about important considerations in web application security. Get the Gartner MQ for Web Application and API Protection.

Receive a monthly recap of the most popular Internet insights!