theNet by CLOUDFLARE

Ecommerce security for the holidays

Preparing retailers for impending cyber security threats

Unsurprisingly, the holiday season brings increased opportunity for cyber attacks, with the ecommerce industry being the primary target. Special events lead to Internet traffic surges — some of which are malicious. And ecommerce security and IT leaders are often overburdened during this time, especially if they need to manage multiple, specialized point solutions.

Based on this trend, the question isn’t whether to prepare for an attack — but rather, which types of attacks pose the biggest risk to your business.

Ecommerce holiday readiness requires some degree of prioritization. In addition to establishing a strong baseline of protection against common web application threats — such as DDoS attacks and zero-day vulnerability exploits — online retailers must identify the specialized attack types that are likely to impact their business and revenue during the holidays, and prepare accordingly.

Answering the four questions below can help kickstart the prioritization process. In doing so, ecommerce organizations will be better positioned to succeed this holiday season — which may make up nearly 20% of their total sales revenue.

  1. How price-sensitive are your products?

  2. How susceptible is your business to inventory shortages?

  3. Do you rely on APIs to enhance your online presence?


Question 1: How price-sensitive are your products?

For some products and services — such as those that are lower-cost, highly commoditized, or widely available — small price differences between competing companies can significantly impact buying decisions. If one company gets even slightly out-priced by a competitor during a holiday promotion, it could see a significant sales drop-off.

For this reason, companies with price-sensitive products should be particularly cautious during the holiday season about scraping bots, which scan a website for pricing information and feed that information back to a competitor. While web scraping is not new, advances in AI have made bots much more efficient at scraping pricing data, content, and more. Using this information, the competitor can ensure their products are marginally cheaper — a significant advantage.

Price scrapers can be trickier to identify than other types of bots since they don’t cause obvious consequences like an increase in failed authentication, unusual purchases, or spikes in new user accounts. Signals to help identify price scrapers include:

  • Traffic spikes that don’t match expected consumer behavior — since price-scraper bots continually scan your site

  • Degraded site performance — for the same reason

  • Increased volume of traffic from AI crawlers to your sites/apps

  • Traffic IP origins pointing back to competitor sites

If you do identify price scrapers on your site — or suspect they might target you during holiday promotions — tactics like rate limiting could help prevent them from impacting site performance. But it will likely still be necessary to invest in a more advanced bot management service that combines real-time threat intelligence with the ability to automatically identify and filter out bad bots (including AI scrapers).
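As an added example (not code from the original article or from Cloudflare), the script below scores clients in a web access log against the scraper signals listed above: request rate, the share of traffic hitting product pages, sequential walking of product IDs (a catalog crawl), and self-identifying AI crawler user agents. The log line format, the /products/ path layout, the crawler user-agent list and every threshold are assumptions for the example; the sample log lines are constructed.

```javascript
// Added example (not Cloudflare's code): scoring access-log traffic for the
// price-scraper signals discussed above. The log format, the /products/ path
// layout, the crawler user-agent tokens and every threshold are assumptions.

// Simplified access-log line: ip ident user [timestamp] "METHOD path proto" status "user-agent"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$/;
const PRODUCT_RE = /^\/products\/(\d+)(?:[/?]|$)/;
// User-agent tokens that identify AI crawlers (assumed list; extend it from your own logs).
const AI_CRAWLER_TOKENS = ['GPTBot', 'ClaudeBot', 'CCBot', 'Bytespider'];
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };
// Thresholds are assumptions; calibrate them against your own baseline traffic.
const THRESHOLDS = { ratePerMinute: 10, productShare: 0.8, sequentialShare: 0.7, minProductHits: 5 };

// Convert "20/Nov/2024:10:00:01 +0000" to epoch seconds (UTC).
function parseTimestamp(ts) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(ts);
  if (!m || !(m[2] in MONTHS)) return null;
  const [, d, mon, y, h, mi, s, sign, oh, om] = m;
  const local = Date.UTC(+y, MONTHS[mon], +d, +h, +mi, +s) / 1000;
  const offset = (+oh * 3600 + +om * 60) * (sign === '+' ? 1 : -1);
  return local - offset;
}

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, ts, method, path, status, ua] = m;
  const time = parseTimestamp(ts);
  if (time === null) return null;
  const product = PRODUCT_RE.exec(path);
  return { ip, time, method, path, status: Number(status), ua, productId: product ? Number(product[1]) : null };
}

// Group parsed lines by client IP and compute the scraper signals for each client.
function analyzeLogs(lines) {
  const byIp = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue; // skip malformed lines rather than abort the analysis
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const reports = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.time - b.time);
    // Rate over the observed span, floored at one minute so a lone request is not "60/min".
    const span = Math.max(60, events[events.length - 1].time - events[0].time);
    const ratePerMinute = (events.length / span) * 60;
    const productHits = events.filter((e) => e.productId !== null);
    const productShare = productHits.length / events.length;
    // Catalog walking: consecutive product requests whose IDs step by exactly one.
    let steps = 0;
    for (let i = 1; i < productHits.length; i++) {
      if (productHits[i].productId === productHits[i - 1].productId + 1) steps++;
    }
    const sequentialShare = productHits.length > 1 ? steps / (productHits.length - 1) : 0;
    const aiCrawler = events.some((e) => AI_CRAWLER_TOKENS.some((t) => e.ua.includes(t)));
    const reasons = [];
    if (aiCrawler) reasons.push('ai-crawler-user-agent');
    if (ratePerMinute >= THRESHOLDS.ratePerMinute && productShare >= THRESHOLDS.productShare) {
      reasons.push('high-rate-product-traffic');
    }
    if (productHits.length >= THRESHOLDS.minProductHits && sequentialShare >= THRESHOLDS.sequentialShare) {
      reasons.push('sequential-catalog-walk');
    }
    reports.push({ ip, requests: events.length, ratePerMinute, productShare, sequentialShare, aiCrawler, reasons, flagged: reasons.length > 0 });
  }
  return reports.sort((a, b) => b.reasons.length - a.reasons.length);
}

// Constructed sample traffic (not real logs): a shopper, a self-identified AI crawler,
// and a scraper walking product IDs 1001..1012 in about 20 seconds with a browser-like UA.
const SAMPLE_LOGS = [
  '198.51.100.20 - - [20/Nov/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"',
  '198.51.100.20 - - [20/Nov/2024:10:01:10 +0000] "GET /products/2057 HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"',
  '198.51.100.20 - - [20/Nov/2024:10:03:40 +0000] "POST /cart HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"',
  '198.51.100.20 - - [20/Nov/2024:10:05:05 +0000] "GET /checkout HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"',
  '192.0.2.33 - - [20/Nov/2024:10:00:20 +0000] "GET /products/1001 HTTP/1.1" 200 "Mozilla/5.0 (compatible; GPTBot/1.0)"',
  '192.0.2.33 - - [20/Nov/2024:10:00:50 +0000] "GET /products/1500 HTTP/1.1" 200 "Mozilla/5.0 (compatible; GPTBot/1.0)"',
  ...Array.from({ length: 12 }, (_, i) =>
    `203.0.113.7 - - [20/Nov/2024:10:00:${String(10 + i * 2).padStart(2, '0')} +0000] "GET /products/${1001 + i} HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) Chrome/119.0"`),
];

console.log(JSON.stringify(analyzeLogs(SAMPLE_LOGS), null, 2));
```

Against the constructed sample, the scraper is flagged for both high-rate product traffic and a sequential catalog walk, the crawler is flagged by its user agent alone, and the shopper is not flagged. A report like this is a triage aid for a rate-limiting or bot-management rule, not a block list on its own: a legitimate price-comparison partner or your own uptime monitor can trip the same signals.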


Question 2: How susceptible is your business to inventory shortages?

Product scarcity may stem from planned marketing tactics, strained supply chains, or excessive demand. Examples of products made scarce by design include high-profile consumer electronics, concert tickets, and limited-edition fashion.

Companies selling these products should be extra cautious of inventory-hoarding bots (aka “grinch bots”) during the holiday shopping season. These bots automatically purchase products or services faster than humans are able to, typically to sell them at a markup on a secondhand market. Limited-edition sneakers, for example, have been the target of a specialized bot category: ‘sneaker bots’. One best-selling musician even attempted to battle sneaker bots by charging a 100x price markup if buyers didn’t have his fan club code.

The effects of inventory-hoarding bots — products getting snapped up in minutes — aren’t difficult to spot. The trouble is, the damage is already done at that point. To block these bots earlier, consider tactics like:

  • Managed challenges: Using managed challenges ensures only real users can make a purchase. However, the industry standard for challenges — CAPTCHA — can create customer friction, and can also be beaten by AI models every time. CAPTCHA alternatives are now available as managed challenges that confirm a user is real without the drawbacks of CAPTCHAs.

  • Rate limiting: Cap how often someone (or something) can repeat an action within a certain timeframe. This helps limit the frequency with which bots and fake users can add items to their cart, only to abandon them.

  • Setting up a ‘honeypot’: A honeypot is a fake target for bad actors that, when accessed, exposes the bad actor as malicious. In the case of a bot, a honeypot could be a webpage on the site that's forbidden to bots by the robots.txt file. Good bots will read the robots.txt file and avoid that webpage; some malicious bots will interact with the web page. By tracking the IP address of the bots that access the honeypot, bad bots can be identified and blocked.
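As an added example (not code from the original article or from Cloudflare), the request guard below combines two of the tactics above: a sliding-window rate limit on add-to-cart requests per client IP, and a honeypot path that robots.txt disallows, so any client that fetches it is marked and blocked for a period. The paths, the limits, the block duration and the request shape are assumptions for the example; the traffic in the scenario is constructed.

```javascript
// Added example (not Cloudflare's code): rate limiting plus a robots.txt honeypot.
// HONEYPOT_PATH, the limits and the request shape {ip, method, path} are assumptions.

// The honeypot page is listed as disallowed; well-behaved crawlers never request it.
const HONEYPOT_PATH = '/internal/restock-preview';
const ROBOTS_TXT = ['User-agent: *', `Disallow: ${HONEYPOT_PATH}`, ''].join('\n');

class BotGuard {
  constructor({ maxAddToCart = 5, windowSeconds = 60, blockSeconds = 3600 } = {}) {
    this.maxAddToCart = maxAddToCart;
    this.windowSeconds = windowSeconds;
    this.blockSeconds = blockSeconds;
    this.cartEvents = new Map();   // ip -> timestamps (seconds) of recent add-to-cart requests
    this.blockedUntil = new Map(); // ip -> epoch seconds until which the ip stays blocked
  }

  // Decide what to do with one request at time `now` (epoch seconds).
  evaluate(req, now) {
    const until = this.blockedUntil.get(req.ip);
    if (until !== undefined && now < until) {
      return { decision: 'block', reason: 'previously-hit-honeypot' };
    }
    if (req.path === HONEYPOT_PATH) {
      // Only a client ignoring robots.txt ends up here; remember it and block.
      this.blockedUntil.set(req.ip, now + this.blockSeconds);
      return { decision: 'block', reason: 'honeypot' };
    }
    if (req.method === 'POST' && req.path === '/cart/items') {
      // Sliding window: keep only the add-to-cart timestamps inside the window.
      const recent = (this.cartEvents.get(req.ip) || []).filter((t) => now - t < this.windowSeconds);
      if (recent.length >= this.maxAddToCart) {
        this.cartEvents.set(req.ip, recent);
        return { decision: 'rate-limit', reason: `over ${this.maxAddToCart} add-to-cart requests in ${this.windowSeconds}s` };
      }
      recent.push(now);
      this.cartEvents.set(req.ip, recent);
    }
    return { decision: 'allow', reason: null };
  }
}

// Constructed scenario: a script hammers add-to-cart, then follows the forbidden link;
// a shopper adds two items a minute apart.
function runScenario() {
  const guard = new BotGuard({ maxAddToCart: 5, windowSeconds: 60, blockSeconds: 3600 });
  const t0 = 1700000000;
  const summary = { botAllowed: 0, botRateLimited: 0, botBlocked: 0, shopperAllowed: 0 };
  for (let i = 0; i < 8; i++) {
    const r = guard.evaluate({ ip: '203.0.113.7', method: 'POST', path: '/cart/items' }, t0 + i);
    if (r.decision === 'allow') summary.botAllowed++;
    if (r.decision === 'rate-limit') summary.botRateLimited++;
  }
  const hit = guard.evaluate({ ip: '203.0.113.7', method: 'GET', path: HONEYPOT_PATH }, t0 + 9);
  if (hit.decision === 'block') summary.botBlocked++;
  // Every later request from that ip is blocked, whatever it asks for.
  const later = guard.evaluate({ ip: '203.0.113.7', method: 'GET', path: '/products/1001' }, t0 + 10);
  if (later.decision === 'block') summary.botBlocked++;
  for (const dt of [0, 65]) {
    const r = guard.evaluate({ ip: '198.51.100.20', method: 'POST', path: '/cart/items' }, t0 + dt);
    if (r.decision === 'allow') summary.shopperAllowed++;
  }
  return summary;
}

console.log(ROBOTS_TXT);
console.log(runScenario());
```

In the scenario the script gets five add-to-cart requests through, the next three are rate-limited, and from the honeypot hit onward everything it sends is blocked, while the shopper's two requests are allowed. Keying on IP alone is the simplest choice and the one the article describes; in production the key should also cover shared NAT and rotating-proxy cases, which is where a managed bot service earns its keep.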

Unfortunately, some of these tactics can hurt the user experience, and may not even stop the most advanced bad bots. Businesses at increased risk from inventory hoarding should invest in dedicated bot management using machine learning and advanced behavioral analysis.


Question 3: How much do you rely on APIs to enhance your online presence?

Aside from perennial threats like website outages and payment fraud, retailers face increased risk from expanding attack surfaces. For instance, many ecommerce businesses rely heavily on APIs for managing their CMS, product inventory, chatbots, payment systems, and more. The increased adoption of headless commerce to help enable hyper-personalized experiences further increases reliance on APIs.

Each new API is a new potential attack surface. But you cannot protect what you cannot see — and roughly a third of organizations lack accurate API inventories. Unknown “shadow APIs” leave organizations vulnerable to data exposure, lateral movement, and other cyber risks.

For example, if an API has an unknown vulnerability, or is susceptible to one of the API top ten security risks, attackers may be able to intercept credit card information. The same consequence could occur in an authentication attack, in which the attacker steals a relevant API key, or intercepts and uses an authentication token.

The first step in preventing these attacks is identifying the APIs in the first place. Running an API endpoint discovery service in the run-up to the holiday season helps identify any at-risk endpoints. Once the endpoints are known, employ the following tactics:

  • Schema validation: Specifically, blocking API calls that do not conform to the API’s ‘schema’ — i.e. the pattern of requests it is supposed to receive.

  • API-specific abuse detection: Understand abusive traffic and utilize API-centric rate limiting to block excessive, abusive API traffic, based on up-to-the-minute understanding of each API endpoint’s traffic.
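As an added example (not code from the original article or from Cloudflare) covering both the discovery step and the schema validation bullet above: the code builds an endpoint inventory from observed traffic, separates endpoints declared in a schema from shadow endpoints that nobody declared, and rejects requests to declared endpoints whose body does not match the declared shape. The schema, the sample traffic and the rule for collapsing IDs into path templates are assumptions; in practice the schema would come from the API's own OpenAPI document.

```javascript
// Added example (not Cloudflare's code): API inventory from traffic plus schema validation.
// API_SCHEMA, the sample traffic and the path-template rule are assumptions.

// Declared endpoints and the exact body each accepts (null = no body allowed).
const API_SCHEMA = {
  'GET /api/products/{id}': { body: null },
  'POST /api/cart/items': { body: { productId: 'number', quantity: 'number' } },
  'POST /api/checkout': { body: { cartId: 'string', paymentToken: 'string' } },
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Collapse concrete resource IDs into a template so /api/products/1001 and
// /api/products/1002 count as one endpoint; the query string is ignored.
function normalizePath(path) {
  return path
    .split('?')[0]
    .split('/')
    .map((seg) => (/^\d+$/.test(seg) || UUID_RE.test(seg) ? '{id}' : seg))
    .join('/');
}

const endpointKey = (req) => `${req.method.toUpperCase()} ${normalizePath(req.path)}`;

// Inventory: count traffic per endpoint template and split declared from shadow.
function discoverEndpoints(requests) {
  const counts = new Map();
  for (const r of requests) {
    const k = endpointKey(r);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  const known = [];
  const shadow = [];
  for (const [endpoint, n] of counts) {
    (hasOwn(API_SCHEMA, endpoint) ? known : shadow).push({ endpoint, requests: n });
  }
  return { known, shadow };
}

// Positive validation: a request passes only if it matches a declared endpoint and its
// body has exactly the declared fields with the declared types. Unknown fields are
// rejected too (hasOwn, not `in`, so prototype names like "constructor" cannot slip through).
function validateRequest(req) {
  const endpoint = endpointKey(req);
  if (!hasOwn(API_SCHEMA, endpoint)) return { ok: false, endpoint, errors: ['undeclared endpoint'] };
  const spec = API_SCHEMA[endpoint];
  const errors = [];
  if (spec.body === null) {
    if (req.body !== undefined && req.body !== null) errors.push('body not allowed');
  } else if (typeof req.body !== 'object' || req.body === null || Array.isArray(req.body)) {
    errors.push('body must be a JSON object');
  } else {
    for (const [field, type] of Object.entries(spec.body)) {
      if (!hasOwn(req.body, field)) errors.push(`missing field ${field}`);
      else if (typeof req.body[field] !== type) errors.push(`field ${field} must be ${type}`);
    }
    for (const field of Object.keys(req.body)) {
      if (!hasOwn(spec.body, field)) errors.push(`unexpected field ${field}`);
    }
  }
  return { ok: errors.length === 0, endpoint, errors };
}

// Constructed sample traffic (not captured from a real system).
const SAMPLE_TRAFFIC = [
  { method: 'GET', path: '/api/products/1001', body: null },
  { method: 'GET', path: '/api/products/1002?ref=email', body: null },
  { method: 'POST', path: '/api/cart/items', body: { productId: 1001, quantity: 2 } },
  { method: 'POST', path: '/api/cart/items', body: { productId: '1001', quantity: 2, unitPrice: 0.01 } },
  { method: 'POST', path: '/api/checkout', body: { cartId: 'c-88a1' } },
  { method: 'GET', path: '/api/products/1001/reviews', body: null },
  { method: 'GET', path: '/api/v0/admin/orders', body: null },
];

console.log(discoverEndpoints(SAMPLE_TRAFFIC));
for (const r of SAMPLE_TRAFFIC) console.log(validateRequest(r));
```

On the sample traffic the inventory shows three declared endpoints and two shadow ones (a reviews sub-resource and an old admin route), and validation rejects the cart request that sends a string product ID and an extra unitPrice field, the checkout missing its payment token, and the call to the undeclared admin route. Rejecting unexpected fields is the part most schema checks skip; it is what stops a client from smuggling in a field the handler was never meant to accept.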

Retailers’ digital footprints continue to grow with the rise of generative AI, livestream selling, and other technologies that use APIs. In the long run, shifting to a DevSecOps approach can ensure that security is built into every phase of the app and API development cycle.


Continuing the prioritization process

Answering these questions is an important step in the risk prioritization process, but it is only a start. Ideally, a business will be able to analyze attack data from prior holiday seasons to predict future threats. They can also consider factors like:

  • Which types of attacks could have the largest financial impact, whether through revenue loss or mitigation costs

  • Which attack types bring the biggest risk of data loss or compromise

  • Which attacks have the highest chances of causing site downtime

  • Whether their application/API security can integrate with security that protects their internal users (i.e., employees, contractors, developers)


Achieving a healthier ecommerce operation with a connectivity cloud

Staying ahead of ecommerce attacks and trends year-round requires a cloud-native, low-latency, secure, and reliable security platform.

To help reduce costs, improve agility, safeguard sensitive data, and defend against evolving threats, Cloudflare’s connectivity cloud delivers both security and performance enhancements. A connectivity cloud is a unified, intelligent platform of programmable cloud-native services that gives organizations greater visibility and control over their IT environments.

Cloudflare unites web application security, API security, third-party tool security, Zero Trust services, and more on a single control plane, with all services powered by peerless threat intelligence.

Taken together, Cloudflare’s services can help you achieve world-class security and performance across your entire digital customer experience, while regaining control and improving agility everywhere in the IT stack.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.


Key takeaways
  • Retail cyber security strategies to prioritize during peak holiday seasons

  • Ecommerce security tips for protecting against bad bots that hurt user experiences and threaten revenue

  • Holiday readiness strategies for defending against API abuse




Dive deeper into this topic.

The performance of customer-facing ecommerce websites and applications is constantly threatened by zero-day exploits, DDoS attacks, bad bots, shadow APIs, and more. Learn about evolving app security risks — and tips for mitigating them — in the State of Application Security Report.