Christmas is right around the corner and winter sales are arriving too. Online shopping is planned. Your banners, packaging and special offers are ready, but did you think of your website’s security?
We won’t remember you to update and install patches or to watch suspicious operations (what you are already doing), but we concentrate on three elements to protect your client data and to reassure them about your security level.
1/ HTTPS certificate
Using HTTPS is indispensable for an e-commerce website. Users expect to see the well-known padlock on pages where they give their information. Many people only rely on an URL starting with HTTPS and the padlock to judge the reliability of a website.
However, malicious hackers do know it too. Now they create websites with an HTTPS certificate to deceive users. A study from Phishlabs estimates that in the 3rd quarter 2018, 49% of phishing websites are using an HTTPS certificate.
(We detail here how to identify suspicious emails to avoid phishing attacks, which can be tricky even for experienced users.)
Indeed, the classic HTTPS certificate is a domain validated certificate. It only indicates that exchanges are encrypted between the browser and the website. It does not verify the content nor the identity of the website’s owner.
To counter that, more complete HTTPS certificates exist, that require a control by a Certificate Authority to be delivered:
- the organization validation certificate (OV SSL), which will include your name in the certificate,
- the extended validation certificate (EV SSL), which will display your commercial and company name in the address bar, in most browsers with a green background.
With a click on the padlock, the extended validation certificate gives complementary information: the city and country of the head offices of the company, details about who issued the certificate and other technical information, as you can see on the left.
You can dedicate a paragraph or a page on your site to explain your certificate to your customers. This will strengthen their trust towards you and will give them the keys to identify that they are on the right website.
2/ Your domain name
Your domain name is the base of your online presence. Its misappropriation is interesting attackers for creating fake websites copying yours, in order to steal personal and financial data, to conduct phishing attacks, etc. especially during the holidays season when orders are placed by people less comfortable online.
Your domain name can be misappropriated by registering:
- A close domain name with a spelling error,
- A name with a different top-level domain, (did you know there are 1535 TLDs?*)
- A name with a typographical change voluntary confusing.
To prevent that, register domain names that are very close to yours, as well as coherent extensions with your activity (for example .blog, .support, .delivery, .booking, etc.).
Of course, you cannot buy all possibilities, but to limit risks is important.
Users are more and more conscious of the risks and remain distrustful during e-commerce purchases. You can remember your customers to check carefully the address of the website on which they are before they type their credentials or place an order.
Moreover, you can detail on your website your processes (for returns, when changing a delivery address…), in order that your customers know if the email (or the text message) they receive is planned and true.
3/ Mixed contents
Mixed contents are for example images, audio files or a chatbot, which use HTTP in an HTTPS page. Mixed contents are either passive, which means they will get contents from a source that is not in HTTPS. Or it can be an active mixed content which interacts with the page, like a script.
When surfing on a website mixing secured and not secured contents, some browsers do not charge at all mixed contents, which leaves empty areas on pages or creates bugs.
In other cases, the browser indicates an alert about non-secured elements on the page. For your users, two reactions are possible. Either they listen to the alert, and leaves your website. Or they stay on your site, but with a doubt about security, and most probably won’t place an order.
In both cases, your visitors will think that you do not handle security correctly on your website. The mixed contents have damaged your brand image, what you do not want in this heavy spending period.
Risk that mixed contents are modified by attackers is real, for example to steal information given on the page (man-in-the-middle attack), or to modify content displayed, in order to harm you.
To remedy this risk, pay attention to everything that is used in your pages, and that resources are coming from secured pages.
Online customers are more and more aware of risks and want to have more information about how to protect themselves.
It is time for online retailers to reinforce the trust bond with their customers by giving them keys to understand the actions they put in place in order to guarantee the security of purchases.
*Source: ICANN, 4th Dec. 2018