Cybercriminals targeting e-commerce website vulnerabilities this holiday season
Expect unprecedented levels of online data theft this holiday season due to a lack of deployed client-side security measures.
Disturbing lack of security measures
Tala Security highlights the widespread vulnerability resulting from integrations that enable and enhance website functionality. These integrations, which exist on nearly every modern website operating today, allow attackers to target PII and payment information.
98% of the Alexa 1000 websites were found to be lacking security measures capable of preventing attacks. In related warnings, both the FBI and the PCI Council cautioned that hackers are targeting online credit card information.
“Online merchants and website owners must recognize the critical need for client-side security. The fundamental driver of online commerce — consumer trust — is at stake as attackers target widespread client-side vulnerabilities to steal credentials, credit card numbers, financial data and other PII,” said Aanand Krishnan, CEO and co-founder of Tala Security.
Key findings from the survey
- Only 2% of Alexa 1000 sites have implemented effective controls to prevent personal, financial and credential theft.
- User form data sent, captured on forms available on 98% of websites, is exposed to 10 times more domains than intended by the website owner. This creates a massive opportunity for data theft from attackers.
- The average website relies on 31 third-party integrations, which provide nearly two-thirds of the content customers view on their browsers. This content is delivered via client-side connections that lack effective security controls.
- Most consumers will be surprised to learn that only one-third of the content rendering on their browser is owned, created and served by the owner of the website. The remaining two-thirds is served via client-side connections that lack effective security.
- Although 27% of website owners attempt to deploy security measures, only 2% succeed in deploying effective policies capable of preventing client-side attacks.