Site Speed and Security: 2 Sides of the Same Coin

The recently published Site Speed Standard benchmarking data has proven that site speed and performance are critical to higher conversion rates and lower bounce rates. But the other important topic that eCommerce brands must keep top of mind is cybersecurity. A secure site is just as important as speed and performance when it comes to protecting a brand’s bottom line. Fast page load reduces bounce rates and improves conversions, but if your site has a reputation for being unsecure, shoppers won’t buy from it, no matter how well it performs. Read on to learn about cyber-attack vectors that threaten your customers’ data and your brand’s reputation.

What are attack vectors?  

Attack vectors are a method for cyber thieves to exploit holes in an organization’s network or its users’ browsers. Cyber thieves’ main goal is to overtake, steal, or harm, and they are constantly looking for weaknesses in systems and sites. For eCommerce brands, unmonitored 3rd party technologies are one of the biggest gateways to a cyber-attack.

What attack vectors exist in the eCommerce world?  

There are a multitude of attack vectors that affect the eCommerce industry. Some of the most famous are Magecart attacks, where attackers gain access to websites via 3rd party services by injecting malicious JavaScript. This allows attackers to steal customers’ personal identifiable information (PII) like card numbers, addresses, phone numbers, etc.  

Here is a comprehensive list of attack vectors that exist in the eCommerce world:

• Content Tampering: Altering the data sent between a client and a server
• Customer Journey Hijacking: Stealing visitor sessions by injecting unauthorized ads
• Clickjacking: Tricking a user into clicking on something different from what the user perceives, potentially revealing confidential information
• Cookie Stealing: allows an attacker to steal sensitive information like login details, session tokens, credit card details, etc. from Cookies that can be further used for various kind of attacks like identity theft, account takeovers, targeted phishing attacks and more
• DDoS: A hostile attempt to disrupt the normal traffic of an earmarked server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic

• Bot Attacks: The use of automated web requests to manipulate, defraud, or disrupt a website, application, API, or end-users
• Client-side Malware: Client-side attacks when a user downloads malicious content
• Magecart: Malicious hacker groups who target online shopping cart systems to steal customer payment card information
• Cross-Site Scripting (XSS): A type of injection, in which malicious scripts are injected into otherwise benign and trusted websites
• Tag Piggybacking: Tag piggybacking is when one marketing tag triggers another. This can lead to dozens or even hundreds of additional tags being launched without the website owner’s knowledge causing data security and privacy issues, as well as impacting website performance

• Session Redirects: Finding the session ID (SID) of an active user to impersonate or hijack
• Sensitive/PII Data Theft: Theft of personally identifiable information, or PII, that could be used to identify a particular person. Examples include a full name, social security number, driver's license number, bank account number, passport number, and email address
• Third/First Party Compromise: Malware infiltrates your system through an outside partner or provider with access to your systems and data
• MiTB Attacks: The attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other
• Cryptojacking: Unauthorized use of someone else's computer to mine cryptocurrency

• Malicious iFrame Injection: An attack that combines malicious JavaScript with an iframe that loads a legitimate page in an attempt to steal data from an unsuspecting user
• Cookie Stuffing/Affiliate Fraud: An illegitimate technique where a third-party drops multiple affiliate cookies on a user’s browser in order to claim the commission out of sales happening from that browser

The list will continue to grow because cyber thieves are always finding new and creative ways to gain information and cause damage.

What is the impact on brands if they are attacked?  

Brands can face major lawsuits and settlements, lose out on revenue, and take a big hit to their brand image if their security posture is weak and they’re attacked. Remember when Target underwent a major attack via a 3rd party vendor, with nearly 70 million people having their PII stolen? The settlement cost the company millions of dollars, with additional money being spent to tighten security measures. For a giant like Target, this may have been a slap on the wrist. But for niche brands, this could be disastrous.  

How can brands protect against different attack vectors?  

The amount and variety of attack vectors can be overwhelming. Maintaining a robust security posture takes layers of defense capabilities procured from different vendors. One security vendor can’t offer the whole solution, so online retailers need to keep current with the options that are available. Brands should seek out different security measures to keep their sites secure. The most important thing to do is continue to add and maintain layers of defense against cyber-attacks to keep your site, your reputation, and your bottom line safe.

‍