Four common security errors made by webshops

Webshops are frequently targeted by cybercriminals. Personal data, passwords, PINs, and bank and credit card details are valuable black market commodities. And hackers often have little trouble getting hold of them, because many webshops' security simply isn't up to scratch.

Last week, we were present at the Webwinkel Vakdagen ('Webshop Trade Days') answering webshop proprietors' security questions. From our work in this field, it's clear that four security errors crop up again and again. To help you avoid them, they are described below.

1. Out-of-date software

Many webshops use out-of-date software and CMSs, often making it impossible to install updates. Updates are vital for a webshop's security and stability. If updates can't be made, the risk of security breaches is much higher. As soon as hackers discover a weakness in a widely used software package, they go all out to infect sites running that product. Robots are deployed to systematically search the internet for sites to attack. When the crooks find one, they use the weakness in the old software like an unlocked back door. Before you know it, they have made off with your data and maybe even taken your webshop off line. So it pays to make sure that you've always got the latest version of your software and to install updates at the first opportunity.

2. No open standards

For computers around the world to exchange data, international agreements are needed about how the machines should talk to each other. Those agreements, the digital plugs and sockets that connect everything together, are called internet standards. However, the original standards lack the security and scalability needed for the modern world. The good news is that updated versions are now available, which don't have the weaknesses of the originals. The bad news is that, in practice, the out-of-date standards are still in widespread use. That's something that really needs to change. Every webshop proprietor should be using the following new open standards:

  • IPv6: a huge, modern series of internet addresses

  • DNSSEC: security extensions for domain names

  • TLS: secure connections

  • DKIM, SPF and DMARC: anti-phishing and anti-spoofing standards for secure e-mail

If you want to find out more about the open standards and check whether your website is using them, you can do the self-test on internet.nl.

3. Incorrect data in the Whois

Whois is a protocol for looking up details of a domain name or IP address in a database. In our Whois, it's easy to see what information about your domain name is recorded in the .nl Whois database. It's important that the details are up to date, because webshop visitors can then verify that the domain name really is yours. Another reason for checking what the database says about your domain name is that it's not uncommon for domain names to be registered in someone else's name, e.g. the name of your web designer. That can lead to problems if, for example, you want to switch to another service provider.

4. No SSL certificate

For security reasons, a functional SSL certificate is very important. An SSL certificate enables the encryption of data, so that outsiders can't read it. Every webshop or website should have one. Or, even better, an Extended Validation SSL certificate. That's a certificate that additionally validates the webshop proprietor. It's only with an Extended Validation SSL certificate that you get the familiar green padlock symbol in the address bar, which consumers look for. An added advantage of a sound SSL certificate is that nowadays it counts towards your Google SEO ranking. Coming out higher in search results means more traffic and more potential turnover. So having a certificate is a win-win situation.

One final tip for webshop proprietors: check that your hosting service provider's security is up to the mark. A good, reliable hosting firm will take care of many of the things described above, so that your customers can shop securely.