How secure is your Magento website?
By Yasmin Duggal / 28th May 2021
There are more than 250,000 merchants using the Magento open commerce platform around the world, resulting in millions of users accessing a Magento website every day.
That was before the Covid-19 pandemic hit and drove a colossal surge in online activity and, unsurprisingly, consumers significantly exceeded spending predictions. In 2019 there were two days of digital sales that reached $2 billion, and in 2020 there were more than 130.
But such a significant increase in online activity comes with a price. It creates the perfect breeding ground for cyber-attackers who can hide illicit behavior amongst the noise. We saw evidence of this throughout 2020, when 96% of eCommerce enterprises reported that card fraud posed a significant online threat to their business.
During our recent webinar, we discussed why Magento merchants must make cybersecurity a priority in 2021, with insights from Matt Parkinson, CEO at Gene Commerce, and Matthew Gracey-McMinn, Head of Threat Research at Netacea.
How to secure your Magento website
No platform offers 100% protection against cyber-attacks, so the Magento platform itself is only as secure as you are willing and able to make it.
For the two thirds of Magento merchants still running the outdated Magento 1 platform (which reached end of life in June 2020), securing the business must begin with upgrading to Magento 2. Without that move, merchants are running software that no longer receives official security patches, so every newly discovered flaw stays open.
For many Magento merchants, working through what Matt Parkinson refers to as the must-do checklist for Magento security is an effective first step:
- Compliance with PCI DSS (Payment Card Industry Data Security Standard)
- Change default admin username
- Change admin URL
- Use two-step verification for Magento admin login
- Use IP allow listing for Magento admin
- Set a strong password policy and criteria
- Rate limit login attempts for Magento admin
- Enable CAPTCHA for login, account register and contact forms
- Set recommended file and directory permissions
- Set recommended admin user roles and permissions
- Apply security patches from a trusted source such as the Adobe marketplace
- Secure your server with a web application firewall (WAF)
What are the cybersecurity threats to Magento websites?
Let’s focus on point three, the admin URL, and why it is critical to Magento security. Out of the box a Magento site’s admin panel sits at /admin, and to a cybercriminal that path is a signpost to the door of your back office. Merchants can rename or obfuscate the URL, but this is a light-touch measure: the new path is easily discovered, so it only raises the cost of finding the login page rather than protecting it. The only way of truly protecting the admin is to restrict it to allow-listed IP addresses or, better still, to require multi-factor authentication (MFA).
Neglecting this measure exposes the website to Google dorking, a technique widely used by adversaries to find exposed systems and security weaknesses using Google’s advanced search operators. In the Google Hacking Database (GHDB) our threat research team found a search entry targeting Magento 1 admin pages [Fig. 1]. Using that very simple search, the team was able to return 138,000 admin login pages belonging to sites running Magento 1 with the default /admin URL, in less than one second [see Fig. 2].
An attacker then points a bot at the login page and performs a credential stuffing attack, firing thousands of username and password combinations at it until one matches and the account is taken over. The attacker now has access to the website’s back office, which holds a wealth of data relating to both the business and its customers.
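The IP allow listing recommended above for the admin path is only as good as the address it is applied to. Sites behind a CDN or WAF see the proxy's address as the TCP peer and must read the real client from X-Forwarded-For, but that header is attacker-controlled on any direct connection. The following is an added example (not code from the original post, from Netacea or from Magento) showing how the decision should be made: only trust X-Forwarded-For when the peer is one of your own proxies, walk the header from the right, and fail closed on anything malformed. The admin front name, the allow-listed ranges and the proxy ranges are assumed values for the example, and the request paths are constructed.

```python
import ipaddress
import posixpath
from typing import Mapping

# Assumed values for this example: replace with your own ranges.
ADMIN_FRONTNAME = "admin"  # the admin path segment (Magento lets you customise it)
ADMIN_ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8",)]  # your WAF / load balancer


def _in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def is_admin_path(path: str) -> bool:
    """True for any request routed to the admin front name, after normalising
    dot-segments, double slashes, the /index.php prefix and letter case, so
    /index.php/Admin/../admin/ is treated the same as /admin."""
    norm = posixpath.normpath("/" + path.split("?", 1)[0])
    segments = [s for s in norm.split("/") if s]
    if segments and segments[0].lower() == "index.php":
        segments = segments[1:]
    return bool(segments) and segments[0].lower() == ADMIN_FRONTNAME


def resolve_client_ip(peer_ip: str, headers: Mapping[str, str]):
    """Return the address to authorise.

    X-Forwarded-For is only meaningful when the TCP peer is one of our own
    proxies; a client connecting directly can write anything into it. Even
    then, walk the header from the right (the end our proxies appended) and
    take the first address that is not a trusted proxy. Anything malformed
    falls back to the peer address, which fails closed because a proxy
    address is never on the admin allow list."""
    peer = ipaddress.ip_address(peer_ip)
    if not _in_any(peer, TRUSTED_PROXIES):
        return peer
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return peer


def admin_request_allowed(path: str, peer_ip: str, headers: Mapping[str, str]) -> bool:
    """Storefront paths are public; the admin path requires an allow-listed client."""
    if not is_admin_path(path):
        return True
    return _in_any(resolve_client_ip(peer_ip, headers), ADMIN_ALLOWLIST)


if __name__ == "__main__":
    # Constructed requests: direct hits, a spoofed header, and traffic via the proxy.
    cases = [
        ("/catalog/product/view/id/1", "192.0.2.10", {}),
        ("/admin", "203.0.113.5", {}),
        ("/admin", "192.0.2.10", {"X-Forwarded-For": "203.0.113.5"}),
        ("/index.php/Admin/../admin/", "10.1.2.3", {"X-Forwarded-For": "203.0.113.5"}),
        ("/admin", "10.1.2.3", {"X-Forwarded-For": "203.0.113.5, 192.0.2.10"}),
    ]
    for path, peer, hdrs in cases:
        print(f"{path:28} peer={peer:12} xff={hdrs.get('X-Forwarded-For', '-'):26} "
              f"allowed={admin_request_allowed(path, peer, hdrs)}")
```

The third case is the one that matters: a direct client claiming an allow-listed address in X-Forwarded-For is denied, while the same address arriving through the trusted proxy is allowed. In production this logic belongs in the reverse proxy or WAF in front of Magento rather than in the application, but the trust rules are the same wherever it runs.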
Protecting your Magento website against bots
So, what can merchants do to harden their application against attacks such as credential stuffing?
Matt Parkinson stated: “It really comes down to the cost benefit of managing the risk for a merchant. If you’re a high-value, well-known brand, that perhaps runs a successful loyalty scheme, then you’re going to be a far greater target than a parents and baby shop. It’s weighing up the risk and how high you want to build that wall.”
Implementing a rotating strong password policy, WAF, device fingerprinting, CAPTCHA or MFA will make it more difficult for the attacker to access the site using credential stuffing.
If MFA is used, the account holder is alerted to the illicit activity when they receive an unsolicited email or SMS containing a verification code they did not request. This lets the account holder and the business act accordingly and stop the attacker from getting into the account. An unsolicited code also means the attacker has already guessed the correct password, so the password should be changed as well.
However, it’s crucial to recognize that these measures are more effective when used together, rather than one alone. What merchants need to incorporate is defense in depth.
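Two of the layers above, rate limiting admin logins and spotting credential stuffing, are easy to get subtly wrong, so here is an added example (not code from the original post, from Netacea or from Magento) that implements both over a stream of login attempts. The per-account lockout rejects every attempt, even one with the right password, until the lock expires, and deliberately does not extend the lock on further attempts. The per-source classifier shows why lockout alone is not enough: a credential stuffing bot spreads its failures over many accounts, so no single account ever reaches the lockout threshold, and only a view grouped by source catches it. The thresholds, field names and sample traffic are constructed for the example; Magento 2 exposes equivalent lockout settings under Stores > Configuration > Advanced > Admin > Security, but the numbers below are this example's own policy.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Policy values assumed for this example.
MAX_FAILURES = 6               # consecutive failures before an account is locked
LOCKOUT_SECONDS = 30 * 60      # how long the lock lasts
WINDOW_SECONDS = 60            # sliding window for the per-source view
STUFFING_DISTINCT_USERS = 10   # distinct usernames failing from one source in a window


@dataclass(frozen=True)
class Attempt:
    ts: float        # Unix time of the login attempt
    ip: str          # source address (after whatever proxy handling you trust)
    username: str
    success: bool    # whether the submitted credentials were correct


class AccountLockout:
    """Per-account lockout: after MAX_FAILURES consecutive failures the account is
    locked for LOCKOUT_SECONDS and every attempt is rejected until the lock expires."""

    def __init__(self, max_failures: int = MAX_FAILURES, lockout_seconds: int = LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures: Dict[str, int] = defaultdict(int)
        self.lock_expires: Dict[str, float] = {}

    def check(self, a: Attempt) -> str:
        exp = self.lock_expires.get(a.username)
        if exp is not None and a.ts < exp:
            # Rejected without evaluating the password. The lock is not extended by
            # further attempts; otherwise an attacker could keep the real admin
            # locked out indefinitely with one request per lockout period.
            return "locked"
        if a.success:
            self.failures[a.username] = 0
            self.lock_expires.pop(a.username, None)
            return "ok"
        self.failures[a.username] += 1
        if self.failures[a.username] >= self.max_failures:
            self.lock_expires[a.username] = a.ts + self.lockout_seconds
            self.failures[a.username] = 0
            return "locked"
        return "failed"


def run_lockout(attempts: Iterable[Attempt]) -> List[str]:
    """Feed attempts through one AccountLockout in time order; return the outcomes."""
    lock = AccountLockout()
    return [lock.check(a) for a in sorted(attempts, key=lambda x: x.ts)]


def classify_sources(attempts: Iterable[Attempt], window: float = WINDOW_SECONDS,
                     distinct_users: int = STUFFING_DISTINCT_USERS,
                     per_user: int = MAX_FAILURES) -> Dict[str, str]:
    """Label each source IP from a sliding window over its failed attempts:
    'credential_stuffing' if it fails against many different usernames,
    'brute_force' if it hammers a single username, otherwise 'normal'."""
    by_ip: Dict[str, List[Attempt]] = defaultdict(list)
    for a in sorted(attempts, key=lambda x: x.ts):
        by_ip[a.ip].append(a)
    labels: Dict[str, str] = {}
    for ip, seq in by_ip.items():
        label = "normal"
        recent: deque = deque()
        for a in seq:
            recent.append(a)
            while a.ts - recent[0].ts > window:
                recent.popleft()
            fails = [x for x in recent if not x.success]
            users = {x.username for x in fails}
            if len(users) >= distinct_users:
                label = "credential_stuffing"
                break
            if len(users) == 1 and len(fails) >= per_user:
                label = "brute_force"
        labels[ip] = label
    return labels


def _seq(ip: str, start: float, names: List[str], success_last: bool = False) -> List[Attempt]:
    """Build one attempt every two seconds; optionally make the last one succeed."""
    return [Attempt(start + 2.0 * i, ip, n, success_last and i == len(names) - 1)
            for i, n in enumerate(names)]


# Constructed sample traffic.
STUFFING = _seq("198.51.100.23", 1000.0, [f"user{i}" for i in range(12)])     # 12 accounts, 12 failures
BRUTE = _seq("203.0.113.77", 1000.0, ["admin"] * 8)                           # one account, 8 failures
LEGIT = _seq("203.0.113.5", 1000.0, ["jsmith", "jsmith"], success_last=True)  # a typo, then success
SAMPLE_ATTEMPTS = STUFFING + BRUTE + LEGIT

if __name__ == "__main__":
    print(classify_sources(SAMPLE_ATTEMPTS))
    print(run_lockout(BRUTE))
```

Run against the sample traffic, the stuffing source is flagged even though each of its twelve target accounts saw a single failure, while the brute-force source is both flagged and locked out of the account from its sixth attempt. Real bots rotate source addresses, so a per-source view will also miss a well-distributed attack; the signal that survives distribution is the site-wide ratio of failed to successful logins, which is why the measures above are meant to be layered rather than chosen between.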
Matthew Gracey-McMinn, Head of Threat Research at Netacea said: “We recommend layering your security and using as many defensive measures as you can. I’ve spoken to people in the past who felt that MFA and forcing customers to change their passwords if they’ve experienced a breach could be detrimental to the customer experience. There’s a fight between security and customer experience.
“What I find is the companies who implement the security and are good at explaining to their customers why they’re doing it, get a positive response. They achieve this using language such as ‘we advise you to implement MFA and this is to protect you and your information’. The customers feel valued and cared for.”
If this blog has set the cogs whirring and you’d like to know more about common Magento vulnerabilities and how to secure your business against them, then why not watch the webinar on demand, with Matt Parkinson and Matthew Gracey-McMinn?