Self-defense against hackers – what online merchants need to do


Hackers can cause enormous damage to online retailers. It is a worst-case scenario you would not wish on your worst enemy, and it is not far-fetched at all. On top of the mess a cyberattack leaves behind, a warning letter (Abmahnung) or a fine may follow.

The police crime statistics for 2019 recorded a total of 9,040 cases of data espionage under § 202a StGB (unauthorised access to data), police director Joachim Schneider, managing director of the Police Crime Prevention of the States and the Federal Government (Polizeiliche Kriminalprävention der Länder und des Bundes), told us on enquiry. These statistics, he added, only cover cases known to the police; the real number of attacks is probably much higher, because many victims never report them. Many incidents are the result of negligence and could easily have been avoided, so this article first shows what retailers can do to prevent them. For the case that the damage has already been done, we have also collected advice and tips. Time to roll up your sleeves.


Better safe than sorry

We have already reported on a number of alarming hacker attacks on our information portal. Sometimes only a few people or even a single person were affected; sometimes the entire merchant community or a whole platform was the target. "It won't happen to me!" is what many companies in Germany seem to think when it comes to computer crime. The numbers mentioned at the beginning tell a different story.

A survey from 2019 shows that 39 percent of companies have already fallen victim to hacker attacks and similar incidents, and only 28 percent of those affected report that they were able to fend off the attacks. That share could be higher if companies invested more in prevention. Fittingly, 90 percent of respondents named carelessness as a factor that makes cybercrime particularly easy; a lack of security culture and inadequately trained staff are further important factors.

We therefore asked those who should know: the Police Crime Prevention of the States and the Federal Government. They give the following technical recommendations and behavioural tips for protecting yourself against hacking and malware:

  1. Pay attention to security in everything you do on the Internet: always use the latest version of the operating system and of all installed programs, and install available updates promptly. A firewall and an antivirus program are essential on any PC used to surf the Internet.
  2. Choose strong passwords. A strong password is at least twelve characters long, combines upper- and lowercase letters with digits and special characters, and looks meaningless at first glance. Exception: for WPA2, the recommended encryption method for WLAN, the passphrase should be at least 20 characters long. Names of family members, pets, best friends or favourite stars, and their birth dates, are taboo.
  3. Never use the same password for several applications, especially not for Internet services, and change passwords at regular intervals. (Current BSI and NIST guidance no longer calls for scheduled changes; what matters is changing a password immediately when there is any sign of compromise.)
  4. Keep your passwords in a safe place, separate from the PC, and do not share them with third parties.
  5. When entering personal data on the Internet, make sure you are using an encrypted connection, recognisable by "https" in the browser's address bar.
  6. Never open unchecked file attachments, and think carefully before following a link in a message from your social network.
  7. Restrict the rights of other users of the PC: set up a separate user account for each person and do not surf the Internet with administrator rights. Then only you can change the security settings of the operating system or install software. Further tips can be found in the security compass (Sicherheitskompass) of the Police Crime Prevention of the States and the Federal Government.
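As an added example that is not part of the original article or of the police guidance, the password rules from the list above can be turned into a check that a shop operator could run at registration or during an internal audit. The taboo list, the 20-character rule for WLAN passphrases and the treatment of birth dates as "any plausible four-digit year or a long run of digits" are assumptions read from the list; real deployments should additionally check candidates against known-breached password lists.

```python
import re
from datetime import date

MIN_LEN = 12        # general minimum from the police list above
MIN_LEN_WLAN = 20   # stricter minimum for WPA2 passphrases (also from the list)

# Constructed default taboo list for illustration; a merchant would fill this with
# the names the list mentions (family, pets, friends, favourite stars).
DEFAULT_TABOO = ("Fluffy", "Luna", "Schalke", "Bayern")


def check_password(password, taboo_words=DEFAULT_TABOO, wlan=False):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    min_len = MIN_LEN_WLAN if wlan else MIN_LEN
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")

    # Character classes: lower, upper, digit, special (anything else).
    classes = {
        "lowercase letter": r"[a-z]",
        "uppercase letter": r"[A-Z]",
        "digit": r"[0-9]",
        "special character": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append(f"no {name}")

    # Taboo words (names of family, pets, friends, stars): case-insensitive substring.
    lowered = password.lower()
    for word in taboo_words:
        if len(word) >= 3 and word.lower() in lowered:
            problems.append(f"contains taboo word '{word}'")

    # Birth dates: any plausible four-digit year, or a run of six or more digits
    # (ddmmyy / ddmmyyyy style), is treated as date-like.
    this_year = date.today().year
    for match in re.finditer(r"(?<!\d)(19\d\d|20\d\d)(?!\d)", password):
        if 1900 <= int(match.group()) <= this_year:
            problems.append(f"contains the year {match.group()}")
    if re.search(r"\d{6,}", password):
        problems.append("contains a date-like run of six or more digits")

    return problems


if __name__ == "__main__":
    # Constructed candidates: too short, taboo name plus year, short WLAN passphrase, acceptable.
    for candidate, wlan in [("Tr0ub4dor&3", False),
                            ("Fluffy2019!xyz", False),
                            ("Xq7#pL2!vR9@wZ4", True),
                            ("Xq7#pL2!vR9@wZ4mN6$k", False)]:
        verdict = check_password(candidate, wlan=wlan)
        print(f"{candidate!r:28} wlan={wlan!s:5} -> {verdict or 'OK'}")
```

The check returns every violation rather than stopping at the first one, so a registration form can show the user all the rules their candidate breaks at once.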

Special prevention measures for online traders

Ransomware in particular, i.e. malware such as WannaCry and NotPetya with which attackers encrypt a company's data and only release it against a ransom, is a growing problem, Schneider said. For an online merchant the shop stands still from that moment on, because nothing works without access to accounts and shop software. For shop operators specifically, the Police Crime Prevention of the States and the Federal Government recommends the following points for a secure shop and satisfied customers:

  1. Add security tips to your range of goods and services for customers and business partners.
  2. Software manufacturers should test their programs extensively for security gaps and ship them with secure default settings. It is also advisable to emphasise the security aspect in the user documentation and to document settings in an understandable, user-friendly way.
  3. Pay attention to technical security: enable encrypted data transmission.
  4. Join a trust-seal scheme (certified online shop with a money-back guarantee).
  5. Have the payment behaviour of new customers checked using scoring systems (e.g. SCHUFA).
  6. Watch out for orders that do not fit the normal pattern (e.g. "30 satellite dishes to Belarus").
  7. Deliver a first order only against cash on delivery; offer other payment methods only for subsequent orders.
  8. Record electronically the exact description, including serial numbers, of the goods delivered, as well as the exact weight of the package and the identity of the packer.
  9. Regularly review the ordering process internally on the basis of identified fraud cases.
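Points 5 to 9 describe a manual plausibility check of incoming orders. As an added example, not code from the article or from the police guidance, the following rule set encodes the first-order rule (point 7) and the "30 satellite dishes to Belarus" pattern (point 6) as automated flags that an order pipeline could raise before an order is released to the warehouse. The typical-quantity baseline, the usual delivery area, the thresholds and the sample orders are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    previous_orders: int      # completed orders by this customer before this one
    payment_method: str       # e.g. "cod" (cash on delivery), "paypal", "invoice"
    billing_country: str      # ISO 3166-1 alpha-2 codes
    shipping_country: str
    sku: str
    quantity: int
    total_eur: float


# Constructed baseline: usual quantity per SKU derived from past orders (assumption).
TYPICAL_QTY = {"SAT-DISH-80": 1, "HDMI-CABLE-2M": 2}
# Constructed usual delivery area (assumption).
DOMESTIC = {"DE", "AT", "CH"}
FIRST_ORDER_METHODS = {"cod"}   # point 7: first orders only by cash on delivery
MAX_QTY_FACTOR = 10             # quantity above 10x the typical amount counts as unusual
HIGH_VALUE_EUR = 1000.0


def screen_order(order, typical_qty=TYPICAL_QTY, domestic=DOMESTIC):
    """Return a list of human-readable flags; an empty list means nothing unusual."""
    flags = []
    if order.previous_orders == 0 and order.payment_method not in FIRST_ORDER_METHODS:
        flags.append("first order not paid by cash on delivery")
    if order.billing_country != order.shipping_country:
        flags.append(f"billing country {order.billing_country} differs from "
                     f"shipping country {order.shipping_country}")
    if order.shipping_country not in domestic:
        flags.append(f"shipping to {order.shipping_country}, outside the usual delivery area")
    typical = typical_qty.get(order.sku)
    if typical is not None and order.quantity > MAX_QTY_FACTOR * typical:
        flags.append(f"quantity {order.quantity} of {order.sku} exceeds "
                     f"{MAX_QTY_FACTOR}x the typical {typical}")
    if order.total_eur >= HIGH_VALUE_EUR:
        flags.append(f"order value {order.total_eur:.2f} EUR is high")
    return flags


def decide(order):
    """'hold' for manual review when a first order raises any flag, or when any
    order raises two or more flags; otherwise 'release' to fulfilment."""
    flags = screen_order(order)
    if flags and (order.previous_orders == 0 or len(flags) >= 2):
        return "hold"
    return "release"


# Constructed sample orders: the satellite-dish case from the list, and an ordinary repeat order.
SUSPICIOUS = Order("A-1001", 0, "paypal", "DE", "BY", "SAT-DISH-80", 30, 30 * 89.90)
NORMAL = Order("A-1002", 7, "invoice", "DE", "DE", "HDMI-CABLE-2M", 2, 19.80)

if __name__ == "__main__":
    for o in (SUSPICIOUS, NORMAL):
        print(o.order_id, decide(o), screen_order(o))
```

The flags are kept as plain sentences so that the person doing the manual check (point 9) sees why an order was held, and the thresholds live in named constants so they can be tuned from the fraud cases the shop has actually seen.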

We have already published another detailed post on security specifically for online retailers: How to: IT Security for Online Store Operators

Ebay: Tips are "not always taken into account"

An online marketplace like Ebay is naturally an even more attractive target for attacks of every kind. Ebay's last major incident, with months of turbulence, dates back to 2014 (attackers used compromised employee logins to reach a database of customer records, and Ebay asked all users to change their passwords), but it still casts a long shadow. Measured against the total number of users and the large number of transactions, cases of fraud on Ebay are very rare, Ebay told us. Concrete figures are not available, however, because keeping them is ultimately the responsibility of the investigating authorities, Ebay added.

The possible attack variants are nevertheless manifold, and the cause can lie with the platform or with negligent behaviour on the part of the merchants themselves. "Unauthorised takeover of eBay member accounts can occur, for example, if members choose very simple or short passwords. Especially on a foreign computer, such as in an Internet café, it is necessary to use the 'log out' function to prevent unauthorised access by third parties," advises Ebay. "We also advise our members to ignore so-called spoof or phishing mails."

For this reason, initiating security measures is only partly in the platform's hands; each Ebay merchant is responsible for the security of their own account. "If sellers or buyers – certainly unintentionally – make their password available to third parties and fraudsters then list items using the eBay username and the correct password, we only learn of this with a very long delay."

Ebay account holders automatically receive a notification whenever important account information is changed, e.g. the password, the e-mail address or the bank details used for receiving payments. These messages go to the registered e-mail address and also appear under messages in "My eBay". Each notification includes a note to contact Ebay if you did not make the change yourself.

Any suspicion of abuse of the marketplace should be reported to Ebay immediately, because there may be a security hole affecting the entire marketplace. The platform has its own interest in such reports: other merchants may be threatened as well, and the image of the platform or of the shop system can suffer considerable damage. Platform operators are also legally required to take measures to protect their IT infrastructure.

Ebay's security portal is the central point of contact for all information on marketplace security; there you can learn how to protect your data and sell safely on Ebay. "If a case of identity misuse or another form of misuse is credibly reported to us, we support the affected parties as best we can within our possibilities as a marketplace operator. At the same time, those affected should also file a report with the police."

Amazon relies on two-step verification

Amazon, too, is of course not immune to attacks. We had not received a statement from Amazon by the editorial deadline; Amazon's public guidance centres on two-step verification, which is meant to protect the seller account from unauthorised access and will be familiar to many from online banking. As the name implies, one factor is not enough to access the seller account; two are required: something you know (the password) plus something you have, namely a one-time code generated by an authenticator app or sent to a registered phone. The second factor is a possession factor, not a second piece of knowledge, which is exactly why a password captured by phishing no longer suffices on its own.
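The one-time code used as the second factor is typically a time-based one-time password (TOTP, RFC 6238) that an authenticator app computes from a shared secret and the current time; that Amazon's app-based option works this way is an assumption, since the article does not say. The following is an added example, not Amazon's or the article's code, showing how such a code is generated and how a server verifies it with a small tolerance window for clock drift. The secret is the one from the RFC 4226/6238 test vectors, so the printed codes can be compared against the RFC.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """HMAC-based one-time password (RFC 4226): HMAC over the 8-byte big-endian
    counter, dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP with counter = unix_time // step."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret, submitted, at=None, step=30, digits=6, window=1):
    """Accept the submitted code if it matches the current time step or any step
    within +/- `window` steps (tolerates small clock drift between phone and server).
    The constant-time comparison avoids leaking how many leading digits were right."""
    if at is None:
        at = int(time.time())
    counter = at // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), submitted):
            return True
    return False


def secret_from_base32(text):
    """Authenticator apps receive the secret as base32 (usually inside a QR code);
    this restores the padding and tolerates spaces and lowercase in the typed form."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # RFC 6238 sample times: the 6-digit codes are the last six digits of the RFC's 8-digit SHA-1 vectors.
    for t in (59, 1111111109, 1111111111, 1234567890):
        print(f"t={t:>10}  code={totp(RFC_SECRET, at=t)}")
    print("accepted:", verify_totp(RFC_SECRET, "287082", at=59))
```

A real deployment keeps the secret encrypted on the server side, rate-limits verification attempts, and remembers the last accepted time step so that a code captured by a phisher cannot be replayed within the same 30-second window.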

Besides two-step verification, Amazon advises in Seller Central to keep passwords secure (see above). If several people work on the selling activities, each of them should get their own user login; shared logins have often led to problems, and this advice should be taken to heart. Incidentally, logging in from unusual IP addresses, for example from a hotel WLAN on a business trip, has also led to many a sudden account closure: Amazon classifies such logins as a security risk and has closed accounts on that basis.

If the Amazon account has actually been hacked, the following agenda must be worked through:

  1. Change the Seller Central password, if necessary via seller support.
  2. Then verify the account information, especially e-mail addresses, payment data and user permissions, and in the Amazon shop especially the listings and prices.
  3. If necessary, set up a new e-mail address or at least set a new password for the e-mail account.
  4. Report the attack to seller support; phishing e-mails must be reported to [email protected].

What good is cyber insurance?

Another phenomenon you inevitably stumble across when talking about hacking is cyber insurance. Once something has its own Wikipedia entry, it seems to have arrived in mainstream society, and that is the case here: a whole armada of ads is served during a Google search. Such policies can be taken out not only for private households but also for businesses, and all the large, well-known insurers now offer them.

The services often include prevention, which is rather unusual for this industry. In an emergency the insurer covers the costs of restoring damaged IT systems, business-interruption costs, legal advice and even liability for data-protection violations, i.e. possible claims for damages. Many providers also offer a hotline staffed by IT specialists who help limit the damage, and even PR professionals can be consulted on averting and containing damage to the company's image. A regulatory fine itself, however, cannot be insured against.

As so often, a provider and price comparison is unavoidable, because this insurance segment is still developing and therefore un- or under-regulated. For smaller online retailers such a policy can make perfect sense if the expertise is not available in-house. A certain amount of personal initiative is always assumed, however, and when the contract is signed the company is put through its paces.

You should therefore be aware: just as household insurance does not usually cover a theft through an apartment door left open, a hacking attack caused by negligence is unlikely to be covered either.

The mitigation

Sticking your head in the sand? No!

Beyond the threat of data loss and the subsequent damage to the company's image, it is now time to pick yourself up, acknowledge the damage and contain it as well as possible.

According to the Police Crime Prevention of the States and the Federal Government, the first thing to do after a hacker attack is to cut off the attackers' access to the merchant account immediately:

  1. If still possible, change the passwords immediately, if necessary via the "forgot password" function, and use secure new passwords.
  2. Notify the platform operator of the attack immediately and have the account suspended.
  3. File a report with the police.

Further measures follow from data-protection law with its information and reporting obligations: on the one hand duties towards the authorities, on the other hand a duty towards the affected persons.

Duties towards the supervisory authority

The GDPR (Art. 33) obliges the controller to notify personal data breaches to the supervisory authority. A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data.

The GDPR ties this primarily to the risks that may arise for the data subjects, for example immaterial damage (e.g. damage to reputation) or financial loss. There is no duty to notify if the breach is unlikely to result in a risk for the people concerned. Unlike the previous German Federal Data Protection Act (BDSG), however, the obligation is not limited to breaches involving particularly sensitive data but applies in principle to all personal data.

If an unauthorised data transfer or a similar incident occurs as a result of a hacker attack, the controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. For the non-public sector, which includes online commerce, the respective state data protection commissioners are generally responsible in Germany.

No duty exists, on the other hand, if the data theft is unlikely to result in a risk to data subjects. If the notification to the supervisory authority is not made within 72 hours, it must be accompanied by the reasons for the delay.

The notification must contain the following information, which may be provided in phases where it is not all available at once:

  • a description of the nature of the breach, including where possible the categories and approximate number of data subjects and of personal data records concerned,
  • the name and contact details of the company's data protection officer or of another contact point,
  • a description of the likely consequences of the breach,
  • a description of the measures taken or proposed to address the breach and, where appropriate, to mitigate its possible adverse effects.

The controller must also document the breach, including all related facts, its effects and the measures taken. Violating the notification obligation can be punished with a fine of up to 10 million euros or up to 2 percent of the total worldwide annual turnover, whichever is higher.

Timely notifications to the relevant authorities and comprehensive information about attacks are crucial for the security authorities to build a picture of the situation and assess current threats; countermeasures or warnings are only possible on the basis of such a picture.

Reporting obligations to those affected

Finally, the GDPR (Art. 34) also provides for communicating a personal data breach to the data subjects if the breach is likely to result in a high risk to them. Data subjects may include business partners, customers, banks and insurers (e.g. social insurance providers). The communication must describe the breach in clear and plain language and in an easily accessible form and must contain at least the basic facts: the name and contact details of the data protection officer, the likely consequences of the breach and the measures taken.

The GDPR also provides exceptions for companies working with huge data sets: individual notification is not required if it would involve disproportionate effort. In that case a public communication or a similar measure must be used instead, informing those affected in an equally effective manner. Individual notification is likewise unnecessary if the affected data was protected by measures such as strong encryption that render it unintelligible to the attacker.

Sample letters are provided free of charge by the Händlerbund.

And then a warning letter on top…

But that is not all: the intrusion may also give rise to other legal violations, for example because mandatory legal texts have been deleted or other essential information is missing, which can trigger a warning letter (Abmahnung). Wanting to disclaim responsibility in that case is understandable but almost impossible. The German Federal Court of Justice (Bundesgerichtshof) has clarified that merchants offering products on Amazon Marketplace must monitor and check their listings for changes to the product descriptions (ruling of 3 March 2016, case no. I ZR 140/14). That ruling did not concern a hacker attack, but it is conceivable that the case law will be extended to such attacks. A possible warning letter should therefore be taken just as seriously as any other.

Reversal of concluded sales contracts

For most people, a smart TV at a price of 99.90 euros makes it obvious: something is not right here. These customers are usually not the problem. It gets hairy with the customers who stubbornly demand delivery of the goods, if need be with "I'll sue!". So the merchant has their hands full with the steps above and additionally faces angry customers and negative reviews. First of all: stay calm and ask whether a sales contract was concluded at all. A customer can only demand delivery if there is a legal basis for it, i.e. a legally binding purchase contract. The shop's terms and conditions (AGB) give the answer, because the merchant is legally obliged to inform customers how a contract comes about.

The conclusion of a contract cannot always be prevented. In particular, shops with instant payment methods such as PayPal are usually set up so that placing an order concludes the contract. Once a contract exists it must be fulfilled, the general rule goes. There are, however, ways to get out of it again: the magic word is "Anfechtung", the avoidance of the contract on grounds of mistake, a remedy that should always be exhausted. The declaration of avoidance must make it unmistakably clear that the merchant wants to withdraw from the contract, and it must be made without undue delay after the mispricing is discovered. An effective avoidance dissolves the sales contract, which is then deemed void from the beginning.
