Magento 2 Security
Securing transactions and sensitive data requires thorough, constant monitoring and upgrading from store owners.
As protection methods improve, hacking and fraud techniques advance to exactly the same degree, and their scale is sometimes staggering.
Suffice it to say that the major crimes committed on the internet in 2015 included the following cases (source: Forbes.com):
- Anthem Inc. – 80 million patient and employee records stolen, including birth dates, home and email addresses, Social Security IDs, etc.;
- Ashley Madison – 37 million customer records hacked and made public;
- Office of Personnel Management – 21-25 million federal worker records, including unchangeable credentials like fingerprints;
- Kaspersky Lab reported in its blog that it had found evidence of spying on prominent people, including participants in the international negotiations on Iran’s nuclear program.
In the digital world we currently live in, these are truly dangerous and scary cases that affect our wealth and privacy. We usually deal with far smaller data volumes, of course, but that does not relieve us of the obligation to keep every record we handle secure.
Although the examples above are not directly connected with ecommerce, this area suffers no less than other digital areas. According to Trustwave, 43% of all data breaches investigated in 2014 occurred in the ecommerce retail industry, and 23% in 2015. That is a great improvement, but e-commerce still remains the most attacked retail digital sphere worldwide.
Most often, victims are located in the US, UK, and Australia, and the most desired targets for digital thieves are credit card data (POS environments), CNP (Card Not Present) transactions, proprietary information, financial credentials, etc.
There are many possible ways of breaching your web site, but some are more common than others, according to the Trustwave Global Security Report:
- Remote access – 13%;
- SQL injection – 12%;
- Misconfiguration – 12%;
- File upload – 10%;
- Phishing/Social Engineering – 8%;
- Malicious insider – 7%;
- Code injection – 7%;
- OS App Server – 7%;
- Weak password – 7%;
- Other – 17%.
According to the same report, the number of self-detected breaches more than doubled in 2015, which is a real positive shift towards handling security issues better and reducing possible damage.
Magento 2 Security Features
Security issues and successful hacker attacks can hurt the brand loyalty and credibility of e-commerce businesses. So it is natural that more and more retailers are paying greater attention, and attracting more investment, to addressing information breaches and security issues in their online stores.
On the way to safer sales, it is important to use only reliable and up-to-date e-commerce platforms able to reduce the risk of such issues. As we have already said in our previous blog posts, Magento is really serious about security, and the first releases of Magento 2 confirm that position.
Magento 2.0.4 and 2.0.6 Security Enhancements
Starting from the earliest versions of the platform, the Magento team has already removed about 20 potential vulnerabilities, including remote code execution, information disclosure / leakage, cross-site scripting, etc. Here they are:
- An issue with persistent cross-site scripting via user accounts – Resolved;
- An infinite number of password attempts, allowing password guessing – Limited;
- Anonymous users access to Store, Catalog, and CMS APIs – Configured to require higher permissions;
- Arbitrary PHP code executions via the language pack CSV file – Prevented;
- Encryption keys – Strengthened;
- Reflected XSS through the Authorize.net module’s redirect data – Prevented;
- Authenticated customers change other customers’ accounts with SOAP or REST calls – Forbidden;
- Anonymous users retrieve private data of registered customers – Prevented;
- Minimum privilege users able to force Magento re-installation – Prevented;
- Magento installation code availability – Not Accessible after the installation;
- Anonymous users modify carts of registered customers – Forbidden;
- Magento internal path information during the installation process – Closed;
- The Administrator URL for unauthenticated users during setup – Unavailable.
No doubt, we advise you to update your store to Magento 2.0.6 or higher, the latest and most secure version of the platform. Still, that is only the first step towards the maximum safety of your store. To move it beyond the most likely threats you need to carry out some additional steps and actions. The damage possible as a result of a security compromise is far more expensive than the effort to improve security.
Magento 2 Security Best Practices
The scope of security measures needed to protect stores against all, or at least most, threats is pretty large, but it is reasonable and comprehensible at the same time. And if you are patient enough to walk through it and implement all the points in your store, you will certainly be able to consider yourself and your customers more secure.
Below we present some comprehensible protection measures you can take even without any special administration or software security knowledge:
- Ensure reliable hosting;
- Launch your web store on HTTPS;
- Keep the software on your server up-to-date and apply all security patches;
- Use the minimum number of required software on the server;
- Use secure protocols (SSH/SFTP/HTTPS) to manage files;
- Use only minimum required permissions to perform certain tasks;
- Use only the applications directly related to the business process on the server;
- Follow password complexity requirements;
- Limit access to cron.php;
- Do not install new extensions directly to the production server;
- Use two-factor authentication for remote access;
- Allow only business-related inbound and trusted outgoing internet connections, e.g. payments;
- Use firewalls;
- Use only secure personal computers;
- Provide separate accounts for different employees to track their activities;
- Log all logins, activities and password changes, and store logs for at least 90 days;
- Delete accounts of retired employees;
- Use up-to-date anti-virus software;
- Regularly conduct internal and external scanning to find vulnerabilities or suspicious behavior;
- Use a custom admin URL instead of the default “admin” suffix;
- Install only trusted extensions;
- Back up your databases;
- Develop a plan of action in case of a breach (disable website access, back up the database and configuration, try to locate the source of the attack and its scale, and inform all stakeholders about it if necessary);
- Develop a business recovery plan.
This list is based on Magento Security Best Practices and was created for store owners without advanced network administration experience. We have deliberately omitted several complicated recommendations to keep it simple enough for real-life practice.
By following the points above you will be able to get rid of the most common vulnerabilities and protect your store.
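As an added example (not from the original post and not Magento's own tooling), the shell script below checks an installed Magento 2 directory offline against three of the points in the list above: a custom admin URL instead of the default “admin” suffix, minimum permissions on files, and keeping the file that holds the database credentials private. It relies on two real Magento 2 facts, namely that app/etc/env.php stores the database credentials and that the admin URL prefix is the 'frontName' value under 'backend' in that file, whose default is "admin". The function names, return codes and the placeholder install path are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Offline audit of a Magento 2 install directory against three of the practices
# listed above. Added example, not Magento's own tooling.
# Real Magento 2 facts relied on: app/etc/env.php stores the database
# credentials and the admin URL prefix under 'backend' => ['frontName' => ...],
# whose default is "admin". Function names and return codes are this script's.

# 0 = custom admin front name, 1 = still the default "admin",
# 2 = env.php missing or the key not found.
check_admin_frontname() {
    local env_file="$1/app/etc/env.php" name
    [ -r "$env_file" ] || return 2
    # env.php is a PHP array; pull the quoted value after 'frontName' =>
    name=$(grep -oE "'frontName'[[:space:]]*=>[[:space:]]*'[^']*'" "$env_file" \
        | head -n 1 | sed -E "s/.*'([^']*)'\$/\1/")
    [ -n "$name" ] || return 2
    [ "$name" != "admin" ]
}

# 0 = env.php is not readable by "others", 1 = world-readable, 2 = missing.
# The file contains the database password, so only the deploy/web user
# and its group should be able to read it.
check_env_private() {
    local env_file="$1/app/etc/env.php"
    [ -e "$env_file" ] || return 2
    # find prints the path only if the o+r bit (octal 004) is set
    [ -z "$(find "$env_file" -perm -004)" ]
}

# 0 = no world-writable (octal 002) files or directories under the tree,
# 1 = at least one found. Symlinks are skipped; their own mode is meaningless.
check_world_writable() {
    local count
    count=$(find "$1" ! -type l -perm -002 | wc -l | tr -d ' ')
    [ "$count" -eq 0 ]
}

# Run every check, print one line per result and return the number of
# failures (0 means the directory passed). A check that could not run is SKIP.
audit_magento_dir() {
    local root="$1" failed=0 check rc
    for check in check_admin_frontname check_env_private check_world_writable; do
        if "$check" "$root"; then rc=0; else rc=$?; fi
        case $rc in
            0) printf 'PASS %s\n' "$check" ;;
            2) printf 'SKIP %s (file or key not found)\n' "$check" ;;
            *) printf 'FAIL %s\n' "$check"; failed=$((failed + 1)) ;;
        esac
    done
    return "$failed"
}

# Usage: ./magento_audit.sh /var/www/html/magento   (placeholder path)
if [ -n "${1:-}" ]; then
    audit_magento_dir "$1"
fi
```

Run it as the user that owns the Magento files so that the readability test on env.php reflects what the web server and other local accounts actually see; a non-zero exit status is the number of failed checks, which makes it easy to wire into a deployment pipeline or a cron job that sends a report.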
Just imagine: according to Cybersecurity Ventures, companies will spend about $1 trillion on cyber security globally from 2017 to 2021. Surprisingly, that sounds more reasonable when we take into consideration that the overall global cost of cyber crime is predicted to reach $2.1 trillion by 2019, according to Forbes.com.
So it is a really huge market of numerous freeloading companies and individuals, and it seems to be getting even bigger. It is better to start thinking about security right now, before it is too late.