Beginner's handbook

How to Protect Your Online Store with Free Tools and Mindful Habits

By Ottis Bailey. Reading time: 8 minutes

Where there’s money, sharks circle. And in ecommerce there’s plenty of both: the market saw its fastest growth in seven years at the end of 2019. That makes small business owners valuable targets for attackers, who can take over a compromised account to defraud you and your customers.

But if you’re like me, you’re a bit numb to the endless data breaches that seem to headline the news every few months. There’s even an academic term, “privacy fatigue”, for the sense of futility we feel about breaches: they are so far outside our control. A quick check of a breach-notification database such as haveibeenpwned.com (more on it below) can snap you out of privacy fatigue. It tells you how many times your email address or login details have been leaked and potentially sold on to fraudsters. If you get a positive result, you’re among the 47% of American adults who had their data exposed online in 2018 alone.

Although there’s not much we can do about large scale breaches, like Facebook’s 2018 data debacle, we can stop them from mattering as much by taking control of our online accounts. There’s also a whole realm of more individualized hacks that everyone has the power to prevent. 

Read on as I guide you through these common hacking methods and how to protect yourself from them. 

How could you get hacked?

When it comes to online security for small businesses, most ecommerce platforms are PCI DSS compliant. That means they have to meet a baseline for how cardholder data is stored and transmitted server-side, and they invest heavily in securing that infrastructure. But PCI compliance says nothing about your own login, and attackers know how to target a soft spot that no amount of server-side defense can fix.

That soft spot is you. 

First, it’ll help to understand the two main ways hackers could hijack your digital life.

Phishing

Phishing is when attackers pose as a company you trust and bait you into entering your login details on their spoofed site. The lure usually arrives as a fake email, phone call or text message, or as a counterfeit search engine listing or ad. Even a well-timed pop-up can end with you handing over your details or installing malware with one misclick (a good ad-blocker helps prevent this).

Apps and browser extensions like Netcraft for Chrome will alert you to known phishing sites on desktop, but the main key to beating phishing isn’t the latest free security plug-in or tool. It’s staying aware of the faults in your own thought processes, because that is what attackers rely on.

[Animated image: sneaky hacker, via @vewn]

Picture this—it’s the middle of the night, and you’re awoken by your phone. An email notification lights up your screen; “Suspicious login detected”. Someone has tried to log in to your ecommerce platform account! In a panic, you smash the email call-to-action button, urging you to “log in now” to change your password. You tap in your login details with trembling fingertips, wondering who tried to access your account. 

Unfortunately, you didn’t notice that the email’s sender address (support@amazonian.com) was slightly different from the real one (support@amazon.com), and you’ve just entered your login details into www.amazonian.com, a fake site. Bear in mind that the display name and even the From address can be forged, so the page you actually land on is the better tell: check the address bar before you type. You also didn’t notice other tell-tale signs, like the generic greeting “Dear Sir/Madam”, where a real company would usually address you by name.

This is the lesson: scammers and hackers leverage panic and fear to make you rush and miss obvious signs. So keep calm and double-check any (even slightly) suspicious or panic-inducing email. When in doubt, don’t use the link in the message at all; type the site’s address yourself or use your bookmark, and verify the alert with the company’s official support using contact details from its own website.
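To make the “check the address” advice concrete, here is an added example (written for this edit, not code from the original post or from any vendor mentioned in it) that classifies a link pulled out of an email. The allowlist of trusted domains is an assumption for the example, as is the two-label rule for extracting the registered domain; a real tool would use the Public Suffix List. It catches the three tricks from the scenario above: a brand name padded into a different domain (amazonian.com), the brand used as a subdomain of an attacker’s domain, and a one-character typosquat.

```python
from urllib.parse import urlparse

# Assumed allowlist for this example: the domains you actually sign in to.
TRUSTED_DOMAINS = {"amazon.com", "shopify.com", "myshopify.com", "printful.com"}


def registered_domain(host: str) -> str:
    """Last two labels of a hostname: 'www.amazon.com' -> 'amazon.com'.
    Good enough for .com-style TLDs; a real tool would use the Public Suffix List
    so that something like 'shop.co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character swaps such as amaz0n.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a link from an email as 'trusted', 'lookalike' or 'unknown'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "unknown"
    # https://amazon.com@evil.example/ : the browser ignores everything before '@'
    if "@" in parsed.netloc:
        return "lookalike"
    domain = registered_domain(host)
    if domain in trusted:
        return "trusted"
    name = domain.split(".")[0]
    for good in trusted:
        good_name = good.split(".")[0]
        # brand embedded in another domain: amazon.com.verify.example, amazonian.com
        if good in host or good_name in name:
            return "lookalike"
        # typosquat: amaz0n.com, shopfiy.com
        if levenshtein(name, good_name) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ["https://www.amazon.com/ap/signin",
                 "https://www.amazonian.com/login",
                 "https://amazon.com.account-verify.example/login",
                 "https://amaz0n.com/",
                 "https://amazon.com@evil.example/",
                 "https://example.org/"]:
        print(f"{check_link(link):9s} {link}")
```

The same idea is what a password manager does for you automatically: it only auto-fills a saved login on the exact domain it was saved for, so it simply refuses to fill your Amazon password into amazonian.com.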

This all might sound obvious to you, but even the smartest developers sometimes fail to recognize phishing, so be wary! Online fraudsters are consistently getting smarter. We’ll learn how to fight phishing in the “tools” and “habits” section of this article. 

Data breaches

When a successful cyber attack hits a big company’s private database, millions of users’ login details could become… not so private. Especially if the hacker leaks the database onto the internet. Famous examples include Adobe in 2013 and the infamous AshleyMadison.com leak in 2015.

Check haveibeenpwned.com: it shows you the websites that suffered a data breach which included your details, and tells you what leaked (your email address, your name, possibly your password). Personally, I was “pwned” by tumblr, myspace, myfitnesspal and adobe.

If you had an account on any of the hundreds of sites listed, you may already have been notified, but breaches are often disclosed months or years late, and sometimes never. Either way, if you are still using the exposed credentials anywhere, change that password now, on every site where you reused it.
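The same service exposes a Pwned Passwords API that lets you check a password without ever sending it anywhere: you hash it with SHA-1 locally, send only the first five hex characters of the hash, and get back every known breached hash that starts with those five characters, so the service never learns which one was yours. Here is an added example of that check (written for this edit, not code from the original post or from the service itself). The offline sample response is constructed for the example and its breach counts are made up; the real endpoint returns hundreds of lines per prefix.

```python
import hashlib
import urllib.request


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_online(prefix: str) -> str:
    """Query the real Pwned Passwords range endpoint. Not called by default;
    the demo below runs against the constructed offline sample instead."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API's response to prefix 5BAA6 (the prefix for "password").
# Format is SUFFIX:COUNT per line. The first and last suffixes and all counts are invented.
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
    ]),
}


def fetch_range_offline(prefix: str) -> str:
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str, fetch_range=fetch_range_offline) -> int:
    """Return how many times the password appears in known breaches (0 if never seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ["password", "correct-horse-battery-staple-9f3a"]:
        print(f"{candidate!r}: seen {breach_count(candidate)} times")
```

Pass `fetch_range=fetch_range_online` to run it against the live service; everything else stays the same, which is the point of the design.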

Let’s avoid becoming a victim of the second major hacking technique—“credential stuffing”.

In late 2019, thousands of Disney+ accounts were compromised within days of launch. Disney’s servers weren’t hacked in the technical sense; instead, attackers took username and password pairs from earlier, unrelated breaches and replayed them against the Disney+ login, and every customer who had reused a password was let straight in.

These stolen accounts were then sold on the dark web, and the buyers logged in and changed the password, locking the real owner out, as reported by hundreds of Reddit users.

[Screenshot: a Reddit user posting about their Disney+ account being hacked]

The worst thing you could lose with your Disney+ account is your subscription fee. But when your online store is the target, there’s a lot more a stake for you and your customers. This is why it’s essential to use security tools to keep your store and personal accounts secure.
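From the defender’s side, credential stuffing has a recognisable shape in the login log: one source address trying many different usernames in a short time, with most attempts failing and a few succeeding. This added example (written for this edit, not code from the original post, Disney or any platform) runs that check over a handful of constructed log lines; the log format and field names are assumptions for the example. If you run your own storefront (WordPress or WooCommerce, say) this is the kind of check to run over your authentication log; on a hosted platform it is what the platform’s team does for you.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-log lines for the example: one IP cycling through many usernames
# with mostly failures (stuffing), plus one genuine user fumbling a password.
SAMPLE_LOG = """\
2019-11-14T02:13:01Z ip=203.0.113.7 user=alice result=FAIL
2019-11-14T02:13:02Z ip=203.0.113.7 user=bob result=FAIL
2019-11-14T02:13:02Z ip=203.0.113.7 user=carol result=OK
2019-11-14T02:13:03Z ip=203.0.113.7 user=dave result=FAIL
2019-11-14T02:13:03Z ip=203.0.113.7 user=erin result=FAIL
2019-11-14T02:13:04Z ip=203.0.113.7 user=frank result=FAIL
2019-11-14T02:13:05Z ip=203.0.113.7 user=grace result=OK
2019-11-14T02:13:05Z ip=203.0.113.7 user=heidi result=FAIL
2019-11-14T02:14:10Z ip=198.51.100.22 user=ivan result=FAIL
2019-11-14T02:14:25Z ip=198.51.100.22 user=ivan result=FAIL
2019-11-14T02:14:40Z ip=198.51.100.22 user=ivan result=OK
"""


def parse_line(line: str) -> dict:
    """'<timestamp> key=value ...' -> dict with a parsed 'ts' field (assumed format)."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_stuffing_sources(log_text: str, window=timedelta(minutes=5),
                          min_users: int = 5, max_success_ratio: float = 0.5) -> dict:
    """Return {ip: [accounts it logged into]} for every source that tried at least
    `min_users` distinct usernames inside `window` with a low success ratio."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            events[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        suspicious = False
        for end in range(len(recs)):
            # slide the window so that recs[start:end+1] spans at most `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            distinct_users = len({r["user"] for r in span})
            ok = sum(r["result"] == "OK" for r in span)
            if distinct_users >= min_users and ok / len(span) <= max_success_ratio:
                suspicious = True
                break
        if suspicious:
            # every account this source logged into successfully needs a forced reset
            flagged[ip] = sorted({r["user"] for r in recs if r["result"] == "OK"})
    return flagged


if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing suspected; force password reset for {accounts}")
```

Notice that the genuine user (three failures then a success, all on one username) is not flagged: the signal is breadth across accounts, not failed logins as such. The accounts that the flagged source did get into are exactly the ones whose owners reused a breached password.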

What are the best tools to improve online security?

Avoid phishing attempts and data breaches by making sure you have fail-safes in place. The best online security apps will partially cover you, even if you insist on using your dog’s name as your password. But please, please don’t. 

Two-factor Authentication (2FA)

If only Disney+ offered two-factor authentication (2FA), a second layer of defense against hackers who manage to get past your password. 

A 2019 study by Google found that even a one-time code sent by text message blocked 96% of bulk phishing attacks (an on-device prompt blocked 99%). The attacks that get through are the ones where the entire login flow, 2FA screen included, is faked and the attacker relays your code to the real site before it expires. Text message codes are additionally exposed to SIM-swap and interception attacks, which is why SMS is the weakest form of 2FA.

I recommend app-based 2FA such as Google Authenticator or Authy for its robust simplicity. The best 2FA apps are free, and because they all implement the same open standard (time-based one-time passwords, TOTP), any of them works with any site that offers “authenticator app” 2FA, Printful included. Some sites like Facebook and OneDrive have their own dedicated 2FA apps, but a standard authenticator app is the simplest way to keep everything in one place. Sites that support 2FA should give you backup codes when you enrol, in case you lose your smartphone and with it access to your 2FA app. Keep these codes somewhere secure and separate from the phone: a secure note in your password manager, or printed and stored with your other important documents, not in a plain Word document on your desktop.

To illustrate how important 2FA is, here’s a personal example. I received an email recently, claiming that one of my accounts had a login attempt from the other side of the world. For a millisecond I panicked, but then I remembered that I’d enabled 2FA for that account. It’s reassuring to know that the only way this mystery hacker could get any further was to:

  • Somehow gain access to my Gmail to reset my password for whatever they’re hacking. Unlikely, since my inbox is protected by Google Prompt (Android only, sorry Apple fans),
  • Realize I have 2FA enabled when trying to change my password, and, this is where it gets interesting,
  • …somehow steal my phone to access my 2FA app (and my fingerprint to unlock it).

In my Mr. Robot-inspired feverish dreamscape, I realized that a hacker would have to do all that while I’m unable to remotely wipe my phone, which I can do from my laptop. So, they’d essentially have to kidnap me.

Is all that worth my Shopify password? Probably not (yet).

[Animated image: boy daydreaming]
OK, daydream over.

Best free password managers

Admit it, you probably have just one or two passwords that you tweak with special characters and numbers depending on each site’s requirements.

Change that bad habit with a password manager. It generates a strong, unique password for every site, keeps them all in one encrypted vault, and auto-fills your login at the touch of a button. Password managers are available for both Mac and PC and for most browsers and phones. You unlock the vault with a single master password (or your fingerprint on mobile), and the manager fills in the right password for the site you’re on. Because a manager only auto-fills on the exact domain it saved the login for, it also refuses to fill your Amazon password into amazonian.com, which is a phishing defense in its own right. When creating your master password, check out this complete guide on how to make an easily memorable but strong password.

Here’s my selection:

  • Myki stores your login details on your smartphone rather than in the cloud, which removes the vendor’s servers as a target; the trade-off is that syncing and recovery depend on your own backups, so keep those current along with your 2FA backup codes. Myki also includes an authenticator, so it can stand in for Google Authenticator. (Myki has since been discontinued, so treat it as an illustration of the local-only design rather than a current recommendation.) Note that reputable cloud-based managers encrypt the vault on your device with a key derived from your master password, so their servers only ever hold ciphertext.
  • Bitwarden is an open-source alternative that supports all browsers and platforms. Their secure sharing feature allows you to share encrypted passwords with co-workers securely. Useful if you have employees or business partners who need access.
  • LastPass is my personal choice of password manager—the Android app is fantastic, and it’s also compatible with iPhone. I particularly like how you can change an account password with a click of a button within the app, making it much easier to develop the habit of changing your passwords. 

A password manager makes it easy to use a unique password for each of your accounts, which means leaked login data from one site can’t be replayed against the others. That is what makes those big breaches matter less. Oh, and you’ll never forget a password again. One caveat: the vault is only as strong as the master password protecting it. When LastPass was breached in 2022, attackers made off with copies of encrypted customer vaults, leaving anyone with a weak master password exposed to offline cracking. So make the master password long (a random multi-word passphrase is ideal) and never reuse it anywhere.
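Here is an added example (written for this edit, not code from the original post or from any of the managers named above) of the two jobs a password manager does under the hood: generating passwords from the operating system’s cryptographic random source, and auditing a vault for reuse, which is also the “repeated password” check in the Google security checkup described later. The vault contents and the tiny word list are constructed for the example; a real passphrase generator draws from a list of several thousand words, and the entropy figure scales with the list size.

```python
import math
import secrets
import string
from collections import defaultdict

SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 printable characters

# Constructed word-list stand-in. A real generator uses a list of a few thousand words
# (e.g. the 7776-word EFF list); the entropy formula below scales with the list size.
WORDS = ["copper", "lantern", "meadow", "orbit", "pixel", "quartz", "ribbon", "saddle",
         "thistle", "umber", "velvet", "walnut", "yonder", "zephyr", "anchor", "bramble"]


def generate_password(length: int = 20, alphabet: str = SYMBOLS) -> str:
    """Random per-site password from the OS CSPRNG (what a password manager does)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=WORDS) -> str:
    """Memorable master-password candidate: random words joined by hyphens."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Bits of entropy for `positions` independent uniform picks from `choices_per_position`."""
    return positions * math.log2(choices_per_position)


def find_reused(vault: dict) -> dict:
    """Map each password used on more than one site to the sorted list of those sites."""
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


def rotate_reused(vault: dict) -> dict:
    """Return a copy of the vault with every reused password replaced by a fresh random one."""
    fixed = dict(vault)
    for sites in find_reused(vault).values():
        for site in sites:
            fixed[site] = generate_password()
    return fixed


# Constructed sample vault showing the bad habit the text describes.
SAMPLE_VAULT = {
    "shop-admin.example": "Fluffy2019!",
    "tumblr.example": "Fluffy2019!",
    "myfitnesspal.example": "Fluffy2019#",
    "bank.example": "vB7$kq2!Lm9@xR4&zT1p",
}

if __name__ == "__main__":
    for pw, sites in find_reused(SAMPLE_VAULT).items():
        print(f"password reused on {sites}")
    print(f"20 random symbols: {entropy_bits(len(SYMBOLS), 20):.0f} bits")
    print(f"6 words from a 7776-word list: {entropy_bits(7776, 6):.0f} bits")
    print("example passphrase:", generate_passphrase())
```

Note that “Fluffy2019#” is not caught as a reuse, even though it is the same password with one character swapped, which is exactly the “tweak it per site” habit: a credential-stuffing tool will try those variations too, so the honest fix is a fresh random password per site, not a variation.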

Develop mindful security habits

Develop habits around your online accounts and login details, treat them like the keys to your home. Take care of them, and give them thought— there’s a lot at stake. 

[Animated image: meditation practice]
Security is often just awareness.

As habits are notoriously hard to make stick, I recommend using your Google Calendar—that’ll make it easy to set reminders. Set yourself periodic alerts to do quarterly or monthly security checks.

In this 5-10 minute audit:

  • Secure your Google account: if you use Gmail, it’s the master key to all your other accounts, because that’s where every password-reset email lands. Bookmark Google’s Security Checkup (myaccount.google.com/security-checkup) and clear it every few weeks. That checkup also includes a compromised-password check, which alerts you if any password you’ve saved has appeared in a data breach, and a repeated-password check that flags the same password used on multiple accounts, a bad idea, as we know from the Disney+ credential stuffing case.
  • This one isn’t talked about enough—reduce your online footprint. No point in keeping your personal details stored away on a site you no longer use, waiting for a potential breach. Identify all of your online accounts quickly and easily with this free, nifty web app: deseat.me. 
  • Make sure your social media accounts have appropriate privacy settings—Facebook offers a smart checkup tool, for example.
  • Check for outdated or abandoned apps and browser extensions you still have installed. An app that no longer receives updates keeps its known vulnerabilities forever, and an extension you forgot about still has whatever permissions you granted it. Uninstall what you don’t use.
  • Make sure your accounts’ security settings are up to date, and check your recovery questions. Treat the answers as extra passwords: make them random and store them in your password manager next to the login, rather than answering truthfully (your mother’s maiden name is not a secret).
  • For store owners, check your online store’s admin panel to see who has access under Settings > Account > Staff or similar. Remove accounts that are no longer needed: the freelancer who worked on your theme last year, or well-meaning friends who may be less careful with login details. Give everyone who stays the narrowest role that covers their job.
  • Expire your user sessions in your Account Settings (often labelled “log out of all devices”). That way, even if someone did get into your store, they’re logged out. This is especially important if you ever use a public or shared computer, such as at a college library, to check on your store.
  • Finally, ask yourself: do you feel more secure? You should, after completing this audit.

Everyday habits

In day-to-day life, think about how you use public Wi-Fi and shared computers. Thanks to HTTPS, an open network at your regular coffee spot or the airport can’t read the password you type, but it can see which sites you visit, and a rogue hotspot can steer you to a fake login page. The bigger risk is the people around you: don’t type passwords where someone can watch your screen or keyboard (password manager auto-fill sidesteps this, and only fills on the genuine domain), and never sign in to your store on a shared computer, which could have a keylogger or keep your session alive after you leave.

Your tolerance here will vary by generation, but be mindful of how much personal information you post on social media. Remember that you’re a valuable target. Don’t put your home address on résumés in public profiles like LinkedIn, and make sure your Twitter isn’t a personal diary that lets an attacker get to know you (and your recovery-question answers) a bit too well.

Take back control

We’re not trying to make you paranoid, just recommending that you invest in the free tools above and take the time every few weeks to run through the checklist. I get it: we like to shift responsibility to the big tech companies, who probably should be looking after our data a little better. But owning your online security pays dividends in peace of mind when you hear about the next big breach. By making it harder for attackers to use leaked data against you, those breaches matter less.

Do you have any stories like mine? Did someone try logging in to your store? How did you handle it? Let me know in the comments and teach other entrepreneurs your top tips.

Ottis keeps on top of the latest trends in Tech, Psychology, and Entrepreneurship. If there's exciting new research in these fields, he's read it.


  1. Filip Pejanović

    Great article as always Ottis, I just used deseat.me to get rid of some old accounts, but what if someone hacks into my Google account and uses deseat.me to delete all of my other accounts! It’s a scary thought. Should I be worried?

    1. Ottis Bailey Post author

      Thanks, Filip! I hear you, that’s definitely a consequence of our “Sign in with Google” culture. If your Google account gets hacked, deseat.me is probably the least of your worries as the hacker could reset any of your account passwords! That’s why it’s so important to protect your Google account at all costs—it really is a master key to your online life. I recommend setting up Google Prompt if you’re an Android user or setting up 2FA for your Google account for extra peace of mind.
      In terms of the use case for Deseat.me, it uses the Google OAuth protocol. This means the app won’t have access to your login information; it just finds the accounts you created that you might want to delete, or just be more aware of.

  2. Anatolii Ulitovskyi

    My WordPress website was hacked a few times. The last time it happened I almost lost all organic reach, and it took 3 months to recover, because the hack changed settings on some WordPress plugins to disallow Google indexing. For me, it’s better to pay for paid antivirus tools.

  3. clipping path

    Every day I try to learn something more challenging on different blogs. It will always be stimulating to read content from other writers and practice a little something from their store. Here I enjoyed your content and learned lots of useful terms. I really appreciate your thoughts.

  4. Cindra

    Thanks for the solid information. I have several emails that I have collected over the years. I plan on closing those after finding out I’ve been “pwned”! Unfortunately, Google is saying that signing into deseat.me has been temporarily disabled. But what a great idea for secure passwords! I’ll be doing a lot of updating in the next few weeks. Appreciate you taking time to share.
