Consider this hypothetical situation.
I'm sitting down about to have a glass of wine on Saturday night when I get 'the call'. The one you really don't want at all, but especially not on a Saturday night.
One website owner was having a really really really bad day.
Shopify's security is good. But any security is only as strong as your password and the machine you log in from.
The user's computer was infected with malware that let the perpetrator watch what was happening on the machine, including capturing any passwords the user typed.
Once the perpetrator had the website owner's password, they could simply log into the website as the owner. They watched traffic until a large transaction was going through the cart, and at that point swapped the site's PayPal payment account to their own, so that the hackers were paid for the transaction rather than the website owner.
Now comes the clever bit: after the transaction had gone through, they swapped the site's linked PayPal account back to the owner's original account, siphoning off an amount small enough not to be noticed instantly but big enough to really hurt. That way anyone looking at the site wouldn't realise it had been compromised without going a step deeper and checking the logs.
Rinse and repeat. For a busy site that very quickly adds up, but the hackers were cunning enough not to take so much that it would be noticed instantly (an emptied account is a giveaway).
The perpetrators also did this over a weekend, when the owner was least likely to notice what was going on, and hoped that tech support was on to more than her first glass of wine.
They may also have used the email password they'd intercepted to delete or block the notification email telling the owner that the payment details had been changed.
Then they watched traffic and waited until the game was up. At that point they siphoned money off any accounts they could and legged it.
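The "go a step deeper and check the logs" part is the one thing that does catch this pattern. Here is an added example (my own illustration, not Shopify's code and not from the original post) of the check: scan a store's activity log for a payout account that is changed and then changed back within a short window, count the orders paid in between, and flag it if it happened out of hours. The log lines and their format are constructed for the example; a real platform's activity log has its own fields, so adapt parse_log to it.

```python
# Added example, not from the original post and not Shopify's code: checking an
# activity log for the "swap the payout account, take the payment, swap it back"
# pattern.  The log format below is constructed for illustration.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "timestamp | actor | event | detail"
SAMPLE_LOG = """\
2023-06-10T02:14:07Z | owner@example.com | payment_account_changed | owner-paypal@example.com -> payouts@example.net
2023-06-10T02:19:41Z | owner@example.com | order_paid | order #1042 2480.00
2023-06-10T02:21:03Z | owner@example.com | payment_account_changed | payouts@example.net -> owner-paypal@example.com
2023-06-12T10:05:00Z | owner@example.com | payment_account_changed | owner-paypal@example.com -> accounts@example.com
"""

@dataclass
class Event:
    ts: datetime
    actor: str
    kind: str
    detail: str

def parse_log(text: str) -> list[Event]:
    """Parse the constructed pipe-separated format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, kind, detail = (p.strip() for p in line.split("|", 3))
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, kind, detail))
    return events

def _old_new(e: Event) -> tuple[str, str]:
    old, new = e.detail.split("->", 1)
    return old.strip(), new.strip()

def find_swap_and_revert(events: list[Event], window=timedelta(hours=24)):
    """Return (change, revert) pairs: payout account changed A->B, then B->A
    within `window`.  A genuine change of payout account is rare and is not
    normally undone hours later; the revert is the attacker covering tracks."""
    changes = [e for e in events if e.kind == "payment_account_changed"]
    findings = []
    for i, change in enumerate(changes):
        old, new = _old_new(change)
        for revert in changes[i + 1:]:
            if _old_new(revert) == (new, old) and revert.ts - change.ts <= window:
                findings.append((change, revert))
                break
    return findings

def orders_between(events: list[Event], change: Event, revert: Event) -> list[Event]:
    """Orders paid while the attacker's account was in place, i.e. money diverted."""
    return [e for e in events if e.kind == "order_paid" and change.ts < e.ts < revert.ts]

def is_off_hours(ts: datetime, start=8, end=18) -> bool:
    """Weekend or outside business hours.  Timestamps here are UTC; use the
    store's own timezone in practice."""
    return ts.weekday() >= 5 or not (start <= ts.hour < end)

def report(text: str) -> list[str]:
    """One human-readable line per suspicious swap-and-revert."""
    events = parse_log(text)
    lines = []
    for change, revert in find_swap_and_revert(events):
        diverted = orders_between(events, change, revert)
        flag = "OFF-HOURS " if is_off_hours(change.ts) else ""
        lines.append(f"{flag}payout account swapped {change.ts:%Y-%m-%d %H:%M} and reverted "
                     f"{revert.ts:%H:%M} by {change.actor}; {len(diverted)} order(s) paid in between")
    return lines

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Note that the actor on every line is the legitimate owner's account, because the attacker logged in with the owner's stolen password; that is why the check keys on the sequence of events and their timing rather than on who did them.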
HOW DO YOU PREVENT THIS?
Turn on automatic updates for every browser you have installed on the machine (Safari, Chrome, Firefox, Edge, IE, Opera...) and for the operating system itself.
Check your email security settings. How depends on what you use for email; just google it. But be careful of bogus websites that say 'click here to update your PC's security' - they are malware waiting to be installed. Go to the source (Microsoft, Gmail, Apple) for information.
Do this for every computer or device on your network, or that joins your network.
Don't answer those Facebook-type polls, or mention on social media, any of the information that is typically used as a password recovery question or as part of your password. The number of Facebook posts that subtly encourage users to share where they met their spouse, their children's birthdates, dog names, favourite city, best names for a boy, the first car they drove etc. is truly frightening. And some are really subtle: one day you get asked about the month your child was born or you were married, and later in the week you get asked about the day of the week. The two seem safe in isolation, but consider what happens if it is the same poll creator both times and they combine your answers.
Consider setting up separate, restricted user accounts (or child safety settings) if anyone else can use your computer or knows your password. I know your teenage son would never watch porn on your computer while you are out, he's a good lad. But I'm sure his friends would, so don't assume you know what happens on your computer if anyone else knows or can guess your password. All the antivirus in the world won't stop a teenager from clicking on 'do you want to download xxx now' and accepting ALL the installation safety warnings in search of entertainment.
If you don't feel confident doing all this yourself, get your local PC Doctor, Geeks Are Us, Tech 2 U to come and do it for you. Don't procrastinate, book them now.
Shopify supports two-factor authentication (2FA). Put simply, it means that as well as your password, when you log in Shopify asks for a one-time code from your phone (sent by text message, or generated by an authenticator app) that you also enter on the site. The logic is that someone may have access to your computer, but probably won't have access to your phone as well. There are also hardware security key options (a small key that lives on your keychain), which are great and well worth investigating.
Don't finish drinking that coffee, go into your site and enable it NOW.
Get everyone who has an account on your site to do the same (put a note in your diary to go back at the end of the week and make sure they have). Ask any collaborators (your SEO, web or marketing partners) to confirm they have done so.
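For anyone curious why a keylogged password plus a keylogged code still doesn't get the attacker in, here is an added example (my own illustration, not Shopify's code and not from the original post) of how an authenticator-app code works: the TOTP scheme from RFC 6238, generated from a shared secret and the current time, valid only for a 30-second step, and never accepted twice. The user record, password and salt are constructed for the example, and the secret is the published RFC 6238 test key rather than anything real.

```python
# Added example, not Shopify's code: time-based one-time codes (TOTP, RFC 6238,
# the scheme authenticator apps use) and a login check that needs both the
# password and a fresh, unused code.
import base64
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' down to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = Unix time // step, so the code
    changes every `step` seconds and an old one is useless."""
    return hotp(secret, at // step, digits)

def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1):
    """Return the matching time-step counter, or None.  Accept one step either
    side of 'now' for clock drift between phone and server; compare in
    constant time so timing doesn't leak how many digits matched."""
    base = at // step
    for counter in range(base - window, base + window + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None

def _pw_hash(password: str) -> bytes:
    # Constructed: a fixed salt keeps the example self-contained; real systems
    # use a random per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 100_000)

# Constructed user record.  The TOTP secret is the RFC 6238 test key
# ("12345678901234567890", base32-encoded); never use a known key for real.
USER = {
    "password_hash": _pw_hash("correct horse battery staple"),
    "totp_secret": base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"),
    "last_counter": 0,   # highest time-step already accepted, to block replay
}

def check_login(user: dict, password: str, code: str, now: int) -> bool:
    """Password AND a current, never-before-used one-time code are both required."""
    pw_ok = hmac.compare_digest(_pw_hash(password), user["password_hash"])
    counter = verify_totp(user["totp_secret"], code, now)
    if not pw_ok or counter is None or counter <= user["last_counter"]:
        return False
    user["last_counter"] = counter
    return True

if __name__ == "__main__":
    secret = USER["totp_secret"]
    now = 1111111109                                   # RFC 6238 test time
    print("code right now:", totp(secret, now))        # 081804
    # The keylogger captured the password and the code typed at time 59 ("287082"):
    print(check_login(USER, "correct horse battery staple", "287082", now))        # False: expired
    print(check_login(USER, "correct horse battery staple", totp(secret, now), now))  # True
    print(check_login(USER, "correct horse battery staple", totp(secret, now), now))  # False: replayed
```

The keylogger on the owner's machine captures what is typed, so it does capture a code; the point is that the code it captured has stopped working within a minute, and the server refuses a code that has already been used once. Codes sent by text message work the same way from the user's side but can be intercepted in transit, which is why an authenticator app or a hardware security key is the stronger choice.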
Now do the same for any other accounts that have value, whether it be financial, health, privacy or social. Consider:
- Bank Accounts (most of them have compulsory
- Finance sites (Share trading etc)
- Medicare / Manage My Health
- ATO / IRD
- Social Media accounts
- File storage sites like Dropbox
The key thing is to DO all this - great intentions won't protect your site, and there are sophisticated bad guys out there.
NB: this information is general in nature and may not suit your specific situation.