‘Tis the season to be hacked …

30 Nov 2009

Information security company Espion is encouraging online retailers to be more aware of the risks to themselves and their customers and take the necessary steps to guarantee safe Christmas shopping this year.

“Given the increase in the amount of personal and financial information that will flow over the internet in the coming weeks, opportunistic online criminals may try their luck by attempting to exploit weaknesses in online retail sites to gain access to lucrative information,” explains Colm Murphy, technical director with Espion.

“Sites may also be vulnerable to hackers able to manipulate the sales process to purchase for free.”

Espion’s IT security specialists are highlighting that security should be an integral part of web-application development. “Information security must be a continuous process, as technologies that improve user experiences online are often more complex and give rise to security vulnerabilities.

“The impact of these weaknesses in a retail context is significant, given the financial and personal data exchanged during an online transaction.”

Vulnerabilities – Ones to Watch:

Customer data in transit – As customers send their personal information to online retailers, there needs to be an assurance that the data is protected. Encrypting customer data while it is in transit is becoming standard practice: consumers are increasingly aware of Hypertext Transfer Protocol Secure (HTTPS), used on retail sites to provide encryption and secure identification of the site.

Stored customer data – The majority of online retail sites have back-end databases that data is sent to and retrieved from during a transaction. Hackers look to exploit the mechanisms on the site, usually form fields or search functions, through which data is relayed between the site and the database. SQL injection passes malicious database queries through these inputs; a successful injection can disclose details of the back-end technologies and allow a hacker to access restricted areas of the site, from which data can be compromised. Online retailers should also ensure that stored data is properly secured with the appropriate firewalls, anti-virus and anti-spyware technologies.
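
The form-field weakness described above, as an added example that is not part of the original article or Espion's material: a product search that pastes the customer's input into the SQL text beside the same search written with a bound parameter. The catalogue rows and the crafted input are constructed for this example; the point is that the parameterised version returns nothing for the same input while the concatenated version loses its visibility filter.

```python
import sqlite3

# Constructed sample catalogue for this example only (not real retail data).
# One row is marked "restricted" to stand in for data the public search must never return.
SAMPLE_PRODUCTS = [
    ("Wool scarf", "public"),
    ("Leather gloves", "public"),
    ("Staff-only pricing sheet", "restricted"),
]

# The textbook injection string: it closes the quoted search term early and
# comments out the rest of the query, so the visibility filter no longer applies.
CRAFTED_INPUT = "' OR 1=1 --"


def build_catalogue():
    """Return an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO products (name, visibility) VALUES (?, ?)", SAMPLE_PRODUCTS)
    return conn


def search_vulnerable(conn, term):
    """Anti-pattern: the form value is pasted into the SQL text, so the database
    cannot tell where the customer's data ends and the query syntax begins."""
    sql = ("SELECT name FROM products WHERE visibility = 'public' "
           "AND name LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_parameterised(conn, term):
    """Fix: the SQL text is fixed and the form value travels as a bound parameter,
    so whatever the customer types is only ever compared as data."""
    sql = "SELECT name FROM products WHERE visibility = 'public' AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    db = build_catalogue()
    print("vulnerable   :", search_vulnerable(db, CRAFTED_INPUT))
    print("parameterised:", search_parameterised(db, CRAFTED_INPUT))
```

The vulnerable query behaves identically to the fixed one for ordinary searches, which is why this class of flaw survives functional testing; it only diverges when the input contains SQL punctuation, so a test suite that feeds quotes and comment markers into every form field is the practical regression check.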

Credit card data – Customer data, whether stored or in transit, requires significant levels of protection. When credit-card information is part of this customer data, there are compliance requirements to be considered: the Payment Card Industry Data Security Standard (PCI DSS) mandates that the appropriate information security measures are in place.

Checkout scams – This vulnerability is specific to online shopping carts and payment gateways, where hackers use a web-application proxy to alter the requests the browser sends and so change the final payable price. While no customer information is compromised, the online retailer is essentially robbed. Depending on the price of the item or the volume of purchases, this can be extremely damaging if it is not detected and addressed in a timely manner.
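
The defence against the checkout scam described above, as an added example that is not part of the original article or Espion's material: the server recomputes the amount from its own price list and never charges a figure the browser supplied. The catalogue, the request shapes and the `FRAUD_EVENTS` log are constructed for this example; a real shop would take prices from its product database and send the events to its fraud or monitoring system.

```python
from decimal import Decimal

# Constructed server-side price list: the only source of truth for what an item costs.
# (Example data; a real shop would read this from its product database.)
CATALOGUE = {
    "SKU-100": Decimal("49.99"),   # wool scarf
    "SKU-200": Decimal("120.00"),  # leather gloves
}

# Rejected checkouts, kept for fraud review and alerting (constructed stand-in for a log).
FRAUD_EVENTS = []


class TamperedCheckout(Exception):
    """Raised when the amount the browser claims differs from the server's own figure."""


def server_total(lines):
    """Recompute the payable amount from the catalogue alone.

    Any price field the client may have sent is deliberately ignored: only the
    SKU and quantity are taken as input, and both are validated before use."""
    total = Decimal("0")
    for line in lines:
        sku = line["sku"]
        qty = int(line["qty"])
        if sku not in CATALOGUE:
            raise ValueError(f"unknown SKU {sku!r}")
        if qty < 1:
            raise ValueError(f"invalid quantity {qty} for {sku}")
        total += CATALOGUE[sku] * qty
    return total


def authorise_checkout(request, session_id="anon"):
    """Return the amount to send to the payment gateway for a decoded checkout form.

    The client's claimed total is only compared, never charged: a mismatch means the
    request was altered between the browser and the server, so it is refused and logged."""
    expected = server_total(request["lines"])
    claimed = Decimal(str(request.get("total", "0")))
    if claimed != expected:
        FRAUD_EVENTS.append({"session": session_id, "claimed": claimed, "expected": expected})
        raise TamperedCheckout(f"client total {claimed} != server total {expected}")
    return expected


def try_checkout(request, session_id="anon"):
    """Convenience wrapper: ('charged', amount) or ('rejected', reason) as strings."""
    try:
        return ("charged", str(authorise_checkout(request, session_id)))
    except (TamperedCheckout, ValueError) as err:
        return ("rejected", str(err))


# Constructed requests as the server sees them after decoding the POSTed form.
HONEST_REQUEST = {
    "lines": [{"sku": "SKU-100", "qty": 1}, {"sku": "SKU-200", "qty": 1}],
    "total": "169.99",
}
# Same basket, but the total field was edited in transit with a proxy.
TAMPERED_REQUEST = {
    "lines": [{"sku": "SKU-100", "qty": 1}, {"sku": "SKU-200", "qty": 1}],
    "total": "0.01",
}

if __name__ == "__main__":
    print(try_checkout(HONEST_REQUEST))
    print(try_checkout(TAMPERED_REQUEST, session_id="demo"))
    print(FRAUD_EVENTS)
```

Two design points matter here: the charged amount is always the server's own figure, so even a retailer that forgot to compare would not lose money, and the comparison is still worth keeping because every mismatch is a tampered request and therefore a clean signal for detection rather than something that has to be inferred later from the accounts.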

Cross-site scripting (XSS)/phishing attacks – XSS is a way of tricking customers into divulging sensitive data by appearing to be a legitimate site. The hackers use the site’s own code, edit it and republish it, either as a page or a pop-up, to execute phishing attacks.
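
The republished-page problem above, as an added example that is not part of the original article or Espion's material: a search-results page that echoes the customer's term. The page skeleton and the probe string are constructed for this example; the fix shown is output encoding with Python's standard `html.escape`, which is the same control a template engine's auto-escaping applies.

```python
import html

# Constructed page skeleton; a real shop would render this through its template engine.
PAGE = "<h1>Search results</h1><p>No results for <b>{term}</b>.</p>"

# Constructed probe: a link dressed up as a sign-in prompt. If it survives into the
# page unescaped, the shop's own URL now serves a phishing lure.
PROBE = '<a href="http://phish.example">Sign in again</a>'


def render_vulnerable(term):
    """Anti-pattern: the customer's search term is placed into the page verbatim,
    so any markup in the term becomes part of the site's own HTML."""
    return PAGE.format(term=term)


def render_escaped(term):
    """Fix: encode the HTML-significant characters (&, <, >, quotes) before
    insertion, so the term is displayed as text and can never open a tag."""
    return PAGE.format(term=html.escape(term, quote=True))


def echoes_markup(rendered, term):
    """Regression check for the example: does a term containing '<' or '"'
    appear in the output unchanged?"""
    return ("<" in term or '"' in term) and term in rendered


if __name__ == "__main__":
    print(render_vulnerable(PROBE))
    print(render_escaped(PROBE))
```

Encoding at the point of output is the control that matters: input filtering alone misses terms that arrive by other routes (URL parameters, stored reviews, back-end imports), whereas a page that escapes everything it prints cannot be turned into a copy of itself with a foreign form attached.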

Espion’s tips for online retailers:

1. Make security part of your development – do not wait for an attack or breach. Understand where the weaknesses are and address them. Regularly test your site to ensure it is robust enough to resist attack. The Open Web Application Security Project (OWASP) is an organisation that provides practical information about securing web applications. OWASP’s Top 10 project explains the 10 most critical web-application security vulnerabilities and how to protect against them.

2. If you are using open-source applications, stay on top of any patches that are released. Often, after a site is successfully breached, hackers move on to target other sites using the same open-source applications to repeat the process.

3. Ensure that any administrative sections of the site are secured against unauthorised access. Many sites are maintained by logging into the site itself. This administrator login gives access to all areas of the site, possibly including details of the back-end systems and the location of sensitive data, which could be damaging if breached.

4. If online retailers are taking and storing credit-card information, they are obliged to become PCI compliant. For many companies this may be a valuable exercise and a prudent investment. For smaller sites with limited resources, using a trusted third-party payment service such as PayPal or Google Checkout can circumvent the need for this expense, taking credit-card information out of the transaction process and offering customers an increased level of confidence in your site.

By John Kennedy

Photo: The high rate of online shopping activity this time of year means identity thieves could be much more active online, as well.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com