Online shopping and e-commerce fraud security risks are on the rise. Read any news source and you will see references to the latest, weekly attacks against all types of organizations – retail, financial, healthcare, government, commercial – the list continues to grow every day.
Given the recent disclosures of credit card theft (Target, Michaels, etc); one has to consider, is any transaction where a credit card is used safe?
No matter if it’s a physical transaction via a card swipe (where well documented POS problems exist) or an online transaction, a number of attack vectors exist. These risks could reside in either the Web page you’re ordering from or the downstream systems within the organization that process and fulfill the order.
Taking into account the weak security due to the lack of two-factor authentication amongst almost all online services, the problem is only going to get worse until there is a more rigorous standard adopted. This security standard for e-Commerce vendors would remediate the online risks of doing business with vendors of every size, and be mediated by the government, the credit card companies, or both.
Looking at recent hacks, like the ones with EBay and iCloud, weaknesses in the initial v1, v2, or v5 vendor application deployment don’t always consider security measures. Instead they may be introducing attack vectors that haven’t yet been discovered. Online criminals continue to evolve their attack techniques to find new ways to rip folks off need to be considered based on what they find exposed at the vendor’s front door via their websites data leakage.
For hackers these are the days of leak testing, finding a doorway to expose and gain access to basic personal information or credit card numbers. They are not necessary hacking in the truest sense, but more like the early 90’s where finding flaws in the existing system lead to others to be leveraged. Think Sony circa 2010, but four years later. Hackers have gotten more clever and resourceful to tie up the loose ends to find a way to get your info at all costs.
At a base level, many selling, payment and fulfillment solutions think of security as an afterthought and may not know they have a problem until after they are hacked. Data elements are collected in clear text, no encryption is used in the storage or transfer of data and it is not really part of the initial development, QA or release testing process. Later once added, its weaknesses as part of the afterthought allow for further exploit since it isn’t part of the original architecture.
If a hack does take place, companies often view the risk versus reward of fixing the problem. Some companies may opt to fix right away, some later and others may avoid fixing based on financial or other corporate reasons – BlackPOS or Heartbleed as prime examples. Those who rely on open source solutions can also run into problems. Even if a company can fix their internal code bugs or their paid vendors’ code, they can’t always fix the bugs introduced by external parties or open source partners they rely on,
For many e-commerce site providers and vendors, this means they don’t control their own destiny – they are instead reliant on the tools they run to make available the fixes necessary to secure the sites they manage. This is contrary to the model where many sites proclaim that they offer the highest level of security available out of the box when they do business with you. Even with the common e “My Site is Secure” badge a lot of sites show, you really just don’t know how secure the background is.
At this point, a number of suggestions can be made before doing purchases with any e-commerce site:
– Make sure you have an add-on that is solid as it relates to Heartbleed. Make sure it’s approved by your browser and has good reviews. In recent history, there have been some dicey options for this that lead to malware sites.
– Make sure you have an add-on that is solid as it relates to Reputation when visiting websites. Most recent AV/Malware/Spyware tools include one of these. If your tool of choice says don’t visit, DON’T.
– Make sure you heed attention to Search engine warnings on bad or false sites. In recent years Google and Bing have opted to keep an eye on bad websites – i.e. those noted to have problems in native form or otherwise. If they tell you to avoid, do so or risk problems.
– Before you purchase anything online, take a moment to read the Terms and Conditions. If they get hacked, what do they offer you the customer, in terms of protection?
As it relates to vendors you do physical business with, check their websites and/or call the companies directly. Also, check your credit card regularly and do take advantage of regular reviews of your credit card as well as any free services the vendors offer you in terms of credit protection both before and after any problems arise. At the end of the day, the security of your data rests with you.
Tom Polsdorf, VCP, has served as Edgewave’s IT Manager since 2011 where he is responsible for Edgewave’s Cloud, Colocation and Internal systems. Tom is a veteran of the United States Navy with a diverse 27 year career with wide range companies and experiences with computer systems, satellite/network communications and electronics.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.