By Jeremiah Grossman E-Commerce Times
01/21/08 4:00 AM PT
E-commerce has been part of the retail world for more than a decade, and today's consumers seem to assume that because of this longevity, their transactions are secure. Beyond this, the average online shopper is convinced that a firewall and an antivirus program, combined with shopping at brand-name retail sites, put their credit card numbers and other sensitive information out of reach of attackers.
However, the average consumer doesn't scan the Internet for Web hack news. If they did, they would find a constant stream of stories about malicious hacks affecting the modern consumer.
TJX was one of the largest, but we can't forget about the more recent attacks on the Rivkin online auction, QVC or the Colorado Rockies ticket site. One incident like this can cost corporations thousands of dollars in remediation costs, and can cause irreparable damage to their brand image. The consumers? Their Social Security numbers can go out the browser window and into the black market.
Most Intense Hacks
If you haven't had time to translate the Web security jargon, allow me a minute to break down some of the Web's most recent, most intense hacks, in e-commerce and beyond, for you:
The MySpace Samy Worm. What was the hack? Cross-site scripting (XSS). What's that? The injection of malicious code into otherwise secure Web site code. So what? In less than 24 hours, self-propagating JavaScript malware infected more than 1 million user profiles and one of the Web's largest properties experienced more than a day of downtime.
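The Samy worm worked because profile text that one user typed was written into a page that other users' browsers then executed as script. The added example below (not code from the article or from MySpace; the profile text and function names are constructed for illustration) shows the defect beside the fix: the same user-supplied text concatenated raw into markup, and then passed through output encoding for the HTML text and attribute contexts so the browser shows it literally.

```python
"""Output encoding for user-supplied profile text (constructed example)."""
import html

# Constructed sample: the kind of "about me" text a profile page echoes back to
# every visitor. The script tag is here only to show what encoding does to it.
SAMPLE_ABOUT_ME = 'Hi! <script>document.title="owned"</script> <b>bold</b>'


def render_profile_unsafe(about_me: str) -> str:
    """The bug: user text is pasted straight into the page markup, so any tag
    or script it contains becomes part of the page for every viewer."""
    return f'<div class="about">{about_me}</div>'


def render_profile_safe(about_me: str) -> str:
    """Fix for the HTML text context: encode <, >, &, and quotes so the browser
    renders the characters instead of interpreting them as markup."""
    return f'<div class="about">{html.escape(about_me, quote=True)}</div>'


def render_attr_safe(value: str) -> str:
    """Attribute context: the same encoder works, but only because the attribute
    value is enclosed in quotes; an unquoted attribute would still be breakable."""
    return f'<a href="#" title="{html.escape(value, quote=True)}">profile</a>'


def script_tag_survives(rendered: str) -> bool:
    """Crude check used for the demonstration: does a live <script> tag remain?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_profile_unsafe(SAMPLE_ABOUT_ME))
    print(render_profile_safe(SAMPLE_ABOUT_ME))
```

Encoding at output time, per context, is the durable fix; stripping "bad" strings on input is what the worm's author got around. Template engines that auto-escape do the same thing by default.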
CardSystems. What was the hack? SQL injection. What's that? The insertion of malicious code into the database layer of a Web site. So what? Hackers stole 263,000 credit card numbers and exposed 40 million more. Several million dollars worth of fraudulent credit/debit card purchases were made with these counterfeit cards.
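The CardSystems-style defect arises when a value from the request is pasted into the text of a database query, so anything in that value that is SQL syntax is executed as SQL. The added example below (not code from the article or from CardSystems; the table, rows and function names are constructed) runs a string-built lookup beside a parameterized one against an in-memory SQLite database, so the difference can be seen on the same input.

```python
"""String-built query versus bound parameters, against an in-memory SQLite db."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a shop's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "2222")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """The defect: the email is formatted into the SQL text, so a quote in the
    input ends the string literal and the rest of the input becomes SQL."""
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Fix: the value is bound as a parameter. The query shape is fixed at
    compile time and the input can only ever be compared as data."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(lookup_safe(db, "alice@example.com"))
```

The same rule applies to every driver and ORM: the query text and the data travel separately. Escaping quotes by hand is the approach that keeps failing in practice.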
Free Macworld 2007 VIP passes. What was the hack? Exploitation of a business logic flaw. What's that? A number of attack methods that result in Web site code operating not as intended. So what? Several people discovered how to obtain free Platinum Passes (a $1,695 value). By viewing the source code of the sign-up Web page, they found hidden priority codes freely usable during registration.
Safety Measures
So, if you aren't an expert in computer security, here are some top tips for a safer online experience:
Switch your Web browsers to Firefox, Mozilla, Safari, or anything else besides Internet Explorer. This is probably the single most important thing you can do to protect yourself online. You think you're fine because a new patch is being released soon -- to bring IE light years ahead of all other browsers? Sorry, that will get you nowhere, because a patch like that is like a glittery target for malicious hackers.
With browsers, the best way to remain secure is by staying out of the line of fire, and Internet Explorer is well known for being in the crosshairs of viruses, spyware, and adware. If a Web site really does need IE and you really need to use the Web site, make sure the site is legitimate, then it's reasonably safe to fire up IE.
Add more security to your Web browser. No matter what browser you choose, the Web is a hostile place and all Web surfing tools need a little help to defend themselves. Try NoScript for Firefox, the Netcraft Anti-Phishing Toolbar, the eBay Toolbar, or the Google Toolbar.
All of these add-ons help identify phishing Web sites, prevent your computer from being hacked, and your passwords from falling into the wrong hands. Most people will only need the first two add-ons, but if you are an eBay buyer, using theirs is essential as well.
Don't click on links in e-mail, almost ever. Whenever possible try NOT to click on any links in e-mail, especially since links themselves are dangerous and the latest phishing e-mails are difficult to detect. An ounce of paranoia is worth a pound of patches. If I'm unsure if an e-mail is real, one thing I do is manually type the domain name into the Web browser location bar.
This way I know I'm on the real Web site. If an organization asks me to verify my account information by "clicking here," instead I type in the organization's URL then proceed to login. If a company you're doing business with really wanted to verify your account information, they would ask at the point of login.
With that said, some e-mail links are safer to click on than others, such as those sent in response to an action (account registration, password reset, order confirmation, etc.) you performed on the Web site within the last several minutes.
Defend your Web mail. Hundreds of millions of people use Web mail, which is why in many ways e-mail is more important to keep secure than your bank account. Many people have important online accounts tied to a single Web mail address. If anyone gained access to your e-mail account, all accounts associated with it could be compromised as well. The best thing you can do is use unguessable passwords, change them every six months or so, and don't use that password anywhere else. Bonus points for deleting e-mails with any sensitive information.
Use a single credit card for online purchases. In light of recent events, chances are the credit card numbers we use online are going to be stolen at some point. For that reason it's best to try and limit any potential damage. Using a single credit card with just enough of a limit to conduct your online transactions makes it easier to monitor statements for any strange charges. Plus, any fraud is isolated to that one card. Also, refrain from using a debit card online since they don't carry the same consumer legal protections as credit cards.
Normally, this is the part of the discussion where the experts start talking about SSL (secure sockets layer) and telling you to check for the lock symbol. In my experience just about every legitimate Web site accepting credit cards is now SSL-enabled. So the better advice is to make sure you're actually on the one Web site you think you are on. Otherwise SSL isn't going to matter much anyway.
Scared? You should be. Oh, but happy shopping.
Jeremiah Grossman is CTO of WhiteHat Security, a provider of Web site vulnerability management services.