The Lurking Perils of Online Transactions

E-commerce has been part of the retail world for more than a decade, and today’s consumers seem to assume that because of this longevity, their transactions are secure. Beyond this, the average online shoppers are convinced their credit card numbers and other sensitive information are out of reach of attackers with a firewall and antivirus program, combined with shopping at brand-name retail sites.

However, the average consumers don’t scan the Internet for Web hack news. If they did, they would find a constant stream of stories about malicious hacks affecting the modern consumer.

TJX was one of the largest, but we can’t forget about the more recent attacks on the Rivkin online auction, QVC or the Colorado Rockies ticket site. One incident like this can cost corporations thousands of dollars in remediation costs, and can cause irreparable damage to their brand image. The consumers? Their Social Security numbers can go out the browser window and into the black market.

Most Intense Hacks

If you haven’t had time to translate the Web security jargon, allow me a minute to break down some of the Web’s most recent, most intense hacks, in e-commerce and beyond, for you:

  • The MySpace Samy Worm. What was the hack? Cross-site scripting (XSS). What’s that? The injection of malicious code into otherwise secure Web site code. So what? In less than 24 hours, self-propagating JavaScript malware infected more than 1 million user profiles and one of the Web’s largest properties experienced more than a day of downtime.
  • CardSystems. What was the hack? SQL injection. What’s that? The insertion of malicious code into the database layer of a Web site. So what? Hackers stole 263,000 credit card numbers and exposed 40 million more. Several million dollars worth of fraudulent credit/debit card purchases were made with these counterfeit cards.
  • Free Macworld 2007 VIP passes. What was the hack? Exploitation of a business logic flaw. What’s that? A number of attack methods that result in Web site code operating not as intended. So what? Several people discovered how to obtain free Platinum Passes (a $1,695 value). By viewing the source code of the sign-up Web page, they found hidden priority codes freely usable during registration.

Safety Measures

So, if you aren’t an expert in computer security, here are some top tips for a safer online experience:

  • Switch your Web browsers to Firefox, Mozilla, Safari, or anything else besides Internet Explorer. This is probably the single most important thing you can do to protect yourself online. You think you’re fine because a new patch is being released soon — to bring IE light years ahead of all other browsers? Sorry, that will get you nowhere, because a patch like that is like a glittery target for malicious hackers.

    With browsers, the best way to remain secure is by staying out of the line of fire, and Internet Explorer is well known for being in the crosshairs of viruses, spyware, and adware. If a Web site really does need IE and you really need to use the Web site, make sure the site is legitimate, then it’s reasonably safe to fire up IE.

  • Add more security to your Web browser. No matter what browser you choose, the Web is a hostile place and all Web surfing tools need a little help to defend themselves. Try NoScript for Firefox, the Netcraft Anti-Phishing Toolbar, the eBay Toolbar, or the Google Toolbar.

    All of these add-ons help identify phishing Web sites, prevent your computer from being hacked, and your passwords from falling into the wrong hands. Most people will only need the first two add-ons, but if you are an eBay buyer, using theirs is essential as well.

  • Don’t click on links in e-mail, almost ever. Whenever possible try NOT to click on any links in e-mail, especially since links themselves are dangerous and the latest phishing e-mails are difficult to detect. An ounce of paranoia is worth a pound of patches. If I’m unsure if an e-mail is real, one thing I do is manually type the domain name into the Web browser location bar.

    This way I know I’m on the real Web site. If an organization asks me to verify my account information by “clicking here,” instead I type in the organization’s URL then proceed to login. If a company you’re doing business with really wanted to verify your account information, they would ask at the point of login.

    With that said, some e-mail links are safer to click on than others. Like those sent in response to an action (account registration, password reset, order confirmation, etc.) you might have performed on the Web site within the last several minutes.

  • Defend your Web mail. Hundred of millions of people use Web mail, which is why in many ways e-mail is more important to keep secure than your bank account. Many people have important online accounts tied to a single Web mail address. If anyone gained access to your e-mail account, all accounts associated with it could be compromised as well. The best thing you can do is use unguessable passwords, change them every six months or so, and don’t use that password anywhere else. Bonus points for deleting e-mails with any sensitive information.
  • Use a single credit card for online purchases. In light of recent events, chances are the credit card numbers we use online are going to be stolen at some point. For that reason it’s best to try and limit any potential damage. Using a single credit card with just enough of a limit to conduct your online transactions makes it easier to monitor statements for any strange charges. Plus, any fraud is isolated to that one card. Also, refrain from using a debit card online since they don’t carry the same consumer legal protections as credit cards.

Normally, this is the part of the discussion where the experts start talking about SSL (secure sockets layer) and telling you to check for the lock symbol. In my experience just about every legitimate Web site accepting credit cards is now SSL-enabled. So the better advice is to make sure you’re actually on the one Web site you think you are on. Otherwise SSL isn’t going to matter much anyway.

Scared? You should be. Oh, but happy shopping.

Jeremiah Grossman is CTO of WhiteHat Security, a provider of Web site vulnerability management services.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

E-Commerce Times Channels