How to Keep Hackers’ Hands Off Your E-commerce Business
The Polish e-commerce market is growing quickly, at an annual rate of 15-20%. There are more and more virtual stores, and at the same time the number of people who frequent these sites is also rapidly increasing. According to a report by Gemius, almost half of Polish Internet users have made online purchases at some point. It is also worth noting that 33% of people who buy goods through the Internet do so on their mobile devices*.
With e-commerce and m-commerce growth skyrocketing, it’s an exciting time to be an online business owner. Unfortunately for most people, it’s also a good time to be a hacker or online scammer. With more and more people exchanging vital information to complete online transactions, there are many ripe opportunities for hackers to take advantage of.
Today we’re talking with Sebastian Gilon, a security specialist here at TestArmy. He will tell us how hackers work, what they can steal from e-shops and, most importantly, how to defend yourself against them.
What can hackers steal from virtual stores, or how can they destroy our businesses?
The first thing that comes to my mind is customers’ personal data such as login information, email addresses, phone numbers and home addresses (usually listed as the delivery address). Some stores even require that customers send them a scan of a student card or even a photo ID to complete a purchase. In this case, hackers can gain extremely sensitive information, for instance legal residential addresses or even a personal identity number. The hackers can use the customer’s data for their own purposes or sell the sensitive information on the black market.
Another equally serious situation can occur if someone steals authorization data from a payment system like PayPal. In this case we’re not just talking about customer data, but the business owner’s information as well. If a hacker can extract the owner’s data, they would be able to log into the owner’s business account and transfer all the funds collected from customers into their personal accounts.
In addition, if shrewd fraudsters are able to obtain the login information for the administration section of a virtual store, they can do equally horrendous things, like redirecting a package to another address.
It’s important to remember that e-commerce sites are vulnerable to many different kinds of attacks from hackers, not just data theft. Different forms of security breaches can include swapping the contents of a page or, in the worst-case scenario, “infection” of the store. In an infected store, it’s possible for an unknowing customer to click a link to a “product” that will instead infect his/her computer with a virus. What happens next? The customer’s computer starts to serve the hackers’ needs.
Other common offenses can include hacking of databases or obtaining source code. In this situation, hackers could copy the source code in order to analyze it or sell it on the black market, rendering all of the developers’ work useless.
How do hackers work? What methods do they use and how do they manage to steal confidential data?
The attacking methods of hackers are countless and ultimately depend on their creativity and how much time they invest into hacking. However, most methods are based on errors and vulnerabilities in software that developers did not anticipate. Such errors can include:
– XSS bugs that allow extraction of user cookies and can enable a hacker to take control of a private account. This can turn into an even worse situation if the user turns out to be an administrator.
What would such an attack look like? If a hacker places a script in a comment (under a selected product), that script will be executed on the administrator’s side and it will download the administrative cookies. As a result, a hacker holding the cookie will have access to the administration panel without the use of a login and password, and from there they can do what they please with the software.
– RCE-type errors that allow remote execution of commands on the system, using ordinary user permissions.
Sometimes, a lack of testing can be the reason behind an attack. In this case, all the hacker needs to do is to gain access to an invoice of another client and replace the ID in the URL.
Hackers often make use of outdated scripts, like PDF generators, to make attacks.
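To make the two defects above concrete from the defender's side, here is an added example (not code from the interview or from TestArmy) in Python. It shows the three controls that close the scenarios described: encoding product comments before they are rendered, so a script pasted into a comment is shown as text rather than run in the administrator's browser; marking the admin session cookie HttpOnly so page scripts cannot read it; and checking that an invoice belongs to the logged-in user instead of trusting the ID in the URL. The invoice table, usernames and session ID are constructed sample data.

```python
import html

# Constructed sample data for this example (not from the article):
# two customers, each with one invoice, keyed by the ID that appears in the URL.
INVOICES = {
    101: {"owner": "alice", "total": "49.99 PLN"},
    102: {"owner": "bob", "total": "120.00 PLN"},
}


def render_comment(raw_comment: str) -> str:
    """Render a product comment as HTML text, not HTML markup.

    Every character that could open or close a tag or attribute is encoded,
    so a <script> pasted into a comment is displayed literally in the
    administrator's browser instead of being executed there.
    """
    return '<p class="comment">' + html.escape(raw_comment, quote=True) + "</p>"


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie header for an admin session.

    HttpOnly keeps the cookie out of reach of any script running in the page
    (so even an XSS bug cannot read it); Secure restricts it to HTTPS.
    """
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def can_view_invoice(invoice_id: int, logged_in_user: str) -> bool:
    """Ownership check: the ID in the URL is a lookup key, not an authorization."""
    invoice = INVOICES.get(invoice_id)
    return invoice is not None and invoice["owner"] == logged_in_user


def get_invoice(invoice_id: int, logged_in_user: str) -> dict:
    """Return an invoice only to its owner.

    'Missing' and 'not yours' get the same error, so the response does not
    reveal which IDs exist when someone walks through the ID space.
    """
    if not can_view_invoice(invoice_id, logged_in_user):
        raise PermissionError(f"invoice {invoice_id} is not available")
    return INVOICES[invoice_id]


if __name__ == "__main__":
    # A comment containing a script tag comes out as harmless text.
    print(render_comment("Great product! <script>alert(1)</script>"))
    print(session_cookie_header("constructed-session-id"))
    print(get_invoice(101, "alice"))
    try:
        get_invoice(102, "alice")  # alice changing the URL to bob's invoice ID
    except PermissionError as err:
        print("denied:", err)
```

The ownership check is the part most often missed in testing: the page loads fine for the logged-in user, so nobody notices that it also loads for any other logged-in user who edits the number.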
How can entrepreneurs protect themselves against attacks?
First of all, make sure to test the payment system and check how the payment is confirmed. Usually, the confirmation process is carried out using web services. Web services receive data from payment systems and establish that the payment was made on the basis of the received data.
Hackers can try to attack web services and then send payment confirmation to the store. Then, the shop’s owner receives information that a payment had been made, even though it never even started.
There’s one major conclusion: One should always test the payment systems, check the feedback and implement changes correctly in accordance with test reports.
In regards to e-commerce safety, the standard at the moment is to have an SSL/TLS certificate, and I think just about every shop has that by now. The SSL/TLS protocol encrypts communication, which protects against eavesdropping on the connection. So if we use an encrypted connection, even in a cafe, we can be relatively sure that our transaction was protected. But if we are lacking an SSL/TLS certificate, then we have no reason to assume that our information is protected from prying eyes.
To make sure that a store has an SSL certificate, just look at the URL. All addresses beginning with “https://” (not “http://”) are encrypted – but it does not mean that all page elements are transmitted in an encrypted manner, and that all communication is encrypted.
Another method of partially dealing with attacks is to use WAF software (Web Application Firewall), a system which protects websites. This system controls all content entering the site and thus detects and removes attempted attacks. However, a WAF never gives a 100% guarantee of safety, and some professionals are able to bypass WAF filters.
E-commerce businessmen should determine an appropriate security policy for their sites. Do not store passwords in plain text form in a database. Another major risk is sending a new password to a client’s email address. Even if the store offers the highest safety standards, they cannot control the security of the client’s inbox, which may allow important information to be stolen.
In addition, e-commerce owners should force the users to use strong passwords (using both uppercase and lowercase letters, numbers and special characters).
I discourage the use of simple methods of hashing passwords, such as MD5. Breaking saved passwords often takes less than 1 second.
You also cannot forget about current and regular backups, and about holding them on servers other than the store’s.
Additional protection can also come in the form of multi-factor authentication. This requires users to verify their identity several times and can include things like multiple passwords or confirmation of a login attempt via SMS. However, I think that in e-commerce businesses this method is too complicated and will only frustrate users, driving business elsewhere.
If we are talking about security in e-shops, then we can’t skip the choice of hosting. Many owners of small and simple e-commerce sites decide on shared hosting (they share a server with other users). This is risky because incompetent management can result in a breach of clients’ data.
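The first advice in this answer, testing how a payment is confirmed, comes down to one rule: the store must not believe a payment notification just because it arrived. The following Python example is added here and is not code from the interview, from TestArmy or from any payment provider; it assumes a hypothetical provider that signs each notification with an HMAC-SHA256 over a canonical JSON body using a secret shared with the merchant (real providers each have their own scheme, so check the provider's documentation). The order book, secret and messages are constructed. Beyond checking the signature, the check also rejects unknown orders, replayed notifications, and amounts or currencies that do not match what the store expected, which is exactly the forged “payment made” message the answer warns about.

```python
import hashlib
import hmac
import json

# Constructed secret shared between the store and the (hypothetical) payment provider.
# In a real deployment it comes from the provider's merchant panel, never from source code.
SHARED_SECRET = b"example-merchant-secret-do-not-use"

# Constructed order book: what the store itself knows it is waiting to be paid.
PENDING_ORDERS = {"ORD-1001": {"amount": "149.00", "currency": "PLN", "paid": False}}


def canonical(payload: dict) -> bytes:
    """Stable serialization so both sides sign exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_notification(payload: dict, secret: bytes = SHARED_SECRET) -> str:
    """What the hypothetical provider does before calling the store's web service."""
    return hmac.new(secret, canonical(payload), hashlib.sha256).hexdigest()


def verify_notification(payload: dict, signature: str,
                        orders: dict = PENDING_ORDERS,
                        secret: bytes = SHARED_SECRET) -> bool:
    """Accept a payment confirmation only if it is authentic AND consistent
    with what the store expects. On success the order is marked paid."""
    expected = sign_notification(payload, secret)
    if not hmac.compare_digest(expected, signature):
        return False  # forged or tampered message: anyone can POST to the endpoint
    order = orders.get(payload.get("order_id"))
    if order is None:
        return False  # unknown order
    if order["paid"]:
        return False  # replay of an earlier, genuine notification
    if payload.get("status") != "COMPLETED":
        return False  # pending / cancelled / refunded are not "paid"
    if payload.get("amount") != order["amount"] or payload.get("currency") != order["currency"]:
        return False  # e.g. a genuine 1.00 PLN payment presented for a 149.00 PLN order
    order["paid"] = True
    return True


if __name__ == "__main__":
    genuine = {"order_id": "ORD-1001", "status": "COMPLETED",
               "amount": "149.00", "currency": "PLN"}
    sig = sign_notification(genuine)
    print("genuine:", verify_notification(genuine, sig))      # True
    print("replayed:", verify_notification(genuine, sig))     # False
    forged = dict(genuine, amount="1.00")
    print("forged body, old sig:", verify_notification(forged, sig))  # False
```

When testing a shop, this is the endpoint to exercise: send it an unsigned or re-sent confirmation and watch whether an order flips to “paid”.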
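Three more points from this answer can be shown in one place: do not store passwords in plain text or under a fast unsalted hash like MD5, enforce the password policy described (upper- and lowercase letters, digits, special characters), and do not e-mail a new password to the customer. The Python below is an added example, not code from the interview or from TestArmy. It uses PBKDF2-HMAC-SHA256 from the standard library with a per-user random salt and a high iteration count (the count and the 12-character minimum length are assumptions for the example, not values from the article), and replaces the e-mailed password with a single-use, 15-minute reset token of which only a hash is stored.

```python
import hashlib
import hmac
import os
import secrets
import string
import time
from typing import Dict, Optional, Tuple

# Work-factor parameters assumed for this example (PBKDF2-HMAC-SHA256).
# They are illustrative choices, not values from the article.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
RESET_TTL_SECONDS = 15 * 60


def hash_password(password: str) -> str:
    """Return a record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt means two users with the same password get different
    records (no precomputed table applies), and the iteration count makes every
    guess cost real CPU time, unlike a single MD5 call.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def password_meets_policy(password: str, min_length: int = 12) -> bool:
    """The policy from the interview (upper- and lowercase letters, digits,
    special characters); the minimum length is an added assumption."""
    return all((
        len(password) >= min_length,
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))


# Instead of e-mailing a new password, e-mail a single-use, short-lived reset token.
# Constructed in-memory store: sha256(token) -> (username, expiry timestamp).
_reset_tokens: Dict[str, Tuple[str, float]] = {}


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    # Only a hash of the token is stored, so a leaked table is useless on its own.
    _reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = (username, now + RESET_TTL_SECONDS)
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username if the token is valid and unexpired; it is consumed either way."""
    now = time.time() if now is None else now
    entry = _reset_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return None
    return entry[0]


if __name__ == "__main__":
    record = hash_password("Correct-Horse-9")
    print(record)
    print(verify_password("Correct-Horse-9", record), verify_password("correct-horse-9", record))
    print(password_meets_policy("Correct-Horse-9"), password_meets_policy("password123"))
    token = issue_reset_token("alice")
    print(redeem_reset_token(token), redeem_reset_token(token))  # 'alice' then None
```

Even if the customer's inbox is compromised, as the answer worries, an expired or already-used token gives the attacker nothing, and the stored hash of the token gives a database thief nothing either.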
How can the owner of an e-commerce site check whether their store is safe enough?
By outsourcing security testing to specialists – penetration testers. A Penetration Tester is an ethical hacker, who probes for, and exploits security vulnerabilities in web-based applications, networks and systems.
In other words, you get paid to legally hack. The process of legally hacking is called a pen test, and there are 3 methods of conducting a pen test: white box, grey box or black box.
The most interesting of them is the black box method, since the penetration tester does not receive any access to the site and must hack the site using information that is only available to the average user. Such tests also test the functionality of the software from the point of view of a guest user, a logged-in user and a registered user.
While executing a pen test, I try to access the administration panel and check the strength of passwords. In addition, I examine the security of the server, whether data is stored there in the right way, and if anybody has access to temporary files or files of other users.
When the tests are done, the penetration tester writes a report and then gives it to the client and his/her developers. In general, the report contains a comprehensive list of errors and defects that were discovered, a risk assessment, tags specifying the type of vulnerabilities, the exact reproduction steps (including parts of the code and screenshots) and suggested methods of repair.
What happens next?
The information presented in the report is sufficient for developers to understand what is wrong and understand the critical failures of the software. Clear instructions allow them to implement solutions and prevent further attacks.
Is a pen test safe?
Yes, they are absolutely safe and urgently needed. When I perform such a test, I usually create a suitable environment so that testing does not overload the database, result in the loss of customer data or cause other fatal errors in the results. But of course, there are also tests that take place in production, with appropriate procedures. It is worth noting that all data leaks, regardless of the test environment, are sent via a secure connection and under the supervision of the penetration tester on the server. There is also no concern that the data obtained ever sees the light of day, because during testing it is stored in encrypted volumes, and when the test is completed, it is removed.
Unfortunately, hacker attacks were, and always will be, prevalent. You cannot avoid them, but you can prevent them. In the case of e-commerce it is especially important, because the price for “doing nothing” could be the loss of a lot of money, customer data and the company’s reputation. And the latter does not have an easy fix.
In the end, it is worth remembering the provisions of the Regulation of the European Parliament and the Council on the protection of individuals in relation to the processing of personal data.
Colloquially called RODO (GDPR – General Data Protection Regulation), it will take effect from 26 May 2018 and requires all businesses to implement adequate data protection measures.
It is worth thinking about safety today.
*According to a Mobile Institute survey
Sebastian Gilon – co-owner and security director at TestArmy/Testuj.pl. He performs controlled hacking attacks and detects deeply hidden bugs on a daily basis. After work, he is a leader of tourist trips, an avid angler and the world’s biggest whiskey lover.