Tuesday 26 November 2013

How to Stay Safe on Ecommerce Sites

As more consumers move online to do their shopping, the ecommerce industry continues to boom. 

This increase provides even more opportunity for hackers. The Data Breach Investigations Report estimated 174 million compromised records, 81% of which involved some form of hacking. That's 170 million more than in last year's report.

Security measures should be the most important factor stressed in ecommerce. In order for brands and consumers to prevent attacks, they need to understand what's at stake for the brand, the consumer and the hacker.


What's at Stake?

When a hacker steals a consumer's information from a company database, who pays the ultimate price: the consumer or the brand?

The brand is responsible for securing the customer's information. If that information is breached, the customer suffers consequences such as identity theft and misuse of credit cards, bank accounts and anything else of value to the hacker.

Once a customer's information is stolen, the consumer must quickly report and cancel all affected accounts. Generally, the bank or company reimburses any fraudulent activity; this is a major inconvenience for the consumer, but it holds the seller financially accountable.

According to experts, both the consumer and the brand are at risk, though the calculations are more concerning for the latter.

"The consumer has the risk of losing money by theft of service (use of their accounts or credit cards/bank accounts, etc.) but often is reimbursed by the bank if the card has been compromised in some way. Now, if a site (company selling a service) is the source of the compromise — and it can be shown now that they have not made the proper strides to protect their clients' data — then they may end up footing the bill in some cases as well as garner large bad press on the incident and their services."

When a brand is hacked, they're not only left with financial damage to clean up, but also their reputation. Take LinkedIn, for instance. The company took a severe blow after more than 6 million of its users' passwords were leaked online in June. LinkedIn quickly confirmed and apologized for the password breach, but was sued for $5 million.

The risk factor between the company and customer also depends on what's at stake for the hackers themselves. Most prefer the least amount of risk, but there is always the chance of getting caught.

The hacker's initial decision to break into a computer or its network comes down to ROI: how much time and effort does the miscreant need to spend, and for what size of reward? What's the easier route to the maximum pile of eventual cash?

Spending months planning and executing an audacious attack on an accounts payable department might make sense if you can extract seven figures of reward. Compare that to the average phishing attack — which now lasts a few hours and nets less than a handful of victims, likely with limited funds if they are regular account holders.


What Consumers Should Do

The most common mistake for consumers is to assume that a product which has a "hacker proof" logo on it will actually keep a hacker out of it. 

In the event that your data has been stolen from an ecommerce database, and depending on what data you gave the site, experts suggest that the consumer do the following:

1. If you have a credit card number saved in your profile, you should alert the bank and have a new credit card sent to you after cancelling the compromised one.

2. If your email address is a primary one that you use for everything, be aware that it may now be fodder for phishing attacks aimed at extracting more information from you. Make sure your spam filters are working and always think before you click links or open files sent to that account.

3. If the site collects personal data, such as date of birth or (and this should not happen) your social security number, then you should obtain identity theft protection, which the company that lost your data should pay for. This will alert you if someone is trying to open new accounts in your name using the data they have stolen.

What Businesses Should Do 

Businesses commonly make the mistake of neglecting to monitor and maintain the security of their site, even though software and other tools are constantly evolving. Sites are often attacked when they fail to keep good hygiene.

Web and mobile application developers are often not familiar with payment security requirements and secure programming methods, which can leave security holes that hackers looking for high-value targets, such as ecommerce sites, will exploit.

Security should also be an important factor when mapping out the design goals of a website. Most sites start with an SSL certificate so that checkout traffic is encrypted. You can purchase a certificate yourself, or use an ecommerce platform such as Shopify, which provides SSL by default at checkout.
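A certificate only encrypts the connection; whether the checkout actually stays protected also depends on the settings around it. The following is an added example, not code from the original post or from any platform it mentions: a small offline audit in Python that takes a captured checkout response (URL, headers, HTML body, all constructed here as sample data) and reports the hygiene gaps a reviewer would look for once SSL is in place: the page not being served over HTTPS, no HSTS header, session cookies without the Secure or HttpOnly flags, and scripts or forms loaded over plain http:// that undermine the encrypted page. The 180-day HSTS threshold and the sample host names are assumptions.

```python
"""Offline audit of a checkout page's transport-security hygiene.

Added example (not from the original post). Input is a captured HTTP
response: the request URL, the response headers as (name, value) pairs
so repeated Set-Cookie headers survive, and the HTML body.
"""
import re
from urllib.parse import urlparse

# Assumption: accept an HSTS max-age of at least 180 days.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_checkout_response(url, headers, body):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # 1. The checkout page itself must be served over TLS.
    if urlparse(url).scheme != "https":
        findings.append("checkout page served over plain HTTP")

    single = {}
    cookies = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            single[name.lower()] = value

    # 2. HSTS keeps returning browsers from ever trying plain HTTP again.
    hsts = single.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age too short")

    # 3. Session cookies must never travel over HTTP or be readable by scripts.
    for raw in cookies:
        cname, attrs = parse_set_cookie(raw)
        if "secure" not in attrs:
            findings.append(f"cookie {cname} lacks Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {cname} lacks HttpOnly flag")

    # 4. Mixed content: any script, stylesheet, image or form target fetched
    #    over http:// can be tampered with on the wire despite the certificate.
    for m in re.finditer(r'(?:src|href|action)\s*=\s*["\'](http://[^"\']+)', body, re.I):
        findings.append(f"insecure resource: {m.group(1)}")

    return findings


# Constructed sample responses (not captured from any real site).
WEAK_SAMPLE = (
    "https://shop.example/checkout",
    [("Content-Type", "text/html"),
     ("Set-Cookie", "session=abc123; Path=/")],
    '<script src="http://cdn.example/cart.js"></script>',
)

HARDENED_SAMPLE = (
    "https://shop.example/checkout",
    [("Content-Type", "text/html"),
     ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
     ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")],
    '<script src="https://cdn.example/cart.js"></script>',
)


def run_samples():
    """Audit both constructed samples; returns (weak findings, hardened findings)."""
    return (audit_checkout_response(*WEAK_SAMPLE),
            audit_checkout_response(*HARDENED_SAMPLE))


if __name__ == "__main__":
    weak, hardened = run_samples()
    print("weak checkout:", *weak, sep="\n  ")
    print("hardened checkout:", hardened or "no findings")
```

Running the block prints four findings for the weak configuration and none for the hardened one. The same function can be pointed at a real captured response from your own site; the point is that a valid certificate is the starting line, not the finish.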

Perhaps the most effective way to protect your business from hackers is to think like a hacker. The best way to do so is to hire one to protect your network and infrastructure. 

This is not always the easiest thing to do, because you really need someone you can trust and who knows what they are doing. Accreditation in the information security business is getting better, but in general, find someone who can prove their technical worth and has a proven track record in either defending networks or penetrating them.
