
ID Thieves Turn Sights on Smaller E-Businesses


Jason Lam, who teaches a course on securing Web sites for the SANS Institute, a Bethesda, Md.-based security research and training group, estimated that Web site scanning services in most cases only identify about 60 percent of a Web site's potential security problems.

"Having one of these scanning services in place is definitely better than nothing because a lot of small and medium-sized online stores don't have the staff in place to make sure their applications are secure," Lam said. "That said, a lot of [e-commerce] software is very customized and a lot of the problems in Web applications are logic-based, can't easily be found by machines, and require manual testing."

The data security problem at Web businesses is big enough that Visa, MasterCard and other major credit-card companies this month demanded tougher security guidelines for all online merchants, new standards that can spell heavy fines if ignored or flouted.

According to a report released this month by Visa, four out of five of the top causes of card-related breaches were digital security weaknesses common at merchants large and small, including missing or outdated software security patches, misconfigured Web servers, and the use of vendor-supplied default passwords and settings, all of which violate the new payment card industry standards.

Cellhut.com manager Khalid Singh said the company is not sure how the data was compromised, and that it is working with ScanAlert to find the source of the data breach.

Brett Oliphant, managing director of security services for ScanAlert, said his company is still investigating the data breach, but that it could find no obvious signs that the hack leveraged a flaw in Cellhut's Web site.

"We've identified several other areas where the data might have leaked from -- including the payment processing and order fulfillment sides," Oliphant said.

Oliphant said that prior to becoming customers, roughly 75 percent of the companies ScanAlert contracts with were vulnerable to some sort of Web site flaw that hackers could use to steal sensitive data. Still, he said, no amount of Web site scanning will prevent companies from losing control of customer data if they fail to secure all of the means by which that information is transmitted.

"Even when the Web site itself is secure, there are all kinds of other points in the chain that need to be secured."




© 2006 Washingtonpost.Newsweek Interactive