Could You Be A Victim Of Online Merchant Fraud?

November 17, 2008 · Filed Under eCommerce 

Business use of the Internet has soared profitably in recent years, but those who would exploit corporate electronic systems via the web haven’t been far behind. In the United States, for example, security breaches of e-commerce websites have jumped more than tenfold in the past five years, leaving a trail of viruses and compromised customer information.

Fortunately, there’s much you can do to avoid these problems, according to Bryan Sartin, director of technology for the U.S. arm of Belgian-owned Ubizen, an online systems security consulting firm. His goal, more of a crusade really, is to make sure that businesses understand how their online systems are vulnerable, the signs of trouble they should be looking for, and what to do when they sense a security breach is taking place.

Sartin also argues the virtues of what he calls “risk mitigation strategies.” The idea here is to prepare for possible trouble by consistent monitoring and by using software that routinely scans systems for weaknesses. Sartin also advocates the use of online security support programs such as Visa’s Account Information Security Program. “These programs are very specific about what you should be doing and how to test for things as well,” he says.

The biggest problem for many companies is their complacency about online security. “We see great examples of very small organizations that are doing a really effective job when it comes to security, without spending a lot,” he says. “And there are very large organizations with very sophisticated programs that are extremely well organized. But for every one of these there are at least 10 examples of the opposite.”

In the United States, there has been a 300% increase in the number of security breaches of commercial electronic systems in the past two years, according to the Merchant Risk Council (MRC), a nonprofit organization of 6,500 merchants, vendors, financial institutions and law enforcement agencies.

In Canada, hard figures on the growth of online security breaches are elusive. Organizations like the Retail Council of Canada and the Canadian Federation of Independent Business say they don’t track online security problems, and Statistics Canada doesn’t collect regular data. Even the Royal Canadian Mounted Police, considered leaders in the fight against cyber crime, have no broad data on online security breaches. Anecdotally, however, Sartin notes that, at any given time, probably one in five of his company’s ongoing forensic investigations of compromised systems in North America will be at a Canadian firm.

Based on U.S. data, those companies most at risk include e-commerce merchants, bricks and mortar retailers, companies that receive or process credit or debit card transactions, ATM processors and so-called payment gateways - smaller merchants, restaurants or e-commerce companies with limited connections to a bank or a payment processor. Sartin says “vulnerabilities” (a weakness in a system that occurs when update patching programs aren’t applied) can pop up anywhere in a company’s electronic network, “from the database to point-of-sale applications to servers and desk-top operating systems at work stations.”

And small businesses may be more susceptible than their larger colleagues. “In smaller organizations, the employees wear many hats, so patching the system and worrying about e-commerce security is often on the back burner,” Sartin says. “You have holes and vulnerabilities on those systems that you typically don’t have on more evolved e-commerce networks.”

For any company though, Sartin says online system intrusions can usually be traced to one of five major causes:

  1. Insufficient monitoring

    Many companies fail at the “most critical piece” of online security - monitoring all aspects of the system that produce logs of activity. Take a system’s firewall, for example. It logs all the traffic going to and from a company’s system via the Internet. Simply by looking at this information regularly and watching for exceptional activity, companies can detect intruders.

  2. Unpatched systems

    In nine out of 10 cases, Sartin says hackers gain entry into a company’s computer network system by detecting “an unpatched Internet visible system.” In other words, the company has failed to download and apply the software vendor’s updated patches for the system, leaving itself vulnerable to a hack attack.

  3. Weak application security variables

    This is a technical way of saying that companies often don’t test the security of their online computer systems before they put them into production. As a result, they are left open to what are called Structured Query Language injection attacks. In an SQL injection attack, a hacker essentially uses the language employed by a company’s database server to trick it into revealing private information such as credit card data.

  4. Weak network level security

    No matter how large and sophisticated an online system is, if all its constituent parts aren’t properly configured and protected by a security system that controls access and thoroughly logs traffic coming and going, the whole system is vulnerable to a hacker.

  5. No vulnerability scanning

    Companies will often routinely fail to use vulnerability scanning programs that can detect weak spots in their online systems. Sartin estimates that 95% of all the “backdoors” that are used to gain entry into company systems could be closed by basic vulnerability scanning.
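The pre-production testing gap described in item 3 can be closed with a small automated check. The following is an added example, not part of the original article: it puts a lookup that pastes input into the SQL text beside a parameterized one, and a test helper reports whether a query function returns rows it was never asked for. The `orders` table, the function names and the sample rows are hypothetical.

```python
import sqlite3

def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (email TEXT, card_last4 TEXT)")
    db.executemany(
        "INSERT INTO orders VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "2222")],
    )
    return db

def lookup_concatenated(db, email):
    # Weak form: the input becomes part of the SQL text itself, so quote
    # characters in it can change what the statement means.
    sql = "SELECT email, card_last4 FROM orders WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, email):
    # Corrected form: the input is bound as a value and never parsed as SQL.
    sql = "SELECT email, card_last4 FROM orders WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()

def leaks_other_rows(lookup, db):
    """Pre-production check: a lookup for an address that does not exist
    must return nothing, even when the input contains SQL syntax."""
    probe = "nobody@example.com' OR '1'='1"
    return any(row[0] != probe for row in lookup(db, probe))

if __name__ == "__main__":
    for fn in (lookup_concatenated, lookup_parameterized):
        print(fn.__name__, "leaks other customers' rows:",
              leaks_other_rows(fn, make_db()))
```

Running a check like `leaks_other_rows` against every query function before release turns this class of flaw into a failed build rather than a breach.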

Hackers, of course, leave traces of their passing, and it’s a wise corporate IT professional who knows how to spot them. Among the most basic giveaways are suspicious files on your web server (that is, any file you didn’t put there) and programs that seem to be running unnecessarily. This last item could indicate the presence of a Trojan horse program, a blanket term that covers any malicious code a hacker leaves behind. Companies should also be on guard for unusual levels of web traffic. Says Sartin: “Look, for example, at web traffic originating from systems that store or transact credit card data - your production systems. They should never initiate outgoing traffic.”
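The firewall-log monitoring from cause 1 and the rule that card-data systems should never initiate outgoing traffic can be combined into one check. This is an added example, not part of the original article: the key=value log format, the host addresses and the internal network range are assumptions, and the log lines are constructed.

```python
import ipaddress

# Assumption: systems that store or transact credit card data.
CARD_SYSTEMS = {ipaddress.ip_address(a) for a in ("10.0.5.10", "10.0.5.11")}
# Assumption: the company's internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines in a simple key=value layout (not a vendor format).
SAMPLE_LOG = """\
2008-11-17T02:14:07 action=allow state=NEW src=203.0.113.7 sport=51544 dst=10.0.5.10 dport=443
2008-11-17T02:14:09 action=allow state=ESTABLISHED src=10.0.5.10 sport=443 dst=203.0.113.7 dport=51544
2008-11-17T02:31:40 action=allow state=NEW src=10.0.5.11 sport=40112 dst=198.51.100.23 dport=21
2008-11-17T02:32:02 action=allow state=NEW src=10.0.5.10 sport=40990 dst=10.0.9.4 dport=1433
2008-11-17T02:40:13 action=deny state=NEW src=10.0.5.11 sport=40300 dst=198.51.100.23 dport=6667
malformed line without fields
"""

def parse_line(line):
    """Return a dict for a well-formed log line, or None if it cannot be parsed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"action", "state", "src", "dst", "dport"} <= rec.keys():
        return None
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
        rec["dport"] = int(rec["dport"])
    except ValueError:
        return None
    rec["time"] = parts[0]
    return rec

def outbound_from_card_systems(log_text):
    """List connections that a card-data system itself opened to an external host."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["state"] != "NEW":
            continue  # replies to inbound customer traffic are expected
        if rec["src"] not in CARD_SYSTEMS:
            continue
        if any(rec["dst"] in net for net in INTERNAL_NETS):
            continue  # internal traffic, e.g. to a database server
        # Denied attempts are reported too: something on the host tried to call out.
        findings.append((rec["time"], str(rec["src"]), str(rec["dst"]),
                         rec["dport"], rec["action"]))
    return findings

if __name__ == "__main__":
    for finding in outbound_from_card_systems(SAMPLE_LOG):
        print(finding)
```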

If you think your online system has been compromised, Sartin advises that you treat it like a crime scene investigation. The basic steps you’ll need to take to contain and limit the damage include maintaining the compromised system just as it is. Do not change passwords and do not attempt to log on as an administrator and make changes. Do not turn the machine off, and make sure you preserve all logs (for firewall and database transactions). As Sartin puts it, you need to “lock down the environment.”

Once that’s been done, you need to alert your company’s IT security team and you may want to contact either your local police or the RCMP.

Above all, says Sartin, do not underestimate the possibility that hackers will break into your online system. “It’s really a much larger problem than most people think,” he says. “So many organizations just don’t think that security is a problem, but many of the security breaches we respond to are not publicized.”

by: Charles Davies

Source: http://www.visa.ca/smallbusiness/articles/article.cfm?article=235&category=60
