
TECHNOLOGY SPECIAL REPORT
Hacker Safe: The Security of Online Commerce



In mid-March, BJ's Wholesale Club announced it was investigating a security breach involving the theft of credit card information from its computer network. Company officials ordered an exhaustive review of the retailer's state-of-the-industry technology systems by a leading computer security firm.

Following that review, BJ's ruled out the likelihood of a centralized security compromise and implemented several measures on its club-level systems to eliminate possible avenues by which credit card information could be accessed.

According to computer security experts, BJ's management did two things right: one, it did not hide its possible security leak; and two, it did not rely solely on its own IT staff to sweep the system for security holes.

Those two steps are critical whether the potential security intrusion touches a Fortune 500 corporation or a small e-commerce business. But the BJ's credit card theft highlights a mistake often made by both big and small Internet commerce firms. They wait until a security break-in occurs before seeking outside security certification.

"Think of it as preventative maintenance like you do for your car," Scott Shebby, director of customer services at ScanAlert, told TechNewsWorld.

Audit Fallout All Telling

ScanAlert is a security firm that certifies Web sites as secure from hackers. It audits e-commerce Web sites and maintains daily remote security sweeps to make sure hackers and other Internet intrusions are locked out. When Shebby and his staff conduct security audits, they typically find the same types of telltale signs of compromised networks.

Even when a company has a firewall and up-to-date antivirus software in place, rogue services are running, said Shebby. Although protected from viruses and some worms, these systems still have security vulnerabilities.

According to Nigel Ravenhill, marketing director at ScanAlert, the company certifies the daily site security of more than 50,000 e-commerce merchants. The security performance of many first-time audits leaves no doubt that consumers should be wary of shopping online. Approximately 77 percent of merchants that initially sign up for an audit fail to meet ScanAlert's security standards.

"We usually find IRC channels open and FTP services active," Shebby said. "These are not exactly spyware. These are regular services that users can log on to that set up a back door for hackers."

Shebby said daily remote security sweeps are essential to maintain a secure e-commerce Web site. New vulnerabilities crop up daily. Small e-commerce sites are particularly prone to intrusions.
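The findings above (FTP and IRC daemons answering on a box that should only serve a Web shop) and the case for a daily sweep come down to one question: which ports on the public host accept connections, and are all of them expected? The following is an added example, not ScanAlert's tooling or anything from the article: a minimal remote sweep that probes a list of TCP ports, classifies each as closed, allowed or rogue against an allowlist, and diffs today's result against yesterday's so a newly opened listener stands out. The port list, the allowlist of 80 and 443, and the host names are assumptions chosen for the illustration.

```python
"""Minimal external exposure sweep.

Added example (not ScanAlert's tooling): probe a host for listening TCP
services and flag any that are not on the allowlist a shop front needs.
"""
import socket
from typing import Callable, Dict, Iterable, List

# Ports for the services the auditors say they keep finding (FTP, IRC, SSH,
# a database) next to the two a Web shop actually needs. Assumed allowlist.
SERVICE_NAMES = {21: "ftp", 22: "ssh", 80: "http", 443: "https", 3306: "mysql", 6667: "irc"}
ALLOWED_PORTS = {80, 443}

Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port is accepted, i.e. something listens there."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False


def sweep(host: str, ports: Iterable[int], allowed=ALLOWED_PORTS,
          probe: Probe = tcp_probe) -> Dict[int, str]:
    """Probe each port and classify it: 'closed', 'allowed' (open and expected)
    or 'rogue' (open but not on the allowlist)."""
    verdicts = {}
    for port in ports:
        if not probe(host, port):
            verdicts[port] = "closed"
        elif port in allowed:
            verdicts[port] = "allowed"
        else:
            verdicts[port] = "rogue"
    return verdicts


def rogue_services(verdicts: Dict[int, str]) -> List[int]:
    """Ports that are open but not expected, e.g. [21, 6667] for FTP and IRC."""
    return sorted(p for p, v in verdicts.items() if v == "rogue")


def new_exposures(previous: Dict[int, str], current: Dict[int, str]) -> List[int]:
    """Ports that were closed in the previous sweep and answer now. This is what a
    daily sweep is for: a fresh listener is usually the first visible sign of a
    compromise or of a careless change on the box."""
    return sorted(p for p, v in current.items()
                  if v != "closed" and previous.get(p, "closed") == "closed")


def demo_local() -> tuple:
    """Self-contained check: open a throwaway listener on 127.0.0.1 to play the
    role of a rogue FTP daemon, sweep it, then close it and sweep again."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # port 0 = let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = sweep("127.0.0.1", [port], allowed=set())[port]
    listener.close()
    after_close = sweep("127.0.0.1", [port], allowed=set())[port]
    return while_open, after_close


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    verdicts = sweep(target, SERVICE_NAMES)
    for port, verdict in sorted(verdicts.items()):
        print(f"{target}:{port:<5} {SERVICE_NAMES[port]:<6} {verdict}")
    print("rogue:", rogue_services(verdicts))
    print("local self-check:", demo_local())
```

Run it from a host outside the shop's own network (`python sweep.py shop.example`), because a sweep from inside the firewall tells you nothing about what the Internet sees. A connect-only probe like this says that something is listening, not what it is; a "rogue" verdict is the cue to identify the process behind the port on the server and shut it down, and to keep the previous day's verdict file so `new_exposures` can raise the alarm when a port that was closed yesterday starts answering.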

"It's the small guys who usually don't care about intrusion security, wait for a break-in and then don't know what to do about it," Shebby told TechNewsWorld.

An Ounce of Prevention

James Pappas, general manager of JL Hufford Coffee and Tea Company of Lafayette, Indiana, didn't wait around for credit card thefts or other hacker intrusions to strike his two-year-old Web site sales operation. He had his Web site audited and certified Hacker Safe.

That proved to be a wise decision. A previous audit had reported that all the needed security measures were in place, which created a false sense of security. In fact, the company Web site's security was fairly abysmal, and the new audit took just one day to show him he had a problem.

"It just takes one hacker to find out our weakness and post it online for other hackers. Our larger concern was what we didn't know," he said.

Pappas said his Visa credit card supplier now requires its merchants to meet a strict list of security precautions. Because of his Hacker Safe certification, he didn't have to obtain any other services to meet the bank's requirements.

The ability to prove to potential customers that their transactions will be safe is essential to Pappas for growing his business. He ran customer surveys on reactions to the Hacker Safe logo and a generic safe site logo on his homepage.

"It was a no-brainer for us. We found that more customers bought from us when we displayed the Hacker Safe logo," he said.

Safe E-Shopping Tips

Shlomo Touboul, CEO and founder of Finjan Software, a San Jose, California-based provider of content security solutions, talks about security strategies that every online user should know. His tips cover a wide range of Internet security trouble spots.

Perhaps most important is to pay close attention to the URL or Web address of the Web site. Copycat Web sites use a name or Web address that is similar to, but not the same as, that of a real online site or financial institution. The intent is to lure visitors into revealing enough personal information that hackers can steal their identity.

To avoid being misdirected, never trust a link embedded in e-mail. Manually open the Web browser and type the URL of the Web site. A common "phishing" tactic is to e-mail a link that brings the user to a spoofed copy of a legitimate company's Web site.
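The two tips above, a copycat address that is similar to but not the same as the real one and an e-mailed link that lands on a spoofed site, can both be checked mechanically before anyone clicks. The following is an added example, not from the article or from Finjan: it pulls every anchor out of an e-mail body, compares the domain the link actually goes to with the domain shown in the link text, and flags a trusted brand name buried as a subdomain of another domain or a look-alike spelling of it. The sample e-mail, the trusted domain `examplebank.com`, the confusable-character table and the two-label "registrable domain" rule are all assumptions made for the illustration; a production check would use the public suffix list instead of the last two labels.

```python
"""Flag phishing-style links in an e-mail body.

Added example (not from the article): checks each link's real destination
against the text it shows and against a small list of trusted domains.
"""
from html.parser import HTMLParser
from typing import List, Set, Tuple
from urllib.parse import urlparse

# Constructed sample e-mail body for the example (not a real message).
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account:</p>
<a href="http://www.examplebank.com.login-verify.net/acct">http://www.examplebank.com/acct</a><br>
<a href="https://exarnplebank.com/secure">Secure login</a><br>
<a href="https://www.examplebank.com/help">Help centre</a>
"""

# Domains the recipient actually does business with (assumed for the example).
TRUSTED_DOMAINS = {"examplebank.com"}

# Characters and digraphs commonly swapped to build a look-alike domain name.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Simplification: ignores the public
    suffix list, so 'example.co.uk' would reduce to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalise(domain: str) -> str:
    """Fold confusable substitutions so 'exarnple' compares equal to 'example'."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def check_link(href: str, text: str, trusted: Set[str]) -> List[str]:
    """Return the reasons a link looks like phishing (empty list if it looks clean)."""
    reasons = []
    host = urlparse(href).hostname or ""
    target = registrable_domain(host)
    # 1. Visible text that looks like a URL but points at a different domain.
    if text.startswith(("http://", "https://", "www.")):
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registrable_domain(shown) != target:
            reasons.append(f"text shows {shown} but link goes to {host}")
    if target in trusted:
        return reasons
    for d in trusted:
        # 2. Trusted name used as a subdomain: examplebank.com.login-verify.net
        if host.startswith(d + ".") or ("." + d + ".") in host:
            reasons.append(f"trusted name {d} used as a subdomain of {target}")
        # 3. Look-alike spelling of a trusted domain: exarnplebank.com
        elif target != d and normalise(target) == normalise(d):
            reasons.append(f"{target} is a look-alike of {d}")
    return reasons


def scan_email(html: str, trusted: Set[str] = TRUSTED_DOMAINS) -> List[Tuple[str, List[str]]]:
    """Return [(href, reasons)] for every link in the body that was flagged."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reasons = check_link(href, text, trusted)
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL):
        print(href)
        for r in reasons:
            print("   -", r)
```

The check is deliberately conservative about what it trusts: a link is only clean when its registrable domain is one the user actually does business with, which is the mechanical form of "type the URL yourself". Case 1 catches the classic mismatch between the address a reader sees and the one the browser will open; cases 2 and 3 catch the copycat names the tip describes, which survive even when the visible text is innocuous.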

A simple maintenance step adds a layer of protection: periodically erase cookies. A cookie is data created by a Web server and stored on a user's computer. Cookies can hold session identifiers and other personal data, which makes them a target for malicious code.

You wouldn't leave your car keys in the ignition at the side of a busy highway, so why let the browser store your usernames and passwords? If your computer has been infected with a virus or worm that gives an unknown third party remote access, the intruder can simply launch the browser and log in to your bank's Web site with the saved credentials.

Lastly, install security software on your computer. Behavior inspection, antivirus, antispam, firewall and antispyware software will also help minimize the chances that your personal information is compromised.


By Jack M. Germain