By the year 2014 it is estimated that close to $250 million a year will be spent by consumers at online retailers. With web applications like Zen Cart, Open Cart and Magento making it easy for brick and mortar shops to quickly set up an ecommerce site, more businesses are moving to get their products in front of a larger market using the web.
For some business owners, the ease with which an e-commerce site can be set up may come at an unexpected cost. Using one of the web applications mentioned above, or any number of proprietary solutions, someone with very little knowledge can set up shop and begin collecting credit card information from their customers. While an online shop may be too attractive to pass up, the web applications that run e-commerce sites have become a "soft spot" for cybercriminals interested in stealing credit card information and other customer data. For this reason, web application security is a vital consideration for e-commerce site owners.
Over the years, the methods used by e-commerce sites to process and store credit card information have become much more sophisticated than in the early days of online shopping. This progress has helped online shopping overcome one of its greatest obstacles: consumer trust. As evidenced by the amount of money spent online each year, people feel more secure shopping online than they ever have. Unfortunately for businesses, the methods used by cybercriminals to steal their customers' information have also made it easier than ever to compromise a web application.
Sophisticated cybercriminals use botnets to launch coordinated attacks against unsuspecting, vulnerable web sites in order to steal credit card information; credit card security is one of the most important components of e-commerce security. The infamous TJX security breach disclosed in 2007 is a good example of what can happen to companies that do not have the proper security measures in place. The breach resulted in 94 million accounts being compromised and losses exceeding $70 million due to fraud, and it led to a lawsuit filed against TJX by over 300 banks. When the attacker, Alberto Gonzalez, was finally caught, it was found that he had exploited SQL injection vulnerabilities in various web sites to net over 130 million credit cards.
Some of the most common exploits used in financial data theft include:
Unfortunately, most sites that are vulnerable to these types of attacks don’t know it until it is too late.
It could be that a competitor is trying to hurt your business, or maybe just an attacker learning how to exploit known vulnerabilities. Quite possibly, someone has compromised your web server so that they can use its resources: hard drive space, processing power, and bandwidth. Whatever the reason, a Denial of Service attack can hurt any business because customers cannot reach your site while you are under attack. Not only is revenue lost because your customers cannot get to your online store, but they may think twice before ever shopping there again if they know that your site is vulnerable to attack.
When credit cards are stolen from ecommerce sites, it usually makes the news. When a theft reaches the headlines, both existing and potential customers tend to avoid using that merchant. Even the most loyal customers think twice and may turn to a competitor if they are concerned about the security of their financial data.
Theft is not the only way an attack can hurt an established brand name either. With many Internet users relying on browser add-ons that seek out and report on potentially harmful sites, if your web site is thought to be spreading malware or loaded with spam as a result of a link injection you could quite rapidly see a loss of traffic.
Companies fight hard to achieve the premier listings in the search engine results page, often spending a great deal of money on Search Engine Optimization specialists to help them rank high. All it takes is a Cross-Site Scripting attack that feeds your visitors with malware, or a link injection attack that flags your site as a spam delivery site and those rankings you worked so hard for will plummet. Larger search engines will remove potentially harmful sites from their search results altogether.
Once a web site has been cleaned, a request can be made to have it re-evaluated and returned to the search engine results; however, this can be a rather time-consuming process, and it is one that is sure to hurt traffic and revenue in the meantime.
In 2004, five different credit card security programs merged to form the Payment Card Industry Security Standards Council (PCI DSS), with the purpose of creating an extra level of protection for card issuers by making sure that merchants (both online and brick-and-mortar) meet basic levels of security when storing, processing, and transmitting cardholder data.
To set a minimum level of security, the Payment Card Industry set 12 requirements for compliance that fall into one of six groups called control objectives. The control objectives consist of:
Companies that fail to comply with the PCI DSS standards risk losing the ability to process credit card payments and may be subjected to audits and fines.
As many web sites are powered by web applications, and the application layer is a soft spot for attackers, the PCI Data Security Standards specifically address how to protect web applications.
In what is known as Requirement 6.6, web site owners who process credit cards are given two options for compliance. Option one requires a code review to be done by an internal employee or a trusted third party, and it must consist of one of the four methods:
The problem with code reviews is that they can be time consuming, they can be expensive, and they don't protect against zero-day vulnerabilities. For instance, if a highly qualified reviewer is hired to check the source code for compliance, he may be able to locate the vulnerabilities that are known to him today; however, vulnerabilities that have yet to be discovered will most likely not be caught in a standard code review.
Option two of Requirement 6.6 allows a company to implement a web application firewall solution in place of regular code reviews. A web application firewall, either a hardware appliance or a software solution, is placed between the client endpoint and the web application. Web application firewalls, or WAFs, protect cardholder data because all web-layer traffic is inspected for requests that are meant to exploit known vulnerabilities, as well as for patterns that may suggest a zero-day exploit being launched against the application.
Without having to dedicate programmers to inspect every line of code, web application firewalls are known to protect against:
and many more.
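To make the WAF idea above concrete, here is an added example of the kind of request inspection such a filter performs. It is illustrative code written for this page, not dotDefender's software or rule set: a handful of constructed rules for SQL injection, cross-site scripting and path traversal patterns are applied to a few constructed sample requests after URL decoding, and each request is either allowed or blocked with the names of the rules it matched. The `Request` and `Decision` types, the rule names and the sample traffic are all assumptions made for the example.

```python
"""Minimal request-inspection filter in the style of a web application firewall.

Constructed example for illustration: not dotDefender's code, and the rules
below are a small teaching set, not a production signature base.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus

# Each rule is (name, compiled pattern).  Patterns run against the decoded
# path, query string and body, so URL-encoded payloads are not missed.
RULES = [
    ("sqli_union_select", re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b", re.I)),
    # quote followed by OR/AND and an equality test, e.g.  ' OR '1'='1
    ("sqli_tautology", re.compile(r"'\s*(?:or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    ("xss_script_tag", re.compile(r"<\s*script\b", re.I)),
    ("xss_event_handler", re.compile(r"\bon(?:error|load|mouseover|click)\s*=", re.I)),
    ("xss_js_uri", re.compile(r"javascript\s*:", re.I)),
    # a ".." path segment, which has no legitimate use in these parameters
    ("path_traversal", re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")),
]


@dataclass
class Request:            # hypothetical, simplified view of an HTTP request
    method: str
    path: str
    query: str = ""
    body: str = ""


@dataclass
class Decision:
    allowed: bool
    matched_rules: list = field(default_factory=list)


def normalize(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded), so that a
    double-encoded payload such as %2520 is seen as the space it encodes."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(req: Request) -> Decision:
    """Apply every rule to every decoded field; block on the first match set."""
    fields = [normalize(req.path), normalize(req.query), normalize(req.body)]
    matched = [name for name, pattern in RULES
               if any(pattern.search(f) for f in fields)]
    return Decision(allowed=not matched, matched_rules=matched)


# Constructed sample traffic: two benign requests (one with an apostrophe in
# a customer name, which a naive quote filter would wrongly block) and four
# requests carrying classic textbook probes, one of them double-encoded.
SAMPLE_REQUESTS = [
    Request("GET", "/products", query="category=shoes&sort=price"),
    Request("POST", "/checkout", body="name=Ann+O%27Neil&card_last4=1234"),
    Request("GET", "/products", query="id=1%27+OR+%271%27%3D%271"),
    Request("GET", "/search", query="q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    Request("GET", "/download", query="file=..%2F..%2Fetc%2Fpasswd"),
    Request("GET", "/products", query="id=5%2520UNION%2520SELECT"),
]


def run_samples(requests=SAMPLE_REQUESTS):
    """Return one (path, allowed, matched_rules) tuple per request."""
    return [(r.path, d.allowed, d.matched_rules)
            for r in requests for d in [inspect_request(r)]]


if __name__ == "__main__":
    for path, allowed, rules in run_samples():
        verdict = "ALLOW" if allowed else "BLOCK " + ",".join(rules)
        print(f"{path:<12} {verdict}")
```

The point of the `normalize` step is that a filter which only looks at the raw, encoded request can be bypassed by encoding a payload twice, while a filter that decodes without a bound can be kept busy; decoding until stable with a small limit is the usual compromise. A real WAF also inspects headers and cookies, keeps its rules far broader and tuned against false positives, and logs every block so that operators can see which rule fired and on what traffic.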
When it comes to protecting your ecommerce site from attackers having access to the credit card data, security needs to be a top priority. To ensure that all online merchants who process credit cards are taking the same precautions, the Payment Card Industry mandates compliance with their Data Security Standards.
A successful attack against an e-commerce site that puts credit card data at risk will most certainly draw the attention of the PCI. Odds are that a vulnerable web site that has allowed cardholder data to be accessed illegally will be found to be out of compliance with these standards. In addition to the possibility that such a breach could result in lost revenue, the victim may also find themselves subject to fines imposed by the PCI.
By acting as a Security-as-a-Service solution, dotDefender is able to provide protection to web servers whether the admin has an extensive background in security or just a minimal amount of knowledge on the subject.
Architected as plug & play software, dotDefender provides optimal out-of-the-box protection against the common threats that the PCI Data Security Standards were put in place to protect against.
The reasons dotDefender offers such a comprehensive solution to your web application security needs are:
dotDefender's unique security approach eliminates the need to learn the specific threats that exist on each web application. The software that runs dotDefender focuses on analyzing each request to the web server and the impact it has on the application.
In just 10 clicks, a web administrator with no security training can have dotDefender up and running. Its predefined rule set offers out-of-the-box protection that can be easily managed through a browser-based interface, with virtually no impact on your server's or web site's performance.