Five Steps Online Merchants Can Take to Batten Down Their Sites

While most of the high-profile data breaches involving card numbers have happened at point-of-sale merchants, consumers continue to express reluctance about entering card information at e-commerce sites. And, for at least some of these sites, such consumer concerns may be justified, according to Nicholas J. Percoco, vice president of consulting for Chicago-based Trustwave, a firm that specializes in data security and compliance audits. Speaking recently at the Internet Retailer Conference & Exhibition, a major conference for online merchants, Percoco pointed to a range of security flaws he has found at merchant Internet operations, including openly available log files and, in one instance, a hosting operation conducted inside a wooden shed. In response, Percoco outlined five steps Web merchants can take to better secure their sites: –Check data flows. “Organizations really don't understand where data [are] flowing within their networks,” Percoco said. “When somebody clicks on 'place order,' where does that credit card data go?' He cited as an example a case where a hacker found a log file that was storing all the transaction data the merchant had collected as a result of a so-called debug mode a developer had created and had never been turned off. The file was so open, Percoco said, that it turned up in Google searches. –Validate inputs. A Web application should indicate whether information being entered in a particular field is appropriate for that field, Percoco said. “In many cases, it's not being done at all,” he said. Without such validation, merchants expose themselves to so-called SQL injection attacks. In such intrusions, hackers enter code in password or other fields in an effort to penetrate Web systems with executable programs, like file browsers, that can pick up data. “The solution is to make sure you're doing input validation whenever you can,” Percoco said. –Check on hosting environments. When merchants outsource their hosting function, they sometimes lose sight of just who and what is behind their Web sites. Percoco told of an instance where he found one merchant's hosting service housed in a wooden shed behind a house. “There was no air conditioning, it was extremely hot, and there were no locks on the doors,” he recalled. “And about 20 cats were living [there].” Yet this service was supporting more than 10,000 Web sites with some 500 servers. –Run scans to detect vulnerability. These days, fraudsters are very quick to zero in on new sites. “We see attacks happening within two weeks” of a site's coming up live, Percoco said. “It doesn't take long for people to figure out if you're vulnerable.” Merchants, he said, should run monthly system scans, quarterly network-penetration tests, and an annual application-penetration test. –Encrypt data. Masking information so that it's useless to anyone who intercepts it can prevent breaches, yet “often data encryption is not being done,” Percoco said. This applies as well to back channels companies may use to move data within the organization. “You may have a site located in New York and a back-up site hosted in Seattle,” he said. “Making sure that channel is encrypted is extremely important.”