Preparing for Security Breaches
In March of 2007 online auction powerhouse eBay was hit repeatedly by a hacker identifying himself as Vladuz, believed to be a Romanian fraudster long sought by Romanian police. Vladuz posted his name on several eBay pages and taunted eBay to catch him. He was after more than fame, though. According to an article in eWeek, Vladuz was also posting fake items for sale faster than eBay could take them down, and the payments by the winning bidders went to him. Vladuz also posted the account information of 15 individuals, including their banking info, mother's maiden name, credit card numbers, and much more.
How bad the Vladuz incident was depends on who you listen to. According to eBay, Vladuz did nothing more than many hackers have done at eBay. According to eBay's critics (especially at firemeg.com), Vladuz was either extremely lucky or one of the most talented, and dangerous, hackers in the history of e-commerce. In any case, the incident raised a lot of issues that any business selling products or services on the Internet ought to consider. If a security breach can happen to a company with eBay's resources, it can happen to smaller businesses, too.
All things considered, it's hard to believe eBay's version of the incident. For public relations' sake, eBay has a lot of reasons to minimize the damage Vladuz caused, and some of the things Vladuz did on the eBay site have rarely been seen before.
Among other things, Vladuz made postings to different groups on the eBay Website that only an eBay employee should have had the security access to make. In addition, the rate and volume of the fake auctions Vladuz was posting, using stolen but still valid user accounts, could only have been achieved if Vladuz had cracked the security surrounding eBay's seller account databases and was using some kind of automated tool to make the auction postings. Even a large team of people could not have posted so many items in so little time (by some estimates over a million fake items were posted by Vladuz).
In fact it is likely that there are eBay-specific software tools for sale designed to help hackers rip off eBay customers, just as there are rootkits for sale at rootkit.com, for somewhat similar purposes. Given eBay's size, it's not only a natural target for hackers, it's a big enough target that it would be economical to develop and market specific software for the sole purpose of bilking eBay buyers out of their money. If true, it's probably only a matter of time before other hacker applications are created that target specific shopping cart applications, and that could spell trouble for smaller businesses online.
Most small businesses don't even have a security staff, let alone one that continuously monitors the security of their e-commerce Website. For smaller businesses, it's more likely that customers will notice security breaches before anyone inside the business does, and because of that businesses need to have a system in place that will bring security breaches reported by customers to the attention of the right people. Setting up a process for this is actually fairly easy.
Many of the companies used as bait by phishing attacks, like PayPal and Washington Mutual, have dedicated email addresses for customers to report phishing attacks to. Phishing attacks send out email asking consumers to update their ID or account information and threaten consumers with suspension of their account if they don't provide the information. A few of the millions of people who receive these phishing attempts fall for it, but the correct response is to forward the email to the security section of the company being used as bait. Usually it's firstname.lastname@example.org or some variation, like email@example.com.
This approach costs little if anything to implement, and it could save your company a lot of heartache and expense. If you have an e-commerce Website, you need to make your customers aware of where they should send email in case they see anything suspicious, and you need to designate a person, or team, to constantly monitor that address's mailbox.
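Monitoring the mailbox is only useful if the team can quickly tell a real phishing report from a routine question. The following script is an added example, not code from the original article: it parses a customer-forwarded report the way a triage tool behind a dedicated security address might, pulls out the URLs the lure points to, flags hosts that are not the company's own but borrow its brand name, counts the usual urgency phrases, and assigns a severity so the right person is paged. The domain list, brand label and both sample messages are constructed for the example.

```python
"""Triage of customer reports arriving at a dedicated security mailbox.

Added example; not from the original article. OUR_DOMAINS, BRAND_LABELS and
the two sample messages are constructed assumptions for the demonstration.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Hypothetical domains the business actually operates.
OUR_DOMAINS = {"example-shop.com", "pay.example-shop.com"}
# Brand label a lookalike host would try to imitate (hypothetical).
BRAND_LABELS = {"example-shop"}

# Phrases phishing lures lean on: urgency, threats of suspension, credential requests.
LURE_PATTERNS = [
    r"\bsuspend(ed|sion)?\b",
    r"\bverify\b",
    r"\bupdate your (account|information|id)\b",
    r"\bwithin \d+ hours\b",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return the URLs found in free text, trailing punctuation stripped."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(text)]


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_ours(host):
    """True when the host is one of our domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OUR_DOMAINS)


def triage_report(raw_message):
    """Parse one report forwarded by a customer and return a triage summary."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    hosts = {host_of(u) for u in extract_urls(text)}
    foreign = sorted(h for h in hosts if h and not is_ours(h))
    # A foreign host that carries our brand name is the classic lookalike.
    lookalikes = [h for h in foreign if any(b in h for b in BRAND_LABELS)]
    lures = [p for p in LURE_PATTERNS if re.search(p, text, re.IGNORECASE)]

    # Lookalike hosts weigh most; any foreign link or lure phrase adds to the score.
    score = 3 * len(lookalikes) + len(foreign) + len(lures)
    severity = "escalate" if score >= 4 else "review" if score >= 1 else "info"
    return {
        "reporter": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "foreign_hosts": foreign,
        "lookalike_hosts": lookalikes,
        "lure_hits": len(lures),
        "severity": severity,
    }


# Constructed sample: a customer forwards a lure that points at a lookalike host.
SAMPLE_REPORT = """\
From: customer@mail.example.net
To: security@example-shop.com
Subject: Fwd: Your account will be suspended

Got this today, looks fake.

---------- Forwarded message ----------
From: "Example Shop Support" <support@example-shop-verify.net>
Subject: Your account will be suspended

Dear customer, please verify your details within 24 hours at
http://example-shop-verify.net/login or your account will be suspended.
Regards, Example Shop
"""

# Constructed sample: a routine question that links only to our own site.
SAMPLE_BENIGN = """\
From: other@mail.example.net
To: security@example-shop.com
Subject: question about order page

Is https://pay.example-shop.com/checkout the right address? Just checking.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_REPORT, SAMPLE_BENIGN):
        print(triage_report(sample))
```

The scoring is deliberately simple: a report whose link lands on a brand-bearing host the company does not own is escalated on that evidence alone, while a message with no foreign links and no lure phrases is filed as informational so the team's attention goes to the reports that matter.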
Another thing your online business needs to do is understand and comply with the growing number and complexity of state and federal laws regarding what companies are required to do in case of a known security breach. In California, businesses are subject to the following law:
1798.29. (a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
1798.84. (a) Any customer injured by a violation of this title may institute a civil action to recover damages. (b) Any business that violates, proposes to violate, or has violated this title may be enjoined. (c) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.
In effect, even if a business was not responsible for the security breach in the first place, it is still liable for any cost to the consumer if it doesn't immediately notify the consumer about the security breach.
With identity theft becoming one of the most common and expensive crimes consumers may be subjected to, we can expect many states to follow California's lead, and possibly go even further. This means every business should have a process in place to notify customers when their account information has been compromised. It can be done by phone, email or certified letter, as long as it is done immediately. It is not a good idea to wait until a security breach happens to set up the notification process.
It may be impossible to prevent security breaches, but it is definitely possible to minimize the damage they can cause businesses and their customers, and the sooner your business prepares for the worst, the better off you and your customers will be.