Preparing for Security Breaches
By Glen Morris
In March of 2007 online auction powerhouse eBay was hit repeatedly by a hacker identifying himself as Vladuz, believed to be a Romanian fraudster long sought by Romanian police. Vladuz posted his name on several eBay pages and taunted eBay to catch him. He was after more than fame, though. According to an article in eWeek, Vladuz was also posting fake items for sale faster than eBay could take them down, and the payments by the winning bidders went to him. Vladuz also posted the account information of 15 individuals, including their banking info, mother’s maiden name, credit card numbers, and much more.
How bad the Vladuz incident was depends on whom you listen to. According to eBay, Vladuz did nothing more than many hackers have done at eBay. According to eBay’s critics (especially at firemeg.com), Vladuz was either extremely lucky or one of the most talented, and dangerous, hackers in the history of e-commerce. In any case, the incident raised a lot of issues that any business selling products or services on the Internet ought to consider. If a security breach can happen to a company with eBay's resources, it can happen to smaller businesses, too.
All things considered, it's hard to believe eBay's version of the incident. For public relations' sake, eBay has a lot of reasons to minimize the damage Vladuz caused, and some of the things Vladuz did on the eBay site have rarely been seen before.
Among other things, Vladuz made postings to different groups on the eBay Website that only an eBay employee should have had the security access to make. In addition, the rate and volume of the fake auctions Vladuz was posting, using stolen but still valid user accounts, could only have been achieved if Vladuz had cracked the security surrounding eBay's seller account databases and was using some kind of automated tool to make the auction postings. Even a large team of people could not have posted so many items in so little time (by some estimates over a million fake items were posted by Vladuz).
In fact it is likely that there are eBay-specific software tools for sale designed to help hackers rip off eBay customers, just as there are rootkits for sale at rootkit.com for somewhat similar purposes. Given eBay’s size, it’s not only a natural target for hackers, it’s a big enough target that it would be economical to develop and market software for the sole purpose of bilking eBay buyers out of their money. If true, it’s probably only a matter of time before other hacker applications are created that target specific shopping cart applications, and that could spell trouble for smaller businesses online.
Most small businesses don’t even have a security staff, let alone one that continuously monitors the security of their e-commerce Website. For smaller businesses, it’s more likely that customers will notice security breaches before anyone inside the business does, and because of that businesses need to have a system in place that will bring security breaches reported by customers to the attention of the right people. Setting up a process for this is actually fairly easy.
Many of the companies used as bait by phishing attacks, like PayPal and Washington Mutual, have dedicated email addresses for customers to report phishing attacks to. Phishing attacks send out email asking consumers to update their ID or account information and threaten consumers with suspension of their account if they don’t provide the information. A few of the millions of people who receive these phishing attempts fall for them, but the correct response is to forward the email to the security section of the company being used as bait. Usually it’s spoof@something.com or some variation, like fraud@something.com.
This approach costs little if anything to implement, and it could save your company a lot of heartache and expense. If you have an e-commerce Website, you need to make your customers aware of where they should send email in case they see anything suspicious, and you need to designate a person, or team, to constantly monitor that mailbox.
Another thing your online business needs to do is understand and comply with the growing number and complexity of state and federal laws regarding what companies are required to do in case of a known security breach. In California, businesses are subject to the following law:
1798.29. (a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
1798.84. (a) Any customer injured by a violation of this title may institute a civil action to recover damages. (b) Any business that violates, proposes to violate, or has violated this title may be enjoined. (c) The rights and remedies available under this section are cumulative to each other and to any other rights and remedies available under law.
In effect, even if a business was not responsible for the security breach in the first place, it is still liable for any cost to the consumer if it doesn’t immediately notify the consumer about the security breach.
With identity theft becoming one of the most common and expensive crimes consumers may be subjected to, we can expect many states to follow California’s lead, and possibly go even further. This means every business should have a process in place to notify customers when their account information has been compromised. It can be done by phone, email or certified letter, as long as it is done immediately. It is not a good idea to wait until a security breach happens to set up the notification process.
It may be impossible to prevent security breaches, but it is definitely possible to minimize the damage they can cause businesses and their customers, and the sooner your business prepares for the worst, the better off you and your customers will be.
About the Author: Glen Morris. For over 14 years I've written a monthly column, "Advertising and the Internet", for the Colorado trade magazine Advertising & Marketing Review exploring the uses and consequences of Internet technology. During that time I also worked on the development teams of the Apple Web Server, VideoVision (the first broadcast quality digital video production system), the WebMD context sensitive content publishing system, and I was the Product Manager for Adobe's first PostScript 3 release. Previously I was the Technology Editor and DTP guru for the trade magazine Colorado Media, Agencies and Client News.