The toughest thing about guarding against web site security breaches is that you never know how or when they will occur, or where they will come from. But one thing’s for sure: When they come, the consequences can quickly lead to lost sales. “Any kind of security breach that hits customers is devastating, because they won’t come back to our site if it doesn’t perform well or if they realize their credit card number was stolen,” says Ricardo Santos, CTO of Scrapology Inc.`s Scrap-ology.com, a retail site for scrapbook lovers.
As recent events have shown, a growing number of security threats can infiltrate web sites and computer networks in unexpected ways, causing major damage to any e-retailer that hasn’t scrambled fast enough to download the latest network security patch or established administrative rules that effectively guard against careless downloading of virus-plagued e-mail attachments.
And because criminal hackers are constantly thinking of new ways to attack-and are more capable of launching serious attacks due to the global spread of broadband Internet connectivity-web site operators cannot be too vigilant in trying to stay ahead of them. “The security threat is growing,” says Keith Powell, senior manager in the retail practice and a web site security expert at consultants BearingPoint Inc. “And it’s not just because hackers are smarter, but because they’re getting access to broadband from anywhere in the world.”
While broadband is good for quick downloads of graphics-intensive web sites, it also provides a wider pipe for hackers to break into a site to steal customer data like credit card account numbers or simply to disrupt operations, such as a denial of service attack, he adds.
At the same time, an expanding global market for stolen credit card data is providing more incentive for criminals to join the ranks of hackers, experts say. “The attack profile is growing in several dimensions, and there seems to be more motivated hackers and criminals,” says Richard Stiennan, analyst specializing in retail security systems at Gartner Inc. “What’s also growing is what criminals do with the credit card data after it’s stolen. In the past this was a game of 12-year-olds, now it’s a game of older and more pervasive perpetrators in Eastern Europe and other places around the world who realize there’s a market for the data. And if they get the data, they know how to sell it.”
Santos knows the threat posed by credit card account thieves all too well. A few weeks ago, his credit card issuer called to say his account had been canceled because the account number had been stolen following an e-commerce transaction. That’s one of the reasons Scrapology, which launched this summer, has taken extra precautions to assure a bullet-proof e-commerce operation. “Credit card data security is a real concern,” he says.
Fortunately, as Scrapology and other online retailers have learned, the growing security threat is accompanied by a growing number of ways to keep the criminals at bay. But no one’s saying it’s easy. “There are tens of millions of web servers and hundreds of thousands that take credit cards, and hackers are always fishing for the ones that are easiest to attack,” Stiennan says. “They scan the Internet looking for an open firewall port, or a site with an old version of patch software.”
Large online retailers have come to accept the fact that they must dedicate IT staff and infrastructure to guard against intrusions that can bring credit card account thefts, viruses and denial of service attacks. Ritz Interactive Inc., which operates 15 retail web sites including RitzCamera.com and BoatersWorld.com, has designed and built a proprietary system, using an operating system from Sun Microsystems Inc. on IBM’s Websphere platform, for encryption and deletion of customer data, says CEO Fred H. Lerner. “With our encryption and deletion strategy, our customers’ information is always protected,” Lerner says, adding that Ritz guards its network with a complex system of commercial firewalls. “We’ve never had a breach of security, no viruses or denial of service attacks.”
Smaller retailers, however, must often find alternate means to maintain security. And some are better than others.
Many small retailers use a web site hosting service, which can handle most of the chores of maintaining security. “When you’re a big retail shop, you can afford to have folks watching for intrusion or denial of service attacks,” says Santos. Scrapology.com uses a hosting service. “We like to take advantage of our hosting provider’s security expertise.”
Scrapology’s hosting service, which Santos declines to name, provides security benefits of running multiple network servers to separate different operations-in Scrapology’s case, serving up web pages, processing back-end transactions and managing product databases-but it offers additional benefits as well. Santos receives an update every hour on key performance metrics of his site, including whether the site is meeting its standard of being available for download more than 99% of the time.
Moreover, if someone tries to hack his site, Santos says, the host provider will arrange to isolate the attack from Scrapology while monitoring how it operates. “The attack will actually hit a web space where our provider can learn how to guard against it,” he says.
But even hosting services can run into security problems. And so Scrapology is planning to take another major step to even greater security by retaining a second web site hosting service. This will provide full redundancy of web site operation should its first hosting service ever fail due to a network intrusion or other problem, Santos says. “There’s always the potential of security risk, so you take the best measures you can,” says Santos, who formerly worked as a network systems engineer for Exodus Communications, an Internet service provider. “We want to make our customers’ first-time and second-time experiences consistently positive.”
Whether using a hosting service or not, e-retailers must be constantly aware of new threats that may arise to security.