Yahoo Stores features ‘automatic’ PCI compliance for secure payments, among other options.
Moreover, hackers are always looking for new ways to attack sites, whether they’re looking to steal credit card data or simply disrupt operations, causing the list of potential security threats to grow constantly. In recent months, for instance, many companies have prohibited their employees from changing their desktop screensavers, because hackers had discovered that screensavers downloaded from the Internet provided a good way to infiltrate hard drives and corporate networks with a worm or virus.
This past summer’s Blaster and SoBig viruses created huge numbers of e-mail messages to hit in-boxes, taking up precious time as well as clogging and sometimes shutting down e-mail systems. “SoBig hasn’t radically disrupted our ability to respond to customers, but it’s certainly wasting our IT resources,” Dave Dierolf, vice president of IT for consumer electronics retailer Crutchfield.com, said after the virus hit. “We’re always irritated by having to spend time on viruses instead of customer service.”
Worms and viruses can be programmed in an unlimited number of ways to harm computer data. For example, a worm can launch malicious code that destroys data and automatically spreads to other network applications, and a virus can spread destructive code as well as clog e-mail in-boxes. “A worm is a software program and can be made to do anything,” Powell says.
Web site operators also need to be wary of e-mail attachments that are not clearly from a known source. “I see stuff get into sites through made-up queries to customer service from alleged buyers,” says Powell. One of the more common techniques is for a hacker to attach a seemingly harmless though unusually worded attachment to an e-mailed customer service inquiry, such as “screenshot.jpg,” he adds.
“Whenever you see an attachment with a jpg file from someone you don’t know, there’s a good chance you’ve just received a worm,” Powell says.
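The attachment pattern Powell describes (an image-named file from an unknown sender arriving with a customer-service inquiry) is something a help desk can screen for automatically. The script below is an added example, not code from the article or from BearingPoint or any retailer quoted here; it builds two sample inquiries inline (constructed test data, with a Windows executable disguised as “screenshot.jpg” alongside a genuine JPEG header), then checks each attachment's declared extension against its leading bytes, flags executable headers and double extensions, and compares the sender's domain with a constructed allow-list of known correspondents. The domain list, tier of verdicts and port names are assumptions for the example.

```python
"""Screen inbound customer-service e-mail for disguised executable attachments.

Added example (not the article's or any vendor's code). The known-domain list
and sample messages are constructed for the demonstration.
"""
import email
import email.utils
import os
from email import policy
from email.message import EmailMessage

# Constructed allow-list of sender domains the help desk already corresponds with.
KNOWN_DOMAINS = {"crutchfield.example", "supplier.example"}

# Leading bytes a file must carry to really be the image type its name claims.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Leading bytes of common executable formats (Windows PE, ELF, script shebang).
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")
# Extensions Windows will run when the file is double-clicked.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def sender_domain(msg):
    """Return the lower-cased domain of the From: address ('' if absent)."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_attachment(part):
    """Return the reasons this attachment looks dangerous (empty list = clean)."""
    name = part.get_filename() or ""
    data = part.get_payload(decode=True) or b""
    base, ext = os.path.splitext(name.lower())
    findings = []
    if ext in RISKY_EXTENSIONS:
        findings.append(f"{name}: executable extension {ext}")
        if "." in base:  # e.g. invoice.jpg.exe
            findings.append(f"{name}: double extension hides an executable")
    if data.startswith(EXECUTABLE_MAGIC):
        findings.append(f"{name}: content begins with an executable header")
    if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        findings.append(f"{name}: claims {ext} but content is not a {ext} image")
    return findings


def triage_message(raw):
    """Parse a raw message and decide deliver / review / quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg)
    known = domain in KNOWN_DOMAINS
    findings = []
    for part in msg.iter_attachments():
        findings.extend(triage_attachment(part))
    has_attachments = any(True for _ in msg.iter_attachments())
    if findings:
        verdict = "quarantine"          # content itself is suspicious
    elif has_attachments and not known:
        verdict = "review"              # clean-looking file, but from a stranger
    else:
        verdict = "deliver"
    return {"sender_domain": domain, "sender_known": known,
            "findings": findings, "verdict": verdict}


def build_inquiry(sender, filename, payload):
    """Construct a sample customer-service inquiry carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "service@shop.example"
    msg["Subject"] = "question about my order"
    msg.set_content("Please see the attached screenshot of the error I get at checkout.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


# Constructed samples: a PE executable named screenshot.jpg from an unknown
# sender, and a real JPEG header from a known supplier.
SUSPECT = build_inquiry("buyer@stranger.example", "screenshot.jpg",
                        b"MZ\x90\x00" + b"\x00" * 60)
LEGIT = build_inquiry("ops@supplier.example", "screenshot.jpg",
                      b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 60)

if __name__ == "__main__":
    for raw in (SUSPECT, LEGIT):
        print(triage_message(raw))
```

The magic-byte check is the part that matters: a filter keyed only on the file name would pass “screenshot.jpg” straight through, while one keyed on the first bytes catches the executable regardless of what it is called.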
Network infrastructure can also make a big difference in a company’s ability to control security breaches. Most recent viruses have attacked Microsoft’s Windows network operating systems, leading some network administrators to opt for alternative systems such as Apple Computer Corp.’s Macintosh operating system or the Linux open-source platform. But even these other systems need to be closely monitored to ward off viruses, Powell says.
“People think that Linux is free from viruses and worms, but that’s not true,” he says. Although Linux is most often implemented by companies with sophisticated IT staffs that can provide their own virus protection, Powell cautions that individuals or companies without much IT expertise should be aware of Linux’s vulnerabilities. Not only is it susceptible to viruses, but it is not compatible with any commercially available anti-virus software, such as Symantec Corp. software commonly used in Windows, he says.
And though Microsoft Windows operating systems are the target of most attacks, not all Windows systems operate at the same risk. Because Microsoft provides most of its security attention, and software patches, to its latest available operating systems, including Windows 2003 and XP, web sites using older versions could be at greater risk, Powell says. “If you’re on Windows NT or 95 operating systems, it may be a good time to upgrade to take advantage of the patches,” he says.
Raising the threshold
Crutchfield and other retailers say they’ve been able to keep their e-mail marketing and other forms of e-mail communications, such as order confirmations, flowing by taking steps to guard against getting infected by SoBig and other viruses and worms. In addition to assuring their systems have the latest anti-virus software patches, retailers are paying closer attention to the way they manage outgoing e-mail, to assure it has “from” and “subject” headings that are clear to recipients. “You have to raise the threshold for monitoring e-mail for every domain,” Dierolf says.
Crutchfield also uses what it says is an effective anti-spam tool, SpamAssassin, which runs on a Linux server and is available from SpamAssassin.org. It also runs WebShield from Symantec.
Altrec.com, a retailer of outdoor sports apparel and gear, got hit with hundreds of SoBig e-mail messages daily, but effectively guarded against the virus by using the open-source MailScanner anti-virus software, also running on Linux, says Shannon Stowell, co-founder and vice president of business development.
And at Bluefly.com, an anti-spam program enabled the discount-priced fashion retailer to experience a strong August, despite that month’s SoBig attack, in terms of the number of e-mail marketing messages delivered and converted to orders, says executive vice president Jonathan Morris. “We’ve not seen any interruption this month,” he said following the SoBig attack.
On Guard: Steps to minimize breaches
To guard against web site attacks, there are two major steps web sites need to take, says Keith Powell, senior manager in the retail practice at consultants BearingPoint Inc. The first is installing intrusion detection software or services, available from companies such as Cisco Systems Inc., IBM, Microsoft Corp., VeriSign and Vontu, to get an early warning of any impending security breaches. The second is deploying tiered security layers with multiple servers to minimize intrusions into any one area.
“You should have a minimum of three servers in a retail environment,” he says. “For example, one to serve up web pages, another to run applications like shopping carts, and a database server for providing product information.” He adds that critical applications like shopping carts should not be exposed to web servers, but run on private network servers to protect personal consumer data.
Also crucial, Powell adds, is the way servers and firewalls are configured in a TCP/IP environment. While a server for displaying web pages typically uses the TCP/IP entry point known as port 80 for basic http (hypertext transfer protocol) data transfers, a server that handles credit card transactions with Secure Sockets Layer encryption should use port 443 for https data transfers.
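The three-server layout and the port discipline Powell describes can be written down as an explicit allow-list and checked before the firewall is touched. The script below is an added example, not code from the article or from BearingPoint; the tier subnets, the application port (8080) and the database port (3306) are assumptions chosen for the demonstration. It verifies that the only flows permitted are internet to web tier on 80 and 443, web tier to application tier, and application tier to database tier, reports any rule that crosses a boundary the design does not allow (a cart or database server reachable from the internet) or any intended flow that is missing, and renders the checked list as nftables rules with a default drop.

```python
"""Lint a three-tier retail network's firewall allow-list.

Added example (not the article's or BearingPoint's code). Subnets and the
application/database ports are constructed assumptions.
"""

# Address ranges assumed for each tier.
TIERS = {
    "internet": "0.0.0.0/0",   # anyone on the public network
    "web": "10.0.1.0/24",      # servers that serve up web pages
    "app": "10.0.2.0/24",      # shopping cart and other application servers
    "db": "10.0.3.0/24",       # product and order database servers
}

# Flows the tiered design permits: (source tier, destination tier) -> TCP ports.
# Port 80 carries plain http, 443 carries https for the card-handling path.
INTENDED = {
    ("internet", "web"): {80, 443},
    ("web", "app"): {8080},    # assumed application port
    ("app", "db"): {3306},     # assumed database port
}


def check_rules(rules):
    """Return violations for an allow-list of (src_tier, dst_tier, port) tuples.

    A violation is either a rule that opens a path the design forbids, a rule
    on an unintended port, or an intended flow that no rule permits.
    """
    violations = []
    for src, dst, port in rules:
        allowed = INTENDED.get((src, dst))
        if allowed is None:
            violations.append(
                f"{src} -> {dst}:{port} crosses a tier boundary the design does not permit")
        elif port not in allowed:
            violations.append(
                f"{src} -> {dst}:{port} is not one of the intended ports {sorted(allowed)}")
    present = set(rules)
    for (src, dst), ports in INTENDED.items():
        for port in sorted(ports):
            if (src, dst, port) not in present:
                violations.append(f"missing allow rule {src} -> {dst}:{port}")
    return violations


def render_nftables(rules):
    """Render the allow-list as an nftables forward chain with a default drop."""
    lines = [
        "table inet retail {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for src, dst, port in rules:
        dst_net = TIERS[dst]
        if src == "internet":
            # 0.0.0.0/0 matches everything, so no saddr match is needed.
            lines.append(f"    ip daddr {dst_net} tcp dport {port} accept")
        else:
            lines.append(f"    ip saddr {TIERS[src]} ip daddr {dst_net} tcp dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed allow-lists: one that follows the design, and one that also
# exposes the cart server and the database directly.
GOOD = [("internet", "web", 80), ("internet", "web", 443),
        ("web", "app", 8080), ("app", "db", 3306)]
BAD = GOOD + [("internet", "app", 8080), ("web", "db", 3306)]

if __name__ == "__main__":
    print("GOOD:", check_rules(GOOD) or "no violations")
    print("BAD:", check_rules(BAD))
    print(render_nftables(GOOD))
```

Running the check on the second list reports both the cart server being reachable from the internet and the web tier talking straight to the database, which is exactly the exposure the three-server layout is meant to prevent.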