Shape Security constantly rewrites an e-commerce site’s code to make it harder for criminals to cash in.
Thad Rueter , Senior Editor
After criminals steal payment card data and other personal information from consumers, those hackers still need to use those stolen credentials to commit online fraud. A relatively new company called Shape Security aims to erect a digital blockade between those criminals and e-commerce operators.
Hackers who steal such information in massive bunches typically sell that data to other criminals who then use automated “bots” or malicious software in a sort of digital frontal assault to try to log into e-commerce, financial and other sites. The idea is that because so many consumers use weak passwords, or fail to change passwords after cyber attacks, or employ the same passwords and logins for multiple sites, eventually the criminals will succeed, enabling them to make fraudulent purchases or assume control of consumers’ web accounts. Those criminals can employ publicly readable code that governs a site’s user interface to make their way past retailers’ security measures—for instance, such a tactic as a retailer blocking IP addresses that are suspicious.
Shape Security, a startup that made its debut in January, attempts to counter that with a technique it calls “real-time polymorphism.” Simply put, the vendor’s technology enables an e-commerce operator to allow its site to constantly rewrite the underlying code behind the user interface—for instance, the code that governs a site’s login form that greets consumers—which would then hamper the ability of a criminal to get past the login step on a site. “The resulting code breaks malware, bots, or other attacks programmed to submit that form, ” the vendor says, adding that the technology still enables the site to appear as intended to consumers.
Shape Security sells it technology on a subscription basis. The company is targeting larger e-retailers, including one that signed an annual “seven-figure deal,” a Shape Security spokesman says. The hope is that the technology proves appealing to high-profile retailers, sparking interest and sales among other merchants, including smaller ones. The company, though, declines to provide information about its clients or give metrics that further show how well its technology works.
The technology joins a growing list of tactics designed to make online payments secure. They include the use of swiped fingerprints for mobile commerce and the use of tokens, which is encrypted code that represents a consumer’s credit card account number rather than using the actual number. Such a process can help defeat hackers because stealing the scrambled data of the token would not allow them to commit fraud.