The office supplies retailer say it sacrificed some sales to improve online profitability. It also redesigned its business-facing e-commerce site, StaplesAdvantage.com.
(Page 2 of 2)
Even the company’s Web host, Santa Clara, Calif.-based Exodus Communications, was caught off guard by the attack’s enormity. Gary Grossman, director of security research and development for Exodus, says attacks are getting more aggressive, but the components of the attack are usually easily recognized, enabling the company to quickly put defense filters into place. “What we cannot do is predict what the attack will look like before it occurs,” he says, admitting the procedure is a little like shutting the barn door after the horse has already escaped. The problem, most security experts agree, is that it is difficult to defend against or create a filter for something that does not yet exist.
In the meantime, to help fend off denial of service attacks, Grossman says online retailers who don’t use a Web host should have routing equipment at the head end of their site that allows filtering against these attacks.
But not even a Web host can provide a totally secure site for its clients, so many companies such as Buy.com are continually adding features and functionality to their security systems. “Our biggest issue is that customer privacy cannot be compromised so we are focusing on that and the threat that somebody can come in and shut our doors,” says Hawkins.
Staying a step ahead
If there is any advice Hawkins can pass on, he says it is critical for retailers to update, maintain and take any precautions possible to protect a site’s integrity. For sites using a Web host, make sure the host has a process in place that identifies the problem and takes the load off the site during an attack. Communication with customers also is important, he says. “Let your customers know what is going on. The biggest risk we have is to have these types of events be misunderstood. We have done our best to make sure that consumers feel completely confident that when they shop the site, they are in a secure environment,” Hawkins stresses. “The sensationalism that goes around this type of ‘hacking’ can create a lot of customer concern.”
While defending against denial of service attacks may be difficult, protecting customer information against break-ins is a much more manageable task. Chip Mesec, vice president of marketing for SecurityFocus Inc., a security information firm based in San Mateo, Calif., says it’s no secret to crackers that many retail sites store credit card numbers in plain-text files. Many also use the same server for credit card numbers as they do for company information. This allows crackers to not only get customer information, but employee records as well.
Without disclosing company names, SecurityFocus reports having found and verified security weaknesses in several Web sites that were so blatant that almost anyone could get into the site’s databases and extract Web content, credit card numbers and owner names, passwords, and even company staff information, such as employee records, salaries, social security numbers, addresses and other personal information.
Mesec acknowledges that companies of all types and sizes are not taking even simple precautions to keep hackers and crackers out of their systems. A cyber criminal can easily break into 20 to 30 small retail sites in one night. Even if each site only has 500 credit cards with a total of $25,000 in available credit, it can add up to $500,000 in a single nights work for the criminal.
But there is one promising note for e-retailers that may help to deter cyber crime. According to the Federal government, if caught and convicted, criminals could face penalties of five to 10 years in prison and fines up to $250,000, or in some cases twice the gross loss to the victim. Negligent, unintentional damage to a Web site is a misdemeanor, punishable by six months to a year in prison and a $100,000 fine.
But first you have to catch Internet criminals. Even as security specialists develop improved software and Web site safeguards, most agree that when a better mouse trap is built, the mice only get better at stealing the cheese. Building a better mousetrap
With the heightened awareness of e-commerce, cyber crime is going to become more of a problem for Web companies. It doesn’t matter how big or a small a retailer is, safeguarding customer information is more critical than ever.
To help e-retailers gain an advantage, security experts offer some important advice:
- Maintain good password discipline on all systems-don’t use log-in, common, company and other obvious names, or default passwords or the return key.
- Purge credit card information daily.
- Keep all security software up-to-date and firewalls properly configured.
- Encrypt your customer database.
- Keep a close relationship with credit card companies-if customer card information is compromised, resolutions will occur more promptly.
- Never connect your business database to your Web site.
- Outsource credit card payment systems.
- Monitor your sites hourly, if not daily.