Amazon, Walmart Hacked – Is Your Ecommerce Safe?


December 24th, 2009 | Filed under Blog, Security

Amazon, Walmart, & Expedia were all hacked just days after the multi-million dollar hack at Citibank.

While the breach was contained within about an hour, it shows just how vulnerable even the biggest e-commerce sites really are.

More info about the incident available on CNN: http://www.cnn.com/2009/TECH/12/24/cnet.ddos.attack/index.html

This raises the question: how safe is a mom-and-pop e-commerce site for credit card processing?

The answer: quite safe, if it is coded properly.

Here are some good rules of thumb to go by…

1) Sites that are not secure are the first to go, letting other sites see the breach and improve their defenses.

Many e-commerce websites are not coded with basic security measures: an .htaccess file that adds an extra login prompt before the admin page, an admin directory with an obscure name, strong passwords, removal of “powered by [e-commerce platform name]” from the footer and source code, an SSL certificate, and other common measures.
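As an added example (not from the original post), here is what the “extra login prompt before the admin page” looks like as an Apache .htaccess file. It assumes Apache with mod_auth_basic, mod_authn_file and mod_ssl, an admin directory already renamed to a non-obvious name (the placeholder `/ops-7f3a/` below is invented), and a password file created outside the web root with `htpasswd -c /etc/apache2/shop-admin.htpasswd adminuser`. The Basic login is the control that actually blocks an unauthenticated request; the renamed directory only keeps the admin area out of the reach of scanners that try well-known paths.

```apache
# Added example: drop this file into the renamed admin directory
# (placeholder path /ops-7f3a/.htaccess) so every request to the admin
# area must pass an HTTP Basic login before the shop's own login form.
AuthType Basic
AuthName "Restricted"
AuthUserFile /etc/apache2/shop-admin.htpasswd
Require valid-user

# Refuse plain-HTTP access outright, so the Basic credentials are only
# ever sent over SSL. mod_ssl evaluates this before the login challenge,
# so a plain-HTTP request gets a 403 and is never asked for a password.
SSLRequireSSL

# Do not let the web server list the directory or serve the password
# file if it is ever mistakenly copied inside the web root.
Options -Indexes
<Files ".htpasswd">
    Require all denied
</Files>
```

The password file must not live under the document root, and the account in it should be separate from the shop's application admin account so that one leaked credential does not open both doors.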

These small sites that are not coded with security measures are generally the first to go. They are hacked easily, and they are hacked first, before the hacker-bots can get through the secondary precautions set up on more properly secured sites.

This lets the better-secured sites see the breach and gives them a chance to fix the issue on their own site before the hacker-bots can get through their second line of defense. So e-commerce sites that have added a secondary .htaccess login, an obscure admin directory, and a more complex password can generally see the threat in time, and often the fixes to their e-commerce platform have already been released in forums and can be installed before the breach ever gets through.

Some cutting-edge e-commerce platforms, such as the Magento online shopping cart software, will alert the Admin that there is a security patch.  (The same is true of WordPress, the popular Content Management System site owners often use to edit their website’s own content).

The lesson is: Have a professional ecommerce web design firm secure your site!  And monitor your ecommerce site for updates, regularly installing those security patches!

2) Follow PCI Compliance, and Then Some.

PCI Compliance is a great law, but being PCI Compliant does not mean that your credit card processing website is 100% hacker proof.

Being PCI Compliant simply means following a set of rules, such as adding SSL. While that does help with encryption, PCI Compliance still allows credit card data to be saved to a server. Generally, it would take a hacker bot about 3 months to break through the encryption of an SSL Certificate… and if the hacker does break through and get into the site, they may then have access to every one of your store’s credit card numbers if those were saved on your site’s own server.

To be safe, the best strategy is to never save credit cards to your own server. Several ISOs (independent sales organizations) are compatible with certain Gateways and Shopping Carts that allow the data to be sent through the site to the Gateway, passing the data through without saving it to the merchant’s own website.

And if a record of a transaction ever needs to be saved, such as for voids/returns or automatic recurring billing, then a token may be saved in place of a credit card number (a token being a line of encrypted data referencing a particular order number, which is then associated with the credit card at the Gateway level). This means that if someone does hack the site, they get a token that is only useful for re-ordering the same product to the same address/customer, rather than a full credit card number that can be used elsewhere.
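The pass-through-and-tokenize pattern from the two paragraphs above, as an added example that is not code from the original post or from any gateway or shopping-cart vendor. The gateway class is an invented stand-in (real processors expose their own tokenization APIs); the merchant side forwards card details, keeps only the returned token plus non-sensitive order data, and later refunds by token. The Luhn-based scan at the end is the check a practitioner wants: it looks at what the merchant actually persisted and confirms that nothing resembling a full card number landed there.

```python
"""Added example (not from the original post): store a gateway token, never a card number."""
import re
import secrets
import string


class SimulatedGateway:
    """Invented stand-in for a real payment gateway; the card vault lives here, not at the merchant."""

    def __init__(self):
        self._vault = {}   # token -> card details, held only at the gateway
        self.charges = []  # (token, order_id, amount, kind)

    def tokenize_and_charge(self, pan, expiry, cvv, amount, order_id):
        # Token is letters only so it can never be mistaken for a card number.
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
        self._vault[token] = {"pan": pan, "expiry": expiry}  # the CVV is never stored anywhere
        self.charges.append((token, order_id, amount, "sale"))
        return {"token": token, "last4": pan[-4:]}

    def refund_by_token(self, token, order_id, amount):
        if token not in self._vault:
            raise ValueError("unknown token")
        self.charges.append((token, order_id, amount, "refund"))
        return True


class MerchantStore:
    """What the shop itself keeps: order data and the gateway token, no PAN."""

    def __init__(self, gateway):
        self.gateway = gateway
        self.orders = {}  # order_id -> persisted record

    def checkout(self, order_id, amount, pan, expiry, cvv):
        # Card data passes straight through to the gateway and is not retained here.
        result = self.gateway.tokenize_and_charge(pan, expiry, cvv, amount, order_id)
        self.orders[order_id] = {
            "amount": amount,
            "gateway_token": result["token"],
            "card_last4": result["last4"],  # enough for receipts and customer support
        }
        return self.orders[order_id]

    def refund(self, order_id, amount):
        rec = self.orders[order_id]
        return self.gateway.refund_by_token(rec["gateway_token"], order_id, amount)


def luhn_ok(digits):
    """Luhn checksum, the test every real card number passes."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_pans(text):
    """Return 13-19 digit runs that pass Luhn: a crude scan for card numbers in stored data."""
    return [m for m in re.findall(r"\d{13,19}", text) if luhn_ok(m)]


def stored_pans(store):
    """Scan everything the merchant persisted for anything that looks like a PAN."""
    return find_pans(repr(store.orders))


if __name__ == "__main__":
    gw = SimulatedGateway()
    shop = MerchantStore(gw)
    # Constructed input: the well-known Visa test number, not a real card.
    rec = shop.checkout("order-1001", 49.99, "4111111111111111", "12/27", "123")
    print("stored record:", rec)
    print("PANs found in merchant storage:", stored_pans(shop))
    print("refund via token:", shop.refund("order-1001", 49.99))
```

Running `stored_pans` against the real order table (or a database dump) is the same idea at production scale: if it ever returns anything, card data is being saved where the post says it should not be.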

3) Amazon and Walmart were hacked because someone was directly targeting them.

If someone who is a top hacker wants to get into your site, they generally will be able to.

Most mom-and-pop e-commerce sites are not individually selected by a major hacker. Usually, robots scan for weak sites, searching for the easiest point of entry, and hack those instead… so as long as you are secure and stay current with your platform’s security patches, your site should be in good standing.
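Those scanning robots leave a recognisable trace in the web server log: one client walking through a run of admin-looking paths that do not exist on your site. As an added example (not from the original post), here is a small detector run over a constructed Apache-style access log. It flags any client that collects several distinct 404 responses inside a short window; the window and threshold are assumptions to tune for your own traffic, and the sample log lines are made up.

```python
"""Added example (not from the original post): spot scanner bots by 404 bursts in the access log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-format prefix: client, timestamp, request path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one scanner trying common admin paths, one ordinary shopper.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Dec/2009:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 210
203.0.113.7 - - [24/Dec/2009:10:00:02 +0000] "GET /administrator/ HTTP/1.1" 404 210
203.0.113.7 - - [24/Dec/2009:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 210
203.0.113.7 - - [24/Dec/2009:10:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210
198.51.100.22 - - [24/Dec/2009:10:00:05 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 8123
198.51.100.22 - - [24/Dec/2009:10:00:09 +0000] "GET /checkout/cart/ HTTP/1.1" 200 5120
"""


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT), path, int(status)


def find_scanners(log_text, min_404=3, window=timedelta(minutes=5)):
    """Map each flagged client IP to the sorted list of missing paths it probed.

    A client is flagged when it receives 404s for at least `min_404` distinct
    paths within any `window`-long span; a legitimate visitor almost never does.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == 404:
            events[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            paths = {p for t, p in hits[i:] if t - t0 <= window}
            if len(paths) >= min_404:
                flagged[ip] = sorted(paths)
                break
    return flagged


if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print(f"{ip} probed {len(paths)} missing paths: {', '.join(paths)}")
```

Feeding the detector's output into a block list (or simply into an alert) is the “see the threat in time” step from point 1: the bot announces itself on the unsecured paths before it ever reaches the renamed, password-protected admin directory.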

4) Be on a reliable ecommerce hosting company.

Some hosting companies are frequently hacked at the server level at the hosting company itself, allowing hackers to have access to hundreds of sites in one fell swoop.

By being with a reliable hosting company (we can recommend a few), you are giving your site an extra layer of protection.

A hosting company that provides management and has e-commerce technicians on staff to help you if a breach should ever arise is also a great perk to be on the lookout for when choosing an e-commerce hosting provider.

5) Place your ecommerce website on a secure shopping cart, such as Magento Commerce.

Some shopping carts are easier to hack than others.  Being on cutting-edge software has its advantages.
