By Ken Pang // 19 December 2008 // Related Categories: Security

The Internet has revolutionised the way we do business. With a few simple clicks, it's now possible to order everything from baby goods to plant equipment from the other side of the globe, without ever having inspected the goods or communicated with a live person. This new type of business "self-service" is called eCommerce, and it is bringing new efficiencies to the world economy and opening up world markets to small businesses.

However, as with any new opportunity, it also brings risk for the unwary. Every few weeks we hear of another company that has been hacked, resulting in millions, or even billions, of dollars in loss and legal liability. Just two weeks ago, Luxottica, a large online luxury retailer, was compromised, revealing the credit card details and addresses of thousands of customers. What are the risks, and what do you need to be aware of if you have, or are intending to have, an eCommerce part of your business?

Let's start by defining what eCommerce is. eCommerce is conducting your business over the Internet, usually through some sort of labour-saving automation. So, for example, if you had a website with a list of all your products, but a customer would still have to call you to order a product, you don't have an eCommerce-enabled business. However, if a customer could order the product online, enter their payment details, and have their desired goods delivered without ever speaking to your business, you could say that your business was eCommerce-enabled.

There is no doubt that eCommerce is an amazing opportunity to build your business without high initial set-up costs and to expand your market beyond your geographical location, but there are a number of risks that need to be considered.

  1. What would happen to your business if your clients' details were stolen? The worst-case scenario, of course, is your clients' credit card information being stolen. This has been a common, though low-profile, event, but it is set to become much more high-profile if the mandatory data breach disclosure laws now before parliament are passed. For example, Roses Only was forced to reveal that it had been hacked in September 2007, months after the actual hack occurred (note: Roses Only was not forced to reveal the hack by legislation, but rather by the card issuers). During those months the personal details of an unknown number of their clients, including credit card numbers, were exposed to an unknown group of criminals.
  2. What would happen to your business if an attacker found a way to beat your eCommerce system, so that you sent free goods to them? Or, even worse, if they initiated "refunds" into their own bank accounts?
  3. What would happen to your business if your eCommerce site was used to assist another crime, such as launching attacks on other businesses or verifying that stolen credit cards are still valid? This happened late last year to MD Webhosting, according to "Australian IT". The real victims were MD Webhosting's clients, whose websites were then used to promote other businesses.
  4. What would happen to your business if an extortionist were able to demonstrate the ability to shut down your site any time he wanted, unless you paid "protection money"?
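To make the second risk concrete, here is an added example (written for this article, not code from any real shop or from the author) of the most common way an online checkout gets "beaten": the server trusts the price and quantity that the customer's browser posts back with the order. The product names, prices and hostile orders below are constructed; the hardened version looks prices up in a server-side catalogue and rejects non-positive quantities, so tampered prices are ignored and a negative line item can never turn an order into a "refund".

```python
"""Added example: a checkout that trusts client-submitted order data, beside
a hardened version. Illustrative only; catalogue and orders are constructed."""

from decimal import Decimal

# Constructed server-side catalogue: the only trustworthy source of prices.
CATALOGUE = {
    "widget": Decimal("19.95"),
    "gadget": Decimal("249.00"),
}


def vulnerable_total(order):
    """Vulnerable: takes price and quantity exactly as posted by the browser.

    'order' is a list of dicts like {"sku": ..., "price": ..., "qty": ...},
    e.g. decoded from a form post or hidden fields the customer can edit."""
    total = Decimal("0")
    for line in order:
        # Both the price and the quantity are attacker-controlled.
        total += Decimal(str(line["price"])) * line["qty"]
    return total


def hardened_total(order):
    """Hardened: price comes from the catalogue; quantity must be a positive
    integer within a sane limit; any client-supplied price is ignored."""
    total = Decimal("0")
    for line in order:
        sku = line.get("sku")
        if sku not in CATALOGUE:
            raise ValueError(f"unknown product: {sku!r}")
        qty = line.get("qty")
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
            raise ValueError(f"invalid quantity for {sku}: {qty!r}")
        if qty > 100:
            raise ValueError(f"quantity for {sku} exceeds per-order limit")
        total += CATALOGUE[sku] * qty
    if total <= 0:
        raise ValueError("order total must be positive")
    return total


# Constructed hostile orders.
FREE_GOODS = [{"sku": "gadget", "price": "0.01", "qty": 1}]        # tampered price
FAKE_REFUND = [{"sku": "gadget", "price": "249.00", "qty": 1},
               {"sku": "widget", "price": "19.95", "qty": -20}]    # negative quantity


if __name__ == "__main__":
    print("vulnerable, tampered price:", vulnerable_total(FREE_GOODS))   # 0.01
    print("vulnerable, negative qty:", vulnerable_total(FAKE_REFUND))    # -150.00
    print("hardened, tampered price ignored:", hardened_total(FREE_GOODS))  # 249.00
    try:
        hardened_total(FAKE_REFUND)
    except ValueError as err:
        print("hardened rejected:", err)
```

The same principle applies to any value the browser sends that affects money: discount codes, shipping costs and refund amounts should all be recomputed on the server from records the customer cannot edit, and a refund should only ever go back to the payment instrument that was originally charged.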

While high-profile examples of these attacks are rare, the attacks themselves are fairly common; they simply go unreported because the companies involved don't want the negative press of being known to have been hacked. Would you enter your personal details into a website you knew had been hacked recently?

eCommerce is, without doubt, one way a small business can compete successfully against very large businesses without exorbitant spending on marketing and branding. However, as we have seen, an online eCommerce presence brings with it plenty of risk. Next week, we'll look at how your small business can assess and reduce these risks. In the meantime, if you've ever experienced an attack on your eCommerce site, or if you are concerned about the risks of buying and selling online, please share your thoughts with us.

Kenneth Pang is a well-respected Australian computer security expert. From 1997 to 2003 he was the key technical engineer for a leading IT security manufacturer, and he now contracts to many high-profile Australian corporates, testing for network and website vulnerabilities.
