When I first came across the expression 'ethical hacker' I grinned. It sounded like 'humane murderer' to me. Googling its meaning I found myself at http://www.oxymoronlist.com/, where such terms as 'Good morning', 'Customer Satisfaction' and even 'Marketing strategy' are listed as oxymora. Well, if 'good mornings' and 'marketing strategies' are phenomena one may never meet, to my surprise 'ethical hackers' do exist. They are also referred to as 'white hats': experts who attack a system on behalf of its owners, looking for vulnerabilities that a malicious hacker could exploit. If only all hackers were 'ethical'...
Unfortunately they're not. Day after day site owners have to stand against this Evil. And when IT experts go over to the Dark Side, what they're after is, obviously, not only the cookies...
Why does everyone and their uncle keep trying to break into the store?
- The Internet allows a hacker to stay anonymous and keep the source of the attack untraceable (at least, many beginning hackers think so).
- A young but ambitious hooligan may treat it as a challenge to his skills. Passion is what drives him. But even if his goals are rather innocent, the site owner will still bear the losses.
- This may be as 'productive' as taking a gun and robbing a bank, but it requires less effort. A sophisticated attacker finds a vulnerability in a particular type of software (say, a specific software version is vulnerable to SQL injection or XSS attacks) and tries to use it to exploit the system. Given there are thousands of installations online, what is the probability that some system administrator forgot to apply a patch? The hacker can even automate the checks and patiently wait for results.
- What they really need is money. To be exact, your customers' wallets. Since financial transactions are the backbone of ecommerce, an online store is a great target for their attacks.
Your site represents a complex system where several components interact with each other:
- Web application
- Users (Admin and Customers)
- Network connection (between the Shopper/Admin and the web site's server)
This system is like a house, with front and back doors, windows and walls. Depending on how much attention you pay to detail (or how slovenly you are) in security matters, you may have steel doors and a burglar alarm installed, or, vice versa, leave the front door and all the windows wide open. But even if you're sure you closed all the doors (say, you ran a security check and the report returned no problems), you may never relax. This system is ever changing, and a single tiny fault can flush all your efforts down the drain.
What 'tiny faults' am I speaking about?
- You have hired a programmer who hurried to develop the functionality in accordance with the specification and in a timely manner. He managed to, but in his hurry (or being not skilled enough) he left a 'hole' in the wall of your 'house', and the hacker is already here, trying to squeeze through it.
- You do monitor all the security updates from software vendors, but you (or your webmaster) were on vacation when the latest email was delivered, so you set this task aside... while the malefactor is already looking for a site or server that is not patched yet.
- PCI compliant servers have already stopped using FTP in favor of secure protocols (SFTP, FTPS, SSH). But because of the difficulty involved in running and administering secure FTP servers, or due to the inevitable complaints from clients who do not have the proper software installed to use SFTP, some hosting providers may still allow its insecure predecessor, traditional FTP. By default, FTP transmits data completely in the clear and thus does not provide any level of security at all. And our bad guy is here to eavesdrop on your conversations and make plans for bypassing the burglar alarm.
- You or your employees tend to use the same credentials for several accounts: email, the admin area of the store, several forums, a Facebook page and a Twitter account. Moreover, I've seen a person who set the same password for MySQL, FTP and even root SSH access. It is like locking the door and hanging up clear instructions on where to find the key.
Once at least one of these accounts is hacked, the others are also vulnerable, and it's only a question of time before the hacker finally opens the door with the keys you left for him.
- You're only a startup, and you cannot afford an expensive dedicated server or VPS. Instead you use the cheapest possible shared hosting. Do you know who your neighbors are? Are you sure their accounts, together with all the software they host, are secure? I bet you aren't. And once their accounts are compromised, you're in the risk group too.
- Your laptop is always with you. And often you're tempted by free WiFi. Why not combine business with pleasure, have a cup of cappuccino in a relaxing atmosphere and check if there are any new orders? You may forget that lots of wireless hotspots these days are completely unencrypted, as that makes them easier to connect to (baristas don't need to give out the internet password to everyone who walks in). This leaves you unprotected against malicious users in the same coffee shop. So you're supplying your username and password... and the hacker has already saved the credentials.
- Your username is pretty standard, and your password is weak. A brute-force attack, or exhaustive key search, may be successful.
- Even if your site, server and account are secure, you may still suffer from malicious activity: keyloggers and spyware on your customer's computer allow criminals to steal credit card info and place fraudulent orders in your store. If you don't detect that it's fraud and hurry to ship the goods, you will be out both the inventory and the money when the chargebacks are processed.
Prevention is better than cure
If the hacker's attempt is a success, along with losing the money you're also saying goodbye to your perfect reputation, losing loyal customers and thus sales, and, to finish you off, Visa may pay a visit, after which you pay penalties. And it's not fun at all, at least for the merchant, who feels furious, or upset, or both.
That's why you should start working on security hardening right now (and keep working on it daily!). But what can you set against the ubiquitous hackers?
Actually you do have something up your sleeve.
1. Two-factor authentication (when in addition to your login details you need to supply a one-time passcode which is sent to you in an SMS or a push notification, or is shown in a mobile application) is more and more common nowadays. You may benefit from Google's two-step authentication in Gmail, you're encouraged to connect your Mailchimp account with AlterEgo, the Login Approvals feature is available in Facebook, and PayPal adds an extra layer of protection to your account by means of the 'PayPal Security Key'. This feature is also available in X-Cart: all you need is the 'Two-Factor Authentication' module. The module requires an account with Authy, and the free plan, which includes up to 500 logins per month, is more than enough to secure the admin accounts of your store!
2. The "X-Access" module prevents illegal access to the admin area through a series of restrictions. You can restrict access based on time and date, or you can limit access by IP; moreover, you can select the sections of the admin area that will be available to particular admin accounts. A good contribution to our 'security piggy-bank'!
3. An external website monitoring service is widely used too, so that you, not your customers, are the first to know about a problem on your website. When something breaks (and as Murphy's Law reads, anything that can go wrong will, at the worst possible moment), you're immediately alerted. Thus you can quickly notify the customers about this temporary problem and proceed with investigation and a fix. This is exactly what X-Monitoring Standard offers. But not very long ago we rolled out an 'Advanced plan' which is advanced indeed. In addition to server uptime monitoring it keeps an eye on the file system, reporting modifications in core X-Cart files (you can even view the diff), as well as permission changes. You should either approve these changes or restore the previous version. It means that even if a malicious person has modified the files, you will notice it right away and fix the problem BEFORE your customers are deceived. I believe this tool is one of the best safeguards a store owner can imagine. By the way, a free trial is available. More details about the module here.
Here is what the admin area looks like:
Another option is StopTheHacker's Website Security Services; this company offers a wide range of monitoring facilities.
4. One more point to consider. When did you last back up your file system and database? If it's not part of your routine, this article is for you. When the site has already been destroyed by the hacker, it may be too late.
5. Catching fraudulent orders is a good preventive action if you want to decrease chargebacks. The module is already built in; all you need is to purchase a package of requests. The module uses a sophisticated algorithm to calculate the fraud risk factor and returns a value from 0 to 10. It takes into account such criteria as address match, IP distance, order total, and even the email and previous orders placed by this customer.
6. Starting from X-Cart version 4.5.x, the ability to collect and store credit card details was completely removed from the X-Cart code (the admin can either select web-based payment integrations, where the user is redirected to the payment gateway's site to enter this sensitive info, or use the PA-DSS certified payment solution X-Payments), but if you use an older version, you should apply a PCI patch. What does it give you? Even if the store IS compromised, credit card details are safe and sound, as you (your application) never touch credit cards. Actually this paragraph is about PCI compliance, which is a must for ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Our partners, Comodo and McAfee, offer PCI scans, which are aimed at finding all the security problems of your server and application.
How much does your security cost? Don't be penny-wise and pound-foolish.
As you may understand, none of the solutions listed above, if used separately, can be treated as a silver bullet. Security is the kind of complex task where each component matters.
- Use reliable hosting. Better still, a PCI compliant one.
- Don't install software from non-verified vendors. Only trusted developers!
- Make sure RIGHT NOW that your software (server-side software and web applications) is up to date, or at least that all the security patches are applied.
- Use secure server connection and secure networks.
- Change ALL your passwords regularly; use strong alphanumeric passwords.
- Install antivirus on the PCs of EVERY admin who manages the store.
- Set up firewall rules.
- Monitor your server uptime and keep a close watch on what happens on your server. Anything strange (new files, or pieces of code in existing files, start to appear while you didn't change anything; your traffic suddenly increases dramatically; new types of PHP/MySQL errors are recorded in the server log; new admin accounts appear) may be a symptom that your website is hacked.
- Make sure you don't collect and store credit card details.
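Point 3 of the previous section and the "Monitor your server" item above both come down to noticing when files under the store's web root change content or permissions. The added example below (an illustration for this post, not X-Monitoring's code) shows the core of such a check: take a baseline of SHA-256 digests and permission bits, take another one later, and report what differs; it runs against a constructed two-file 'store' in a temporary directory and assumes a Unix-style permission model:

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def snapshot(root: str) -> dict:
    """Map each regular file under root (path relative to root) to (sha256, permission bits)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):          # skip symlinks, sockets, etc.
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            result[rel] = (digest, stat.S_IMODE(st.st_mode))
    return result

def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished, changed content or changed mode since the baseline."""
    report = {"added": [], "removed": [], "modified": [], "perms": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            (old_hash, old_mode), (new_hash, new_mode) = baseline[rel], current[rel]
            if old_hash != new_hash:
                report["modified"].append(rel)
            if old_mode != new_mode:
                report["perms"].append((rel, oct(old_mode), oct(new_mode)))
    return report

def demo() -> dict:
    """Constructed scenario: baseline a tiny fake store tree, then simulate tampering."""
    root = Path(tempfile.mkdtemp())
    (root / "include").mkdir()
    core, conf = root / "include" / "func.php", root / "config.php"
    core.write_text("<?php function total($a) { return array_sum($a); }\n")
    conf.write_text("<?php $sql_host = 'localhost';\n")
    conf.chmod(0o640)
    baseline = snapshot(str(root))
    with core.open("a") as fh:                     # a core file gains a line nobody added
        fh.write("// line that was not in the baseline\n")
    (root / "new.php").write_text("<?php // dropped-in file\n")   # a file that was never shipped
    conf.chmod(0o666)                              # config becomes world-writable
    return compare(baseline, snapshot(str(root)))
```

Each entry in the report is something the owner should either approve (a deliberate upgrade) or roll back from a clean copy, which is exactly the decision the monitoring tool puts in front of you.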
If you don't brush aside these recommendations but follow them to the letter, you may reach a level high enough to drive it home to the "burglar" that he had better try another 'house', not your "fortress".
And may all your mornings be good, hackers ethical and customers satisfied! ;)