Cyber shopping: Keeping security high when shoppers buy online

By Rick Caccia, info@arcsight.com

It is surprising to realize that 2010 is coming to a close. To me, it seems like only yesterday that we spent New Year’s Eve wondering if the Y2K bug would shut down the computers and the power grid. In the ensuing decade, the retail industry, like many others, has seen some very clear technology trends: More information is online and stored in systems connected to the web; employees, partners, and customers have more access to information and applications (for example, account self service or online shopping) via the web; and as a result, there is now greater opportunity for loss of information, particularly payment-card information, than ever before.

We believe these trends will continue. Shoppers expect more access to information and easier ability to pay, both of which often involve leveraging third-party software to make it happen. New technologies enable online retailers to roll out better user experiences for less cost and effort. Additionally, these businesses continue to grant employee (and contractor) access to more applications and data so that they may do their jobs efficiently and productively. And as a result, the possibility for sensitive data to be exposed or even lost is suddenly much higher. The trick is to operate securely in a world of new technologies and new business opportunities.

While companies in almost any industry face some common security-related business risks, retailers are especially susceptible to certain risks, and should consider these when designing an information risk-management program:

Account takeover: Customers who enjoy the shopping experience are more likely to be repeat customers, and stored address and payment information certainly makes the experience better. Of course this means that retailers face many of the account takeover risks that banks face every day. Controls that detect and mitigate account takeover should be a part of any online risk-management program, and the techniques are well known. These include analysis of the shopper’s home location versus ordering location (e.g., you live in Spokane but are ordering plasma TVs from a computer in Russia) as well as new shipping addresses.
 
Malware: Many of the high-profile data breaches at retailers, consumer payment processors, or banks involved some form of malware, such as a “bot,” that gained access to the customer credit card system, then subsequently stole card numbers and sent them out via the network to an external IP address. Even Google, a very secure consumer company, was subject to such an attack. The most common route for malware to enter the company is via an employee’s web browser. While it may be hard to believe that a shipping clerk in a warehouse looking at an online greeting card could trigger a massive loss of customer credit-card numbers, remember that the corporate network ties together many systems, and one person’s browsing can expose the company to significant loss. While modern malware can be quite subtle and tricky, there are again known techniques for detecting attacks, including looking for unusual network traffic. Many bots, upon installation on a user’s computer, try to “phone home” for additional instruction. This “beaconing” can be detected by looking for certain types of network traffic heading to foreign IP addresses. While not perfect, these and other detection techniques can find threats early, before they cause significant loss of customer data.

“Web hacks:” By this I mean breaking the normal online shopping process with unexpected commands, such as the SQL Injection attack, where a hacker enters a database command that retrieves credit-card records into a normal data field such as “First Name.” These vulnerabilities come about because of poor application development practices, and are still very common. However, they can be detected through a variety of techniques and a good risk-management program will consider some of these.
 
Employee access: Finally, employees themselves may present weaknesses in the online security process. Retail is unique in its use of seasonal workers and related worker turnover, and many firms provide significant self-service access to internal systems. For example, a retailer might give all temp workers access via the web to account information so that the workers keep their addresses (for end-of-year W-2 mailing) up to date. While greater access improves productivity, it also can create cracks in the system where hackers can slip in and data can slip out. The corporate risk-management program should include controls to limit employee access and monitor how that access is used.

None of the scenarios described above are new; each has caused multiple security breaches in online shopping systems. Moreover, each scenario can be minimized through well-known techniques, allowing retailers to manage risk to an acceptable level. However, despite this, many retailers still do not have a strong risk-management program in place and leave their businesses exposed needlessly. Perhaps this holiday season, these retailers should do some shopping of their own -- and load up their shopping carts with solid programs to help reduce security risks in a measurable and manageable way.

Rick Cacci, VP product marketing for ArcSight, has spent 15 years designing and managing infrastructure systems, with a focus on security and identity management. Prior to ArcSight, he led product management at Symantec for e-mail and web security products (info@arcsight.com).