As big business finally gets a hold on security, SMEs relying on off-the-shelf e-commerce tools are easy prey.
Small businesses are now becoming prime targets for the hacker. Take, for example, an interesting trend emerging in "script-kiddie" attacks. One of the most startling figures comes from Visa, which notes that more than 80 per cent of all the hacks involving card data theft are against merchants that carry out fewer than 20,000 card transactions a year.
This suggests that big business is finally starting to get security right. No great surprise, given the various compliance drivers, increased spend on security and more readily available expertise they have at their disposal. The PCI DSS (Payment Card Industry Data Security Standard) may have taken its time in addressing the security of credit card transactions (it was initiated in January 2005) and be far from perfect, but there's little doubt it has made processes more uniform.
It's true that the biggest prizes are to be found in big business. It is the behemoth retailers that have some of the largest databases of customer card data, and the most significant "attack surface", given their physical presence. The problem for the hacker is that these businesses also have anti-fraud departments and the ear of the police. But if I were a hacker, I would probably go after a small online retailer that uses an off-the-shelf e-commerce package that I know is full of issues.
I would use Google to find the store, searching for a path or file name I know to be characteristic of that particular e-com package. A few minutes later, using automated tools against the package's known weaknesses, I would probably have access to their complete customer database. And, if they're carrying out their own card transactions and keeping the details on file, I may have accrued a reasonable number of card numbers.
Repeat the process several times against several online retailers using the same package, and I have a significant, saleable database of customer and card data. These SMEs may be small fry, but for the hacker it's like shooting fish in a barrel.
The problem is exacerbated for small merchants that use a hosted service. Online stores are frequently hosted by a third party, probably on a shared web server, as small businesses can rarely afford dedicated hosting. As a result, I might just hit the jackpot and find that even the database is shared: one set of database credentials serving every tenant, so a hole in one store gives me instant access to the data from every website hosted on that same box.
If that sounds like scaremongering, then don't just take my word for it. Take a look at www.zone-h.org. The site lists occasions where large numbers of websites have been defaced in quick succession, usually on shared web servers. Worse still, some automated script-kiddie attacks use injection to write to the database itself, planting content such as script tags in text fields so that it is served back to every visitor of every site that reads from them. Because that injected content shows up in the rendered pages, these "infections" can be Googled, and finding further vulnerable web applications to attack becomes a matter of a search query.
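As an added illustration, not part of the original column or of any SecureTest tooling, the following Python script shows the kind of check a small merchant, or their hoster, could run against a copy of the store database to spot the telltale content that these mass-injection runs write into text columns. The signature patterns, the table layout and the sample rows are constructed assumptions for the example; a real check would use whatever signatures are current at the time and would run against an export of the live database.

```python
import re
import sqlite3

# Signatures of content a mass SQL-injection run typically writes into text
# columns so that it is served back on every page that renders them.
# These patterns are illustrative assumptions, not a vendor's signature set.
INJECTION_SIGNATURES = {
    # a script tag pulling code from an external host
    "external_script": re.compile(r"<script[^>]+src\s*=\s*['\"]?https?://", re.I),
    # a zero-sized iframe, invisible to the visitor
    "hidden_iframe": re.compile(r"<iframe[^>]*(width|height)\s*=\s*['\"]?0", re.I),
    # hex-encoded payloads of the kind injected via CAST(0x... AS ...)
    "hex_encoded_sql": re.compile(r"\bCAST\s*\(\s*0x[0-9a-f]+\s+AS", re.I),
    # cursor-driven "update every text column" stored-procedure payloads
    "declare_exec": re.compile(r"\bDECLARE\s+@\w+.*?\bEXEC\s*\(", re.I | re.S),
}


def text_columns(conn, table):
    """Return the names of columns in `table` declared with a text-like type (SQLite)."""
    cols = []
    # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk)
    for _cid, name, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
        upper = ctype.upper()
        if upper in ("TEXT", "CLOB", "") or "CHAR" in upper:
            cols.append(name)
    return cols


def scan_database(conn):
    """Walk every user table and text column; return a list of
    (table, rowid, column, signature_name, snippet) for each suspicious value."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = text_columns(conn, table)
        if not cols:
            continue
        col_list = ", ".join(f'"{c}"' for c in cols)
        for row in conn.execute(f'SELECT rowid, {col_list} FROM "{table}"'):
            rowid, values = row[0], row[1:]
            for col, value in zip(cols, values):
                if not isinstance(value, str):
                    continue
                for sig_name, pattern in INJECTION_SIGNATURES.items():
                    m = pattern.search(value)
                    if m:
                        start = max(0, m.start() - 20)
                        hits.append((table, rowid, col, sig_name, value[start:m.end() + 40]))
                        break  # one hit per cell is enough to flag it
    return hits


def build_sample_db(tampered=True):
    """Constructed sample: a small shop database. With tampered=True two rows carry
    the kind of content an automated injection run leaves behind."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT, price REAL);
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, notes TEXT);
    """)
    toaster_desc = "Two-slot toaster."
    bob_notes = "Collects from store."
    if tampered:
        toaster_desc += '<script src="http://example.invalid/x.js"></script>'
        bob_notes = '<iframe src="http://example.invalid/" width=0 height=0></iframe>'
    conn.executemany("INSERT INTO products (name, description, price) VALUES (?, ?, ?)", [
        ("Kettle", "Stainless steel 1.7 litre kettle.", 24.99),
        ("Toaster", toaster_desc, 19.99),
        ("Mug", "Ceramic mug, dishwasher safe.", 4.50),
    ])
    conn.executemany("INSERT INTO customers (email, notes) VALUES (?, ?)", [
        ("alice@example.com", "Prefers delivery after 5pm."),
        ("bob@example.com", bob_notes),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for table, rowid, col, sig, snippet in scan_database(build_sample_db()):
        print(f"{table}.{col} rowid={rowid}: {sig} -> {snippet!r}")
```

Run against the sample it flags the tampered product description and customer note and nothing else; a hit in a table that is not yours is the shared-database scenario above made visible.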
Suddenly, the much maligned PCI standard looks like a good idea. But remember that merchants processing fewer than 20,000 transactions per year usually do not have to provide evidence that they are following the standard. They have a duty to achieve and maintain compliance but are generally exempt from the audits and ASV (approved scanning vendor) scans required of their larger brethren, so nobody checks, and that is the loophole the hacker exploits.
Smaller businesses in general are also now a target because they are deploying state-of-the-art technology. As the cost of new technologies decreases, many are deploying sophisticated equipment such as push email on Windows Mobile, which is easily hooked up to Outlook Mobile Access. What they forget is that policies and support are needed to back up this kit.
So what should the small business do? Our advice for retailers would be to carry out the quarterly vulnerability scan that PCI DSS calls for, whether or not your acquirer asks you for the evidence. For other SMEs, it is imperative to keep your software patched and to ask any third-party hoster what security assurances it can give you, including whether your database and its credentials are separate from those of the other sites on the same server. That way, you may just make yourself that bit harder to attack than the next SME, and the hacker will go for them, not you.
- Ken Munro is managing director of SecureTest. He can be contacted at firstname.lastname@example.org.