Safe and sound

Stick your head above the parapet and people will start taking aim. As soon as any computer system is plugged into the internet, it starts getting attacked almost immediately, as all manner of humans and computers try to find chinks in its armour.

My 15-year-old nephew is rather good at cracking passwords. I’ve been training him on our research systems with a few tools that you can download for free from the internet.

By educating him about identity theft and information-gathering, he’s learning how the bad guys do illegal things by ‘harvesting’ information about people and businesses online. This is helping him to understand the importance of online security, protecting his information and raising his awareness of data privacy.

His mother – my sister – works in a large convenience store and I told him how the introduction by wholesalers of click & collect and their removal of people from order-taking means he could order a massive amount of chocolate and have it ready and waiting for him at a local warehouse without anyone realising he wasn’t a shop. Even better, someone else would pay for it.

It seems far-fetched. Yet no one would have believed that in the early years of the 21st century, it would have been possible to bring a major high street retailer to its knees by exploiting a fundamental flaw in its click & collect system. My company is lucky enough to have the enviable power (and permission) to hack into computer systems in an effort to stop bad things happening and fortunately, we found the flaw before a teenager ran the mere three lines of computer code it would have taken to reserve everything in every one of the retailer’s stores around the country.

The trouble is fraudsters are cunning and they don’t want huge boxes of chocolate or to reserve every household item they can lay their hands on. They want data: yours and your customers’.
The bad guys know we each tend to have the same password for every website we use or at least one from a small pool we can remember. If your transactional website is the weak link, you’re doing your customers a disservice by making it easy for their treasured tiny selection of passwords to be stolen, along with potentially sensitive personal information that would help a fraudster commit some completely unrelated crime. Eventually, it’d be traced back to your insecure ­website.

If you were buying a new lock for your front door you’d want to be sure it was well-engineered. However, brute force attacks can get into almost anything. I recently took an angle-grinder to my heating oil tank’s padlock because the key had snapped. Two minutes later the lock was off. Similar brute force attacks happen on the internet but they’re usually undetected unless you’re actively looking for them. Are you checking for suspicious activity?

Secure web forms Encrypt, don’t leave clues and check for holes

messages your website sends out to casual observers. Check the basics, such as whether your login page is secure.

When you log into your bank account, the web browser’s little padlock shuts and it makes a big deal of telling you it’s secure. Encrypting login details such as your username and password as they are sent across the internet is the most basic sign of attention to security. If even this is not being done, it’s blatantly obvious and sends out a signal, like a huge flashing beacon, that the company doesn’t have a handle on even the simplest of best security practice.

Does your option to reset forgotten passwords give any indication of whether the email address or username just tried exists within the database? If it does, this is useful information to someone snooping around: in a street where all the houses bar one have a burglar alarm visible, which one do you think the criminal is going to think about targeting first?

A ‘search’ box that helps customers find products on your website can be used to rummage around in other information if it’s not been coded securely. Make sure people can’t do malicious searches that show them all your customer details.

Look out for people typing unexpected characters: forms where people can type stuff in are one of the most prevalent security holes on websites and so one of the most common points of attack.

Credit risks Know the rules and issues of online credit card transactions

Taking credit card payments online is not without its hassles. Understand where responsibility lies if the card is later reported as stolen: there are special considerations if you’ve taken card details online.

Be suspicious of unusual orders for high-risk categories, such as tobacco and alcohol. Consider carefully what you’ll deliver if you’re using a separate courier service and are not necessarily in control of all elements of delivery.

Wholesalers are being tempted to jump into click & collect and online ordering without weighing up the security and risk points for fraudulent transactions. They’re rushing to have new accounts sign up more quickly and provide credit card details so they can buy online immediately. This is the standard in retail e-commerce, but retailers have suffered a lot as a result and learned a lot of painful lessons about how to do fulfilment in a way that reduces risk.

Check up on PCI DSS, a data security standard with which you must be compliant if you want to take credit card payments online. Unless you can prove that you are compliant, the credit card companies may remove your ability to take payments altogether, not just online but in depots, too.

You shouldn’t be taking payments from credit cards until you can despatch the products. Be prepared to deal with chargebacks: anyone who orders from you online and pays by credit card can very easily get a chargeback against you. For small orders this may not be a problem, but if you’ve supplied thousands of pounds’ worth of tobacco to a customer using a third-party courier, you may find the risk worth thinking about.

Even without credit cards in the picture you’ve got the issue of giving access to credit accounts online. Most of your customers probably don’t have rigorous security processes in their stores. Having an unauthorised person make a telephone order is always a risk, but it’s a far bigger security risk to enable customers to log into their web accounts and place orders without any interaction. How can you know for sure who is putting through an online order and who is authorised to do so?

Many big names on the high street are now employing teams of up to a dozen people just to manage online security and risk. It’s not something you can turn over to your teenage nephew.