The trend is irreversible.
The clicking of seat belts as part of driving to a store is being replaced by the clicking of Buy buttons to do that shopping at home.
The dark side is that this increase provides even more opportunity for hackers.
Verizon's 2012 Data Breach Investigations Report counted 174 million compromised records for the year it covered, and found that 81% of the breaches it examined utilized some form of hacking. That is roughly 170 million more records than the previous year's report counted.
Security should be treated as the most important element of e-commerce. For brands and consumers to prevent attacks, they need to understand what's at stake for the brand, the consumer, and the hacker.
What’s at Stake?
When a hacker steals a consumer’s information from a company database, who pays the ultimate price: the consumer or the brand?
The brand is responsible for securing the customer's information. If that data is breached, the customer bears the consequences: identity theft, fraudulent use of credit cards and bank accounts, and exposure of any other information that is of value to the hacker.
Once a customer's information is stolen, the consumer must quickly report the theft and cancel all affected accounts. Generally the bank or company reimburses fraudulent charges; this leaves the consumer with a major inconvenience but holds the seller financially accountable.
Scot Terban has been a security consultant — formerly known as an “ethical hacker” — since 1996; he’s worked for IBM’s global security services group since 2000.
According to Terban, both the consumer and the brand are at risk, though there are more concerning calculations for the latter.
“The consumer has the risk of losing money either by theft of service — use of their accounts or credit cards/bank accounts, etc. — but often are reimbursed by the bank if the card has been compromised in some way.
“Now, if a site — the company selling a service — is the source of the compromise, and it can be shown now that they have not made the proper strides to protect their clients’ data, then they may end up footing the bill in some cases as well as garner large bad press on the incident and their services.”
When a brand is hacked, it’s not only left with financial damage to clean up, its reputation is going to need repair, as well.
Take LinkedIn, for instance. The company took a severe blow after more than 6 million of its users’ passwords were leaked online in June 2012. The company quickly confirmed and apologized for the password breach but was still sued for $5 million.
Public awareness of mega-hacking is now front and center. Target (2013), Sony (2014), and a U.S. government agency (2015) sent up more flares.
And who didn’t hear of the Ashley Madison hack?
So, how in the world was anyone surprised when the Russians had their way with both the Democratic and Republican national committees?
The only revelation was how naïve the victims were … and possibly, still are.
The risk factor between the company and customer also depends on what’s at stake for the hackers themselves. Most prefer the least amount of risk, but there’s always the chance of getting caught.
Steve Santorelli is a former Scotland Yard detective and a former Microsoft investigator. He’s currently director of global outreach at Team Cymru, a cybercrime research company. (Yes, that’s Welsh for Wales; nothing wrong with referring to one’s roots.)
Santorelli compares the hacker’s initial decision to break into a computer or its network to a return-on-investment calculation.
“How much time and effort does the miscreant need to spend to get what size of reward? What’s the easier route to the maximum pile of eventual cash?”
“Spending months planning and executing an audacious attack on an accounts payable department might make sense if you can extract seven figures of reward. Compare that to the average phishing attack — which now lasts a few hours and nets less than a handful of victims, likely with limited funds if they are regular account holders.”
What Consumers Should Do
In the event that your data has been stolen from an e-commerce database — depending on what data you had given to the site — Terban suggests that the consumer do the following:
– If you have a credit card number saved in your profile, you should alert the bank and have a new credit card sent to you after cancelling the compromised one.
– If your email address is a primary one that you use for everything, be aware that it may now be fodder for phishing attacks on you for more information. Make sure your spam filters are working and always think before you click links or open files sent to you in that account. Frankly, it’s wise to create or designate one address for online usage and keep it separate from your usual correspondence channels.
– If the site collects personal data, such as date of birth or — and this should not happen — your Social Security number, then you should obtain identity theft protection, for which the company that lost your data should pay. This will alert you if someone tries to open new accounts in your name using the data they have stolen.
What Businesses Should Do
Businesses commonly make the mistake of neglecting to monitor and maintain the security of their site, even though the software and other tools the site depends on are constantly evolving and need to be patched.
Both Santorelli and Terban agree that sites often are attacked when they fail to keep good hygiene.
Greg Hammermaster, president of Sage Payments, concurs:
“Web and mobile application developers are often not savvy to payment security requirements and secure programming methods, which can create security holes that can be exploited by hackers that look for high value targets, such as ecommerce sites.”
Security should also be an important factor when mapping out the design goals of a website. The baseline most sites start from is serving everything over HTTPS with a TLS certificate (still commonly called an SSL certificate). That protects data in transit between the shopper and the site, but it does nothing for data sitting in a breached database, so it is a starting point rather than the whole answer. You can purchase a certificate, and some e-commerce platforms, such as Shopify, provide TLS by default at checkout.
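As an added example, not part of the original article and not any vendor's code, the following Python check captures what "having SSL" needs to mean in practice on a storefront: plain-HTTP requests are redirected to HTTPS, HTTPS responses carry a Strict-Transport-Security header, and session or cart cookies are marked Secure and HttpOnly. The sample responses, the hypothetical host shop.example, and the 180-day HSTS threshold are assumptions constructed for the example; nothing here touches the network.

```python
# Added example (not from the article): audit whether a storefront actually
# uses the TLS certificate it bought. A certificate only helps if plain-HTTP
# requests are redirected, browsers are told to stay on HTTPS (HSTS), and
# session cookies are never sent in the clear. All responses below are
# constructed samples; nothing here contacts a real site.

HSTS_MIN_AGE = 15552000  # 180 days, a commonly used minimum (assumption)


def cookie_flags(set_cookie_value):
    """Return (name, secure, httponly) for one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, "secure" in attrs, "httponly" in attrs


def hsts_max_age(header_value):
    """Parse max-age out of a Strict-Transport-Security value; 0 if absent."""
    for directive in header_value.split(";"):
        key, _, value = directive.strip().partition("=")
        if key.lower() == "max-age":
            try:
                return int(value.strip())
            except ValueError:
                return 0
    return 0


def https_hygiene_findings(scheme, status, headers, set_cookies=()):
    """Audit one response.

    scheme      -- 'http' or 'https' (the scheme the request was made with)
    status      -- response status code
    headers     -- response headers other than Set-Cookie (case-insensitive)
    set_cookies -- every Set-Cookie header value on the response
    Returns a list of findings; an empty list means the response is clean.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    if scheme == "http":
        # Plain HTTP must redirect to HTTPS rather than serve the page.
        location = h.get("location", "")
        if status not in (301, 302, 307, 308) or not location.lower().startswith("https://"):
            findings.append("plain HTTP served instead of redirected to https://")
        if set_cookies:
            findings.append("cookies set over plain HTTP")
        return findings

    # HTTPS response: HSTS tells browsers to stop trying http:// at all.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    elif hsts_max_age(hsts) < HSTS_MIN_AGE:
        findings.append("HSTS max-age below %d seconds" % HSTS_MIN_AGE)

    # Session/cart cookies must never be sent in the clear or read by scripts.
    for raw in set_cookies:
        name, secure, httponly = cookie_flags(raw)
        if not secure:
            findings.append("cookie %r lacks the Secure flag" % name)
        if not httponly:
            findings.append("cookie %r lacks the HttpOnly flag" % name)

    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HTTP = ("http", 200, {"Content-Type": "text/html"}, ["cart=42; Path=/"])
WEAK_HTTPS = ("https", 200, {"Content-Type": "text/html"},
              ["session=abc123; Path=/"])
GOOD_HTTP = ("http", 301, {"Location": "https://shop.example/"}, [])
GOOD_HTTPS = ("https", 200,
              {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
              ["session=abc123; Path=/; Secure; HttpOnly"])

if __name__ == "__main__":
    for label, resp in [("weak http", WEAK_HTTP), ("weak https", WEAK_HTTPS),
                        ("good http", GOOD_HTTP), ("good https", GOOD_HTTPS)]:
        print(label, https_hygiene_findings(*resp) or "OK")
```

Run as-is to see the findings for each constructed sample; in practice, feed the function the status, headers, and Set-Cookie values from a request to your own storefront's home page and checkout page, made once over http:// and once over https://.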
Perhaps the most effective way to protect your business from hackers is to think like a hacker.
Terban says the best way to do so is to hire one to protect your network and infrastructure.
“This is not always the easiest thing to do because you really need someone you can trust and who knows what they are doing.
“Accreditation in the Information Security business is getting better, but, in general, find someone who can prove their technical worth, as well as having a proven track record in either the defense of networks or the penetration thereof.”