
Is your online-shop safe? – Interview with security expert Hendrik Lennarz

Published by Hauke Timmermann on May 6, 2009

The following article is an excerpt from an interview about security risks and scenarios of online attacks on internet shops, given by Trusted Shops security expert Hendrik Lennarz to the magazine “webselling”. In the interview he gives insights into the different ways of protecting online shops against attacks from hackers.

Learn more about security risks in the following interview.

What kind of risks are shops facing that aren’t protected against attacks?

Hendrik Lennarz:
At least 80 % of all websites have serious weak spots. But online-shops are especially vulnerable because they usually collect a fair amount of sensitive data and enable customers to make various financial transactions.

In this context attack scenarios can create severe financial losses both to the online-merchant and to the customer. The takeover of access data, the manipulation of prices in the database or the accessibility of the online-shop are some of the threats online-merchants have to face if they don’t take the necessary steps to protect their websites.

Because an attack on an online-shop doesn’t require special tools, scripts or programs, these days the potential of losing the customers’ faith through an attack on their online-shop is quite high for online-merchants that don’t protect their shops against these kinds of attacks.

What are the most common mistakes that e-tailers make in this context?

Hendrik Lennarz:
It is important to differentiate between technical mistakes in the coding or the system configuration of a shop and flaws in the procedures and workflows of the online-shop.

The classical mistake is the missing validation of the input fields of a website. This enables hackers to enter dangerous code that allows cross-site scripting, which eventually provides the hacker with access data and passwords. Needless to say, hackers like older versions of standard software because they don’t have to look for the weak spots of a site. These are mostly well known and publicly available on the websites of the software companies.

Logical mistakes are just as critical because they’re often used to prepare an attack. The display of detailed error messages often allows a trial-and-error attack on a system. If a standardized error message is issued regardless of whether the password or the username was wrong, the hacker cannot obtain any additional information. The weak spots I’ve mentioned are also referred to as “low-hanging fruits”. On one hand this means that they can easily be used for attacks by hackers, but on the other hand they can be fixed without too much time and effort.
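As an added example (not part of the interview), the following Python sketch shows the two fixes described above: a login check that returns one uniform message whether the username or the password was wrong, doing the same hashing work in both cases, and escaping of user-supplied text before it is inserted into a page. The user store, account names and passwords are constructed for this example.

```python
import hashlib
import hmac
import html
import secrets

MIN_PASSWORD_LENGTH = 8          # policy from the interview: a minimum length
GENERIC_ERROR = "Invalid username or password."

def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a leaked table does not reveal passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def _make_record(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}

# Constructed user store for the example; a real shop would use its database.
USERS = {"alice": _make_record("correct horse battery")}

# Dummy record: unknown usernames go through the same hashing work as known
# ones, so response time does not reveal whether the account exists.
_DUMMY = _make_record(secrets.token_hex(16))

def register(username: str, password: str):
    """Apply the password policy before storing a new customer account."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return (False, f"Password must be at least {MIN_PASSWORD_LENGTH} characters.")
    if username in USERS:
        return (False, "Registration failed.")   # no hint about which part failed
    USERS[username] = _make_record(password)
    return (True, "Account created.")

def login(username: str, password: str):
    """Return (success, message). The message is identical for a wrong
    username and a wrong password, so it gives the caller nothing extra."""
    record = USERS.get(username, _DUMMY)
    candidate = _hash_password(password, record["salt"])
    valid = hmac.compare_digest(candidate, record["hash"]) and username in USERS
    if not valid:
        return (False, GENERIC_ERROR)
    return (True, "Login successful.")

def render_greeting(username: str) -> str:
    """Escape user-supplied text before putting it into HTML, so a name
    containing tags is displayed literally instead of being interpreted."""
    return "Welcome, " + html.escape(username, quote=True)
```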

Input masks like the login for registered customers are mentioned very often as security risks. Should e-tailers stop using customer registration completely?

Hendrik Lennarz:
The registration sure is the target of many attacks on internet-shops. But to refrain from using this function in a shop is not the right solution because people expect a member’s area and the usability would be affected as well.

Furthermore, I think it is often not the technical solution that is the problem but the “malicious users” that are using that feature. Password restrictions like a minimum length and the use of italics can increase the security and make it much more difficult for hackers. As an e-tailer you have to find the golden way between security and usability.

Hendrik Lennarz studied business computer science at the University of Siegen with a focus on project management, IT security, IT controlling and software development. In the past he worked as a software developer for Deutsche Bank AG, Campana & Schott and DERTOUR. Today he is a web technology consultant with Trusted Shops, responsible for security audits, frontend development and online marketing. (For more information, see Hendrik Lennarz’s XING profile or his Twitter profile.)