First publishedin ITS International
Non-profit Let's Encrypt helps reduce the cost of converting to the secure HTTPS Protocol.
If a hacker can penetrate your website, they can do business as you. Joe Dysart explains how you and your customers may not discover the fraud for some time.
In the latest twist on identity theft, hackers are clandestinely taking over business websites - and then brazenly billing visiting customers as if the sites are their own.
“From the perspective of a cyber professional, I would not use the word ‘happy’ to describe my opinion of the current state of web security,” says Chuck McGregor, vice president of cybersecurity at Parsons. “It’s well known that our adversaries are constantly evolving and the threat and sophistication they pose is ever-increasing.”
While any sort of website identity theft is alarming, the version that results in a hacker taking command and control of your website - and ultimately your business dealings - is especially brutal. Under this scenario, hackers find a way to break into a website and take over all the interfaces the business’s uses to operate that website. Simultaneously, the hacker also gets access to the business’ accounts payable and receivables software, as well as its email correspondence software.
With all the tools in hand to do business as the legitimate owner, the hacker starts cutting deals with customers via the website, instructing them to wire payments for goods and services to a new bank account - one owned and operated by the hacker. After a few quick deals and lots of laughs, the hacker vanishes - along with all the cash that has been wired to their bank account.
Ultimately, the victimised business only finds out about the scam weeks or months later, when hordes of angry customers start calling, demanding goods and services that were never delivered. Perhaps most unsettling about this new spin on cybercrime is that, even the most strongly secured websites - properties that are maintained by technologically sophisticated, multibillion global corporations - are still vulnerable.
Indeed, IT security researcher Arun Sureshkuma, proved that reality with chilling clarity last summer, when he demonstrated how he could hack any Facebook page - and take it over as administrator - in less than 10 seconds (see index.php/2016/09/16/facebook-page-takeover-zero-day-vulnerability).
Moreover, once established as administrator, Sureshkuma could easily have set-up payment processing on the hijacked page using popular payment processors like PayPal and Stripe.
Fortunately for businesses that use Facebook, Sureshkuma alerted the social media goliath to the security glitch, and it was immediately patched. But his ruse highlighted that no business, regardless of how big or powerful it is, is immune to website identity theft. In fact, according to an April 2016 study by IT security firm Symantec, more than 75% of popular sites on the web have unpatched vulnerabilities.
Online fraud - including website identity theft - is rapidly escalating and is expected to reach $25.6 billion by 2020, up $10.7 billion from 2015, according to Juniper Research’s 2016 study, “Online Payment Fraud: Key Vertical Strategies & Management 2016-20020”. As Sureshkuma demonstrated, while few websites are impenetrable to a determined hacker, every business at least needs to give itself a fighting chance against criminals looking to hijack its web identity.
Here’s what web security experts say business owners should do to ensure their business is not perceived by hackers as ‘low-hanging fruit’:
• ‘Bullet-proof’ the website’s dashboard: Your site’s dashboard – the place where you enter your website authoring software with an ID and password to make changes and updates – needs to be super secure.
This should start with a super-strong username and password by creating both randomly – perhaps using the likes of Random’s Random Password Generator. This can create passwords and IDs up to 24 characters long that are extremely tough to crack. And you can even add two passwords together to provide even greater security.
Meanwhile, ensure the web designer adds a double-authentication requirement for entry into the site’s dashboard – a system already in use by many banking customers when accessing their online accounts. They initially enter a username and password for their account but before users can fully log in, they must enter a special numerical code the bank sends to their email account each time access is requested.
It is possible to ‘harden’ a website dashboard by only allowing access requests from pre-determined IP addresses - each computerised device can be assigned a specific IP address for identification purposes. Plus, the designer can program the website so it will be frozen after, say, three incorrect log-in attempts and can then only be accessed with human intervention from a pre-authorised IT department.
- Establish ongoing security training for staff: “Often, it’s easier [for criminals] to talk their way into an organisation’s network than it is to hack their way in with technical exploits,” says Andy Keller, cloud security manager at Decision Lens.
- Get a free Webmaster account from Google which offers a plethora of tools for site owners and can also often detect when a website has been hacked and will inform the rightful owner via their account, according to Evy Hanson, owner of Leap Online Marketing.
- Secure all website folders: While all website files and folders should have proper permissions and ownership, this basic step is often overlooked, so ensure the web designer has applied these controls. These can deny attackers the ability to upload malicious files and execute a code that can compromise not only the site, but the server as well.
- Keep all website software up-to-date: One reason web software companies continually update their software is to plug security holes, but in doing so they often inform the public about the security holes they’ve plugged. So a hacker knows where to look to find an easy way in to websites where the update has not been made, according to Leap’s Hanson.
- Be doubly careful if the website runs on Wordpress. Wordpress’s web authoring is a victim of its own popularity and has become a favourite target of hackers who know that if they find a security hole in a Wordpress site, there are probably thousands – if not millions – of other websites with the same weakness.
- Install a firewall: “A firewall routes web traffic through a separate server and determines whether it’s safe or not before allowing it to go to the website,” Hanson says. “This does not cause a delay for the end user.”
Most modern firewalls are cloud-based and are provided as a plug-and-play service for a modest monthly subscription fee.
- Install a security plugin: There are a number of free security plugins for Wordpress such as iThemes and Bulletproof Security and similar software exists for other content management systems.
- Use HTTPS Protocol: Technically speaking, HTTPS guarantees visitors that they’re talking to the server hosting the website they’re trying to each. And it guarantees that no one can intercept or change content coming from the website - or transactions between the website and visitor. Non-profit organisation Let’s Encrypt helps businesses reduce the cost of converting to HTTPS.
- Auto-scan all devices plugged into the network: The IT department can secure the system with software that automatically scans any device – such as a flash drive, external hard drive, etc. – for malware, any time such a device is attached to the network.
- Back-up frequently: As a rule of thumb, back-up both on- and off-site and keep a third off-network record that is disconnected from the network as soon as the daily back-up is made. Then, if the worst happens, everything is backed-up.
- Use a monitoring service: Services like SiteLock can monitor websites daily for malware, viruses, suspicious code, attempted break-ins and out-of-date software.
- Talk about security with the web designer: Knowing about such safeguards allows business owners to talk intelligently about website security and convey the importance of such security to the business.
- Be relentless: “Being satisfied with anything related to security indicates complacency – and complacency kills,” says Parsons’ McGregor. Mohammad Nejat Mohammad, a software director at Picomixer, agrees: “As a software engineer I believe that security on the web should always continue to improve.”