Web developer Dave Smith wasn't entirely surprised when one of his clients, a small clothing e-tailer in southern California, came to him recently and said the site Smith developed for him had been hacked.
Smith is not his real name, and he won't tell us his client's name — even off the record. "It would just be so damaging for him if this came out," he says.
Hacking is the dirty little secret of the e-commerce world. It has become a major risk factor for Web merchants, especially under-resourced small businesses. Hackers can break in to servers through Web applications and steal customer credit card information, or worse.
Developers like Smith who cater to small merchants know about many of the vulnerabilities and make sure they protect their clients, but they can't know about all of them, especially if they use off-the-shelf components, as Smith did. It was the shopping cart software he used that turned out to be the weak link at this particular site.
As in most such cases, the site owner found out about the vulnerability only when an angry customer called to say that someone had used his credit card illegally — and that this was the only site at which he'd personally bought anything with the card.
When Smith investigated, he found that the version of the shopping cart software used at the site did in fact have known hacker vulnerabilities. They had been fixed in a subsequent upgrade, and the software company had also posted coding changes that site developers could implement to remove vulnerabilities in older versions.
But a few weeks after Smith made the recommended changes, his client reported more angry customers claiming their credit card information had been recently stolen. "That was enough for us to bring down the site," Smith says.
It Could Happen to You
The impact of the hacking was considerable. His client had lost the trust of several valued customers. Voluntarily shutting down the site resulted in further loss of revenue. And the only solution was either an extensive overhaul of the site using different software — dismissed as far too expensive — or a full upgrade to the latest version of the existing shopping cart software. Even the less expensive option ended up costing "a few thousand" dollars, Smith says.
"But my client said to me, 'How do we even know this upgrade will fix the problem?'" he recalls "You know, I don't know how to answer that. The problem is just so subtle."
Seal of Approval: ScanAlert's Hacker Safe logo certifies that an e-tailer has taken steps to protect the site – and customers – from hackers.
That's when he went looking for a solution and found ScanAlert Inc., a Web security auditing and monitoring firm that certifies sites "Hacker Safe" and allows them to display a certification mark similar to companies such as TRUSTe's that certify sites as having acceptable privacy policies.
He rebuilt the site using the upgraded shopping cart software. ScanAlert automatically scanned both the new site before it went live and the old one that was still using the patched older version of the cart software. The new one showed no vulnerabilities, the old one remained hacker unsafe.
Smith's client is one of the relatively lucky hacking victims, says ScanAlert director of customer support Scott Shebby.
"Eventually, credit card companies get wind of the fact that a site has vulnerabilities," Shebby says. "They have ways to track it back. And when they do, they make sure you're shut down and that you can only get back up again on their terms."
That could mean being out of business on the Web for a month — disastrous for Web-only merchants — and technology fixes that could cost $20,000 or more. This is just one reason it makes sense to use the ScanAlert service, Shebby argues. At as little as $179 a month (with a one-year contract), ScanAlert prevention costs less than a cure.
Hackers stealing your customers' credit card information is bad enough, but it's not the worst thing that can happen. Clever hackers could also take control of your Web site or servers and use them to sell illegal merchandise or mount attacks on other sites. Shebby hasn't heard of Web merchants being sued or prosecuted for not ensuring their sites are secure, but believes it is the direction things are headed.
