Most hackers use the same forms on the same Web pages where legitimate customers input their information, but hackers input special combinations of characters that can give them access to the database behind the application — with its trove of personal customer information — or let them take control of a site as if they were the owner.
The shopping cart software Smith used was vulnerable to two hacking techniques that he says were unheard of five years ago when the original cart software was developed. Since then, they've become so widespread that it's easy to find instructions on how to use them by Googling their names — SQL injection and cross-site scripting.
In SQL injection hacking, the perpetrator goes to a merchant site and inputs special character sequences in the User Name and Password fields. A vulnerable SQL-based application on the server pastes them into its database query, where they are interpreted (correctly, from the database's point of view) as commands rather than simple data input. One character sequence, for example, tells the software to accept as valid all user names and passwords entered from that point on.
[Image caption] Mission Control: ScanAlert's software reports on all vulnerabilities found on the site and displays the results over a five-day period.
"I have to admit, it's very, very clever," Smith says. "It's pretty easy to fix if you know about it, but you have to know about it."
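To make the login case concrete, here is an added example (not ScanAlert's, Smith's or the shopping cart's code, and not from the article) in Python against an in-memory SQLite table: a login check that pastes the form fields into the SQL text, beside the parameterized version that treats the same input as plain data. The table, the account and the inputs are constructed for the demo.

```python
import sqlite3

# Constructed demo database with a single customer account.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # The pre-upgrade pattern: form fields are spliced into the query string,
    # so the database parses whatever the visitor typed as part of the SQL.
    sql = (f"SELECT COUNT(*) FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0

def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # The fix: bound parameters keep the input as data. A quote character in
    # the input never reaches the SQL parser as syntax.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0

# The kind of "special character sequence" the article describes: it closes the
# quoted value early and appends a condition that is always true.
TAUTOLOGY = "' OR '1'='1"

def demo() -> dict:
    conn = make_db()
    return {
        "vuln_good_creds": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_bad_creds": login_vulnerable(conn, "alice", "wrong"),
        "vuln_injected": login_vulnerable(conn, "nobody", TAUTOLOGY),
        "safe_good_creds": login_parameterized(conn, "alice", "s3cret"),
        "safe_injected": login_parameterized(conn, "nobody", TAUTOLOGY),
    }

if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {accepted}")
```

The vulnerable version accepts a non-existent user with the injected string, while the parameterized version rejects it and still accepts the real credentials.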
Cross-site scripting attacks exploit vulnerabilities at sites where the data entry page posts customers' input to a second page before completing the transaction. The site may be secure enough that the second page will not accept application commands from the first. But hackers have found ways to create their own bogus first pages, which then allow them to send commands to the application via the second page.
These are just two of thousands of vulnerabilities for which ScanAlert monitors, Shebby says. Some are application specific, others are more generic and can even be found in internally developed Web applications. Some are widely used by hackers; others are very rare. ScanAlert tests every site for all of them.
It uses automated systems to scan subscribers' Web sites every day. Daily scanning is essential, the company says, because many Web sites change on an almost daily basis — and any change could expose an existing vulnerability. Hackers are also uncovering and exploiting entirely new vulnerabilities all the time. As soon as the company learns of new ones, it adds them to its scanning software.
"Our scans are perfectly safe," Shebby adds. "We scan thousands of Web sites a day and we have no problems with servers not being able to handle them. It's a very stable technology. It's also very low noise — it never overloads the server."
A Sign of Security
The ScanAlert service is mainly intended as a preventative measure, but the certification process brings additional benefits. The company says Hacker Safe certification signifies a Web site has "reduced its vulnerability to hackers by 99.99 percent by meeting the highest government and industry security standards." ScanAlert tests to its own standards — which Shebby claims are the most stringent in the market — and also to Visa, MasterCard and FBI standards.
The company claims research shows that the presence of its Hacker Safe certification mark can also increase sales at a Web site. In one 2002 study conducted with 25,000 Internet shoppers at Binoculars.com, 50 percent of visitors saw the certification mark while the other 50 percent did not. The results showed 32 percent more shoppers purchased after seeing the certification mark.
Certainly online consumers are growing more concerned about the security risks involved in shopping on the Web. In an annual survey conducted by the TRUSTe organization — which is now partnering with ScanAlert to offer privacy and security certification — 44 percent of participants cited fear of credit card theft as a concern about online shopping. This is up from 30 percent in 2003.
Smith's client opted to take the ScanAlert service for only one month to ensure the shopping cart software upgrade eliminated the vulnerabilities that had allowed hackers to get in the first place. Smith, who says he won't be satisfied until the site goes six months without further incident, has urged the client to subscribe for a year, arguing that it would restore trust among customers affected by the earlier incidents.
"To me it's the responsible thing to do," he says. "But the clients I deal with are mostly very small — $2,000 is a lot of money to them. They're more apt to say, 'Let's just wait and see what happens.'"
Which of course could be a big, big mistake.
Based in London, Canada, Gerry Blackwell has been writing about information technology and telecommunications for a variety of print and online publications since the 1980s. Just for fun, he also authors features and columns on digital photography for Here's How, a spiffy new Canadian consumer technology magazine.