Fraud and Hacks: Prevention and Recovery
It is officially open season on small businesses. Hackers, phishers, spammers and fraudsters often use small businesses as target practice before going after the big guys, though it’s news that rarely makes the headlines. No one really knows the true impact of online security breaches: according to the FBI and the Computer Security Institute, only 20 percent of businesses reported computer intrusions to law enforcement. The reason for the silence is obvious: many companies keep the episodes quiet so their public images aren’t tarnished. But just because no one is talking about security breaches publicly doesn’t mean they aren’t happening. And every online merchant knows the threat of bogus credit card purchases never goes away. Just as you back up your data and make sure your payment transactions are secure, prudent e-tailers should take steps to protect themselves from external vulnerabilities. And, in the case of credit card fraud, you can never be too vigilant. Here we’ll show you the best ways to protect yourself from attacks and credit card scams, and how to recover from a security breach should you come under attack.
Prevention Triage for Security Attacks
The first step, says Ken Dwight, author of Bug-Free Computing: Stop Viruses, Squash Worms and Smash Trojan Horses, is to realize that times have drastically changed. “It used to be that you knew you had a virus right away because weird things started happening with your computer. Today most threats are asymptomatic. The money-making aspect comes from the intent to use your computer or network as a host for sending spam, password grazing and critical data pilfering.”
The second and most critical step starts and ends with employees. They are the key to keeping systems safe and protected, and as such are the first line of defense. Educating them is very much like bolstering the forces of a mini-army that can help create a human firewall: an informed, prepared barrier between the company’s data and the outside world. Technology expert Ted Demopoulos explains, “Small retailers assume that security is a technology issue and that the problem can be solved only with technology. It’s not a technology problem. Security is a process.”
The third step is to develop and implement a comprehensive, written technology strategy that includes data security. Not only will it help you determine which technology will help you achieve your business goals, it will also help pinpoint unforeseen areas of vulnerability, because anti-virus software alone just isn’t sufficient.
Those are the basics, but there are a number of other ways you can protect your business and your bottom line. Roger Thompson, CTO of Exploit Prevention Labs, stresses the importance of making sure your Internet Service Provider (ISP) is diligent about applying security patches. “A lot of the smaller ISPs are not as diligent as the larger ISPs. Retailers should question the ISP about how often they update security patches. It sounds like a simple step but it’s really important.” The same question applies to whoever hosts your storefront, and to your own systems: an unpatched shopping cart or web server is exposed no matter how diligent the ISP is.
And there’s the ever-present challenge of managing credit card transactions.
Merchants are now being held financially liable for data breaches, with fines of up to $250,000 plus $25 per compromised record. “Never store credit card data. Use a service that will store your credit card data for you. Many online retailers don’t understand the intense liability of storing credit card data. It’s been the downfall of a number of merchants who have small-ticket items,” says Richard J. Gordon, CEO of Bold New World, an e-commerce development company. In practice that means letting your payment processor hold the card number and handing you back an opaque token or transaction ID, which is all you need to reference the card for refunds or repeat orders.
Flagging Credit Card Activity
When it comes to credit card scams, filters and automated fraud-detection mechanisms will flag suspicious activity before goods ship, and implementing them doesn’t have to be expensive or time-consuming. In the Forrester Research, Inc. report “Are Your Online Customers for Real: Online Credit Card Fraud Detection Services,” analyst Laura Koetzle recommends filters as the best option for small Web shop owners. Filters are a prescribed set of rules that examine transactions for known signals of fraud, says Koetzle, and payment vendors such as PayPal and Authorize.net provide customizable ones you can employ. The most common, according to the report, include:
- Mismatched Addresses - the shipping address differs from the billing address, especially when the goods are to be shipped overseas.
- Frequent Repeat Buying - multiple orders from a single IP address within a short time frame.
- Card Blacklist - the detection vendor maintains a list of cards known to have been used fraudulently, for cross-referencing.
- Amount Threshold - if the total differs significantly from typical orders, investigation is warranted. (Thieves often test a stolen card with a small order to see whether it’s still valid, then follow with a large one.)
Additionally, Koetzle recommends that e-tailers use address verification products such as QuickAddress to ensure that billing addresses actually exist. She also recommends contacting customers by phone or e-mail to verify a suspicious order, and requiring the card verification code (the three- or four-digit number printed on the card, usually on the back) as a back-up check. That code is not encoded on the card’s magnetic stripe and the card brands forbid merchants from storing it after authorization, so a thief working from copied or leaked card data often doesn’t have it. For the same reason, verify the code during authorization and then discard it; never write it to your own database or logs. Another tip: obtain an authorization from the card issuer, confirming that funds are available, before shipping the order.
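The rules above, written out as a small scoring filter. This is example code added to the article, not code from Forrester, PayPal or Authorize.net; the rule weights, the review threshold, the field names and the sample orders are all assumptions chosen for illustration, and should be tuned against your own order history. The filter takes the processor's AVS and card-verification results as inputs rather than the card data itself, and matches the blacklist on the processor's token, so the merchant never holds a card number:

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median


@dataclass
class Order:
    order_id: str
    placed_at: datetime
    amount: float
    ip: str
    billing_country: str
    shipping_country: str
    ship_to_billing: bool  # True when the shipping address equals the billing address
    card_token: str        # opaque token from the payment processor; the card number is never stored here
    avs_match: bool        # processor's address-verification (AVS) result for the billing address
    cvv_match: bool        # processor's card-verification-code result


@dataclass
class Decision:
    score: int = 0
    reasons: list = field(default_factory=list)

    def flagged(self, threshold: int = 50) -> bool:
        """Orders scoring at or above the threshold are held for manual review before shipping."""
        return self.score >= threshold


class FraudFilter:
    def __init__(self, blacklisted_tokens, typical_amounts, home_country="US",
                 velocity_window=timedelta(minutes=10), velocity_limit=3):
        self.blacklist = set(blacklisted_tokens)   # tokens of cards seen in confirmed fraud
        self.typical = median(typical_amounts)     # typical order value from past sales
        self.home = home_country
        self.window = velocity_window
        self.limit = velocity_limit
        self.recent_by_ip = defaultdict(list)      # ip -> timestamps of recent orders

    def evaluate(self, order: Order) -> Decision:
        d = Decision()
        # Rule 1: mismatched addresses, weighted higher when the goods cross a border.
        if not order.ship_to_billing:
            if order.shipping_country != order.billing_country:
                d.score += 40
                d.reasons.append("ship-to differs from billing and crosses a border")
            else:
                d.score += 15
                d.reasons.append("ship-to differs from billing address")
        if order.shipping_country != self.home:
            d.score += 10
            d.reasons.append("shipping overseas")
        # Rule 2: frequent repeat buying from one IP inside the window.
        recent = [t for t in self.recent_by_ip[order.ip] if order.placed_at - t <= self.window]
        recent.append(order.placed_at)
        self.recent_by_ip[order.ip] = recent
        if len(recent) > self.limit:
            d.score += 35
            d.reasons.append(f"{len(recent)} orders from {order.ip} within {self.window}")
        # Rule 3: card blacklist, matched on the processor token rather than the card number.
        if order.card_token in self.blacklist:
            d.score += 100
            d.reasons.append("card token on blacklist")
        # Rule 4: amount threshold in both directions: a tiny order is how a thief tests
        # a stolen card, an unusually large one is how the card gets cashed out.
        ratio = order.amount / self.typical
        if ratio < 0.1:
            d.score += 20
            d.reasons.append(f"amount {order.amount:.2f} looks like a card test")
        elif ratio > 5:
            d.score += 30
            d.reasons.append(f"amount {order.amount:.2f} far above typical {self.typical:.2f}")
        # Rule 5: verification results the processor returned at authorization time.
        if not order.avs_match:
            d.score += 25
            d.reasons.append("AVS mismatch")
        if not order.cvv_match:
            d.score += 30
            d.reasons.append("card verification code mismatch")
        return d


def demo():
    """Run the filter over constructed sample orders (not real data); returns {order_id: Decision}."""
    t0 = datetime(2007, 1, 31, 9, 0, 0)
    f = FraudFilter(blacklisted_tokens={"tok_bad"}, typical_amounts=[40, 55, 60, 48, 52])
    same_ip = "198.51.100.5"  # four one-dollar orders from here in four minutes: card testing
    orders = [
        Order("A1", t0, 50.00, "203.0.113.10", "US", "US", True, "tok_a", True, True),
        Order("B1", t0 + timedelta(minutes=1), 300.00, "203.0.113.20", "US", "NG", False, "tok_b", True, False),
    ] + [
        Order(f"C{i}", t0 + timedelta(minutes=1 + i), 1.00, same_ip, "US", "US", True, f"tok_c{i}", True, True)
        for i in range(1, 5)
    ] + [Order("D1", t0 + timedelta(minutes=6), 45.00, "203.0.113.30", "US", "US", True, "tok_bad", True, True)]
    return {o.order_id: f.evaluate(o) for o in orders}


if __name__ == "__main__":
    for oid, d in demo().items():
        print(oid, d.score, "HOLD" if d.flagged() else "ship", d.reasons)
```

In the sample run the clean order A1 ships, the cross-border order with a failed verification code (B1) and the blacklisted card (D1) are held, and the one-dollar card tests from one IP only cross the review threshold on the fourth order, once the velocity rule fires on top of the small-amount rule. A real deployment would feed the held orders to a person for the phone or e-mail check described above rather than rejecting them outright.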
Getting Back to System Status Quo
If you are unfortunate enough to suffer a security breach, the first order of business is to focus all efforts on sealing the leak and bringing business systems back to a stable state. If an account has been compromised, freeze it and watch closely for any access attempts or changes. If the company Web site or other servers have been attacked, close off all access points and detach the affected machines from the rest of the network to contain the intrusion and avoid a domino effect. Before you wipe or rebuild anything, preserve the evidence: copy off the logs and, where practical, take a disk image, because the investigation described next depends on them. Contacting the authorities is also an option.
The Breach Autopsy
The next task is to determine the source of the compromise. This step is critical because without this knowledge the vulnerability remains a mystery, leaving the business susceptible to future and more disruptive attacks. Some of the questions to ask your technology team are: Was this an inside or an outside job? How did the intruders gain access? When did they gain access? Were there any signs that were ignored or set aside to be investigated later? What tools did they use to exploit the system? Taking the time to conduct a thorough investigation will shed light on the source of the problem and will pinpoint other weak points in the company’s infrastructure. If the weak link is an employee, determine whether the attack was intentional or simply the result of poor judgment. It also wouldn’t hurt to hold an impromptu staff training session on data security and fraud prevention to drive the point home.
To Disclose or Not to Disclose
It is at this time that company management must decide whether the affected information warrants full disclosure to parties that may suffer losses as a result of the breach, and whether that disclosure should occur immediately or later on. Bear in mind that in many jurisdictions breach-notification laws remove much of that discretion: if personal data such as names together with account or card numbers was exposed, notifying the affected people is required, not optional. Many companies choose to save face at the outset and regret it later when lawsuits start pouring in. The public knows that companies that have nothing to hide, hide nothing. Customers and clients would much rather be told by the business in which they have placed their trust than find out through the Internet rumor mill.
Policy and Procedure Review
Once you’ve contained the breach and identified the source of the weakness, update your policies and procedures, if applicable, to include the latest findings. If there are no written procedures, use this as an opportunity to develop them. They needn’t be fancy, just the basics written in plain, easy-to-understand language.
The Post-Incident Test
To avoid a false sense of security, it is critical to test the system to ensure that the weak link has been fully repaired. Consulting firms known as ethical hacking companies, some led by former not-so-ethical hackers, will put the infrastructure through the rigors of a “sanctioned attack” for a modest fee. This is not strictly necessary, but it may give some business owners the peace of mind needed to regroup and recuperate.
Disclosure Done Right
We come full circle to the issue of disclosure. If you have determined that a customer’s, vendor’s or partner’s confidential information has been compromised, take the following steps:
- The company that experienced the breach must break the news to the injured parties itself. It is considered poor form to have attorneys or public relations reps contact affected parties. The news should be delivered by the owner of the company, ideally through a postal letter that references an online video, followed by a supporting e-mail. Keep that e-mail free of links or forms asking for passwords or card details; phishers imitate breach notices, and your genuine one should not look like one.
- Avoid tossing blame around. Accept and own responsibility. Research shows that doctors who have solid, up-front, responsible relationships with their patients are less likely to be sued even when they are clearly at fault than doctors who may be only marginally at fault but who excel at passing the buck. Surely this line of reasoning extends to business matters.
- Be honest about the nature of the breach. This is not the time to embellish the truth or take creative license with “spin control.” Let the affected people know what happened and what measures you’re taking to wrap up loose ends and avoid future incidents.
- Don’t engage in drama; disclose only the core facts. People who are just finding out that their home address or debit card number may be in the hands of a criminal aren’t interested in intricate technical details. Additionally, providing too much information may present a serious liability for the company, while providing too little may seem suspect or skittish.
- Provide a single point of contact for anyone who has questions. Take three minutes to create a dedicated e-mail address and provide one phone number for an internal decision-maker in the company. Customers and clients will only be further annoyed if they call for more information and the person on the receiving end is ignorant of the situation or has no power to make even small decisions about the matter.
Bottom Line
In the end, remember that a security breach does not have to be a death sentence. There are ways to recover from fraud and attacks, but it depends on knowing your customers and vendors and respecting them enough to treat them as valued allies. No business is perfect, and in this day of hyped marketing, creative accounting and public relations double-talk, people truly value honesty and integrity. After all, people do business with businesses they know, like and trust. And protecting yourself from credit card fraud can be easier than you think: make the time to set up filters and rules that flag suspicious activity.
January 31, 2007
By Lena West
Lena L. West is the CEO of xynoMedia Technology, a company that helps high-growth companies use technology to do more so they can earn more.
This article was first published on Ecommerce-guide.com.