Responding to increasing consumer security expectations and hacker sophistication
The bottom line
The general public are becoming more and more aware of online security pitfalls and expect the businesses that they are sharing their details with to keep them secure, that sensitive information is kept private and services are not interrupted. Those organisations that fall short in living up to these expectations risk suffering from a lack of customer trust that ultimately results in fewer sales and hits the bottom line.
It is hard to miss that more and more people are using the internet for everything from shopping to enjoyment. We are constantly prompted for credentials and information; the internet is just one big form collecting information.
In the early days of the rise of ubiquitous usage of the internet, there was a lack of understanding about what was actually going on with the information being requested and what the implications of it not being collected correctly may be.
But now the general online public, young and old, have been educated to look for the tell-tale signs of a ‘secure’ connection when entering any sensitive information. They check that there is a padlock in their address bar and that they should not simply select links in an email but copy and paste them to prove their origin.
This is a good start however, some sites still suffer from deeper more inherent issues such as how they are storing the information once it has been ‘securely’ transmitted.
A primary example of this is access credentials; most importantly your password. There are plenty of sites out there that store your password in plain text, and when they offer a password reset functionality, generally expose their lack of security by sending your password in an email.
This type of practice has been going on for some time and only until recently it has been exposed with large brands such as Tesco, Sony, LinkedIn and Play.com to name a few being highlighted in the press for either having poor security standards or by being breached and having credentials released.
In addition to the security of passwords, it is also important to be aware of other subtle ways that an online service can expose information or be used to cause disruption. In the case of password resets, it may be possible gain information about a user or even cause them a denial of service.
Take for example that you know someone’s email address and you enter it into a site’s password reset. As soon as it says “we have sent you an email” as opposed to “records for firstname.lastname@example.org were not found” you have found out that user has an account. This may seem trivial but in some cases could be detrimental depending on the service that the site is offering.
In some circumstances, if an email address is entered, found, and the password is instantly changed and mailed to the user they have effectively locked the user out of that account until they receive the email and retrieve the new password. This could cause significant disruption especially if done on a regular basis.
Identifying the problem
There are a number of problems that face companies in light of the security implications. The first problem is that that there is no foolproof way of completely securing a system that is exposed to the internet however, it can be made more difficult for unauthorised parties to access.
In some cases, businesses are not aware that they even have a problem. This may be due to either a lack of understanding of their systems or that there has been a false representation of security put in place by regular penetration testing that won’t expose such vulnerabilities or leaking of additional information.
In some cases businesses find out when it is too late; either being exposed by end users via social media or via other websites or forums. The damage caused to brand reputation impacts directly upon transaction and profit levels. Examples of this include when Tesco was exposed on twitter and Plain Text Offenders, a site dedicated to exposing sites that are known to store passwords in plain text.
Once aware of the problem, businesses have the challenge of making changes to their existing system. This may not be as easy as it may seem as the system that requires the change may be legacy systems, line of business or there may simply be a lack of funding available.
What can be done?
The risks surrounding making changes can be mitigated by taking a considered and phased approach that is well tested. In the case of passwords that are already one way encrypted, security might be further enhanced by an additional level of security using a salted hash and a different ‘slower’ hashing algorithm. Using a salted hash and an algorithm that is more CPU intensive and as such slower to compute makes decrypting passwords tedious for the hacker as it will simply take longer to break the passwords using rainbow tables and high end GPU’s.
When changes are made to authentication systems communication with the end user is vital. Keeping the user informed will ensure that they continue to trust a brand and reinforces the genuine security concern the company has for its customers.
The lack of funding is a business problem and a considered business case needs to be undertaken to understand the financial risk of damage to the brand against the initial cost of the transition.