In March of 2007 online auction powerhouse eBay was
hit repeatedly by a hacker identifying himself as
Vladuz, believed to be a Romanian fraudster long sought
by Romanian police. Vladuz posted his name on several
eBay pages and taunted eBay to catch him. He was after
more than fame, though. According to an article in
eWeek, Vladuz was also posting fake items for sale
faster than eBay could take them down, and the
payments by the winning bidders went to him. Vladuz
also posted the account information of 15 individuals,
including their banking details, mothers' maiden names,
credit card numbers, and much more.
How bad the Vladuz incident was depends on who you
listen to. According to eBay, Vladuz did nothing more
than many other hackers have done at eBay. According to
eBay's critics (especially at firemeg.com), Vladuz was
either extremely lucky or one of the most talented,
and dangerous, hackers in the history of e-commerce.
In any case, the incident raised a lot of issues that
any business selling products or services on the
Internet ought to consider. If a security breach can
happen to a company with eBay's resources, it can
happen to smaller businesses, too.
All things considered, it's hard to believe eBay's
version of the incident. For public relations' sake,
eBay has a lot of reasons to minimize the damage Vladuz
caused, and some of the things Vladuz did on the eBay site
have rarely been seen before.
Among other things, Vladuz made postings to different
groups on the eBay Website that only an eBay employee
should have had the access rights to make.
In addition, the rate and volume of the fake auctions
Vladuz was posting, using stolen but still valid user
accounts, could only have been achieved if Vladuz had
broken through the security surrounding eBay's seller
account databases and was using some kind of automated
tool to make the auction postings. Even a large team of
people could not have posted so many items in so little
time (by some estimates over a million fake items were
posted by Vladuz).
In fact it is likely that there are eBay-specific
software tools for sale designed to help hackers
rip off eBay customers, just as rootkits and rootkit
techniques are published at rootkit.com for somewhat
similar purposes. Given eBay's size, it's not only a
natural target for hackers, it's a big enough target
that it would be economical to develop and market
software for the sole purpose of bilking eBay buyers
out of their money. If true, it's probably only a
matter of time before other hacker applications are
created that target specific shopping cart
applications, and that could spell trouble for smaller
businesses online.
Most small businesses don't even have a security
staff, let alone one that continuously monitors the
security of their e-commerce Website. For smaller
businesses, it's more likely that customers will
notice a security breach before anyone inside the
business does, and because of that businesses need to
have a system in place that brings security problems
reported by customers to the attention of the right
people. Setting up a process for this is actually
fairly easy.
Many of the companies used as bait by phishing
attacks, like PayPal and Washington Mutual, have a
dedicated email address for customers to report
phishing attempts to. Phishing attacks send out email
asking consumers to update their ID or account
information and threaten consumers with suspension of
their account if they don't provide the information. A
few of the millions of people who receive these
phishing attempts fall for them, but the correct
response is to forward the email to the security
section of the company being used as bait. Usually
it's spoof@something.com or some variation, like
fraud@something.com.
This approach costs little if anything to implement,
and it could save your company a lot of heartache and
expense. If you have an e-commerce Website, you need
to make your customers aware of where they should send
email if they see anything suspicious, and you need to
designate a person, or team, to monitor that mailbox
continuously.
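The first thing the person watching a spoof@ or fraud@ mailbox has to do with each forwarded message is decide whether it actually impersonates the business, and how urgently. The script below is an added example of that triage step; it is not code from the original article or from any of the companies it mentions. It assumes a hypothetical business whose only genuine web domain is example-shop.com, and it works on a constructed sample report rather than a real one. It pulls every URL out of the forwarded message, compares each link's host against the genuine domains, flags hosts that merely contain the brand name under someone else's domain (including the common digit-for-letter substitutions), and, for HTML mail, flags links whose visible text shows one site while the href points at another. The "last two labels" rule for the registrable domain is a simplification; production code should use the Public Suffix List.

```python
"""Triage a customer-forwarded phishing report from a spoof@/fraud@ mailbox.

Added example, not part of the original article. Assumptions: the business's
genuine domains are the (hypothetical) entries in LEGIT_DOMAINS, reports arrive
as raw RFC 822 text, and a registrable domain is approximated by the last two
labels of a host name (a stand-in for the Public Suffix List).
"""
import json
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: the company's real web domains (hypothetical name).
LEGIT_DOMAINS = {"example-shop.com"}
# Brand tokens an attacker would reuse, e.g. "example-shop".
BRAND_TOKENS = {d.split(".")[0] for d in LEGIT_DOMAINS}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
# Collapse the usual digit-for-letter swaps (examp1e, g00gle) before matching.
FOLD = str.maketrans("01", "ol")


def registrable(host: str) -> str:
    """Crude registrable-domain guess: 'a.b.evil.test' -> 'evil.test'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unknown' for a link host."""
    host = host.lower().rstrip(".")
    if registrable(host) in LEGIT_DOMAINS:
        return "legitimate"
    # Only fold after the exact check: examp1e-shop.com must not fold into
    # example-shop.com and be accepted as genuine.
    if any(tok in host.translate(FOLD) for tok in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower().rstrip(".")


def text_parts(msg):
    """Yield (content_type, decoded text) for every text/* part of a message."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        yield part.get_content_type(), payload.decode(charset, errors="replace")


def triage(raw_report: str) -> dict:
    """Parse one forwarded report and rate it low/medium/high."""
    msg = message_from_string(raw_report)
    findings = []
    for ctype, text in text_parts(msg):
        for url in URL_RE.findall(text):
            h = host_of(url)
            findings.append({"url": url, "host": h, "verdict": classify_host(h)})
        if ctype == "text/html":
            # Visible link text that names one site while href goes elsewhere.
            for href, label in ANCHOR_RE.findall(text):
                shown = URL_RE.search(TAG_RE.sub("", label))
                if shown and host_of(shown.group()) != host_of(href):
                    findings.append({"url": href, "host": host_of(href),
                                     "verdict": "link-text-mismatch"})
    verdicts = {f["verdict"] for f in findings}
    if verdicts & {"lookalike", "link-text-mismatch"}:
        severity = "high"
    elif "unknown" in verdicts:
        severity = "medium"
    else:
        severity = "low"
    return {"reporter": msg.get("From", ""), "subject": msg.get("Subject", ""),
            "severity": severity, "findings": findings}


# Constructed sample report: a customer forwarding a phishing mail that
# hides the brand name under the attacker's domain account-verify.test.
SAMPLE_REPORT = """\
From: customer@mail.example
To: spoof@example-shop.com
Subject: Fwd: Your account will be suspended
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

I got this and it looks fake.

---------- Forwarded message ----------
From: "Example Shop Security" <security@example-shop.com.account-verify.test>
Subject: Your account will be suspended

Update your details within 24 hours at
http://example-shop.com.account-verify.test/update or your account
will be suspended.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Update your details at
<a href="http://example-shop.com.account-verify.test/update">https://www.example-shop.com/account</a>
within 24 hours.</p></body></html>
--b1--
"""

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))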

Another thing your online business needs to do is
understand and comply with the growing number and
complexity of state and federal laws regarding what
companies are required to do after a known security
breach. In California the relevant provisions are in the
Civil Code. Section 1798.29, quoted below, is the version
that applies to state agencies; section 1798.82 imposes
the same notification duty on any person or business that
conducts business in California:
1798.29. (a) Any agency that owns or licenses
computerized data that includes personal information
shall disclose any breach of the security of the
system following discovery or notification of the
breach in the security of the data to any resident of
California whose unencrypted personal information was,
or is reasonably believed to have been, acquired by an
unauthorized person. The disclosure shall be made in
the most expedient time possible and without
unreasonable delay, consistent with the legitimate
needs of law enforcement, as provided in subdivision
(c), or any measures necessary to determine the scope
of the breach and restore the reasonable integrity of
the data system.
1798.84. (a) Any customer injured by a violation of
this title may institute a civil action to recover
damages.
(b) Any business that violates, proposes to
violate, or has violated this title may be enjoined.
(c) The rights and remedies available under this
section are cumulative to each other and to any other
rights and remedies available under law.
In effect, even if a business was not responsible for
the security breach in the first place, failing to
notify affected customers without unreasonable delay
exposes it to civil suits for damages by any customer
who is injured, and to an injunction.
With identity theft becoming one of the most common
and expensive crimes consumers may be subjected to, we
can expect many states to follow California's lead,
and possibly go even further. This means every
business should have a process in place to notify
customers when their account information has been
compromised. It can be done by phone, email or
certified letter, as long as it is done promptly, and
the process has to include a way to work out which
customers and which data were affected, since that is
what the notice must describe. Waiting until a breach
happens to set up the notification process is a bad
idea.
It may be impossible to prevent security breaches, but
it is definitely possible to minimize the damage they
can cause businesses and their customers, and the
sooner your business prepares for the worst, the
better off you and your customers will be.
Glen Emerson Morris has worked as a technology consultant for Network Associates, Yahoo!, Ariba, WebMD, Inktomi, Adobe, Apple and Radius, and is the developer of the Advertising & Marketing Review Data CD.