Half of all Websites are vulnerable to database attacks, according to security data collected from 27,000 ScanAlert customers for a recently published report. Forty-five percent of Websites had a serious database vulnerability such as SQL injection, while 50% had cross-site scripting (XSS) vulnerabilities (before we helped the sites correct the problems, of course).
Without question, it is a gloomy portrait of the security of software applications used by online merchants. When you apply these percentages to the millions of Websites that sell products and services online, the big picture gets very scary very quickly.
The scary stuff starts with SQL injection. Categorized as a critical security risk, this class of software vulnerability enables hackers to penetrate databases to steal confidential information needed for fraud and identity theft. SQL injection holes have been the entry point for many of the most devastating Website attacks in recent years and may also have been used in the recent T.J. Maxx theft in which millions of credit-card numbers were stolen. The presence of database vulnerabilities also does not appear to be influenced by the size of a Website’s operations: although SQL injection is more prevalent on smaller sites, we often find these vulnerabilities on sites belonging to well-known brands.
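To make the SQL injection class concrete, here is an added example (not code from the article or from ScanAlert) showing the defect side by side with its fix. It uses Python's built-in sqlite3 module against an in-memory table of constructed, obviously fake customer rows; the table, column names and the hostile input string are all assumptions made for the demonstration. The vulnerable lookup builds the query by string concatenation, so a value containing a quote changes the meaning of the WHERE clause; the safe lookup sends the value as a bound parameter, so the database never parses it as SQL.

```python
import sqlite3

# Constructed sample rows for the demonstration; these are not real records.
CUSTOMERS = [
    ("alice", "4111-xxxx-xxxx-1111"),
    ("bob", "5500-xxxx-xxxx-0004"),
]


def make_db():
    """Create an in-memory database with a hypothetical customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """VULNERABLE: the untrusted value is spliced into the SQL text itself."""
    sql = "SELECT username, card FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """FIXED: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT username, card FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a benign and a hostile input; returns row counts."""
    conn = make_db()
    benign = "alice"
    # Constructed tautology input: closes the string literal and appends
    # a condition that is always true, so the vulnerable query matches every row.
    hostile = "' OR '1'='1"
    return {
        "benign_vulnerable": len(lookup_vulnerable(conn, benign)),
        "benign_safe": len(lookup_safe(conn, benign)),
        "hostile_vulnerable": len(lookup_vulnerable(conn, hostile)),
        "hostile_safe": len(lookup_safe(conn, hostile)),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows} row(s)")
```

With the benign name both versions return one row. With the hostile value the concatenated query returns every card in the table, while the parameterised query returns nothing because it looks for a customer literally named `' OR '1'='1`. The same fix applies in any language; in PHP it is prepared statements through PDO or mysqli rather than building the query string by hand.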
Although XSS vulnerabilities do not provide access to the database, we also see them as a growing threat. Hackers typically combine XSS holes with e-mail and phishing links to trick unsuspecting people into visiting hacker-owned sites where they will unknowingly provide personal information such as credit-card numbers. Although we have yet to see XSS vulnerabilities exploited to the same degree as database holes, they do carry risks that will only increase as hackers become more adept at getting consumers to click on links.
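The root cause of XSS is the mirror image of SQL injection: untrusted input is written into a response that the browser interprets as markup. The following added example (again not the article's or ScanAlert's code) shows a greeting page that reflects a query parameter verbatim beside the corrected version, using Python's standard html.escape for output encoding. The page fragments and the hostile inputs are constructed for the demonstration, and the small check at the end is the kind of assertion a developer can run over templates to confirm that nothing with HTML meaning is reflected unencoded.

```python
import html


def render_greeting_vulnerable(name):
    """VULNERABLE: the untrusted value lands in the HTML body untouched."""
    return "<p>Welcome back, " + name + "!</p>"


def render_greeting_safe(name):
    """FIXED for body context: <, >, &, and quotes become entities."""
    return "<p>Welcome back, " + html.escape(name, quote=True) + "!</p>"


def render_search_box_vulnerable(query):
    """VULNERABLE in attribute context: a double quote ends the value."""
    return '<input type="text" value="' + query + '">'


def render_search_box_safe(query):
    """FIXED for attribute context; quote=True is essential here."""
    return '<input type="text" value="' + html.escape(query, quote=True) + '">'


def reflected_verbatim(rendered, untrusted):
    """True when input containing HTML metacharacters appears unchanged in the output.

    Used as a self-check: a safe renderer should never return True for such input.
    """
    has_meta = any(c in untrusted for c in '<>&"\'')
    return has_meta and untrusted in rendered


def demo():
    # Constructed hostile inputs: a script tag for body context and a
    # quote-breaking fragment for attribute context.
    body_payload = "<script>alert(1)</script>"
    attr_payload = '" onmouseover="alert(1)'
    return {
        "body_vulnerable": reflected_verbatim(render_greeting_vulnerable(body_payload), body_payload),
        "body_safe": reflected_verbatim(render_greeting_safe(body_payload), body_payload),
        "attr_vulnerable": reflected_verbatim(render_search_box_vulnerable(attr_payload), attr_payload),
        "attr_safe": reflected_verbatim(render_search_box_safe(attr_payload), attr_payload),
    }


if __name__ == "__main__":
    for label, leaked in demo().items():
        print(f"{label}: {'reflected unencoded' if leaked else 'encoded'}")
```

The attribute case is included because encoding only `<` and `>` is a common half-fix: inside a quoted attribute the dangerous character is the quote itself, and `html.escape` only neutralises it when `quote=True` (its default). Encoding must match the context the value is written into; a value placed inside a script block or a URL needs a different encoder than the HTML body.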
Microsoft, whose Internet Explorer Web browser is a favorite target for hackers, was again in the crosshairs. Websites using Microsoft’s IIS server software were twice as likely to have serious database vulnerabilities as those using the Apache open-source server software. Cross-site scripting, however, was slightly more prevalent on sites running Apache than IIS.
Looking at other e-commerce security trends, we expect the wildly popular PHP programming language to continue to provide a bounty of opportunities for hackers. PHP has been used to create every type of software program needed to operate an online store, including shopping carts, payment systems, and newsletter applications. Unfortunately, PHP developers sometimes appear to emphasize functionality over security; for instance, our researchers recently uncovered critical security vulnerabilities in several PHP programs.
Visa, MasterCard, and American Express may have the greatest role in forcing change due to the Payment Card Industry Data Security Standard (PCI DSS). The payment-card industry, which introduced strict security standards three years ago, is finally showing that it is serious about mandating PCI DSS compliance.
The PCI DSS, which applies to almost every merchant that accepts credit-card payments, makes it almost impossible for hackers to steal credit-card numbers from an online store. With the T.J. Maxx theft fresh in the minds of consumers, the payment industry will likely turn up the heat on banks to force merchants to become certified to the standard. One of the required steps, for example, is having Websites scanned for vulnerabilities by outside security services providers. If retailers fail to carry out this step and the other PCI DSS requirements, the alternative could be a wave of new federal and state legislation.
State and federal lawmakers, tired of waiting for the payment-card and online retailing industries to take security seriously enough, have readied dozens of data protection and consumer data-breach notification proposals. With the threat of this legislation casting a shadow over online stores, the payment-card industry might be the catalyst this year of a greater industry-wide emphasis on security.
Brett Oliphant is vice president of security services for ScanAlert, a provider of PCI compliance and online security and certification services based in Napa, CA.