In the News: Security and Social Commerce
By Michelle Megna
February 27, 2007
Security issues and social commerce are making news this week, as one vendor issues a new report outlining vulnerable areas of e-commerce sites while another offers free secure-payment upgrades. Meanwhile, traffic studies and a partnership between IBM and Bazaarvoice show that the influence of networking sites on online sales continues to grow.
SQL Injection and Cross Site Scripting: Growing Threats
Half of all Web sites are likely vulnerable to database attacks, according to a new report that paints a bleak picture of the security of software applications used by online retailers. ScanAlert, an Internet security company, analyzed vulnerability scans of 27,000 Web sites to produce "The Ecommerce Applications Security Trends" report, which covers all types and sizes of online merchants.
Key findings show that 45 percent of Web sites studied had a serious database vulnerability, such as SQL Injection, while 50 percent of Web sites had cross site scripting vulnerabilities. Categorized as critical by security experts, SQL Injection is a class of software vulnerability that enables hackers to penetrate databases to steal confidential information needed for fraud and identity theft. Cross site scripting vulnerabilities, which allow hackers to conduct phishing attacks, are even more prevalent than database vulnerabilities.
"When you apply the results of our research to the millions of Web sites that sell products and services online, it gets very scary very quickly," said ScanAlert's vice president of Security Services Brett Oliphant. "Surprisingly, we've found that these holes are just as likely to exist on sites run by big name retailers as on small 'Mom and Pop Shop' sites.
"Hackers can combine Cross Site Scripting holes with e-mail and phishing links to trick unsuspecting people into visiting hacker-owned sites where they will unknowingly provide personal info like credit cards. Although we have yet to see Cross Site Scripting vulnerabilities exploited to the same degree as database holes, they do carry risks, which will only increase as hackers become more devious at getting consumers to click on links."
PHP Seen as a Popular Hacker Target
Looking at other e-commerce security trends for 2007, the report also expects the wildly popular PHP programming language to continue to provide a bounty of opportunities for hackers. PHP was invented more than a decade ago and has been used to create every type of software program needed to operate an online store, including shopping carts, payment systems, CRM and newsletter applications. Unfortunately, PHP developers to date have all too frequently emphasized functionality over security, according to ScanAlert, which reported that its security researchers had uncovered critical security flaws in several PHP programs.
Credit Card Industry Ready to Enforce Security
Although e-commerce Web sites will continue to be a target for hackers in 2007, Visa, MasterCard and American Express are beginning to help address the problem. The payment card industry, which introduced a strict security compliance program three years ago, is finally showing that it is serious about enforcing the standard, according to ScanAlert.
The Payment Card Industry Data Security Standard, which applies to almost every merchant that accepts credit card payments, makes it almost impossible for hackers to steal credit card numbers from an online store. One of the required steps, for example, is having Web sites scanned for vulnerabilities by Internet security companies. If retailers fail to implement these types of security practices, the alternative could be a wave of new federal and state legislation, warns the report. With the threat of this legislation casting a shadow over online stores, the payment card industry might be the catalyst in 2007 of a greater industry-wide emphasis on security. You can find the entire Ecommerce Applications Security report here.
Safe Shopping Upgrades
In other security developments, buySAFE Inc. just announced that it has partnered with 3dCart, allowing merchants that use 3dCart's shopping cart software to seamlessly integrate buySAFE into their Web sites. The company also announced that its buySAFE Certified Merchant program is now available, free of charge, to online merchants using MIVA Merchant 5 software.
buySAFE certifies and monitors online merchants, identifying qualified merchants with the buySAFE Seal, and uses surety bonds to guarantee merchant transactions for online shoppers.
The buySAFE trust software will be available to 3dCart merchants, free, as an integrated feature of the company's Basic, Standard and Standard Plus editions. Merchants using 3dCart need simply qualify for buySAFE and activate a control in their administrative dashboard in order to begin using buySAFE.
Consumers that make a bonded purchase from a buySAFE Merchant receive a surety bond backed by Travelers, ACE USA and Liberty Mutual that guarantees, up to $25,000, that all terms and conditions of the sale will be met. buySAFE will be available to 3dCart customers beginning in April 2007. Current 3dCart customers interested in being considered as beta testers for buySAFE should send an e-mail to 3dcart@buysafe.com.
Time to Try YouTube?
In other e-commerce news, a recent HitWise, USA study shows that exposure on social networking sites such as MySpace and YouTube is likely worth the effort, given the traffic.
LeeAnn Prescott, HitWise research director, posted the following at her blog: The market share of U.S. visits to YouTube increased by 13.9 percent in the two-week period ending Feb. 17, and its average weekly traffic increase since the start of the year was 7 percent. As of Feb. 20, YouTube ranked as the 12th most-visited Internet domain in the US. The sites that received more traffic than YouTube were MySpace domains, Google, Yahoo domains, Hotmail, MSN, eBay, Live Search and Facebook.
IBM and Bazaarvoice Joint Venture
Finally, Bazaarvoice and IBM are also making headlines in the social-commerce sector. Bazaarvoice, recommended in reports by analysts such as Forrester Research Inc.'s Sucharita Mulpuru who study social commerce, offers on-demand ratings and reviews. This allows retailers to build a community of their most influential customers and use the "customer voice" to help shoppers make more informed purchasing decisions.
Bazaarvoice will work with online merchants to integrate its ratings and reviews into a new Web 2.0 store solution based on IBM's WebSphere Commerce. Brett Hurt, founder and CEO of Bazaarvoice said, "Word-of-mouth marketing is the most valuable asset available to retailers today, which is why we are seeing tremendous growth for online ratings and reviews. Our partnership with IBM will bring this strategic functionality to even more retailers as they deliver a more relevant and rewarding shopping experience."
Michelle Megna is managing editor of ECommerce-Guide.com.