"Dear Mr Smith. We are pleased to announce that from Monday 13 August 2000, Safeway will be increasing prices on all our goods by 25 per cent. If this doesn't sound good to you, then you can p*** off to another supermarket chain such as Tesco or Sainsbury's. Regards, The Safeway Team."
This was the email which ended up in the mailboxes of more than a thousand Safeway online shoppers on Saturday 12 August. An investigation by the supermarket chain subsequently revealed that hackers had penetrated one of its web servers holding details of more than 25,000 customers.
The fiasco was the latest in a series of security breaches over the summer that have seriously undermined consumers' already shaky confidence in the security of business-to-consumer websites. With the UK's second 'e-Christmas' just over four months away, IT managers running consumer sites need to learn some quick lessons from these breaches, or risk irrevocable damage to their company's reputation.
A lot of the problems are down to retailers rolling out their sites too quickly - sometimes at the expense of proper configuration.
Succumbing to e-pressure
"These lapses are more related to IT in general and are questions of badly-designed systems and poor testing," claimed Tony Copley, server engineer at corporate web design agency Organic. "The pressure to deliver within a finite period may have made it tempting to cut corners."
He suggested that the pressure on web designers to deliver systems prematurely is immense, because companies are stuck in the mindset that if they don't get onto the web quickly, they will lose out to rivals who have.
On 11 August, Woolworths had to shut down its www.woolies.co.uk ecommerce site after a customer found he could read other shoppers' credit card details and telephone numbers while shopping.
The highest-profile security lapse befell Barclays, however, when its online service was disrupted on 29 July after customers checking their details over the web were able to see those of other clients. According to Barclays, this occurred after an Oracle upgrade.
On 7 July, a PowerGen customer accessed the utility's website to pay his bill, only to discover three files with the names, addresses and credit card details of more than 7000 home and business users.
Luckily for the companies, none of the incidents resulted in any reported theft. Worryingly, however, the firms were unaware of any problems before being contacted by customers.
The National Consumer Council already sees the internet as the riskiest method of shopping. In a recent survey, it claimed that only three per cent of the UK population shops on the web, precisely because of worries regarding the release of credit card details.
"The security lapses could have set the development of ebusiness back by about six months," said Michael Dean, head of marketing at the National Computing Centre. "It's all about trust. Once the trust has been blown away, it's difficult to get it back."
While these security breaches may have occurred across different sectors, there are similarities between the cases. The most striking is the fact that all the exposed data was found on the web server, rather than on another platform at a safe distance from the user interface.
"To store customers' details on the web server - that's dumb. The web server is like a teller in a bank. It shouldn't be a repository for that data. One that's there to be accessed by the whole world is wrong," said Douglas Hurd, business development manager at security firm Network Associates.
Growing pains
So was it a case of teething problems for a growing industry, negligence on the part of the electronic retailers, or a combination of both?
"Elements of it are to do with negligence," said Dean. "Many parts of these systems operate on a secure basis. It's just that existing procedures are not rigorous enough."
Hurd likened the situation to the early days of the automobile industry. "Not until people started impaling themselves on sharp objects did they start to take the issue of safety seriously and introduce seat belts," he said. "Not until security problems cost them money do people consider spending for it."
While most industry observers agree that incompetence played a large part in the latest crop of security breaches, they have been quick to insist that the problem is not internet-specific. It is more general, they say, relating to shortfalls in systems and indeed corporate management. But since the breaches are internet-related they have been given a high profile in the media.
Security isn't just about the web interface, of course. While tight integration between front and back ends is vital, it needs to be accompanied by appropriate levels of security, because as the number of remote systems across the organisation rises, so does the risk of security breaches.
"Multiple sites leave holes for this kind of event," said Tony Caine, European managing director at security specialist Netegrity. "Historical solutions are simply not scaling up to the needs of today's web interface. Some sites are being swamped with volumes of accounts - victims of their own success."
So will the situation turn into an open season for hackers? Caine thinks not, as long as security levels across the corporate system can be vouched for. "Hackers are looking for misconfigurations on the web server most of the time. They are not going to use brute force attempting to break passwords," he said.
Wherever the blame lies, security is an issue that must be taken a lot more seriously. If users can stumble across highly confidential information without even trying, what kind of havoc could a professional hacker cause in a poorly-configured ebusiness site?