More websites stored unencrypted credit card payment information than ever this year, according to a recent report. I thought we had this figured out? Obviously this is a direct violation of Payment Card Industry Data Security Standard (PCI DSS) requirements. But seriously, this stuff is simple for the developers to fix, so why don’t they?
Also, if an estimated 71% of the websites in the study were found to store unencrypted payment information this year, up 8%, they are also strong candidates for things like SQL injection attacks from improper form security, which could then handily exploit the plain text credit card information.
This year ESET security researchers are compiling observations from our “crystal ball” about what might hit the threatscape in 2012. But this report indicates we haven’t fixed some of the things we already know about. This threat has nothing to do with new, innovative, or particularly interesting attack vectors, it’s just plain obvious, and easily fixed. And the developers of the offending websites probably already know there is a problem.
A few years ago I was asked to review the code on the website of one of the more popular brick-and-mortar stores near where I live – a store in business since 1976 – and the owners are personal friends. After poking around a bit at their request, I let them know that they were in violation of their merchant account providers Terms of Service, along with PCI DSS, not to mention their customers’ expectation of safekeeping of their online order information. That, after a cursory review that showed plain text credit card information dating back years stored in a simple database. They responded by saying they were too busy to do anything right away but would get around to it.
Just for grins, I asked about the situation almost a year later – no change. Of course, we understand that if they had a breach, the modestly-sized shop would be vastly under-gunned defending itself amidst the ensuing scrutiny. A security breach would have very real and long-lasting impact, damage the bottom line, and possibly result in staff layoffs during tough economic times.
Still they do nothing. And they’re not alone. I’ll ask them again in the coming months, even offer to help, despite them not showing an interest in help previously. It can’t happen to them right?
Polite dinner conversation this year at non-geek events seems to focus on cybersecurity more and more. People want to know how safe their information is online, given all the headlines about criminal hacking, and what they can do about it. They want to know which websites are to be trusted, and how can they be sure. While the usual advice is to shop with familiar vendors with a long track record without security breaches, my friend’s store would meet both of those tests, and they even use a valid SSL to encrypt traffic to the site. Does this mean they’re secure?
So before you spend the whole IT budget on the latest packet-sniffing security gadgets, it might be wise to look at the lower hanging fruit where big reductions in risk might cost you very little to implement. Encrypting credit card details is easy to do. Breaches are not easy to undo. So for the New Year, first focus on the simple. The price is right and we’ll all sleep better, including your customers if they're better protected.
Author Cameron Camp, ESET