This is page 2 of:
Attacks On E-Tail Sites Over Public Wi-Fi: Just A Click Away
Meanwhile, Firesheep has spawned imitators. One, called Idiocy, is much simpler. It’s a 130-line script that just looks for people using Twitter on public Wi-Fi and automatically sends (for them) a tweet that says “I browsed Twitter insecurely on a public network and all I got was this lousy tweet.” That’s really all it does. It’s pretty innocuous.
But in practice, it’s also a template for any moderately capable programmer who wants to automatically hijack connections to any other online site—including that of a retailer.
No, that threat isn’t at the level of someone capturing payment card data. But suppose someone automatically hijacks a customer’s session and causes your E-tail site to behave erratically—say, searching for nonsense terms or constantly returning to your homepage. Who will the customer blame? It won’t be the guy across the room at Starbucks. To the customer, it’s the site that’s broken.
As a prank by one programmer, that’s annoying. But what happens if that prank goes viral? Remember, the number of people who have downloaded Firesheep is headed toward a million. And the number of customers who shop online using public Wi-Fi keeps growing, especially among smartphone users who either can’t get a 3G signal or would just rather use the free signal.
Yes, it may be illegal. It’s certainly obnoxious. But the only real defense against this kind of session hijacking is for E-tail sites to make every session completely secure.
That won’t be cheap. Creating a fully secure session for each user requires more memory and more processor power to encrypt and decrypt everything that happens, and it also generates more network traffic. (Google claims it has cut the cost down to practically nothing, but most E-tailers can’t use all of Google’s tricks.) That’s why most E-Commerce sites wait until a customer is ready to check out before switching on the security. And in the past, spending for the continuous security hasn’t been seen as a necessity.
But cost isn’t the only problem. Security isn’t just expensive; it also makes things more complicated. For example, Microsoft warned Hotmail users that if they choose full-session security, they won’t be able to use the Outlook Hotmail Connector or Windows Live Mail. Retail sites that are fed from multiple domains may have troubles of their own. And working out those kinks will take time, talent and money.
Still, the price of that improved security will soon have to be balanced against the risk of a damaged reputation and lost revenue. Both of those are likely results of E-Commerce that is hijacked or disrupted by anyone who can encourage users to download and install a relatively simple program.
That’s no longer a question of if, but when. And if Firesheep is any guide, it’s a risk that is really only going to get worse.
-Marc
November 22nd, 2010 at 6:01 am
Sorry but its a risk to be using wireless that is not secured properly and does not undergo some sort of modulation of the password scheme.
Then to be in a public area you are at risk of anything happening to your data transmitted over the open air waves.
People willing to spend the time to get your data will.
Same for even being on a land line, it really depends how determined someone is to take your information.
Open thought and information is good to providing a gifted society that respects each other.
Ask the founders.
November 22nd, 2010 at 3:27 pm
Secondly, When I saw this on the news page of my tech sites I immediately downloaded it for safe keeping.
Because yes I want to prove a point to some people that their wireless is junk and that it needs to be disabled or better secured.
I also have Backtrack4 and have used it to prove that the neighbors are unsecured.
November 28th, 2010 at 6:43 am
But isn’t the point of the article that it’s the e-tailers that are potentially going to be targeted by this kind of attack? And they can’t really control what sort of internet connection their customers are using…