Cloud, Mobile, Web Logs: The Future Of Security Nightmares

Written by Evan Schuman
March 2nd, 2010

A funny thing happened here the other day. In reviewing the top sites linking to us, we often click on some of the referrals to see the context of the reference. But when we clicked on one such link, it seemed to bring us to our own E-mail newsletter in the subscriber’s Inbox. While we were trying to back out, the user’s complete Inbox was revealed—with full read, delete, modify and send privileges.

We immediately contacted the owner of that site and did some tests. Sure enough, we were able to send from his account and open his messages. After some frantic exploration on his end, he reported the hole that we suspected. We had continued access until the site manually logged out and then logged back in.

“What this exposed was a time-out failure on the E-mail site that needs to be corrected,” the site administrator told us. “I’m not sure what cycle we will adjust it to, but the E-mail address needs to log itself off and reset periodically—I’d like to see every 30 seconds or less—so that what I did manually would be done automatically, behind the scenes, without my having to actually log out and back in.”

This incident wouldn’t be so noteworthy if it had been the first time such a thing happened, but it wasn’t. A major publisher that links to us frequently—and which has a very robust IT operation—had an identical problem. When we clicked on the link back to the publisher, it would let us have full access to its site behind its firewall, as though we had logged in as admin/superuser.

This breach is similar to the search engine spider problem, in that few security managers think about it much. My favorite anecdote about that issue comes from an RFID privacy book published a few years back. The authors found a wide range of confidential documents about their target companies by doing Google searches for the word “confidential.”

In searches that we’ve conducted, we routinely stumble on confidential E-mail exchanges that were clearly found by a relentless spider. This problem is likely going to get much worse as the efficiencies of cloud computing tempt companies to place the contents of server after server on the cloud for faster and easier access. Easier access is certainly right, but for whom?

The Sears incident from last summer—where site visitors took advantage of Sears’ Akamai cache approach to change the name of a grill to “body parts roaster” and “grill to cook babies”—should have been a wake-up call. The cache method can certainly be made more secure through stricter techniques that perhaps cut into the page acceleration time—Sears’ certainly have—but how many retailers will think to insist on that approach?

But cloud computing is not the only new target for security holes. Mobile computing and especially M-Commerce have an even greater potential for issues. Beyond the inherent breach possibilities with anything wireless, retailers are going to feel the need to push more functionality onto these consumer devices.

Full disclosure: Yes, we’ve been one of those trying to increase that pressure. To make M-Commerce work, functionality is going to have to move overwhelmingly—if not entirely—to the handheld unit so that it can truly be standalone. That’s our strong belief. But that necessity doesn’t negate the fact that new security holes will almost certainly crop up as those moves are made, often before sufficiently creative testing to plug any gaps is completed.

We offer this comment as a call for enhanced vigilance from IT security folk. And, yes, such vigilance is going to mean that you’ll need to be unpopular with both the rank-and-file and senior management—rarely a good career advancement move—because you’ll force deployment to be slowed down. You will become the bottleneck, and your chain needs you to assume that role.

It will mean a lot of explanation to senior execs as to why this vigilance is critical to them. (Mention the Sears example a lot. Sears is a very sophisticated, world-class IT operation, which makes the baby-cooking example that much more persuasive.) It’s also probably not a bad idea for you to have team members assume the white hat role and get imaginative about ways to manipulate and get around firewalls.

This is a heads-up. Please take it seriously, or we may have to E-mail you about this situation—from your own Inbox.

