eBay, one of the world’s largest and most used eCommerce platforms, has suffered a major security breach. More than 100 million users have been affected in what is this year’s biggest cybercrime so far. It is still not clear how the intruders gained access to eBay’s databases, but this is definitely the right time to bolster application security.
Identity and data theft have become a serious problem in recent years. The eBay breach is still creating waves, as millions of usernames, hashed passwords, phone numbers and physical addresses have been stolen.
“Cyber-attackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network,” eBay recently commented. “The company is aggressively investigating the matter.”
What’s really going on at eBay?
The intrusion, which is still being examined by security experts, happened a couple of months ago and went undetected until recently. It is believed that access was obtained by compromising an eBay employee’s log-in credentials and, through them, the corporate network. The technique used has not yet been revealed, but the criminals also managed to steal hashed passwords, and hashed passwords are not exactly “uncrackable”: with the hash in hand an attacker can guess candidate passwords offline at very high speed, and weak or common passwords fall quickly.
The exact number of compromised accounts is still unknown, but even eBay’s own estimate of 145 million affected accounts makes this a breach of mammoth proportions. Because the intrusion was detected so late, the attackers have had ample time to try the stolen credentials against other sites (users commonly reuse the same password across services) and to sell the stolen information online.
“It’s not surprising that eBay’s site was breached. Attacks like this can definitely be considered the new norm,” Checkmarx founder and CTO Maty Siman explained. “Organizations need to take more security measures to protect their digital assets from the outset by examining their source code for vulnerabilities and eliminating them in advance.”
The state of today’s leading eCommerce and financial companies
PayPal – While the method used to infiltrate the eBay employee’s computer and the databases is still unclear, there have been many instances of application-layer attacks on the eBay-owned PayPal payment system. As a leading money-transfer medium, PayPal has become a hot target for hackers, fraudsters and commercially motivated attackers.
The latest PayPal vulnerability was disclosed by security researcher Mark Litchfield, who succeeded in manipulating the PayPal Manager interface. This control panel is a crucial part of the system that thousands of online vendors and merchants use to manage their PayFlow accounts. This proof of concept (POC) is not the first to deal with this platform’s vulnerabilities.
Target – The largest retail security breach of 2013 happened on US soil, where millions of Target customers lost their credit card information. The attackers bypassed the conventional anti-malware and firewall defences Target had in place, streaming the card data out to a remote server without being detected. Over 110 million Target customers were affected.
Access to Target’s databases and point-of-sale (POS) terminals was achieved via a third-party vendor that did not comply with today’s common security standards. Target also failed to keep customer and cardholder data in isolated, segmented network areas, making data harvesting easy for the attackers once they were inside. The stolen information was then sold on online black markets (“card shops”).
LivingSocial – The daily-deals website’s databases were successfully raided in mid-2013, leading to serious identity and data theft. Over 50 million people’s names, email addresses, birth dates and encrypted passwords were compromised. While details are still vague, the available evidence points towards the well-known SQL Injection technique.
Mobile Banking Apps – Strong passwords and BYOD policies cannot guarantee safe usage. Reverse engineering is a common tool used by developers to locate code errors, but attackers use it with great success to find flaws in shipped apps. Man-in-the-Middle (MitM) attacks are also gaining popularity because many popular apps lack proper end-to-end encryption of their traffic.
How can eCommerce and finance enterprises avoid such hackings?
All CISOs, CSOs and security officers should enforce strict internet browsing rules to reduce exposure to phishing attacks. This should involve blocking social networking websites, enforcing strict email handling policies and employing a robust BYOD policy, so that a compromised personal device cannot be used to access the network and harvest sensitive data.
American retailers have also created a Cyber Info-Sharing Center, which will help them combat cybercrime by raising the security standards of the eCommerce industry. This will include standardising security protocols, sharing cyber-threat information and coordinating actions with the relevant law-enforcement authorities.
SQL Injection (SQLi) and Cross-Site Scripting (XSS) are among the most common attacks causing damage today. Implementing proper application-layer security is the best way to combat these threats; the conventional perimeter controls mentioned above (firewalls, anti-malware, browsing policies) are quite outdated for this purpose and provide very limited protection against flaws in the application’s own code.
SQLi occurs when an application builds a database query by concatenating untrusted input into the SQL text. Characters with special meaning in SQL (quotes, comment markers, keywords) in that input change the structure of the query, and the database has no way to tell attacker-supplied code from the developer’s intended query, so it executes both. XSS is another common application-layer vulnerability: a site reflects or stores untrusted input and renders it unencoded into its pages, so attacker-supplied script runs in the browsers of everyone who views those pages, with the site’s privileges (session cookies, user actions). Because the injected script is served from a trusted, well-known site, a single XSS flaw can compromise a very large number of visitors.
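The following is an added example, not code from the original article or from Checkmarx, showing both flaws beside their fixes in Python using only the standard library’s sqlite3 and html modules. The users table, the credentials and the classic `' OR '1'='1` payload are constructed for illustration; the function names are hypothetical.

```python
import html
import sqlite3

# Constructed sample data for the demo; not taken from any real system.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """SQLi: the query is built by string concatenation, so quotes and
    keywords in the input become part of the SQL the database parses.
    With username = password = "' OR '1'='1" the WHERE clause is true
    for every row and every account is returned."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Fixed: a parameterised query. The driver sends the values separately
    from the SQL text, so they are only ever treated as data, whatever
    characters they contain."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def render_greeting_vulnerable(name):
    """XSS: untrusted input is reflected straight into the HTML, so a
    <script> payload executes in the browser of whoever views the page."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    """Fixed: context-appropriate output encoding (HTML body/attribute
    escaping) turns markup characters into inert text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable login with payload:", login_vulnerable(db, payload, payload))
    print("safe login with payload:     ", login_safe(db, payload, payload))
    print(render_greeting_vulnerable("<script>alert(1)</script>"))
    print(render_greeting_safe("<script>alert(1)</script>"))
```

Run it and the vulnerable login returns both accounts for a password the attacker never knew, while the parameterised version returns nothing; the escaped greeting is rendered as visible text instead of being executed. Parameterised queries and output encoding are the fixes the automated code scanning discussed below is meant to confirm are present everywhere untrusted data is used.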
There are many approaches to securing applications: Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST) and penetration (pen) testing. Each has its own advantages: DAST and pen testing exercise the running application from the outside and find what is actually reachable, while SAST reads the code and finds flaws whether or not a test happened to reach them. All provide useful application-layer assurance, but the way to safeguard software at scale is to automate the scanning and testing so that it runs on every build rather than as a one-off exercise.
A secure Software Development Life-Cycle (sSDLC) can be created by implementing static code scanning, in particular Source Code Analysis (SCA; note that the same abbreviation is now also widely used for Software Composition Analysis, the scanning of third-party dependencies, whereas here it refers to analysis of the application’s own source). This locates vulnerabilities early, while the code is being written, and allows the testing to be integrated into the development process, for example as a gate in the build pipeline. Secure coding practices and fully automated testing are thereby achieved.
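As an added illustration of what such a static scan does, the following Python script is a deliberately simplified rule written for this article (it is not Checkmarx’s or any other product’s engine). It parses source code into an abstract syntax tree and flags every `execute`-style database call whose first argument is assembled at run time by concatenation, `%` formatting, `.format()` or an f-string, which is exactly the SQL Injection pattern discussed above. The `SAMPLE_SOURCE` it scans is constructed, and the method names in `QUERY_METHODS` are an assumption about the DB-API in use.

```python
import ast

# Constructed sample source: the kind of file a static scanner would analyse.
# Three of the four functions build their query dynamically; the last is safe.
SAMPLE_SOURCE = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")   # concatenation

def find_user_fmt(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)      # % formatting

def find_user_fstring(cur, name):
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")       # f-string

def find_user_ok(cur, name):
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))      # parameterised
'''

# Assumed DB-API method names that take SQL text as their first argument.
QUERY_METHODS = {"execute", "executemany", "executescript"}


def is_dynamic_string(node):
    """True when the expression builds its value at run time from parts.
    This is a crude rule: numeric `a + b` would also match, which is the
    sort of false positive a real engine refines with type information."""
    if isinstance(node, ast.JoinedStr):                       # f"...{x}..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                            # "a" + x, "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                            # "...".format(x)
    return False


class SqlConcatFinder(ast.NodeVisitor):
    """Walk the tree, remembering the enclosing function, and record every
    query call whose SQL argument is dynamic."""

    def __init__(self):
        self.findings = []          # list of (line number, enclosing function)
        self._func = "<module>"

    def visit_FunctionDef(self, node):
        outer, self._func = self._func, node.name
        self.generic_visit(node)
        self._func = outer

    def visit_Call(self, node):
        if (isinstance(node.func, ast.Attribute)
                and node.func.attr in QUERY_METHODS
                and node.args
                and is_dynamic_string(node.args[0])):
            self.findings.append((node.lineno, self._func))
        self.generic_visit(node)


def find_sqli_candidates(source):
    """Return (line, function) for each suspected SQL Injection sink in `source`."""
    finder = SqlConcatFinder()
    finder.visit(ast.parse(source))
    return finder.findings


if __name__ == "__main__":
    for line, func in find_sqli_candidates(SAMPLE_SOURCE):
        print(f"line {line}: dynamic SQL passed to a query call in {func}()")
```

Against the constructed sample the scan reports lines 3, 6 and 9 and stays silent on the parameterised call, which is the property that lets a check like this run on every commit and fail the build before vulnerable code reaches production.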