
eCommerce Login Attempts Are Almost Always Fraudulent

Nine out of ten eCommerce login attempts are fraudulent. That is the key finding of an investigation into credential stuffing by Shape Security, a provider of online fraud prevention. Credential stuffing is the automated replay of username and password pairs stolen from one service against the login forms of other services; on a store, a successful hit lets the attacker buy goods on the victim's saved cards and store credit.

Online retailers are more likely to be targeted by credential stuffing because shoppers commonly reuse the same credentials across sites, and because automating a store's login form is straightforward compared with banks and other potential targets.

Credential stuffing starts with leaked usernames and passwords. Last year, over 2.3 billion username and password pairs were leaked by online services. Most of the leaked credentials came from Yahoo, which repeatedly exposed the credentials of billions of users. Tens of millions of credentials were leaked from poorly secured forums, databases, and servers. Millions more were leaked in phishing and malware attacks against users.

The usernames and passwords are gathered by criminals and used to make login attempts on eCommerce stores, banks, and social media accounts. The most sophisticated credential stuffing operations create bespoke login scripts that operate from dozens of locations.

The scripts make millions of login attempts with the leaked credentials on tens of thousands of stores. Shoppers use the same email address and password combination on multiple sites, so the leaked credentials can be used to successfully authenticate on many sites and eCommerce stores.

The criminals’ “conversion rates” are quite low: even the best credential stuffers successfully authenticate on less than one percent of the accounts they try. The operation is still profitable because it is high-volume and low-cost.

Once they have access, the criminals can steal user data, consume gift card balances, and place large fraudulent orders using stored or stolen credit card numbers. It is estimated that credential stuffing costs the US economy in excess of $5 billion per year.

Preventing Credential Stuffing

From a purely technical standpoint, credential stuffing is not hard to stop. Requiring a second factor on shopper accounts would defeat almost all of it, because a leaked password alone would no longer log anyone in. Making the login flow harder to script (CAPTCHAs, device challenges) raises the attacker's cost per attempt.

But neither approach appeals to eCommerce merchants, because both reduce conversions. The eCommerce industry is incentivized to make it easier for shoppers to authenticate, not harder.

Alternatives include IP blacklists, which work against less sophisticated attackers who lack large networks of proxy servers. Blacklisting is far less effective against operations that rotate through paid proxy services and botnets, where each address makes only a handful of attempts and no single source stands out.

Credential stuffing is likely to remain a problem for as long as we authenticate with username and password combinations. Authentication standards such as FIDO2 are the most likely long-term solution: they give simple and secure logins with no shared secret for a breach to leak or an attacker to replay.
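Detection is cheap even where prevention is commercially hard. The following is an added example, not code from Shape Security or from the original post: it reads authentication log lines and separates the pattern the post describes (one source trying many different accounts with almost no successes) from a single account being hammered and from a shopper who mistyped once. The log format, IP addresses, usernames and thresholds are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Event is one login attempt. The log format is constructed for this example:
// "<timestamp> <source-ip> <username> <OK|FAIL>", one attempt per line.
type Event struct {
	IP, User string
	Success  bool
}

// ParseLog parses lines in that format and skips malformed ones.
func ParseLog(raw string) []Event {
	var events []Event
	for _, line := range strings.Split(raw, "\n") {
		if f := strings.Fields(line); len(f) == 4 {
			events = append(events, Event{IP: f[1], User: f[2], Success: f[3] == "OK"})
		}
	}
	return events
}

// SourceStats is what one source IP did during the window.
type SourceStats struct {
	Attempts, Successes int
	Users               map[string]bool
}

// Aggregate groups events by source IP.
func Aggregate(events []Event) map[string]*SourceStats {
	stats := map[string]*SourceStats{}
	for _, e := range events {
		if stats[e.IP] == nil {
			stats[e.IP] = &SourceStats{Users: map[string]bool{}}
		}
		stats[e.IP].Attempts++
		stats[e.IP].Users[e.User] = true
		if e.Success {
			stats[e.IP].Successes++
		}
	}
	return stats
}

// Thresholds set for the constructed sample; tune them against your own baseline.
const (
	minAttempts = 5    // too few attempts to judge below this
	minUsers    = 5    // a real shopper does not try five different accounts
	minSpread   = 0.8  // distinct users / attempts: stuffing tries a new account almost every time
	maxHitRate  = 0.15 // stuffers convert on under 1% of accounts; 15% is a generous ceiling
)

// IsStuffing separates stuffing (many accounts, one password each, rare success)
// from a brute-force run against one account and from a shopper who mistyped.
func IsStuffing(s *SourceStats) bool {
	if s.Attempts < minAttempts || len(s.Users) < minUsers {
		return false
	}
	spread := float64(len(s.Users)) / float64(s.Attempts)
	hitRate := float64(s.Successes) / float64(s.Attempts)
	return spread >= minSpread && hitRate <= maxHitRate
}

// FlagSources returns, sorted, every source IP whose behaviour matches stuffing.
// A campaign spread over thousands of proxies will not trip a per-IP check like
// this one; watch the site-wide login failure rate against its baseline as well.
func FlagSources(events []Event) []string {
	var flagged []string
	for ip, s := range Aggregate(events) {
		if IsStuffing(s) {
			flagged = append(flagged, ip)
		}
	}
	sort.Strings(flagged)
	return flagged
}

// sampleLog is constructed: 203.0.113.7 tries seven different accounts and gets
// into one; 198.51.100.4 is a shopper who mistyped once and then logged in.
const sampleLog = `
2018-07-01T10:00:00Z 203.0.113.7 ann@example.com FAIL
2018-07-01T10:00:01Z 203.0.113.7 bob@example.com FAIL
2018-07-01T10:00:01Z 203.0.113.7 cat@example.com OK
2018-07-01T10:00:02Z 203.0.113.7 dan@example.com FAIL
2018-07-01T10:00:02Z 203.0.113.7 eve@example.com FAIL
2018-07-01T10:00:03Z 203.0.113.7 fay@example.com FAIL
2018-07-01T10:00:03Z 203.0.113.7 gus@example.com FAIL
2018-07-01T10:05:00Z 198.51.100.4 bob@example.com FAIL
2018-07-01T10:05:20Z 198.51.100.4 bob@example.com OK
`

func main() {
	fmt.Println("flagged sources:", FlagSources(ParseLog(sampleLog)))
}
```

Run it with go run and it prints the single flagged source. The spread check is what distinguishes stuffing from brute force: an attacker trying a thousand passwords against one account has a spread near zero, a stuffer trying one leaked password per account has a spread near one.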

Posted in:
Security


Google Chrome Displays Insecure Warning On All HTTP Pages

On July 24th, Google released Chrome 68, which marks any page loaded over a plain HTTP connection as “Not Secure”. The long-planned move means that any site without an SSL/TLS certificate, and therefore unable to serve HTTPS, is prominently flagged in the browser’s address bar.


HTTPS is the secure version of HTTP, the protocol browsers use to fetch web pages. With plain HTTP, data travels in the clear: anyone on the network path, from the coffee-shop Wi-Fi to an intermediate ISP, can read it and, in a man-in-the-middle attack, alter it.

HTTPS wraps the connection in TLS. The site’s certificate lets the browser verify that it is talking to the genuine server, and the session keys negotiated afterwards encrypt and authenticate every byte. Traffic can still be captured by a man in the middle, but it cannot be read or silently modified.

Historically, HTTPS was used on eCommerce stores and other sites that receive or transmit sensitive data. In the last few years, Google and security experts have encouraged much wider adoption, arguing that every site should be protected by HTTPS.

Chrome now displays the warning on every page that is not loaded over HTTPS. That matters for sites without HTTPS because most visitors will not understand exactly what is insecure about the page; they will simply see the warning and trust the site less.

The History Of Google’s Push For HTTPS Everywhere

Google has been gradually moving Chrome in this direction for the last several years. Pages were once marked as secure if they used HTTPS, and pages that didn’t were displayed with no message at all. Last year, Chrome began to display warnings on HTTP pages when the browser was in incognito mode or when the user was asked to enter information. From this month, Chrome shows a “Secure” label for HTTPS pages and a “Not Secure” label for HTTP pages.

In September, Google will go a step further and remove the “Secure” label from HTTPS sites, treating encryption as the default rather than an achievement. And in October the “Not Secure” warning on HTTP pages will turn red when a visitor starts typing into a form.

In addition to encouraging sites by warning users in the browser, Google also gives sites with HTTPS a boost in search engine results. All else being equal, a page delivered over an HTTPS connection will rank higher than an HTTP page.

The State Of HTTPS

HTTPS adoption has skyrocketed in recent years. Eighty-four percent of sites loaded by Google Chrome use HTTPS. So do 83 of the top-100 sites. But a large number of smaller sites do not have an SSL certificate and they are likely to be hardest hit by the new warnings.

HTTPS is a good thing. It keeps users and hosting clients safe. Adding an SSL certificate to a site was once complex and expensive. That’s no longer the case. At Hostdedi, many of our WordPress, WooCommerce, and Magento hosting accounts include a free standard SSL certificate and we’re happy to help eCommerce retailers and site owners add a premium or extended validation SSL certificate to their site.

It’s likely that HTTPS will become ubiquitous in the near future. Browsers only enable HTTP/2 over TLS, and Service Workers, the foundation of Progressive Web Apps, only run on secure origins. Magento is working on PWA solutions for eCommerce and developers have just started work on a feature plugin that will make WordPress and WooCommerce PWA-friendly.

If you would like more information about implementing SSL on your website or eCommerce store, our support team is waiting to hear from you.

Posted in:
Security


What Can We Do About IoT’s Security Problems?

By the end of this year, there will be billions of connected endpoints. The world has never seen a larger digital attack surface, and it has never seen one so poorly secured.

“The ease with which hackers can exploit security vulnerabilities in these cheap and plentiful [IoT] devices is disturbing,” writes PivotNine Chief Analyst Justin Warren. “It threatens the reliability of the Internet upon which millions of people have come to depend…the flood of new Internet-connected devices only increases each year, as the hype train gathers speed and those with dreams of striking it rich join in with this latest gold rush.”

These vendors are not interested in security. They are not interested in the expenses involved in protecting data – whether business or consumer. They are interested in ease-of-use, cost of distribution, and time-to-market.

And they are largely interested in consumers, who do not have the same security concerns as businesses. Yet a smart thermostat or connected coffee maker can see use in an office just as easily as a home. Once such a device is plugged into a corporate network, it is essentially an invitation to attackers.

Until the regulatory climate surrounding IoT devices matures, this will not change. There is currently no liability for vendors and manufacturers. There is no reason for most of them to care about cybersecurity.

It is therefore up to us – all of us – to take IoT security into our own hands:


  • Pursue a new mindset. The onus of corporate data security is still largely in the hands of employees – but they cannot be expected to secure the coming flood of endpoints. Your business must pursue new security practices and processes, such as automation and intelligent threat mitigation.
  • Train your staff. Cybersecurity training is more critical than ever. Update your awareness programs to incorporate the importance of IoT security, and include advice on how workers can protect their own smart hardware at home.
  • Understand your endpoints. Use an endpoint management solution that allows you to directly manage and monitor smart endpoints. You need more than EMM or MDM.
  • Segment nonessential devices. Your office coffee machine and thermostat do not need to be on your core network. Put non-essential endpoints on a guest network or separate VLAN, and firewall it off from your business’s main network so a compromised gadget cannot reach anything that matters.
  • Automate your updates. In addition to working with vendors who pledge to take security seriously, ensure that IoT updates are applied automatically – there is no other way to keep all your endpoints up to date.
  • Configure every IoT device. That means changing the default username and password, disabling remote-management features you do not use, and testing each new device for vulnerabilities before it goes on the network.


From a cybersecurity perspective, the Internet of Things is a mess. But it also represents one of the best evolutions for both our personal and professional lives. That’s why there is no slowing the growth of IoT – the best you can do is prepare yourself for the risks it brings with it.

And now you know how to do exactly that.

Posted in:
Security


Three Signs Your Staff Don’t Take Security Seriously

Cybersecurity is a constant balancing act between convenience and data protection. The former always wins, no matter how much IT professionals might wish otherwise. The consumerization of IT is at the heart of this issue.

Modern workers demand that the tools and applications they are provided in the workplace offer a user experience in line with what they use in their personal life. When that demand is ignored, they are remarkably skilled at circumventing security protocols. They are interested in doing their jobs – not in adhering to IT’s expectations on how to protect their data.

Worse, even if you do manage to somehow strike a balance, security is not certain. Workers may still have a lax attitude towards protecting corporate data. Learning to recognize such an attitude is essential.

They Dislike Your IT Department

Your IT department should be seen by others within the organization as valuable members of the team. If workers consider them an impediment or roadblock to doing their jobs, that’s a sure sign something needs to change – both culturally and with your security processes. The divide between IT professionals and regular workers is a relic of the past.

Let’s leave it there.

They Overuse Consumer Apps And Devices

There is nothing wrong with the regulated use of consumer tools in the workplace. Some of them can actually be secure under the right conditions. But if every single worker in your business uses consumer apps instead of corporate ones, this signifies two things.

First, your corporate tools are inadequate. Second, your workers don’t understand the reason you mandate their usage. The first can only be solved by revisiting the toolkit you provide your employees – the second will require security awareness training.

They’re Careless

Do your workers still use old, insecure passwords? Do they even bother changing their default login information when given a new account? Do they use consumer file-sharing services and thumb drives for sharing sensitive data?

Most employees are well-intentioned, but ignorant. They might accidentally forward a document to the wrong recipient, or open a phishing email without realizing it’s not actually from their boss. Security awareness training is necessary to mitigate this carelessness.

Cybersecurity Is Serious Business

Your employees are your most valuable resource – but they are also your biggest cybersecurity headache. It is your job to teach them about the importance of good security practices. Show them how to properly use software, talk to them about the importance of a password manager, and inform them of how to recognize phishing scams and malicious emails (to name a few examples).

Because while many of them may be ignorant now, that doesn’t mean they should remain so. Do your part to help them take cybersecurity more seriously. Your customers and stakeholders will thank you for it – and you’ll be glad you made the effort.

Posted in:
Security


Are Your Admins Fed Up With Your Bad Security Protocols?

How well-equipped is your IT department? Do your administrators have everything they need to do their jobs effectively? If you don’t know the answers to those questions, you need to learn them.

These are the men and women who, at the end of the day, are your best (perhaps only) defense against the array of cyberthreats facing your business and its data. Treat them well and provide them with what they need, and they will keep your business secure. Mistreat them and expect them to spin gold from twine?

You may as well hand your files to a hacker yourself.

But how exactly can you tell if your administrators are frustrated and put-upon? What are the warning signs your IT department is under-resourced or understaffed? And more importantly, what can you do about it?

Your first step is to examine both workplace culture and the status of your own software and hardware:

  • You regularly hear employees talking about how difficult an administrator (or the entire department) is to deal with. Such a hostile relationship could indicate serious frustrations on both sides.
  • IT workers seem apathetic or disconnected when you interact with them – as though they don’t care about your organization.
  • Your IT systems have not been updated or improved in years.
  • Security updates and device provisioning are not automated – everything must be done manually.
  • Your executive board constantly pushes for new technology or functionality, simply because they can – not because they need it.
  • You find yourself regularly disregarding or ignoring the advice of your administrators (or notice colleagues doing the same).
  • If your organization is struck by a data breach, your administrators seem unsurprised by it.
  • You do not have security awareness or risk management training at your organization. Employees are simply left to their own devices.

When In Doubt, Communicate

It was once a common misconception that cybersecurity is solely the domain of IT. This idea is toxic. There needs to be an open dialogue between IT and every other department and executive within your organization.

In other words, the best way you can determine whether or not your administrators are happy with your business’s security practices is to simply talk to them. Ask them about what they need to better do their jobs. Ask them how they might improve organizational security posture.

Remember that you’re all in this together – and that by working together, you can achieve far more than you ever could divided.

Posted in:
Security


What Is Cryptomining Malware?

Cryptomining malware is a new form of malware that uses the resources of compromised servers, hosting accounts and visitors’ browsers to generate cryptocurrencies like Bitcoin and Litecoin. Before a coin can be created, miners have to demonstrate “proof of work,” which involves computationally intensive mathematical operations. Legitimate miners buy powerful computers to do the hard work; criminals use other people’s machines.

Over the last few weeks the value of cryptocurrencies, particularly Bitcoin, has increased quickly. By using compromised machines to generate coins, criminals create a digital asset that can be converted into hard currency. Because the value of cryptocurrencies is rising, we can expect to see more frequent and sophisticated attacks through 2018.

Cryptocurrencies are based on blockchain technology. A blockchain is a distributed ledger, a data structure that records transactions and is shared, modified, and verified by many different network nodes. The ledger records transactions like transfers of coins between users, but also the creation of new coins. In a nutshell, to create a coin a miner has to prove to the network that they have done a set amount of work. Without the proof of work, it would be easy for anyone to make coins and individual coins wouldn’t be worth much.

In the early days of cryptocurrencies, creating coins was easy: they could be generated quickly on low-powered hardware. Over time, the amount of work needed increases, and today serious miners use clusters of machines with powerful GPUs. But the alternative to a few high-powered specialized machines is many low-powered machines like laptops and smartphones.

Cryptomining malware — code injected into websites via known vulnerabilities or installed along with pirated themes and plugins — allows its authors to run the proof-of-work calculations on large networks of compromised machines, generating coins with minimal investment.

One of the most widespread cryptomining infections on WordPress sites is known as cloudflare.solutions, after the domain it loads code from; it has nothing to do with the real Cloudflare. Discovered earlier this year, it injects a script tag that pulls mining code from that domain. When a visitor opens a page on a compromised site, the code runs in their browser and uses the device’s processor to perform mining operations, degrading browser and device performance and draining the battery.

In an unpleasant twist, cloudflare.solutions has recently been modified to include a keylogger that sends text entered into WordPress text entry fields, including password fields, to the criminals’ servers.

It should be mentioned that some “legitimate” publishers are taking advantage of cryptomining to generate revenue for their sites. I’ll avoid debating the ethics here, but it’s undeniable that a large number of cryptomining scripts found on the web are the result of exploited sites and are funneling money to criminal organizations.

The best way to avoid being infected by cryptomining malware is to follow standard WordPress security best practices: use two-factor authentication, apply WordPress, theme and plugin updates as soon as they are released, and only install themes and plugins from trusted sources. It also pays to check the pages your site serves for script tags you did not put there.
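As an added example (not code from the original post or from the malware analysis it summarises), the following Go program does that last check: it lists every third-party host a page loads scripts from and flags the ones the site owner did not knowingly allow. The sample page, hostnames and allowlist are constructed; the only real-world name in it is the look-alike domain the post itself mentions, and the attacker's script is not reproduced.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// scriptSrc matches the src attribute of <script> tags, whichever quote style is used.
var scriptSrc = regexp.MustCompile(`(?is)<script[^>]*\ssrc\s*=\s*["']([^"']+)["']`)

// ExternalScriptHosts returns, lowercased and sorted, every distinct host that page
// loads a script from. Relative and same-origin sources are left out.
func ExternalScriptHosts(page, siteHost string) []string {
	seen := map[string]bool{}
	for _, m := range scriptSrc.FindAllStringSubmatch(page, -1) {
		src := strings.TrimSpace(m[1])
		if strings.HasPrefix(src, "//") {
			src = "https:" + src // protocol-relative URLs are common in injected code
		}
		u, err := url.Parse(src)
		if err != nil || u.Host == "" {
			continue // a relative path: served by the site itself
		}
		if host := strings.ToLower(u.Hostname()); host != strings.ToLower(siteHost) {
			seen[host] = true
		}
	}
	hosts := make([]string, 0, len(seen))
	for h := range seen {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts)
	return hosts
}

// Unexpected drops the hosts on the site owner's allowlist of third parties they
// knowingly embed. Whatever is left deserves a look: a miner, a keylogger, or a
// plugin nobody remembers installing, but not something the owner chose.
func Unexpected(hosts, allow []string) []string {
	allowed := map[string]bool{}
	for _, a := range allow {
		allowed[strings.ToLower(a)] = true
	}
	var out []string
	for _, h := range hosts {
		if !allowed[h] {
			out = append(out, h)
		}
	}
	return out
}

// samplePage is constructed: an ordinary WordPress page with one injected tag pointing
// at the look-alike domain named in the post. The attacker's script itself is not reproduced.
const samplePage = `<!DOCTYPE html><html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=UA-0000"></script>
<script type='text/javascript' src='https://shop.example/wp-content/themes/storefront/app.js'></script>
</head><body>
<p>Welcome to the store.</p>
<script type='text/javascript' src='//cloudflare.solutions/example.js'></script>
</body></html>`

// allowlist is hypothetical: list only the third-party script hosts you chose to embed.
var allowlist = []string{"www.googletagmanager.com"}

func main() {
	hosts := ExternalScriptHosts(samplePage, "shop.example")
	fmt.Println("external script hosts:", hosts)
	fmt.Println("not on the allowlist: ", Unexpected(hosts, allowlist))
}
```

Feed it the HTML your server actually returns (fetched as a visitor would see it, since injected tags are often added at render time) rather than the theme source on disk; the allowlist should be short, and anything outside it is a question for whoever administers the site.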

Posted in:
Security


Is Your WordPress Site As Secure As You Think?

WordPress is — as content management systems go — very secure. It’s the most targeted web application in the world, but it’s also the best protected. It is in the interest of many thousands of developers and users to seek and destroy any vulnerabilities that may find their way into the code of WordPress Core, themes, and plugins.

If a WordPress hosting client follows a few basic security best practices, the likelihood of a successful attack is slim. Security best practices include:

  • Updating WordPress, themes, and plugins as soon as new versions are released.
  • Getting themes and plugins from trustworthy sources.
  • Using long, random passwords. Or, even better, using two-factor authentication.
  • Not sharing passwords with third-parties.

But everyone who manages a website has to face the reality that their site may be targeted, and if it is targeted, it may be compromised. It’s not enough to follow security best practices. You also have to keep an eye out for signs of compromise. But what does a compromised site look like?

Criminals don’t want you to know when your site has been compromised. The longer they remain hidden, the longer they can use a site to distribute malware, send spam, and inject their SEO links. A site that looks perfectly fine to you might, in fact, be spewing spam and infecting your visitors.

The solution is automated vulnerability and malware scanning. Vulnerability and malware scanners are capable of monitoring a site for signs of malicious software or known software vulnerabilities and alerting you to them.

For occasional scans, there are several excellent online tools that you should be aware of.

  • GravityScan is an online vulnerability and malware scanner from the team behind the Wordfence security plugin. It will check a site for both malware and software vulnerabilities.
  • Sucuri SiteCheck is similar to GravityScan, providing much the same malware and vulnerability checking.

An external web-based scanner is a good option to have, but they aren’t as capable as dedicated security plugins which have greater access to a site and its files.

Wordfence Security is the most popular WordPress security plugin, and it includes a host of features to keep WordPress sites secure, including malware, vulnerability, and backdoor scanning, and a Web Application Firewall capable of repelling known attacks. The premium version of this plugin adds real-time updating of firewall rules, more frequent scans, and two-factor authentication.

Wordfence’s main competitor is the Sucuri Security plugin. Sucuri includes file integrity monitoring, remote malware scanning, and security hardening. The premium version includes a website firewall that can protect a WordPress site against the exploitation of software vulnerabilities, brute force attacks and denial of service attacks.

For most sites, a plugin is probably a better solution than a web service. The plugins we’ve discussed automatically alert site owners when they discover a problem. Relying on your memory to prompt you to regularly use the web scanning tools is probably not the most effective approach.
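The core-file check these plugins perform can be reproduced in a few dozen lines. The following is an added example, not code from Wordfence or Sucuri: hash every file under the site root, keep that as the baseline, and diff a later snapshot against it. The sample site tree and the "compromise" are constructed in a temporary directory so the program runs offline; the file names and contents are made up.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Snapshot maps every regular file under root (slash-separated, relative) to the hex SHA-256 of its contents.
func Snapshot(root string) (map[string]string, error) {
	sums := map[string]string{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, path) // path is always under root here
		sums[filepath.ToSlash(rel)] = fmt.Sprintf("%x", sha256.Sum256(data))
		return nil
	})
	return sums, err
}

// Diff is what changed between a baseline snapshot and a later one.
type Diff struct {
	Added, Modified, Removed []string
}

// Compare checks a fresh snapshot against the baseline taken right after a clean install
// or update. New files are the classic sign of a dropped backdoor; changed theme or core
// files are where injected scripts and SEO spam live.
func Compare(baseline, current map[string]string) Diff {
	var d Diff
	for path, sum := range current {
		if old, ok := baseline[path]; !ok {
			d.Added = append(d.Added, path)
		} else if old != sum {
			d.Modified = append(d.Modified, path)
		}
	}
	for path := range baseline {
		if _, ok := current[path]; !ok {
			d.Removed = append(d.Removed, path)
		}
	}
	sort.Strings(d.Added)
	sort.Strings(d.Modified)
	sort.Strings(d.Removed)
	return d
}

// writeThenSnapshot creates each relative path under root with the given contents, then snapshots the tree.
func writeThenSnapshot(root string, files map[string]string) (map[string]string, error) {
	for rel, content := range files {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return nil, err
		}
		if err := os.WriteFile(p, []byte(content), 0o644); err != nil {
			return nil, err
		}
	}
	return Snapshot(root)
}

// Demo lays out a tiny constructed "site" in a temp dir, baselines it, then simulates a
// compromise: the theme footer gains an injected tag and a PHP file appears under uploads.
// No real malware is involved; every string here is made up for the example.
func Demo() (Diff, error) {
	root, err := os.MkdirTemp("", "fim-demo")
	if err != nil {
		return Diff{}, err
	}
	defer os.RemoveAll(root)
	baseline, err := writeThenSnapshot(root, map[string]string{
		"wp-content/themes/storefront/footer.php": "<?php wp_footer(); ?>",
		"wp-content/uploads/2018/07/photo.jpg":    "not really a jpeg, and it will not change",
	})
	if err != nil {
		return Diff{}, err
	}
	current, err := writeThenSnapshot(root, map[string]string{
		"wp-content/themes/storefront/footer.php": "<?php wp_footer(); ?><script src='//example.invalid/m.js'></script>",
		"wp-content/uploads/2018/07/shell.php":    "<?php // dropped file",
	})
	if err != nil {
		return Diff{}, err
	}
	return Compare(baseline, current), nil
}

func main() { fmt.Println(Demo()) }
```

In practice the baseline must be stored somewhere the web server's own user cannot write, or an attacker with a foothold simply re-baselines after tampering; and the diff is only useful if someone is alerted when it is non-empty, which is the part the plugins automate.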

Posted in:
Security, WordPress


Ransomware Could Soon Hold Your Data Hostage

In 2017, global ransomware attacks like WannaCry and NotPetya rocked the world, devastating both businesses and government organizations. Troublesome though they were, they were only the beginning. Ransomware is on the rise, and it’s only going to get worse from here.

Criminals have realized that a ransomware outbreak can double as cover for a larger intrusion, and that data can be exfiltrated before it is encrypted so that the threat of publication adds to the leverage. They’ve realized that holding information for ransom can be just as lucrative as stealing and selling it. And they’ve realized that ransomware requires comparatively little effort on their part.

In short, you need to do everything in your power to protect yourself – here’s where you can start.

Back Everything Up

The best defense against a ransomware attack is and always will be a backup the attacker cannot reach. Keep several copies of your data and images of your systems, including at least one that is offline or otherwise isolated from the production network, so that any system compromised by ransomware can simply be wiped. At that point, it’s just a matter of restoring your systems to working order.

Now, there’s a reason I recommend multiple backups in multiple places. Ransomware developers know that backups are their main obstacle, so they have started to seek out and encrypt or delete any backup reachable from an infected machine. A copy mounted as a network share, or accessible with the same credentials as the systems it protects, is no protection at all.

Educate Your Employees

Believe it or not, your employees are a bigger risk to your data than any external bad actor’s tooling. Phishing, for example, is one of the chief delivery vehicles for malware and ransomware. If you don’t train your employees to recognize scams and socially engineered attacks, there’s a good chance you’ll be dealing with ransomware sooner rather than later.

Host regular training sessions and establish a knowledge base your staff can draw on to help them stay secure.

Ransom-Proof Your Systems

The most troubling fact about WannaCry is that it exploited a Windows vulnerability for which Microsoft had published a patch two months earlier. Many of the victims could have prevented infection if they’d simply kept their systems up to date. To that end, apply security patches and updates as soon as they become available – and wherever possible, retire operating systems that no longer receive them.

Additionally, make sure that any system on your network can be isolated on demand. That way, if ransomware does get in, you can cut it off before it spreads and causes widespread damage.

Don’t Let Hackers Hold You For Ransom

Ransomware isn’t going to stop being a problem. If anything, it’s only going to get worse – more advanced and sophisticated, and available as an attack method for more hackers than ever before. Defend yourself now, instead of wishing you did something later.

Posted in:
Security


Google Has Issued the Official Warning—Encrypt by July or Else

The move by browsers to warn visitors of web pages served via HTTP as “Not Secure” has been in the works for a while. Preparing for the inevitable has also probably been dead last on your to-do list. Unfortunately, pretending there’s no fire doesn’t mean you won’t eventually get burned.

Implementation has been gradual and the end date has been moved out a few times. According to today’s announcement by Google you’ll need to get an SSL certificate for all your webpages, not just the ones with login requirements or forms, by the time Chrome 68 launches. Starting July 2018, Chrome will universally alert visitors landing on any HTTP webpage. What began as a nudge from Google and Mozilla has become a no-exceptions requirement. I’m guessing the “Your connection is not secure” message isn’t what you want your visitors to see.

Why HTTPS?

HTTP served internet users well for many years, but on today’s cybercrime-ridden web it has one crucial flaw: it is not secure. HTTP data in transit can be read or manipulated by anyone between the visitor and the server.

HTTPS fixes that. The https:// in the address bar means the connection is encrypted and the server has been authenticated with a certificate, so transmitted information is protected from eavesdropping and tampering. It’s easy to understand why web browsers are now treating it as the standard.

HTTPS also lets you use the faster HTTP/2, gives a modest boost in search ranking, provides a smoother user experience and unlocks browser features, such as service workers, that only run on secure origins.

How do I get HTTPS?

SSL certificates enable HTTPS, and the sooner you install one covering every page the better. Remember that website security is about more than encrypting data: knowing who is on the other end of the connection is equally, if not more, important, so having the right level of identity validation matters. Choosing the right SSL certificate can be confusing, but it doesn’t have to be. Hostdedi is here to help you sort through your options. Together we’ll find the most cost-effective way to meet the July deadline, and boost your bottom line.


Posted in:
Security


Do eCommerce Stores Need An SSL Certificate?

When the address bar of your browser shows a padlock (or, for some certificates, turns green), you know it’s safe to send sensitive data over the internet to that site. All eCommerce stores need an SSL certificate to keep shoppers safe, but what exactly does an SSL certificate do?

An SSL certificate has two jobs: to prove that the server a shopper is talking to is really operated by the owner of that domain name, and to set up the encryption that protects everything sent from the shopper to the store and back again.

Identity Validation

When a shopper visits an eCommerce store and the address bar of their browser turns green or displays a lock, that means the browser trusts the site and its SSL certificate and that the data the shopper sends is protected. How does the browser know that it should trust the site? After all, anyone can make up a certificate.

SSL certificates are part of a system that includes certificate authorities, browsers, and websites.

SSL certificates are issued by certificate authorities, whose job it is to check that the applicant controls the domain they want a certificate for and, for higher-validation certificates, that the organization is who it says it is. Each authority has a root certificate, which it uses (directly, or more often through an intermediate certificate it has signed) to sign the certificates that eCommerce retailers install on their stores.

The language might be a bit confusing here: how does one certificate sign another certificate? It’s because they aren’t physical certificates; they’re digital certificates made of numbers, and the act of “signing” uses public-key cryptography to produce a value that could only have been generated with the private key matching the authority’s root certificate, and that anyone holding the root certificate can check.

There are hundreds of certificate authorities, each with a root certificate whose private key is kept in a very secure place, typically offline in dedicated hardware, because if that key leaked, criminals could sign certificates for any website in the world.

Now we get to the browsers. Browsers know how to recognize SSL certificates that have been signed by one of the certificate authority’s root certificates. They trust that the certificate authority did its job and verified that the organization that applied for the certificate really is who they said they were.

If the browser sees that a store’s certificate chains to a trusted certificate authority, it concludes that the shopper is connected to the server that genuinely controls that domain name, not to an impostor sitting between them, and it shows the lock icon to let the shopper know it’s safe to proceed. One caveat: a certificate proves control of the domain in the address bar, not good intentions. A phishing site at a look-alike domain can have a perfectly valid certificate, so the lock means the connection is genuine only to the site actually named in the bar.
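The signing and checking described above, as an added example rather than anything from the original post, using Go’s standard crypto/x509 package: build a root, have it sign a certificate for a hostname, then run the same verification a browser performs. The authority names and hostnames (shop.example, evil.example) are made up, and the rogue authority stands in for the “anyone can make up a certificate” case.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert generates a fresh key pair and has parentKey sign template on behalf of
// parent. With parent nil the certificate signs itself, which is how a root is made.
func makeCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewRoot builds a certificate authority's root: self-signed and allowed to sign others.
func NewRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return makeCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// IssueServerCert has a CA sign a certificate for one hostname, as a CA does for a store.
func IssueServerCert(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	cert, _, err := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert, err
}

// BrowserCheck does what the browser does with a store's certificate: confirm the
// signature chains to a root in its trust store and that the certificate is for the
// host the shopper actually typed. Any failure comes back as the error.
func BrowserCheck(leaf, trustedRoot *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// Scenario reports whether a genuine certificate for shop.example is accepted, whether
// the same certificate presented for another hostname is rejected, and whether a
// certificate for shop.example from a CA the browser does not trust is rejected.
func Scenario() (genuineOK, wrongHostRejected, rogueRejected bool, err error) {
	root, rootKey, err := NewRoot("Example Trusted Root CA")
	if err != nil {
		return
	}
	genuine, err := IssueServerCert("shop.example", root, rootKey)
	if err != nil {
		return
	}
	rogueRoot, rogueKey, err := NewRoot("Anyone Can Make A CA")
	if err != nil {
		return
	}
	rogue, err := IssueServerCert("shop.example", rogueRoot, rogueKey)
	if err != nil {
		return
	}
	var hostErr x509.HostnameError
	var authErr x509.UnknownAuthorityError
	genuineOK = BrowserCheck(genuine, root, "shop.example") == nil
	wrongHostRejected = errors.As(BrowserCheck(genuine, root, "evil.example"), &hostErr)
	rogueRejected = errors.As(BrowserCheck(rogue, root, "shop.example"), &authErr)
	return
}

func main() { fmt.Println(Scenario()) } // expect: true true true <nil>
```

The rogue certificate is mathematically just as valid as the genuine one; it fails only because its signer is not in the browser’s trust store, which is why the security of the whole system rests on which roots ship with the browser and on how those roots’ private keys are guarded. The hostname check is the other half: a certificate is accepted only for the names written into it.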

Encryption

The second job of an SSL certificate is encryption. Once again, this involves some pretty fancy math, but the result is that all the information sent by the user and the store — including credit card numbers and identifying data — is unreadable to anyone except the shopper and the store.

Without encryption, it would be easy for anyone to intercept sensitive data as it travels over Wi-Fi networks and the internet. Because of SSL encryption, even if a nosy person intercepts the data, they can’t read what it says.

And that’s why eCommerce stores need an SSL certificate. SSL certificates help to keep shoppers and their information out of the hands of criminals.

Posted in:
Security
