Interview • 01.03.2013
Online Shops: Secure Shopping Satisfies Customers
Interview with Sebastian Spooren, Project Leader at it-sicherheit.de
Whether it’s food, books or electrical appliances – online shops offer a very large assortment of products. At this point, Internet users in Germany are making 25 percent of purchases online. But is online shopping always secure? Online businesses and users should observe several rules when it comes to security.
Sebastian Spooren, Project Leader at it-sicherheit.de, shares some useful tips with iXtenso about data protection and about how online shops can convey their trustworthiness to customers.
Mr. Spooren, to ensure the protection of customer and company information, online businesses have to observe several safety regulations. Which of these are most important?
What is important is that sensitive customer data such as login data or account information is safely stored and adequately protected from third-party access. To prevent such access, the online shop has to be regularly audited by independent IT security experts during security audits. During these audits, so-called Web penetration and intrusion detection tests are performed, which check the Web application for weak spots and bottlenecks. This may uncover several weak spots, from SQL injections all the way to critical weak spots in the services used by the Web application due to outdated versions. Due to insufficient security measures, customer and user information is time and again unintentionally made public. To limit the damage potential for the affected party, online businesses should never save user passwords in clear text, but should use so-called hash functions in conjunction with a private key (salted passwords) instead.
In addition, you need to make sure that sensitive data such as order details and payment information are exchanged securely, and therefore encrypted, between customer and shop owner. Otherwise, outside parties could read sensitive data. Online shoppers should therefore always make sure that sensitive information is exchanged with SSL. The online shopper is able to detect this by the “https” instead of the “http” in the Web browser’s address bar. These days, most online businesses use “https” for secure communication, but unfortunately encryption is switched on too late in many businesses. “https” already has to be in the browser’s address bar when you enter sensitive information, for example in a login or registration form.
What criteria can convince customers about purchase security?
A customer is not able to discern whether an online shop has put adequate safety measures in place. The layperson can only look for a few security features. Outwardly visible characteristics such as the exchange of sensitive data via “https” are easy to spot and should be met in any case. The experienced user has further options to examine the security of an online shop more closely, for example by looking up the current version of the Web service used, where possible. However, whether the business has internally made adequate provisions to protect account information from third-party access, for example, is not clear to the user. Many online shops use seals of approval in this case to suggest to the user that enough attention has been paid to security. Generally, the user is not able to assess the authenticity and quality of such seals. To get a better idea of the online store, he/she should refer to the experiences and reviews of other users.
What role do certifications by inspection agencies such as Trusted Shops or TÜV (Technical Inspection Authority) play?
Certifications such as Trusted Shops or the TÜV quality seal are the right way to achieve standardized and appropriate security for online shops. There is no such thing as 100% security, and the issuers of such seals cannot attest to it either. Oftentimes only spot checks are made before the seal of approval is issued. Proper security is therefore not always guaranteed. In addition, one should keep in mind that the certification authority deemed the shop secure at the time of the inspection. Yet online shops usually continue to work on improvements and apply updates, and in doing so may unknowingly weaken the security level of the store, as shown by the example of the online bookstore Libri.de. Despite the TÜV seal, after a later software update, approximately 500,000 online customer invoices could be viewed.
Online shops are often at risk from external hacker attacks. How can you protect yourself?
Aside from regular penetration tests in which impartial IT security experts rate the security, regular security updates are important. The Institute for Internet Security has developed the free “securityNews” app for this purpose, which automatically suggests security updates. Above all, the development team as well as the service staff of the online shop should be regularly sensitized to the subject of IT security. This can be implemented with presentations, pamphlets or vivid live hacking sessions. In the latter case, company employees are shown how hackers proceed and how you can protect yourself against it. Find more information on the subject of live hacking at www.internet-sicherheit.de.
Interview conducted by Michalina Chrzanowska; iXtenso.com
First publication on EuroCIS.com
channels: online trading, security, certification