Practical Ecommerce

Hacked off

All ecommerce sites are vulnerable to being hacked. No matter how large you are, no matter how much you invest in security and infrastructure, you remain vulnerable. If hackers can penetrate major U.S. government systems, backed, presumably, by millions of dollars of security, they can likely penetrate any commercial system. The trick is not to make it worth their while.

First, penetrating a small site's security is neither a challenge nor a notable achievement for a hacker, so there is little prestige in it. Second, so long as you do not store any customer credit card or banking details on your server or network, the point of any hack is greatly diminished.

Nevertheless, to run your business you will almost certainly have stored some credentials to your company's online banking, credit card and PayPal accounts, and similar. These are natural targets. To limit your exposure if hackers do gain access to them, consider the following.

  • Transfer money out of PayPal frequently; keep only a small working amount there.
  • Use a designated credit card for Internet purchases; keep only a limited available balance on it.
  • Have a current bank account that you use for day-to-day transactions, but don’t keep much money in it and have no overdraft facility on it. Transfer money from a secure account when needed.
  • Don’t rely on a single payment method like PayPal.
  • Do not keep your customers’ details unencrypted.
  • Do not hold personal customer information unless you really need it. For example, whilst you clearly need their name and address, do you need customers’ date of birth and mother’s maiden name?

There may be other simple changes to the way you keep and use money that would protect you in your particular circumstances. But, even with protections in place, you may still be hacked.

If you have been hacked, the first thing to do is contact your bank, card company, and any other relevant company. On the computer side, your first instinct may be to change all passwords. Whilst this is worth doing — it will slow a hacker down a bit — you have a lot more to do, and you will almost certainly have to change the passwords again.

Seriously consider getting help from a qualified developer or security firm. It would be money well spent.

First, find out how the hackers got in. What vulnerability did they exploit? For my company, it was an old version of TeamViewer (software for remote access) that was left running on an outdated computer by an overly keen developer.

Once the vulnerability has been closed, obtain clean copies of antivirus and anti-malware tools and scan all your computers. It is likely that the hackers, once they were in your systems, left something behind that would let them back in again.

When you are 100 percent sure that your systems are secure, go back and change all passwords. Then go through all your websites and banking portals to ensure that someone has not changed the destination bank or card details to syphon off your money.

Then call your bank and replace all your credit cards. You do not know when you were actually hacked. You do not really know how long your computers have been compromised. Everything you have accessed or typed into the Internet in the last few weeks may have been copied.

Once the immediate danger is resolved, you may well have the tedious task of having to prove to the likes of PayPal who you are. This would be easier if the original details you provided to PayPal and similar were accurate. So why not check them now, before you get hacked?

Make sure that your name and address are 100 percent accurate. Make sure you have photo identification that reflects, exactly, your name and address. Make sure that the name on the account and the name on the credit card linked to the account are identical. Whilst it is perfectly possible to have one name on the account and a different name on the credit card, this kind of discrepancy could cause a nightmare if PayPal thinks your account has been hacked. Check for similar discrepancies on other sites, like Amazon and eBay. Time spent on making everything 100 percent accurate now could save your business later on.

Above all, remember that the employees at PayPal, eBay, or Amazon who vet you have a set of boxes to check. Do not rely on original thought and initiative from them. Give them clear documents and clear answers, so they can quickly tick the boxes and move on. Anything that makes their life easy will certainly make yours easy, too.

I have a friend whose name on her bank account was one character different to the name held by the tax office. The bank refused to cash a tax refund check. The tax office refused to re-issue the check in the corrected name for six weeks “to ensure that the other check was canceled.” A tiny typo resulted in a six-week wait for much needed cash. Don’t let a similar, silly hiccup stop you from reestablishing control of your accounts.

In short, it’s not the end of the world if your ecommerce site is hacked. The key is careful preparation, to minimize any bad effects.


Comments (3)

  1. Carlos Rivera, May 19, 2016

    Wow! Incredible advice. This is super important information for serious businesses which I myself am a victim of (TeamViewer, as well). Don’t leave yourself vulnerable. Thank you!

    • Richard Stubbings, May 20, 2016

      It is a good idea to review your security and tighten up your procedures. Once you have been hacked, then there is an incentive for the hacker to return a few days afterwards. You would have queried credit card and PayPal transactions, and a hacker, once regaining access, may then confirm the transactions and you could lose the money with no further recourse.

      • Carlos Rivera, May 24, 2016

        Thank you, Richard. I take your advice seriously. Cheers!