At SecurityFocus.com, programmers can post the details of software bugs to assist other professionals. These bugs could be in shopping carts, payment gateways, Unix code and more. The helpful programmers always supply, by name, the software manufacturer and the name of the program.
“Credit card thieves continually monitor sites like SecurityFocus.com,” says Dan Clements, CEO of CardCops.com, a Los Angeles-based security firm that consults with banks and other firms on credit-card fraud. “Once a programmer posts a vulnerable piece of software there, the hackers add it to their scanning programs and then search for ecommerce sites that use the flawed software.”
Find vulnerable code
For example, say a programmer discovers that XYZ Shopping Cart contains code that is vulnerable to hackers. He might post that code on a site like SecurityFocus.com. A thief could then copy that code, add it to his scanning program and search the Internet for sites that use XYZ Shopping Cart. Having located those ecommerce sites, the thief can then run his scanning program, which contains a list of flawed code (technically called a SQL injection list), against the sites’ servers to detect whether a particular line of code is in use. If it is, the thief can frequently penetrate the server and steal customers’ names, credit-card numbers, billing addresses and so forth.
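The scanning described above leaves a trace on the target: a burst of requests from one source whose query strings carry SQL fragments against the cart's pages. The following Python script is an added example, not code from the article or from any product it mentions. It parses a handful of constructed web-server access-log lines (the `/xyzcart/` paths and the source addresses are invented, and stand in for the article's "XYZ Shopping Cart"), flags query parameters that look like injection probes, and reports any source address that sent several such probes, which is how a site operator would notice that a "SQL injection list" is being run against the server.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access log (common log format). Addresses, paths and
# payloads are made up for illustration; "/xyzcart/" is a stand-in for the
# article's hypothetical XYZ Shopping Cart and not a real product path.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] "GET /xyzcart/cart.php?id=1 HTTP/1.0" 200 2326
203.0.113.5 - - [10/Oct/2000:13:55:37 -0700] "GET /xyzcart/cart.php?id=1%27 HTTP/1.0" 500 512
203.0.113.5 - - [10/Oct/2000:13:55:38 -0700] "GET /xyzcart/cart.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.0" 200 4120
203.0.113.5 - - [10/Oct/2000:13:55:39 -0700] "GET /xyzcart/admin.php?user=admin%27-- HTTP/1.0" 200 1200
198.51.100.7 - - [10/Oct/2000:13:56:01 -0700] "GET /xyzcart/cart.php?id=42 HTTP/1.0" 200 2326
198.51.100.7 - - [10/Oct/2000:13:56:05 -0700] "GET /xyzcart/checkout.php HTTP/1.0" 200 3100
"""

# One common-log-format line: source IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Indicators checked against each URL-decoded query parameter value.
# Names are ours (assumed, for labelling matches in the report).
INDICATORS = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE)),
    ("quote-comment", re.compile(r"'\s*(--|#)")),
    ("quote-boolean", re.compile(r"'\s*(or|and)\b", re.IGNORECASE)),
    ("trailing-quote", re.compile(r"^\d+'$")),  # numeric id with a stray quote
]


def parse_line(line):
    """Return the fields of one log line, or None if it is not in the expected format."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def injection_indicators(path):
    """Return 'param:indicator' labels for every query value that matches an indicator."""
    query = urlsplit(path).query
    found = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        for name, pattern in INDICATORS:
            if pattern.search(value):
                found.append(f"{key}:{name}")
    return found


def scan_log(text):
    """Summarise requests and injection probes per source address."""
    summary = defaultdict(lambda: {"requests": 0, "probes": 0, "indicators": []})
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue  # skip malformed lines rather than failing the whole run
        entry = summary[fields["ip"]]
        entry["requests"] += 1
        labels = injection_indicators(fields["path"])
        if labels:
            entry["probes"] += 1
            entry["indicators"].extend(labels)
    return dict(summary)


def suspected_scanners(summary, threshold=3):
    """Source addresses that sent at least `threshold` probing requests."""
    return sorted(ip for ip, entry in summary.items() if entry["probes"] >= threshold)


if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG)
    for ip, entry in report.items():
        print(ip, entry["requests"], "requests,", entry["probes"], "probes:", entry["indicators"])
    print("suspected scanners:", suspected_scanners(report))
```

The threshold is deliberately a parameter: a single quote in one request may be a typo or a legitimate value such as a surname, while several distinct indicators from the same address within seconds is the pattern of an automated list being run. On a real deployment the same logic would be pointed at the live access log and the flagged addresses fed to the operator's existing alerting.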
“Once they’ve found a vulnerable site,” says Clements, “the hackers will mine it day after day. The ecommerce owners don’t know their websites are exposed. We’ve seen consumers of such sites cancel and reissue credit cards multiple times, not knowing which site is causing the problem.”
According to Clements, the list of major ecommerce software providers that have had, at one time or another, vulnerable programming code is long and prominent. “I can tell you prominent ecommerce-related companies that have had flawed code,” says Clements. “When it happens, the programming flaws usually pop up on sites like SecurityFocus.com.”
The lists of flawed computer code used by hackers can contain thousands of entries. “These lists float around the Internet,” says Clements. “They aren’t really that hard to find.”
Keep software updated
“Each piece of software is a potential vulnerability,” says Clements. “But the good news is that software providers, including hosting companies, will usually fix a flaw immediately. So the hackers typically have just a couple of weeks to exploit it before it’s corrected.”
So, how do operators of ecommerce sites protect themselves from unwittingly using flawed software?
“The key is to keep the latest, most up-to-date version of each and every piece of software,” says Clements. “That’s the best way for ecommerce owners to protect their customers’ data.”