As companies rush to take advantage of the increasing amount of time users spend on the Web to sell them everything from cars to carpeting, malicious hackers are likewise rushing to take advantage of the flawed Web applications that deliver these online services.
Web site hacks are on the rise and pose a greater threat than the broad-based network attacks that have been giving IT departments fits. Whereas attacks against networks disrupt Internet service and negatively impact companies trying to do business over the Web or private networks, attacks against Web applications threaten to steal critical customer, employee, and business partner information stored in applications and databases linked to the Web.
Web hacking attacks numbered 58 in 2005, up from 16 in 2004 and 9 in 2003, according to the Web Application Security Consortium. Another 20 attacks have been reported this year against sites including open-source repository Sourceforge.net and social network MySpace.com, putting 2006 on pace to be the worst year yet.
Why is this happening? Several reasons. One is the prevalence of hacking tools online that can be found simply by using the Google search engine. Another reason is that Web applications aren't typically designed with security in mind, which leaves them open to SQL injections and cross-site scripting attacks that manipulate input entered into an application field in order to get the application to cough up more information than the user has the right to see.
Generally, "people who build Web applications are optimistic people," says Gary McGraw, chief technology officer with Cigital Inc., a maker of risk management software. "They don't consider that someone would try to break their programs."
This trend is particularly disturbing to financial services companies, which are looking to make online banking and investing less expensive and more convenient. Bank of America reported on Tuesday that sales of products via the bank's Web site totaled 3.8 million accounts in 2005, an increase of 69% over the previous year. This included 2.3 million online activations, 380,000 new savings accounts, 375,000 new credit card accounts, and 298,000 new checking accounts. Of course, Bank of America, Washington Mutual, Wells Fargo, and some smaller banks and credit unions earlier this year were forced to shut down PIN-based transactions and reissue debit cards after customer PIN information stored in a retailer's point-of-sale application was stolen.
And don't count on banking customers to fend for themselves. A TD Canada Trust survey of more than 700 consumers found that less than 30% of Web banking users were aware of the terms "phishing" and "Web site spoofing." Most customers believe their bank should be primarily responsible for security measures with respect to online banking.
HSBC Bank will address the increasing threat of fraud caused by stolen data in May when it issues 180,000 strong authentication tokens to UK Business Internet Banking customers. These Digipass GO3 tokens, from Vasco Data Security International Inc., generate a unique one-time password when users log on to their banking accounts via the Web.
No one needs to tell online brokerage firm Scottrade about the value of Web security. The company in November had to notify a number of its clients that their personal information may have been exposed thanks to a data breach found in a partner company's data processing system. The system was running Troy Group Inc.'s eCheck Secure online checking application, which lets users submit data from their checking accounts and have transactions automatically debited without using credit or debit cards.
Scottrade's investigation into the breach is ongoing, but it recently bolstered the security of its Web-based trading systems by placing them behind an Imperva Inc. SecureSphere Web Application Firewall. Imperva's Web application firewall, which is an additional layer of security that can be used along with network and desktop firewalls, reinforces a company's application security policies, which specify the amount and type of data that can be put into any field. While a firewall isn't likely to be as secure as an airtight application, it's quicker than reviewing all of a company's software for security bugs.
Whether through more secure application programming practices, authentication devices, or firewalls, or all three, Web applications are going to have to become more secure. Otherwise 2006 is likely to be just as bad a year for customer data as 2005 was.