After Penetrating Your Website, a Hacker Can Do Business as You
Nonprofit Let’s Encrypt helps reduce the cost of the conversion to the secure https protocol.
“Unfortunately, website security is becoming a prominent issue,” said Evy Hanson, owner of Leap Online Marketing (www.leaponlinemarketing.com). Hanson added that she personally knows of two businesses whose websites have been hacked in the past year.
While any sort of website identity theft is alarming, the version that results in a hacker taking command and control of your website—and ultimately of your business dealings—is especially brutal. Under that scenario, hackers find a way to break into your website and then take over all of the interfaces your business uses to operate that website.
Simultaneously, the hacker also gets access to your business’ accounts payable and receivables software as well as its email correspondence software.
With all the tools to do business as you in hand, the hacker begins cutting deals with your customers via your website, instructing them to wire payments for goods and services to a new bank account—an account that is owned and operated by the hacker. After a few quick deals and lots of laughs, the hacker vanishes, along with all the cash that has been wired to his or her bank account. Ultimately, the victimized business finds out about the scam only weeks or months later, when hordes of angry customers start calling, demanding goods and services that were never delivered.
Perhaps most unsettling about this new spin on cybercrime is that even the most strongly secured websites—properties that are maintained by technologically sophisticated, multibillion-dollar global corporations—are vulnerable. Indeed, IT security researcher Arun Sureshkumar proved that reality with chilling clarity last summer when he demonstrated how he could hack any Facebook page and take it over as administrator in less than 10 seconds (http://tinyurl.com/arunsureshkumar-me-index).
Once established as administrator, Sureshkumar could have easily set up payment processing on the hijacked page for any sort of deals he felt like making, using popular payment processors such as PayPal and Stripe (www.facebook.com/business/help/1672007083043120). Fortunately for all the businesses that use Facebook to sell goods and services, Sureshkumar alerted the social-media goliath to the security weakness, and it was immediately patched by Facebook.
But the ruse underscored a hard reality: No business—no matter how seemingly powerful and mighty—is immune to website identity theft.
In fact, more than 75% of popular sites on the web have unpatched vulnerabilities, according to an April 2016 study from IT security firm Symantec (www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf). All told, online fraud—including website identity theft—is rapidly escalating and is expected to reach $25.6 billion by 2020, up $10.7 billion from 2015, according to a 2016 study by Juniper Research.
As Sureshkumar so disturbingly demonstrated, few websites are completely impenetrable against a determined hacker, but every business at least needs to give itself a fighting chance against criminals looking to hijack its web identity. Here’s what web security experts say you should do to ensure that your business is not seen by thieves as low-hanging fruit:
Bulletproof Your Website’s Dashboard: Your site’s dashboard—the place where you enter your website authoring software with an ID and password to make changes and updates—needs to be extra secure. Start with a super-strong ID and password by creating both at Random.org’s Random Password Generator (www.random.org/passwords). There, you can create passwords and IDs up to 24 characters long that are extremely tough to crack. And you can also add two passwords together, if you’re looking for even greater security.
Meanwhile, be sure to have your web designer add a two-factor (sometimes called double) authentication requirement for entry into your website’s dashboard. Many banking customers already have two-factor authentication on their online checking accounts: they first enter the ID and password for the account, but before they can log in, they must retrieve and enter a one-time numerical code that the bank sends to their email account.
You can also harden your website dashboard by allowing access to it only from a predetermined list of IP addresses. (Every device on a network has an IP address, which your web designer can use to identify it.) You can also have your designer program your website so that, after three or so wrong log-in attempts, the dashboard freezes and can only be reopened with intervention by a human from your IT department.
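As an added illustration (not code from the article or from Leap Online Marketing), here is a minimal Python login gate that enforces both controls just described: an IP allowlist checked before the password is even looked at, and a freeze after three wrong attempts that only a human administrator can lift. The allowlisted networks, the credential store and the method names are assumptions constructed for this example.

```python
import hmac
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

MAX_FAILED_ATTEMPTS = 3  # "three or so" wrong log-in attempts, per the article


@dataclass
class DashboardGate:
    # Constructed sample allowlist (documentation address ranges): the office
    # network plus one administrator's fixed home address.
    allowed_networks: list = field(default_factory=lambda: [
        ip_network("203.0.113.0/24"),
        ip_network("198.51.100.7/32"),
    ])
    # Constructed credential store. A real site keeps salted password hashes;
    # plain text is used here only to keep the example short.
    credentials: dict = field(default_factory=lambda: {"owner": "correct horse battery staple"})
    failed_attempts: dict = field(default_factory=dict)  # username -> wrong attempts so far
    frozen: set = field(default_factory=set)             # usernames waiting for a human unlock

    def ip_allowed(self, client_ip: str) -> bool:
        addr = ip_address(client_ip)
        return any(addr in net for net in self.allowed_networks)

    def login(self, username: str, password: str, client_ip: str) -> str:
        """Return 'ip-denied', 'frozen', 'bad-credentials' or 'ok'."""
        if not self.ip_allowed(client_ip):
            return "ip-denied"  # outside the allowlist: never reaches the password check
        if username in self.frozen:
            return "frozen"     # even a correct password will not open a frozen account
        stored = self.credentials.get(username, "")
        if stored and hmac.compare_digest(stored.encode(), password.encode()):
            self.failed_attempts.pop(username, None)  # success resets the counter
            return "ok"
        count = self.failed_attempts.get(username, 0) + 1
        self.failed_attempts[username] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self.frozen.add(username)  # stays frozen until unlock() is called
            return "frozen"
        return "bad-credentials"

    def unlock(self, username: str) -> None:
        """Human intervention from the IT department: lift the freeze, reset the counter."""
        self.frozen.discard(username)
        self.failed_attempts.pop(username, None)
```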
Get a Free Google Webmaster Account From Google (www.google.com/webmasters): Offering a plethora of free tools for site owners, Google Webmaster can also often detect when your website has been hacked and will inform you of the hack via your account, according to Leap’s Hanson.
Secure Your Website Folders: While all website files and folders should have proper permissions and ownership, this basic step is often overlooked. Ask your web designer to apply these controls. The move can deny attackers the ability to upload malicious files and execute code that can compromise not only your site but also your server.
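As an added example (not code from the article), the following Python audit walks a web root and flags the two permission mistakes the paragraph above warns about: world-writable files or directories, and files inside an uploads directory that carry an execute bit. The directory name "uploads", the 755/644 baseline and the sample tree are assumptions constructed for this example.

```python
import os
import stat
import tempfile

UPLOAD_DIR_NAMES = {"uploads"}  # assumption: the directory where visitor-supplied files land
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def audit_web_root(root: str) -> list:
    """Return sorted (relative path, problem) pairs; an empty list means the tree is clean."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_uploads = any(part in UPLOAD_DIR_NAMES for part in rel_dir.split(os.sep))
        entries = [(dirpath, True)] + [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # lstat reports the link itself; its target is audited where it lives
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))  # any account on the host can write here
            if not is_dir and in_uploads and mode & EXEC_BITS:
                findings.append((rel, "executable file in uploads"))
    return sorted(findings)


def fix_permissions(root: str) -> None:
    """Apply the usual baseline: directories 755, files 644, so group/other cannot
    write and no file (uploads included) carries an execute bit."""
    for dirpath, _dirnames, filenames in os.walk(root):
        os.chmod(dirpath, 0o755)
        for f in filenames:
            p = os.path.join(dirpath, f)
            if not os.path.islink(p):
                os.chmod(p, 0o644)


def build_sample_tree() -> str:
    """Constructed sample site in a temp dir with two deliberate mistakes."""
    base = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(base, "uploads"))
    for rel, mode in [("index.php", 0o644), ("uploads/photo.jpg", 0o755)]:
        p = os.path.join(base, rel)
        with open(p, "w") as fh:
            fh.write("sample\n")
        os.chmod(p, mode)
    os.chmod(os.path.join(base, "uploads"), 0o777)  # world-writable upload directory
    return base
```

Ownership is the other half of the control: the web server account should not own (and so should not be able to rewrite) the site's code, which this mode-only audit does not check.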
Keep All of Your Website Software Up-to-Date: One of the primary reasons web software companies continually update their software is to plug security holes. Unfortunately, those companies generally inform the public about the specific security holes they’re plugging. So if you don’t make the fix, a hacker knows where to look on your site for an easy way in, according to Leap’s Hanson.
Be Doubly Careful If Your Website Runs on WordPress: When it comes to security, WordPress is unfortunately a victim of its own success. The web-authoring system is so popular that it has become a favorite target of hackers. One of the major benefits of WordPress’ popularity for criminals is that if a hacker finds a security hole in one WordPress site, he/she knows that there are probably thousands—if not millions—of websites that are also sporting the same security hole.
Install a Firewall on Your Website: “A firewall routes web traffic through a separate server, determining whether it’s safe traffic or not before allowing it to go to your website,” Hanson said. “This does not cause a delay for the end user.” Most modern web firewalls are cloud-based and are provided as a plug-and-play service for a modest monthly subscription fee.
Install a Security Plugin: For WordPress users, there are a number of free security plugins, including iThemes Security (www.wordpress.org/plugins/better-wp-security) and Bulletproof Security (www.wordpress.org/plugins/bulletproof-security). Similar software exists for websites that use other types of website content-management systems.
Get Your Designer to Use https Protocol: Technically speaking, https guarantees to users that they’re talking to the server that’s hosting the website they’re trying to reach. And it guarantees that no one can intercept or change the content coming from the website or the transactions between the website and a website visitor. Nonprofit organization Let’s Encrypt helps businesses reduce the cost of the conversion to https protocol (https://letsencrypt.org/about).
Auto-Scan All Devices You’re Plugging Into Your Business Computer Network: Have your IT department secure your system with software that automatically scans any device—such as a flash drive, external hard drive, etc.—for malware any time such a device is attached to your network.
Back Up Frequently: Just in case the worst happens, be sure to keep everything backed up. The rule of thumb is to back up at your business, back up off-site and keep a third “cold backup” off your network (a backup that is disconnected from your computer network as soon as it’s made), all on a daily basis.
Use a Monitoring Service: Services such as SiteLock (www.sitelock.com) will monitor your website every day for malware, viruses, suspicious code, attempted break-ins and out-of-date software.
Have a Major Security Talk With Your Web Designer: Knowing about the safeguards above will enable you to talk intelligently with your web designer about your website’s security. He or she needs to know that you consider website security ultra-critical to your business.
Joe Dysart is an internet speaker and business consultant based in Manhattan.