With the holiday shopping season in full swing, we thought it was a good time to take a look at one of the industries with the biggest impact on consumers. Over the past several years we’ve seen an increase in the number of retail and ecommerce companies embracing the crowdsourced model. In this year’s State of Bug Bounty we reported that 9 percent of programs launched in 2018 were ecommerce and retail — three times more than the year before.
In fact, the retail and ecommerce companies embracing crowdsourced security are some of the most security-conscious out there. In the context of a growing consumer awareness when it comes to security and the stringent regulations resulting from the rising tide of breaches over the last several years, adoption of crowdsourced security, especially vulnerability disclosure programs, makes a lot of sense.
Of the vulnerabilities Bugcrowd researchers submitted on retail and ecommerce programs in 2018, 29 percent were critical. But what qualifies as a critical vulnerability?
In 2018 the top three vulnerabilities in this industry (though certainly not limited to it) were:
- Server Security Misconfiguration (using default credentials)
- Broken Authentication and Session Management (authentication bypass)
- Sensitive data exposure / sensitive data or password disclosure
If you’re wondering what these vulnerabilities are and what they mean for the everyday consumer, read on.
Server Security Misconfiguration (using default credentials)
Number 6 on OWASP’s 2017 Top 10, Security Misconfiguration is incredibly common and equally dangerous. Improper configurations lead to a range of issues, giving attackers unauthorized access to system data or functionality and sometimes resulting in complete system compromise. One of the biggest culprits is failing to change default passwords. There is a very easy fix for this potentially very big problem: turn everything off by default. Disable admin interfaces and debugging, and disable or replace default accounts and passwords.
These are among the easiest vulnerabilities to find and among the most impactful for organizations. A healthy asset management plan is key to keeping them under control.
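As an added illustration of the "off by default" advice (example code, not from the original post or from Bugcrowd), the following start-up preflight check refuses to run a service whose configuration still has an admin interface or debug mode enabled, or an account that matches a known default login. The config keys, the default-credential list and both sample configs are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed list of vendor-style default logins an appliance or app might ship with.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}


@dataclass
class ServerConfig:
    admin_interface_enabled: bool
    debug: bool
    accounts: dict = field(default_factory=dict)  # username -> password (assumed layout)


def misconfiguration_findings(cfg: ServerConfig) -> list:
    """Return one finding per violated rule; an empty list means the config passes."""
    findings = []
    if cfg.admin_interface_enabled:
        findings.append("admin interface is enabled; disable it or bind it to an internal network")
    if cfg.debug:
        findings.append("debug mode is enabled; stack traces and internals may leak to clients")
    for user, pwd in cfg.accounts.items():
        if (user, pwd) in DEFAULT_CREDENTIALS:
            findings.append(f"account '{user}' still uses a default password")
    return findings


def assert_safe_to_start(cfg: ServerConfig) -> None:
    """Fail closed: refuse to start rather than run with a known-bad configuration."""
    findings = misconfiguration_findings(cfg)
    if findings:
        raise RuntimeError("refusing to start:\n  " + "\n  ".join(findings))


# Constructed "before" config: everything left on, default login untouched.
WEAK = ServerConfig(admin_interface_enabled=True, debug=True, accounts={"admin": "admin"})
# Constructed "after" config: defaults turned off, password set at install time.
HARDENED = ServerConfig(admin_interface_enabled=False, debug=False,
                        accounts={"admin": "s3t-at-1nstall-time"})

if __name__ == "__main__":
    for line in misconfiguration_findings(WEAK):
        print("WEAK:", line)          # prints three findings
    assert_safe_to_start(HARDENED)    # passes silently
```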
Broken Authentication and Session Management (authentication bypass)
Next up, and ranked third on OWASP’s 2013 Top 10, is Broken Authentication and Session Management. Essentially, if authentication and session management are not implemented correctly, attackers can compromise passwords, keys, or session tokens. In other words, attackers look for flaws in the authentication or session management functions (e.g., exposed accounts, passwords, or session IDs) in order to impersonate users. As common as they are difficult to spot, these flaws can result in full account takeover, granting an attacker full access to and control of the system.
Session management is a notoriously hard problem for most organizations. Retailers must remain especially vigilant because of how, and what kind of, customer data they store. Any compromise of that data could spell disaster, as recent breaches have shown, and could have long-lasting negative effects on the brand. Let’s not forget that GDPR will have even larger effects on EU retailers.
Retailers should tighten their authentication mechanisms this holiday season, as this is when shoppers are going to be spending a lot of money. Any compromise of accounts or passwords is likely to send shoppers looking at other retailers with a better security track record.
Sensitive data exposure / sensitive data or password disclosure
Coming in at number 3 on OWASP’s 2017 Top 10 is Sensitive Data Exposure. It is exactly what it sounds like: exposure of sensitive data such as banking or health records, PII (social security number, date of birth), user accounts, email addresses, or passwords. How is this data exposed? There are a few ways: lack of encryption, failure to prevent browser caching, or even a forgotten or mistaken data upload. Even if the data is encrypted, weak keys or weak password hashing techniques can still give attackers access… and access to this data usually requires a manual attack: man-in-the-middle interception, stolen keys, or theft directly from a server or while the data is in transit.
What can consumers do? While most consumers will not know how to identify these issues, there are things to look for, such as whether or not the vendor has a vulnerability disclosure program. Given how frequently this type of issue is found in our programs, it’s likely that if a vendor is running a crowdsourced security program the issue has already been found… and fixed.
On a practical level, there are a few things consumers can do to keep themselves secure. The first is two-factor authentication (2FA). Most services (including ecommerce sites) support 2FA. Activate it wherever you can, especially on your personal email and social media accounts (i.e. the ones which, if accessed, can be used to reset all your other passwords and gain access to your accounts).
Minimizing password reuse on important services such as financial accounts (and those holding critical PII) is an important step. A password manager is the perfect tool for this. Tools such as 1Password, LastPass, and Keeper Security all have password reuse detection. Take advantage of it and give your internet identity a review before the new year.
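To make the "weak password hashing" case above concrete, here is an added example (not from the original post or from Bugcrowd) showing a stored password that falls to a trivial lookup table because it was hashed fast and unsalted, beside the same password stored with a per-user salt and a memory-hard KDF. The three-entry lookup table, the sample passwords and the salt$digest storage format are constructed assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Optional


def weak_hash(password: str) -> str:
    """Unsalted, fast hash: equal passwords give equal digests, so a precomputed
    table of common passwords recovers them from a leaked database instantly."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes = b"") -> str:
    """Random per-user salt plus scrypt (memory-hard), stored as salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt.hex() + "$" + digest.hex()


def verify_strong(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    candidate = strong_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


# Constructed lookup table: what a leaked table of unsalted digests is matched against.
COMMON_PASSWORDS = ["password", "123456", "letmein"]
LOOKUP = {weak_hash(p): p for p in COMMON_PASSWORDS}


def recover_from_lookup(stored_digest: str) -> Optional[str]:
    return LOOKUP.get(stored_digest)


def demo() -> dict:
    leaked_weak = weak_hash("letmein")
    leaked_strong = strong_hash("letmein")
    return {
        "weak_recovered": recover_from_lookup(leaked_weak),                      # "letmein"
        "strong_recovered": recover_from_lookup(leaked_strong.split("$")[1]),   # None
        "strong_verifies": verify_strong("letmein", leaked_strong),             # True
        "strong_rejects": verify_strong("letmeout", leaked_strong),             # False
    }


if __name__ == "__main__":
    print(demo())
```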