Online shopping is quick and easy, but customer confidence was rocked recently when Drupal, the website and content management software giant, admitted a bug in its system.
About a million websites using Drupal 7 software were potentially compromised, leaving consumers wondering how safe their data really is. High-profile names including US Dickies Workwear, UK cosmetics company Lush and iconic fashion house Kenzo are just a few of the big brands using Drupal 7.
Website vulnerability gives hackers an open door
Drupal’s security alert on October 15 admitted a weakness in the application program interface (API) which hackers could exploit. Although companies taking online payments must comply with the payment industry’s data security standard (PCI DSS), even this does not keep data safe on a compromised site. Former New York Stock Exchange chief digital officer Bob Kerner warns that once hackers enter a website they can take over secure payment systems such as PayPal, creating a realistic fake one. “If you are in the commerce space you need to know about security. It’s your responsibility to set up updates with whatever security platform you are using. The most important thing is your brand and your image, and if there is a compromise then people will know about it.”
Making the system watertight
He advises subscribing to security newsletters that bring vendors up to date on what they should be doing. Kerner, who runs the 9Doors Commerce security consultancy, advocates verifying the web system and design with cyber security providers such as Trustwave. He recommends hiring a consultant to check that payment systems are industry compliant. “Security isn’t difficult, it’s not hard, it’s just there are so many things you have to do. You can’t get one thing wrong. If you design your system so that you can recover from an attack you will be in a much better position.” He urges making sure the site is properly hosted and behind a firewall, and that any open ports on the machine are locked down; in other words, only let in the traffic necessary to serve the website. Kerner adds that because Drupal software is open source there is greater transparency, with users able to see everything from the operating system to the web server. Experts claim, for example, that with a closed-source system such as Microsoft’s you might not know if there’s a security problem, and you don’t have the flexibility to change the code.
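Kerner’s advice to lock down every port the site does not need is easy to state and easy to let slip, so the following is an added example of how an operator can check it on a Linux host; it is not code from the article, from Drupal or from any company named here. It parses `ss -tln`-style output (the sample below is constructed, not captured from a real server), reports any socket reachable from outside the machine that is not on the allowlist, and renders an nftables input policy that admits only the allowed ports plus SSH from an administrative network. The allowlist of ports 80 and 443, the admin network 203.0.113.0/24 and the sample output are all assumptions.

```python
"""Audit listening sockets against the ports a web site actually needs.

Added example for this article, not code from Drupal or any vendor named
in it. It parses `ss -tln`-style output, flags sockets that are reachable
from outside the host but not on the allowlist, and renders an nftables
input policy that admits only the allowed ports.
"""
from __future__ import annotations

from dataclasses import dataclass
import ipaddress

# Assumption: the site only needs HTTP and HTTPS from the public internet.
ALLOWED_PORTS = frozenset({80, 443})

# Assumption: administrative SSH access comes only from this network.
ADMIN_CIDR = "203.0.113.0/24"

# Constructed sample of `ss -tln` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       511     [::]:80              [::]:*
LISTEN  0       128     *:11211              *:*
"""


@dataclass(frozen=True)
class Listener:
    host: str
    port: int

    @property
    def exposed(self) -> bool:
        """True when the socket is bound to something other than loopback."""
        if self.host in ("*", "0.0.0.0", "::"):
            return True  # wildcard bind: reachable on every interface
        return not ipaddress.ip_address(self.host).is_loopback


def parse_listeners(ss_output: str) -> list[Listener]:
    """Extract (host, port) pairs from the LISTEN rows of `ss -tln` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]")  # "[::]" -> "::"
        listeners.append(Listener(host, int(port)))
    return listeners


def unexpected_exposure(ss_output: str,
                        allowed: frozenset[int] = ALLOWED_PORTS) -> list[tuple[str, int]]:
    """Return exposed (host, port) pairs whose port is not on the allowlist."""
    hits = [(l.host, l.port) for l in parse_listeners(ss_output)
            if l.exposed and l.port not in allowed]
    return sorted(hits, key=lambda h: (h[1], h[0]))


def render_nft_input_policy(allowed: frozenset[int] = ALLOWED_PORTS,
                            admin_cidr: str = ADMIN_CIDR) -> str:
    """Render a default-drop nftables input chain admitting only the allowlist."""
    ports = ", ".join(str(p) for p in sorted(allowed))
    return "\n".join([
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        f"    tcp dport {{ {ports} }} accept",
        f"    ip saddr {admin_cidr} tcp dport 22 accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    for host, port in unexpected_exposure(SAMPLE_SS_OUTPUT):
        print(f"exposed but not allowed: {host}:{port}")
    print(render_nft_input_policy())
```

On the constructed sample the audit flags SSH on every interface and memcached on port 11211; the MySQL socket on 127.0.0.1 is not reported because it is bound to loopback only. In practice feed it `ss -tln` from the real host and load the rendered policy with `nft -f` once the admin network value has been set for your environment.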
Retailers using Drupal 7 were reluctant to comment on the issue; some, however, were more forthcoming. Jamie Dammrich, spokeswoman for Dickies Workwear (www.dickies.com), said the issue was under control. “The site’s website development company informed us of the Drupal security issue as soon as it occurred and confirmed that the issue was resolved immediately with no vulnerability or security breach attempts to the site.” Another Drupal 7 user, UK lingerie retailer French Affairs, also said they’d looked into the issue but were confident their site was safe. Director and founder Lynne Parkinson said: “The web developers have assured me that the French Affairs site was always safe as modules cannot be installed without going through their code repository (git) and that the site had already been patched.”
Drupal said the majority of the 52,000 merchants using Drupal 7 should be safe. Robert Douglass, product director of Commerce Guys, the Drupal enterprise that helps online merchants, said: “People who host their sites on Drupal-specific solutions, such as www.platform.sh, were protected immediately from potential attacks.” He added that sites with dedicated maintenance providers would be all right, but generic sites with no maintenance could be “likely to be in trouble”.
The incident follows in the wake of high-profile scandals such as Target’s problems last year, in which up to 40 million customer payment-card numbers were taken, and more recently when Russian hackers mined JP Morgan Chase’s databanks in June.
Customers need to feel safe
British Independent Retailers Association deputy chief executive Michael Weedon believes consumers need to be reassured they are safe, especially in the lead-up to Christmas. “In many cases the person looking after the mechanics of the site is external. They need to ask whoever is responsible, ‘Are we using this software?’ and act accordingly. We need to be aware that there are security issues all around us. You can be in a shop and your details can be compromised in just the same way as online. It’s a big bad world out there.” He added that smaller retailers tend to be more conservative when it comes to choosing a website content management system, preferring software such as MyHigh.st or Shopcreator rather than an open source system.
Drupal software grew out of a message board system created by Antwerp University computer undergraduates Dries Buytaert and Hans Snijder back in 2000. Buytaert developed the system to create a small news site with a built-in web board and released the software in 2001. Drupal claims up to 2% of the world’s websites use its software. In 2012, Buytaert was awarded entrepreneur of the year for New England by management consultancy Ernst & Young.