Half of U.K. shopping websites 'open to attack'

Powered by SC Magazine

Security flaws in half of U.K. retailers' websites leave them open to attack, new research found.

The vulnerability centres on the "forgotten password" feature on log-in pages that emails shoppers their passwords. According to penetration testing company SecureTest, many of these websites can be subjected to a "brute force" or enumeration attack. It found that 54 of the 107 retailers' sites visited (50.5 per cent) could be vulnerable to this type of attack.

Enumeration is the process of looking for differences in the response from an application when submitting valid and invalid user accounts. On a retailer's website, the username or registered email address can be inserted correctly and incorrectly on the "forgotten password" page in order to look for these differences.

If a valid username is entered, the application will respond stating that a password will be sent to the user by email. If an invalid username is entered, the application may respond with "invalid account name." Using this information, scripts can be written to try numerous account names, exploiting these differences in response. While this is a time-consuming process, over time a list of valid accounts can be compiled.

With this list of valid email addresses, hackers can use brute force techniques to attack the application and crack account passwords. The username and password can then be used to log in to user accounts, allowing hackers to purchase goods or extract confidential data, such as postal addresses and credit card details.

Some retailers have put in place a "lock-out" on user accounts after a fixed number of failed password attempts to combat this type of attack. But SecureTest said that while this appeared a good idea, it left the retailer open to other forms of abuse. There was also a risk that an attacker would bombard valid accounts with bad passwords and lock customers out, creating in effect a denial of service (DoS) attack in which an aggressive lock-out policy makes the application block its own legitimate users.

Ken Munro, managing director for SecureTest, said that the research on retailer websites "repeatedly found that enumeration is possible."

"There's nothing more serious than gaining access to user accounts, particularly when users' credit card details are stored within, and the potential cost to the retailer in terms of loss of consumer confidence could be catastrophic," said Munro. "Alarmingly, this problem is not limited to retail. Most websites with a password reminder function are vulnerable to enumeration attacks."

Munro urged retailers to put in place security features such as a "time out" on log-in forms, no permanent lock-out on the log-in form, and generic error messages on log-in forms, so that attackers gain no clues about users' details.
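The leaky "forgotten password" pattern the article describes, beside a hardened handler that follows the advice above, as an added example (not SecureTest's or any retailer's code): the hardened version returns one generic message for every address and applies a 15-minute per-address time-out instead of a permanent lock-out. The account store, outbox and `leaks_existence` check are constructed for this example.

```python
import time
from collections import defaultdict

# Constructed sample account store (placeholder addresses, no real hashes).
USERS = {"alice@example.com": "<hash>", "bob@example.com": "<hash>"}
OUTBOX = []  # stands in for the mail queue so the example runs offline
GENERIC_MESSAGE = ("If that address is registered, a password reset link "
                   "has been sent to it.")


def queue_reset_email(email):
    OUTBOX.append(email)  # a real deployment would send a one-time reset link


def forgot_password_leaky(email):
    """Vulnerable pattern from the article: the reply reveals whether the
    address is a registered account, so valid accounts can be enumerated."""
    if email in USERS:
        queue_reset_email(email)
        return "A password reminder has been sent to your email address."
    return "Invalid account name."


_requests = defaultdict(list)            # email -> timestamps of recent requests
WINDOW_SECONDS, MAX_PER_WINDOW = 900, 3  # 15-minute "time out", not a lock-out


def forgot_password_hardened(email, now=None):
    """Returns the same text for every input, so registered and unregistered
    addresses are indistinguishable from the response. Only real accounts get
    a mail, and requests beyond MAX_PER_WINDOW for one address inside
    WINDOW_SECONDS are silently dropped; the limit expires on its own, so an
    attacker cannot lock a customer out permanently by hammering the form."""
    now = time.time() if now is None else now
    recent = [t for t in _requests[email] if now - t < WINDOW_SECONDS]
    _requests[email] = recent + [now]
    if len(recent) < MAX_PER_WINDOW and email in USERS:
        queue_reset_email(email)
    return GENERIC_MESSAGE


def leaks_existence(handler, known_valid, known_invalid):
    """Regression check for a site's own test suite: True if the handler's
    reply differs between a registered and an unregistered address."""
    return handler(known_valid) != handler(known_invalid)
```

Response text is only one channel: queue the mail asynchronously so that response time does not differ between the two branches either.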

Copyright © SC Magazine, US edition
