
Security Strategy

Ecommerce sites panned for lack of security testing

While there are still glitches, there's still work to be done...

Tags: argos, ethical hacking, penetration testing, security

By Will Sturgeon

Published: 20 May 2005 16:50 BST

Despite a series of high-profile online security blunders at leading retailers such as Argos and B&Q in recent years, companies selling online are still failing to train staff to look for bugs and glitches which could betray customer details or give rise to fraud.

While sophisticated hackers might always find a way into a system, many companies, such as the two mentioned above, are guilty of some basic failings which would have been discovered within minutes of penetration testing, according to a leading expert.

Dan Newman has been running one of the most popular certified ethical hacking courses for three years at the UK-based Training Camp and says he's not seen a single student from an ecommerce company put forward to attend, while financial institutions, government departments and the military are well up on the need for penetration testing.

"We had one guy who worked for a retailer but he funded it himself because he was actually looking to move into a new job in a different sector," said Newman.

While this doesn't mean ecommerce sites have never honed their penetration-testing skills, Newman is confident he'd have seen some of them through his classroom at least, or heard of their efforts if such skills were commonly used in the online retail sector.

Newman walked silicon.com through a very basic 'hack' which simply involves changing cookies to access any number of customers' details on one ecommerce website. By doing so a hacker would be able to download paid-for documents from other users' accounts with one keystroke.
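The cookie-trust flaw Newman describes, as an added example that is not from the article or from any retailer it names: a download handler that takes the customer's identity from a plain, client-editable cookie, beside a hardened handler that binds identity to a server-side session, integrity-protects the cookie with an HMAC, and checks that the requesting customer owns the document. The document table, customer ids and the framework-free request shape (a plain cookie dict) are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: document id -> owning customer id.
DOCUMENTS = {"doc-1": "cust-100", "doc-2": "cust-200"}


def vulnerable_download(cookies, doc_id):
    """Identity is read straight from a cookie the client controls."""
    customer = cookies.get("customer_id")  # unverified, client-editable
    if customer is None:
        return 401
    owner = DOCUMENTS.get(doc_id)
    if owner is None:
        return 404
    # Ownership is checked against whatever id the cookie claims, so editing
    # the cookie to another customer's id grants that customer's documents.
    return 200 if owner == customer else 403


# Hardened version: the cookie carries only an unguessable session token plus
# an HMAC tag; the customer id is looked up server-side and never trusted
# from the client. SECRET is a constructed per-process key.
SECRET = secrets.token_bytes(32)
SESSIONS = {}  # session token -> customer id (server-side only)


def _sign(token):
    return hmac.new(SECRET, token.encode(), hashlib.sha256).hexdigest()


def login(customer):
    """Create a session and return the cookie dict the server would set."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer
    return {"session": token + "." + _sign(token)}


def current_customer(cookies):
    """Return the customer bound to a valid, untampered session cookie."""
    token, _, tag = cookies.get("session", "").rpartition(".")
    if not token or not hmac.compare_digest(tag.encode(), _sign(token).encode()):
        return None  # missing, malformed or tampered cookie
    return SESSIONS.get(token)


def hardened_download(cookies, doc_id):
    customer = current_customer(cookies)
    if customer is None:
        return 401
    owner = DOCUMENTS.get(doc_id)
    if owner is None:
        return 404
    return 200 if owner == customer else 403  # enforced server-side
```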

Newman blames a lot of the failings on the pressures of the retail environment and on developers charged with getting functionality online in time to meet demand, rather than when it is ready.

"I used to be a developer and I used to make the same mistakes they do," said Newman.

Newman said a lot of the time "they're getting things out there as quickly as they can" without regard for security.

"Some websites are just bulging at the seams," said Newman, referring to the multitude of security weaknesses just waiting to be exploited in the ecommerce sector.

Firebox.com is one online retailer happy to talk about its penetration testing. A spokeswoman for the firm confirmed it continually tests its perimeters and is pleased with the results of such vigilance.

"Our IT team regularly check all of our security and always start with anywhere there could be a potential problem and thankfully they have always been pleasantly surprised but you still have to test," said the spokeswoman. "This is our business and if shoppers are going to feel confident shopping online then security is our bread and butter."

But others aren't so responsible and put too much faith in partners and third parties, said Newman.

"I feel bad for a lot of companies who buy products from vendors who know nothing of security," added Newman. But dealing with a third-party vendor does not relieve e-tailers of the responsibility for carrying out their own thorough penetration testing.

Ecommerce sites are facing stricter regulation in the wake of serious security failings.
