Web App Hack Incidents Are Up As Businesses Take Cover - InformationWeek
Software // Information Management
News
4/12/2006
04:19 PM


The trend is especially troublesome for financial services companies trying to expand online banking and investing.

As companies rush to take advantage of the increasing amount of time users spend on the Web to sell them everything from cars to carpeting, malicious hackers are likewise rushing to take advantage of the flawed Web applications that deliver these online services.

Web site hacks are on the rise and pose a greater threat than the broad-based network attacks that have been giving IT departments fits. Whereas attacks against networks disrupt Internet service and negatively impact companies trying to do business over the Web or private networks, attacks against Web applications threaten to steal critical customer, employee, and business partner information stored in applications and databases linked to the Web.

Web hacking attacks numbered 58 in 2005, up from 16 in 2004 and 9 in 2003, according to the Web Application Security Consortium. Another 20 attacks have been reported this year against sites including open-source repository Sourceforge.net and social network MySpace.com, putting 2006 on pace to be the worst year yet.

Why is this happening? Several reasons. One is the prevalence of hacking tools online that can be found simply by using the Google search engine. Another reason is that Web applications aren't typically designed with security in mind, which leaves them open to SQL injection and cross-site scripting attacks that manipulate input entered into an application field in order to get the application to cough up more information than the user has the right to see.

Generally, "People who build Web applications are optimistic people," says Gary McGraw, chief technology officer with Cigital Inc., a maker of risk management software. "They don't consider that someone would try to break their programs."

This trend is particularly disturbing to financial services companies looking to make online banking and investing less expensive and more convenient. Bank of America reported on Tuesday that sales of products via the bank's Web site totaled 3.8 million accounts in 2005, an increase of 69% over the previous year. This included 2.3 million online activations, 380,000 new savings accounts, 375,000 new credit card accounts, and 298,000 new checking accounts. Of course, Bank of America, Washington Mutual, Wells Fargo, and some smaller banks and credit unions earlier this year were forced to shut down PIN-based transactions and reissue debit cards after customer PIN information stored in a retailer's point-of-sale application was stolen.

And don't count on banking customers to fend for themselves. A TD Canada Trust survey of more than 700 consumers found that less than 30% of Web banking users were aware of the terms "phishing" and "Web site spoofing." Most customers believe their bank should be primarily responsible for security measures with respect to online banking.

HSBC Bank will address the increasing threat of fraud caused by stolen data in May when it issues 180,000 strong authentication tokens to UK Business Internet Banking customers. These Digipass GO3 tokens, from Vasco Data Security International Inc., generate a unique one-time password when users log on to their banking accounts via the Web.

No one needs to tell online brokerage firm Scottrade about the value of Web security. The company in November had to notify a number of its clients that their personal information may have been exposed thanks to a data breach found in a partner company's data processing system. The system was running Troy Group Inc.'s eCheck Secure online checking application, which lets users submit data from their checking accounts and have transactions automatically debited without using credit or debit cards.

Scottrade's investigation into the breach is ongoing, but it recently bolstered the security of its Web-based trading systems by placing them behind an Imperva Inc. SecureSphere Web Application Firewall. Imperva's Web application firewall, which is an additional layer of security that can be used along with network and desktop firewalls, reinforces a company's application security policies, which specify the amount and type of data that can be put into any field. While a firewall isn't likely to be as secure as an airtight application, it's quicker than reviewing all of a company's software for security bugs.
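The two defences the article contrasts, the field-level policy a Web application firewall enforces and the "airtight application" that is not vulnerable in the first place, can be seen side by side in a small added example (not code from the article or from any vendor named in it). It illustrates the SQL injection mechanism described earlier, where text typed into a form field changes the meaning of the query, alongside a parameterized query that is immune to it and a per-field length/character policy of the kind the firewall applies; the customer table, field names and policy values are constructed for the illustration.

```python
import re
import sqlite3

# Constructed in-memory customer table standing in for a database linked to the Web.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (username TEXT, account TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [("alice", "ACCT-1001"), ("bob", "ACCT-1002")])
    return db

def lookup_unsafe(db, username):
    # Vulnerable: the field value is pasted straight into the SQL text, so
    # quote characters in the input can rewrite the WHERE clause and return
    # other customers' rows (the flaw the article calls SQL injection).
    sql = "SELECT account FROM customers WHERE username = '%s'" % username
    return sorted(row[0] for row in db.execute(sql))

def lookup_safe(db, username):
    # Hardened: a bound parameter is always treated as data, never as SQL,
    # so the same malformed input simply matches no customer.
    sql = "SELECT account FROM customers WHERE username = ?"
    return sorted(row[0] for row in db.execute(sql, (username,)))

# Field policy of the kind a Web application firewall enforces in front of the
# application: each field declares the maximum length and character class it
# may contain (hypothetical values chosen for this example).
FIELD_POLICY = {"username": (16, re.compile(r"^[A-Za-z0-9_]+$"))}

def field_allowed(field, value):
    # Returns True only when the value fits the declared policy for the field.
    max_len, pattern = FIELD_POLICY[field]
    return len(value) <= max_len and pattern.match(value) is not None
```

The firewall check rejects the malformed input before it reaches the vulnerable query, while the parameterized query stays safe even when no firewall is in place.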

Whether through more secure application programming practices, authentication devices, or firewalls, or all three, Web applications are going to have to become more secure. Otherwise 2006 is likely to be just as bad a year for customer data as 2005 was.
