The Digital Imposter

By Joe Dysart

In the latest twist on identity theft, hackers are clandestinely taking over business Web sites—and then brazenly billing the customers who visit those sites as if the sites are their own.

“Someone messing up your Web site is certainly going to give you a bad day,” says Bill Heffner, marketing director, FEA Industries.  Adds Jordan Lothes, president, Sutherlin Optical: “When it comes to web security, I think there is always more that can be done.”

While any sort of Web site identity theft is alarming, the version that results in a hacker taking command and control of your web site—and ultimately your business dealings—is especially troubling. Under this scenario, hackers find a way to break into your web site, and then take over all the interfaces your lab uses to operate that Web site.

Simultaneously, the hacker also gets access your lab’s accounts payable and receivables software, as well as its email correspondence software. With all the tools in hand to do business as you, the hacker can cut deals with your customers via your Web site, instructing them to wire payments for goods and services to a new bank account—one that is owned and operated by the hacker. 

After a few quick deals, hacker typically vanish—along with all the cash that has been wired to his or her bank account. Ultimately, the victimized business only finds out about the scam weeks or months later, when hordes of angry customers start calling, demanding goods and services that were never delivered.

Perhaps most unsettling about this new spin on cybercrime is that even the most strongly secured web sites—properties that are maintained by technologically sophisticated, multibillion global corporations—are vulnerable. Indeed, IT security researcher Arun Sureshkuma proved that reality with chilling clarity last summer, when he demonstrated how he could hack any Facebook page and take over that page as administrator in less than 10 seconds.

His exercise underscored a hard reality: No business, no matter how seemingly powerful and mighty, is immune to web site identity theft. In fact, more than 75 percent of popular sites on the Web have unpatched vulnerabilities, according to an April 2016 study from Symantec, an IT security firm. And, all told, online fraud (including web site identity theft) is rapidly escalating. Long term, total losses traced to these criminal acts are expected to reach $25.6 billion by 2020, up $10.7 billion from 2015, according to a 2016 study by Juniper Research.

Here’s what Web security experts say you should do to ensure your business is not perceived by thieves as low-hanging fruit:

Bullet-Proof Your Dashboard

Your site’s dashboard—the place where you enter your web site authoring software with an ID and password to make changes and updates—needs to be super secure.

Start with a super-strong ID and password by creating both at Random.org’s Random Password Generator (https://www.random.org/passwords). With this tool, you can create passwords and IDs up to 24 characters long that are extremely tough to crack. And you can add two passwords together if you’re looking for even greater security.

Meanwhile, be sure to have your web site designer add a double-authentication requirement for entry into your site’s dashboard. You can also harden your web site dashboard by limiting access to pre-determined IP addresses only (every computerized device can be assigned a specific IP address by your site designer for identification purposes).

Be Careful About What's Accessible

“I don’t build or manage any websites that contain data that is personal in nature or secretive to the point that its release could be materially harmful to the client,” says Dan Bailey, owner, DanBailey.com (www.danbailey.com), a web site services and marketing firm for wholesale optical businesses.

Get a Free Google Webmaster Account

Offering a plethora of free tools for site owners, Google Webmaster (https://www.google.com/webmasters) can also often detect when your web site has been hacked and will inform you of the hack via your account, according to says Evy Hanson, owner, Leap Online Marketing (http://www.leaponlinemarketing.com), who adds she personally knows of two businesses whose Web sites have been hacked in the past year.

Secure Your Folders

While all web site files and folders should have proper permissions and ownership, this basic step is often overlooked. Ask your web designer to apply these controls. The move can deny attackers the ability to upload malicious files and execute code that can compromise not only your site, but your server as well.

Install a Security Plugin

Fortunately for Wordpress users, there are number of free security plugins, including:

•          iThemes Security (https://wordpress.org/plugins/better-wp-security)

•          Bulletproof Security (https://wordpress.org/plugins/bulletproof-security)

Similar software exists for web sites that use other types of content management systems.

Plus, with Wordpress, users can easily update to the latest, most secured version of the platform. Wordpress has “made progress in allowing their installations to update themselves, or to do so with a single click process,” says Patrick C. Ho, CEO, Rochester Optical (www.rochesteroptical.com). “I hope other web platform vendors follow suit.”

Use HTTPS Protocol

Technically speaking, HTTPS guarantees to your visitors that they’re talking to the server that’s hosting the Web site they’re trying to each. And it guarantees that no one can intercept or change content coming from the web site or transactions between the site and site visitor. 

“Switching your site to HTTPS is also a very good idea,” says Keith Benjamin, director of marketing and Webmaster at Laramy-K Optical. He adds that HTTPS keeps all your data exchanges encrypted, making it much more difficult for hackers to “peek under the hood.”

Auto-scan All Devices

For all devices you’re plugging into your business computer network, have your IT department secure your system with software that automatically scans any devices—such as a flash drive, external hard drive, etc.—for malware any time those devices are attached to your network. And, just in case the worst happens, be sure to keep everything backed-up.

“We have an outside source do a quarterly security evaluation—customer information is important to protect,” notes Ryan Markey, CEO, My Friend’s Lab.■


CURRENT ISSUE


Lab Talk-February/March 2018