The savvy Internet attacker can capture customer data, billing information, and even credit card numbers. Today, it is not at all difficult to imagine a situation in which such an offender is able to intercept online ecommerce transactions in real time and to dynamically replace the account number to which customers are paying for the goods they purchase.
The principle of Internet attacks has remained the same for years. The only changes have been in the context and in the hacking tools used.
Weak access points in website infrastructure can expose company information and trade secrets.
This article does not intend to single out osCommerce. Although in the end a malicious computer worm named ‘Willysy’ was found to have been used by some perpetrator to cause the damage, the true fault really lies with those site and server owners and administrators who had failed to implement proper configuration management practices. That is, they did not routinely acquire, test, and then implement fixes and security updates which had periodically been released for these products and platforms, let alone for the osCommerce software itself. This is a responsibility not to be shrugged off, but a great many Web sites in existence today are maintained by amateur administrators with little experience in the protocols necessary to ensure the security and integrity of business-critical infrastructure, software, databases, and data.
More recent events of Web site break-ins, arson, and general disruption related to the very unpopular Anti-Counterfeiting Trade Agreement (ACTA) initiative have demonstrated that all systems linked to the Web (and the overall Internet) are potentially as full of holes as a brick of Swiss cheese! Each day, large organizations in such industries as banking and public administration, and even countries themselves, fall victim to criminals constantly working to exploit weaknesses in the various technologies of which the World Wide Web is composed. Their crimes are wide-ranging: everything from cracking passwords to stealing credit card numbers from PlayStation users to attacking a country’s industrial facilities (remember the Stuxnet virus attack on Iran?).
Remember that although you may be selling goods, more importantly you are selling trust. As an ecommerce site owner or administrator, you should be in the habit of regularly verifying the overall process of ordering from your website, including checking how client contact details and account numbers are being displayed on the website.