Archive for January, 2017

Tokenization: Benefits For Securing Transaction Data

30 January, 2017

Tokenization is one of the most effective technologies for strengthening digital payment security for customers and e-commerce businesses. It replaces the sensitive card number (the primary account number, or PAN) with a randomly generated surrogate value, the token, which has no exploitable value on its own. The merchant's systems store and pass around the token rather than the card number, so an attacker who intercepts it in transit or steals it from a database obtains nothing that can be used to make a payment or recover the card number.

Businesses that process online financial transactions are required to provide a secure payment processing system to protect customers' data. From pre-authorization through processing to final payment, information should be transmitted only over secure channels. Attackers use increasingly sophisticated tools and techniques to steal transaction data. Tokenization adds a layer of protection that complements PCI DSS compliance: the controls still apply, but far less card data exists to protect.

How Does Tokenization Work?

When an e-commerce business tokenizes payments, the customer's card number is sent over an encrypted channel to a secure, access-controlled server known as the vault. The vault stores the card number and returns a token: a value drawn from a cryptographically secure random source that has no mathematical relationship to the card number, so it cannot be reversed without access to the vault's mapping. Tokens are usually format-preserving (same length, and often the same last four digits, so receipts and customer service still work), and the vault checks that each freshly generated token is unique and cannot pass as a valid card number, so a token can never be mistaken for, or used as, the real account number. Usernames and passwords are protected by other means (password hashing and TLS), not by the payment token vault.

With tokenization, even if cybercriminals intercept tokens in transit or steal them from the merchant's systems, they gain nothing of monetary value: the token reveals nothing about the customer's account and is worthless without the vault.
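The vault round trip described above, as an added illustration (not code from the original article or from any particular tokenization vendor): an in-memory vault that accepts a card number, returns a format-preserving random token that keeps the last four digits and is guaranteed to fail the Luhn check, and maps the token back to the card number only for whoever holds the vault. The 4111 1111 1111 1111 number is the widely published Visa test card number, not a customer's card; the class and function names are this example's own.

```python
import secrets
from typing import Dict, Optional

# Constructed sample input: the widely published Visa test number, not a
# customer's card. It passes the Luhn check like any real PAN.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test that every real card number passes."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    return value.isdigit() and 13 <= len(value) <= 19 and luhn_valid(value)


class TokenVault:
    """Minimal in-memory vault: the only place the PAN <-> token mapping exists.

    A production vault is a separately hosted, access-controlled service that
    stores the mapping encrypted and logs every detokenization; the merchant's
    own systems never call detokenize() at all."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not looks_like_pan(pan):
            raise ValueError("not a well-formed card number")
        existing = self._token_by_pan.get(pan)
        if existing is not None:
            return existing        # same card -> same token, so repeat customers can be recognised
        token = self._new_token(pan)
        while token in self._pan_by_token:   # uniqueness check (collisions are astronomically rare)
            token = self._new_token(pan)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the payment-processor side ever needs the real PAN back."""
        return self._pan_by_token.get(token)

    @staticmethod
    def _new_token(pan: str) -> str:
        """Format-preserving token: same length and same last four digits (for
        receipts and customer service), everything else from a CSPRNG with no
        relationship to the PAN. Candidates that happen to pass the Luhn check
        are rejected, so a token can never pass as, or be used as, a real card
        number."""
        last4 = pan[-4:]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + last4
            if token != pan and not luhn_valid(token):
                return token
```

What the merchant database ends up holding is only the token; a second, empty vault (or a thief with a copy of the merchant's tables) cannot turn it back into a card number, which is the scope-reduction argument made below.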

Benefits Of Using Tokenization For Online Transactions

  • Reduces liability for customer data protection
    Tokenization removes the need to store customers' card details on the merchant's systems or network; only the tokens are kept. This reduces the business's liability for protecting financial data, because the stored values are not the customers' primary account numbers and are useless to a thief. The vault provider now holds the card data, so its security and contractual obligations should be reviewed.
  • Significant saving of time and money associated with PCI compliance
    Ensuring PCI DSS compliance often requires online retailers to make expensive hardware and software upgrades to their payment processing systems, and non-compliance can be costlier still. Because tokenization means the merchant does not hold sensitive card data in the back end, compliance becomes considerably cheaper.
  • Reduces the scope of PCI compliance
    Using tokens in place of encrypted cardholder data reduces the number of systems that store, process or transmit card data and therefore fall within PCI DSS scope. Fewer systems then need penetration testing, vulnerability scanning and quarterly ASV scans. The systems that still touch card data, such as the payment page and the integration with the gateway or vault, remain in scope and still need testing.

We, at Centex Technologies, offer IT security solutions to business firms in Central Texas. For more information, you can call us at (855) 375 – 9654.

Pharming Attacks: What Are They And How To Protect Yourself

23 January, 2017

Pharming attacks are network-based intrusions in which visitors to a target website are redirected to a web server controlled by the attacker. Unlike phishing, the victim does nothing wrong: he clicks a legitimate link or types the correct URL in the browser's address bar and is still taken to a fake portal that looks like the one he intended to visit. The attack may then trick the user into entering his username, password or other personal information on the fake site. At times, simply visiting the site may compromise the security of the system.

How Are Pharming Attacks Carried Out?

The hackers mainly use the following two methods for carrying out a pharming attack:

DNS Cache Poisoning

In this type of pharming attack, the attacker poisons the DNS server's cache (or compromises the server itself) so that it records a wrong IP address for the legitimate website. Now, when the user types 'www.abc.com', his computer queries the DNS server, which returns the IP address of the attacker's bogus server instead of the real one. The address bar still shows 'www.abc.com', so the user believes the website to be genuine and continues browsing.

Resolvers cache answers for the lifetime (TTL) of the record so that later lookups are faster. A poisoned answer therefore persists until it expires or the cache is flushed, and every user of that resolver is repeatedly routed to the fake website, even though they type the correct URL.

Hosts File Modification

The hosts file is a plain text file that the operating system consults before it queries DNS; it maps IP addresses to hostnames (/etc/hosts on Linux and macOS, C:\Windows\System32\drivers\etc\hosts on Windows). A pharming attack may modify the hosts file on a user's computer using malicious code delivered by email. The user is then redirected to a fake website when he types the URL or clicks an affected bookmark, because the operating system never asks DNS for that name.
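Because the hosts file is consulted before DNS, one practical check is to audit it for public names pinned to routable addresses. The following is an added example (not from the original article): it parses hosts-file text and flags entries whose target is neither the local machine, the 0.0.0.0 sinkhole, a link-local address, nor a private range. The sample file content, the example-bank.com names and the 203.0.113.45 address are constructed placeholders (documentation address space), not a real bank or server.

```python
import ipaddress
import sys
from typing import List, Tuple, Union

# Constructed sample hosts file for this example. The loopback, ::1 and
# 0.0.0.0 (sinkhole) lines are normal; the last line is the kind of entry a
# pharming infection adds. example-bank.com / 203.0.113.45 are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost ip6-localhost
127.0.1.1       my-laptop
0.0.0.0         ads.tracker.example          # ad-blocker sinkhole, harmless
203.0.113.45    www.example-bank.com online.example-bank.com
"""

# Targets a hosts entry may legitimately point at besides the machine itself:
# RFC 1918 and IPv6 ULA ranges used for intranet names.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Parse hosts-file text into (address, [hostnames]) pairs.

    Comments (everything after '#') and blank lines are ignored, as the
    operating system's resolver does."""
    entries: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries


def is_local_target(ip: IPAddress) -> bool:
    """Loopback, the 0.0.0.0 / :: sinkhole, link-local and private ranges."""
    if ip.is_loopback or ip.is_unspecified or ip.is_link_local:
        return True
    return any(ip in net for net in LOCAL_NETS)


def suspicious_entries(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, address) pairs where a name is pinned to a routable,
    non-local address. Such an entry silently overrides DNS for that name and
    is exactly what hosts-file pharming looks like; legitimate reasons for it
    (developer overrides) are rare enough that each one deserves a look."""
    flagged: List[Tuple[str, str]] = []
    for addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # not an address; the resolver would ignore this line too
        if is_local_target(ip):
            continue
        flagged.extend((name.lower(), addr) for name in names)
    return flagged


def hosts_path() -> str:
    """Location of the live hosts file on this platform."""
    if sys.platform.startswith("win"):
        return r"C:\Windows\System32\drivers\etc\hosts"
    return "/etc/hosts"


if __name__ == "__main__":
    # Audit the real hosts file when run directly; fall back to the sample
    # content if the file cannot be read.
    try:
        with open(hosts_path(), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS
    hits = suspicious_entries(text)
    for name, addr in hits:
        print(f"SUSPICIOUS: {name} -> {addr}")
    if not hits:
        print("no suspicious hosts entries")
```

Run it on a machine suspected of infection and on a known-clean one; a clean hosts file produces no output beyond the loopback entries it never flags. The same logic belongs in an endpoint monitoring script, which should also alert on any change to the file's modification time.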

Tips To Prevent Pharming Attacks

  • Keep the operating system and installed applications up to date. Updates fix known security vulnerabilities, including the ones used to drop malware that modifies the hosts file.
  • Check the domain name in the address bar for misspellings. Attackers may redirect you to a fake website with a similar URL; for instance, traffic intended for 'www.abc-xyz.com' may end up at 'www.abcxyz.com' or 'www.abc.xyz.com'. In a true pharming attack, however, the name shown is the correct one, so this check alone is not enough.
  • Before entering personal or sensitive information, make sure the URL uses 'https' rather than 'http' and verify the site's certificate. An attacker who has redirected you by DNS poisoning or a hosts-file change cannot present a valid certificate for the real domain name, so the browser will warn that the certificate is untrusted or does not match the site. Never click through such a warning on a banking or shopping site.

For more information on pharming attacks, you can contact Centex Technologies at (855) 375 – 9654.

Application Security Testing Checklist

16 January, 2017

Web applications have given businesses a convenient way to offer better services to their customers. However, security is one of the biggest concerns while developing an app, as even a minor vulnerability can give an attacker the foothold needed for a malicious attack. It is important to follow a structured testing procedure throughout the development process: an in-depth analysis that identifies the technical flaws and security vulnerabilities in the app and fixes them, so that the app adequately protects important data while serving its intended function.

Given below is a checklist of the key areas in application security testing:

Threat Modeling

Threat modeling is the first and most crucial step in testing a web application's security. It involves analyzing the application piece by piece to map its entry points, trust boundaries and data flows, and to identify where and how an attacker could do damage. Threat modeling also includes ranking the identified threats by severity and devising suitable countermeasures for each; the result then drives the rest of the testing.

User Authentication

A proper authentication mechanism reduces the risk of brute-force attacks by making sure that only authorized users and systems gain access. Verify that the account lock-out mechanism works and triggers after repeated failed login attempts, and that the application responds in the same way to a wrong password and to a non-existent username, so that valid usernames cannot be enumerated. Test by entering wrong username and password combinations until the account locks, then confirm that the correct password is also rejected for the duration of the lock-out.

Access To Application

After the application has authenticated the user, the next thing to determine is what data he can and cannot access. Excessive privileges pose a risk of data breach. Create multiple user accounts with different access rights, log in with each and try to reach every module, screen, form and menu, including by requesting URLs and record identifiers that belong to another user directly rather than only through the links the interface shows. Any access that succeeds when it should not must be corrected immediately.

Session Management

Session hijacking attacks are common against web applications. Attackers may attempt to steal the cookie of an already authenticated session to take over the user's access rights, or may passively capture login credentials in transit. To protect users, make sure that cookies contain no sensitive information; that session IDs are unique, generated from a cryptographically secure random source and long enough that they cannot be guessed; that a new session ID is issued after the user authenticates, so an ID set before login cannot be reused to hijack the session; that sessions expire and are invalidated server-side on logout; and that session cookies are marked Secure and HttpOnly and only ever sent over HTTPS.
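To show what the authentication and session-management checks above are looking for, here is an added example of the server-side behaviour under test (it is this page's illustration, not code from any framework or from the original article): an in-memory login service with a lock-out after repeated failures, identical responses and comparable timing for unknown users, and a fresh, random session ID issued after authentication so that a pre-login ID cannot be reused. The MAX_FAILURES and LOCKOUT_SECONDS values, the class names and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Policy values assumed for this example; real values come from the
# application's security requirements.
MAX_FAILURES = 5              # failed logins before the account locks
LOCKOUT_SECONDS = 15 * 60     # how long the lock lasts
PBKDF2_ROUNDS = 100_000
DUMMY_SALT = b"\x00" * 16     # so unknown usernames cost the same time as real ones


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


class AuthService:
    """Login with lock-out, plus session handling that defeats fixation.

    Sessions are kept server-side: the cookie value is only an opaque random
    ID, never the username or any other data. The clock is injectable so the
    lock-out can be tested without waiting. The cookie carrying the ID should
    be set with Secure, HttpOnly and SameSite attributes by the web layer."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._accounts: Dict[str, Account] = {}
        self._sessions: Dict[str, Optional[str]] = {}   # session id -> username (None before login)
        self._clock = clock

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[username] = Account(salt, hash_password(password, salt))

    def new_anonymous_session(self) -> str:
        """Session issued before login (shopping basket and the like)."""
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._sessions[sid] = None
        return sid

    def is_locked(self, username: str) -> bool:
        acct = self._accounts.get(username)
        return acct is not None and acct.locked_until > self._clock()

    def login(self, username: str, password: str,
              presented_sid: Optional[str] = None) -> Optional[str]:
        """Return a fresh authenticated session ID, or None on any failure.

        Wrong password, unknown user and locked account all yield the same
        result and comparable timing, so usernames cannot be enumerated."""
        now = self._clock()
        acct = self._accounts.get(username)
        if acct is None:
            hash_password(password, DUMMY_SALT)  # burn the same time as a real check
            return None
        if acct.locked_until > now:
            return None
        if acct.locked_until:                    # a past lock has expired: count afresh
            acct.failures, acct.locked_until = 0, 0.0
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
            return None
        acct.failures = 0
        # Session fixation defence: whatever ID the client presented before
        # authenticating is discarded and a brand-new one is issued.
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    def user_for_session(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid)

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)            # invalidate server-side, not just clear the cookie
```

The tester's procedure from the checklist maps directly onto this: repeat wrong passwords until `is_locked()` is true, confirm the correct password is then refused, and compare the session ID before and after login; if the ID is unchanged, the application is vulnerable to session fixation.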

Contact Centex Technologies for more information on application security testing. We can be reached at (855) 375 – 9654.

Security Risks Of Typosquatting

10 January, 2017

Typosquatting, also referred to as URL hijacking, is a type of cybersquatting in which the attacker registers domain names that are common misspellings of a website's URL. When a user makes a typographical error, such as typing 'g' instead of 'h' because the two keys are adjacent on the keyboard, he lands on a website controlled by the attacker instead of the one he intended.

Cybercriminals often create bogus websites with a design and layout similar to the target website, so that visitors do not realize they have landed somewhere else. At times, typosquatting is intended merely to promote a competitor's product or service but, in most cases, it serves a malicious purpose.

Typosquatting attacks may be aimed at:

  • Deceiving unsuspecting victims into revealing personally identifiable information, such as usernames, passwords, social security numbers, bank account and credit card details. This may be done by pushing users to click on a pop-up advertisement that offers some sort of discount or giveaway.
  • Tricking users into downloading spyware, malware or other malicious programs onto the computer. Once installed, the program may breach your network security, steal important data or record keystrokes.
  • Redirecting web traffic to a dating portal or a competitor's website.
  • Freezing the user's web browser as part of a fake tech support scam that demands money to "fix" the problem.
  • Earning revenue from clicks on advertisements placed on the typosquat website.

How To Protect Against Typosquatting?

  • Be careful while typing a website's URL in the browser's address bar. If you are not sure of the spelling, check it on a search engine rather than guessing, to avoid inadvertently landing on a fake website.
  • Do not open links sent in emails, particularly from unknown senders.
  • Bookmark the websites you visit most frequently and use the bookmarks rather than retyping the address.
  • Use comprehensive security software that protects against phishing attempts, spyware and malware.
  • Do not use the same password on all websites. This way, if you accidentally reveal your credentials on one website, it won't affect the security of your other online accounts.
  • Business owners can register common misspellings and alternative top-level domains of their primary domain and redirect them to the real site, so that those names cannot be taken by a typosquatter.
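For the last tip, and for monitoring, a defender needs the list of misspellings that matter. The following added example (not code from the original article) generates the typosquat candidates for a domain, covering dropped, doubled, swapped and adjacent-key letters, a dropped hyphen, a missing dot after 'www' and wrong or truncated top-level domains, and matches them against names observed elsewhere. The domain names used and the COMMON_TLDS list are assumptions made for illustration.

```python
from typing import Iterable, List, Set

# QWERTY neighbours for the fat-finger substitution described above
# (hitting 'g' instead of 'h', and so on).
ADJACENT = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "wedxza", "d": "erfcxs", "f": "rtgvcd", "g": "tyhbvf",
    "h": "yujnbg", "j": "uikmnh", "k": "iolmj", "l": "opk",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}
# TLDs users most often substitute for one another; extend to suit the brand.
COMMON_TLDS = ("com", "net", "org", "co", "info")


def typo_variants(domain: str) -> Set[str]:
    """Generate the misspellings of `domain` a typosquatter would register.

    Covers the classes seen in practice: dropped letter, swapped neighbours,
    doubled letter, adjacent-key substitution, dropped hyphen, missing dot
    after 'www', and wrong or truncated TLD. The real domain itself is never
    included."""
    name, _, tld = domain.lower().rpartition(".")
    if not name or not tld:
        raise ValueError("expected a registrable name such as example.com")
    labels: Set[str] = set()
    for i in range(len(name)):
        labels.add(name[:i] + name[i + 1:])                   # omission: exmple
        labels.add(name[:i] + name[i] + name[i:])             # doubling: exaample
        for key in ADJACENT.get(name[i], ""):
            labels.add(name[:i] + key + name[i + 1:])         # fat finger: examplr
    for i in range(len(name) - 1):
        labels.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition: exampel
    labels.add(name.replace("-", ""))                         # abc-xyz -> abcxyz
    labels.add("www" + name)                                  # wwwexample.com
    result = {f"{lab}.{tld}" for lab in labels
              if lab and lab != name and not lab.startswith("-") and not lab.endswith("-")}
    result.update(f"{name}.{t}" for t in COMMON_TLDS if t != tld)   # example.net
    for i in range(len(tld)):
        short = tld[:i] + tld[i + 1:]
        if len(short) >= 2:
            result.add(f"{name}.{short}")                     # example.cm
    return result


def flag_lookalikes(domain: str, observed: Iterable[str]) -> List[str]:
    """Return the observed names (from DNS logs, referrer headers, certificate
    transparency feeds and the like) that are typo variants of `domain`."""
    variants = typo_variants(domain)
    return sorted({o.lower().rstrip(".") for o in observed} & variants)
```

The set for a seven-letter name runs to a few hundred candidates; a business registers the highest-risk ones (adjacent-key and transposition errors, the common TLD swaps) and feeds the rest to `flag_lookalikes()` against newly registered domains or certificate-transparency logs, so a squat is noticed before customers start arriving at it.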

For more details about the security risks of typosquatting and how to guard against them, feel free to contact Centex Technologies at (855) 375 – 9654.
