I've had a few conversations with some friends in the industry around something that's been troubling me lately. Nothing annoys me more than a web site or eCommerce application giving its users a false sense of security. Caleb Sima (founder of SPIDynamics and noted Web App security expert) and I had this very same conversation around GameFly.com a few months ago, and I finally decided to write about it after some more research to get my facts straight.
When you hit an eCommerce site, one that wants to sell you something and take your personal and credit card information, you will see at least one of the following two logos -
It's a bold claim to say that a site is "Hacker Safe", especially when a recent hack proves that some of these sites are anything but. Maybe ScanAlert should change the logo to say "Hacker Resistant" and quit flat-out lying to people. Here is the latest proof, from InformationWeek, that "Hacker Safe" obviously isn't. How exactly are they claiming that the site is Hacker Safe? Or does it mean that the site is "safe for hackers"?

Take a look at ScanAlert's "How it Works" page. It disturbs me that the only claim on this page isn't that your site will be secure, but that this little logo will get people to spend money on your site. It's not until you dig a little deeper into their site (starting with this page) that you get a sense of what this logo really means. From the literature, it's an over-glorified automated scanning engine. I wonder if they use their own tools, or simply "re-used" something like WebInspect or AppScan. As just about anyone with experience in the application security sector can tell you, finding web vulnerabilities is a much deeper and more arduous task than running an automated crawler/scanner: a scanner finds the patterns it was written to find, and it misses business-logic flaws, authorization bugs, and anything it cannot reach behind a login or a multi-step checkout. I will go on record as saying that if the "Hacker Safe" scanning tool is the only security a web site uses, they are in a world of trouble. If you read ScanAlert's marketing page on the guts of their "Hacker Safe" service (this page), you can basically take away the following points:
- You comply with an alphabet-soup of standards put out by VISA, AMEX, and others
- Some automated scanning tool will scan your IP blocks and 'discover' your vulnerabilities
- Some measure of 'manual testing' is involved to detect your vulnerabilities
- Your logo ("Hacker Safe") is served up by Akamai, the fastest content network on the planet
Does any of this mean you're actually "Hacker Safe"? Of course not. I would argue that this service is weak at best, and at worst puts a false sense of security into the minds of the unknowing end users who visit these sites. Making an outrageous claim like "Hacker Safe" is akin to saying "Yes, your system is secure", when we all know the only way that can happen is with all cables (network, power) cut and the data destroyed with an atom smasher. I am really annoyed with ScanAlert making these outrageous claims, and with vendors jumping on this bandwagon to flat-out lie to the people who hit these sites. At the very least ScanAlert should change that logo and program to say "Hacker Resistant" - if they have any integrity whatsoever.
VeriSign, on the other hand, has a proven track record and doesn't make these idiotic claims that they protect your site from hackers. VeriSign is indeed, as far as research and investigation can tell me, one of those rare companies that has not been infiltrated or hacked. In fact, VeriSign's entire business model revolves around certificates and trust. Basically VeriSign sells trust, much like ScanAlert, but doesn't go to any outrageous (and obviously false) lengths to make these claims. One reason may be that VeriSign is an established, long-time veteran of the IT space, and is as old as eCommerce itself. I would guess (and I'm no marketing genius here) that a good product with a good reputation speaks for itself with a subtle logo and a grounded claim. While I have my issues with the whole claim that the little gold lock in your browser secures you from any real threat, at least it's a proven technology that does not make the media when it gets proven obviously weak.
Allow me to elaborate on my issue with the claim that the "gold lock" in the bottom-right corner of your browser, which tells you you're using SSL, actually protects you from "hackers". On-the-wire encryption prevents someone from capturing your packets and decoding the stream to reveal your information, but it does nothing at either end of the conversation: a SQL injection or session-handling flaw in the application behind the lock is exactly as exploitable over an encrypted connection as over a plain one, and a compromised PC hands over your card number before it is ever encrypted. Further, this only addresses data in motion, and even that can be (as has been proven over and over) effectively broken with man-in-the-middle attacks against users who click through a certificate warning without understanding what it means. The VeriSign Secured logo doesn't give me the warm and fuzzies either when I am about to buy something on a web site, but at least I can have a degree of trust in the claim being made (even if it is a stretch) because of the proven track record.
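To make the "nothing at either end" point concrete, here is an added example (not code from the original post, and not anything from ScanAlert or VeriSign) of the kind of server-side flaw that a perfectly encrypted channel carries straight through: a login check that builds its SQL by string concatenation, beside the parameterised version. The `users` table and its two rows are constructed sample data, and `login_vulnerable`/`login_fixed` are hypothetical names chosen for the example. The attacker's request travels over SSL just like the legitimate one; the encryption simply delivers the injection intact.

```python
import sqlite3


def make_db():
    """Constructed sample account store standing in for an eCommerce site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting: user input becomes part of the SQL."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Parameterised query: input is bound as data and cannot change the statement."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both versions against valid credentials and against a classic bypass.

    Returns ((vuln_good, fixed_good), (vuln_bypass, fixed_bypass)).
    """
    conn = make_db()

    # Legitimate credentials: both versions authenticate alice.
    good = (
        login_vulnerable(conn, "alice", "s3cret"),
        login_fixed(conn, "alice", "s3cret"),
    )

    # Injected username closes the string literal and comments out the password
    # check (SQLite treats "--" as a line comment). The resulting statement is
    #   SELECT username FROM users WHERE username = 'alice'--' AND password = 'wrong'
    payload_user = "alice'--"
    bypass = (
        login_vulnerable(conn, payload_user, "wrong"),  # alice, no password needed
        login_fixed(conn, payload_user, "wrong"),       # None: literal "alice'--" matches nobody
    )
    return good, bypass


if __name__ == "__main__":
    (vg, fg), (vb, fb) = demo()
    print("valid creds   -> vulnerable: %r, fixed: %r" % (vg, fg))
    print("injected user -> vulnerable: %r, fixed: %r" % (vb, fb))
```

Nothing in the transport layer could distinguish the two requests; the difference between a compromised account database and a failed login lives entirely in the application code, which is exactly what a certificate, a gold lock, or a logo served from a CDN says nothing about.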
So what's the bottom-line here? I give my friends and family advice as follows:
If you see the "Hacker Safe" logo, avoid the site: they are most likely security lackeys, using the logo as a marketing ploy more than a security posture. The "VeriSign Secured" logo is a staple in eCommerce; if you don't see it somewhere, or at least see the gold lock in the corner of your browser, leave the site quickly and don't give it any personal information. True security is a track record of proven hacker-resistant eCommerce applications and no flashy marketing gimmicks, in my humble opinion.
As a final thought: there are few things worse and less excusable than companies without an adequate and proven security strategy, but putting a false sense of security on your site as its front-page marketing logo is definitely one of them. Shame on you, ScanAlert, for your blatant marketeering. Maybe I could respect the service if the web site were less marketing fluff and more actual substance and security information. Furthermore, shame on anyone, or any company, that uses marketing fluff in place of actual strong security to "extort" your customers.
Read more on the latest "HackerSafe" hack -