Categories
Articles Marketing News Social Media Social Media Technology Web Security

Exposing SnapDeal.com: India’s largest Online Shopping platform is unsafe and vulnerable to theft

Indian e-commerce is growing at an incredibly frantic pace. Tons of new e-commerce sites are mushrooming in a variety of verticals spanning electronics, books, gift items, vitamin supplements, foreign imports and so on.

Unfortunately, awareness among Indian customers and e-commerce site owners of the risks of online scams, phishing and the like remains worryingly low.

SSL Security is one basic step that every e-commerce site must take at the very minimum. Doing so will at least ensure that transactions between an e-commerce site and its customers remain private. This is critically important in India, especially because a large portion of the population there uses shared internet (i.e. cyber cafes).

It has come to our attention that a very famous site, SnapDeal.com, which is essentially India’s Amazon, has not been using SSL properly at all. Just imagine one of the largest shopping sites in the entire country, with over 1.2 billion customers, transferring confidential details such as address, email, phone number, credit card and online banking details in plain text! To say that we were shocked would be a vast understatement. Just take a look at the screenshots that follow as proof:

Why can SnapDeal.com not be trusted with security?

  • They don’t have “HTTPS” or an “SSL Certificate” installed on their website.

SnapDeal does not have “HTTPS” or an SSL certificate installed on their website.

  • They rely on a slogan, “100% secure shopping guarantee”, to gain users’ trust. A website simply cannot be secure without “HTTPS” (an “SSL certificate”) installed; any other claim of security is an indication of an online scam or fraud.

Online shopping Platform SnapDeal is not secure.

  • Even visitors know they should only enter credit card information on a secure page, something that can easily be identified by the LOCK symbol in the frame, status or address bar of a trusted browser. Just by gathering users’ credit card information on insecure payment processing pages, SnapDeal.com is putting their users’ private information at extreme risk. How can they say they are secure and don’t store credit card details without using “HTTPS” or “SSL Certificate” security?

Credit Card information is not safe on SnapDeal.com

Finally, we confirm without a single doubt that Snapdeal.com, one of India’s largest e-commerce platforms, simply doesn’t care about user safety on the web. They have been displaying a Trust Pay logo everywhere on their website; however, Trust Pay is not a security authority. It is actually what is known as a Financial Conduct Authority, which only deals with payment processing and has no responsibility whatsoever for web page security.

As you can see, this is one giant disaster waiting to happen. Just imagine what could happen if a fraudulent site called “SnopDeal.com” popped up, perfectly imitating the website design and all their products in order to lure customers into a huge phishing SCAM!

How can they secure their business and their users’ information with an SSL certificate?

Conclusion:

In today’s world, where sensitive information so routinely traverses what is known as the internet superhighway, SSL certificates have become an increasingly crucial part of e-commerce. It is for that very reason that one should never hesitate to make the online business experience a much safer and more secure one for users on the web with an SSL certificate.

Update: This write-up has been edited following SnapDeal’s official response, which reads:

We totally understand the concern that a customer would have in making a purchase online. As we promise, we ensure secure shopping for all our customers. No financial data is gathered without a secure layer transaction. The iframe that gathers financial data is completely secure and is posted through an HTTPS URL, as you can notice in the screenshot here: http://bit.ly/Secureshopping

Also, please note that Trustpay has always been a promise to protect customers with a 100% money-back guarantee if there is an issue with product quality, size or delivery.

Once again, we would like to highlight that 100% secure shopping is being ensured through secure payment gateways implementing SSL for all financial transactions. Hope this clarifies your concern and we would be glad to answer any further queries you might have.

Update 2: Mr. Jim Armstrong, Founder and CEO, RapidSSLonline responds:

Snapdeal: Certainly, if you gather data through an HTTPS iframe within a page served over HTTP, then it will not assure users that they are dealing with a secure page. Such an iframe can be hijacked or altered by a simple attack such as an iframe injection, and such attacks can be carried out through a virus, a Trojan, or visiting a malicious website.

Here is the related discussion at http://security.stackexchange.com/questions/894/are-there-security-issues-with-embedding-an-https-iframe-on-an-http-page
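As an added example (not from the post, and not SnapDeal’s or RapidSSLonline’s code), the following Python audit applies the point above to a checkout page: it flags card or password fields on a page served over HTTP, an HTTPS payment iframe embedded in an HTTP parent (the parent can be altered to swap the frame), and forms that post to HTTP. The HTML and URLs below are constructed samples, not SnapDeal’s markup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field-name fragments treated as sensitive (constructed list; extend as needed).
SENSITIVE = ("password", "card", "cvv", "cvc", "expiry")


class CheckoutAuditor(HTMLParser):
    """Collects forms (with their sensitive inputs) and iframes from a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []      # each: {"action": absolute URL, "fields": [names]}
        self.iframes = []    # absolute iframe src URLs
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""), "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            if a.get("type") == "password" or any(k in name for k in SENSITIVE):
                self._current["fields"].append(name or "password")
        elif tag == "iframe":
            self.iframes.append(urljoin(self.page_url, a.get("src") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_checkout(page_url, html):
    """Return a list of findings; an empty list means nothing was flagged."""
    p = CheckoutAuditor(page_url)
    p.feed(html)
    parent = urlparse(page_url).scheme
    findings = []
    for f in p.forms:
        if f["fields"] and parent != "https":
            findings.append(f"sensitive fields {f['fields']} on a page served over {parent}")
        if f["fields"] and urlparse(f["action"]).scheme != "https":
            findings.append(f"form posts {f['fields']} to non-HTTPS action {f['action']}")
    for src in p.iframes:
        if parent != "https" and urlparse(src).scheme == "https":
            findings.append(f"HTTPS iframe {src} inside an HTTP parent; the parent can be altered to swap the frame")
    return findings


# Constructed sample: an HTTP checkout page hosting an HTTPS payment iframe.
SAMPLE_URL = "http://shop.example/checkout"
SAMPLE_HTML = """<html><body><p>100% secure shopping guarantee</p>
<form action="/address" method="post"><input name="email"><input name="phone"></form>
<iframe src="https://pay.example.net/card-form"></iframe></body></html>"""

if __name__ == "__main__":
    for finding in audit_checkout(SAMPLE_URL, SAMPLE_HTML):
        print("FLAG:", finding)
```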

Disclaimer: The views expressed, and any inferences drawn herein are those of the author alone, and do not necessarily represent the policies, positions, strategies or opinions of DailyHostNews.


An Infographic: How Secure is Your Website When Compared to Your PC?

Internet usage and web security go hand in hand. With the exponential growth of Internet traffic over the last decade, online security threats have grown by leaps and bounds too, and the recent flurry of WordPress attacks is a testament to it.

The number of online accounts that get compromised on a daily basis clearly indicates that the great majority of website owners aren’t particularly cautious about their website’s security.

Web hosting provider HeartInternet recently conducted a survey of small business website owners and home PC users to determine whether people take their website security as seriously as their PC security.

Predictably, the answer is no! The survey reveals that only 65% of small business website owners have anti-virus software installed on their computers, a stark contrast to the 96% of home PC users who have proper security set-ups in place.

The statistics are equally embarrassing when it comes to use of secure passwords, revealing that only half of small business websites protect their sensitive data with strong passwords, compared to 75% of the home users.

Now, you don’t like wading through boring statistics, do you? The other key findings of the research are presented in this good old 90s-gaming-themed infographic, wrapped up with helpful tips to help you protect yourself against hacking and online fraud.


What is a Multi Domain EV SSL Certificate?

Maintaining a high level of online trust and security in compliance with industry-wide security regulations can be a daunting task for organizations, as it requires timely updates to the IT security infrastructure, which are sometimes very expensive. Keeping a sense of trust and security intact in the minds of website visitors while at the same time keeping expenditure within manageable limits is thus a herculean task. This is where a Multi Domain EV SSL security certificate comes in.

A Multi Domain EV SSL security certificate is a ‘best of both worlds’ product: it provides stringent authentication on a par with the industry-standard EV SSL (Extended Validation) certificate, and it can package multiple domains, thereby effectively cutting down costs for the buyer. For example, a single EV SSL MDC can secure domainA.com, domainB.com, secure.domainA.com, login.domainB.com and anydomainunderthesky.any-tld. The most important thing to note here is that an EV Multi Domain SSL certificate covering all five of these domains will cost significantly less than five separate security certificates for the same five domains.

A Multi Domain EV SSL certificate also saves a lot of time: even though each domain has to go through the domain authentication process separately, the identity of the website owner has to be authenticated only once. This makes it the perfect security solution for small and medium-scale businesses looking to secure their online transactions.
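An added example (not from the article or any certificate authority) that makes the coverage rule concrete: a multi-domain certificate protects exactly the names listed in its Subject Alternative Name extension, so domainA.com does not cover secure.domainA.com unless that name is listed too. The Python below checks a required host list against a certificate’s SAN entries in the tuple form Python’s ssl.getpeercert() returns, and builds the openssl subjectAltName value for a new request; the SAN list is constructed from the five names above. The wildcard branch follows RFC 6125 (left-most label only) and exists for ordinary SAN certificates, since EV certificates cannot contain wildcard names.

```python
def san_covers(san_name, hostname):
    """Does one dNSName entry match the hostname? Exact match, or a wildcard that
    replaces only the left-most label (RFC 6125 style); no partial-label wildcards."""
    san_name = san_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in san_name:
        return san_name == hostname
    san_labels, host_labels = san_name.split("."), hostname.split(".")
    if san_labels[0] != "*" or len(san_labels) < 3 or len(san_labels) != len(host_labels):
        return False
    return san_labels[1:] == host_labels[1:]


def uncovered_hosts(cert_sans, required_hosts):
    """Return the required hostnames that no dNSName entry in the certificate covers.
    cert_sans: list of (type, value) tuples as in ssl.getpeercert()['subjectAltName']."""
    dns_names = [value for kind, value in cert_sans if kind == "DNS"]
    return [h for h in required_hosts if not any(san_covers(n, h) for n in dns_names)]


def subject_alt_name_line(hosts):
    """Value for the openssl 'subjectAltName' extension when requesting a multi-domain cert."""
    return ",".join(f"DNS:{h}" for h in hosts)


# Constructed SAN list modelled on the five names in the article (not a real certificate).
CERT_SANS = [
    ("DNS", "domainA.com"),
    ("DNS", "domainB.com"),
    ("DNS", "secure.domainA.com"),
    ("DNS", "login.domainB.com"),
    ("DNS", "anydomainunderthesky.any-tld"),
]

if __name__ == "__main__":
    needed = ["domainA.com", "secure.domainA.com", "www.domainA.com", "shop.domainB.com"]
    missing = uncovered_hosts(CERT_SANS, needed)
    print("not covered by the certificate:", missing)
    print("request these as:", subject_alt_name_line(needed))
```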

How do I choose the best Multi Domain EV SSL certificate for me?
Like every other security solution, the selection of the Multi Domain EV SSL certificate best suited to you depends on a number of factors, such as price, the number of domains needed initially and the flexibility to add new ones during the period covered by the certificate. For example, if you plan to secure only 5 domains now under the Multi Domain EV SSL but anticipate healthy growth of your business and hope to secure 10 domains in a year or so, then you must go for a provider who is flexible about adding new domains under a single certificate and has sales representatives/support available for live chat 24x7. You should also research the provider properly and look for online reviews of their products.

A detailed article on choosing the best SSL provider is here, but these are some vital features one must check while buying a Multi Domain EV SSL security certificate:

  • Security Level: Complete business or organization validation.
  • Encryption Level: The strongest 256-bit SSL encryption.
  • Server License: Unlimited server licenses (without any extra charges).
  • Issuance Speed: Within 1 to 10 working days.
  • Compatibility: 99.99% of the latest web browsers and mobile devices.
  • Assortment: SAN / Multi-Domain / UCC option available.
  • Additional Plus: Order www.domain.com and additionally secure secure.domain.com.

The multiple domain packages offered by SSL certificate authorities differ considerably. For example, GeoTrust offers five additional domains with its starting package and provides an option to add additional domains in increments of five, up to a total of 25. This is completely different from Comodo, which offers only three additional domains with its starting package but gives an option to add up to 100 total domains, one at a time. Every Multi Domain EV SSL certificate package thus has its own pluses and minuses depending on price, difficulty of installation and so on; the key lies in choosing the one which best suits your needs.


Security Vulnerability Found in the RubyonRails framework, Heroku Applications Affected

A serious security vulnerability was found today in the Ruby on Rails framework. This exploit affected nearly all applications running Rails, including Heroku’s.

Ruby on Rails issued a prompt warning and announced that releases 3.2.11, 3.1.10, 3.0.19, and 2.3.15 contained two extremely critical security fixes.

The aforementioned Rails versions were immediately patched and deemed safe from this exploit. Users were advised to upgrade promptly, failing which an attacker could potentially gain access to their application and its data, and run arbitrary code or commands. If you’re one of the concerned users, please check the patched versions below (deemed safe from the exploit) and upgrade immediately.
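As an added example (not Heroku’s script and not the Rails project’s code), a Python check that reads a Gemfile.lock and compares the pinned rails version against the patched releases named above, treating anything older in the same series as affected. The lockfile excerpt is constructed.

```python
import re

# Patched releases named in the article, keyed by series; older versions in a series are affected.
PATCHED = {"3.2": (3, 2, 11), "3.1": (3, 1, 10), "3.0": (3, 0, 19), "2.3": (2, 3, 15)}


def parse_version(text):
    """'3.2.10' -> (3, 2, 10). Non-numeric parts such as 'rc1' are dropped, so a
    pre-release like 3.2.11.rc1 would compare as 3.2.11; treat pre-releases with care."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def rails_version_from_lockfile(lockfile_text):
    """Return the pinned rails version from a Gemfile.lock 'specs' section, or None.
    The digit requirement skips dependency constraints such as 'rails (= 3.2.10)'."""
    m = re.search(r"^\s+rails \((\d[^)]*)\)\s*$", lockfile_text, re.MULTILINE)
    return m.group(1) if m else None


def assessment(version):
    """'patched', 'affected', or 'unknown series' for a rails version string."""
    v = parse_version(version)
    series = ".".join(str(x) for x in v[:2])
    if series not in PATCHED:
        return "unknown series"
    return "patched" if v >= PATCHED[series] else "affected"


# Constructed Gemfile.lock excerpt for an application pinned to a vulnerable release.
SAMPLE_LOCK = """GEM
  remote: https://rubygems.org/
  specs:
    actionpack (3.2.10)
    rails (3.2.10)
      actionmailer (= 3.2.10)
      railties (= 3.2.10)

DEPENDENCIES
  rails (= 3.2.10)
"""

if __name__ == "__main__":
    pinned = rails_version_from_lockfile(SAMPLE_LOCK)
    print(f"rails {pinned}: {assessment(pinned)}")
```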

Heroku was also prompt in taking action and asked its customers to get a full list of their affected Heroku applications by running this script. If a customer found any affected application, they were advised to upgrade immediately and install the patched versions. If you’re a Heroku customer, below are the steps to upgrade:

You can read more about the security fixes by following these links:

Heroku recently resolved a security vulnerability it was alerted to in December that would allow an attacker to change the password of a pre-existing user account and thus gain control of it. Web security has been a vital issue for the industry recently, as EdgeWebHosting partnered with Duo Security to secure remote access by enabling two-factor authentication and SingleHop launched an automated security service for dedicated cloud servers.

About RubyOnRails:
Rails was created in 2003 by David Heinemeier Hansson and has since been extended by the Rails core team, more than 2,100 contributors, and supported by a vibrant ecosystem. To know more, please visit rubyonrails.org.


Heroku Fixes Password Security Issue

Heroku has resolved a security vulnerability it was alerted to in December that would allow an attacker to change the password of a pre-existing user account and thus gain control of it. Web security has been a vital issue for the industry recently, as EdgeWebHosting partnered with Duo Security to secure remote access by enabling two-factor authentication and SingleHop launched an automated security service for dedicated cloud servers.

On December 19, 2012, security researcher Stephen Sclafani notified Heroku of an issue in their account creation system. Using a maliciously crafted HTTP request, an attacker could change the password of a pre-existing Heroku user account, and thus gain control of it. This attack would not disclose the pre-existing password to the attacker.

Instead of persecuting Mr. Sclafani, the person who uncovered the vulnerability, as most companies do, Heroku’s engineering and security staff engaged with Mr. Sclafani and worked with him in a collaborative way to find a solution. They developed and deployed a preliminary patch to production on December 20. While the patch was being deployed, Mr. Sclafani also discovered a related issue in the password reset flow that could be used to reset the passwords of a certain subset of users at random. A preliminary patch for this was also developed and deployed on December 20.

This was followed by a thorough and comprehensive audit of internal logs. No evidence was found that these vulnerabilities were exploited prior to Mr. Sclafani’s research on December 19, either by him or by any other third party. Due to the nature of the vulnerability, any customer whose account was compromised would have found both their existing password and API key invalidated, and would have had to initiate a password reset.

While both Mr. Sclafani and Heroku endeavoured to use test accounts exclusively, a very small number of customer account passwords were reset during the incident. Heroku contacted the impacted customers and advised them to reset their passwords and credentials.

“We are confident in the steps we have taken to protect our customers from this vulnerability and will continue to improve our internal processes in order to provide our customers with a trusted cloud platform,” said Oren Teich, Chief Operating Officer, Heroku. “We would also like to reaffirm our commitment to the security and integrity of our customers’ data and code. Nothing is more important to us.”

On Christmas Eve, Heroku was also affected by the Amazon cloud computing service outage.


Edgewebhosting Partners with Duo Security to Secure Remote Access

Edgewebhosting Inc., a leading provider of mission-critical managed hosting services, announced its partnership with Duo Security on Wednesday to provide a two-factor authentication service. This authentication service provides highly secure remote access to Edge’s managed hosting solutions.

Two-factor authentication is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor (something the user knows), a possession factor (something the user has), and an inherence factor (something the user is). For example, when you visit a local automated teller machine (ATM), one authentication factor is the physical ATM card that you insert into the machine (something the user has). The second factor is the PIN you enter through the keypad (something the user knows). This scenario illustrates the basic concept of most two-factor authentication systems: the combination of a knowledge factor and a possession factor.

Vlad Friedman, CEO of Edgewebhosting Inc, said, “In today’s ever-changing threat landscape, security continues to be one of the primary considerations for every managed hosting environment we implement for our mission-critical customers. As attackers have extended their attack vectors beyond the servers to include client machines, dual-factor identity management is a critical tool to ensure the intended individuals are gaining access to sensitive data. In partnering with Duo, we found a solution that was both effective and easy to use.”

This upgraded security isn’t the only reason behind the partnership. Duo Security also provides enhanced ease of access to clients. It integrates seamlessly with customers’ Cisco VPN solutions and users’ mobile phones. The Duo Mobile smartphone application lets users generate passcodes without the age-old hassles of software and hardware tokens. iPhone and Android users can use Duo Push, which ‘pushes’ login details to the phone, allowing for immediate, single-click approvals. However, having a smartphone isn’t a prerequisite. Users with older devices can get passcodes via text message, or Duo can place a telephone call allowing the user to just press a button on their keypad to authenticate.
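An added example (not Duo’s or Edge’s code) of the knowledge-plus-possession combination described above, using the HOTP passcode scheme of RFC 4226 as the possession factor; that the phone app generates HOTP codes is an assumption made here for illustration. The server stores a password hash and a per-device secret with a counter, accepts a code only within a small look-ahead window, and advances the counter so an intercepted code cannot be replayed. The password and device secret below are constructed; the secret is the RFC 4226 test key.

```python
import hashlib
import hmac
import struct

PBKDF2_ROUNDS = 50_000  # constructed value for the example; tune for production hardware


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    """Server-side record: knowledge factor (password hash) and possession factor (device secret + counter)."""

    def __init__(self, password, device_secret):
        self.salt = b"constructed-per-user-salt"
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self.device_secret = device_secret
        self.counter = 0  # next counter value the server will accept

    def check_password(self, password):
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(cand, self.pw_hash)

    def check_passcode(self, code, look_ahead=5):
        """Accept a code for one of the next look_ahead counters (the phone may have generated
        unused codes), then move past it so the same code is rejected on replay."""
        for c in range(self.counter, self.counter + look_ahead):
            if hmac.compare_digest(hotp(self.device_secret, c), code):
                self.counter = c + 1
                return True
        return False


def login(account, password, code):
    """Both factors must pass. The password is checked first so a wrong password cannot be
    used to burn through the device's counter window."""
    if not account.check_password(password):
        return False
    return account.check_passcode(code)


if __name__ == "__main__":
    device_secret = b"12345678901234567890"  # RFC 4226 test key, constructed for the demo
    acct = Account("correct horse battery staple", device_secret)
    print("phone shows:", hotp(device_secret, 0))
    print("login with both factors:", login(acct, "correct horse battery staple", hotp(device_secret, 0)))
    print("replay of the same code:", login(acct, "correct horse battery staple", hotp(device_secret, 0)))
```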

“Duo is proud to partner with Edge to help protect its customers and, in turn, their customers and employees with strong, usable, and affordable two-factor authentication. Our goal is to make two-factor authentication ubiquitous and available to businesses of all sizes and Edge is leading the way by making two-factor authentication an integrated part of their service to their customers.” said Dug Song, Co-Founder & CEO of Duo Security.

Two-factor authentication is not a new concept and has been used throughout history. Very recently, DropBox, a file sharing service, also adopted two-factor authentication as a security feature after it faced a security breach. So how its implementation in the hosting industry unfolds will be very interesting to watch.

About Edge Web Hosting
An innovative provider specializing in managed hosting solutions, Edge Web Hosting delivers customers 100% uptime with a staff dedicated to 24/7 monitoring. Among the company’s services are cloud, dedicated and cluster hosting, colocation and more. Edge Web Hosting exceeds customer expectations by providing no-surprise pricing, ensuring that monthly bills stay free of unexpected charges. Hosting from the company is compliant with industry standards in the areas of PCI, SSAE 16, SAS70, HIPAA and FISMA. For more information, visit Edge Web Hosting.

About Duo Security
Duo Security makes two-factor authentication radically easy to deploy, use, and manage. Duo empowers any web, IT, or network administrator to easily protect accounts by leveraging their users’ mobile phones for secondary authentication. Every day, over 500 organizations with users in over 80 countries rely on Duo to secure their logins and transactions. For more information, visit Duosecurity.