If it ain’t broke, don’t fix it, right? Wrong. This is the belief system of inexperienced software developers and business owners who are, in some cases rightfully so, worried about what problems any changes may cause. The reality though is that as a business owner, development manager or other, you need to make sure every aspect of software you are running is up to date at all times. Any outdated technologies in use can cause problems, likely have known vulnerabilities and security issues and will ultimately result in a situation whereby you are afraid of making any changes for fear of the entire system imploding on itself.
Ok, now I’ve got that out of the way, I assume you are now also of the belief system that all software needs to be kept up to date at all times without exception. If you are not convinced, then as a developer you need to come to terms with this quickly, or as a business owner you have not been in a situation yet which has resulted in a laissez-faire attitude to software updates costing you tens of thousands of pounds to remedy, much more expensive than pro-active updates and regular maintenance.
The biggest challenge software developers face at the coal face of the build process is the inherent unpredictability of software development. As a business owner or user of a software application, whether that is an online portal of some form, a web application, a mobile app, a website or something in between, what you see as a user is the absolute tip of the iceberg, the icing on the cake and this can paint completely false pictures about the underlying technology.
Anyone who has heard me speak on software development and technologies in the past will have no doubt heard my usual passionate exchange of words along the lines of using the right technology, investing seriously and stop trying to scrimp on costs. The reason I am always talking to businesses about this is not as part of a sales process designed to fleece someone of their hard earned money. No. The reason I talk passionately about this is because when businesses take on board the advice, this saves them a significant amount of money in the long run.
To build leading software products that your business relies on for revenue you need to be using the best underlying technology possible. And here lies the challenge. Any software product or online platform is built using a plethora of individual technologies that are working together seamlessly – at least in well-built systems. Below is just a very small sample of the individual technologies, frameworks, methodologies and systems that are often working together in the background to make a software product function as you experience as the end user.
What this means though is that when something goes wrong, this often starts a chain reaction which impacts the entire system. This is the point when a user often likes to point out that “It doesn’t work” or “This {insert feature here} is broke”. And the reason something doesn’t work is often related to either a poor choice of technology in the first place or some form of incompatibility or conflict between different technologies.
To put this into a metaphor that is easier to digest, imagine an Olympic relay team. Now instead of having 4 people in this team, there were 30-50 people in this team. The team in this analogy is the software with the individual people being the pieces of software and technologies that make the software work. Now picture this. An outdated piece of technology as part of the team is the equivalent of having an athlete from 20 years ago who was once top of their game, but hasn’t trained in the last 20 years. They have put on a lot of weight, their fitness level is virtually zero and they can’t integrate as part of the team and generally have no idea what they should be doing. This is the same thing that happens with technologies. Ask yourself the question, would you really want this person as part of the team if you were relying on them to make your team the winning team at the Olympics? The answer is no. The same applies with software development.
Now to take the analogy one step further. Imagine that every member of the relay team is at a completely different level of fitness and experience. Each member of the team is interacting with different parts of the system, but often not all of the system at once. What this means is that when one of the athletes decides to seriously up their game and improve their performance, i.e. a piece of technology gets updated as part of the system, then this impacts other parts of the system in different ways. The reality of software development is that nothing is as linear as a relay team where person 1 passes the baton to person 2 and so on. The reality of software development is that often various pieces of technology will impact on many other pieces of technology and vice versa and often in a way that you cannot predict until an issue crops up.
So bringing this analogy back to software development in the real world. What this means is that when a new update comes out, for example, an update to the core Apple iOS operating system, on which all mobile applications rely, then this update can cause problems if a key piece of technology is no longer supported for whatever reason. This seemingly small update from version 9.0 to 9.2 for example could actually result in a catastrophic failure which needs to be rectified for the mobile application to continue to work.
Here lies the challenge. As a business owner, IT manager or software developer, you have a choice. To update or not to update. To update leads you down the path of short term pain and costs to enhance the application with the long term benefits of a completely up to date piece of software. To hold off on updating leads you down the path of short term gain of not having to update anything with the long term implications being that over time as more and more technologies are updated your application is getting left in the digital dark ages, meaning that what would have been a simple upgrade previously has now resulted in a situation whereby a full or major rebuild of the application is the only way to go forward to bring the application back into the modern world. Remember the film Demolition Man with Wesley Snipes and Sylvester Stallone, when they stayed frozen in time for 36 years and how much the world had changed around them? If you haven’t seen the film, go and watch the 1993 classic, it will be a well spent 1 hr 55 mins of your time.
The number of interconnecting pieces powering any software product in the background is enormous and without serious planned maintenance and improvements things will start to go wrong, seemingly randomly, but in fact being caused by some form of automatic update somewhere along the line. Just imagine a children’s playground at school if this was left unattended for 12 months with no form of teacher around to keep everything under control. The results would be utter chaos within no time. This is your software project. As a business owner, IT manager or software developer you need a conductor behind your software projects to ensure they are continually maintained and continue to function as you expect. It is a system and just like all systems of nature, they tend to prefer to eventually lead towards a system of chaos rather than order. There is a special branch of mathematics called Chaos Theory which talks about this in great depth should you wish to read into the topic.
As a final summary about the inherent unpredictability of software development. Everything needs to be kept up to date and a continual improvement process and development plan is essential so that your software doesn’t get left behind. A stagnant software product in an ever changing digital world soon becomes out of date and needs a significant overhaul. What this does also lead to is the highly unpredictable topic of timelines and deliverables when dealing with so many unknown, unplanned and unpredictable changes that will be required as a continual series of improvements are worked through. What I can say is that any form of continual improvement is always far better than sitting back and leaving a system to work away. For any business owner who is reading this, when a software project is delayed, this is generally why. The world of software development is an ever moving and unpredictable goal post which requires your understanding. Good things come to those who wait.
Did you know that Google is tracking your every single move? No? Most people don’t, yet they are;
The above is where I have personally been recently while out and about on the road visiting businesses which is naturally a large part of the work that I do. This isn’t some feature that I have personally set up. No, this is something which Google has enabled by default and means that they are tracking my every move, and yours too. I’m sure there will be some small print in the terms of use somewhere but this isn’t the point.
Google is not alone in this activity. Back in 2012, Apple were found out to be tracking users without permission. With the rise of smart technology such as phones and tablets, which have many sensing devices built in, there needs to be a much easier way for users to understand what data is being tracked and how this is being used.
To see what Google knows about where you have been recently, click the above link and sign into the (or one of the..) Google Accounts that you are signed into on your mobile phone. You’ll be surprised at what you can see!
Clear Permissions and User Control
Currently it is not clear for users what data is being tracked by the majority of software and apps that you are using on your mobile devices. The industry as a whole needs to take more responsibility for privacy and security related issues. Google has recently launched Google My Account which is designed to take this a step closer to where we need to be, although I’m not sure this is going far enough;
If you are concerned about what information Google is tracking about you, it would be recommended to check through the settings for all of your Google Accounts within the My Account feature that has recently launched. Specifically where you can turn off the feature for how Google is tracking your every move if you feel this is a little too invasive into your life. Simply navigate to the Personal Info & Privacy page, then scroll down to the Places You Go section to turn this off;
Privacy
The amount of data that is being collected about everyone on a daily basis is enormous. Data that can ultimately be used for advertising purposes, sold to other companies or even stolen by cyber criminals. There are already rules in place around data security including the Data Protection Act which states that any information stored must be;
used fairly and lawfully
used for limited, specifically stated purposes
used in a way that is adequate, relevant and not excessive
accurate
kept for no longer than is absolutely necessary
handled according to people’s data protection rights
kept safe and secure
not transferred outside the UK without adequate protection
There is stronger legal protection for more sensitive information, such as:
ethnic background
political opinions
religious beliefs
health
sexual health
criminal records
What is interesting is that when you compare the above with what is actually happening in the world, it takes no legal expert to raise a few eyebrows at the disparity between the rules and reality. What is clear though is that there needs to be a much more thorough and clear process in place for all data stored about people by large organisations. When comparing this to a real world context, if you were being followed around all day, every day, by a private investigator how would you feel?
A Short Story About… series, sharing stories about epic fails related to digital marketing, web design, technology choices and more. All designed to make you aware of what can happen when you work with the wrong people and an inexperienced digital agency. Remember the importance of working with the right digital agency.
Sharing these real life stories with you allows you to review your own setup to make sure you aren’t making the same rookie mistakes. Sharing is caring and it also makes our life easier when you speak with us about increasing your revenue through digital marketing and technology.
Look at our new shiny website!
The story starts here…. We received an email from a business owner who mentioned that they had passed on our details to another business owner related to some work that they needed support with. Nothing too strange here, we get this all the time.
Naturally, when we receive requests such as this, we have a quick nosey around to get a feel for the website, digital marketing channels, technologies in use and more. Based on this quick analysis we soon get a feel for where the business is at when it comes to how digitally advanced they are, or aren’t, as the case may be.
Having already heard of the business that had been referred to us, we already knew that the website was in development with another agency (sorry, we’re not going to name and shame here, but we shall say that they are local to us…). Based on this, we had a quick look around the new website;
Website X
Initial Investigations
One of the key areas we investigate is to see what technology the website has been built with and ultimately decide if we even want to get involved with helping the business. Depending on the technology used and other factors, we often turn down work that is just too far gone to help and there is no budget for a complete rebuild. Bad decisions in the past can lead to costly solutions in the future, and businesses often don’t have the budget for re-doing something. Thankfully though, there is generally something we can help with in one way shape or form.
We always recommend the right solutions for businesses, it’s unfortunate that this ethos isn’t the same for all agencies, with many often using poorly configured technology, custom built technology and everything in between. Hence, why businesses come to us when things have gone wrong elsewhere and they are looking for a good solution that is truly suitable for their long term needs. As a caveat, there are a lot of good agencies around alongside ourselves and we can quite happily point you to them. It is also true, as many businesses are painfully aware, that there are a lot of charlatans around too.
So, while investigating what technology was powering the website, we soon noticed a login button on the website;
So we had a quick look at the login page to see if this resembled any of the common content management systems around;
And what do we see here, a nice “Register” button, so we investigated a little further;
Ooohh, that looks like a nice easy registration form, so we tested a little further…;
Username: test
Password: test123
Confirm password: test123
Surely any content management system or website worth its weight in salt would handle guest registrations in a graceful and secure way? Well, no, and this is where we were really shocked to see how bad this system has actually been built in terms of security. After registering a user using the form available on the website for anyone to see, we went back to the login page from earlier and tested these details;
And here we are, straight into the administration area where we can edit the content of the website as we choose. Adding content, deleting content, uploading images in the gallery, adding links to websites of our choosing and more. To test that we do indeed have the right privileges, we added (and then immediately removed) a piece of content to the website which was visible once we updated this;
The above isn’t the actual content that was added to the website for obvious reasons. It was simply a number “1” which was added to one of the sentences then removed immediately. The above image is purely for illustrative purposes and to emphasise the point.
It is extremely worrying that a website can be built with no security in place at all. This process took no more than 5 minutes to investigate, test and access the admin area. Imagine what we could do in 10 minutes…
Now if someone came along who had an axe to grind or was looking to infect websites with malware and other code, this would be an extremely easy thing to do. Not only could this result in the website being blacklisted from Google, your own website visitors and customers could be infected with viruses or your website could be (unknowing to you) part of a bot net that is hacking many websites around the world.
This blog post is not designed to show how good we are when it comes to identifying security issues related to websites (although we aren’t too bad at that…), this blog post is designed to highlight how easy security issues can occur when you are using either the wrong technology, incorrectly configured technology, sloppy web developers or an agency who clearly has no idea what they are doing.
For any website or web application, security should be embedded from the start of the project and clear testing throughout to ensure that only those who have access to the administration area do have access to it. Security is not an added extra, this is your own business and website that we are talking about. An area that you have clearly worked hard on and one that will no doubt have been a reasonable investment. Don’t get caught out with rookie mistakes.
Imagine if the administration area contained a list of all of your customers who had registered with your website? Or if this contained personal sensitive information in unencrypted form, names, email addresses, phone numbers or heavens forbid credit card details? Such a simple mistake can turn into an enormous problem. All preventable when you are working with the right people who have the skills, knowledge and experience to do the job properly.
Technology
For reference, the technology behind the website in this case study was running the following;
IIS 8 Web Server
.NET / ASP.NET MVC Framework (this is where the problem and solution lie, allowing anyone to view the user registration page and allowing the default user to be created as an Administrator)
Google Hosted Libraries
jQuery
Fancybox
Incorrectly configuring technology is one of the most common pitfalls related to website security. It is so important that you are working with a well-respected company who have staff with a wealth of experience and capable of preventing issues like this occurring.
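To make the misconfiguration concrete for developers working in the same stack, here is an added example (not the agency’s code, nor the code of the website in the case study) written for ASP.NET MVC 5 with ASP.NET Identity 2.x. It shows the shape of the defect described above, a public registration action that places every new account in the Administrator role and an admin controller with no authorisation attribute, next to the hardened form where self-registered users get the lowest role and the admin area is gated on the Administrator role. The class names ApplicationUser, the controller names, and the role names "Administrator" and "Member" are assumptions for illustration; constructor injection of UserManager is also assumed.

```csharp
// Added example, not the original site's code. Assumes ASP.NET MVC 5 and
// ASP.NET Identity 2.x (Microsoft.AspNet.Identity, Microsoft.AspNet.Identity.EntityFramework).
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Assumed user type, as generated by the default MVC 5 template.
public class ApplicationUser : IdentityUser { }

public class RegisterViewModel
{
    public string Email { get; set; }
    public string Password { get; set; }
}

// --- Before: the pattern described in the post ---
// A public sign-up form is normal, so [AllowAnonymous] on Register is correct.
// The defect is what happens after the account is created: every self-registered
// user is placed in the Administrator role, and the admin controller has no
// [Authorize] at all, so a throwaway account lands straight in the content editor.
public class VulnerableAccountController : Controller
{
    private readonly UserManager<ApplicationUser> _userManager;
    public VulnerableAccountController(UserManager<ApplicationUser> userManager) { _userManager = userManager; }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Register(RegisterViewModel model)
    {
        var user = new ApplicationUser { UserName = model.Email, Email = model.Email };
        var result = await _userManager.CreateAsync(user, model.Password);
        if (result.Succeeded)
        {
            // Defect: privilege granted by default to anyone who fills in the form.
            await _userManager.AddToRoleAsync(user.Id, "Administrator");
            return RedirectToAction("Index", "Admin");
        }
        return View(model);
    }
}

// No authorisation attribute: any visitor, logged in or not, can reach these actions.
public class VulnerableAdminController : Controller
{
    public ActionResult Index() { return View(); }
}

// --- After: least privilege on registration, explicit role gate on the admin area ---
public class HardenedAccountController : Controller
{
    private readonly UserManager<ApplicationUser> _userManager;
    public HardenedAccountController(UserManager<ApplicationUser> userManager) { _userManager = userManager; }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Register(RegisterViewModel model)
    {
        if (!ModelState.IsValid) return View(model);
        var user = new ApplicationUser { UserName = model.Email, Email = model.Email };
        var result = await _userManager.CreateAsync(user, model.Password);
        if (result.Succeeded)
        {
            // Self-registered accounts only ever receive the lowest role. Promotion to
            // Administrator happens in a separate action that itself requires Administrator.
            await _userManager.AddToRoleAsync(user.Id, "Member");
            return RedirectToAction("Index", "Home");
        }
        foreach (var error in result.Errors) ModelState.AddModelError("", error);
        return View(model);
    }
}

// Controller-level gate: every action requires an authenticated user in the Administrator role.
[Authorize(Roles = "Administrator")]
public class HardenedAdminController : Controller
{
    public ActionResult Index() { return View(); }
}

// Default-deny safety net: authentication is required for every action in the
// application unless it is explicitly marked [AllowAnonymous]. Call this from
// Application_Start (the default template already has a FilterConfig class).
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new AuthorizeAttribute());
    }
}
```

The two changes that matter are small: the role assigned on self-registration, and an [Authorize(Roles = ...)] on anything administrative. The global AuthorizeAttribute is worth adding as well, because it turns a forgotten attribute on a new admin controller into a login prompt rather than an open door. A quick check for an existing site is to register a fresh account on a staging copy and confirm it is refused at every admin URL.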
The Solution
Throughout this blog post, the company has remained masked and is not identifiable in any way for obvious reasons. The company has also been notified and their agency is working on a solution as a priority. We believe in responsible disclosure, which is why we have published these findings, to avoid others falling into the same trap.
For reference for the developers working on this solution, if any pointers are needed, a quick Google search for the solution came up which may be quite useful;
Please also have some form of robust security processes in place within your business to prevent this happening again in the future. Please also check all of your other clients who you have built websites for in this same fashion, as this could also need fixing on their website too. Again, it is extremely simple to gather a list of websites built by the same agency where this problem could also exist;
For anyone looking to do harm, this could turn into a reputational nightmare for the agency involved along with causing all of the businesses involved an awful lot of lost revenue if this was exploited fully by a hacker before a solution was implemented. Staff training, for both technical and non-technical users is key in this area to ensure that problems are identified before other people find them and exploit them.
Summary
As mentioned at the start, it is essential that you are working with the right digital agency who is capable of delivering projects in a secure fashion. Simply working with the cheapest company, the company who can talk the best talk or the company who manages to convince you that their solution is the best one over all of the others just isn’t going to cut it. As a business owner or decision maker, it is ultimately your responsibility that you are working with well-respected agencies who know what they are doing.
If you are concerned by the contents of this blog post, if you are questioning your current supplier or are generally concerned about the security of your digital assets, then get in touch. Cyber security is a hot topic for a reason, it is hugely important to protect the future of your online presence and more.
The learning point: Ensure your website registration process doesn’t allow new users to access parts of the website they shouldn’t. In this example, using a well-respected content management system would have prevented this issue altogether. Many website builds do not require any fancy custom built content management system solution, popular platforms such as WordPress or Magento are often perfect for the job.
Being part of Manchester Digital, we get access to exclusive events talking about the serious changes in digital and current trends. We recently attended an event talking about online fraud and cybercrime, and honestly, this is a much more serious threat than most businesses even realise.
At the event we heard from DC David Stott from Cheshire Police force and Raoul Charlett, a Complex Fraud and Corruption Investigator, talking about cybercrime and fraud proofing your ecommerce business. Also speaking was Gareth Williams from Metapack who covered various tips and advice about how businesses can protect themselves online.
Traditional Business Fraud
Some of the more common business related frauds relate to long term frauds within organisations, invoice diversions and even internal fraud related to BACS, accounting and false invoices being processed. These clearly have serious consequences for businesses beyond the obvious monetary costs. From data loss, disruption within your business, the branding and PR nightmare if this information gets released and more.
What is more worrying is the lack of capability for a lot of digital fraud to be investigated. As you know, the UK has borders and so do the capabilities of the law enforcement organisations who can pursue such fraud. Typically speaking, a lot of digital fraud is instigated overseas which means that the effort involved in bringing criminals to justice requires a lot of work and often never actually happens. This is a huge issue for businesses, particularly those running ecommerce websites as you can lose a lot of money in the process with little chance of getting this back.
Data Commissioners Office
One point reiterated at the event was about how all organisations storing personal information that is used for specific purposes must register at the Information Commissioners Office. If you aren’t sure if you need to register, then it is recommended to complete the self-assessment on the website, and if you do need to register this is only a nominal fee of £35 per year.
With data breaches on the rise, it is essential that businesses treat data security seriously as it is a criminal offence if you don’t do this and are required to do so. Over recent years we have seen literally billions of customer details stolen from only a small handful of companies storing personal information for their customers.
Digital Fraud and Cybercrime
Moving onto some of the more modern frauds that happen, it is often the ones you may not even have thought about, yet are a serious problem for businesses. We are increasingly speaking with clients and other businesses about how to mitigate the risk for their businesses related to cybercrime and we are able to provide key recommendations on this topic.
Intellectual Property Theft
How secure is your intellectual property within your business? As a digital organisation, your intellectual property isn’t likely to be in the form of manufacturing processes, secret recipes, physical designs or some of the other traditional areas that you would generally relate to intellectual property theft.
When looking at digital businesses, how secure is your data, your databases, your software code and other sensitive information about your business, your customers, products and services? In our experience, for many small to medium sized businesses, there is often quite a significant opportunity for fraudulent activities and cybercrime to take place due to lack of procedures, understanding and internal training.
Hardware Security
This is way beyond our level of expertise at Contrado Digital, although we like to keep our ears open to the news related to hardware security. Specifically around open source and freely available software called Reaver which is designed specifically to hack into WiFi routers using WPS, WPA and WPA2 passwords using a brute force style attack.
To keep this in perspective, once someone accesses your internal network, they often have access to a wide range of other data within your business if your data isn’t locked down and secured well. This is beyond simply having a more secure password on your router, this comes down to how you and your staff access the files, data and systems within your organisation. To the point that you not only have the internal security of only allowing access to data from an internal IP address, but also only allowing access to data for staff who have the authority to view this data, regardless of whether they are within the internal office IP or not.
Systems Prevention
There are a lot of technical ways and some common sense methods which you can use to protect your business from cybercrime and online fraud. Have a think about some of these questions to see how they relate to your own business;
What is your fraud policy?
How are individual members of staff managed in terms of the data they can access?
Do your staff understand how Trojans, malware and phishing scams work, specifically related to clicking links and opening emails from unknown sources?
How do you mitigate risks from updating your accounts, specifically related to invoice fraud?
How do you investigate new customers to check that they are genuine? A note on this topic is that you can be legally responsible and open to jail time if you have not performed detailed enough checks and your customer ends up being identified as part of a criminal organisation. This could have serious implications for your business.
How do you thoroughly vet new and existing members of staff? This sounds obvious, but have you spoken to their references?
A note on background checks related to companies is rather interesting, as the data that you will often be researching on freely available company check websites and Companies House is only as accurate as the data that is entered by the company. This is really important to understand because this data does not state that the data is accurate, the information you see on these services states that this is what the company has said is accurate. This can be significantly different, particularly when online fraud and cybercrime is taken into account. Do you honestly believe a company that is not legitimate would submit legitimate data? The same applies when another company could be created with a very similar name to your business which could confuse people trading with you, or you viewing another company.
An interesting service that was recommended included WebFiling Protected Online Fraud (PROOF) which helps companies, i.e. yourself, safeguard your information and protect against corporate identity theft and fraudulent filings. The short video below explains this in more detail;
Another check point discussed was The Gazette which allows you to check company information from an official source. When checking details of a company you are either working with currently or about to work with, it is essential to check through as many sources as possible to get a good understanding of who you are working with.
Hackers for Hire
Thinking hacking and cybercrime isn’t that much of a threat? Think again. There are services popping up such as HackersList which allows you to actually rent hackers for a specific project and pay for their services. And this is just the public face of what is happening. Within the underground there is an awful lot more happening that most people simply aren’t aware of.
Hacking is always seen as this big bad term, yet often hacking isn’t that difficult. Hacking can be extremely simple, particularly when companies employ sloppy web developers and leave their customer details wide open for anyone to access. This isn’t difficult for anyone to access with half a brain cell and a small bit of technical knowledge. This isn’t cyber criminals working away, this can be simply equated to finding a hidden link on a page that happens to be the same colour as the background. The technicalities behind this aren’t much more complex than that.
London Met Fraud Advice
The London Metropolitan Police are very much leading the way when it comes to cybercrime and security prevention in an official sense and have a very valuable website on the topic to help individuals and companies protect themselves. If you aren’t too familiar with some of the basics of protecting yourself and your business, I’d suggest you spend a bit of time researching this and understand what you can do within your own business.
MetaPack
MetaPack is a service designed to track ecommerce deliveries from end to end while looking to reduce fraud at every step of the process by using smart technology. Interestingly, 80 of the top 100 online UK retailers use MetaPack which managed around 50% of the online orders in 2014 (excluding Amazon).
Another interesting fact is that between 1-3% of sales are classified as Goods Lost in Transit (GLIT) which is actually an extremely high amount when you think about the scale of online orders within the UK, some of the highest per capita in the world. Some of the common problems related to this simply comes down to different departments within larger organisations simply not talking to each other, whether this is people or systems, think sales, website, warehouse all using different spreadsheets, databases and platforms with no centralised system.
A prime example of this is for items with a higher value which it is often simply not worth the ecommerce retailer collecting from the customer. Imagine, as a fraudster, ordering a bathroom suite, 5 items, from 5 companies (bath, toilet, bidet, tiles and basin). When each arrives, calling each company to inform them that the item has arrived damaged. Then when they ask if you would like another item delivering, you say no and they simply issue a refund without ever collecting the apparently damaged item from you because it is too expensive to collect or verify. This is clearly an issue if you don’t have the correct procedures in place for your business and happens more than you could imagine.
Officials
While I hate to say this, the authorities are too slow to adapt to the changes within digital to keep up with the ever changing technologies, threats, knowledge and information with an ever decreasing budget for public services. When you compare the resources and knowledge the official sources have on cyber security and online fraud in comparison to what is actually happening, this is worrying. To the point whereby Stuxnet managed to go unnoticed for quite some time. If you haven’t heard about this, read up on it if you don’t want to sleep at night.
This is going to change over time within the authorities, although as a business you need to take responsibility and protect yourself to avoid any serious issues within your business.
Website Security
Online fraud and cybersecurity covers a lot of topics from user behaviour, training, IT hardware, physical security and more. This blog post isn’t designed to be a resource covering all of these topics, instead more of a warning to companies to take online fraud, cybercrime and security seriously.
We do our part related to website security which is why we offer services designed specifically to help businesses manage their online security through our WordPress Security and Maintenance packages along with providing industry leading web hosting solutions for small to medium sized businesses.
Summary
Online fraud, cybercrime and security need to be taken seriously by businesses within the small to medium sized range. Do not take the threat lightly and assume that it will not happen to you. Cyber criminals will be targeting non-corporate businesses as these are the businesses who often have the fewest security policies in place throughout their website and internal procedures.
If you would like to talk through how business could be impacted, get in touch to discuss your specific business needs and how we can help protect your business.