Basic flaws in e-commerce systems are putting customer details and sensitive company information at risk, according to new research.
Web server flaws, poor authentication mechanisms and faulty log-out facilities are the most widespread problems.
Roy Hills, technical director at NTA Monitor, which conducted the research, said: "Simple faults are worryingly common and on a level that can be exploited even by the most unsophisticated hackers.
"Given that security issues are the biggest inhibitor for online buyers, we were surprised to find that companies are not sealing their defences more thoroughly."
The list of basic mistakes includes:
- Lack of security exposing root access to web servers.
- Logout facility not working, so that anyone using the PC directly afterwards can continue the session with full access to their account.
- Predictable authentication tokens which can be guessed to access other accounts on the system.
- Web servers that allow unencrypted access to secure areas, allowing information to be sent in the clear across the internet and sniffed in transit.
- Authentication token cookies cached on disk, so that anyone using the PC directly afterwards can log back into the session with full access to the account.
- Authentication fields not obscured during entry, so that people looking over a user's shoulder can see access details.
- Account lock mechanisms that do not work, leaving data unprotected from malicious brute force attacks.
- No protection against keystroke loggers allowing an attacker to log confidential information entered by the user.
- Weak password mechanisms where the system permits the user to choose insecure passwords, or no facility to change passwords.
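The logout, predictable-token and cached-cookie items in the list above come down to how session tokens are generated, stored and revoked. The following is an added example, not code from NTA Monitor or the article, showing a server-side session store that generates unguessable tokens, invalidates them on logout and issues the cookie with attributes that keep it off disk; `SessionStore`, the account ids and `predictable_token` are constructed stand-ins for illustration.

```python
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """Constructed in-memory session store standing in for a real backend."""

    def __init__(self):
        self._sessions = {}  # token -> account id

    def login(self, account_id):
        # 32 bytes from the OS CSPRNG: a token cannot be derived from earlier
        # ones, unlike the counter-style tokens the research warns about.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = account_id
        return token

    def account_for(self, token):
        # Unknown or revoked tokens resolve to None, i.e. not authenticated.
        return self._sessions.get(token)

    def logout(self, token):
        # A working logout revokes the token on the server; clearing the
        # browser cookie alone would leave the session usable by the next user.
        return self._sessions.pop(token, None) is not None


def predictable_token(counter):
    # The anti-pattern: a sequential token, so seeing one reveals the others.
    return f"sess-{counter:08d}"


def session_cookie_header(token):
    # Set-Cookie value for the session token. No Max-Age or Expires is set,
    # so the browser treats it as a session cookie rather than writing it to
    # its on-disk cookie store; Secure keeps it off unencrypted connections.
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["samesite"] = "Strict"
    return cookie["session"].OutputString()


def no_store_headers():
    # Response headers for authenticated pages so that neither the browser
    # nor an intermediary keeps a copy of account data after logout.
    return {"Cache-Control": "no-store", "Pragma": "no-cache"}
```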