Sunday, September 13, 2009

Charity Websites Not Secure and a Gift to You!

Sector is not up to date with security risks, says NTA Monitor report

Charities are more likely to have poor website security than other organizations, according to the results of an annual survey published this week.

The Web Application Annual Security Report 2009, produced by security-testing company NTA Monitor, found the average charity and not-for-profit website contained 15 'security vulnerabilities', compared with five the previous year.

This was the highest number of breaches found among organizations from eight sectors, including finance, government and manufacturing.

The most common charity flaws included not having account lockout mechanisms in place, which stop hackers with valid usernames from repeatedly guessing passwords. Charities were also guilty of allowing users to choose insecure passwords, which increases the chances of unauthorized access to accounts.
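As an added illustration of the two flaws the report names (it is not code from NTA Monitor, the report or this post), here is a minimal login gate with a temporary per-account lockout and a password-acceptance check; the thresholds, the sample credential and the small common-password list are assumptions:

```python
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # consecutive wrong guesses tolerated before the lock (assumed value)
LOCKOUT_SECONDS = 15 * 60   # temporary lock; a permanent lock would let anyone lock out a victim
MIN_PASSWORD_LENGTH = 12    # assumed minimum for the password-acceptance check
# Constructed sample list; a real deployment would check against a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def password_is_acceptable(password: str) -> bool:
    """Reject the kind of insecure password the report says charities let users choose."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    return password.lower() not in COMMON_PASSWORDS


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since the last success or lock
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGate:
    """Checks credentials and enforces the per-account lockout the report found missing."""

    def __init__(self, credentials: dict, clock=time.time):
        # username -> password; a real system stores salted hashes, never plaintext
        self._credentials = credentials
        self._state = {}
        self._clock = clock  # injectable so the lockout window can be tested without sleeping

    def attempt(self, username: str, password: str) -> str:
        now = self._clock()
        st = self._state.setdefault(username, AccountState())
        if now < st.locked_until:
            return "locked"  # refused even with the right password, so guessing cannot continue
        expected = self._credentials.get(username, "")
        # compare_digest keeps the comparison time independent of where the guess diverges
        ok = username in self._credentials and hmac.compare_digest(
            expected.encode(), password.encode())
        if ok:
            st.failures = 0
            return "ok"
        st.failures += 1  # unknown usernames are counted too, so responses do not reveal them
        if st.failures >= MAX_FAILURES:
            st.failures = 0
            st.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```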

Editor's Note: Again, the problem is NOT so much the Password, but how these Passwords are Entered. How are they entered? They are TYPED. Here's my "gift to you":

If you type, the hackers will swipe...

Hackers can get around SSL, they can get around EV SSL, they can get around whatever is introduced in the future.

If you use the web browser to "enter" (type) information, that very same information is available to whoever wants to see it.

Unfortunately, when it comes to financial information, such as credit/debit card numbers or Usernames and Passwords, it's the "bad guys" who want to see it. It really is as basic as that...

I know, I know...there are some who may think I'm "overstating this risk," based on the fact that HomeATM eliminates typing, eliminates card-not-present, and eliminates the use of the browser when conducting log-in or eCommerce transactions.

I am sure that there are some who believe I'm making a "mountain out of a mole-hill," but I believe the exact opposite is true. The reality of the situation is that those who continue to instruct their customers to "type" or "enter" are making a mole-hill out of the mounting evidence that it is not safe to do so.

IBM's X-Force 2009 Mid-Year Trend and Risk Report:

"There is no such thing as safe browsing today and it is no longer the case that only the red light district sites are responsible for malware. We've reached a tipping point where every Web site should be viewed as suspicious and every user is at risk. The threat convergence of the Web ecosystem is creating a perfect storm of criminal activity," says X-Force Director Kris Lamb.

Those who continue to tell you it's safe to type your card information into a box on a website, or a username and password for online banking sessions, are either turning a "blind eye" or not quite "seeing" the problem as succinctly as they will in a year or two. Until they do, they are making a mole-hill out of a mountain.

Making a Mole-hill out of the Mountain

There is only ONE 2FA 3DES DUKPT E2EE PCI 2.x Certified Solution in two hemispheres

Exclusively from HomeATM ePayment Solutions
