Elastica Chief Technology Officer Zulfikar Ramzan has worked with companies that have experienced a security breach and faced the exact same situation eBay is now facing. In a three-part interview, he shares important information with EcommerceBytes that every online seller should read.
In Part 1, Dr. Ramzan talked about what’s going on at eBay right now, and in Part 2, he talked about the challenges eBay and other companies face in protecting sensitive data such as physical addresses and birth dates. He also spoke about the role law enforcement plays in an investigation after a breach like the one that occurred at eBay.
Part 3 covers companies’ reluctance in disclosing security practices and what questions online sellers should be asking ecommerce and payments companies about their practices around data security.
EcommerceBytes: What types of questions should we be asking other ecommerce and payments companies about their practices around encryption?
Zulfikar Ramzan: Knowing how they store passwords is very important. Hopefully they should, at the very least, be hashing and salting passwords. It’s also important to know how they store other sensitive data. For example, credit card numbers and bank account numbers, and so on. Given the extreme sensitivity, this data should be encrypted.
It is also useful to know about their broader data handling processes. For example, who can access customer data? How is that access governed? Where does the data reside and can that easily change? There’s no point in encrypting your database if an employee can throw unencrypted data into a USB drive that can be pilfered after they leave it in their car (and this has happened)!
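The salted-and-hashed storage Dr. Ramzan describes, shown as an added example (this is not code from the interview, from eBay, or from Elastica; the algorithm choice, PBKDF2-HMAC-SHA256, the iteration count, the record format and the sample users are all assumptions made for illustration). The contrast with the unsalted helper shows why the salt matters: without it, every user who picked the same password would have the same stored digest, so one precomputed table would crack all of them at once.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example. The interview only says passwords
# should be "salted and hashed"; it does not name any algorithm or cost.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (OWASP's 2023 guidance)
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt is drawn for every call, so two users with the same
    password (or one user re-setting the same password) never share a record.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False          # malformed record: never treat as a match
    if algorithm != ALGORITHM:
        return False          # unknown scheme: reject rather than guess
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def unsalted_sha256(password: str) -> str:
    """The weak scheme salting replaces: identical passwords give identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo() -> dict:
    """Two constructed users who chose the same password (sample data, not real accounts)."""
    shared_password = "correct horse battery staple"
    records = {
        "alice@example.invalid": hash_password(shared_password),
        "bob@example.invalid": hash_password(shared_password),
    }
    return {
        # Unsalted: the two digests collide, so one table lookup cracks both accounts.
        "unsalted_collide": unsalted_sha256(shared_password) == unsalted_sha256(shared_password),
        # Salted: the stored records differ even though the password is the same.
        "salted_records_differ": records["alice@example.invalid"] != records["bob@example.invalid"],
        # Verification still works for each record with the correct password only.
        "alice_ok": verify_password(shared_password, records["alice@example.invalid"]),
        "bob_wrong_rejected": verify_password("wrong password", records["bob@example.invalid"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The record carries its own algorithm name and iteration count, so the work factor can be raised later and old records re-hashed on the user's next successful login without a flag day.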
EcommerceBytes: Often companies won’t answer questions about security, saying they don’t want to give scammers any information. Is that a valid response?
Zulfikar Ramzan: That’s a fantastic question, and I think the answer is that it depends. I believe that in many cases, an organization can disclose security practices without giving an edge to the attacker. For example, if they state publicly that passwords are salted and hashed, an attacker does not benefit much by knowing this information.
If, on the other hand, they disclose specifically that they use a particular vendor’s anti-virus product to scan their files, then attackers can leverage that information. In particular, attackers could configure their own lab that mimics the organization’s environment and develop threats that circumvent that exact setup.
Many attackers already do this sort of thing. In fact, many of the higher attackers know exactly what defenses they are up against, and they develop techniques specifically to circumvent those defenses. I think that’s why it becomes a question of when, not if, a breach will happen. Having said that, there is useful information you can disclose, without saying too much, such as the fact that files are indeed scanned for threats and redacting any specific vendor name.
EcommerceBytes: Don’t users have a right to know if the companies they’re using are protecting their data?
Zulfikar Ramzan: I personally think that users do have a right to know, but I think only a small number will understand the implications. Interestingly enough, in enterprise settings the situation is starkly different. Oftentimes vendors put together detailed security whitepapers that their (enterprise) customers will scrutinize. These whitepapers contain details on how data is protected. It would be great if a commensurate degree of detail were provided to individual consumers as well.
Perhaps as more data breaches come to light, we will start to see more demand for disclosures on how customer data is being protected.
I do think your question also raises a fascinating point about a fundamental misalignment of incentives. If a company stores my credit card number and fails to do so in a safe manner, then I’m the one who has to suffer the consequences should that data become compromised. In other words, even though I’m trusting a company to protect my data, their incentives for doing so are not the same as my incentives.
If consumers start to demand more transparency and follow through by switching who they do business with as a result, then we may see organizations respond appropriately. However, this situation is quite idealistic. We may not get there any time soon, but hopefully we can start in the right direction.
EcommerceBytes: What should users look for to help them determine if a company is protecting sensitive and financial data?
Zulfikar Ramzan: A good rule of thumb is to stick with sites that are reputable and that have either been around for a while or appear to be security savvy, with few prior incidents.
Also, try to mitigate the risks associated with data compromise. For example, try to use different passwords for different sites. Or at the very least, don’t use a password at a smaller site that is identical to the password you use with your bank or credit card company.
Another point to consider is that credit card companies limit your liabilities. So, I would be less concerned about providing an organization with my credit card number than I would my debit card information since the latter might have fewer protections.
Learning to mitigate your own risks is extremely important. If large security savvy organizations like eBay can get compromised, then most organizations are at significant risk.
EcommerceBytes: You said “eBay has a number of strong people in their internal security and incident response teams.” Can you speak to Amazon and Etsy’s security teams or their reputation in the security industry?
Zulfikar Ramzan: I’ve never personally interacted with anyone from the security team at Etsy, but I have interacted with some of the folks at Amazon. From what I can gather, they both take security very seriously and have staffed up teams in this area. Both have incident response teams and offer bug bounty programs to proactively seek out vulnerabilities in their respective sites.
Dr. Ramzan also appears in a video on Elastica.net speaking about the attack on eBay and explaining the salting and hashing paradigm employed by eBay (and other companies) to protect passwords in databases against breaches.
As Chief Technology Officer of Elastica, Inc., he drives its efforts in leveraging data science and machine learning techniques towards improving the security of cloud services. Prior to joining Elastica, Zulfikar was Chief Scientist at Sourcefire (acquired by Cisco), within their cloud technology group. At Sourcefire/Cisco, he was responsible for the technical vision as well as the in-field efficacy of the company’s core advanced malware protection offerings. Prior to joining Sourcefire via its acquisition of Immunet in 2010, Zulfikar was Technical Director of Symantec’s Security Technology and Response division.
In all of these roles, Zulfikar used expertise in machine learning, large-scale data mining, and information security to protect customers from threats to their data.