Unless you have been off in a cave somewhere or are one those people who automatically opens the back of the newspaper to read the sports section and never gets around to the front of the paper, you probably have heard about the newly discovered vulnerability in online security. The reports have been featured in most major newspapers and so I decided to do a bit of research and find out whether our industry needed to be worried.
The Original Report
First of all, for those who enjoy reading technobabble, here is the original report as provided by the Cryptology ePrint archive (they provide access to reports on cryptology issues). Now, as best as I understand it, the report indicates that there is a problem, but it’s not one which has been reported as being exploited as of yet.
This reminds me of the episode of Friends where Rachel finds out that she’s pregnant. I’ll let interested readers look up the reference, but the point is that the researchers found that online encryption methods are a little more than 98% effective, meaning that in the vast majority of cases, your customers will never have to worry. To put this in perspective, they tested six million keys and found serious flaws in 12,270 of them and more minor flaws in another 27,000 of them.
Reassuring Your Customers
Unfortunately, as an eCommerce website owner, there is likely precious little you can do to ensure that your customer’s data isn’t hacked along the way. Since the problem appears to crop up randomly rather than with a specific pattern, it’s a bit of a crap shoot to figure out when it will strike. The good news is that you can reassure your customers in several ways:
- Double Check Orders – If you want to be sure about things, then send out e-mails automatically to customers asking them to double check their orders, making sure that what they ordered really is listed there.
This is good practice anyway for any ecommerce site just to make sure your customers are happy and get what they asked for. Be sure to be ready to change orders or cancel them if the customer indicates they didn’t place the order or there is another problem. However, I’d suggest simply sending out an e-mail asking customers to double check their order rather than mentioning this issue.
- Answer Only When Asked – My feeling on this is as follows: don’t go making a public spectacle out of this. Unfortunately, until researchers find a way to plug this hole, it’s not something than any eCommerce site owner can do something about. Therefore, I suggest that you don’t address this issue to customers unless they ask. If they do ask, tell them you are working with your security experts to try to ensure that nothing will happen.
Be Sure to Install Updates Right Away
Finally, I suggest that as soon as your eCommerce provider (whoever it may be) has finished taking care of fixing any problems (if indeed your service is affected at all), you immediately install the updates as necessary. This way, you protect yourself and your customers.
The bottom line here though is that I really don’t think there is much need to be concerned. Since this is a random flaw anyway, it’s very hard for a hacker to take advantage and the odds are good that your eCommerce provider will fix any security problems due to the encryption vulnerability shortly in any event.