Online businesses need to protect their websites against a technique known as “data scraping”, which allows competitors to gain pricing and customer details through simple software, a security expert warns.
The issues are set out in a new KPMG report, which recommends businesses introduce stringent security policies in order to protect price information that, if stolen, could present a serious threat.
KPMG forensic director Rod McKemmish says many businesses are unaware they are under attack from individual computer programmers and software designed to harvest information.
In some cases, data scraping could even change customer information in an attempt to change a company’s marketing focus. Other methods can see “click rate” figures changed, potentially affecting advertising data.
“Anecdotally, we are seeing an increase in the number of websites being attacked through data scraping methods.”
“The most prevalent attacks are experienced by websites with pricing information for products and services or an online quoting system, such as travel or insurance companies’ websites where data is inputted by the customer.”
McKemmish says the attacks happen in two different ways. The first is where hackers go into a site’s database and change customer information, or even create fake customers, to hurt a business’s marketing efforts.
An example he gives is that a business may think it has a large number of customers from Tasmania, and direct significant amounts of advertising there, but those customers may just be fakes created by hackers.
The second, and most dangerous, method is where hackers use software to obtain a list of products, prices, and possibly other detailed information regarding margins and supplier activity.
“Any data you have exposed to the internet, any user interface you have, is liable. If I have an online retail business, and have goods for sale, a hacker could scrape that data, compile prices and then give it to competitors or use them himself.”
“There are other methods where hackers can even generate fake customers. There’s a lot of activity around these methods now and they are becoming more popular.”
McKemmish says while any user might be able to produce a list of products and prices over time if they dig hard enough into a site’s security system, the difference in “scraping” is that users create software to compile this data at extremely fast speeds.
“It’s the speed of the process that makes this effort much different. While any user could potentially do this if they had enough time, it would be an extremely long process. This makes it fast, accessible and a very dangerous process.”
The only solution, McKemmish says, is that businesses develop strict, comprehensive and future-proof security plans so customer and pricing data remains private and secure.
“One thing that businesses should be doing is creating a profile of these attacks. If you are able to see where these attacks are coming from, you can analyse patterns and conclude some possible origins.”
He says businesses shouldn’t jump to extreme methods like blocking individual members, but should instead use sophisticated security techniques, such as comprehensive firewalls.
“The complexity of defence depends on your IT environment and the underlying business model. We don’t want to slow down the user experience but there are certain steps that should be put in place such as filtering or analysing online traffic, user verification through email addresses or using pictures or ‘captchas’ to confirm a person, rather than a computer program, is accessing the site.”
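The profiling McKemmish describes, seeing where requests come from and how fast they arrive, can be sketched from web server access logs. This is an added example, not code from the KPMG report; the log lines, the `/products/` path prefix and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3}')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def build_sample():
    """Constructed access-log lines (common log format), not real traffic."""
    fmt = '{} - - [12/Mar/2010:10:{:02d}:{:02d} +0000] "GET /products/{} HTTP/1.1" 200 512'
    # Scripted client: 20 distinct price pages in 20 seconds.
    lines = [fmt.format("203.0.113.7", 0, s, 1000 + s) for s in range(20)]
    # Human-paced client: 3 views over 5 minutes, one page revisited.
    lines += [fmt.format("198.51.100.20", m, 10, p) for m, p in ((0, 1003), (2, 1007), (5, 1003))]
    lines.append("garbled line that does not parse")
    return lines

def profile_clients(lines, prefix="/products/"):
    """Per source address: request count, distinct priced pages, requests per minute."""
    seen = defaultdict(lambda: {"times": [], "pages": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m.group(3).startswith(prefix):
            continue  # skip malformed lines and non-catalogue requests
        rec = seen[m.group(1)]
        rec["times"].append(datetime.strptime(m.group(2), TS_FMT))
        rec["pages"].add(m.group(3).split("?")[0])
    report = {}
    for ip, rec in seen.items():
        span = (max(rec["times"]) - min(rec["times"])).total_seconds()
        minutes = max(span, 60.0) / 60.0  # floor the window so one request is not a "burst"
        report[ip] = {"requests": len(rec["times"]),
                      "distinct_pages": len(rec["pages"]),
                      "per_minute": round(len(rec["times"]) / minutes, 1)}
    return report

def suspects(report, min_rate=10.0, min_pages=10):
    """Addresses that are both fast and broad; thresholds are assumed and need tuning."""
    return sorted(ip for ip, r in report.items()
                  if r["per_minute"] >= min_rate and r["distinct_pages"] >= min_pages)

if __name__ == "__main__":
    rep = profile_clients(build_sample())
    for ip, row in rep.items():
        print(ip, row, "REVIEW" if ip in suspects(rep) else "ok")
```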