PayPal – with billions of dollars in online and real-life goods and services being bought through it every day, one might easily believe that this company has a veritable fortress of security protocols in place to protect its customers’ financial information.
And while it’s true that PayPal does take security seriously, the fact is that no company is immune from every potential threat or exploit.
Hackers go out of their way to plant false cookies, send spoofed emails, and install “sniffers” in the background that actively look for security holes to exploit.
For PayPal to Be Secure, Its Users Need to Be Secure
Even if PayPal’s own infrastructure is secure, they can’t always count on their users being as savvy.
“PEBKAC Error: Problem Exists Between Keyboard and Chair”
Many of us know someone – a relative or a friend perhaps – who received an honest-looking PayPal email telling them their account had been hacked, their password had been changed, or they had purchased something they know they didn’t buy.
Of course, when faced with this kind of message, many people instinctively insist “That wasn’t me!” and log in to a near-perfectly crafted PayPal.com replica, divulging their username and password, which are promptly shuttled into the eager hands of hackers and then sold on the digital black market.
Not surprisingly, these opportunists take no prisoners, draining bank accounts, making mass-purchases on credit cards and debit cards, and leaving the bewildered victim picking up the pieces of their shattered financial lives.
PayPal does its part to remind consumers about not clicking on any emails from unrecognized links or senders, and to check their address bar for the common “https://” that denotes a secure site, but no method is 100% foolproof, especially when dealing with less tech-savvy users who choose guessable passwords like “love” and “123”.
The Defencely Difference
Defencely was recently honored on PayPal’s Wall of Fame for bringing a security issue to their attention that PayPal’s own engineers had failed to spot. The Wall of Fame is an honor that few online security firms can claim – another testament which supports Defencely’s mission to make the web a safer place for everyone.
Not surprisingly, hackers are always trying to stay one step ahead of the antivirus, spyware and penetration testing companies. But companies like Defencely are starting to beat them at their own game, putting up formidable digital walls that even the most sophisticated ‘script kiddies’ can’t break through. Like modern-day burglars, hackers are only interested in easy access by any means possible.
And while PayPal must always stay active and prepared for new threats, it’s nice to know that there are companies like Defencely who are working alongside them, bringing new vulnerabilities to light and helping to squash exploits before they get a stranglehold on the server.
Pop quiz: what do Microsoft, Twitter, Facebook, NBC, ZenDesk, and Drupal all have in common?
They’ve all been recently hacked.
Yes, hacking is a growing threat for every business both large and small.
Whether it’s stealing private data, taking control of your computer, or shutting down your website, hackers can seriously impact any business, at any time.
Defencely has been analysing possible attack vectors since its founding, has built a proven record in web application security in India, and is now going global. Defencely has been working to make a name for itself in the CIO portfolio for its immense success as an information technology security service provider. Defencely has not only stood by its clients in the past, but now provides ground-breaking research for all of its clients, with special deliverables included when Defencely’s services are chosen. Defencely has chosen white hat ethical hacking as its route to bettering the web: it works its way through the corporate business world and provides in-depth security services for overall web security protection to its valued clients. Alongside each of its services, Defencely maintains a high standard in bug hunting, with a proven record of quality deliverables from its Red Team security experts. The red team represents Defencely in many ways, from spreading awareness of information security concerns and attending information security conferences to providing free industrial hands-on penetration tests as an initial engagement; this alone has shown how security can be little more than an illusion to the corporate world, and how a business could be ruined overnight.
Hackers can attack in so many ways, but here’s the ten most popular ways they can threaten the security of your site, and your business:
10. Injection Attacks
Injection attacks occur when there are flaws in your SQL database, SQL libraries, or even the operating system itself. Employees unknowingly open seemingly credible files with hidden commands, or “injections”.
In doing so, they have allowed hackers to gain unauthorized access to private data such as social security numbers, credit card numbers, or other financial data.
Technical Injection Attack Example:
An injection attack could exploit a line of code like this one, which builds the query by string concatenation:
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
The hacker modifies the ‘id’ parameter in their browser to send: ' or '1'='1. This changes the meaning of the query so that it returns all the records from the accounts table to the hacker, instead of only the intended customer’s.
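To make the difference concrete, here is an added example (not code from the original post) that replays the same payload against a constructed SQLite table, first through string concatenation as in the snippet above and then through a parameterized query, the standard fix:

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample data: three customer accounts in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("c100", "alice", 500), ("c101", "bob", 1200), ("c102", "carol", 75)],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, cust_id: str) -> list:
    # Same construction as the page's Java snippet: the request parameter
    # becomes part of the SQL text, so quotes in it change the query's meaning.
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, cust_id: str) -> list:
    # Parameterized query: the driver binds the value separately from the
    # SQL text, so it can only ever be compared as a literal string.
    query = "SELECT * FROM accounts WHERE custID=?"
    return conn.execute(query, (cust_id,)).fetchall()

def demo() -> tuple:
    """Row counts for: a normal id, the page's payload against the vulnerable
    lookup, and the same payload against the parameterized lookup."""
    conn = make_db()
    hostile = "' or '1'='1"   # the payload quoted in the text above
    return (
        len(lookup_vulnerable(conn, "c100")),
        len(lookup_vulnerable(conn, hostile)),
        len(lookup_parameterized(conn, hostile)),
    )

if __name__ == "__main__":
    print(demo())  # (1, 3, 0)
```

The vulnerable lookup returns every account for the hostile value; the parameterized one returns none, because no customer literally has the id ' or '1'='1.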
9. Cross Site Scripting Attacks
Cross Site Scripting, also known as an XSS attack, occurs when an application, URL GET request, or file packet is sent to the web browser window, bypassing the validation process. Once an XSS script is triggered, its deceptive nature makes users believe that the compromised page of a specific website is legitimate.
For example, if www.example.com/abcd.html has XSS script in it, the user might see a popup window asking for their credit card info and other sensitive info.
This causes the user’s session ID to be sent to the attacker’s website, allowing the hacker to hijack the user’s current session. That means the hacker has access to the website admin credentials and can take complete control over it. In other words, hack it.
8. Broken Authentication and Session Management Attacks
If the user authentication system of your website is weak, hackers can take full advantage.
Authentication systems involve passwords, key management, session IDs, and cookies that can allow a hacker to access your account from any computer (as long as they are valid).
If a hacker exploits the authentication and session management system, they can assume the user’s identity.
Ask yourself these questions to find out if your website is vulnerable to a broken authentication and session management attack:
Are user credentials stored insecurely (e.g. not hashed or encrypted)?
Can credentials be guessed or overwritten through weak account management functions (e.g. account creation, change password, recover password, weak session IDs)?
Are session IDs exposed in the URL (e.g. URL rewriting)?
Are session IDs vulnerable to session fixation attacks?
Do session IDs never time out, and are users unable to log out?
If you answered “yes” to any of these questions, your site could be vulnerable to a hacker.
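The checklist above maps onto a few concrete server-side rules. The session store below is an added illustration, not code from the original post or from any real framework: it issues unguessable IDs, rotates the ID at login so a planted ID cannot be promoted to an authenticated one (session fixation), enforces an idle timeout, and invalidates on logout. The 15-minute timeout and the injectable clock are assumptions made so the behaviour can be exercised.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session dies (assumed value)

class SessionStore:
    """In-memory server-side session store covering the checklist above."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # session_id -> {"user": ..., "last_seen": ...}
        self._clock = clock   # injectable so tests can advance time

    def _new_id(self) -> str:
        # 256 bits from the OS CSPRNG: not a counter, timestamp or username hash.
        return secrets.token_urlsafe(32)

    def start_anonymous(self) -> str:
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, old_sid: str, user: str) -> str:
        # Issue a fresh ID on privilege change. An ID an attacker fixed in the
        # victim's browser before login therefore never becomes authenticated.
        self._sessions.pop(old_sid, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def user_for(self, sid: str):
        """Return the logged-in user for sid, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]      # idle too long: treat as logged out
            return None
        entry["last_seen"] = self._clock()
        return entry["user"]

    def logout(self, sid: str) -> None:
        # Invalidate server-side; clearing the browser cookie alone leaves the
        # session usable by anyone who captured the ID.
        self._sessions.pop(sid, None)
```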
7. Clickjacking Attacks
Clickjacking, also called a UI Redress Attack, is when a hacker uses multiple opaque layers to trick a user into clicking the top layer without them knowing.
Thus the attacker is “hijacking” clicks that are not meant for the actual page, but for a page where the attacker wants you to be.
For example, using a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password for their bank account, but are actually typing into an invisible frame controlled by the attacker.
Here’s a live, but safe example of how clickjacking works:
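On the defending side, the browser will refuse to render a page inside a foreign frame if the response says so. The helper below is an added example, not the post's own demo and not from any framework: it checks whether a set of response headers protects the page from framing (X-Frame-Options, or a CSP frame-ancestors directive limited to 'none' or 'self') and adds both headers where they are missing. The header values are constructed samples.

```python
def frame_protected(headers: dict) -> bool:
    """True if these response headers stop other origins from framing the page."""
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            # Any source beyond 'none'/'self' lets a third-party site frame us.
            return bool(sources) and all(s in ("'none'", "'self'") for s in sources)
    return False

def add_frame_protection(headers: dict) -> dict:
    """Return a copy of headers with frame protection added.
    CSP frame-ancestors covers modern browsers; X-Frame-Options covers older ones."""
    out = dict(headers)
    csp = out.get("Content-Security-Policy", "")
    if "frame-ancestors" not in csp.lower():
        out["Content-Security-Policy"] = (csp + "; " if csp else "") + "frame-ancestors 'none'"
    out.setdefault("X-Frame-Options", "DENY")
    return out
```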
A symlink is basically a special file that “points to” a hard link on a mounted file system. A symlinking attack occurs when a hacker positions the symlink in such a way that the user or application that accesses the endpoint thinks it is accessing the right file when it really is not.
If the endpoint file is an output, the consequence of the symlink attack is that it could be modified instead of the file at the intended location. Modifications to the endpoint file could include appending, overwriting, corrupting, or even changing permissions.
In different variations of a symlinking attack a hacker may be able to control the changes to a file, grant themselves advanced access, insert false information, expose sensitive information or corrupt or destroy vital system or application files.
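The output-file case above is the one applications hit most often, typically with a log or temp file. The following added example (not from the original post) stages it in a throwaway directory: a naive append follows the link and alters a sensitive file, while the hardened version opens with O_NOFOLLOW and re-checks the open descriptor, so the check and the write cannot be raced. It assumes a POSIX system where os.O_NOFOLLOW is available (Linux, macOS, BSD).

```python
import os
import stat
import tempfile

def safe_append(path: str, data: bytes) -> bool:
    """Append to path only if it is a regular file reached without following
    a symlink. Returns False, writing nothing, when a symlink is in the way."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_NOFOLLOW   # kernel refuses symlinks
    try:
        fd = os.open(path, flags)
    except OSError:          # ELOOP on Linux when the final component is a symlink
        return False
    try:
        # Re-check on the open descriptor, not the path, so it cannot be swapped
        # between check and use.
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return False
        os.write(fd, data)
        return True
    finally:
        os.close(fd)

def count_lines(path: str) -> int:
    with open(path, "rb") as f:
        return f.read().count(b"\n")

def demo() -> tuple:
    """Constructed scenario in a temp dir: the application's log path has been
    replaced by a symlink to a sensitive file it should never write to."""
    root = tempfile.mkdtemp()
    sensitive = os.path.join(root, "sensitive.conf")
    with open(sensitive, "wb") as f:
        f.write(b"admin=alice\n")
    log = os.path.join(root, "app.log")
    os.symlink(sensitive, log)
    with open(log, "ab") as f:                 # naive write follows the link...
        f.write(b"admin=mallory\n")
    after_naive = count_lines(sensitive)       # ...and the sensitive file grew
    guarded = safe_append(log, b"admin=mallory\n")   # hardened write refuses
    after_guarded = count_lines(sensitive)     # unchanged
    plain = os.path.join(root, "plain.log")
    open(plain, "wb").close()
    plain_ok = safe_append(plain, b"started\n")      # regular files still work
    return after_naive, guarded, after_guarded, plain_ok
```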
3. Cross Site Request Forgery Attacks
A Cross Site Request Forgery Attack happens when a user is logged into a session (or account) and a hacker uses this opportunity to send them a forged HTTP request to collect their cookie information.
In most cases, the cookie remains valid as long as the user or the attacker stays logged into the account. This is why websites ask you to log out of your account when you’re finished – it will expire the session immediately.
In other cases, once the user’s browser session is compromised, the hacker can generate requests to the application that will not be able to differentiate between a valid user and a hacker.
In this case the hacker creates a request that will transfer money from a user’s account, and then embeds this attack in an image request or iframe stored on various sites under the attacker’s control.
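The transfer scenario just described is exactly what a per-session anti-forgery token defeats: the browser attaches the session cookie to any request, including one triggered from an attacker's page, but that page cannot read a token bound to the victim's session. The code below is an added example, not from the original post: the HMAC construction, the request dictionary shape and the handle_transfer endpoint are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # per-deployment key (constructed here)

def _mac(session_id: str, nonce: str) -> str:
    return hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()

def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session: nonce.HMAC(secret, session_id:nonce).
    Embedded in the form; never readable from another origin."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"

def verify_csrf_token(session_id: str, token: str) -> bool:
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(_mac(session_id, nonce), mac)

def handle_transfer(request: dict, session_id: str) -> str:
    """State-changing endpoint. session_id is what the cookie identified;
    request is {"method": ..., "form": {...}} (assumed shape)."""
    if request.get("method") != "POST":
        return "405 only POST may transfer"     # rules out <img>/iframe GETs
    form = request.get("form", {})
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "403 CSRF token missing or invalid"
    return f"200 transferred {form['amount']} to {form['to']}"
```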
2. Remote Code Execution Attacks
A Remote Code Execution attack is a result of either server side or client side security weaknesses.
Vulnerable components may include libraries, remote directories on a server that haven’t been monitored, frameworks, and other software modules that run on the basis of authenticated user access. Applications that use these components are always under attack through things like scripts, malware, and small command lines that extract information.
The following vulnerable components were downloaded 22 million times in 2011:
By failing to provide an identity token, attackers could invoke any web service with full permission.
1. DDoS Attack – Distributed Denial Of Service Attack
DDoS, or Distributed Denial of Service, is where a server’s or a machine’s services are made unavailable to its users.
And when the system is offline, the hacker proceeds to either compromise the entire website or a specific function of a website to their own advantage.
It’s kind of like having your car stolen when you really need to get somewhere fast.
The usual agenda of a DDoS campaign is to temporarily interrupt or completely take down a successfully running system.
The most common example of a DDoS attack is sending huge numbers of URL requests to a website or webpage in a very short time. This causes a bottleneck on the server side because the server runs out of CPU and other resources.
Denial-of-service attacks are considered violations of the Internet Architecture Board’s Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers.
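For the request-flood case described above, the first line of defence at the application edge is a per-client rate limit that rejects excess requests before they consume CPU. The sliding-window limiter below, replayed over a constructed access log, is an added example and not part of the original post; the limit of 20 requests per second and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

class RateLimiter:
    """Sliding-window limiter: at most `limit` accepted requests per client in
    any `window` seconds. Rejection is cheap, so it happens before real work."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)    # client -> timestamps of accepted hits

    def allow(self, client: str, now: float) -> bool:
        q = self._hits[client]
        while q and now - q[0] >= self.window:
            q.popleft()                    # forget hits that left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

# Constructed access log: (timestamp in seconds, client IP, path).
# One ordinary visitor plus one client hammering /login 50 times in half a second.
SAMPLE_LOG = (
    [(0.0, "203.0.113.7", "/")]
    + [(0.01 * i, "198.51.100.9", "/login") for i in range(50)]
    + [(0.3, "203.0.113.7", "/about"), (0.6, "203.0.113.7", "/contact")]
)

def replay(log, limit: int = 20, window: float = 1.0) -> dict:
    """Run the log through the limiter and count allowed/rejected per client."""
    limiter = RateLimiter(limit, window)
    summary = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for ts, ip, _path in sorted(log):
        key = "allowed" if limiter.allow(ip, ts) else "rejected"
        summary[ip][key] += 1
    return dict(summary)

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))
```

A per-source limit like this stops a single noisy client; a genuinely distributed flood spreads below the threshold across many sources and has to be absorbed or filtered upstream (provider scrubbing, CDN, or anycast capacity).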