Hackers Playing Grinch Could Dampen Your Holiday Sales

        May 18 2016, 6:57 PM

        by Russell Roering


        As the holiday shopping season descends upon retailers and shoppers, storm clouds of apprehension from recent data breaches continue to darken the perception of safety among some consumers. A recent study conducted by and reported on by Huffington Post found that 45% of gift-grabbing respondents would “definitely not” or “probably not” shop at major retailers that suffered data breaches this year. The study also noted that 48% of shoppers said they would use cash instead of debit or credit cards, due to the high number of recent data breaches.

        Given that retailers depend on holiday sales to meet their annual goals, losing nearly half of their holiday customer base, online or at a brick-and-mortar store, could have devastating financial implications. Make no mistake: trust drives sales. And as the data above shows, once that trust is shaken, it can be difficult to rebuild.

        Double check the security of transactions

        Organizations need to focus both on continuing to shore up their defenses and on maintaining their customers’ trust, as today’s vulnerability could be tomorrow’s casualty. During the holiday season, the temptation for hackers is at its highest. Below are a few steps your organization’s IT department should consider putting in place to tighten security this holiday season:

        • On-site security. Online retailers should help consumers feel safe as soon as they visit the site. This can be done by using an Extended Validation (EV) SSL certificate, which browsers highlight with the green address bar; by using Always On SSL (AOSSL), meaning HTTPS on every page of the shopping experience rather than only at checkout; and by posting the Norton Secured Seal wherever the consumer needs to make a decision (e.g. login, order page, payments page).
        • Secure data transfer. Various studies have shown that 56% of all data breaches could be stopped by encrypting data as it crosses the network. Encrypt traffic even between internal corporate networks, and use endpoint security such as Symantec Endpoint Protection to harden endpoints and provide layered protection against malware.
        • Train employees to spot social engineering. Remember, many attacks begin with “social engineering”: manipulating people into performing actions or divulging confidential information. An attacker who compromises one employee’s computer can put the rest of the internal network at risk of exposing critical data, so segmentation between individual parts of the corporate network is just as important.
        • Integrate with the company’s crisis communication plan. IT can help the overall crisis communications plan by developing “dark pages” on the corporate website. Dark pages should include pertinent contact information and communication channels which could be pushed live in the wake of a breach. Pages should also include frequently asked questions and placeholders for answers to quickly get facts out ahead of third-party articles, opinions from experts and a spike in brand conversation on social media channels.

        Respond promptly to any issues

        Because of this potential loss of trust, the IT security staff of breached retailers should be especially vigilant during the holiday season, and becoming deeply involved in repairing damaged trust with customers, to reinforce the assurance of safe shopping, will be critical. If your organization experiences a breach during the holidays, or at any other time of year, here are a few steps IT can take to help restore trust:

        • Create an online support forum on the corporate website which is easily located and visible to provide customers with official information regarding the breach your organization suffered, a way to report fraudulent activity (some states even require this), and a way to notify the organization directly if they suspect another breach has taken place. Respond to all serious inquiries and assume any could be legitimate.
        • Anticipate questions and lend expertise to help guide restorative messaging to customers. IT is uniquely positioned on the front lines at the moment of a breach, and it becomes important again afterwards in offering customers assurance.
        • Spread the word. Provide communications both on the corporate website as well as on the company social media channels to explain how the company took steps to manage security. Also note that this messaging should be Legal- and CISO-approved.
        • Be mindful of new threats from scammers looking to take advantage of customers in the wake of a breach, for example with phishing that imitates your breach notification. IT can aid in investigating and reporting such activity and in communicating with the public and board members about damaging content.
        • Learn from a breach. In the days and weeks after a breach, share website referral traffic stats with the security response team to help guide the post-breach communication and monitoring strategy. For example, finding that a great number of users reached your website from a single news outlet or social network tells you where customers are getting their information about the incident and where your messaging needs to be present.

        The holidays are by far the most critical time for retailers to be thinking about security, but they shouldn’t be the only time. Breaches can happen out of the blue; use your position in IT to help keep grinches at bay and keep your customers’ information, and their trust in your business, secure. Breached organizations should follow these guidelines year-round, disclosing breaches quickly and transparently and keeping the communication focused on protecting users in the future.

        Within Authentication Services there are three types of SSL certificates. Each type contains different features and requires a different level of authentication before it can be issued. Understanding these differences helps you prepare what is needed to get the certificate issued as quickly as possible.

        The Three Types Are:

        Extended Validation (EV) SSL
        Examples: Secure Site with EV, Secure Site Pro with EV, True business ID with EV, SSL Web Server with EV, MPKI for SSL EV validated

        A premium, fully authenticated, business-class SSL product that visually confirms the highest level of authentication available among SSL certificates. It gives your customers two highly visible ways to confirm that your web site is secure, the green address bar and the True Site Seal, while providing strong encryption to protect their confidential information.

        Organization Validation (OV) SSL
        Example: Secure Site SSL, Secure Site Pro, True business ID, SSL Web Server, SGC SuperCerts, CodeSigning, MPKI for SSL

        A fully authenticated certificate that lets your customers know your site belongs to a validated company and that you take their security seriously enough to get your SSL from a security company. For an affordable price, you can secure your website’s domain and display standard information about your organization in the certificate and in the True Site Seal, while providing strong encryption to protect your customers’ confidential information.

        Domain Validation (DV) SSL
        Examples: SSL 123, Quick SSL Premium

        This is the quickest way to get a certificate for your domain. It includes no information about your company or its location. Because no organization validation is performed, authentication and issuance are automated and the certificate is ready within minutes. It is an inexpensive SSL certificate that is fast and convenient.

        Compare SSL Certificates:

        NOTE: Regardless of the certificate type, all SSL certificates require a Certificate Signing Request (CSR) to be submitted online during enrollment. CSR details for fully validated certificates must reflect the enrolling organization’s business information (i.e., the organization whose web site will be secured by the SSL certificate). If your CSR contains incorrect information, Authentication Customer Support cannot process your order, and you will have to create a new CSR and a new order with the correct information. For DV level certificates, incorrect organization details are not typically an issue, because unlike EV or OV level certificates they are not validated; the domain name in the CSR must still be correct.

        Bottom line: the more accurate the information on the order and on the CSR, the faster the certificate will be issued.
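        As an added example that is not part of the original post or of any CA’s tooling, the following POSIX shell script uses the openssl command line to build a CSR for the OV/EV case (full organization details in the subject) and one for the DV case (domain only), then runs the checks a requester should perform before submitting the order: the subject fields are what you intended, the SAN list names every hostname, the CSR’s self-signature verifies, and the private key on the server really is the one embedded in the CSR. The organization name, address and hostnames are placeholders.

```shell
#!/bin/sh
# Added example for this article, not part of the original post or of any CA's tooling.
# It uses the openssl command line to build CSRs and run the checks a requester should
# perform before submitting an order. Organization, locality and hostnames are placeholders.

# Subjects for the two cases the article contrasts. The OV/EV subject carries the
# organization's registered name and address; the DV subject names only the domain.
OV_SUBJECT="/C=US/ST=California/L=Mountain View/O=Example Retail Inc./CN=shop.example.com"
DV_SUBJECT="/CN=shop.example.com"

# make_csr DIR BASENAME SUBJECT: generate a 2048-bit RSA key and a CSR with the
# given subject. The SAN extension carries every hostname the certificate must cover.
make_csr() {
    mkdir -p "$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "$3" \
        -addext "subjectAltName=DNS:shop.example.com,DNS:www.example.com" \
        >/dev/null 2>&1
}

# csr_field CSR ATTR: print one subject attribute (C, ST, L, O or CN); empty if absent.
csr_field() {
    openssl req -noout -subject -nameopt sep_multiline,utf8 -in "$1" |
        sed -n "s/^[[:space:]]*$2=//p"
}

# csr_sans CSR: print the requested subjectAltName list.
csr_sans() {
    openssl req -noout -text -in "$1" |
        sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

# verify_csr CSR: the CSR's self-signature must verify, or the CA will reject it.
verify_csr() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# key_matches_csr KEY CSR: the private key kept on the server must correspond to the
# public key embedded in the CSR, otherwise the certificate that comes back is unusable.
key_matches_csr() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl req -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# csr_level CSR: which validation level the subject can support. DV needs only the
# domain; OV and EV need the organization fields that Authentication checks against
# government and third-party records, so a CSR lacking them cannot be used for either.
csr_level() {
    o=$(csr_field "$1" O); c=$(csr_field "$1" C)
    st=$(csr_field "$1" ST); l=$(csr_field "$1" L)
    if [ -z "$o" ]; then
        echo "DV only: no organization in subject"
    elif [ -z "$c" ] || [ -z "$st" ] || [ -z "$l" ]; then
        echo "incomplete: OV/EV also need C, ST and L"
    else
        echo "OV/EV eligible"
    fi
}

# report CSR KEY: run every check and print a one-line summary per check.
report() {
    printf 'CSR %s\n' "$1"
    printf '  subject O=%s CN=%s\n' "$(csr_field "$1" O)" "$(csr_field "$1" CN)"
    printf '  SANs: %s\n' "$(csr_sans "$1")"
    if verify_csr "$1"; then echo '  signature: OK'; else echo '  signature: BAD'; fi
    if key_matches_csr "$2" "$1"; then echo '  key matches: yes'; else echo '  key matches: no'; fi
    printf '  level: %s\n' "$(csr_level "$1")"
}

# Demo: build both CSRs in a temporary directory and report on them.
work=$(mktemp -d)
make_csr "$work" ov "$OV_SUBJECT"
make_csr "$work" dv "$DV_SUBJECT"
report "$work/ov.csr" "$work/ov.key"
report "$work/dv.csr" "$work/dv.key"
rm -rf "$work"
```

        The key-match check is the one most often skipped: a CSR regenerated with a fresh key, while the server still holds the old one, passes every CA-side check and still yields a certificate the server cannot use. The `-addext` option requires OpenSSL 1.1.1 or later.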


        What Authentication does in order to validate a certificate

        What exactly is required to get a DV level certificate?

        This is an automated process in which an email is sent to an address taken from a WHOIS lookup of the domain that the certificate was enrolled for, or to one of the generic addresses at that domain. You will have the option to select admin@, administrator@, hostmaster@, postmaster@ or webmaster@ for this confirmation e-mail. Once the e-mail is received it is just a matter of approving the order; your certificate is then issued within minutes.

        What exactly is required to get an OV level certificate?

        The validation process typically takes 1-2 business days. During this time, the Authentication team must perform the following steps to validate your certificate order with independent, third-party sources:

        • Authenticate your organization
        • Authenticate your domain
        • Verify your organization’s address
        • Verify your contact information

        What exactly is required to get an EV level certificate?

        EV certificates have a more rigorous authentication process than OV level certificates. If all the information on the order is accurate and the information that Authentication requires is readily available, an EV certificate can still be issued in a short time.

        Authentication must be able to confirm all of the following organizational registration requirements:

        • Official government agency records must include:
          • The organization's registration number.
          • The organization's date of registration/incorporation.
          • The organization's registered address (or the address of the organization's registered agent).
        • A non-government data source (such as Dun & Bradstreet) must include the organization's place of business address if it is not included in the government agency records.
        • If the organization has been registered for less than three years, Authentication must verify operational existence through one of the following means:
          • Through a non-government data source (such as Dun & Bradstreet)
            - or -
          • By verifying the organization has an active demand deposit account (such as a checking account) with a regulated financial institution through a Lawyer’s Opinion Letter or directly with the financial institution.

        Domain Authentication Requirements:

        To qualify for an Extended Validation SSL Certificate, domain registration details must reflect the full Organization name as included in the Certificate Signing Request (CSR). Where domain registration does not reflect the organization name as identified in the certificate request, positive confirmation of the Organization's exclusive right to use the domain name is required from the registered domain administrator or via a Lawyer Opinion Letter.

        • The domain must be registered through an ICANN-accredited registrar or, for ccTLDs, the appropriate IANA-delegated registry. Domain registration details must be updated to reflect the organization name as included on the certificate request.
        • Where domain registration is private, the domain registrar is required to unblock the privacy feature.
        • The Organization's certificate approver must confirm knowledge of the organization's domain ownership during the verification call.

        Organization's Certificate Approver (Corporate Contact) Authentication Requirements:

        To qualify for an Extended Validation SSL Certificate, the Certificate Approver identified in the certificate request must be employed by the requesting organization and have appropriate authority to obtain and delegate Extended Validation certificate responsibilities.

        Authentication must be able to confirm all of the following about the Certificate Approver:

        • Certificate Approver's identity, title, and employment through an independent source.
        • Certificate Approver is authorized to obtain and approve EV certificates on behalf of the Organization. This can be verified through one of the following methods:
          • A Lawyer's Opinion Letter
          • A Corporate Resolution
          • Directly contacting the CEO, COO, or similar executive at the organization and confirming the authority of the organizational contact. If no public records are available regarding the CEO, COO, or other executive, Authentication will attempt to contact the organization’s Human Resources department for contact details.

        Order Verification Requirements:

        Authentication must verify the Certificate Signing Request and all certificate details with the Certificate Approver identified in the certificate order. Authentication must contact the Certificate Approver using an independently-verified telephone number.

        This telephone number is obtained through one of the following methods:

        • By researching qualified telephone databases to find a telephone number. Ensure your organization’s primary telephone number is listed in a public telephone directory.
        • As provided in a Lawyer's Opinion Letter.
        • As confirmed during a site visit conducted by Authentication.

        Additional Verification requirements:

        If Authentication is unable to verify any of the required information on your certificate application, they may request you to provide a Professional opinion from a lawyer or accountant to verify the information.

        When it comes time for your organization to get a certificate, keep in mind the three different types, EV, OV and DV, and what it takes to be authenticated for each. Knowing the three types and the validation procedures behind them in advance will make getting a certificate for your organization a smoother ride.
