How Safe is Your Web Service

You are probably using several software applications that talk to each other. Whether you have a custom web application or a prepackaged financial solution, getting applications and services to communicate requires skill, technique, and knowledge to protect your information. So, what happens when your web service is not secure? What information could you be leaking, and how could you be vulnerable?

Security Concerns

The four concerns of web service security are privacy, message integrity, authentication, and authorization.

  • Privacy refers to ensuring that messages are not visible to anyone except the web service and the web service consumer. Traffic should be encrypted so that machines in the middle cannot read the messages.
  • Message integrity provides a guarantee that the message received has not been tampered with during transmission.
  • Authentication provides assurance that the message originates from where it claims to. Both a legal and a technical term, non-repudiation refers to the concern of not only authenticating a message, but proving the origin of that message to other parties.
  • Authorization refers to ensuring that only consumers who should have access to a resource of your web service actually have access to that resource. Authorization requires authentication because without authentication an attacker could pretend to be a highly privileged user.
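As an added illustration of the message integrity and authentication concerns above (this is example code written for this page, not code from the original article), the following shows a web service and its consumer sharing a key and attaching an HMAC-SHA256 tag to each message. A tampered message, or a message from a party without the key, fails verification. The key and the message body are constructed sample values. Note that a shared-key HMAC gives integrity and origin authentication between the two key holders only; it does not give non-repudiation, because either party could have produced the tag, and it does nothing for privacy, which still needs transport encryption such as TLS.

```python
import hmac
import hashlib

# Constructed example key. In a real deployment the key is provisioned
# out-of-band and kept in a secrets store, never in source code.
SHARED_KEY = b"example-shared-secret-do-not-reuse"


def sign_message(key: bytes, message: bytes) -> str:
    """Return the hex HMAC-SHA256 tag the consumer sends alongside the message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_message(key: bytes, message: bytes, tag: str) -> bool:
    """Recompute the tag over the received bytes and compare in constant time,
    so an attacker cannot learn the correct tag byte-by-byte from timing."""
    expected = sign_message(key, message)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Exercise the three cases a service must get right."""
    # Constructed sample request body.
    message = b'{"account": "12345", "amount": 100}'
    tag = sign_message(SHARED_KEY, message)

    # Same tag, but the body was changed in transit (integrity failure).
    tampered = b'{"account": "12345", "amount": 1000}'

    return {
        "genuine_accepted": verify_message(SHARED_KEY, message, tag),
        "tampered_rejected": not verify_message(SHARED_KEY, tampered, tag),
        # A party that does not hold the key cannot produce a valid tag
        # (authentication failure).
        "wrong_key_rejected": not verify_message(b"some-other-key", message, tag),
    }


if __name__ == "__main__":
    print(demo())
```

The verifying side must always recompute over the exact bytes it received, not over a re-serialized copy, since any difference in whitespace or key order changes the tag.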

Building a web service or API (application programming interface) requires a methodology for exchanging secure information, and there are two popular solutions: SOAP and REST.

Technology Choices

Simple Object Access Protocol (SOAP) is a popular protocol specification. It is a complicated specification, and some developers, though well-meaning, leave security vulnerabilities. An example of such a vulnerability is SOAP injection. What is SOAP injection? It occurs when the server attempts to parse the XML message from a client. If the XML message is malformed, meaning that it does not follow the rules that the server expects it to follow, the server may return an error message that exposes code and gives insight into the underlying system. Developers can turn off this behavior, but this step is often forgotten before a deployment.
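To make the failure mode above concrete, here is an added example (written for this page, not taken from the original article or any SOAP framework) of two request handlers side by side. The leaky one returns the parser's exception and traceback to the client when the XML is malformed, which is the information-disclosure behaviour described above; the hardened one returns a generic fault, logs the detail on the server, and also checks that the root element is a SOAP Envelope. The request bodies are constructed samples; the handler names and the `<fault>` response format are assumptions for the example.

```python
import logging
import traceback
import xml.etree.ElementTree as ET
from typing import Tuple

log = logging.getLogger("soap-endpoint")

# Standard SOAP 1.1 envelope namespace.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
GENERIC_FAULT = "<fault>Invalid request</fault>"

# Constructed sample requests: one well-formed, one with a mismatched tag.
GOOD_REQUEST = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}">'
    "<soap:Body><GetBalance/></soap:Body></soap:Envelope>"
)
MALFORMED_REQUEST = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}">'
    "<soap:Body><GetBalance></soap:Body></soap:Envelope>"
)


def leaky_handler(body: str) -> Tuple[int, str]:
    """Weak behaviour: the raw parser error and traceback go back to the client,
    revealing library names, file paths and line numbers of the server."""
    try:
        root = ET.fromstring(body)
        return 200, f"parsed {root.tag}"
    except ET.ParseError:
        return 500, traceback.format_exc()


def hardened_handler(body: str) -> Tuple[int, str]:
    """Hardened behaviour: the client sees only a generic fault; the parse
    detail is written to the server log where operators can see it."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        log.warning("rejected malformed SOAP request: %s", exc)
        return 400, GENERIC_FAULT
    # Reject anything that is not a SOAP envelope before dispatching it.
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        log.warning("rejected non-SOAP root element: %s", root.tag)
        return 400, GENERIC_FAULT
    return 200, "ok"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(leaky_handler(MALFORMED_REQUEST))
    print(hardened_handler(MALFORMED_REQUEST))
    print(hardened_handler(GOOD_REQUEST))
```

One check worth keeping is the assertion that the client-facing body never contains the word `ParseError` or a file path; that is the quickest regression test for a framework whose debug-mode setting was left on. ElementTree is used here only to show the error-handling point; for XML from untrusted clients a parser hardened against entity expansion (such as the `defusedxml` package) is the safer choice.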

REST (Representational State Transfer) is an architectural style for distributed systems. The World Wide Web is one such distributed system. REST has become a popular architectural choice for designing web services. Such web services are referred to as RESTful web services. An advantage of using REST is that the security vulnerabilities are well known as they are the same vulnerabilities that impact web sites. This means that developers who are familiar with website security will be able to leverage their knowledge to secure RESTful web services.

Final Thoughts

Developers working with either of these technologies must be concerned with the four security points. No methodology or architectural choice ensures that your information is well-protected. It is important that your consultants explain the architecture they plan to use and how their implementation plan accounts for security concerns. If your developer does not have a detailed answer, it is a red flag.


Can You Afford PCI Compliance?

I remember hearing it on the radio: another major retail store was targeted by hackers, a store I had shopped at not two weeks prior. That sinking feeling struck, the one that calls me to drop everything in order to familiarize myself with my credit card company’s phone bank to cancel my cards.

New brawny standards protect us against such events, and the incentive for a company to comply is tremendous, but tough standards are not great if they are tough to reach. So we ask: is the arsenal guarding us from online theft too hard to grasp for the average online business?

That arsenal is called PCI DSS (Payment Card Industry Data Security Standard) compliance. It is an overarching security standard defined by the Payment Card Industry Security Standards Council to establish common processes and precautions for handling, processing, storing and transmitting credit card data. It was created with both a carrot and a stick to prevent data security breaches like the ones we have seen at companies like TJX, Bank of America, Citigroup, BJ’s Wholesale Club, Hotels.com, LexisNexis, Polo Ralph Lauren and Wachovia.

These company names are huge, which makes them bigger targets. Still, the bull’s-eye is on any of us who take credit cards online, and no company wants to face customers with the bad news that they have been compromised.

The “carrot” alone is the personal satisfaction that your customers’ card data is buttoned up. Further allurement is the safe harbor provided by credit card companies from penalties and fines to merchants who are compliant.

The “stick,” however, comes with the threat of removal of your ability to process credit cards. Punitive fines of up to $500,000 per incident or $90-300 per stolen record will also inspire a business to comply.

Still, the price tag for compliance is high, and there are even calculators to figure it all out. One article breaks down the cost this way:

Level 1 Merchant:

  • Initial scope – $250,000
  • Becoming compliant – $550,000
  • Annual cost – $250,000

Level 2 Merchant:

  • Initial scope – $125,000
  • Becoming compliant – $260,000
  • Annual Cost – $100,000

Level 3 and 4 Merchants:

  • Initial scope – $50,000
  • Becoming compliant – $81,000
  • Annual cost – $35,000

Developers have their work cut out for them, as they must undergo the lengthy and costly process of validating their application. And all this will not get any less burdensome, as the Security Standards Council releases a new version of the PCI DSS about every two years. Recurring audits and additional or new hardware requirements are all stifling to the average businessman.

But there is good news. By working with an approved gateway that does not require your server to store, process, or transmit card data, you can avoid much of the hassle. These gateways allow safe payment processing and reduce your regulatory scope by sending the sensitive data to their servers instead of yours.

There is also safety in choosing a cart that is widely accepted as compliant, like Shopify and BigCommerce, as opposed to a custom cart solution where compliance must be created from scratch.

Authorize.net, PayPal and Braintree provide off-your-server processing, and of these we have found Braintree to provide the most convenience because the data is not stored on your hosted server, even in memory. Unlike PayPal (basic or express checkout), it also allows shoppers to remain on your site.

So, to answer our initial question: PCI compliance is too costly for the average businessman, but we are fortunate to live in a free market that sees bureaucracy as an opportunity. Companies like Braintree may have been created with profit in mind, but they are offering a service that gives us carrots and saves us from the stick.



Sticky Notes: a Web Designer’s Best Friend

For the best lessons in Web Development, sometimes we don’t need to look further than the lessons we learned in kindergarten. We have found that one of the best tools to communicate between developer and customer is a simple pen and a few pieces of paper.

A crucial part of the development and design of websites and applications is communication. Communication of ideas, concepts, design and user experience between the developers and clients increases the likelihood of satisfaction for the client and a quality product. Frequent demonstrations of working software can keep the project moving and focused in the right direction. Yet it can sometimes be hard to narrow down exactly what the client wants for their site or application. Most projects start with a general idea and become more focused as the project moves along. Clients often don’t realize what they prefer in terms of design and functionality until they see the working software. This development method is called Agile Development and is very flexible and adaptive to constant change. However, it is most effective when the project has a basis or example to work toward. Think “like Facebook for [insert x]” or “similar to Gmail.” But what if the idea is one of simple parameters and functions but no clearly defined user interface or implementation? That is where Paper Prototyping has value.

Instead of working software to demonstrate after a week of development, Paper Prototyping is used at the beginning of a development cycle. This method asks the client to act as the user while the developers “drive” them through the interface. However, it is not software that is used; instead, it is the common paper items found in every office. Sometimes it is as simple as a white piece of paper with a drawing of the website’s look. The best and most effective kinds use folders, note cards, note pads, and post-it notes to represent different functions on the page. To show you what I mean, let’s look at some prototyping for a site that might want to implement a User Management feature.

Most sites today have users create some form of account or profile. If you are looking to design a site with this function, maybe you don’t know exactly how it should look or what functions should be available. For this example, we’ll use a site whose company is looking to sell products and/or services. Let’s start with a mock-up of the homepage:

It’s a white piece of paper with a “To-Do List” paper note as the profile sign-in. On the left-hand side are two sticky notes used to represent possible functions or features on the page. These features may have been explicitly stated by the client, but where they have not been, they are easily changeable. Case in point: you can quickly demonstrate what the user would see if they had an invalid login.

Quick and easy. As the user, you are then asked by the developer to make a selection. So let’s say your goal is to attract new users. One thing they will all have in common is filling out information on a “Subscribe” page. So, the user clicks the “Sign-up/Subscribe” button (indicated in green writing in the picture above), the current page is taken away, and the “Subscribe” page is presented.

All we have here is a manila folder with some note pages and writing in pen. The value comes from being able to demonstrate clearly what the page looks like and answer questions such as: Is this function useful? Could we make this better? Do we want to expand on this? Should more data be provided during this process? Is it simple and easy to understand?

Those types of questions usually get answered later in the development process, often for no other reason than that the client “hadn’t thought about that.” We are web developers and, more to the point, we are the guides for clients entering the expansive world of possibilities known as the internet. Paper Prototyping allows everyone involved to start on the most direct path toward the final product.

Go to Part 2 where we use Paper Prototyping to demonstrate standard user management features for existing profiles.


How Much is a Like Worth to You

Businessmen want to know how much effort to invest in pursuing “Likes.” The popular feature seems to many as a cheap form of validation, equivalent to the old Stuart Smalley bit, “I’m good enough, smart enough and doggone it, people like me.” Those who never wanted to become experts in social media are asking “why is it important?” and “will this bring me money?”

Likes Bring Measurable Results
To say a “Like” is an end in itself is short-sighted, like saying that motion stops when a pebble hits the water. To do so would ignore the ripples that act like homing beacons to viewers and search engines.

A Like does many things behind the scenes, providing measurable objectives and reports, and now impacting search queries. Bing’s new features make it easier to see what your Facebook friends Like, incorporating your community into your search results. This brings a more conversational aspect to your searches. Decisions on news stories, bands, celebrities, movies, or brands can now be made by a committee of your choosing.

A Like is a validation that someone is interested in you, your product or your service. And in social media, we collect validation like currency.

Still, there are many benefits to a Like. When someone “Likes” your page, it appears in news feeds, meaning their recommendation will be broadcast to their 300 closest friends: a ripple effect that allows compounding affirmation. This is validation supreme.

The Likes you click also help Facebook decide which advertisements go to you, so for Facebook advertisers who choose to focus on one interest or another, this is big.

Likes Bring Conversation
That Like also gives you permission to talk to your clients who have, in essence, voted for you. When you update your status, there is now a measurable audience waiting to see what you have to say. And if your content is share-worthy, you have the potential to go viral. This, of course, increases the need for your content to be impactful and relevant.

(Facebook graph demonstrating your posts, people talking, and total reach).

For Search Engine Optimization (SEO), the Like acts as a beacon for Google’s eager robots seeking content with recency and relevancy. And while Google’s algorithms cannot see what is happening inside Facebook, they can certainly see what relevant activity is occurring on your site. A Like button embedded on your site is highly relevant, especially if it is clicked often.

Of course, frequency is as important as reach; it is important to get in front of your people repeatedly and often. And an endorsement from a friend is much more powerful than a paid ad, creating greater loyalty. It is a handy medium to remind people that they have a friend when they need one, and the transparency personalizes and localizes in a format that allows the occasional shameless plug.

Can you monetize this? Sure. Take this article, which says:

  • On average, fans spend an extra $71.84 they would not otherwise spend on products they describe themselves as fans of, compared to those who are not fans.
  • Fans are 28 percent more likely than non-fans to continue using a specific brand.
  • Fans are 41 percent more likely than non-fans to recommend a product they are a fan of to their friends.

And this one which gives conflicting information:

Depending on who you ask and the metrics you use, a Facebook follower could be worth nothing at all, as little as $3.60, as much as $22.93, exactly $136.38 more than a non-follower, or a whopping $214.81 for a nonprofit organization.

Still, for those who grew up in traditional media, the Like button is Nirvana. Where we once depended on expensive statistics built from research diaries filled with vague groups and guesses, we can now track individual motivations and interests with laser-LIKE focus. Its value is measurable beyond compare.


The Great Security Question Hoax

Much of our identities are locked away in the ether, kept safe in vapor pockets by banks and wireless providers with paper-thin questions like, “What is your mother’s maiden name?” We’ve all answered them, developing password fatigue as we try to remember our favorite sports team or whether we used our grandfather’s given name or “Gampy.”

Some things are not that hard to figure out. That Sarah Palin and her husband Todd met in high school was ferreted out by one such hacker just before her Yahoo mail became public knowledge. Same with the name of Paris Hilton’s dog. Yep. Hacked.

A paper in Technology Review states, “researchers from Microsoft and Carnegie Mellon University plan [showed] that the secret questions…are woefully insecure.” Participants in a study were able to guess 30 percent and 57 percent of the correct answers of security questions asked in the top-five list of guesses. Of people that participants would not trust with their password, 45 percent could still answer a question about where they were born, and 40 percent could correctly give their pet’s name.

Despite all this insecurity, security questions are still used as an authenticator by key institutions as an extra security layer. Yet it is an old-school (circa 1906) solution to a new-school problem, in an age where Gampy’s name is one blog post away from a hacker’s cheeseburger in paradise.

Good security questions are hard to design, as they need to be definitive, applicable, memorable and safe. If the question is too hard, it might be easily forgotten by the person who is being protected. In the study mentioned earlier, participants forgot 16 percent of the answers within three to six months.

If the question is too easy, the world of hurt can be indescribably huge.

As a user, you could increase your own security by giving false, random answers and calling the bank for a reset whenever you forget them. Still, that is a work-around for a system employed far too liberally by banks that know better.

Perhaps they do it to make customers feel like they are participating in their own security. And better systems, like sending new passwords by email, require hiring an extra person on the phone bank, as customers need tech support when they forget how to use these systems or lose auto-generated emails in their spam filters.

Password questions are still king, as there is no viable alternative. They reduce customer phone calls, giving companies an incentive to keep the status quo. Still, finding the balance between customer convenience and protection from identity theft might be difficult. With so much at stake, responsible corporations with our identities in their hands might consider titanium locks over vapor.