ASOS is targeted by hackers every hour, which poses a “very real threat” to the site’s security, the company’s security officer Michelle Tolbay said yesterday.
Although the probes are generally quite unsophisticated, Tolbay says this is still a “major concern” for the clothing e-tailer.
Speaking at a NetBenefit event on compliance with the Payment Card Industry code, she said that more serious attacks are made once a week on average by hackers trying to steal credit card information.
“Our test sites are targeted constantly as they have lower levels of security. I think people make a basic attempt to hack the site, and if they happen to find any holes then they will push further.”
As of last March ASOS had 5.3m registered users and 3m active customers from 160 countries, so it is a prime target for hackers trying to steal credit card details.
The site also gets hit by denial of service attacks – Tolbay said they had identified groups of people who try to check out baskets of up to 10,000 items 20-30 times within a 30-minute period to try and overwhelm the site.
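The checkout-flooding pattern described above (repeated checkouts of very large baskets inside a short window) is the kind of behaviour a retailer can flag from its own application logs rather than at the network edge. The following is an added example, not code from ASOS or from the talk: it reads constructed checkout events of the form `<ISO timestamp> <client_id> <basket_items>` (a made-up log format), keeps only the large baskets, and reports any client that attempted at least 20 such checkouts inside any 30-minute sliding window. The window and attempt counts are taken from the figures in the article; the 1,000-item basket threshold and the client identifiers are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # the 30-minute period described in the talk
MIN_ATTEMPTS = 20                # 20-30 checkout attempts in that window
MIN_BASKET_ITEMS = 1000          # assumed size threshold; the talk cites baskets of up to 10,000 items


def parse_event(line):
    """Parse one constructed log line: '<ISO timestamp> <client_id> <basket_items>'."""
    ts, client, items = line.split()
    return datetime.fromisoformat(ts), client, int(items)


def max_attempts_in_window(timestamps, window=WINDOW):
    """Largest number of events that fall inside any window of the given length.

    Two-pointer sweep over the sorted timestamps, so it is linear in the
    number of events; an empty list yields 0.
    """
    timestamps = sorted(timestamps)
    best = 0
    start = 0
    for end, ts in enumerate(timestamps):
        # advance the window start until it is within `window` of the current event
        while ts - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_checkout_flooding(lines, min_attempts=MIN_ATTEMPTS,
                             min_items=MIN_BASKET_ITEMS, window=WINDOW):
    """Return {client_id: peak_attempts} for every client that attempted at least
    `min_attempts` checkouts of baskets holding >= `min_items` items within one window.

    Small baskets are dropped first, so ordinary shoppers never count towards
    the threshold however often they check out.
    """
    large_checkouts = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, client, items = parse_event(line)
        if items >= min_items:
            large_checkouts[client].append(ts)

    flagged = {}
    for client, stamps in large_checkouts.items():
        peak = max_attempts_in_window(stamps, window)
        if peak >= min_attempts:
            flagged[client] = peak
    return flagged


def build_sample_events():
    """Constructed sample events (not real logs): one flooding client, one
    infrequent bulk buyer, and a handful of ordinary shoppers."""
    base = datetime(2013, 4, 10, 10, 0, 0)
    events = []
    # flooder: 25 checkouts of roughly 10,000-item baskets, one every 60 seconds
    for i in range(25):
        events.append(f"{(base + timedelta(seconds=60 * i)).isoformat()} c-flood {10000 - i}")
    # bulk buyer: three large baskets spread over 80 minutes -> below the attempt threshold
    for i in range(3):
        events.append(f"{(base + timedelta(minutes=40 * i)).isoformat()} c-bulk 2500")
    # ordinary shoppers: many small baskets -> removed by the basket-size filter
    for i in range(40):
        events.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} c-shop{i % 5} {1 + i % 4}")
    return events


if __name__ == "__main__":
    print(detect_checkout_flooding(build_sample_events()))  # {'c-flood': 25}
```

Because the check keys on the combination of basket size and repetition rate, a genuine bulk order or a busy but ordinary customer does not trip it; tuning the two thresholds against a few weeks of real checkout history is the practical first step before wiring the result into rate limiting or an alert.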
One attempted hack was even traced back to a potential competitor in China.
To plug any potential holes ASOS runs frequent security assessments and organises ‘hackathons’ to test the site for weaknesses prior to any upgrades.
One of these sessions, performed on the mobile site prior to launch, uncovered 12 problems that needed to be fixed.
The main focus of Tolbay’s talk was PCI compliance and how e-tailers can make sure they are up to standard.
The PCI Data Security Standard is a set of industry regulations governing the protection of confidential data – the penalties for breaches can include a hefty fine or removal of payment services.
Tolbay said that as e-commerce is a fast-paced industry, compliance needs to be looked at on an ongoing basis rather than in the few weeks before an audit.
“Changes and updates have to be made continuously in the background. You can’t simply shut the site down for maintenance and do a whole load of changes – since you’ll lose all your customers.”
The key to making sure your business is PCI compliant is to find a good qualified security assessor (QSA) that has experience in your industry and can give advice on how to get up to standard, while also ensuring that any third-party hosting companies are compliant.
Another important element is to make sure that your company’s staff training and processes are up to scratch, as no amount of technology can make up for the fact that your staff are poorly trained.
Tolbay said that as part of its commitment to security all notepads in the ASOS call centre had been removed and replaced with white boards so if anyone wrote any confidential customer details down there was no chance of it leaving the premises.
You can read more about PCI compliance and data protection in our Internationalisation of E-commerce Best Practice Guide.