Attacks On E-Tail Sites Over Public Wi-Fi: Just A Click Away

How close are we to software that automatically attacks any E-Commerce being done on a nearby public Wi-Fi connection? Apparently, a lot closer than anyone would have thought a month ago. In October, a Seattle hacker released Firesheep, a free tool that lets almost anyone hijack public Wi-Fi Web browsing by people signed into Amazon, Foursquare, Facebook, Twitter and other retail-impacting social sites. In the weeks since, new tools that automate the hijacking have surfaced. The next obvious step: Versions that target E-tailers.

That may seem unlikely. After all, who would want to disrupt customers just trying to buy a book, a pair of shoes or a gadget online? Probably not professional thieves—it's not easy to steal money through an E-tail site. But among the 700,000-plus people who have downloaded Firesheep, some are likely to have vendettas against certain retailers (and no, not just the Wal-Marts, Targets and Best Buys of the world). The clock may be ticking on how long E-tailers have before they either provide full-session security for all shoppers or risk losing business.

Firesheep, the free Firefox add-on that started this shakeup, wasn't supposed to be that big a deal. According to Eric Butler, the programmer who wrote Firesheep, he was annoyed that so many social sites used secure connections when users logged on but then tracked the rest of the session with a cookie sent over ordinary, unencrypted HTTP. When those cookies pass over open public Wi-Fi, anyone in range can capture them and hijack the user's session. Expert tools to sniff networks and grab those session cookies already exist; Butler just made session hijacking a matter of a few clicks.

Yes, it was a stunt. The purpose was to shame sites like Amazon, Foursquare and Facebook into spending the money to create secure connections for the whole time their users are on their sites.

In that respect, it's been at least moderately successful. Facebook now says it hopes to provide full-session encryption within months. Twitter says it's looking into it, too. And on Tuesday (Nov. 9), Microsoft's Hotmail service began offering full-session encryption as an option. Notably missing from the we're-getting-more-secure list is Amazon, the only big E-tailer among the sites targeted by Firesheep.

Meanwhile, Firesheep has spawned imitators. One, called Idiocy, is much simpler. It's a 130-line script that just looks for people using Twitter on public Wi-Fi and automatically sends (for them) a tweet that says "I browsed Twitter insecurely on a public network and all I got was this lousy tweet." That's really all it does. It's pretty innocuous.

But in practice, it's also a template for any moderately capable programmer who wants to automatically hijack connections to any other online site—including that of a retailer.

No, that threat isn't at the level of someone capturing payment card data. But suppose someone automatically hijacks a customer's session and causes your E-tail site to behave erratically—say, searching for nonsense terms or constantly returning to your homepage. Who will the customer blame? It won't be the guy across the room at Starbucks. To the customer, it's the site that's broken.

As a prank by one programmer, that's annoying. But what happens if that prank goes viral? Remember, the number of people who have downloaded Firesheep is headed toward a million. And the number of customers who shop online using public Wi-Fi keeps growing, especially among smartphone users who either can't get a 3G signal or would just rather use the free signal.

Yes, it may be illegal. It's certainly obnoxious. But the only real defense against this kind of session hijacking is for E-tail sites to make every session completely secure.
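The gap described above (an encrypted login followed by a session cookie that rides on plain HTTP) and the defense this paragraph calls for (every session secure, end to end) can both be checked mechanically on the server side. The following is an added example, not code from the article, from Firesheep or from any of the sites named: a small Python auditor that parses Set-Cookie headers, flags session cookies that would be sent in the clear, rewrites them with the Secure and HttpOnly flags, and checks that plain-HTTP requests are redirected to HTTPS and that HTTPS responses carry Strict-Transport-Security. The header strings, the cookie names and the session-name heuristic are constructed assumptions for this example.

```python
"""Audit Set-Cookie and response headers for the full-session-security gap.

Added example; the header values below are constructed, not captured from any site.
Attribute handling follows the cookie attributes defined in RFC 6265.
"""
from typing import Dict, List, Tuple

# Heuristic for spotting a session cookie by name (assumption for this example).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")

# Canonical capitalisation used when re-emitting attributes.
CANONICAL = {"path": "Path", "domain": "Domain", "expires": "Expires",
             "max-age": "Max-Age", "secure": "Secure", "httponly": "HttpOnly",
             "samesite": "SameSite"}


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into name, value and a lower-cased attribute map.

    Flag attributes (Secure, HttpOnly) map to "" so presence can be tested with `in`.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie(header: str) -> List[str]:
    """Findings for one Set-Cookie header, highest severity first.

    A missing Secure flag is the Firesheep condition: the browser will attach the
    cookie to every plain-HTTP request to the site, so it is readable on open Wi-Fi.
    HttpOnly and SameSite are defence in depth and are reported at lower severity.
    """
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings: List[str] = []
    if not looks_like_session_cookie(cookie["name"]):
        return findings  # non-session cookies are out of scope for this check
    if "secure" not in attrs:
        findings.append("HIGH: missing Secure; cookie is sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("MEDIUM: missing HttpOnly; readable by page scripts")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("LOW: SameSite not Lax/Strict")
    return findings


def harden_set_cookie(header: str) -> str:
    """Re-emit a Set-Cookie header with Secure, HttpOnly and SameSite=Lax.

    Existing attributes are preserved; Path and SameSite are only filled in if absent.
    """
    cookie = parse_set_cookie(header)
    attrs = dict(cookie["attrs"])
    attrs.setdefault("path", "/")
    attrs["secure"] = ""
    attrs["httponly"] = ""
    attrs.setdefault("samesite", "Lax")
    out = [f"{cookie['name']}={cookie['value']}"]
    for key, val in attrs.items():
        label = CANONICAL.get(key, key)
        out.append(f"{label}={val}" if val else label)
    return "; ".join(out)


def audit_response(scheme: str, status: int, headers: List[Tuple[str, str]]) -> List[str]:
    """Check one response against the "every session secure" baseline.

    `scheme` is the scheme the request arrived on ("http" or "https"); `headers`
    is a list of (name, value) pairs, so repeated Set-Cookie entries are allowed.
    """
    findings: List[str] = []
    lowered = [(k.lower(), v) for k, v in headers]
    if scheme == "http":
        location = next((v for k, v in lowered if k == "location"), "")
        if not (300 <= status < 400 and location.startswith("https://")):
            findings.append("HIGH: plain-HTTP request served content instead of redirecting to https://")
        for k, v in lowered:
            if k == "set-cookie":
                findings.append(f"HIGH: cookie {parse_set_cookie(v)['name']} issued over plain HTTP")
    else:
        if not any(k == "strict-transport-security" for k, _ in lowered):
            findings.append("MEDIUM: no Strict-Transport-Security; browsers will still try http:// next visit")
        for k, v in lowered:
            if k == "set-cookie":
                findings.extend(audit_set_cookie(v))
    return findings


if __name__ == "__main__":
    # Constructed header: the "secure login, then a plain cookie" pattern the article describes.
    weak = "sessionid=3f9a1c; Path=/; Expires=Wed, 10 Nov 2010 00:00:00 GMT"
    print(audit_set_cookie(weak))
    print(harden_set_cookie(weak))
    print(audit_response("https", 200, [("Content-Type", "text/html"), ("Set-Cookie", weak)]))
```

The HSTS check matters for the same reason as the Secure flag: even after a site encrypts every page, a user who types the bare hostname still starts on http://, and without Strict-Transport-Security that first request (and any cookie lacking Secure) crosses the open network in the clear before the redirect lands.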

That won't be cheap. Creating a fully secure session for each user requires more memory and more processor power to encrypt and decrypt everything that happens, and it also generates more network traffic. (Google claims it has cut the cost down to practically nothing, but most E-tailers can't use all of Google's tricks.) That's why most E-Commerce sites wait until a customer is ready to check out before switching on the security. And in the past, spending for the continuous security hasn't been seen as a necessity.

But cost isn't the only problem. Security isn't just expensive; it also makes things more complicated. For example, Microsoft warned Hotmail users that if they choose full-session security, they won't be able to use the Outlook Hotmail Connector or Windows Live Mail. Retail sites that are fed from multiple domains may have troubles of their own. And working out those kinks will take time, talent and money.

Still, the price of that improved security will soon have to be balanced against the risk of a damaged reputation and lost revenue. Both of those are likely results of E-Commerce that is hijacked or disrupted by anyone who can encourage users to download and install a relatively simple program.

That's no longer a question of if, but when. And if Firesheep is any guide, it's a risk that is really only going to get worse.