iEnhance Blog


Website and personal information Security

Business 3 Comments 10 March, 2011

As the world becomes more and more reliant on the internet, and the online ways of buying and selling, the question that really needs to be asked is "how safe are my details?"

We recently took on a client that has an online business and has been involved in the online world since the beginning of the internet. This client is in a fairly niche industry, with a fairly proven business model. They came to us after their website was bumped from Google, after a Search Engine Optimisation company pushed the rules too far. Without turning this into a trumpet-blowing story, we quickly got them ranking again, with traffic flowing through the site. This is where we faced our next hurdle. The client had also recently moved to a different programmer to rebuild the site, who had made lots of promises regarding the workings of the site.

In the following few months, I witnessed countless programming issues, and as one was fixed, another broke. I also questioned some of the excuses for not doing some pretty important things regarding the website. (These are not wholly relevant to this story, but they did make alarm bells ring as to the programmer's competence.)

Eventually, enough was enough, and my client requested that another programmer be brought in to audit the site.

This was when we all realised the extreme lack of competency of "programmer A".

The code was all over the place, nothing was in any logical order, and there was absolutely no surprise that things were breaking all the time. This however, is not where it ended.

We then started looking at the overall security of the site. As the site handles LOTS of personal details, this was an imperative part of this project in my eyes. What we found was that we could access the personal details of customers simply by changing some fields in the URL string. More frightening was that we could also get into our client's other websites (also created by "Programmer A") simply by changing a very small part of the URL. This sort of thing any school kid would know how to do; this is not complex hacking! With this access, we were quickly able to reach my client's financial information, as well as business history (and their clients' information).
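The flaw described above is an access-control failure: the server trusts the record id in the URL and never asks whether the logged-in user actually owns that record. The following is an added example, not code from the original post or from the site it describes, showing the broken pattern beside the corrected one, plus a small check an auditor can run against either handler. The customer records, owner names and ids are constructed sample data.

```python
# Added example (not from the original post): an insecure direct object
# reference in miniature, with its fix. All data below is constructed.

# Constructed customer records keyed by the numeric id that appears in the URL.
CUSTOMERS = {
    101: {"owner": "alice", "email": "alice@example.com", "card_last4": "4242"},
    102: {"owner": "bob", "email": "bob@example.com", "card_last4": "1881"},
}


class Forbidden(Exception):
    """Raised when the requesting user may not see the requested record."""


def profile_vulnerable(customer_id: int, session_user: str) -> dict:
    """The flaw the post describes: the record is fetched using only the id
    taken from the URL. `session_user` is ignored, so any logged-in user can
    read any customer simply by editing the number in the address bar."""
    return CUSTOMERS[customer_id]


def profile_hardened(customer_id: int, session_user: str) -> dict:
    """Fix: authorise against the server-side session identity, never the URL.
    The id only selects the record; ownership decides whether it is returned."""
    record = CUSTOMERS.get(customer_id)
    if record is None or record["owner"] != session_user:
        # Same error for "missing" and "not yours", so valid ids cannot be
        # distinguished from invalid ones by probing.
        raise Forbidden("not found")
    return record


def leaks_other_users_record(handler, session_user: str, victim_id: int) -> bool:
    """Audit check: True if `handler` returns a record that `session_user`
    does not own. Run it against every endpoint that takes an id from the URL."""
    try:
        record = handler(victim_id, session_user)
    except Forbidden:
        return False
    return record["owner"] != session_user


if __name__ == "__main__":
    # bob asks for alice's record (id 101) through each handler.
    print("vulnerable leaks:", leaks_other_users_record(profile_vulnerable, "bob", 101))
    print("hardened leaks:  ", leaks_other_users_record(profile_hardened, "bob", 101))
```

The important design point is that the ownership check happens on the server using the session, not using anything the client sends; hiding the id or making it harder to guess does not fix the problem, it only delays discovery.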

Needless to say, Programmer A is no longer involved in this project. When confronted regarding the security issues, my client was told "that is just a small trivial problem" and was then dismissed.

One IMPORTANT thing should be noted here. As we could access this information so easily, so could Google! My client and Programmer A are extremely fortunate that Google had not indexed the "private" parts of the site and published all of the details. This has happened countless times before, and any programmer worth their salt would know this and be able to identify holes as large as these were! The costs involved in a privacy breach like this would be enough to have put our client out of business very quickly. It absolutely infuriates me to know that people are having their businesses put at risk because others do not understand the ramifications of their incompetent actions.

This situation has really made me think about who people should trust. Basically, "Programmer A" had assured my client numerous times that the site was secure, and also that they were competent.

So, who can you trust?

Basically, do some homework and ask for references when you are getting someone new to work on any part of your business. Just as importantly, as a general rule, you get what you pay for.


There are three aspects to development:

Fast - very quick turnaround of development; can do what is required when it's required

Good - has the functionality required

Cheap - is very inexpensive

Clients can pick any two:

fast and good, OR

good and cheap, OR

fast and cheap