Luckily, hackers and other malicious users don’t visit our clients that often. However, we recently had one client whose donation form was attacked, and I thought it would be useful to share some techniques for stopping similar attacks.
Their form was being attacked in order to test credit card numbers. The user would try a credit card number they thought might be good. If the “donation” went through, they would know that the card is valid and could use it to make fraudulent purchases on other sites. The damage to the non-profit is that many credit card processors charge a fee to the organization every time a card is attempted. Then, there is the hassle of taking care of the customer implications every time a card is charged fraudulently. This may also damage the organization’s public reputation.
First, it is important to know that there is no 100% solution to stopping malicious users from attacking online credit card donation forms. There are ways to make it less likely and make it harder for the malicious user, but often those techniques can make it harder for regular users of your site as well.
That said, there are things that can help:
- Use a CAPTCHA: We used to only recommend these for email forms, relying on the fact that malicious users won’t use a credit card. However, given the above information, we now recommend them on all single step forms, like donation forms. Shopping carts and other multi-step forms are vulnerable to these types of attacks, but in the future, they may also need them. This will stop most automated attacks, but won’t stop someone trying a manual attack.
- Require a CVV code: This will make it less likely that a malicious user will be successful. However, this may block a small number of cards that don’t have the CVV codes (mostly foreign cards).
- Set the Velocity: Many credit card processing gateways allow you to limit the number of transactions in a day. Setting this will limit the number of transactions and thus the damage should someone ever use the form in the malicious way described above. This will block legitimate transactions, too — so it is important to think through the implications of this and evaluate the correct number to use.
- Block foreign users: If you can use a service to identify the location of a user via their IP address (Cloudflare, geolocation services, etc.), you could block the form from being used outside the United States and Canada. Note that malicious users can sometimes appear to be in the United States when they are not, and you of course would be blocking legitimate users from those locations.
Those are the techniques we’ve used. What have you tried?
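To make the velocity idea concrete, here is an added example (not code from the original post or from any payment gateway) of a check a donation form could run before an attempt is sent to the processor. The class name, thresholds, token names and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600      # assumed look-back window
MAX_ATTEMPTS = 5           # assumed per-IP attempt cap inside the window
MAX_DISTINCT_CARDS = 3     # assumed cap on different cards from one IP
DAILY_CAP = 200            # assumed site-wide cap, like a gateway velocity setting


class VelocityGuard:
    """Decides whether a donation attempt may be sent to the card processor."""

    def __init__(self):
        self.by_ip = defaultdict(deque)   # ip -> deque of (timestamp, card_token)
        self.daily = defaultdict(int)     # day number -> attempts forwarded

    def check(self, ts, ip, card_token):
        """Return (allowed, reason). card_token is a hash or token, never the raw number."""
        history = self.by_ip[ip]
        while history and ts - history[0][0] >= WINDOW_SECONDS:
            history.popleft()             # forget attempts older than the window
        day = ts // 86400
        cards = {c for _, c in history} | {card_token}
        if self.daily[day] >= DAILY_CAP:
            return False, "site daily cap reached"
        if len(history) >= MAX_ATTEMPTS:
            return False, "too many attempts from this IP"
        if len(cards) > MAX_DISTINCT_CARDS:
            return False, "too many different cards from this IP"
        history.append((ts, card_token))  # only forwarded attempts are counted
        self.daily[day] += 1
        return True, "ok"


def replay(events):
    """Run constructed (ts, ip, card_token) events through a fresh guard."""
    guard = VelocityGuard()
    return [guard.check(*e) for e in events]


# Constructed sample: one donor retrying a mistyped card, and one client
# cycling through a new card every 20 seconds (documentation-range IPs).
DONOR = [(0, "198.51.100.7", "tok_a"), (60, "198.51.100.7", "tok_a")]
TESTER = [(100 + 20 * i, "203.0.113.9", f"tok_{i}") for i in range(6)]

if __name__ == "__main__":
    for event, verdict in zip(DONOR + TESTER, replay(DONOR + TESTER)):
        print(event, verdict)
```

The per-IP counters only see a client that keeps the same address, so the site-wide daily cap stays in place as the backstop, with the same trade-off for legitimate donors noted above.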
Despite everyone’s best efforts, Web sites sometimes crash. They are victims of malicious attacks that affect their ability to function. Sometimes these outages last for an extended period of time. How a company responds to its clients and customers during this time period is often critical to the business’s reputation.
This is especially true with services where the client is paying a fee to access the service, but it even affects free services such as a blog or corporate Web site where money isn’t changing hands.
As an example, the Consumerist blog has been down for days. It is a popular free Web site where people gripe about their experiences with corporate America. At present, users have been greeted with this message:
Dear Consumerist Readers,
We’d like to take the opportunity to update you on our current technical difficulties and what we plan to do going forward.
We are working (day and night) on an interim solution that will allow us to keep the content coming.
As we mentioned before, it was a tough choice to take the site down while we make changes, but our readers are the most important consideration, and everything we do is with your best interests in mind.
Thanks for your patience, your understanding, and your offers of assistance. Our readers are the best, and anyone who says otherwise probably does PR for Bank of America. We look forward to writing for you again soon.
That fairly nebulous message isn’t keeping its users happy. Users have taken to its Facebook page with messages like:
For a company such as the Consumer Union whose whole purpose is to not only rate and review products, but to fight for the truth, and make sure the consumers are not left in the dark. I find it highly disturbing that they are in fact no different than any other corporation in America. Sure publish bad things about other companies when they do wrong, but when something bad happens to a publication that is run by the Consumer Union, the consumer union feels there is a double standard and they do not need to be held accountable.
If you truly did this with the readers in mind, there would have been more notice, better communication, an insight into what is being done, what we can expect as readers and how you are going to mitigate our concerns.
When an outage affects a large number of people, users of free or even paid services expect the following:
- Honesty: You need to communicate the truth to your users, even if it is unpleasant. For example, if Consumerist was the victim of an attack, they need to say that they were.
- ETA: You want to give people an up-to-date expectation of the site’s restoration. Users know that this may change as you go along, but having an up-to-date ETA would be helpful.
- Where to go: During an outage, the usual location for updates may not be available, so you’ll want to communicate an alternative location for updates, such as Facebook or Twitter. Both can be useful for communicating even during an outage.
Here’s how to enter to win, by October 1, 2012:
- Go to Jason’s Google Plus Page and click “add to circles”. This will earn you one entry. If you already follow, you are already entered.
- Go to Curvine’s Twitter Page and click “follow”. This will earn you one entry. If you already follow, you are already entered.
The fine print: We will randomly select 1 winner from our Twitter followers and Google Plus on October 1, 2012. The winner will receive a new iPod Nano. We will notify the winner on this site, as well as through a message sent using Twitter or Google Plus — if no response is received within 5 business days, another winner will be selected. This contest is not sponsored by Apple, Twitter or Google.
You would never wish someone a “Happy September 11th” or a festive “Pearl Harbor Day.” Yet, every year, there is a small minority of marketers who attempt to attach themselves to occasions that they ought to stay away from.
Examples of What Not to Do:
Casino Promotion: What were they thinking? $9.11 food voucher, $91.11 hotel rate — who approves this stuff?
9/11 Memorial Merlot: Marketing a wine with a 9/11 tie-in seems wrong. It was redeeming that 10% of the profit went to a relevant charity.
9/11 Themed Advertisement: A company tried to sell relevant products with a 9/11 tie-in. I see where it was coming from, but it just comes across as tacky.
Here’s what to do:
First, decide if it’s appropriate for your brand to tie itself to the anniversary. Then, ask yourself again if it makes sense. The 9/11 anniversary is a very sensitive subject, so if your brand appears in any way to be leveraging the situation for commercial gain, be prepared for potential backlash.
If you decide to somehow commemorate 9/11 this weekend via a brand’s social media assets, keep this bit of advice in mind, from the wise Justin Goldsborough:
The tough part is that you can’t just look at intentions. You have to judge how actions will be perceived, which really is PR’s job. [paraphrasing this tweet]
There’s an alphabet soup of Web development environments available for developers to use: PHP, JSP, ASP.NET (VB or C#), Ruby on Rails, Python, and Perl are just some of the 200 platforms and languages that developers use. If you are like me, you run across people who feel passionately that their platform is the only one that anyone could ever use. So what’s the best one?
The truth is that there are multiple answers for multiple people. Here’s what makes a good environment for your Web site:
- It is updated often and supported by a large company with dedicated resources behind it or by a well developed organization of volunteers. For example, the latest version of PHP was released less than one month ago and has conferences and meet-ups all throughout the year.
- It is used by a large number of developers: Web development isn’t a popularity contest, but if your developer is using a platform that many people don’t use, it means that you become very reliant on that one developer. If something happens with that developer, you may have a hard time finding someone else to work on your site. So even if your developer says it is the best platform ever, be sure lots of others agree.
- A large number of Web hosting firms offer your platform as an option: Just like relying on any one developer is bad, relying on a Web host is worse. Be sure that many firms can host your site. As an aside, it is best to avoid custom configurations to even a well-supported language, because it will make finding another Web host difficult.
Based on these criteria, we recommend ASP.NET (VB.NET/C#) and PHP as top-tier languages. What’s your favorite language?
Despite the fact that online marketing involves 11 different things, I constantly get questions about just one of them: SEO. There is so much information and misinformation out there, it is hard to know who is right. I tell people, don’t trust me or anyone else who claims to know anything about SEO. Do trust Google, though. As the largest search engine, they know what works and what doesn’t work for getting in their search engine. Here are a series of questions you should ask any SEO “expert,” based on Google’s guidelines.
- How do you get people to sign up for your service? Referrals from clients are the correct answer. Sending spam emails to people is usually a sign of a problem.
- Can you guarantee me a #1 ranking? You would think you would want a guarantee, but since no one knows Google and Bing’s algorithms, there is no way for anyone to guarantee a #1 ranking. If they are doing this, be highly skeptical.
- What exactly will you do to improve my rankings? Ask for specifics! If they can’t tell you, you should likely avoid them.
- Will my Web site have to link back to the SEO company? If this is a requirement, it is important to know that this helps them build their presence but doesn’t help you at all.
- What part of my money goes to advertising versus helping my organic search results? There isn’t a wrong answer here — but it is important for clients to know what they are getting.
What questions would you ask?
Whenever I talk to potential clients about Web sites, they always say they want a site that is “clean,” “user friendly,” and “easy to use.” Basically, everyone wants a great Web site. How do you make one?
A great way to learn how to make a great site is to study one up close. Today, I had the chance to do so. I was shopping for airline tickets and I was frustrated that I needed to check multiple sites to find the least expensive ticket. Even among sites that say they search multiple airlines, they sometimes miss things and they make me retype information many times.
- Light on graphics when heavy on functionality: The site is very powerful, so it lets the graphics take a back seat. What few graphics there are are out of the way and small and serve a purpose. That’s not to say all sites should be light on graphics, just ones with lots of functionality.
- Professionally designed: just because a site is light doesn’t mean you skip the graphic designer. The designer provided a consistent and concise user interface.
- Saves me time: I frequently search for the same complicated search. Matrix remembers it and lets me easily recall it without filling in many text boxes.
- Powerful, yet easy to use: For me, I’m looking for flights going to one city, leaving another, across multiple airlines, within a 2 day range and from multiple city choices. No other site even does half of that. This site does it all and makes it look easy. It even flags flights with long layovers or overnight flights with little icons that are easy to find.
Why can’t all functional sites be like Matrix?
Here are a few articles I’ve come across in the past week which are worth the read:
- How To Increase Your Conversion From Online Advertising Using Retargeting And Segmentation - Chris Dowsett has a high level view on how to send targeted ads to people who visit your site, so as to get them more likely to buy.
- Four Reasons Your Messages are Missing the Inbox: The eTail blog has a great write up on why some of your marketing messages aren’t being read or even received, and what you can do about it.
- Handling Social Media Snafus: We all make mistakes — sometimes they are more in the public. Healthy Marketing has a write up on what to do when things go wrong.
As Summer turns to Fall, it is a great time to start some good practices that will lead to more sales. A/B testing is a great technique that works with any Web site and will over time lead to more sales and profits.
What is A/B testing?
At its core, A/B testing involves splitting your customers into two random groups — labeled A and B. For A, you’ll leave the Web site alone. For B, you’ll make some change and test to see if it leads to any changes. Changes can be small — the size and color of the Add to Cart button, or they can be large like a completely different Web site design and layout. The groups can be equal sized, or you can show the altered version to a smaller group. You’ll be able to see the difference in sales (for example, Group B’s sales were 5% higher), but you’ll need statistics software to help you figure out how significant the change is.
When Should an E-Commerce site use A/B Testing?
All of the time! A business should always be experimenting to learn more about its customers. You can/should be doing this even during a busy season. Not all experiments succeed, though, so you’ll want to limit experiments you aren’t confident in to a small B audience and be ready to abort the experiment if you see a significant downside.
Is there software to help accomplish this?
Yes. Google Analytics Content Experiments is one of many software packages that will help substitute the content for the “B” group and help determine the margin of error (which helps you determine if the changes are significant). Some shopping carts have built in tools that can help with this too.
Have you used A/B testing? Post your thoughts below.
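As an added illustration (not from the original post or from any analytics product), this is the kind of calculation statistics software performs to decide whether a difference such as "Group B’s sales were 5% higher" is significant. It uses a standard two-proportion z-test; the function name, the 0.05 threshold and all visitor and sales figures are constructed assumptions.

```python
import math

ALPHA = 0.05  # assumed significance threshold


def ab_test(sales_a, visitors_a, sales_b, visitors_b):
    """Two-proportion z-test; returns (relative_lift, z, p_value, verdict)."""
    rate_a, rate_b = sales_a / visitors_a, sales_b / visitors_b
    pooled = (sales_a + sales_b) / (visitors_a + visitors_b)
    std_err = math.sqrt(pooled * (1 - pooled) * (1 / visitors_a + 1 / visitors_b))
    z = (rate_b - rate_a) / std_err
    p_value = math.erfc(abs(z) / math.sqrt(2))  # two-sided normal tail
    if p_value >= ALPHA:
        verdict = "inconclusive, keep collecting data"
    elif z > 0:
        verdict = "B is better"
    else:
        verdict = "B is worse, abort the experiment"
    return (rate_b - rate_a) / rate_a, z, p_value, verdict


# Constructed figures: the same 5% lift at two traffic levels, and a small
# B group (10% of traffic) that is converting noticeably worse.
SMALL = ab_test(400, 10_000, 420, 10_000)
LARGE = ab_test(4_000, 100_000, 4_200, 100_000)
BAD_B = ab_test(3_600, 90_000, 320, 10_000)

if __name__ == "__main__":
    for name, result in (("small", SMALL), ("large", LARGE), ("bad B", BAD_B)):
        print(name, "lift=%.1f%% z=%.2f p=%.3f -> %s" % (result[0] * 100, *result[1:]))
```

The same 5% lift is indistinguishable from noise at 10,000 visitors per group and significant at 100,000, which is why the raw difference alone is not enough to act on.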