How to Avoid the Most Dangerous Website Attacks

By Jennifer Schlesinger and Sabrina Korber

Every minute in the U.S., 19 people fall victim to identity theft, according to credit bureau TransUnion.

Consumers can unintentionally leak a deluge of personal information as they shop online and surf the Web. That's because websites can house coding flaws and other vulnerabilities that attract malicious hackers, who are prowling the Internet for consumers' personal information.

"Out of all the websites we've scanned, 75 percent of them have a vulnerability on the first scan," said Ainsley Braun, co-founder and CEO at Tinfoil Security, which specializes in website security.

Even large, well-known companies' websites can be vulnerable.

Braun said scans for potential vulnerability found 30 percent of Fortune 1000 companies have website flaws. Vulnerabilities also were discovered among some of the most visited websites, as tracked by the Alexa Rank of the top 500 sites.

Customer data loss, in fact, is a growing concern. A survey of information security professionals by cybersecurity company Trustwave found 58 percent of IT professionals worry about customer data theft. That concern eclipsed IT professionals' worries about intellectual property theft, damage to reputation, and fines and legal action, according to the survey.

Here are some of the most dangerous kinds of attacks on websites, according to Braun and Michael Borohovski, co-founder and chief technology officer at Tinfoil.

Insecure Cookies

Every time you log into a website, your computer receives a small piece of data called a cookie -- information about your user session so you do not need to log in again when you visit a new page. If the website does not secure that cookie, your data is vulnerable.

The Open Web Application Security Project -- a nonprofit focused on improving software security -- also cited cookies as a potential threat. A hacker can gain access to a cookie on an unsecured wireless network and hijack a user's website session, potentially gaining access to private data, according to the group's 2013 report.

"For example I'm at ... Starbucks or something like that, an attacker who is listening for all of the network traffic that is flying around him can actually pull down the cookie since your information, your session information, is not secured and [they can] impersonate you on that website," said Tinfoil's Borohovski.
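The attributes that keep a session cookie off an open Wi-Fi network in the clear are set by the website, not the user. As an added illustration (not code from the article or from Tinfoil), this small audit parses constructed Set-Cookie headers and flags the missing Secure, HttpOnly and SameSite attributes a site operator would want to fix:

```python
"""Audit Set-Cookie headers for the attributes that protect a session cookie.

Sample headers below are constructed for this example; they were not captured
from any real site.
"""


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header value into name, value and an attribute map.

    Attribute names are case-insensitive, so they are lower-cased here.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header: str) -> list:
    """Return a list of problems found in one Set-Cookie header (empty if none)."""
    attrs = parse_set_cookie(header)["attrs"]
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: page scripts can read the cookie")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        problems.append("SameSite not Lax/Strict: cookie rides on cross-site requests")
    return problems


# Constructed examples: a cookie set with no protection, and its hardened form.
SAMPLE_HEADERS = {
    "weak": "sessionid=abc123; Path=/",
    "hardened": "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}


def audit_all(headers=SAMPLE_HEADERS) -> dict:
    """Audit every sample header and map its label to the problems found."""
    return {label: audit_cookie(h) for label, h in headers.items()}


if __name__ == "__main__":
    for label, problems in audit_all().items():
        print(label, "->", problems or ["ok"])
```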

Cross-Site Scripting

Another kind of dangerous website attack occurs when it's unclear if the user is browsing the authentic website, or a fake site that's masquerading as the real thing. This type of attack is called cross-site scripting.

The attack starts once you click on a malicious link, which redirects traffic to the attacker's site. Cybercriminals then take advantage of users who are unaware they've been forwarded to a malicious site and innocently give up their username, password and potentially other bits of personal information.

The effects of cross-site scripting can be lasting.

"In some cases, cross-site scripting has been used to actually install malware on users' computers and thus maintain sort of a persistent attack on a user," Tinfoil's Borohovski said.

Database Injection

Borohovski said he believes database injection -- which can release a website's user information -- is the most devastating kind of website attack. According to OWASP's 2013 report, injection attacks, including database injection, were the top security issue.

"What an attacker can do with a database injection basically is rather than simply using the website to insert their own data, they could actually trick the database into dumping out all of their other data, of the other customer data," Borohovski explained.
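The "trick" Borohovski describes happens when user input is pasted into the SQL text instead of being bound as a parameter. As an added example (not code from the article or from Tinfoil), the vulnerable lookup below sits beside its parameterized fix, run against an in-memory SQLite table of constructed customer rows, so the difference in what each returns can be seen directly:

```python
"""Vulnerable customer lookup beside its parameterized fix.

The database and its rows are constructed for this example.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with three constructed customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("carol", "carol@example.com"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String concatenation: whatever the user typed becomes part of the SQL."""
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed input that closes the quoted string and appends an always-true test.
DUMP_ALL = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    # The vulnerable version returns every customer; the safe one returns none,
    # because no customer is literally named "x' OR '1'='1".
    print("vulnerable:", lookup_vulnerable(conn, DUMP_ALL))
    print("safe:      ", lookup_safe(conn, DUMP_ALL))
```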

Protecting Your Information

To protect yourself from these website attacks, Borohovski recommends using different passwords for different websites. This way, even if one account is compromised, the rest are safe.

Tinfoil suggests being cautious about sharing information on unsecured wireless networks, such as those in public places.

Also, check to see if the website you are on is secure. Most browsers will display a lock symbol to show a site is secure.

"Most browsers will also display a warning if that certificate has been tampered with, or modified, or if somebody is potentially listening in, in the middle of the connection," Borohovski said. "If that is the case, the user should not go ahead and click 'I want to go there anyway.' They should stop."

More from CNBC

Why Your Bank Thinks Someone Stole Your Credit Card

One reason why Marquis' gas purchases might have triggered a fraud lockdown? Filling their tank is a common first move for credit card thieves.

"Some of the things they look at are small-dollar transactions at gas stations, followed by an attempt to make a larger purchase," explains Adam Levin of Identity Theft 911.

The idea is that thieves want to confirm that the card actually works before going on a buying spree, so they'll make a small purchase that wouldn't catch the attention of the cardholder. Popular methods include buying gas or making a small donation to charity, so banks have started scrutinizing those transactions.

Of course, it's not a simple matter of buying gas or giving to charity -- if those tasks triggered alerts constantly, no one would do either with a credit card. But Levin points to another possible explanation: Purchases made in a high-crime area are going to be held to a higher standard by the bank.

"It's almost a form of redlining," he says. "If there are certain [neighborhoods] where they've experienced an enormous amount of fraud, then anytime they see a transaction in the neighborhood, it sends an alert."

(Indeed, Erin tells me that one of the gas purchases that triggered an alert took place in a rough part of Detroit, which she visited specifically for the cheap gas.)

People who steal credit cards and credit card numbers usually aren't doing it so they can outfit their home with electronics and appliances. They don't want the actual products they're fraudulently buying; they're just in it to make money. So banks are always on the lookout for purchases of items that can easily be re-sold.

"Anytime a product can be turned around quickly for cash value, those are going to be the items that you would probably assume that, if you were a thief, you would want to get to first," says Karisse Hendrick of the Merchant Risk Council, which helps online merchants cut down on fraud. Levin says electronics are common choices for fraudsters, as are precious metals and jewelry.

Many thieves don't want to go through the rigmarole of buying laptops and jewelry, then selling them online or at pawnshops. They'd much prefer to just turn your stolen card directly into cold, hard cash.

There are a few ways that they can do that, and all of them will raise red flags at your bank or credit union. Using a credit card to buy a pricey gift card or load a bunch of money on a prepaid debit card is a fast way to attract the suspicions of your credit card issuer. Levin adds that some identity thieves also use stolen or cloned credit cards to buy chips at a casino, which they can then cash out (or, if they're feeling lucky, gamble away).

When assessing whether a purchase might be fraudulent, banks aren't just looking at what you bought and where you bought it. They're also asking if it's something you usually buy.

"The issuers know the buying patterns of a cardholder," says Hendrick. "They know the typical dollar amount of transaction and the type of purchase they put on a credit card."

Your bank sees a fairly high percentage of your purchases, so it knows if one is out of character for you. A thrifty individual who suddenly drops $500 on designer clothes should expect to get a call -- or have to make one when the bank flags the transaction. If you rarely travel and your card is suddenly used to purchase a flight to Europe, that's going to raise some red flags.

Speaking of Europe, the other big factor in banks' risk equations is whether you're making a purchase in a new area. I bought a computer just days after moving from Boston to New York, and had to confirm to the bank that I was indeed trying to make the purchase. Levin likewise says that making purchases in two different cities over a short period of time raises suspicions.

"I go from New York to California a lot, and invariably someone will call me [from the bank]," he says. Since one person can't go shopping in New York and California at the same time, any time a bank sees multiple purchases in multiple locations in a short period, it's going to be suspicious.
