With any online business venture there is an inevitable degree of associated risk. Wherever personal and financial data are stored there is a potential for that information to be accessed and exploited maliciously. With reports of DDoS attacks and data breaches on the rise, it seems more important than ever for online businesses to be prepared for the worst outcome.
While it is impossible to completely insulate yourself from the threat of such attacks, you can at least take proactive measures to ensure that your information is as secure as possible, and that it is looked after by a team that is capable and up to date with the best tactics for countering cyber intrusions.
I sat down recently with two of our resident developers and security experts, Michael and Jacob, in order to discuss our in-house cyber security protocol at SAE.
Q: There have been reports in recent days of data breach attempts against various online companies, including some within the auction industry. Can you give a brief overview of some of the security measures we use here at SAE to ensure that we are as prepared as can be against a similar attack?
Michael: We stay very up to date with the best and most proven methods currently known to the cyber-security community. We use HAProxy to optimize resources and minimize response time, end-to-end SSL encryption to ensure that all data passed between server and browser is kept private and secured, and Stripe connections to utilize a proven, highly capable payment processor.
Jacob: We use cloud based storage, as well, which is quickly becoming the industry standard for a variety of reasons. No secure data is stored within the database itself, so an outside attempt against it would be pointless. Our firewall rules also rigorously regulate what type of traffic is allowed to pass through.
Like Michael said, all of our deployments are behind SSL, and our configuration was rated A+ by SSL Labs. So people know they’re in good hands on that front. We’re also against “security through obscurity,” which is a rather old-school, discredited security philosophy that some tech companies still abide by. They think that mere obfuscation is a legitimate method of keeping data safe, which has been shown to be false through practice. We stick to vetted, proven standards.
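As an added illustration (this is not SAE’s actual configuration), here is what an HAProxy front end set up along the lines Michael and Jacob describe looks like: TLS on the public listener, clear-text requests redirected, HSTS, a TLS 1.2+ AEAD-only policy of the kind SSL Labs grades A+, and a re-encrypted, certificate-verified hop to the application servers so the traffic stays encrypted end to end rather than only to the load balancer. The certificate paths, the 10.0.0.0/24 addresses and the backend port 8443 are assumptions.

```haproxy
global
    # Applies to every "bind ... ssl" line below: TLS 1.2 or newer only,
    # no session tickets (they undermine forward secrecy unless the ticket
    # key is rotated), and only forward-secret AEAD ciphers.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    # TLS 1.3 suites (needs a build with TLS 1.3 support).
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # Same minimum version for the hop from HAProxy to the backends.
    ssl-default-server-options ssl-min-ver TLSv1.2

defaults
    mode http
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend public
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem alpn h2,http/1.1
    # Nothing is served in clear text: plain HTTP is answered with a redirect.
    http-request redirect scheme https code 301 unless { ssl_fc }
    # HSTS: a browser that has seen this header will not try plain HTTP again.
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    default_backend app

backend app
    balance roundrobin
    # The backend hop is TLS as well, and the backend certificate must chain to
    # our private CA, so a compromised network segment can neither read nor
    # inject traffic between the load balancer and the application servers.
    server app1 10.0.0.11:8443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
    server app2 10.0.0.12:8443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
```

`haproxy -c -f /etc/haproxy/haproxy.cfg` validates the file before a reload. The weak versions of these settings are the ones SSL Labs marks down: no `ssl-min-ver` (which leaves TLS 1.0/1.1 enabled), a cipher list that still admits CBC or RSA key exchange, a missing HSTS header, or a backend `server` line without `ssl verify required`, which silently makes the “end-to-end” part untrue.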
Q: Why did we choose the server hosting partner (Linode) that we use?
Michael: One of the main reasons is that many of the popular alternatives to Linode are overly complicated, and it can be difficult to predict costs behind their microcharge APIs. Complicated definitely doesn’t mean better when it comes to Cloud computing. It’s awkward, and doesn’t fit the traditional manner of applications that we have. Linode doesn’t have these problems.
Jacob: A big problem with some of these other hosting companies is that they’re willing to (amongst other things) give out the last four digits of your credit card to outside parties, which is something that other sites ask for as a security question for their accounts, and this can lead to all sorts of vulnerabilities.
Q: How does SAE keep credit card data safe from hackers?
Jacob: We work with secure, trusted third party companies like Stripe, who handle the financial transactions of some of the largest companies in the world. Credit card info is sent directly to them, we don’t ever store it or even have it touch our server.
Michael: The entire platform is Cloud-hosted. Physical hardware security is managed by Linode, which is about the best hands it could be in. When you see the lock symbol in the corner of the URL bar, or the ‘s’ at the end of ‘http,’ you know that the site you’re on is confirmed to be secure, as ours is.
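With a tokenizing processor the browser sends the card details to Stripe and the server only ever sees an opaque token. An added safeguard a practitioner would want behind that design is a check that a card number never reaches the application even by accident (a misconfigured form that posts the raw number to your own server, for instance) and never ends up in a log line. The following is an added example, not SAE’s or Stripe’s code: it screens a decoded request body for Luhn-valid card-number-shaped values, rejects the request, and redacts the value so only the redacted form is logged. The form field names and `tok_visa` are constructed sample input.

```python
import re

# A card number as typed into a form: 13-19 digits, optionally separated by
# single spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit test. Every real card number passes it; most other
    digit runs of that length (order numbers, phone numbers) do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid card-number-shaped runs in text, separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def screen_request(form):
    """Screen a decoded request body (dict of field -> string) before the
    application sees it.

    Returns (ok, redacted_form, offending_fields). When ok is False the caller
    should reject the request (HTTP 400) and log only redacted_form, so the
    card number reaches neither application code, nor the database, nor the logs.
    """
    offending = []
    redacted = {}
    for field, value in form.items():
        pans = find_pans(value)
        if pans:
            offending.append(field)
            redacted[field] = "[REDACTED PAN ending %s]" % pans[0][-4:]
        else:
            redacted[field] = value
    return (not offending), redacted, offending


if __name__ == "__main__":
    # Constructed requests: the expected token-only body, and a body that
    # mistakenly carries the raw card number (4242... is Stripe's public test card).
    print(screen_request({"token": "tok_visa", "amount": "1200"}))
    print(screen_request({"card_number": "4242 4242 4242 4242", "cvc": "123"}))
```

The Luhn filter removes most false positives from ordinary 13-19 digit values, but a Luhn-valid order or account number would still be flagged, so run this as a reject-and-alert control on the payment endpoints rather than as a blanket filter on every request.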
Q: It’s not uncommon to experience frequent, small scale attacks on servers. We’ve even experienced some here ourselves. How do we respond to that?
Michael: It’s really like the wild west right now on the web, and it will be for the foreseeable future. Hackers send out legions of bots en masse to detect vulnerabilities, and then exploit those servers that they find to have little or slow maintenance, and are thus less likely to be detected. We get hit by the debris of stuff that’s just floating around out there, which is simply an inevitability of hosting things online.
There’s nothing that can be done to prevent that element of it, but what we can do is prevent these initial incursions from becoming real problems. If there’s an attempt on any of our servers, we find out immediately through Linode or our in-house monitoring system that alerts us wherever we are, whether it’s in the office or at home in the middle of the night, and lets us do a quick, easy patch before it develops into a more serious problem.
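The bot traffic Michael describes leaves a recognisable trace in a web server’s access log: one source address requesting a burst of paths that do not exist on the site (WordPress, phpMyAdmin, dot-files) and collecting 404s. The detection below is an added example, not SAE’s monitoring system; it parses lines in the common “combined” log format and flags any source that misses on a threshold of distinct paths inside a sliding time window. The log lines are constructed, with documentation-range addresses, and include a slow scanner pacing its probes ten minutes apart to show that the window size decides what you catch.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log sample (not real traffic): a fast vulnerability
# scanner, an ordinary visitor with one harmless 404, and a scanner that
# spaces its probes ten minutes apart.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Mar/2016:02:13:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "zgrab/0.x"
203.0.113.7 - - [14/Mar/2016:02:13:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "zgrab/0.x"
203.0.113.7 - - [14/Mar/2016:02:13:02 +0000] "GET /.env HTTP/1.1" 404 162 "-" "zgrab/0.x"
203.0.113.7 - - [14/Mar/2016:02:13:03 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "zgrab/0.x"
203.0.113.7 - - [14/Mar/2016:02:13:04 +0000] "POST /xmlrpc.php HTTP/1.1" 404 162 "-" "zgrab/0.x"
198.51.100.4 - - [14/Mar/2016:02:14:30 +0000] "GET /auctions/123 HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Mar/2016:02:14:31 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Mar/2016:02:00:00 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "curl/7.47"
192.0.2.9 - - [14/Mar/2016:02:10:00 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "curl/7.47"
192.0.2.9 - - [14/Mar/2016:02:20:00 +0000] "GET /.env HTTP/1.1" 404 162 "-" "curl/7.47"
192.0.2.9 - - [14/Mar/2016:02:30:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "curl/7.47"
192.0.2.9 - - [14/Mar/2016:02:40:00 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "curl/7.47"
"""

# Fields of the "combined" format we need: source, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse(line):
    """Return (ip, timestamp, method, path, status), or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_scanners(lines, threshold=5, window_seconds=300):
    """Flag sources that hit `threshold` distinct paths answered 401/403/404
    within any span of `window_seconds`. Returns {ip: sorted distinct paths}."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, _method, path, status = rec
        if status in (401, 403, 404):
            misses[ip].append((ts, path))

    alerts = {}
    for ip, events in misses.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Move the window's left edge forward until it spans <= window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {path for _, path in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[ip] = sorted(distinct)
                break
    return alerts


if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG.splitlines()).items():
        print("ALERT: %s probed %d missing paths: %s" % (ip, len(paths), ", ".join(paths)))
```

With the default five-minute window only 203.0.113.7 is reported; the slow scanner at 192.0.2.9 is only caught with a window of an hour, which is the usual trade-off between catching patient scanners and flagging a real visitor who clicks a few dead links. In production this logic is what a fail2ban-style tool runs, with the alert feeding a firewall rule and a page to whoever is on call.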
Q: What can auctioneers do to help keep their info safe proactively?
Jacob: The most effective thing is also one of the most simple. Use good password hygiene. A huge percentage of attacks are just through old school password cracking. Don’t use the same password for two things. Don’t make it something anyone could guess by doing a little bit of research on you. No birthdays, anniversaries, anything like that.
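Jacob’s rules (no reuse, nothing a bit of research on you would turn up, nothing from the common-password lists) can be enforced at the point where a password is set rather than left to the user. The checker below is an added example, not SAE’s code: it rejects short and common passwords, passwords built on the account holder’s name, company, birthday or anniversary in the usual typed forms, and passwords that are a previous one with the trailing digits changed. The profile keys, the tiny `COMMON_PASSWORDS` set and the sample inputs are constructed; a real deployment would check against a full breach corpus.

```python
import re
from datetime import date

# Constructed stand-in for a breached-password corpus (a deployment would load
# a local copy of a list such as Have I Been Pwned's).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "auction"}

# Substitutions that cracking rule sets undo before guessing, so they add nothing.
LEET = str.maketrans("@$0134", "asolea")


def _normalize(p):
    return p.lower().translate(LEET)


def _stem(p):
    """Lower-case, drop the digits/symbols people append, undo leet-speak."""
    return re.sub(r"[^a-z]+$", "", p.lower()).translate(LEET)


def _date_forms(iso):
    """Every common way an ISO date like 1984-07-14 gets typed into a password."""
    d = date.fromisoformat(iso)
    forms = {d.strftime(f) for f in ("%m%d%Y", "%d%m%Y", "%Y%m%d",
                                      "%m%d%y", "%d%m%y", "%y%m%d", "%m%d", "%d%m")}
    forms.add(str(d.year))
    return {f for f in forms if len(f) >= 4}   # two-digit fragments would match everything


def check_password(password, profile, previous_passwords=()):
    """Return the list of reasons a password is rejected; an empty list means accepted.

    profile: dict with optional keys 'name', 'company' (strings) and
             'birthday', 'anniversary' (ISO date strings): the facts a little
             research on the account holder would turn up.
    previous_passwords: passwords the person uses or has used elsewhere.
    """
    reasons = []
    lowered = password.lower()
    normalized = _normalize(password)
    stem = _stem(password)

    if len(password) < 12:
        reasons.append("too_short")
    if normalized in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        reasons.append("common")
    for key in ("name", "company"):
        for token in re.findall(r"[a-z]{3,}", profile.get(key, "").lower()):
            if token in normalized or token in lowered:
                reasons.append("personal:" + token)
    for key in ("birthday", "anniversary"):
        if key in profile and any(f in lowered for f in _date_forms(profile[key])):
            reasons.append("date:" + key)
    for prev in previous_passwords:
        # Exact reuse, or the same word with a different year/suffix bolted on.
        if lowered == prev.lower() or (len(stem) >= 4 and stem == _stem(prev)):
            reasons.append("reused")
            break
    return reasons


if __name__ == "__main__":
    profile = {"name": "Jacob Smith", "company": "Sharp Auction", "birthday": "1984-07-14"}
    for candidate in ("Jacob1984!", "P@ssw0rd2020", "Summer2020!!", "Tr0ub4dor&3xplorer-Lamp"):
        print(candidate, "->", check_password(candidate, profile, previous_passwords=["Summer2019"]))
```

The reuse check is deliberately loose: `Summer2019` followed by `Summer2020!!` is exactly the rotation pattern credential-stuffing lists are built to exploit, so it is treated as the same password.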
Q: What happens if an auctioneer’s site goes down? Are there backups? Do we still have their data?
Michael: We do have backups, so in a worst case scenario there is always that to fall back on. HAProxy would help to mitigate a DDoS attack or something of that nature by dispersing high-traffic on one server throughout the entire network, so that significantly reduces the likelihood of an outage. The fact that each auction house is hosted on a separate server also ensures that an attack on one client would not also bring down a different client. If anything did happen to your server, it would have to be a targeted attack against your business, specifically.
Q: What should auctioneers do in the unlikely event that their site does go down?
Jacob: Call us right away. The sooner we know, the more effective we can be in helping, and getting to work to restore normal functioning to your site as quickly as possible.