India’s cyber security scene is in the spotlight yet again, with news emerging that the Indian website of leading pizza retailer Domino’s has been hacked and the details of about 37,000 accounts made public.
The information includes names, contact numbers, email addresses, residential addresses and passwords in plain text.
According to Business Standard, the attack was carried out using the popular SQL injection method and remote file inclusion.
Both are among the most basic methods used by hackers, often with the aid of readily available software tools.
SQL injection attacks take advantage of the lack of filtering of user-input text, allowing attackers to trick the website’s database into revealing information through SQL commands supplied from input areas. Remote file inclusion is a type of attack that allows hackers to upload malicious scripts to be executed at the web server; again, improper input field validation makes a site vulnerable.
This attack is a dream come true for identity thieves, and exposes the lack of protection employed by yet another popular website. It wasn’t very long ago that LinkedIn users’ passwords were exposed, highlighting the need for better protection to be implemented.
Passwords should be both hashed and salted. Salting is the process of adding random characters to a password before it is garbled into a fixed-length, meaningless text via hashing and stored in the server’s database. Passwords that are salted before hashing are much harder to recover with the tools that crack passwords that were only hashed, because identical passwords no longer produce identical stored values.
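As an added illustration (not code from the article or from Domino’s), here is the salt-then-hash scheme described above in Python. It uses the standard library’s PBKDF2-HMAC so that every guess is also deliberately slow; the record format and iteration count are my own choices.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameters: PBKDF2-HMAC-SHA256, 16-byte random salt, 200k rounds.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'iterations$salt_hex$hash_hex'.

    A fresh random salt is drawn for each stored password unless one is
    supplied (useful only for tests); the salt is stored alongside the hash
    because it is needed again at verification time and need not be secret.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_distinct_records(password: str) -> bool:
    """Two users choosing the same password get different stored records,
    so a cracked hash for one cannot be reused against the other."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("pizza-night-2012")  # constructed sample password
    print(record)
    print(verify_password("pizza-night-2012", record))   # True
    print(verify_password("wrong-guess", record))        # False
    print(same_password_distinct_records("pizza-night-2012"))  # True
```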
Adequate server-side password protection methods do not incur much overhead, but Domino’s has missed out on that, and has to settle for the after-effects of a costly error.
In the recent past, there has been a spate of cyber attacks on Indian sites, including an attack on the very agency tasked with responding to cyber security threats in India, CERT-In.
Staying Safe Online
While websites take their time to implement basic security measures at their end, it is important for us as end users to stay safe.
Well-known Indian tech blogger Amit Agarwal has an excellent article on keeping online accounts safe and secure. Among the many tips, he recommends having separate email addresses for various services.
Sites like Facebook can have a publicly known email address associated with them, while services that require more security, or that involve no socialising, can be linked to a “secret” email address. He warns against setting one of these addresses as the recovery email for the other, so that a hacker who compromises one cannot take over both. He also recommends using a virtual credit card (VCC) for payment at sites that are not very well-known or may have questionable security.
Leaks such as the one affecting Domino’s are especially dangerous for users who, for convenience, reuse the same password across several services; that practice should be a strict no-no. Furthermore, it is a good idea to insist on the cash-on-delivery or netbanking options when ordering online.