Is Your Business' Reputation Worth a Free Burrito?

Earlier this year, Mexican restaurant chain Guzman y Gomez received a reputational black eye when it was revealed that inadequate planning and testing had taken place before the launch of a new app and promotion that made customers placing orders via the app eligible for a free burrito.

Not only did demand far exceed expectations, placing a significant and unexpected load on backend systems, but enterprising customers were able to circumvent the built-in security checks by changing their account details and buying inexpensive SIM cards to register multiple times, securing burritos for the cost of a SIM card (a fraction of the cost of a burrito). After the company closed this loophole, it was revealed that the business' SSL certificates had also expired.

SSL certificates form the backbone of encryption, the technology used to establish trust between two IP-connected systems. Encryption is a critical cornerstone of security and privacy for all online transactions. The SSL protocol is ubiquitous, used for secure browsing, email, instant messaging and voice-over-IP (VoIP) applications. Though Guzman y Gomez' SSL issue was quickly fixed, it exposed the vital role keys and certificates play in maintaining trust.

Maintaining visibility over the cryptographic keys and certificates that underpin the secure connection between customers and business infrastructure is vital: visitors accessing secure services via a web connection will be warned by their browser if a certificate has expired or is invalid, leading informed customers to go elsewhere. Worse yet, with expired or compromised certificates, customers' personal data may be exposed if attackers are able to collect the credentials and session ID for the secure connection and gain access to users' systems.

While the maintenance of cryptographic certificates is a concern for every business, an additional risk factor is the expiration of the antiquated SHA-1 standard. From January 1 next year, modern browsers, including Internet Explorer and Google Chrome, will begin flagging pages that use SHA-1 – one of the most popular cryptographic hash functions, in use since 1995 – with security errors. The outdated hash function was designed for a far different web environment than we have in 2016, and is vulnerable to exploitation and attacks that risk the theft of customer data.

From the start of 2017, browsers will notify visitors that payment and password pages secured with SHA-1 cannot be trusted. This has the potential to cause reputational damage and an erosion of consumer trust, and consumers will in turn be inclined to seek out more secure competitors.

Businesses relying on SSL to offer secure services to customers and partners will need to migrate to the far more robust SHA-2 standard in the coming months, but the migration can prove quite a challenge for businesses with sprawling, complex IT systems. Many organisations lack visibility into where the keys and certificates that underpin encryption are located within their infrastructure, and have no way to automate the maintenance and renewal of certificates and keys to ensure they remain current. Businesses must conduct regular audits of their keys and certificates and automate the process as much as possible, not only to track risk factors but also to manage the lifecycle of their security infrastructure effectively and maintain the trust of customers and partners alike.
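The audit the article calls for can be automated with a small check over each certificate in an inventory. The Go program below is an added example, not code from the article or from any vendor's product: it flags the two risk factors discussed above, a certificate that has expired (or is about to) and a certificate still signed with SHA-1 (or the older MD5). The self-signed test certificate, the host name and the "today" date are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Finding is one audit result: which certificate (by CN) and what is wrong with it.
type Finding struct{ Subject, Issue string }

// AuditCert flags the two risk factors the article describes: a certificate that has
// expired (or expires within warnWithin) and one signed with SHA-1 (or the older MD5).
func AuditCert(c *x509.Certificate, now time.Time, warnWithin time.Duration) []Finding {
	var out []Finding
	cn, end := c.Subject.CommonName, c.NotAfter.Format("2006-01-02")
	switch {
	case now.After(c.NotAfter):
		out = append(out, Finding{cn, "expired on " + end})
	case now.Add(warnWithin).After(c.NotAfter):
		out = append(out, Finding{cn, "expires soon, on " + end})
	}
	switch c.SignatureAlgorithm { // browsers start rejecting SHA-1 signatures from 2017
	case x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1, x509.MD5WithRSA:
		out = append(out, Finding{cn, "signed with deprecated " + c.SignatureAlgorithm.String()})
	}
	return out
}

// SelfSignedDER builds a constructed ECDSA/SHA-256 test certificate (no real CA involved).
func SelfSignedDER(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	now := time.Date(2016, 12, 1, 0, 0, 0, 0, time.UTC) // constructed "today"
	der, _ := SelfSignedDER("shop.example", now.AddDate(-1, 0, 0), now.AddDate(0, 0, 10))
	cert, _ := x509.ParseCertificate(der)
	fmt.Println(AuditCert(cert, now, 30*24*time.Hour)) // flags "expires soon" within 30 days
}
```

In a real deployment the certificates would be read from the inventory (PEM files, load balancers, mail servers) and parsed with `x509.ParseCertificate` in place of the constructed one.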

With the clock ticking towards 2017, any organisation conducting business online needs to take heed and audit and upgrade their keys and certificates before it’s too late. After all, reputations can take years to establish, yet mere moments to be dashed.
