A few weeks ago, Test Achats/Test Aankoop has published a resounding report (FR /NL) about the security of 100 online shops. They claimed that 55 of these websites are vulnerable to cyber-attacks. Test Achats/Test Aankoop even gave every website a “security rating” between “good / secured” and “very bad”.
Even if we appreciate that such an organisation is raising cyber-security awareness in the market, at Approach, we were very surprised by this report, as it raised us two major questions:
- Was this initiative performed in a legal way?
- How accurate are the results?
Hacking a website without consent is illegal
The Belgian penal code* is very clear: hacking a website without consent is strictly forbidden, whether the intent is malicious or not. The malicious intent is only an aggravating factor. So our question is simple : Have Test Achats/Test Aankoop asked permission to perform such test to all the targeted web sites ?
That being so, some interpretations of the law consider that there is a violation of the law only if the unauthorized access implies a damage. In our case the damage could be easily reproached:
- First, the tested websites could suffer from a reputational damage, as the results have been publicly published.
- Second, by pointing out which websites are the most vulnerable, some malicious hackers could benefit from this information and try to hack and harm the websites.
Concluding that a website is vulnerable is not that easy
“An open door in a bank does not mean you will be able to break in and steal money. This might be the toilet door. The money might be protected by other doors and security mechanisms.”
When trying to break into a website, this is the exact same story :
- As a first step, the hackers scan the website for vulnerabilities by the use of automated tools. This is relatively fast, but it generates a lot of false positives. In other words, doors that are left open but that will not let malicious people harm the website or steal information. While it can give a first insight on the security level of a website, it is not accurate enough to draw definitive conclusions.
- The second phase when performing a penetration testing is the exploitation of the discovered vulnerabilities. It consists of validating that a vulnerability can effectively been exploited to penetrate the systems. This phase requires manual work performed by skilled ethical hackers to draw pertinent conclusions. Depending on the analysis that needs to be performed, the budget can be highly impacted.
In their report, Test Achats/Test Aankoop states that their test took approximately one month (performed during September 2018). This short test duration leaves us skeptical on the accuracy of their results:
- Either, they only used automated tools to scan the vulnerabilities of the selected websites. In this case, their conclusion might be too hasty.
- Or they must have allocated a lot of resource to be able to draw accurate conclusion for 100 websites in one month.
Within a month, we feel very unlikely that Test Achats/Test Aankoop was able to perform thorough exploitation of the discovered vulnerabilities. Most probably, they draw their conclusions based on the automated vulnerability scan. And possibly conclude that a website is “unsecure”, while none of its vulnerabilities are critical and can be exploited.
In a word, this report might be both illegal and misleading. We hope Test Achats/Test Aankoop realizes the extent of such testing and, if need be, may they change their approach when ranking the cyber security of company websites. Should Test Achats/Test Aankoop disagree with our comments, we would be happy to hear their side of the story.
* “Art. 550bis.§1er. Celui qui, sachant qu’il n’y est pas autorisé, accède à un système informatique ou s’y maintient, est puni d’un emprisonnement de trois mois à un an et d’une amende de vingt-six francs à vingt-cinq mille francs ou d’une de ces peines seulement. Si l’infraction visé à l’alinéa 1er, est commise avec une intention frauduleuse, la peine d’emprisonnement est de six mois à deux ans.”
“Art. 550bis. § 1. Hij die, terwijl hij weet dat hij daar toe niet gerechtigd is, zich toegang verschaft tot een informaticasysteem of zich daarin handhaaft, wordt gestraft met gevangenisstraf van drie maanden tot een jaar en met geldboete van zesentwintig frank tot vijfentwintig duizend frank of met een van die straffen alleen. Wanneer het misdrijf, bedoeld in het eerste lid, gepleegd wordt met bedrieglijk opzet, bedraagt de gevangenisstraf zes maanden tot twee jaar.”