Posts

Immediate action required: SSLv3 security alert causing changes in PayPal modules

Due to the POODLE security attack, PayPal will drop their support for SSL 3.0 on December 3rd 2014. In order to keep offering PayPal as payment, this blog post will show you the possible ways to adapt to the issue.

 

This is an urgent note to everyone using PayPal as a payment provider in their OXID eShop.

In October 2014, a vulnerability of the SSL 3.0 protocol was detected, as discussed in forums and blogs recently. This means, websites and all internet businesses relying on SSL 3.0 can no longer sufficiently protect their users‘ information from hackers.

Payment provider PayPal will drop their support for SSL 3.0 on December 3rd 2014, 12:01 a.m. PST (09:01 a.m. CET), causing all PayPal transactions based on SSL 3.0 not to work any longer from this moment on.

In order to keep offering PayPal as a payment in your OXID eShop, please update your OXID eFire Extension PayPal to version

3.2.1 when using OXID eShop 5.2.x (EE) or 4.9.x (PE/CE)
3.1.2 when using OXID eShop 5.1.x (EE) or 4.8.x (PE/CE)
3.0.3 when using OXID eShop 5.0.x (EE) or 4.7.x (PE/CE)

We will also publish a patched version of the OXID eFire Extension PayPal for OXID eShop 4.4.x to 4.6.x within the next week.

Please note:

If you refuse to proceed one of the solutions mentioned above, every payment via PayPal will fail from December 3rd onwards! This also applies for the PayPal Portlets in our cloud platform OXID eFire, which will not be altered. If you still run this method, please update to our standalone OXID eFire Extension as soon as possible. The extension can be found in OXID eXchange.

Heartbleed and What to do Against it When Running an Online Shop

heartbleed

The so-called “heartbleed bug” in OpenSSL, unveiled a couple of days before, thrilled the entire Internet community. Speaking with the words of my mates @tabsl: “There has been nothing more terrible as this in the entire history of the Internet” and @[D³]tdartsch: “As a matter of fact, the entire field of secure Internet communications lies in ruins.”

Especially online merchants – no matter which shopping cart system is used – are hit hard: the heartbleed bug is a serious vulnerability that allows the theft of data that actually ought to be secured by using SSL/TSL encryption during the registration/checkout process in an online shop. Even worse: nobody knows if exploits have already happened to a website, because it is not even traceable… Fixing this issue is of the utmost importance, as a shop owner is responsible for the data stored in his database towards his clients!

 
 

Alright, lets all find a moment for a collective sigh of affirmative relief, if you run an online shop or have clients to run it, and shall we see what you can do actively:

  1. Please make sure that OpenSSL is up to date on your servers. If you have shell access, you can check it with $ openssl version -a. If you find the built on date past April 7th 2014, you should be safe.
  2. A new SSL certificate has to be issued and installed on the server. We talked to our hosting partners: all of them already run #1 and are in touch with their clients in order to exchange the certificates.
  3. Change your own credentials for accessing the admin panel of your system. Secure this admin panel with an .htaccess file (directory protection) and change these passwords.
  4. Force your clients to change their login in details and so forth, immediately. Tell them clearly about this bug and that you can’t guarantee for any misuse of their personal data if they don’t do it. Send an extra newsletter about this topic, maybe use a voucher with some percent to entice them.

Alright. You’re aware for this topic – act now! Good luck to all of you brave online merchants!

Let us know if there’s anything else to do from your perspective as a comment to this blog post.

10 Essentials for Mobile Commerce – Part 3

Finally we publish the 3rd part of our series “10 essentials for mobile commerce”. The last part focuses on the importance of usability and user experience as well as speed and security.

7. Usability is even more important on smaller screens

The usability of your online shop has a huge impact on the success of your business strategy. The smaller screens of smartphones and tablets turn the importance of usability friendly design even higher. There are a few basic principals which should be considered: Use a consistent design throughout the app. Make buttons big enough for touchscreens and use icons or images to make it more clear. Facilitate the navigation through different categories with a “Back”-button. Use intuitive gestures for multitouch-devices such as swiping to let customers navigate through articles. Make use of the accelerometer to show bigger images of articles in the landscape view. There are surely many more ways to optimize the usability of smartphone apps – keep always in your mind, that usability is crucial!

8. Be as secure as you could be

There is a very recent study of Forrester, which says, amongst other things, that many people have problems with entering their sensitive data in the tiny smartphone text boxes. For retailers this has two implications. First of all, be as secure as you could be in your app. Offer the possibility to pay via PayPal or other payment services without entering all the sensitive data. Use SSL or other security methods and communicate this fact to your customer.  Show your credibility by implementing the Trusted Shops seal in your app. Second implication is, that you have to practice educational work that mobile commerce isn’t at all unsecure and that all data lays on secure servers and so on. Explain your customer why she or he hasn’t to be afraid of purchasing your products on the smartphone and on the tablet.

9. Create a seamless user experience

Seamless user experience – what an expression. Sounds very complicated, but is in fact very banal. Create corporate identity guidelines which are consistent over all touchpoints with your customer. Print, ads, mobile, online shop, brick and mortar store and all other touchpoints with your customer should reflect the brand. Especially the recognition value of the mobile and the online shop has to be very high. Point 3 (in part 1 of our series) also counts onto the account of a seamless user experience. If there are cuts between different touchpoints it’s not seamless. To account for the fact that many people inform mobile and purchase articles in the online shop, you have to implement a basket which is persistent on all devices. Or, if this is too expensive/complicated, you may implement a possibility to email the basket and/or to create a link to the basket with all the products in it. This way you’ll facilitate your customer the change of the touchpoint and thus increase the possibility that this customer is buying. And remember, it doesn’t matter which touchpoint does which part during the customer journey, important is only that she or he completes the order!

10. Speed is the key to conversion

When we visit an online shop we expect instant loading of the sites, if the different sites are not loading as expected, we leave the website and the turnover for the retailer is gone. That’s exactly the same with mobile apps. And there is also a tiny little point why native apps are better than mobile optimized templates. Native apps are faster and exploit the hardware of the smartphone in an optimal way. So keep in mind that speed is the key to conversion.