
Ecommerce Forum

    
McAfee Secure - is it worth it?
McAfee Secure
robert76




msg:3845624
 3:19 pm on Feb 9, 2009 (gmt 0)

I'm seeing this seal on almost every ecommerce site. So as not to be left out of the crowd in case this is something shoppers are really looking for when choosing where to buy, I contacted them and they quoted over $5000/year. The average increase they say clients receive is 14.7% by displaying the logo. Based on ROI, this cost is do-able even though on an absolute basis it is still an awful lot of dough for what pretty much amounts to use of a logo. Is anyone actually receiving 14.7% lift from this? (and since it's an average, that means some users must be receiving twice that!)

 

ssgumby




msg:3845758
 6:26 pm on Feb 9, 2009 (gmt 0)

I'd say yes, it is worth it. We saw an increase of around 12%. My price was only $1700 but I know it's based on the amount of traffic you get so yours must be a lot more than mine.

We did the a/b split test to "prove" it was of value to us. While that showed us on paper that it was worth it we can see by the sheer volume of orders post implementation that it was worth it.

ssgumby




msg:3845760
 6:29 pm on Feb 9, 2009 (gmt 0)

Let me add ... in addition to the increase in conversions, it also has proven invaluable as a PCI compliance tool. I was dinged with a PCI compliance fine and was told I needed to use securitymetrics to verify I was secure. After going around with my merchant provider I was able to print my PCI compliance certification from mcafeesecure and fax it to them and all fines have been removed.

topr8




msg:3845783
 7:07 pm on Feb 9, 2009 (gmt 0)

well i was telephoned and given the hard sell by these guys ...

and when the salesman gave me the line:

if you had the cure for cancer, wouldn't you share it with everybody - i just hung up.

i don't in any way dispute their claims, on the other hand i've had a site freeze on me because the page was waiting for the mcAfee server to serve the 'safe' symbol - more than once, but then again maybe they have sorted that issue out by now.

vetofunk




msg:3845964
 10:21 pm on Feb 9, 2009 (gmt 0)

I don't think it is, but this is just based on one web site I have it on. It's only on that web site as the client wanted to have it because his new cheap competitors that are copying his site don't have it. We did some A-B testing from day to day and didn't see any difference in conversion rates, even with all the recommendations on where to place it.

I may test it on other industry sites though. Ask them about their 30 day guarantee. They said that if I didn't see an increase in conversion rates, I could cancel and get a full refund if I did so in less than 30 days.

bwnbwn




msg:3846437
 4:07 pm on Feb 10, 2009 (gmt 0)

Interesting read on this topic
[theregister.co.uk...]

ssgumby




msg:3846530
 5:43 pm on Feb 10, 2009 (gmt 0)

I don't agree with that article at all. They definitely do not "rubber stamp". My site has had XSS issues identified. I worked to resolve and every once in a while a new one comes up. I think it is well worth the money for the increase in conversion, the PCI compliance and lastly for the insight into potential issues that I could fix. Without mcafee, how do you know if there is a threat to your site? My guess is you don't so it's just quietly sitting there. I think being proactive is a much better option.

vetofunk




msg:3846544
 6:02 pm on Feb 10, 2009 (gmt 0)

What about Geeks.com then? Hackersafe/McAfee even says they are not 100% secure:

[informationweek.com...]

ssgumby




msg:3846648
 8:42 pm on Feb 10, 2009 (gmt 0)

The geeks.com story is over a year old, but even so there are reports that they did in fact lose their certification off and on prior to the attack. In essence when a scan fails you have a limited amount of time to fix it or lose your seal. Even once it's fixed, if you are working on your code you can easily inject your code with another issue and get another alert that it needs fixed. They do allow you a certain amount of time and in that time you certainly could be hacked. However, again, if you don't have something or someone telling you that you have an issue how would you know? Is it better to be vulnerable and blind or vulnerable and proactive?

ssgumby




msg:3846650
 8:44 pm on Feb 10, 2009 (gmt 0)

In a perfect world, our code would be secure and ANY changes no matter how small would go through a thorough security code review. I know that as a VERY small retailer I do not have the resources for that so mcafee is kind of an after the fact check.

ssgumby




msg:3846662
 9:00 pm on Feb 10, 2009 (gmt 0)

Also, let's not be fooled into thinking anyone is secured. A seal in and of itself is NOT going to secure your site. Look at today's news. The FAA site was hacked.

trinorthlighting




msg:3847914
 1:28 pm on Feb 12, 2009 (gmt 0)

We just signed up. It does help identify weaknesses, but does not 100% protect you.

We did it more for the recognized seal and increased conversions. Unfortunately we do not have conversion data yet because our market has taken a dip recently with all the stuff going on in the economy so it is hard to gauge increased conversions because of the seal when order volume is generally dropping due to the economy.

lgn1




msg:3850893
 8:23 pm on Feb 16, 2009 (gmt 0)

They originally quoted around $3000 plus per site but they kept lowering the price and the last offer was about $1200 a year for 5 sites total.

We still said no.

Someday we will use photoshop to make an official looking seal.

Seriously, if your site already shows trust by having an 800 number, physical address, SSL logo, etc; you don't need all these expensive feel good trust seals.

Design your site right, and you won't need to buy trust.

ssgumby




msg:3850905
 8:59 pm on Feb 16, 2009 (gmt 0)

We have an 800# prominently displayed, a physical address displayed, a nice statement about our use of SSL, a better business bureau logo, live chat and still the mcafee secure logo showed us a 12% increase in conversions. And again, it isn't all about the increase in conversions, it is about knowing/finding out you have a potential risk. I'm kind of shocked how many people just think of it as a trust seal and not a proactive way to keep your site secure.

mattb




msg:3851065
 1:28 am on Feb 17, 2009 (gmt 0)

If you are required to become PCI compliant then you will need to pay for a site scan. (Most, if not all ecommerce sites are now required to do so.) Mcafee handles this and so does Security Metrics. You get a site seal with both of them which is optional to display. So in the future it may be a moot point about paying or not paying as everyone will have to. We have noticed in our surveys that a minority of customers express concern about site security. For us it is just one more small barrier to remove from their mind before buying. It's not a magic bullet but it probably won't hurt.

pbradish




msg:3851704
 7:15 pm on Feb 17, 2009 (gmt 0)

A $1,500 - $3,000 price tag is awful hard to swallow (and pitch), but as our e-commerce operations grow I think that it will be a necessary one to prove PCI compliance and match our top competitors.

I used to be dead set against Secure Seals, especially that old Hacker Safe logo. I even used to write against them, along the thoughts that it probably encouraged hackers.

Though I bet that the new McAfee Secure seal probably does increase conversions by a small amount, I think that a 12% increase in sales MUST be well above the norm - but if that's true then we could see a six figure increase in sales. That makes the initial investment seem very minimal.

What have others seen through split testing? 1%, 3%, 5%?

enigma1




msg:3855222
 12:50 pm on Feb 22, 2009 (gmt 0)

I believe you should check the facts and how these validation tools work. First of all these tools can only check the HTML and responses sent from the server on a given request. They perform a limited number of requests and those are totally unaware of the shopping cart s/w or ecommerce web app specifics.

Therefore they can never catch errors that are generated on the server end when certain parameters are passed and target the specific web application or shopping cart. At the same time, attackers, when they deploy bots checking for vulnerabilities, are way more effective because they check software versions, server versions and other stuff like modules deployed with popular shopping carts.

End result is, these tools may do more damage, if a merchant ignores some basic facts and totally relies upon them. Facts like upgrading the server software, shopping cart code, etc. For some shopping carts, there are dedicated tools that check for weaknesses and can give you information on flaws from the server end.

Also lots of the errors reported from tools like hackersafe, refer to the host exclusively and not to the shopping cart code. If you're on a dedicated server you may be able to add the patches and get around it. But if you are on a virtual or shared host, good luck convincing the host to do upgrades.

ssgumby




msg:3855408
 9:29 pm on Feb 22, 2009 (gmt 0)

enigma1 - Mcafee does more, way more, than checking HTML responses. They perform server scans ... in fact they have pointed out issues with server specific settings that my host resolved for me. They have found cross site scripting issues with my cart and showed me exactly how they were able to do it. I was able to inject the mcafee secure site into the body of my page. They also showed me how a hacker could swipe cookie info. They have found issues and I have resolved them. Here is an example ... on my site I have product reviews ... very specific URL parameters for the reviews .. they were able to show me how they could manipulate these url parameters with embedded scripts and hack my site. Again, I resolved these issues but was VERY appreciative of them finding it. Mcafee has alerted me to specific versions of PHP I was running and vulnerabilities with them. I personally would not run a site without it.

enigma1




msg:3855750
 1:09 pm on Feb 23, 2009 (gmt 0)

ssgumby, hackersafe no matter how high you rank it, it doesn't know of the script specifics. I have used it and tested it on several occasions and it never caught problems that were script specific and manifest on the server end, simply it doesn't know the variables that are exposed by the script.

To give you an example, if your shopping cart s/w was using a variable $xyz, that was not exposed with the reviews form you mentioned and within the script you were doing something like
$xyz = $_GET['xyz'] followed by a dbase update, then those tools do not see anything. In other words a million things can happen on the server end for a request and the hackersafe won't have a clue because nothing will be sent back by the server. However an attacker knows about the script specifics.

So it's best to keep your web s/w fully updated from the vendor and monitor the modules you have integrated, if any, for updates.

As I mentioned unless you're on a dedicated server, you don't have much choice but to either use the server s/w the host sets up for you or change hosts. There are separate issues that can happen from the PHP, MySQL, Apache, etc versions and different from the shopping cart s/w.
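Added example, not part of the original thread or any poster's code: the pattern described in the post above (a request value that goes into a database update without anything being echoed back) next to a hardened handler. The table, handler names and request value are constructed for illustration, and it assumes PHP with the pdo_sqlite extension.

```php
<?php
// Constructed demo: an in-memory SQLite table stands in for the cart database.
function make_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, price REAL, views INTEGER)');
    $pdo->exec('INSERT INTO products VALUES (1, 19.99, 0)');
    return $pdo;
}

// Pattern from the post: the request value is placed straight into an UPDATE.
function handler_unsafe(PDO $pdo, array $get): string {
    $xyz = $get['xyz'] ?? '0';
    try {
        $pdo->exec("UPDATE products SET views = $xyz WHERE id = 1");
    } catch (PDOException $e) {
        // Errors are swallowed, so nothing about the query reaches the response.
    }
    return '<html><body>Thanks for your review</body></html>';
}

// Hardened: accept only a non-negative integer, then bind it as a parameter.
function handler_safe(PDO $pdo, array $get): string {
    $xyz = filter_var($get['xyz'] ?? '0', FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 0]]);
    if ($xyz !== false) {
        $stmt = $pdo->prepare('UPDATE products SET views = :views WHERE id = 1');
        $stmt->execute([':views' => $xyz]);
    }
    return '<html><body>Thanks for your review</body></html>';
}

// Constructed request value that carries SQL syntax instead of a plain number.
$request = ['xyz' => '1, price = 0'];

foreach (['handler_unsafe', 'handler_safe'] as $handler) {
    $pdo   = make_db();                       // fresh database for each run
    $body  = $handler($pdo, $request);
    $price = $pdo->query('SELECT price FROM products WHERE id = 1')->fetchColumn();
    // The fingerprint is what a response-only scanner has to work with.
    printf("%-15s response=%s price_after=%s\n",
           $handler, substr(hash('sha256', $body), 0, 12), $price);
}
```

Both handlers return the same page, so a tool that only compares responses sees no difference between them; the difference shows up in the stored price or in a review of the code.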

ssgumby




msg:3855776
 2:11 pm on Feb 23, 2009 (gmt 0)

enigma1 - how would an attacker know of the script specifics? I can assure you that mcafee has found issues with my site with script specific variables ... not sure what you mean by "exposed" but they have found issues with hidden fields.

I agree it is best, not even best but critical to keep your s/w updated with the vendor.

I am not on a dedicated server, but when mcafee has found server specifics my host has updated the server within days to help keep my site PCI compliant.

enigma1




msg:3855828
 3:22 pm on Feb 23, 2009 (gmt 0)

how would an attacker know of the script specifics?

He can determine the web software by sending a bot to crawl it (or he can even see the urls as indexed by the search engines). So let's say you have an e-commerce store. What are the most popular shopping carts out there? 10? 20? For each one the bot can test for a unique url/parameters and determine the nature of the cart, although search engines can cover for most cases.

Once this is determined he can get the source code of the application and now he knows the weaknesses between different versions of the s/w (btw these are documented by the vendor). So if your reviews script has a problem it is not even necessary to figure out what additional module the site has on.

Also many of the popular carts are open source so the code is widely available as well as the various modules or plugins. For closed source carts, it's a bit harder to acquire the code but it's still possible. Or he can visit sites like secunia where it contains a vulnerability database and then he starts applying the various documented hacks at every level. Server s/w, application, cpanel etc. Because if he knows the site he knows the host, may also know the server version etc from the headers.

Unless you have developed your own custom cart in which case yea it can be quite secure from the application point.

So in my opinion it is way more important to keep the s/w updated, than relying on some other tool that operates at the html level to figure things out.

particleman




msg:3856566
 12:43 pm on Feb 24, 2009 (gmt 0)

wow, I had no idea that was so expensive. I hope some of you find value in that, but I consider it part of my job to do what that tool does, so besides that I don't think it is worth the money to stick the logo on our sites. In our case it would be 6x that because of the number of sites we have.


All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
© Webmaster World 1996-2014 all rights reserved