Posts Tagged ‘security’
Keeping Watch Over IT
Posted by: Jeff Leget, Director of Operations
A ClickBank client recently asked me about the tools we use to monitor and secure our systems so that he could learn more about monitoring and securing his own systems. So today I’m writing about some of the simple tools ClickBank uses to secure our servers and how those tools might benefit publishers and affiliates.
First, I think it is important to understand what parts of your technology are integral to your core business and what parts should be outsourced. At ClickBank, we use external outsourced data centers for many of our services. We want to focus our energy on providing innovative solutions that support your business, not building world-class data centers. Many ClickBank clients already outsource their Web services, because creating and promoting great products is their core business. A service provider can offer uptime guarantees, redundant network connections, and much more. These options can make your Web site significantly more complicated if you manage them yourself.
You should make sure that you always have multiple copies of your Web site code, both on and off the Web servers themselves. A disaster with your service provider doesn’t have to be a disaster for you. In addition, your Web site should be protected from DoS (Denial of Service) attacks. You or your service provider should invest in tools that inspect your Web traffic. Web servers like Apache (with mod_evasive or mod_security) have the ability to handle or dynamically block traffic that doesn’t meet requirements. For example, if you receive 1000 requests in a row to your Web site for pages that don’t exist, the IP address requesting those pages should be blocked.
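As an added illustration (not ClickBank's code and not an Apache module), the sketch below applies the rule from the paragraph above to access-log lines: it counts each client's unbroken run of 404 responses and reports the addresses that reach the threshold. The Apache common/combined log layout, the function names and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Assumed layout: Apache common/combined log format (client IP, request, status).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:[^"\\]|\\.)*" (\d{3}) ')

def ips_to_block(lines, threshold=1000):
    """Return client IPs whose run of consecutive 404s reached the threshold."""
    streak = defaultdict(int)    # current unbroken 404 run per client IP
    flagged = []                 # kept in the order each IP first crossed
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue             # skip malformed lines rather than guess
        ip, status = m.group(1), m.group(2)
        if status == "404":
            streak[ip] += 1
            if streak[ip] == threshold and ip not in flagged:
                flagged.append(ip)
        else:
            streak[ip] = 0       # any other response breaks the run
    return flagged

def sample_line(ip, path, status):
    # Builds one constructed log line; timestamp and size are placeholders.
    return f'{ip} - - [01/Jan/2024:00:00:00 +0000] "GET {path} HTTP/1.1" {status} 0'

# Constructed sample using documentation address ranges:
#   203.0.113.7   requests five missing pages in a row
#   198.51.100.4  hits two 404s, one real page, then two more 404s
#   192.0.2.9     only requests pages that exist
SAMPLE = ["not a log line"]
for i in range(5):
    SAMPLE.append(sample_line("203.0.113.7", f"/missing{i}.php", 404))
    ok = (i == 2)
    SAMPLE.append(sample_line("198.51.100.4", "/" if ok else f"/old{i}", 200 if ok else 404))
    SAMPLE.append(sample_line("192.0.2.9", "/index.html", 200))

if __name__ == "__main__":
    # Threshold lowered to 3 so the small sample triggers; the post uses 1000.
    print(ips_to_block(SAMPLE, threshold=3))
```

The returned list is what would be handed to a firewall or web-server deny list; a visitor who follows an occasional dead link never builds a long enough run to be flagged.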
Regardless of whether or not you outsource facets of your Web site, you should monitor it from at least one external source. In addition to extensive internal monitoring, ClickBank subscribes to several external Web-monitoring services. These services include:
· http://www.alertra.com
· http://www.internetsupervision.com
· http://www.site24x7.com
· http://www.siteuptime.com
There are many others as well. These services often offer free monitoring at low levels (every 30 minutes to 1 hour) from a single location. Any downtime is automatically reported to you via email or text message. Paid subscription services often offer higher monitoring rates from various locations around the globe. Some services allow you to monitor content on the page. This enables you to make sure that your Web site is not hacked or modified without your knowledge. Other services like www.dnsstuff.com allow you to check the completeness of your Web site domain, the associated DNS entries, and potential email blacklists. It is important to make sure that the rest of the world views your Web site the same way you do.
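The content check described above can be sketched as follows. This is an added example, not code from ClickBank or from any of the listed services: it looks for phrases the page must contain and for script or iframe sources on hosts outside an allow list. The function and class names, the host names and both sample pages are assumptions constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class RefCollector(HTMLParser):
    """Collect hosts of external script/iframe sources and the page text."""
    def __init__(self):
        super().__init__()
        self.hosts, self.text = set(), []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            host = urlparse(src).netloc if src else ""
            if host:                      # relative URLs have no host
                self.hosts.add(host.lower())

    def handle_data(self, data):
        self.text.append(data)

def check_page(html, required_phrases, allowed_hosts):
    """Return a list of findings; an empty list means the page looks as expected."""
    p = RefCollector()
    p.feed(html)
    text = " ".join(" ".join(p.text).split())   # collapse whitespace
    findings = [f"missing phrase: {s}" for s in required_phrases if s not in text]
    findings += [f"unexpected host: {h}"
                 for h in sorted(p.hosts - set(allowed_hosts))]
    return findings

# Constructed sample pages: the expected page and a modified copy.
GOOD = ('<html><body><h1>Acme Widgets</h1>'
        '<script src="/js/app.js"></script>'
        '<script src="https://cdn.example.com/lib.js"></script></body></html>')
TAMPERED = ('<html><body><h1>Under new management</h1>'
            '<iframe src="//ads.example.net/x"></iframe>'
            '<script src="/js/app.js"></script></body></html>')

if __name__ == "__main__":
    for name, page in (("good", GOOD), ("tampered", TAMPERED)):
        print(name, check_page(page, ["Acme Widgets"], {"cdn.example.com"}))
```

Run from a machine outside your hosting provider, against the HTML fetched from the live site, so that the check sees what visitors see.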
Finally, for publishers, it is extremely important that you protect your product download itself. ClickBank allows each publisher to use the ClickBank Proof of Purchase to ensure that every purchase of your product is legitimate. A description of how to verify the Proof of Purchase, along with the code to perform this action, is available at:
http://www.clickbank.com/publisher_tools.html#Publisher_Tools_7
We work hard at ClickBank to build and maintain a secure and stable platform for our clients and customers. I hope that some of these tips help you to do the same.

Locking Up the Store
Posted by: Greg Lems, Director of Application Development
If you ran a brick-and-mortar store, would you leave it unlocked at night when nobody was around? Of course not! Unfortunately, some ClickBank publishers do just that by not protecting their download URLs.
The download URL (also called the “Thank You Page”) is how paying customers download their digital product from a ClickBank publisher. Publishers configure this URL in the “My Products” section of their ClickBank account. It is important to realize that when ClickBank accepts a payment and sends the customer to the publisher download URL, we also pass along important encrypted information that only the publisher can decipher. The deciphering of this information allows publishers to quickly determine whether the person attempting to download the product has actually paid or not.
If you’re a Web site owner with programming knowledge, or if you have access to a programmer for your site, details on how to implement this feature can be found here:
http://www.clickbank.com/publisher_tools.html#Publisher_Tools_7
If you’re not comfortable with performing programming tasks on your site, there are numerous commercial products available that provide protection for your downloadable digital goods. Some examples of these products for sale on ClickBank include DLGuard, easyClickGuard, and Lock-It-Now, although more can be found in the ClickBank Marketplace.
ClickBank is dedicated to protecting our publishers’ content and helping publishers achieve proper levels of security. Be sure to take advantage of available tools to avoid the undesirable realization that you left your store unlocked overnight!
Protecting Your Hoplinks
Posted by: Greg Lems, Director of Application Development
Remember the good old days, when you could put a personal check in an envelope and leave it in your mailbox with the little red flag up? Nowadays the media is full of reports about identity theft rings, some of which collect bank account information by harvesting checks from mailboxes. Although incidents of this nature have increased in recent years, the overall chances of it happening are actually still quite low. Nevertheless, I won’t leave an outgoing check in my mailbox, because it can’t hurt to be extra safe.
In a somewhat similar manner, it is important for ClickBank publishers and affiliates to protect their Hoplink information. Hoplinks are the key to the ClickBank Marketplace. Affiliates create them to promote publisher products, and publishers rely on them to drive traffic their way.
ClickBank has put a tremendous amount of effort into the reliability and security of its Hoplink system. It is closely monitored and designed to provide every protection possible, so that affiliates get proper credit for their sales. At its heart, however, the Hoplink system relies on URLs to work and as a result information can be exposed about the affiliate for the sale. Luckily there is a way to avoid such exposure.
“Hoplink theft” is a term used to describe the act of changing Hoplinks so that they credit a different affiliate. A hardworking affiliate may place Hoplinks across many sites on the Internet, but a person with their own ClickBank account and bad intentions could, with some manual steps and scheming, create a Hoplink identical to the hardworking affiliate’s, but with their own nickname substituted in. This typically happens in one of two places: when a Hoplink is placed in an ad by an affiliate, or at payment time when a publisher attempts a quick hop to a different affiliate just before payment. It isn’t a common problem, and when we encounter it we swiftly discipline the dishonest parties. There are steps, however, that can be taken to prevent it from happening in the first place.
To avoid the first form of Hoplink theft, we recommend cloaking your Hoplinks. This involves the creation of redirects that will take users to the intended destination without showing them the exact URL they are being sent to. This can be done either with a bit of HTML that surrounds the Hoplink, or with some server-side scripts for redirects. More information is available on this topic here:
http://www.clickbank.com/affiliate_tools.html#Affiliate_Tools_2
Additionally, there are third-party products available to cloak Hoplinks. Although ClickBank does not specifically endorse any of these products, we encourage anyone seeking cloaking functionality to investigate what’s available, as there are a number of different ways to perform this simple redirect.
To avoid the second form of Hoplink theft, we recommend that you examine the order flow of the products you are promoting to ensure that additional Hoplinks have not been added to the ordering process. The most straightforward way to do this is to click your own Hoplink, view the publisher’s pitch page and then click through to the ClickBank order form. At the bottom of the order form you’ll see an indicator that starts with “affiliate=.” If your Hoplink was constructed correctly, your affiliate nickname will appear there. It is a good practice to regularly check this flow to ensure you receive proper credit for sales.
Hoplink theft is not common. If you suspect it is happening, you can report it to abuse@clickbank.com and our security team will investigate. By cloaking your Hoplink URL and paying attention to the order flow of products you promote, you can ensure protection of your hard-earned ClickBank commission. Just like when mailing a check, the likelihood of something undesirable happening is low, but it doesn’t hurt to be safe.
Takin’ Care of Business
Posted by: Monty Sooter, CTO
It is interesting when a neighbor asks me what I do for a living. I usually say I do computer stuff, and then there is no telling where the conversation is going. A common response that I like to receive is, “Oh, that’s nice,” and then we end up talking about the latest weather or how the kids are doing. The conversation I love to have is, “It’s incredible how the Internet has transformed business/life in the past decade,” and then I get to tell them about ClickBank. The conversations I try to avoid are, “I’m having a problem with this free software package on Windows 95.” I usually try to be patient, but I know there is a slim chance they will get help from me or anyone else. It would be less painful to just give them a thousand bucks for a new PC.
At work I have similar conversations. Some of my fellow co-workers do occasionally ask me what I do for a living; I hope they’re kidding. We do have great conversations about how ClickBank is transforming business. All of us have had many “traditional” business experiences, but ClickBank is the one that we view as the most transforming business experience in our careers. It is still amazing how this affiliate-driven digital goods business model provides so many benefits to folks across the globe, and it is only going to get bigger and better.
At ClickBank, we know that to “take care of business” we have to be able to adapt quickly to any problem that comes our way. Our thousands of affiliates and publishers rely on our IT systems to keep their businesses running at all times. Unlike most companies, our IT infrastructure doesn’t only affect our ability to do business; it affects the livelihood of our clients as well. It would be nice if we were only presented with easy problems, such as a failure of one piece of equipment, the failure of one network connection, or the failure of one database. Instead, we have to be ready to take care of the difficult problems, like a partial failure of one disk that corrupts one sector of a replicated database in the secondary data center.
We prepare to take care of these difficult problems when (not if) they happen by buying fully supported network gear and servers, purchasing support for all of the software products we use in production, and having redundant systems in two data centers. In each of the data centers, we have redundancy in the most critical hardware (database servers) to ensure that any failures do not impact business. Most of our software is open source and we make sure we have support contracts in place. We also take the time to perform regular hardware and software maintenance to make the most of our support contracts.
It is less painful and smarter to have put in the extra time and spent the extra bucks to have all the right hardware and software in place to make sure we are “taking care of business” for our many clients. It also means that I don’t have to ask my neighbors for help.
