17 posts categorized "Security"

08/14/2018

Why You Should Use Wild Apricot Payments - Powered by Affinipay

Wild Apricot Payments, powered by Affinipay, is now the preferred payment vendor in Wild Apricot. In this article we use the names Wild Apricot Payments and Affinipay interchangeably. The main features of Wild Apricot Payments are:

  • No monthly fee, no startup fee
  • A standard 2.9% + $0.30 per transaction fee, collected in the currency of the account (CAD or USD)
  • Payments are transferred directly to your bank account within 48 hours.
  • When members check out they stay on your site rather than being sent to a third-party site (e.g. PayPal Standard redirects them to PayPal.com).
  • Recurring payments (aka scheduled payments) are supported.
  • There are a variety of financial reports that are available.
  • Wild Apricot provides integrated one-stop support for the product and the payment gateway.
  • Currently, only US and Canada residents can apply for a Wild Apricot Payments account in USD or CAD currencies.

As of October 1, 2018 only 4 payment gateways will remain -- Wild Apricot Payments, various PayPal flavours, Stripe and Authorize.net. Our informed opinion is simple:

Wild Apricot customers should all consider moving to Wild Apricot Payments, the preferred payment gateway, as soon as possible.

We forecast that support for all other payment gateways will be discouraged and eventually Wild Apricot Payment gateway will be the only supported online payment mechanism.

Many Software as a Service products that offer financial support (eg online invoicing systems) are amalgamating support around 1 payment gateway due to the nature of the evolving markets and availability of specialized gateways like Affinipay. Wild Apricot has created not only a technical relationship with Affinipay, but a financial one as well. Affinipay incents Wild Apricot financially to use them as a gateway, and that helps Wild Apricot to continue to keep software subscription costs down. When using any other payment gateway, Wild Apricot does not get any financial incentives. With Affinipay, this changes forever as Wild Apricot receives a commission based on the volume of transactions that flow from Wild Apricot to Affinipay. In effect the more online transactions you pass through Wild Apricot Payments on your Wild Apricot website, the more money flows to Wild Apricot effectively subsidizing your monthly Wild Apricot fee -- without costing you, the customer, one extra cent!

As a Wild Apricot customer, this only benefits you because not only can Wild Apricot focus on supporting just 1 payment gateway, but they can use the added revenue to create new features and benefits while working to keep the price of Wild Apricot low. This is smart business strategy, but it does create some uncertainty for current customers. We hope you will reach out to NewPath Consulting to assuage those fears and prepare to migrate your payment gateway when you are ready.

The Good

  • USD accounts can be set up in 2-3 days using a simple onboarding form
  • Affinipay has an easy to use and secure dashboard
  • You can send requests for payment (called Quick Bill) by email, and your customers can pay right from the email. This is an alternative to paying an invoice directly from Wild Apricot.
  • You can also charge credit cards on the fly using the virtual terminal feature
  • You can void a transaction the same day, and refund it up to 6 months after the transaction
  • Deposits happen daily and are available in your bank account within 1-2 business days

Affinipay Dashboard
Test Mode Dashboard
Wild Apricot Payments Quick Charge Page


Not so good

  • The Affinipay account setup for CAD accounts for Canadian customers requires some paper shuffling and is manual for now. I have assurances that this will improve eventually. For now NewPath can help CAD customers get up and running with a form we are developing. Stay tuned!
  • Currently First Data Canada is the payment processor for CAD accounts and they can be somewhat bureaucratic about account setup. Hopefully this will change eventually without affecting existing or new CAD customers.
  • For now the card details are still collected on a separate Wild Apricot payments page (payments.wildapricot.com). This is not ideal because setting up conversion and goal tracking is hard to do on a page you do not control. I am told this is required for PCI DSS compliance; it is certainly the simplest way to achieve it, because card numbers entered on a page hosted by the payment provider never pass through your own site, which keeps your site out of most of the PCI DSS requirements that would apply if you hosted the card form yourself.
  • There is currently no support for Interac transfers or debit cards.

08/11/2018

WordCamp Niagara 2018 - Managed WordPress Demystified

In an updated presentation called Managed WordPress Demystified, Alex Sirota wowed the WordCamp Niagara audience with a talk on selecting a managed WordPress host. The video (coming soon!) and the slides are below.

04/17/2018

What is an Extended Validation (EV) SSL Certificate?

Chrome address bar security indicators (screenshot)

SSL secures the data passed between your web browser and the web server. (Strictly, modern browsers use TLS, the successor of SSL, but the old name has stuck and this article uses it.) When you type a comment or pay for something online, the information is protected in transit if, and only if, the connection is secured by SSL. There are 3 different types of certificate, and web browsers indicate them quite differently.

Pages without SSL will soon be labelled "Not secure" by Google Chrome, as shown below. Currently they show an "i" in a circle, but that changes this summer with the release of Chrome 68. Here is how all websites without SSL will display:

Chrome treatment of HTTP pages, before and after Chrome 68 (screenshot)

Below is a comparison of the 3 security states a website can currently display:

3 types of SSL certificates

There are 3 different types of security certificates available for websites: Domain Validated (DV), Organization Validated (OV) and Extended Validation (EV). Domain Validated certificates can be obtained by anyone, even for free using Let's Encrypt. They are the simplest to obtain because the only check is that the applicant controls the domain (or the web server) being secured, so just about anyone can put a padlock on a website for $0. The connection to such a site is encrypted, but the certificate tells you nothing about who owns or runs it, so the trust you place in a DV-secured site should rest on other evidence. DV is appropriate where trust and credibility are less important, such as personal websites and small forums that need basic encryption for logins, forms or other non-transactional data.

An Organization Validated certificate has different procurement requirements. To obtain an OV certificate the issuing certificate authority (CA) has to confirm that the organization exists using a non-automated method. As well as checking control of the domain name, the CA carries out additional vetting of the organization and of the individual applying for the certificate. This might include checking the address where the company is registered and the name of a specific contact. OV certificates are suited to public-facing websites dealing with less sensitive transactional data. OV certificates do not get the most visible display of trust that EV certificates have had, the green address bar showing the organization's name.

The Extended Validation certificate is the current gold standard in SSL certificates. Any business that sells products or accepts payment information online should use an Extended Validation (EV) SSL certificate. An EV certificate uses exactly the same encryption as any other certificate (the strength of the encryption is decided by the server's TLS configuration, not by the validation level); what getting one requires is a thorough vetting of the applicant's business. Only those businesses that pass this process receive an EV SSL certificate. Typically the use of an EV certificate is indicated by a green colour, but this varies by browser, and it has since changed: Chrome 77 and Firefox 70, both released in late 2019, stopped showing the organization name in the address bar, so today the EV details are only visible to someone who clicks the padlock and opens the certificate details. Anyone who sees the green address bar while on your site knows the site's owner has been identified by the CA.

EV verification guidelines, drawn up by the Certificate Authority/Browser Forum, require the Certificate Authority to run a much more rigorous identity check on the organization or individual applying for the certificate. In browsers that still show it, sites with an EV SSL certificate have a green address bar and a field showing the name of the legitimate website owner and the name of the Certificate Authority that issued the certificate. From the CA/Browser Forum:

Having an EV certificate for your website is an indication to your customers (or users) that you are very interested in ensuring their safety and privacy by taking the most care that you possibly can in authenticating yourself (through your web site) to them. Even though it might take more time and money to apply for an EV Certificate, after following the application procedures through to successful completion of the vetting process, the CA will issue an EV Certificate to you. 

Before an EV certificate is granted, the certificate vendor verifies that the business listed on the application:

  • Is legally registered
  • Is currently in operation
  • Is at the address listed (PO Boxes are not allowed!)
  • Can be reached at the telephone number listed (voice mail systems are not accepted for validation; a person must answer the phone!)
  • Controls the website domain name (usually verified through a DNS record such as a CNAME, a file placed on your server, or by email)

You will need to pass this vetting process every two years to keep your Extended Validation (EV) SSL. 

Most types of organizations can get an EV certificate relatively easily if they have an established business background and are located in a jurisdiction that provides good online access to records of incorporation or registration. Regrettably, there are a few types of organizations and a few jurisdictions for which there just isn't good enough external registration information available for the CA to be sure enough of the details supplied by the applicant to issue an EV certificate easily. For example some CAs do not accept PO Boxes as the organizational mailing address (even though the IRS or a local tax jurisdiction does!). Generally, if your organization is incorporated or fits into one of the more common business types such as an LLC or 501(c) not-for-profit, then you should be able to obtain an EV certificate. Here's an example EV Certification Checklist from Comodo should you decide to go this route. It takes time, and you should confirm your registration information is up to date and that the phone number on file is answered by a person (not a voice mail service).
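The three validation levels leave different traces in the certificate itself. As an added example (not code from the original post), the script below classifies a server certificate as DV, OV or EV from its subject fields, using the dictionary shape that Python's ssl.getpeercert() returns; the three sample certificates at the bottom are constructed and describe no real site, and the attribute names assume the usual OpenSSL naming.

```python
"""Classify a web server certificate as DV, OV or EV from its subject fields.

Added example, not from the original post.  It works on the dictionary
shape that Python's ssl.getpeercert() returns, so classify() can be run on a
live site via fetch_peer_cert() or, offline, on the constructed sample
certificates at the bottom, which are made up and describe no real site.
"""
import socket
import ssl

# Subject attributes the CA/Browser Forum EV Guidelines require in every EV
# certificate: organization, business category, registration number and
# jurisdiction of incorporation.  OpenSSL names the jurisdiction attribute
# "jurisdictionCountryName"; the dotted OID is accepted as a fallback in case
# a build only knows the number (assumption about the local OpenSSL build).
EV_REQUIRED = (
    {"organizationName"},
    {"businessCategory"},
    {"serialNumber"},
    {"jurisdictionCountryName", "1.3.6.1.4.1.311.60.2.1.3"},
)


def subject_fields(cert):
    """Flatten cert['subject'] (a tuple of RDN tuples of (name, value)) into a dict."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields.setdefault(name, value)
    return fields


def classify(cert):
    """Return 'EV', 'OV' or 'DV'.

    DV certificates carry only a commonName (plus subjectAltName); OV adds a
    vetted organizationName; EV additionally carries the registration details.
    Caveat: a browser decides "EV" from the certificatePolicies OID, which
    getpeercert() does not expose, so this is a strong heuristic rather than
    the browser's own test.
    """
    present = set(subject_fields(cert))
    if all(present & aliases for aliases in EV_REQUIRED):
        return "EV"
    if "organizationName" in present:
        return "OV"
    return "DV"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Connect to host, validate its chain against the system trust store and
    return the leaf certificate as a dict (network access required)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() shape; not real certificates.
SAMPLE_DV = {"subject": ((("commonName", "blog.example.net"),),)}
SAMPLE_OV = {"subject": (
    (("countryName", "CA"),),
    (("localityName", "Toronto"),),
    (("organizationName", "Example Club Inc."),),
    (("commonName", "www.example.org"),),
)}
SAMPLE_EV = {"subject": (
    (("jurisdictionCountryName", "CA"),),
    (("businessCategory", "Private Organization"),),
    (("serialNumber", "1234567-8"),),
    (("countryName", "CA"),),
    (("localityName", "Toronto"),),
    (("organizationName", "Example Store Inc."),),
    (("commonName", "shop.example.com"),),
)}

if __name__ == "__main__":
    for label, cert in (("DV", SAMPLE_DV), ("OV", SAMPLE_OV), ("EV", SAMPLE_EV)):
        org = subject_fields(cert).get("organizationName", "(no organization)")
        print(label, "->", classify(cert), org)
```

To check a live site, call classify(fetch_peer_cert("www.yourdomain.com")); the subject fields are what the certificate viewer shows, so a DV result on a site that takes payments is exactly the situation the article warns about.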

02/19/2018

General Data Protection Regulation (GDPR) and Wild Apricot: May 25, 2018 is GDPR Deadline

On May 25, 2018, the European Union will begin enforcing a new set of data protection regulations, known collectively as the GDPR (General Data Protection Regulation). The GDPR regulates the collection and storage of personal data for EU residents (including UK residents), regardless of where the organization doing the collecting is located.

The GDPR replaces and expands upon the 1995 Data Protection Directive. The biggest change is the extended reach of the regulations, now applying to all organizations that collect the personal data of European residents, even if those organizations are based outside of Europe.

Consequently, Wild Apricot and any of its clients with members in Europe need to understand the requirements of the GDPR, and set up procedures for complying with them.

If your Wild Apricot database contains information about any European Union residents, please let us know and we can help you identify whether your organization is compliant with GDPR. Wild Apricot has begun auditing their processes and software for GDPR compliance, but as of February 2018 Wild Apricot staff have not completed the audit or any remediation actions. Organizations in breach of the GDPR can be fined up to 4% of their annual global revenue or €20 million (whichever is greater). There is a tiered approach to fines, whereby an organization can be fined 2% for not having its records in order, 2% for not notifying about a data breach, and so on.

02/02/2018

VIDEO: Setting up a custom domain with Wild Apricot: what can go wrong?

Setting up custom domains in Wild Apricot can be tricky. If all goes well you're good, but what if you don't know where to start? This video will show you how to find your registrar, which domain name settings you need to update and some final steps on what you can do for a successful launch.

A short recap:

  1. To set up DNS records you must have access to the control panel of your DNS provider (GoDaddy, Wix, 1and1, etc.). Use the password reset if necessary to get access.
  2. Use a WHOIS lookup to find the registrar if you don't know where your domain name is registered.
  3. Log in and adjust the DNS records as per the Wild Apricot docs. The A record is absolutely critical to launching successfully under your domain name. If the DKIM records are not set, email sent from Wild Apricot on your behalf may end up in your members' junk mail folders.
  4. Wait for an hour or two for the DNS records to propagate.
  5. Go to Settings > Site > Domain Name Management and click the Check... button. You should see the screen below. If not, continue to check your DNS settings or wait a bit longer.

Custom domain settings checked (screenshot)

Once verified, set your domain as the primary domain name.

Note that the From email address has changed. Make sure the From: and Reply to: email settings are set to a real mailbox that can send and receive emails. Your emails will be addressed with these settings by default!

From email settings (screenshot)

Send a test email campaign to check your email settings are correct.
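The steps above are a manual check of three kinds of record. As an added example (not part of the original post or of Wild Apricot's own tooling), the script below runs the same check automatically against a resolver you supply, so it can be repeated until every record has propagated. The expected values (A-record address, www CNAME target, DKIM selector names) are placeholders to be replaced with the ones from the Wild Apricot docs; the SPF check goes one step beyond the steps above because the same mail receivers look at it; and the zone data at the bottom is constructed so the script runs offline.

```python
"""Pre-launch check of the DNS records a custom domain needs before it is
switched over.  Added example, not from the original post or Wild Apricot's
own tooling.  The values in EXPECTED (A-record address, www CNAME target and
DKIM selector names) are placeholders: take the real ones from Wild Apricot's
domain setup documentation.

The resolver is injected as lookup(name, rtype) -> list of strings so the
check can run offline against FAKE_ZONE; in production pass a function
backed by a real resolver, e.g. dnspython's dns.resolver.resolve.
"""


def check_domain(domain, expected, lookup):
    """Return a list of (severity, message) findings; empty means ready to launch."""
    findings = []

    # The A record is what makes the bare domain load at all.
    a_records = lookup(domain, "A")
    if expected["a"] not in a_records:
        findings.append(("critical",
                         f"{domain} A record is {a_records or 'missing'}; expected {expected['a']}"))

    # www is normally a CNAME to the platform host rather than a second A record.
    cnames = lookup("www." + domain, "CNAME")
    if expected["www_cname"] not in cnames:
        findings.append(("critical",
                         f"www.{domain} CNAME is {cnames or 'missing'}; expected {expected['www_cname']}"))

    # Missing DKIM does not stop the site launching, but member mail will be
    # treated as junk.  A TXT lookup follows a CNAME, so this works whether the
    # selector is published directly or delegated to the platform.
    for selector in expected["dkim_selectors"]:
        name = f"{selector}._domainkey.{domain}"
        if not any(r.startswith("v=DKIM1") for r in lookup(name, "TXT")):
            findings.append(("warning",
                             f"no DKIM record at {name}; outgoing mail may land in junk folders"))

    # SPF is not in the steps above but is checked by the same receivers.
    if not any(r.startswith("v=spf1") for r in lookup(domain, "TXT")):
        findings.append(("warning", f"no SPF record on {domain}"))
    return findings


# Constructed zone data for the offline run; the DKIM key is fake and truncated.
FAKE_ZONE = {
    ("example.org", "A"): ["203.0.113.10"],
    ("www.example.org", "CNAME"): ["sites.example-platform.com."],
    ("s1._domainkey.example.org", "TXT"): ["v=DKIM1; k=rsa; p=MIIBIjANBgkq"],
    # s2._domainkey and the SPF TXT record are deliberately absent.
}

EXPECTED = {
    "a": "203.0.113.10",
    "www_cname": "sites.example-platform.com.",
    "dkim_selectors": ["s1", "s2"],
}


def fake_lookup(name, rtype):
    """Stand-in resolver reading FAKE_ZONE; returns [] like an NXDOMAIN answer."""
    return FAKE_ZONE.get((name, rtype), [])


if __name__ == "__main__":
    for severity, message in check_domain("example.org", EXPECTED, fake_lookup):
        print(f"[{severity}] {message}")
```

Run it against the real resolver after each DNS change: the "critical" findings are the ones that keep the site from coming up under the new name, and the "warning" findings are the ones that quietly send your members' mail to junk.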

05/17/2017

Don't WannaCry? Keep Windows updated with these tips.

Is your Windows 7 machine updated and set to install the latest patches automatically? The WannaCry ransomware worm spreads using the ETERNALBLUE exploit against SMBv1 (CVE-2017-0144), which Microsoft patched in security update MS17-010, released in March 2017. Check that the updates in this article have been applied.

For older, unsupported systems (Windows XP, Windows Server 2003 R2), Microsoft released special patches.

Below is a screenshot of a Windows 7 security rollup in the installed-updates list. The fix for this vulnerability shipped in the March 2017 Security Monthly Quality Rollup (KB4012215; the security-only update is KB4012212) and is carried forward in every later monthly rollup, so a Windows 7 computer with a rollup from March 2017 or later installed is covered. Check Control Panel > Programs > View installed updates on your Windows 7 computer; if nothing that recent is listed, turn on Windows Update and make sure it does get installed.

Security rollup shown in the installed-updates list (screenshot)

Here's a great way to have Windows regularly check and apply critical updates. Let it run in the background and never have Windows Update disturb or notify you, so it can do its job silently and reliably. Critical updates happen every few weeks and definitely every month as a "Security Monthly Quality Rollup."

Windows Update Settings in Win 7

03/01/2017

Why Use a Password Manager When the Browser Saves Passwords?

Last month, a hacker breached an online police forum to sell over 700,000 pieces of data from US security enforcement agencies on the dark web, including the FBI. If these security professionals can fall victim to hacking, it’s a warning sign for all of us to boost our own password security.

The password management problem is simple: as you browse around the web, opening accounts on websites, you're asked to create password after password. Estimates put the average person at around 100 passwords, and many people have several hundred. How could anyone remember that many pairs of usernames and passwords?

Forgot-password-Fotolia_137263233_S

Most people don't. They either use the same password for every site, maybe with slight variations, or they just keep using the "Forgot Password" link that most sites provide. It's usually a combination of both tactics. Then, if a security breach happens and their username and password are leaked, they blame the companies that were breached, even though they failed to create and manage a safe password.

Unfortunately, when your password gets breached (stolen by a hacker), and you’ve used that same password on any other site, your accounts at all of those sites are now also at risk. The hacker can access those other accounts without having to do any more hacking.

Now the chances are low that this will happen, but if you’re somehow targeted for an attack and people have some of your passwords, they might now be able to get into your most sensitive accounts such as email, financial sites, and health sites, where they could potentially carry out malicious actions.

At NewPath Consulting, our customers typically take on anywhere from 1-20 new passwords for cloud-based services (e.g., PayPal, Mad Mimi, Wild Apricot, website hosting), and most of these are critical to their operations and to keeping their financial data and customer information secure. Sites like these need the strongest passwords: unique to the site and hard to guess.

What is a safe password?

The safest passwords are ones that:

  1. Are only used on one site
  2. Are long: 8 characters is the bare minimum, 12 or more is a better target, and extra length adds more strength than extra symbols do
  3. Contain a combination of letters (upper case and lower case), numbers, and special characters (!%@#)
  4. Contain no dictionary words or proper names
  5. Are changed whenever you suspect they have leaked (the old rule of changing every six months or a year is no longer recommended by NIST's password guidance unless there is evidence of compromise, because forced rotation pushes people toward weak, predictable variations)

Now we come back to the central question of how to remember all of these safe passwords, which are purposefully hard to remember or guess. Some people try writing them down, maybe on sticky notes attached to the computer (very risky if your computer is lost or stolen), or scraps of paper around the office or house (difficult to keep track of or find when you need).

Enter the password manager, a software application designed to help you accomplish three key goals:

  1. Create a new password for every site
  2. Generate and manage safe passwords
  3. Fill in your passwords for you without you needing to know or remember them
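What "generate safe passwords" looks like in practice, as an added example that is not code from the original post or from any password manager: the generator draws from the operating system's cryptographic random source (Python's secrets module, never the random module), retries until every character class is present, and the checker applies the five rules above and reports the entropy in bits. The dictionary is a tiny constructed list standing in for a real wordlist.

```python
"""Generate passwords the way a password manager does and score them against
the rules above.  Added example, not from the original post or from LastPass.
DICTIONARY is a tiny constructed word list standing in for a real one."""
import math
import secrets
import string

SYMBOLS = "!%@#"
CLASSES = (
    ("lowercase", string.ascii_lowercase),
    ("uppercase", string.ascii_uppercase),
    ("digit", string.digits),
    ("symbol", SYMBOLS),
)
ALPHABET = "".join(chars for _, chars in CLASSES)
DICTIONARY = {"password", "welcome", "toronto", "summer", "letmein"}


def generate(length=16):
    """Draw from the OS CSPRNG (secrets, never random) until every class is present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in chars for c in pw) for _, chars in CLASSES):
            return pw


def entropy_bits(pw):
    """Bits of entropy if pw was drawn uniformly from the classes it uses.

    Each extra character multiplies the search space by the pool size, which is
    why rule 2 says length matters more than one more symbol."""
    pool = sum(len(chars) for _, chars in CLASSES if any(c in chars for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def problems(pw, used_elsewhere=()):
    """Return the list of rules from the list above that pw breaks (empty = safe)."""
    issues = []
    if pw in used_elsewhere:
        issues.append("reused on another site")
    if len(pw) < 8:
        issues.append("shorter than 8 characters")
    missing = [name for name, chars in CLASSES if not any(c in chars for c in pw)]
    if missing:
        issues.append("missing " + ", ".join(missing))
    hits = sorted(w for w in DICTIONARY if w in pw.lower())
    if hits:
        issues.append("contains dictionary word(s): " + ", ".join(hits))
    return issues


if __name__ == "__main__":
    pw = generate()
    print(pw, f"{entropy_bits(pw):.1f} bits", problems(pw) or "ok")
    for weak in ("Toronto2017!", "abc"):
        print(weak, f"{entropy_bits(weak):.1f} bits", problems(weak))
```

A 16-character password from this alphabet of 66 symbols has about 96 bits of entropy; "Toronto2017!" passes the length and character-class rules yet fails on the dictionary word, which is the kind of feedback a password manager gives and a browser's save-password prompt does not.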

Why not just save passwords in your web browser?

Web browsers like Chrome, Safari and Opera all offer to save your passwords for you. They say the passwords are encrypted, but the key is tied to your operating system login rather than to a separate master password, so anyone who can sign in as you (or sits down at your unlocked computer) can list them in a few clicks. If your computer is stolen, your passwords can likely be extracted from your web browser with little effort.

Another big drawback of using the browser to manage your passwords is there is no requirement to choose a safe password. Password manager programs, on the other hand, automatically generate safe passwords, and if you create or enter your own they give instant feedback on whether it is strong enough.

Remember that a browser's job is to help you browse the web, while a password manager's only job is to keep your passwords safe. In fact, when you install a password manager, it will usually offer to disable the built-in password saving in your browser.

Which is the best password manager?

At NewPath Consulting we use and recommend LastPass. It creates a vault protected by one master password; this becomes the last password you'll ever have to remember.

LastPass encrypts the vault on your own device with a key derived from your master password, so no one at LastPass can read your data. You have the option of two-factor authentication for extra security. With two-factor authentication, even if someone obtains your master password, they still can't get into your account without a second piece of information, such as a one-time code from an authenticator app on your mobile phone.

LastPass helps you easily accomplish all three password management goals:

  1. Create a new password for every site
  2. Generate and manage safe passwords
  3. Fill in your passwords for you without you needing to know or remember them

LastPass encourages good password management by actively monitoring to make sure you’re not using the same password on all sites, and by giving you a score for how safe your passwords are.

Like any software tool, using LastPass does have a bit of a learning curve, which is why we help our clients set up and learn to use it. Once you get used to it, however, it is truly quick and easy and gives you much more security.

How much does LastPass cost?

LastPass is free, with the option to upgrade for $12 a year for premium features such as family password sharing, 1 GB encrypted file storage for notes you want to save, priority customer support, an ad-free vault, and more.

What are some concerns people have about password managers?

Some people aren't comfortable turning password management over to an outside organization. Others worry that if their master password is compromised a hacker will have access to all of their sensitive information at once (two-factor authentication, together with a long master password used nowhere else, is the mitigation for this).

Other people just don’t believe that password security is important or worth the time or money. Yet this infographic of data breaches over the last few years shows just how widespread data breaches are, how frequently they occur, and that we can expect this to continue.

Password security is one of those things that’s never a problem until it’s a problem. But as we learned from the Police.com breach this month, if security professionals can be hacked, why can’t you?

Want to secure your data and start surfing more safely online? Contact NewPath Consulting today for a complimentary demonstration of how we use LastPass, and how it could work for you.

[Update - March 20, 2017: Listen to The Russian Passenger, Reply All podcast episode #19, for a frightening story of how easy it is to be hacked, and charged for services you never used.]   

10/05/2016

Installing SSL Security on Your Website

Starting in 2017, you will be hearing a lot about securing your website with something known as SSL. SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser; what browsers actually use today is its successor TLS (Transport Layer Security), but the certificates and the padlock are the same and the old name has stuck. This link ensures that all data passed between the web server and browsers remains private and unaltered.

So for example when you type your credit card into a form you want that information to be passed securely without anyone being able to snoop on it, or change it, while it is in transit. That is what SSL does. A visitor to a web page knows a website is secure when they see a little lock somewhere near the address bar:

Browser address bar with padlock (image)

If you manage a website, how do you obtain the necessary SSL certificate required? That's the question many will be asking, and there is a lot of confusion around this topic, unfortunately. In the past, SSL certificates were sold for anywhere between $20 and $100 and had to be renewed, like domain names, every year. This is presently still the case, but we think SSL prices will go down dramatically as more website owners start to purchase and install them. Obtaining an SSL certificate can be a complex exercise but many domain name registrars like GoDaddy and 1and1.com are making the process much easier and less expensive. Starter SSL certificates are now available for free from LetsEncrypt.org and from many hosts.

Zerossl.com is one such authority that can generate a free, domain-validated (i.e. DV) certificate using the Let's Encrypt system. Domain Validated certificates only need to confirm your control of the domain name. The confirmation process is very simple and there are two options to choose from: DNS verification and HTTP verification. The former requires creating a TXT record with a specific value at _acme-challenge.yourdomain.com. The latter requires placing a plain text file with specific content on your web server under the path /.well-known/acme-challenge/ of the domain being verified, so the server must be reachable on plain HTTP (port 80) for that path. Note that the text file has no extension and some hosts block files without extensions as a security measure. This may change in the future. Choose the option you are most comfortable with: normally all registrars provide a way to edit DNS records, but you might prefer creating a text file. DNS verification also might take a bit longer depending on how quickly your registrar's servers publish the change (usually within 15-20 minutes), while HTTP verification can be instant.

We have a Business Package from 1and1.com and recently were offered a free SSL Starter certificate that we enabled for www.newpathnetwork.org. The process was quite painless as it is essentially a one click install and creates a domain validated SSL certificate. We had to spend about an hour eliminating references to non-secure code in our website to ensure full security was activated.

Finally we had to create an .htaccess file to ensure plain HTTP requests (non-SSL) are redirected automatically to the secure version of the site. This also makes sure that when Google searches bring up your site, visitors land on the secure version. We are sharing the .htaccess file stored in the root directory of our Linux-powered shared hosting environment at 1and1.com. If you are running WordPress, SSL installation may be even simpler with your host.

Step 1. Create or edit a file called .htaccess in the root of your website.

Step 2. Add these lines (or edit if they already exist)

RewriteEngine On
# Match the bare domain as well as www. ([NC] makes the comparison case-insensitive)
RewriteCond %{HTTP_HOST} ^(www\.)?yourdomain\.com$ [NC]
# Only act on plain-HTTP requests. Behind a proxy that terminates TLS for you,
# test %{HTTP:X-Forwarded-Proto} !https instead, or every request will loop.
RewriteCond %{SERVER_PORT} 80
# Send the visitor to the same path on https://www. with a permanent (301) redirect
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [R=301,L]

Step 3. Save the file. You can upload via SFTP or use your favourite shell editor to edit the file.

Step 4. Test your website to make sure the SSL secure site is loading. Click the lock or the little circle with an i in it to check security details.

Essentially these commands take an inbound request for www.yourdomain.com or yourdomain.com and redirect the visitor to the https://www.yourdomain.com equivalent. Any URL will automatically redirect to the correct new, shiny and secure URL.

NOTE: Adding SSL security to your site does not mean that you no longer have to maintain the integrity of the software that runs the site; SSL protects data in transit, not the server itself. If you have a host that does the updates and maintenance, then great! But if you are worried about hackers getting into your website, get in touch with us. We can tell you more about how we can help you maintain security on your WordPress-powered website. We include SSL certificate installation with our Silver and Gold plans!

09/18/2016

Important Security Changes Coming for Google Chrome

UPDATE: In Chrome 68 (July 2018), the Not Secure message goes into effect. Expect lots of gnashing of teeth as insecure websites now flash "not secure" in the URL bar. This was about 18 months late, but it is finally here. Get your SSL now.

Important News from Google Security

Google Chrome (the most popular web browser in the world) will be implementing a user interface change in 2017 that will notify users that a website form that has a password or credit card field is insecure. This will be a default setting and eventually feature a red alert to notify users.

First change: note how the "Not secure" message will prefix the web link in the address bar.

Chrome address bar with "Not secure" prefix (screenshot)

The eventual treatment of non-SSL/HTTPS websites will add a red alert triangle with an exclamation point:

Chrome address bar with red "Not secure" warning triangle (screenshot)

This is a big deal. I think it may be bigger than the mobile-friendly "apocalypse" that was mostly a non starter for many who have actively been using a mobile theme. Once Apple's iOS starts to change their user interface in Safari  on mobile devices, we forecast SSL becoming much more important on all our customer sites. This change will sort of slipstream into our Chrome updates in 2017 and by end of 2018 we believe customers will be clamoring to secure their sites. With that in mind we have added SSL setup services to our Silver and Gold service plans.

So the question remains -- what's the least painful way to setup SSL on WordPress? Here are a few recommendations:

0. Install an SSL certificate (letsencrypt.org for a free certificate!) and configure WordPress to use it (under Settings > General, change both the WordPress Address and the Site Address to the https:// URL). We can help you do this.

1. Ensure all your internal links point to the new HTTPS URLs. Ensure any external links and new social shares point to the new HTTPS URLs too: if you're still getting links to the old HTTP version of your website Google can become confused and you won't see the benefit that these new links have the potential to pass on to your website. Google won't be able to decide which is the most authoritative page that deserves a higher ranking.

2. Ensure that all rel=canonical tags within your HTML don't point to the old HTTP version. Once you move over to HTTPS these tags must be changed to the new HTTPS URLs, as this helps Googlebot understand which version of the page should be used to rank. Again, if you still point to the HTTP version then Google will once again become confused over which page should be ranking in the SERPs.

3. Ensure that you've mapped out the new HTTPS URLs on a page-to-page level: you basically want an exact duplicate URL structure where the only thing that changes is that 'http://' becomes 'https://'. Once you've got these in place you then want to implement a permanent 301 redirect on a page level. Do not 301 redirect everything (either via a global or via a wildcard redirect) to the home page, as this will kill all your rankings overnight.

4. Watch your Google Webmaster Tools (now Search Console) account after go-live and monitor for any issues Google may be having with your new HTTPS website. You can really drop your traffic overnight by doing this wrong.

5. Test any embedded content from other domains on your website (images, scripts, forms, any other content). A page served over HTTPS that still loads something over plain http:// is "mixed content": browsers block mixed scripts, stylesheets, frames and form targets outright and drop the padlock for mixed images, so every embedded resource must be fetched over HTTPS as well.

These changes are best done on a staging server for any highly traffic sites that cannot afford to be down for any extended period.
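Steps 1, 2 and 5 above, and the hour spent "eliminating references to non-secure code" in the Installing SSL Security post below, are the same job: finding every http:// reference left in the HTML. As an added example (not code from either post), the scanner below parses a page and reports internal links and canonical tags that still name the old http:// URL, plus mixed content, split into what browsers block (scripts, stylesheets, frames, form targets) and what they only warn about (images and media). SAMPLE_HTML is a constructed page using the posts' yourdomain.com placeholder so the script runs offline.

```python
"""Scan a page for references that would break an HTTPS migration.

Added example, not code from the original posts.  SAMPLE_HTML is a
constructed page for the offline run; point scan() at your own saved pages.
Three kinds of finding are reported, matching the checklist above:
  internal-link    an <a href> to the old http:// version of your own site
  canonical        a <link rel="canonical"> that still names the http:// URL
  blocked/warning  mixed content: a resource fetched over http:// from an
                   https:// page.  Browsers refuse to load active mixed
                   content (scripts, stylesheets, frames, form targets) and
                   only warn for passive content such as images.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch something.
URL_ATTRS = {
    "script": ("src",), "iframe": ("src",), "link": ("href",),
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "video": ("src", "poster"), "audio": ("src",),
    "form": ("action",), "object": ("data",), "embed": ("src",),
}
ACTIVE_TAGS = {"script", "iframe", "link", "form", "object", "embed"}


class MigrationScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.host = urlsplit(page_url).netloc
        self.findings = []  # (kind, tag, absolute url)

    def _absolute(self, raw):
        # urljoin resolves relative paths and protocol-relative "//host/x"
        # URLs against the https:// page URL, so those are correctly not flagged.
        return urljoin(self.page_url, raw.strip())

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            url = self._absolute(attrs.get("href") or "")
            parts = urlsplit(url)
            if parts.scheme == "http" and parts.netloc == self.host:
                self.findings.append(("internal-link", tag, url))
            return
        if tag == "link" and "canonical" in (attrs.get("rel") or "").lower():
            url = self._absolute(attrs.get("href") or "")
            if urlsplit(url).scheme == "http":
                self.findings.append(("canonical", tag, url))
            return
        for name in URL_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # srcset lists comma-separated "url descriptor" candidates
            raws = ([c.split()[0] for c in value.split(",") if c.strip()]
                    if name == "srcset" else [value])
            for raw in raws:
                url = self._absolute(raw)
                if urlsplit(url).scheme == "http":
                    kind = "blocked" if tag in ACTIVE_TAGS else "warning"
                    self.findings.append((kind, tag, url))


def scan(html, page_url):
    """Return the list of (kind, tag, url) findings for one page."""
    scanner = MigrationScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: one of each problem plus references that are fine.
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="http://www.yourdomain.com/about/">
<link rel="stylesheet" href="//cdn.example.net/site.css">
<script src="http://cdn.example.net/widget.js"></script>
</head><body>
<a href="http://www.yourdomain.com/contact/">Contact</a>
<a href="https://www.yourdomain.com/pricing/">Pricing</a>
<a href="http://other.example.org/">External site</a>
<img src="/images/logo.png" srcset="http://img.example.net/logo@2x.png 2x">
<form action="http://forms.example.net/submit"></form>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE_HTML, "https://www.yourdomain.com/about/"):
        print(f"{kind:13} <{tag}> {url}")
```

Links to other people's http:// sites are deliberately not reported (they are their problem, not a mixed-content one), and the protocol-relative stylesheet passes because it inherits the page's https scheme; the five findings on the sample page are the ones that need a search-and-replace before the redirect goes live.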

06/03/2016

"Run Your Small Business With Online Forms" — Formstack May 19, 2016 Webinar Questions and Answers

Introduction and overview

How to Run Your Small Business With Online Forms: webinar recording

Robin Macrae

On May 19, 2016, Alex Sirota presented an in-depth case study of a NewPath Consulting customer that has employed a sophisticated Formstack form-based application to generate substantial revenue and sustain the business. In doing so, he highlighted the Formstack features that enable you to manage business data and processes, and demonstrated one of the largest benefits of online forms: helping you manage your business processes online and transform your business into a digital workplace.
The event was a huge success with over 450 registrations, and a recording of the webinar is available online.

At the end of the webinar, there were over 20 questions in the Q&A, and not all of them could be adequately covered. As promised, this blog post will recap the questions and answers including a more detailed walk-through of the more complex questions.

The Q&As are organized in terms of common themes:

  1. Basic functionality
  2. Calculating fields
  3. Prepopulated (prefilled) fields
  4. Integrations | general
  5. Integrations | Google
  6. Security and access
  7. Subscription plans and features

Alex Sirota answered the questions in the webinar and in emails to those submitting them. Robin Macrae extracted the content, edited it for clarity and readability, organized it into categories and rewrote and supplemented the content where appropriate. The text is ~3,000 words.

Do you need help with a Formstack form or application? As Formstack consultants, we have become very experienced with the ways Formstack can enhance and drive your sales, marketing and operational efforts. Book a time for a no-charge half-hour consultation with a Formstack guru, Alex Sirota.

Continue reading ""Run Your Small Business With Online Forms" — Formstack May 19, 2016 Webinar Questions and Answers" »