Slashdot Mirror
Openly Published e-Commerce Security Precautions?
zCyl asks: "When I went to purchase a SCSI card online a while back, I went to a dealer that I had heard was reputable. Then a little later they were purchased by Egghead, and I was added to the Egghead database and I unwittingly became one of the millions of customers who were notified that the Egghead database containing their information had been compromised. How are those of us who do understand computer security and could evaluate the security of an e-commerce site supposed to determine the security of the sites we purchase products from? Are there any existing e-commerce sites that openly publish the precautions and security measures they take to ensure the safety of the information I entrust to them while making a purchase?"
AMEX Private Payments is a system of which you get a one time use number/exp date credit card number. All payments show up on your regular AMEX bill, but you give the merchant a different CC num and exp date.
I've used AMEX's Private Payments over a dozen times online, and it's worked beautfily every time. They have software for Windows that can autofill forms and authentic you via a smartcard. But, for those of us running under other OSes, they have a web page that gives out the numbers. Really easy to use. I just double click on the number, drag and drop it onto the merchant's webform. I do have to manually select the exp date, but that is always the end of the current month.
If you have an AMEX card, try using it. Saves time and limits your exposure to fraud. It also lowers the bogus charges to AMEX, so it saves them (and to a small extent me) money.
I sometimes wonder why we are in this mess to begin with. Merchants should _never_ _ever_ store your CC number online. I don't care if they claim it is for 'ease of use' or 'security'. Use the realtime CC submit, and just hang onto the transaction number. Most merchant processors support the use of just the transaction number or autherisation number to finalize the payment.
By the way, we could have one time payments already, but SET got bogged down in technical details and tried to do too much at once. Shame SET never got a chance to get up and running, but it required too much infrasture changes. Every CC user (you and me) had to get a digital certificate for our CC. It's kind of like X.500, too bloated and complex. I hope we would see a SET trimmed down to the needs, like LDAP trimmed down X.500.
I work for an industrial computing manufacture. We have millions of dollars of parts, inventory, and equipment around. Every year, in order to maintain our insurance, we have a physical audit at an unannoucned time.
I've been chatting with some of my friends about the whole CC on the internet mess, and I can tell you that merchant contracts are going to be stiffened up for online transactions ('card not present'). Most will have to get randomly audited on an IT/computer security level, plus new restrictions on keep the number 'on file'.
99% of merchants won't be able to qualify for 'on file' status unless they are using secured OS where the number never leaves the machine, but external machines can ask for it to be used or validated. Visa will also be planting 'fake' numbers in the database, some the company will know about, some it won't. If transactions start showing up on these fake numbers, heads start to roll if the merchant didn't inform Visa ahead of time.
On average, it costs a credit card company over 50 dollars to sort out the damage of a stolen number. Not only in reissuing a new card, but in stopping all the fraudluant transactions. Under the plan for the new rules, these costs would be thrown onto the merchant whose systems got cracked and the CC numbers gotten from. They would be charged a set fee per number that they every have had on file, plus they would be required to pay for the fraudlant charges that the crackers ring up. My guess is that few vendors will keep numbers around, or use a more secure backend online payment provider (YahooStore, etc).
Next Week: Privacy and Money, why didn't Chaum and ecash survive.
thanks
dunk
Heh -- I put together a system for doing that a few years as part of a University research product. Never finished the writeup, but I've got dated papers (might prove useful as prior art).
My scheme worked roughly as follows (it's been a few years, so I may be missing things):
Each consumer is given a hardware device which contains a public value, a private value and a counter (for the number of times it's been used). Each transaction it contains contains in cleartext the public number and the amount. It also contains a one-way hash of the private number, the amount and the usage counter.
To verify, the bank runs through a series of hashes made up of the private number (looked up from the pub#), the amount and last 20 (or so) possible unused usage counter values. Get a match, and it's good.
The number had to be something like 26 digits to provide decent security, longer being better of course, but it worked. I still have the prototype software around somewhere.
Personally I think the online world will be a much safer place once we have 'one-time' transaction numbers for specific amounts, much like American Express are apparantly introducing.
I agree. Furthermore, it should be used for all purchaces. This would be a good application for smart cards and wallets. The merchant creates a clearsigned transaction record. The purchasor authorizes the card for the represented amount of the transaction. The card recieves the transaction record (including merchant's deposit only number and transaction amount) from the merchant, and if the amount is in agreement with the authorized amount, it adds a serial number and clearsigns the record (including the merchant signature). The merchant may at any time (including immediatly) submit the signed transaction record to their merchant account. It is then returned to them with the transaction result (auth or deny) signed by the merchant bank.
Nowhere in the process does any entity provide an abusable key or datum to any other party. The serial number prevents double processing the transaction. Each party can prove that the transaction took place independantly of the other parties. Neither the merchant or their bank needs to know the identity of the purchasor (only the id of the purchasor's bank). It is even possable for the merchant's identity to be a secret from the purchasor (limited utility but possable). If the smart card is activated by providing a passphrase, the cardholder need not fear theft or loss of the card. Since the cardholder authorizes the amount and provides a one transaction authorization to the card through his own wallet, there is no need to trust the merchant's hardware.
Extensions of that protocol could create reusable transactions (authorizations) with limited abuse potential for periodic charges. The transaction would only allow credit into the merchant's account to remove incentive for dishonest employees. The period and amount of the charges would be specified to eliminate double charges. The cardholder could invalidate the authorization at any time and dispute the last charge if necessary. These transactions should also have expiration dates as an option.
Such a system would greatly reduce fraud and fully de-sensitize credit card data.
As a result, they either hold the money back from the merchant's future payments or write it off. Joe Consumer (you and I) aren't liable for it, and generally aren't affected by it.
When the money is held back, we aren't affected by it. The write offs show up in everybody's service charges and interest rates on their card. The money has to come from somewhere (and it's not going to be the bank's pocket, I assure you).
Hmmm.. now what prevents someone from using my now-encoded signature to "sign" something else that I didn't intend to sign?
Very true. Of course, what stops someone from using Gimp to transfer your pen and paper signature to another document. By making a photocopy of that, they then have a photocopy of the document with 'your signature'.
The fact is, signatures don't signify much unless they're cryptographic.
If the merchant can hold it together, the soon go out of business, via both bad press and lost profis on CC fraud.
Typically, that's the case. And so the merchant raises prices a little and you and I still end up paying for it. It's also unfair to the merchant who had no way to know the card was stolen in many cases.
Apparently there is a technology that tracks more than just the shape and "look" of your signature. It watches how you press the pen into the surface and the actual movements of the pen as you write your signature. So merely copying the signature would not be of much value.
I've seen that. Copying a signature could be of value because most signatures are not made with that technology, society at large (and even courts) make much of the physical resemblence of a signature. The full capture devices further invalidate signatures, because now, even the more detained forensic examination trying to determine pressure based on indentation in the paper and damage to it's fibers will be in doubt.
It is the merchant, not the bank nor any other CC company, that is liable for fraudulent purchases. This is where the money comes from. This is why it is so easy to challange a change on your credit card.
If the merchant can hold it together, the soon go out of business, via both bad press and lost profis on CC fraud.
Actually, although security through obscurity is not a solution in and of itself, it is necessary. A properly designed security policy will not only protect against unauthorized traffic, it will have detection mechinisms in place to detect when crackers are "Rattling the Doornob" (i.e. NIDS, portsentry, multi-level firewalls, etc...)
By not publishing the security policy, you are forcing crackers to figure it out for themselves, which greatly increases the chance that they will trigger alarms set to catch them.
Yes, but you also have the option of seeking out other merchants (for most products, that is).
I have been doing systems security for over ten years, and it is my professional opinion that it is IMPOSSIBLE to completely secure a machine (short of unplugging it totally and encasing it in concrete). Anyone who tells you any differently is either a)completely clueless when it comes to system security, or b) trying to sell you something.
The point is, is that compromises ARE going to happen. It is the job of the security engineer to make this more and more difficult. Constant vigilance is key here.
As long as there are systems on the Internet, there will be crackers. As long as there are crackers, there will be security compromises. And as long as there are security compromises, the cost of this will be passed on to the consumer.
This is simply an operational cost associated with online commerce. This is no different than the cost of shoplifting being passed on to the consumer in meatspace stores. It can be minimized greatly, but cannot be completely eliminated.
Very, very wrong. I've developed secure transaction systems that were audited by Visa. They don't have a clue. They have no concept of asymetric encryption (their specs only required things to be encrypted using 3DES, which is useless for storing credit cards). They had no cooncept of known-plaintext attacks on credit card numbers, and very little concept of systems security in general. They were more concerned with hiring policies than anything else.
As to why a symetric algorithm is useless in storing CC numbers, I will leave this as an exercise for the reader.
It is actually the vendor, not the credit card company, who is responsible, because the vendor has to eat the cost in a fraudulent purchase (this is federal law in the US). The CC companies have no vested interest in e-commerce security, other than via a marketing angle.
Excellent, thank you. That's precisely what I was looking for when I posted my question. I hope the company you're working with uses its security policy disclosure as a major selling point, as I would love to see such things determine customer choice and eventually become mainstream.
Personally I think the online world will be a much safer place once we have 'one-time' transaction numbers for specific amounts, much like American Express are apparantly introducing. Instead of giving any old company your full and 'permanent' credit card details, you go to your bank and ask them to provide you with a unique number for that individual transaction for a particular amount. It's then impossible for th company to store your details, mischarge you or charge you again in the future. Of course, we'd have to be confident that the credit card companies security is good, but I'd rather trust them than some merchant who's just about managed to get a Java e-commerce app running on his shared server.
rm -rf / is the evil of all root
If I steal Shoeboy's credit card number (assuming she actually had one) by hacking into shoeboy.com (assuming there was actually something there to hack into), and use it to purchase an imperial ton of grits (the hot kind, naturally), it is the merchant who sold me the grits that will be out of pocket when the theft is discovered. The credit card company checks with the cardholder, and if the cardholder denies having purchased the items in question, the grits merchant doesn't get paid. Shoeboy wouldn't lose a dime.
This puts the onus on the merchant to verify that they are dealing with a legitimate customer, which is why many online companies won't ship to addresses not registered with the card company, especially when dealing with a first-time customer.
So, Shoeboy's statement, "Anyone who buys anything online is a fucking moron", might be applied to merchants who sell things online - or more to the point, their investors! - but not to cardholders. Someone buying something online with a credit card is actually being pretty smart. The only downside when your card or card number is stolen tends to be minor inconvenience.
In addition, if you're not happy with a product, and the merchant doesn't want to give you your money back, within reason, card companies will refund your money and stiff the merchant. I've had that happen when purchasing telephony hardware from a company that went out of business right after shipping my product - the company couldn't be reached for support, so I called Amex and they credited me the money.
Now, with Shoeboy, you can never really tell whether she's trolling or not, so maybe she already knows all this. But I post this purely out of the altruistic knowledge that I am contributing to the free and pure flow of e-commerce. Bezos would thank me, if his company weren't tanking...
So you want something like this:
At shoeboy.com, we take the elementary precaution of changing the default password on our database servers! Your data is completely safe!
Not going to happen. Companies can tell you that they "employ a security team" or that they "have been audited by a third party" or that the software the run has had "no remote exploits in 3 years."
It means nothing. How can a company prove that it didn't misconfigure anything?
How can they be sure that their in house developed project has any security at all.
How can they verify that the well camoflaged back door the sysadmin put in to make his job easier won't get found? How do they even know it's there?
How do get the CTO and Director of IT (both of whom threatened to fire you if you didn't give them domain admin permissions) to lock their workstations?
Sure auditing is an answer, but what happens when the auditing team leaves? Security goes to pot again, that's what happens.
There's always in house auditing, but do you trust a team that reports directly to the half witted manager who designed the network? You shouldn't.
If nothing else, how do you know that the system is as secure as the company says it is? You don't.
The final answer is that there is no good way to trust an online merchant if you can't inspect their setup yourself.
And since you can't do that, you can't trust them at all.
Anyone who buys anything online is a fucking moron. If your credit card gets stolen, tough - you deserved what you got.
--Shoeboy
You shouldn't *need* to evaluate their security... the law should take care of that (but it doesn't).
Do you evaluate the security of your bank? Of everyone you ever do business with? Then why should you evaluate them for computer security?
And to top it off.. why does everyone still get so worked up about credit card fraud? I read my contract over and over again, and it says I am *NOT* responsible at *ALL* for fraudulent use of my card. I am responsible for up to $50 if my *CARD* is physically stolen, and the charges happen before I report it.
Let them steal my # out of some database.. it's not MY money they are spending.
Most credit cards work that way. I know my Visa always did.. and every other contract I've looked at for credit cards.
The only time you are liable for anything, in any case I've ever seen, is if your card is physically stolen, you can be held liable for up to $50.
The other way you can be responsible is if they can prove gross negligence, ie: lending your visa to your neighborhood crackhead because he 'promised' to only go get your groceries for you.
The card is only a token used to authenticate your credit line with the credit company; it is not the credit itself. It's the mechanism the credit company chooses to employ to ensure that they are extending credit to you and not someone else. If that system breaks down, and it's not your fault, they CANNOT hold you responsible. They onus will be on whatever merchant is involved to prove that it was, in fact, you that used the card. A signature, delivery to your house, perhaps phone logs... but that's it. They can't prove it, it's not your problem.
In most cases,(I know in mine), that $50 liabiltiy only applies if your card is actually stolen, (not just the number), and if it happens before you inform them that your card is missing.
It does not generally apply to simply fraudulent transactions where all they had was your number.
I mean, if the CARD wasn't stolen, but just the number was.. how is that the card being stolen? I don't know about any other contract, but when I see 'card' I think 'the physical card'.
How they do it? simple.
They don't pay their merchants.
Remember, you are the customer. Remember, on your card, it the card is THEIR Property, not yours. THe card is their way of authentication you for purchases, so they can extend credit to you.
If the merchant doesn't have your signature, or other way to prove the transaction actually involved you personally (delivery to your house, etc), then the credit company doesn't pay the merchant.
It's GOOD that it's $0 liability.. it should be! They agreed to extend me, personally, some credit. It's not my fault whatsoever if they have difficulties determjining if it's 'me' or not buying something.. that's solely a problem in their business model, and we shouldn't be made to absorb the cost.
This is why I'm puzzled at people who get really worked about about online card theft. It's inconvenient, but it's not like someone draining your bank account. Sure, you might have to cancel your card, and that is a pain in the ass.. but other than that.. it wasn't your card that was stolen, it was the issuers card, and the issuers problem to deal with.
would be to have some sort of cost associated with loss of protected consumer data, period. Open the doors for easy class-action lawsuits; this would cause companies to acquire insurance, and those insurance companies will want to KNOW what is being done to protect that data.
Credit card companies don't 'jump all over it' because if someone fraudulently uses a card to buy a stereo, the credit card company DOESN'T HAVE TO PAY THE MERCHANT unles the merchant can prove they did everything by the book, including checking for signatures and obtaining an imprint, or some other form of authentication. If they just took the number and it turns out to be false, they don't get paid.
Depends. If it's something like the credit card fraud protection, there are all sorts of penalties and nasty consequences if the credit card company tries any games, so you are likely to get reimbursed quickly.
On the other hand, if it's a case of your tires blowing up, then it will be a long fight - but generally the lawyers figure it's worth the mega-fees and will take it on.
Where you lose is the middle ground. If your case is too small to interest a land-shark, er lawyer and big enough to annoy the company, well, you are going to have a tough time.
Just follow these thee easy steps - this works for all present and future e-commerce sites:
Simple and idiotproof, plus you're doing the .com's a favor by pointing out their lackluster security.
-henrik
Just use a credit card that you have specifically for online transactions.
By U.S. law you're only liable for $50, and most companies won't charge you anything if your account is jacked (if you're a good account for them).
I pay all of my bills on time, don't carry a balance, and don't sweat it.
What's the big deal?
If you're concerned about your personal information getting out, get a credit card that contains bogus information, including name. I have one in my dog's name. It's perfectly legal.
Following his purchase, Egghead buys the company. Now that company is absorbed into Egghead. Virtually nothing the company did before being purchased matters now, because now he is dealing (after a fashion) with a different entity, the security of which he never thought to judge.
That being said, he wonders how to determine the security/privacy of a site, but, ya see, in the case he details, it didn't matter, because the business transaction of the company purchase completely obviates any 'security checks' he could have done.
What's he looking for? A company that tells potential purchasers what they intend to do in the event of being purchased themselves?
Carefree highway, let me slip away on you.
When you get ripped off, and you have your credit card company remove the charges, who do you think eats the cost?
THE COMPANY WHO CHARGED YOU
You may eat the $50 (although any good credit card company won't even charge you that if you notify them quickly), but Egghead will eat the rest.
That's part of the problem: a credit card crook will steal from several companies, none of which were hit for more than a few hundred dollars. If the crook is in another country, it isn't worth the companies' time to go after him. They just eat the loss and write it off.
Now, if the CREDIT CARD COMPANINES were responsible and had to eat the charges, now our crook has pissed off ONE company, for THOUSANDS of $monetary_units, and it's well worth the credit card company to go after him. And for those crooks in semi-lawless places (like the former Soviet Union), it may be worth their while to sub-contract the collection of the money to, shall we say, local collection specialists.
True, were the credit card companies responsible, they would also charge the costs back to us in higher interest rates.
Guess what! They do that anyway!
(that's also why I don't carry a balance from month to month on my cards. Pay them off in full every month, manage your money, and you don't pay interest. And good cards don't charge yearly fees.)
www.eFax.com are spammers
Gratuitious plug: MBNA's card works like this, at least in the UK.
In the UK, all credit cards work like that. Fraudulent use isn't your problem, unless you've been 'negligent' (which is basically a getout to stop you selling your card to a crook, then claiming the money back from the CC company.)
That's probably why UK CC companies are (IME) very good at stopping fraudulent use. Last month, my father moved to Houston, and bought lots of stuff (new TV, microwave, all that stuff) from a store. To check who he was, Visa US called his UK bank, and the operator spent 10 minutes asking questions like "Complete the following 'phone number" (which turned out to be his direct dial number at the job he left six years ago!)
Probably sounds silly - except under UK law, if he had been an imposter, Visa would have been left $1000 or so out of pocket. They tend to care about that kind of thing!
from the knowing-how-secure-your-merchant's-data-is-too-lon g-to-fit dept.
--
The e-commerce site I am currently working on (in testing with the client now) has a Security Policy page, similar to a Privacy Policy page. It mentions the basic stuff, 128-bit SSL Encryption, Thawte Digital Certificate... plus it also mentions a couple more advanced things... seperate secured relational database and, most importantly, removal of credit card data from online systems.
Basically, we are a smaller site who is hosting in a shared environment (as are virtually all smaller e-commerce sites). We added some extra precautions that the big guys should do, too. For instance, once the credit card is processed, it is removed from our online systems. We move it to another system for record-keeping purposes, but the online system's database is altered to show just the last 4 digits (XXXX-XXXX-XXXX-1234) of the credit card, mainly so a customer can tell which credit card was used when later looking at the order online. Sure, this is more of a hassle for us, but it makes things a heck of a lot better for our customers. And we wouldn't even think about storing the numbers in our system for "convenience" of customers when placing a new order. That's just asking for trouble.
Also, someone noted that even if you check a company out, you can't be sure what will happen when that company is bought or merges. Well, we actually make a statement about that. For security, it doesn't really matter, since cc numbers are removed from our online systems. For privacy, we state that if we merge, etc, we will ensure that your data has the same protections we offer (no unwanted contact, no spam, no renting, no selling, no changes to our policy without notifying you).
I wish all sites I dealt with offered these same protections.
Portable versions of Firefox, GIMP, LibreOffice, etc
The question is, should your credit card number exist anywhere except impressed on your credit card? Vital statistics are one thing, but the ability to pick your pocket at the speed of light over long distances must be curtailed. We need legislation that requires all merchants everywhere to thoroughly erase credit card data the moment any and every transaction is finished. My name, address, and phone number are publicly available (unless I choose otherwise); the contents of my wallet are not. And as a side note, what's this with Radio Shack clerks asking my name and address when I pay for something in cash? I always say "No" but how many people just give up the data? Caveat emptor.
If there's anyone out there who knows security like the back of their hand, there's a tremendous business opportunity to be had due to the rampant paranoia about online transaction security.
:-)
Simply start a security "brand" based on a security rating that you provide. Audit sites once a month or so, then give them a numerical score based on their security precautions. If they are deemed secure, they can place a logo of some kind indicating that they've been "certified" secure.
Sites will be happy to get the audit, and the logo, once recognized, will drive business to their site. So they kill two birds with one stone and are happier to pay for a security audit than from a firm without a publicly-recognized brand.
And the unwashed masses, who aren't quite sure how this internet thing works and are therefore a bit nervous about the whole thing, are happier to shop at sites that have the logo.
A million dollar idea, folks. Yours for free
-- My choice of computing platform is a symbol of my individuality and belief in personal freedom.
Most sites publish a privacy policy about how they protect your "personally identifiable" information (yet we all know they sell the aggrigates to advertisers).
As for companies telling you what they do to protect from eletronic theft, isn't that the same as publishing what they don't do? I agree that security through obscurity is not the best way at all times, but does it have particular uses in these days of h/crackers releasing patches which DDoS the company? (I couldn't find the URL, but Network Associates underwent a light DDoS attack after a black hatter released a patch for BIND to fix the recently discovered bugs which had zombie code installed. What's incredible is it made it past BugTraq and NAI as "safe" and got posted)
Sites will be hacked. That is the nature of the Internet. What I would like to see is a site that will reimburse you if you are the victim of their own lax security. What if Egghead.com became responsible for the $50 or so that every person is responsible for with false/stolen credit card charges. Would this put a great monetary risk at the company? Yes. And isn't money what gets things done with the "Big Business"
IANA Business Major, but would this work? Just my thoughts on the matter.
Information is the catalyst for revolution
Without a good understanding of the security in place, the best you can do is presumably minimize the risk. Only shop with places where your credit card details are NOT stored on their systems, and if they give you the option, remove them.
Personally I think the online world will be a much safer place once we have 'one-time' transaction numbers for specific amounts, much like American Express are apparantly introducing. Instead of giving any old company your full and 'permanent' credit card details, you go to your bank and ask them to provide you with a unique number for that individual transaction for a particular amount. It's then impossible for th company to store your details, mischarge you or charge you again in the future. Of course, we'd have to be confident that the credit card companies security is good, but I'd rather trust them than some merchant who's just about managed to get a Java e-commerce app running on his shared server.
Well, the only way is to have an external body that will grant companies security certifiacations. The companies will be required by law to get a liscense to hold data, on the condition that a secure external body examines their security arrangements. This way the company does not have to reveal its security arrangements to anyone but the government, and the customer can be assured that his data is safe because the company he trades with is certified by an external body.
Its a bit like bob and alice. We need a third agent to make things really secure, it would seem to me.
You know exactly what to do-
Your kiss, your fingers on my thigh-
You know exactly what to do-
Your kiss, your fingers on my thigh-
I think of little else but you.