Slashdot Mirror


Openly Published e-Commerce Security Precautions?

zCyl asks: "When I went to purchase a SCSI card online a while back, I went to a dealer that I had heard was reputable. Then a little later they were purchased by Egghead, and I was added to the Egghead database and I unwittingly became one of the millions of customers who were notified that the Egghead database containing their information had been compromised. How are those of us who do understand computer security and could evaluate the security of an e-commerce site supposed to determine the security of the sites we purchase products from? Are there any existing e-commerce sites that openly publish the precautions and security measures they take to ensure the safety of the information I entrust to them while making a purchase?"

8 of 101 comments

  1. Re:One thing you can do by trog · · Score: 3
    I believe that the guys that work at the CC's probably have done quite a bit of work to make the unique transaction numbering issue a non-issue.

    Very, very wrong. I've developed secure transaction systems that were audited by Visa. They don't have a clue. They have no concept of asymmetric encryption (their specs only required things to be encrypted using 3DES, which is useless for storing credit cards). They had no concept of known-plaintext attacks on credit card numbers, and very little concept of systems security in general. They were more concerned with hiring policies than anything else.

    As to why a symmetric algorithm is useless in storing CC numbers, I will leave this as an exercise for the reader.

    It is actually the vendor, not the credit card company, who is responsible, because the vendor has to eat the cost in a fraudulent purchase (this is federal law in the US). The CC companies have no vested interest in e-commerce security, other than via a marketing angle.

  2. One thing you can do by xneilj · · Score: 3
    Without a good understanding of the security in place, the best you can do is presumably minimize the risk. Only shop with places where your credit card details are NOT stored on their systems, and if they give you the option, remove them.

    Personally I think the online world will be a much safer place once we have 'one-time' transaction numbers for specific amounts, much like American Express are apparently introducing. Instead of giving any old company your full and 'permanent' credit card details, you go to your bank and ask them to provide you with a unique number for that individual transaction for a particular amount. It's then impossible for the company to store your details, mischarge you or charge you again in the future. Of course, we'd have to be confident that the credit card companies' security is good, but I'd rather trust them than some merchant who's just about managed to get a Java e-commerce app running on his shared server.

    --
    rm -rf / is the evil of all root
  3. How Credit Cards Work - for Shoeboy's benefit by alienmole · · Score: 4
    With all "real" credit cards - as opposed to funky credit-card-like things, such as debit cards - the risk related to theft falls entirely on the merchant. Typical card agreements limit the cardholder's liability in case of card theft to a maximum of $50, and in practice I've never heard of anyone even being asked to pay that.

    If I steal Shoeboy's credit card number (assuming she actually had one) by hacking into shoeboy.com (assuming there was actually something there to hack into), and use it to purchase an imperial ton of grits (the hot kind, naturally), it is the merchant who sold me the grits that will be out of pocket when the theft is discovered. The credit card company checks with the cardholder, and if the cardholder denies having purchased the items in question, the grits merchant doesn't get paid. Shoeboy wouldn't lose a dime.

    This puts the onus on the merchant to verify that they are dealing with a legitimate customer, which is why many online companies won't ship to addresses not registered with the card company, especially when dealing with a first-time customer.

    So, Shoeboy's statement, "Anyone who buys anything online is a fucking moron", might be applied to merchants who sell things online - or more to the point, their investors! - but not to cardholders. Someone buying something online with a credit card is actually being pretty smart. The only downside when your card or card number is stolen tends to be minor inconvenience.

    In addition, if you're not happy with a product, and the merchant doesn't want to give you your money back, within reason, card companies will refund your money and stiff the merchant. I've had that happen when purchasing telephony hardware from a company that went out of business right after shipping my product - the company couldn't be reached for support, so I called Amex and they credited me the money.

    Now, with Shoeboy, you can never really tell whether she's trolling or not, so maybe she already knows all this. But I post this purely out of the altruistic knowledge that I am contributing to the free and pure flow of e-commerce. Bezos would thank me, if his company weren't tanking...

  4. some thoughts by Shoeboy · · Score: 4

    So you want something like this:
    At shoeboy.com, we take the elementary precaution of changing the default password on our database servers! Your data is completely safe!
    Not going to happen. Companies can tell you that they "employ a security team" or that they "have been audited by a third party" or that the software they run has had "no remote exploits in 3 years."
    It means nothing. How can a company prove that it didn't misconfigure anything?
    How can they be sure that their in house developed project has any security at all.
    How can they verify that the well camouflaged back door the sysadmin put in to make his job easier won't get found? How do they even know it's there?
    How do you get the CTO and Director of IT (both of whom threatened to fire you if you didn't give them domain admin permissions) to lock their workstations?
    Sure auditing is an answer, but what happens when the auditing team leaves? Security goes to pot again, that's what happens.
    There's always in house auditing, but do you trust a team that reports directly to the half witted manager who designed the network? You shouldn't.
    If nothing else, how do you know that the system is as secure as the company says it is? You don't.

    The final answer is that there is no good way to trust an online merchant if you can't inspect their setup yourself.

    And since you can't do that, you can't trust them at all.

    Anyone who buys anything online is a fucking moron. If your credit card gets stolen, tough - you deserved what you got.

    --Shoeboy

  5. A more sensible approach by mindstrm · · Score: 3

    would be to have some sort of cost associated with loss of protected consumer data, period. Open the doors for easy class-action lawsuits; this would cause companies to acquire insurance, and those insurance companies will want to KNOW what is being done to protect that data.

    Credit card companies don't 'jump all over it' because if someone fraudulently uses a card to buy a stereo, the credit card company DOESN'T HAVE TO PAY THE MERCHANT unless the merchant can prove they did everything by the book, including checking for signatures and obtaining an imprint, or some other form of authentication. If they just took the number and it turns out to be false, they don't get paid.

  6. The Question Doesn't Match the Anecdote by Fleet+Admiral+Ackbar · · Score: 4
    The slashdot-asker details a situation in which he purchased an item from a vendor, being satisfied with said vendor's security. He apparently "knows about" computer security, whatever that is.

    Following his purchase, Egghead buys the company. Now that company is absorbed into Egghead. Virtually nothing the company did before being purchased matters now, because now he is dealing (after a fashion) with a different entity, the security of which he never thought to judge.

    That being said, he wonders how to determine the security/privacy of a site, but, ya see, in the case he details, it didn't matter, because the business transaction of the company purchase completely obviates any 'security checks' he could have done.

    What's he looking for? A company that tells potential purchasers what they intend to do in the event of being purchased themselves?

    --
    Carefree highway, let me slip away on you.
  7. Egghead IS responsible... by wowbagger · · Score: 3

    When you get ripped off, and you have your credit card company remove the charges, who do you think eats the cost?

    THE COMPANY WHO CHARGED YOU

    You may eat the $50 (although any good credit card company won't even charge you that if you notify them quickly), but Egghead will eat the rest.

    That's part of the problem: a credit card crook will steal from several companies, none of which were hit for more than a few hundred dollars. If the crook is in another country, it isn't worth the companies' time to go after him. They just eat the loss and write it off.

    Now, if the CREDIT CARD COMPANIES were responsible and had to eat the charges, now our crook has pissed off ONE company, for THOUSANDS of $monetary_units, and it's well worth the credit card company to go after him. And for those crooks in semi-lawless places (like the former Soviet Union), it may be worth their while to sub-contract the collection of the money to, shall we say, local collection specialists.

    True, were the credit card companies responsible, they would also charge the costs back to us in higher interest rates.

    Guess what! They do that anyway!

    (that's also why I don't carry a balance from month to month on my cards. Pay them off in full every month, manage your money, and you don't pay interest. And good cards don't charge yearly fees.)

  8. E-commerce Site Security Policy by CritterNYC · · Score: 4

    The e-commerce site I am currently working on (in testing with the client now) has a Security Policy page, similar to a Privacy Policy page. It mentions the basic stuff, 128-bit SSL Encryption, Thawte Digital Certificate... plus it also mentions a couple more advanced things... separate secured relational database and, most importantly, removal of credit card data from online systems.

    Basically, we are a smaller site who is hosting in a shared environment (as are virtually all smaller e-commerce sites). We added some extra precautions that the big guys should do, too. For instance, once the credit card is processed, it is removed from our online systems. We move it to another system for record-keeping purposes, but the online system's database is altered to show just the last 4 digits (XXXX-XXXX-XXXX-1234) of the credit card, mainly so a customer can tell which credit card was used when later looking at the order online. Sure, this is more of a hassle for us, but it makes things a heck of a lot better for our customers. And we wouldn't even think about storing the numbers in our system for "convenience" of customers when placing a new order. That's just asking for trouble.

    Also, someone noted that even if you check a company out, you can't be sure what will happen when that company is bought or merges. Well, we actually make a statement about that. For security, it doesn't really matter, since cc numbers are removed from our online systems. For privacy, we state that if we merge, etc, we will ensure that your data has the same protections we offer (no unwanted contact, no spam, no renting, no selling, no changes to our policy without notifying you).

    I wish all sites I dealt with offered these same protections.
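    As an added example (not CritterNYC's code or the site's), one way to implement what the post describes: after the card is processed, the online order record keeps only the XXXX-XXXX-XXXX-1234 form, the full number goes only into the record sent to the separate record-keeping system, and a scan over the online store flags any full card number that slipped into a free-text field. The function names, record layouts and card numbers (standard test numbers) are constructed for the example.

```python
import re

# Candidate for a full card number: 13 to 19 digits, optionally separated by
# spaces or dashes, not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes so only the digits remain."""
    return re.sub(r"[ -]", "", raw)


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; every real card number passes it."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(raw: str) -> str:
    """Display form kept in the online database: only the last four digits."""
    digits = normalize_pan(raw)
    if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
        raise ValueError("not a valid card number")
    return "XXXX-XXXX-XXXX-" + digits[-4:]


def process_order(order_id: str, customer: str, amount_cents: int, raw_pan: str):
    """Split one order into the record the online system keeps and the record
    handed to the separate record-keeping system (constructed layouts)."""
    digits = normalize_pan(raw_pan)
    if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
        raise ValueError("not a valid card number")
    # Payment processing itself happens here in a real deployment (not modelled).
    online_record = {
        "order_id": order_id,
        "customer": customer,
        "amount_cents": amount_cents,
        "card": mask_pan(digits),      # enough for the customer to recognise the card
    }
    offline_record = {"order_id": order_id, "pan": digits}   # never stored online
    return online_record, offline_record


def find_unmasked_pans(records):
    """Scan online records for anything that looks like a full card number.

    Returns (order_id, field) pairs; masked values never match because only
    four digits remain, and random digit runs are filtered by the Luhn check.
    """
    hits = []
    for rec in records:
        for field, value in rec.items():
            if not isinstance(value, str):
                continue
            for m in PAN_CANDIDATE.finditer(value):
                if luhn_valid(normalize_pan(m.group())):
                    hits.append((rec.get("order_id"), field))
    return hits


if __name__ == "__main__":
    online, offline = process_order("A1", "alice", 1999, "4111 1111 1111 1111")
    print(online)     # card shows as XXXX-XXXX-XXXX-1111
    # Constructed example of the kind of leak the scan is for: a support note
    # containing the full number typed in by hand.
    leaked = {"order_id": "A2", "notes": "customer phoned, card 4111 1111 1111 1111"}
    print(find_unmasked_pans([online, leaked]))   # [('A2', 'notes')]
```

    Running the scan over the online database on a schedule is the check that makes the policy statement verifiable rather than aspirational: the masked column is correct by construction, but free-text fields such as order notes are where full numbers tend to reappear.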