Openly Published e-Commerce Security Precautions?
zCyl asks: "When I went to purchase a SCSI card online a while back, I went to a dealer that I had heard was reputable. Then a little later they were purchased by Egghead, and I was added to the Egghead database and I unwittingly became one of the millions of customers who were notified that the Egghead database containing their information had been compromised. How are those of us who do understand computer security and could evaluate the security of an e-commerce site supposed to determine the security of the sites we purchase products from? Are there any existing e-commerce sites that openly publish the precautions and security measures they take to ensure the safety of the information I entrust to them while making a purchase?"
If I steal Shoeboy's credit card number (assuming she actually had one) by hacking into shoeboy.com (assuming there was actually something there to hack into), and use it to purchase an imperial ton of grits (the hot kind, naturally), it is the merchant who sold me the grits that will be out of pocket when the theft is discovered. The credit card company checks with the cardholder, and if the cardholder denies having purchased the items in question, the grits merchant doesn't get paid. Shoeboy wouldn't lose a dime.
This puts the onus on the merchant to verify that they are dealing with a legitimate customer, which is why many online companies won't ship to addresses not registered with the card company, especially when dealing with a first-time customer.
So, Shoeboy's statement, "Anyone who buys anything online is a fucking moron", might be applied to merchants who sell things online - or more to the point, their investors! - but not to cardholders. Someone buying something online with a credit card is actually being pretty smart. The only downside when your card or card number is stolen tends to be minor inconvenience.
In addition, if you're not happy with a product, and the merchant doesn't want to give you your money back, within reason, card companies will refund your money and stiff the merchant. I've had that happen when purchasing telephony hardware from a company that went out of business right after shipping my product - the company couldn't be reached for support, so I called Amex and they credited me the money.
Now, with Shoeboy, you can never really tell whether she's trolling or not, so maybe she already knows all this. But I post this purely out of the altruistic knowledge that I am contributing to the free and pure flow of e-commerce. Bezos would thank me, if his company weren't tanking...
So you want something like this:
At shoeboy.com, we take the elementary precaution of changing the default password on our database servers! Your data is completely safe!
Not going to happen. Companies can tell you that they "employ a security team" or that they "have been audited by a third party" or that the software they run has had "no remote exploits in 3 years."
It means nothing. How can a company prove that it didn't misconfigure anything?
How can they be sure that their in-house developed project has any security at all?
How can they verify that the well-camouflaged back door the sysadmin put in to make his job easier won't get found? How do they even know it's there?
How do you get the CTO and Director of IT (both of whom threatened to fire you if you didn't give them domain admin permissions) to lock their workstations?
Sure, auditing is an answer, but what happens when the auditing team leaves? Security goes to pot again, that's what happens.
There's always in-house auditing, but do you trust a team that reports directly to the half-witted manager who designed the network? You shouldn't.
If nothing else, how do you know that the system is as secure as the company says it is? You don't.
The final answer is that there is no good way to trust an online merchant if you can't inspect their setup yourself.
And since you can't do that, you can't trust them at all.
Anyone who buys anything online is a fucking moron. If your credit card gets stolen, tough - you deserved what you got.
--Shoeboy
Following his purchase, Egghead buys the company. Now that company is absorbed into Egghead. Virtually nothing the company did before being purchased matters now, because now he is dealing (after a fashion) with a different entity, the security of which he never thought to judge.
That being said, he wonders how to determine the security/privacy of a site, but, ya see, in the case he details, it didn't matter, because the business transaction of the company purchase completely obviates any 'security checks' he could have done.
What's he looking for? A company that tells potential purchasers what they intend to do in the event of being purchased themselves?
Carefree highway, let me slip away on you.
The e-commerce site I am currently working on (in testing with the client now) has a Security Policy page, similar to a Privacy Policy page. It mentions the basic stuff, 128-bit SSL Encryption, Thawte Digital Certificate... plus it also mentions a couple more advanced things... separate secured relational database and, most importantly, removal of credit card data from online systems.
Basically, we are a smaller site who is hosting in a shared environment (as are virtually all smaller e-commerce sites). We added some extra precautions that the big guys should do, too. For instance, once the credit card is processed, it is removed from our online systems. We move it to another system for record-keeping purposes, but the online system's database is altered to show just the last 4 digits (XXXX-XXXX-XXXX-1234) of the credit card, mainly so a customer can tell which credit card was used when later looking at the order online. Sure, this is more of a hassle for us, but it makes things a heck of a lot better for our customers. And we wouldn't even think about storing the numbers in our system for "convenience" of customers when placing a new order. That's just asking for trouble.
Also, someone noted that even if you check a company out, you can't be sure what will happen when that company is bought or merges. Well, we actually make a statement about that. For security, it doesn't really matter, since cc numbers are removed from our online systems. For privacy, we state that if we merge, etc, we will ensure that your data has the same protections we offer (no unwanted contact, no spam, no renting, no selling, no changes to our policy without notifying you).
I wish all sites I dealt with offered these same protections.
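The "process, then strip the number from the online store" step described in the post above, written out as an added example. This is not the poster's code or the site's code; the two dictionary "stores", the simulated charge call and the sample order are all constructed here so that the flow runs offline. The masked format follows the post (XXXX-XXXX-XXXX-1234); the Luhn check and the leak scan are additions that a practitioner would want around such a step.

```python
"""Keep only the last four digits of a card number in the web-facing order
store once the charge has gone through (added example, not the poster's code).

Constructed for illustration:
  ONLINE_ORDERS   - the database the web application can read (hypothetical)
  OFFLINE_RECORDS - the separate, non-web-facing record-keeping system
  charge_card()   - stand-in for a payment gateway call
"""
import re

ONLINE_ORDERS = {}
OFFLINE_RECORDS = {}


def digits_only(pan: str) -> str:
    """Drop spaces and dashes so '4111 1111 1111 1111' and '4111-1111-...' compare equal."""
    return re.sub(r"\D", "", pan)


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: rejects mistyped numbers before anything is stored or charged."""
    digits = [int(c) for c in digits_only(pan)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the display form the post describes: only the last four digits survive.

    The number of X groups is presentation only; no other digit is retained
    regardless of the card length.
    """
    d = digits_only(pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("not a card number")
    return "XXXX-XXXX-XXXX-" + d[-4:]


def charge_card(pan: str, amount: float) -> str:
    """Simulated gateway: in a real system this is the processor's API call.
    Returns a constructed authorisation code."""
    return "AUTH-" + digits_only(pan)[-4:] + "-" + str(int(amount * 100))


def process_order(order_id: str, pan: str, amount: float) -> dict:
    """Validate, charge, then make sure the online store never holds the full number."""
    if not luhn_ok(pan):
        raise ValueError("card number fails checksum")
    auth = charge_card(pan, amount)
    # Full number goes to the separate record-keeping system only.
    OFFLINE_RECORDS[order_id] = {"pan": digits_only(pan), "auth": auth}
    # The web-facing record is written with the masked form from the start,
    # so there is no window in which the online table contains the full PAN.
    ONLINE_ORDERS[order_id] = {"card": mask_pan(pan), "amount": amount, "auth": auth}
    return ONLINE_ORDERS[order_id]


def online_store_holds_no_pan() -> bool:
    """Leak check a defender can run periodically: no 13+ digit run in any online field."""
    for record in ONLINE_ORDERS.values():
        for value in record.values():
            if re.search(r"\d{13,}", digits_only(str(value))):
                return False
    return True


if __name__ == "__main__":
    rec = process_order("ORD-1001", "4111 1111 1111 1111", 19.99)  # constructed test number
    print(rec)                                   # card shows as XXXX-XXXX-XXXX-1111
    print("online store clean:", online_store_holds_no_pan())
```

The point of writing the masked form at insert time rather than updating the row afterwards is that a crash or a missed cron job between "charge" and "scrub" would otherwise leave full numbers in the web-facing table; the leak scan at the end is the cheap check that catches any code path that forgets.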