Locking down your web storefront


Locking down your web storefront
Techtarget web chat
April 2002
David Strom
eCommerce security 101
• Make sure you protect your enterprise network from intrusion
• Limit user access, isolate servers, lock down scripts, harden servers
• See www.nwfusion.com/netresources/0202hack1.html
Outline
• Database issues
• Payments and payment processing issues
• Evaluating Commerce Service Providers
• Preventing credit card fraud
• Privacy issues for consumers
Database issues
• Understand the security weaknesses and access controls of local database users
• Understand the web/database interaction from a security perspective
• Understand proxy server attacks (a la Adrian Lamo)
• Lock down those CGI scripts!
• Who is root, and what can they really do?
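The two database points above, the web/database interaction and what the web tier's database account is allowed to do, in one runnable illustration. This is an added example, not code from the original chat: it builds a constructed in-memory SQLite orders table, shows the classic CGI mistake of pasting a form value into SQL beside the parameterized version, and restricts the web tier's connection to reads (SQLite has no per-user grants, so PRAGMA query_only stands in for a SELECT-only account). All table and customer names are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example (not from the original page).
ORDERS = [
    (1, "alice", "widget", 19.99),
    (2, "alice", "gadget", 49.00),
    (3, "bob", "gizmo", 99.50),
]


def make_db():
    """Build an in-memory orders table like the one a storefront script queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER, customer TEXT, item TEXT, amount REAL)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", ORDERS)
    return conn


def web_tier_connection(conn):
    """Least privilege for the web tier: the storefront only ever reads.

    SQLite has no per-user grants, so the restriction is expressed with
    PRAGMA query_only; on a server database you would grant the web
    application's own account SELECT on the tables it needs and nothing more.
    """
    conn.execute("PRAGMA query_only = 1")
    return conn


def lookup_orders_vulnerable(conn, customer):
    """The pattern of many early CGI scripts: the form value is pasted into SQL."""
    sql = "SELECT id, item, amount FROM orders WHERE customer = '%s'" % customer
    return conn.execute(sql).fetchall()


def lookup_orders_hardened(conn, customer):
    """The same lookup with a bound parameter; the input can never become SQL."""
    sql = "SELECT id, item, amount FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def can_write(conn):
    """Probe whether a connection is allowed to modify the table."""
    try:
        conn.execute("DELETE FROM orders")
        return True
    except sqlite3.OperationalError:
        # query_only connections fail here with "attempt to write a readonly database"
        return False


def demo():
    """Run the injection against both lookups; returns counts for checking."""
    conn = web_tier_connection(make_db())
    # Hypothetical attacker-controlled "customer" field taken from the query string.
    attacker_input = "x' OR '1'='1"
    leaked = lookup_orders_vulnerable(conn, attacker_input)  # every customer's orders
    safe = lookup_orders_hardened(conn, attacker_input)      # no rows at all
    return {
        "leaked_rows": len(leaked),
        "safe_rows": len(safe),
        "web_tier_can_write": can_write(conn),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns every row in the table for the injected value; the parameterized one returns nothing, because the quote and the OR are just characters in a customer name. The read-only connection is the answer to "what can root really do": even a script that is compromised cannot turn a read into a delete when its account was never granted writes.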
Common mistakes with payment processing
• Providing too few or too many order confirmation pages
• Confusing methods and misplaced buttons on the order page
• Making it hard for customers to buy things
• Making your customers read error screens
A taxonomy of bygone web payment approaches
[Figure: a decision tree that classifies the approaches by the questions "transmit '16+4' (the 16-digit card number plus 4-digit expiry) over the Internet?", "buyer encrypts?", "buyer signs?", "merchant decrypts?", "buyer confirms?" and "synchronous?". Leaves of the tree: plaintext, SSL, S-HTTP, PGP, CyberCash, SET, GlobeID, eCash, VirtualPIN.]
Why didn't they work?
• Too complex to implement
• Too much infrastructure
• Not many stores took their kind of money
• Too many other technical challenges
ConEd bill payments
• Claim they needed 100,000 customers to break even
• https://m020w5.coned.com/csol/main.asp
• Note the lack of security: anyone with a valid account number can see your bill! Try acct no. 434117168910006
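The ConEd problem is an authorization failure: the account number in the request is treated as proof that the requester owns the account. The following added example (not code from the original chat or from ConEd) contrasts that lookup with one that resolves the bill through the logged-in session, using a constructed bill table and session store; the account numbers, names and amounts are made up for the example.

```python
# Constructed sample data (not from the original page): bills keyed by
# account number, and login sessions mapping to the customer who owns them.
BILLS = {
    "1001": {"owner": "alice", "amount_due": 84.20},
    "1002": {"owner": "bob", "amount_due": 12.00},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def view_bill_insecure(account_no):
    """The pattern the slide describes: whoever supplies an account number
    gets that account's bill, with no check that it belongs to them."""
    return BILLS.get(account_no)


def bill_for(session_id, account_no):
    """Authorization done right: the bill is released only when the account
    belongs to the customer behind the session, not to whoever typed a number.

    Returns the bill, or None when the caller is not logged in, the account
    does not exist, or the account belongs to someone else. The three cases
    are deliberately indistinguishable so that a probe cannot learn which
    account numbers are valid.
    """
    customer = SESSIONS.get(session_id)
    if customer is None:
        return None
    bill = BILLS.get(account_no)
    if bill is None or bill["owner"] != customer:
        return None
    return bill


def my_bills(session_id):
    """Better still: take no account number from the client at all and
    enumerate the accounts the session owns."""
    customer = SESSIONS.get(session_id)
    if customer is None:
        return {}
    return {acct: b for acct, b in BILLS.items() if b["owner"] == customer}
```

With `view_bill_insecure`, guessing or iterating account numbers reads every customer's bill; with `bill_for`, the same request from Alice's session for Bob's account yields nothing, and the denial looks exactly like a non-existent account.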
So what payment instrument to use today?
• SSL credit cards
• eWallets/SET
• CyberCash and other payment gateways
• Commerce Service Providers' payment systems
• 1-Click service providers
Not all providers are the same
• Compare services
– Which cards do they authorize?
– Do they provide electronic check services?
– Do they provide check guarantee services?
• Compare prices
– Start-up fees
– Monthly discount fees
– Other service fees (per transaction)
– Statement generation fees
Evaluating providers
• Do they offer storefront design?
• Do they have in-house programmers?
• Do they host your own web server machine?
• How many payment systems do they support?
• What kinds of accounting reports do they offer?
Preventing credit card fraud
• Don't accept orders unless a full address and phone number are present
• Be wary of different "bill to" and "ship to" addresses
• Be careful with orders from free email services
• Be wary of orders that are larger than the typical amount
• Pay extra attention to international orders
Credit card fraud, cont'd
• When in doubt, call the customer to confirm the order
• Use software or services to fight fraud
• When you've found fraud, contact your merchant bank immediately
• See www.scambusters.org/Scambusters23.html
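The two fraud slides above amount to a screening procedure: one hard rule (no full address and phone, no order) and several warning signs that, taken together, mean the order should be confirmed by phone before it ships. The following added example (not code from the original chat) encodes those rules over constructed sample orders. The free-email domain list, the merchant's home country, the typical order value, the "more than twice typical" threshold and the rule that two or more warning signs trigger a manual review are all assumptions made for the example.

```python
from dataclasses import dataclass

# Assumptions for this example (not from the original page): a short list of
# free webmail domains, the merchant's home country, and its typical order value.
FREE_EMAIL_DOMAINS = {"hotmail.com", "yahoo.com", "aol.com"}
HOME_COUNTRY = "US"
TYPICAL_AMOUNT = 150.00
REQUIRED_ADDRESS_FIELDS = ("name", "street", "city", "postal")


@dataclass
class Order:
    email: str
    phone: str
    bill_to: dict
    ship_to: dict
    country: str    # country the goods ship to
    amount: float


def _address_complete(addr):
    """Every required field present and non-blank."""
    return all(str(addr.get(k, "")).strip() for k in REQUIRED_ADDRESS_FIELDS)


def screen_order(order, typical_amount=TYPICAL_AMOUNT):
    """Apply the slides' rules. Returns (decision, reasons).

    'reject' : hard rule, incomplete address or missing phone number.
    'review' : two or more warning signs; call the customer to confirm.
    'accept' : at most one warning sign (still recorded in reasons).
    The two-flag review threshold is an assumption of this example.
    """
    if not (_address_complete(order.bill_to)
            and _address_complete(order.ship_to)
            and order.phone.strip()):
        return "reject", ["incomplete address or phone number"]

    reasons = []
    if order.bill_to != order.ship_to:
        reasons.append("bill-to and ship-to addresses differ")
    domain = order.email.rsplit("@", 1)[-1].lower()
    if domain in FREE_EMAIL_DOMAINS:
        reasons.append("free email service")
    if order.amount > 2 * typical_amount:
        reasons.append("order larger than typical amount")
    if order.country.upper() != HOME_COUNTRY:
        reasons.append("international order")

    return ("review" if len(reasons) >= 2 else "accept"), reasons


# Constructed sample orders (names, addresses and values are made up).
HOME_ADDR = {"name": "A. Customer", "street": "1 Main St",
             "city": "Springfield", "postal": "12345"}
DROP_ADDR = {"name": "A. Customer", "street": "9 Depot Rd",
             "city": "Elsewhere", "postal": "54321"}

SAMPLE_ORDERS = {
    "normal": Order("ann@example.com", "555-0100", HOME_ADDR, HOME_ADDR, "US", 120.00),
    "no_phone": Order("ann@example.com", "", HOME_ADDR, HOME_ADDR, "US", 120.00),
    "suspicious": Order("buyer@hotmail.com", "555-0199", HOME_ADDR, DROP_ADDR, "NG", 1400.00),
}


def screen_all(orders=SAMPLE_ORDERS):
    """Screen every sample order; returns {name: (decision, reasons)}."""
    return {name: screen_order(o) for name, o in orders.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in screen_all().items():
        print(f"{name:10s} {decision:7s} {'; '.join(reasons)}")
```

The "suspicious" order trips all four warning signs (different ship-to address, free webmail sender, ten times the typical value, shipping abroad) and is routed to a phone call rather than rejected outright, which is the slide's "when in doubt, call the customer" rule; only the hard rule on missing contact details rejects by itself.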
Privacy issues for the consumer
• Most people just want to be asked for their permission
• Your customers don't object so much if you use their information to sell them other products you may offer
• But many object if you sell or rent their names to someone else
Conclusions and questions
David Strom
Senior Technology Editor
VAR Business magazine
[email protected]