Locking down your web storefront
Techtarget web chat, April 2002
David Strom
e-Commerce security 101
• Make sure you protect your enterprise network from intrusion
• Limit user access, isolate servers, lock down scripts, harden servers
• See www.nwfusion.com/netresources/0202hack1.html

Outline
• Database issues
• Payments and payment processing issues
• Evaluating Commerce Service Providers
• Preventing credit card fraud
• Privacy issues for consumers
Database issues
• Understand the security weaknesses and access controls of local database users
• Understand web/database interaction from a security perspective
• Understand proxy server attacks (à la Adrian Lamo)
• Block those CGI scripts!
• Who is root, and what can they really do?
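The web/database interaction point above is easiest to see with the query pattern that hand-written CGI scripts of the period used: pasting a request parameter straight into SQL text. The following is an added Python example, not code from the slides or from any product named on them; the customer table, the user names and the injection string are constructed for the demonstration, and SQLite stands in for whatever database the store runs.

```python
import sqlite3

# Constructed sample data for a storefront customer table (not from the slides).
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database standing in for the store's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The CGI-script pattern: the request parameter is pasted into SQL text.

    Input such as  x' OR '1'='1  rewrites the WHERE clause instead of being
    compared against it, so every customer row comes back.
    """
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Same query with a bound parameter: the value is never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM customers WHERE username = ?", (username,)
    ).fetchall()


def injection_demo() -> dict:
    """Run both lookups against a benign name and an injection string."""
    conn = make_db()
    probe = "x' OR '1'='1"
    return {
        "vulnerable_alice": lookup_vulnerable(conn, "alice"),
        "vulnerable_probe": lookup_vulnerable(conn, probe),
        "parameterized_probe": lookup_parameterized(conn, probe),
    }


if __name__ == "__main__":
    for name, rows in injection_demo().items():
        print(f"{name}: {rows}")
```

The parameterized lookup is the fix for the script; the "who is root" question on the slide is the companion fix for the database side: the account the web tier connects with should only be able to read and write the tables the storefront needs, so that an injection which does get through cannot reach the rest of the schema.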
Common mistakes with payment processing
• Providing too few or too many order confirmation pages
• Confusing methods and misplaced buttons on the order page
• Making it hard for customers to buy things
• Making your customers read error screens
A taxonomy of bygone web payment approaches
(The original slide is a decision tree; only its labels survive in the text, and the branching cannot be fully recovered.)
• Decision points: transmit the "16+4" (16-digit card number plus 4-digit expiration) over the Internet? buyer encrypts? buyer signs? merchant decrypts? buyer confirms? synchronous?
• Approaches placed on the leaves: S-HTTP, PGP, SSL, plaintext, CyberCash, SET, GlobeID, eCash, VirtualPIN
Why didn't they work?
• Too complex to implement
• Too much infrastructure required
• Not many stores accepted their kind of money
• Too many other technical challenges
ConEd bill payments
• ConEd claimed it needed 100,000 customers to break even
• https://m020w5.coned.com/csol/main.asp
• Note the lack of security: anyone with a valid account number can see your bill! Try acct no. 434117168910006
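The ConEd weakness above is the general case of a record being fetched by an identifier the visitor supplies, with no check that the visitor is entitled to it. The following is an added Python example, not code from the slides or from ConEd's site; the account numbers, owners and bill amounts are constructed, and the login session is reduced to a user name so the check itself is visible.

```python
from typing import Optional


class AccessDenied(Exception):
    """Raised when a bill is requested that the logged-in user does not own."""


# Constructed sample data standing in for the utility's customer records
# (not real ConEd accounts).
ACCOUNT_OWNERS = {"acct-1001": "alice", "acct-1002": "bob"}
BILLS = {
    "acct-1001": {"amount_due": 84.12, "service_address": "1 Main St"},
    "acct-1002": {"amount_due": 132.50, "service_address": "2 Elm St"},
}


def view_bill_vulnerable(account_no: str) -> dict:
    """The pattern on the slide: the account number is the only key.

    No login, no ownership check. Anyone who has or guesses a valid
    account number reads that customer's bill.
    """
    return BILLS[account_no]


def view_bill_checked(session_user: Optional[str], account_no: str) -> dict:
    """Bind the requested record to the authenticated identity."""
    if session_user is None:
        raise AccessDenied("login required")
    # Fail closed, and do not tell the caller whether the account exists.
    if ACCOUNT_OWNERS.get(account_no) != session_user:
        raise AccessDenied("account not found or not yours")
    return BILLS[account_no]


def is_denied(session_user: Optional[str], account_no: str) -> bool:
    """Report the access-control outcome as a boolean (used for checking)."""
    try:
        view_bill_checked(session_user, account_no)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    print("no check:", view_bill_vulnerable("acct-1002"))
    print("alice, own bill:", view_bill_checked("alice", "acct-1001"))
    print("alice, bob's bill denied:", is_denied("alice", "acct-1002"))
```

The ownership lookup must key on the identity established at login, never on anything else in the request; an account number in a cookie or hidden form field is no better than one in the URL.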
So what payment instrument to use today?
• SSL
• Credit cards
• eWallets/SET
• CyberCash and other payment gateways
• Commerce Service Providers' payment systems
• 1-Click service providers

All providers are not the same
• Compare services
  – Which cards do they authorize?
  – Do they provide electronic check services?
  – Do they provide check guarantee services?
• Compare prices
  – Start-up fees
  – Monthly discount fees
  – Other service fees (per transaction)
  – Statement generation fees

Evaluating providers
• Do they offer storefront design?
• Do they have in-house programmers?
• Will they host your own web server machine?
• How many payment systems do they support?
• What kinds of accounting reports do they offer?
Preventing credit card fraud
• Don't accept orders unless a full address and phone number are present
• Be wary of different "bill to" and "ship to" addresses
• Be careful with orders from free email services
• Be wary of orders that are larger than the typical amount
• Pay extra attention to international orders

Credit card fraud, cont'd
• When in doubt, call the customer to confirm the order
• Use software or services to fight fraud
• When you've found fraud, contact your merchant bank immediately
• See www.scambusters.org/Scambusters23.html
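The two fraud slides above amount to a screening rule set: one hard rule (no full address and phone, no order) and several warning signs that, taken together, justify calling the customer. The following is an added Python example, not code from the slides or from any fraud service; the list of free e-mail domains, the home country, the "larger than typical" multiplier and the two-flag call threshold are assumptions chosen for the demonstration, and the sample orders are constructed.

```python
from dataclasses import dataclass, field
from typing import List

# Assumed free e-mail domains; the slides name none, so this list is illustrative.
FREE_EMAIL_DOMAINS = {"hotmail.com", "yahoo.com", "mail.com"}
# Assumed home country of the store and "larger than typical" multiplier.
HOME_COUNTRY = "US"
LARGE_ORDER_MULTIPLIER = 2.0
# Assumed policy: two or more warning signs means call the customer first.
CALL_THRESHOLD = 2


@dataclass
class Order:
    amount: float
    email: str
    phone: str
    bill_to: str
    ship_to: str
    country: str


@dataclass
class Screening:
    decision: str  # "accept", "call customer" or "reject"
    flags: List[str] = field(default_factory=list)


def screen_order(order: Order, typical_amount: float) -> Screening:
    """Apply the slides' fraud heuristics to one order."""
    # Hard rule: no full address and phone number, no order.
    if not (order.phone.strip() and order.bill_to.strip() and order.ship_to.strip()):
        return Screening("reject", ["missing address or phone number"])

    flags = []
    if order.bill_to.strip().lower() != order.ship_to.strip().lower():
        flags.append("bill-to differs from ship-to")
    domain = order.email.rsplit("@", 1)[-1].lower()
    if domain in FREE_EMAIL_DOMAINS:
        flags.append("free e-mail service")
    if order.amount > LARGE_ORDER_MULTIPLIER * typical_amount:
        flags.append("larger than typical order")
    if order.country.upper() != HOME_COUNTRY:
        flags.append("international order")

    decision = "call customer" if len(flags) >= CALL_THRESHOLD else "accept"
    return Screening(decision, flags)


# Constructed sample orders (not real customer data).
SAMPLE_ORDERS = {
    "routine": Order(45.0, "pat@corp.example", "212-555-0100",
                     "1 Main St, NY", "1 Main St, NY", "US"),
    "suspicious": Order(480.0, "buyer99@hotmail.com", "555-0199",
                        "1 Main St, NY", "9 Drop Ln, Anytown", "RO"),
    "incomplete": Order(60.0, "pat@corp.example", "",
                        "1 Main St, NY", "1 Main St, NY", "US"),
}


def screen_samples(typical_amount: float = 50.0) -> dict:
    """Screen every sample order against an assumed typical order size."""
    return {name: screen_order(o, typical_amount) for name, o in SAMPLE_ORDERS.items()}


if __name__ == "__main__":
    for name, result in screen_samples().items():
        print(f"{name}: {result.decision} {result.flags}")
```

Each warning sign on its own is common in legitimate orders (gifts ship elsewhere, plenty of honest customers use free e-mail), which is why the example only escalates on a combination; the thresholds are the part a store should tune from its own chargeback history rather than copy.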
Privacy issues for the consumer
• Most people just want to be asked for their permission
• Your customers don't object much if you use their information to sell them other products you offer
• But many object if you sell or rent their names to someone else

Conclusions and questions
David Strom, Senior Technology Editor, VAR Business magazine
david@strom.com