Title: Locking down your web storefront
1. Locking down your web storefront
- Techtarget web chat
- April 2002
- David Strom
2. eCommerce security 101
- Make sure you protect your enterprise network from intrusion
- Limit user access, isolate servers, lock down scripts, harden servers
- See www.nwfusion.com/netresources/0202hack1.html
3. Outline
- Database issues
- Payments and payment processing issues
- Evaluating Commerce Service providers
- Preventing credit card fraud
- Privacy issues for consumers
4. Database issues
- Understand security weaknesses and access controls of local database users
- Understand web/database interaction from a security perspective
- Understand proxy server attacks (à la Adrian Lamo)
- Block them CGI scripts!
- Who is root and what can they really do?
5. Common mistakes with payment processing
- Provide too few or too many order confirmation pages
- Confusing methods and misplaced buttons on order page
- Make it hard for customers to buy things
- Don't make your customers read error screens
6. A taxonomy of bygone web payment approaches
[Decision-tree diagram; only its labels survived extraction. Decision nodes, each with yes/no branches: "transmit 164 over the Internet?", "buyer encrypts?", "buyer confirms?", "synchronous?", "merchant decrypts?", "buyer signs?". Leaf systems: plaintext, eCash, CyberCash, SET, GlobeID, VirtualPIN, SSL, S-HTTP, PGP.]
7. Why didn't they work?
- Too complex to implement
- Too much infrastructure
- Not too many stores took their kind of money
- Too many other technical challenges
8. ConEd bill payments
- Claim they needed 100,000 customers to break even
- https://m020-w5.coned.com/csol/main.asp
- Note lack of security: anyone with a valid account number can see your bill! Try acct no. 434117168910006
9. So what payment instrument to use today?
- SSL Credit cards
- eWallets/SET
- Cybercash and other payment gateways
- Commerce Service Providers payment systems
- 1-Click service providers
10. All providers are not the same
- Compare services
  - Which cards do they authorize?
  - Do they provide electronic check services?
  - Do they provide check guarantee services?
- Compare prices
  - Start-up fees
  - Monthly discount fees
  - Other service fees (per transaction)
  - Statement generation fees
11. Evaluating providers
- Do they offer storefront design?
- Have in-house programmers?
- Hosting of your own web server machine?
- How many payment systems do they support?
- What kinds of accounting reports do they offer?
12. Preventing credit card fraud
- Don't accept orders unless full address and phone number present
- Be wary of different "bill to" and "ship to" addresses
- Be careful with orders from free email services
- Be wary of orders that are larger than typical amount
- Pay extra attention to international orders
13. Credit card fraud, cont.
- When in doubt, call the customer to confirm the order
- Use software or services to fight fraud
- When you've found fraud, contact your merchant bank immediately
- See www.scambusters.org/Scambusters23.html
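The warning signs from the two fraud slides, turned into a simple order-screening routine. This is an added example, not code from the talk or from any provider it names; the free-mail domain list, the home country, the "three times the median past order" threshold and the sample orders are all constructed assumptions.

```python
from statistics import median

# Assumptions for this example (not from the talk): a short list of free
# e-mail providers, the merchant's home country, and an "unusual amount"
# threshold of three times the median of past orders.
FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com", "aol.com"}
HOME_COUNTRY = "US"
AMOUNT_MULTIPLIER = 3
ADDRESS_KEYS = ("street", "city", "country")


def fraud_flags(order: dict, past_amounts: list) -> list:
    """Return the slide's warning signs that apply to one order dict."""
    flags = []
    # Full address and phone number must be present.
    if not order["phone"].strip() or not all(order["bill_to"].get(k) for k in ADDRESS_KEYS):
        flags.append("incomplete_contact")
    if order["bill_to"] != order["ship_to"]:
        flags.append("bill_ship_mismatch")      # different "bill to" and "ship to"
    if order["email"].rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS:
        flags.append("free_email")              # order from a free e-mail service
    if past_amounts and order["amount"] > AMOUNT_MULTIPLIER * median(past_amounts):
        flags.append("unusual_amount")          # larger than the typical order
    if order["ship_to"].get("country", "").upper() != HOME_COUNTRY:
        flags.append("international")           # international order
    return flags


def decide(flags: list) -> str:
    """Map the flags to the slide's advice."""
    if "incomplete_contact" in flags:
        return "reject"            # don't accept without full address and phone
    if len(flags) >= 2:
        return "call_customer"     # when in doubt, call the customer to confirm
    return "review" if flags else "accept"


# Constructed sample data (not real customers or real order history).
PAST_AMOUNTS = [40.0, 55.0, 60.0, 75.0, 90.0]   # median 60 -> threshold 180
HOME = {"street": "1 Main St", "city": "Springfield", "country": "US"}
ABROAD = {"street": "5 Rue Neuve", "city": "Brussels", "country": "BE"}
SAMPLE_ORDERS = {
    "clean": {"email": "pat@example.com", "phone": "555-0100",
              "bill_to": HOME, "ship_to": HOME, "amount": 65.0},
    "suspect": {"email": "buyer99@hotmail.com", "phone": "555-0199",
                "bill_to": HOME, "ship_to": ABROAD, "amount": 950.0},
}

if __name__ == "__main__":
    for name, order in SAMPLE_ORDERS.items():
        flags = fraud_flags(order, PAST_AMOUNTS)
        print(f"{name}: {flags} -> {decide(flags)}")
```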
14. Privacy issues for the consumer
- Most people just want to be asked for their permission
- Your customers don't object so much if you use their information to sell them other products you may offer
- But many object if you sell or rent their names to someone else
15. Conclusions and questions
- David Strom
- Senior Technology Editor
- VAR Business magazine
- david_at_strom.com