
Internet Fraud security discussion


Guest Brivtech

"BBC London was handed a document with credit card and customer details from over 300 customers hacked from an online store."

This was just what I heard on the telly next to me, followed by some rhetoric about the dangers of giving your credit card details over the internet. Bit of a dramatic, headline-grabbing news item, or is there some substance behind their concerns?

I think this opens an opportunity to discuss store security more, as there isn't really much in the way of topics on the subject here.

I provide internet systems to customers, and included in my priorities to my customers is security and law. One of the reasons why I use CubeCart is because I believe that it's a secure system - It's undergone a security audit, which closed a lot of holes that would otherwise have been open to hackers. Al started this campaign, and Martin made it a fine art.

I also use 256-bit SSL security on all my customers' sites, so it's practically impossible to do anything with the coded data stream.

I'm also encouraging my customers to use online payment gateways for payment processing - This way, the customer does not see the credit card details, just the payment, so if their system was hacked (or they have a dodgy member of staff looking to pay for a flight to the Cayman Islands after raiding the company pension account), no payment details could be used.

I'd like to discuss further ways that a small internet business could make their internet systems more secure.

In particular, I'd be interested in knowing more about the security auditing that CubeCart went through - Are there any guarantees from the audit? What does the auditing cover? What does the auditing not cover?

Over to you lot.


Well.... we were really pleased with the audit as they came back and told us that we already had some very good practices and suggested a few extra things to secure it further. It was also a great learning process so that we can code it stronger in the future. I believe it has also added value to the product.

It didn't come with any guarantees but (touch wood) so far not a single exploit has been found in CubeCart 4. ONLY the manual credit card capture module stores credit card data but it is stored with a strong mhash encryption method with a different key each time. This means it is safe on shared hosting or any hosting for that matter.

We often get sales tickets asking if CubeCart is PCI compliant. The reason it isn't is due to the fact we don't provide the hosting, so effectively we only provide half of what is needed to even do a PCI test.

Some major reworks are going on taking full advantage of PHP 5 which will make it even more secure and quite considerably more efficient.


Guest Brivtech

I just saw the patch issue - Interesting to see that no other security issues have been reported on CubeCart from the same source for about 2 years. That's gotta be a positive.


  • 2 weeks later...
Guest Brivtech

It seems that it's not just the security of online software we need to worry about, but also offline trojans: http://news.bbc.co.uk/1/hi/technology/7193993.stm

I thought that article was quite concerning, and fired up the virus scanner straight away.

Apart from Al, there's not been much response to this topic. I'm interested to know - Do you all consider strict security measures as overkill? Personally, it's something that I try and build in to my own systems wherever possible to prevent problems further down the line.


Any website on a shared server is susceptible to that, sadly. An insecure script on the same server can execute a command on the server which writes to files on other accounts, placing an iframe on the site which can infect the end user's computer.

No script is immune from this due to other bad code on the server. This is why things like basedir restrictions are good to have in place.

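
The basedir restriction mentioned in the post above, shown as an added example (this is not CubeCart code and not from the post's author). It assumes a Unix host where PHP runs with per-account configuration; the /var/www paths in the comments and the "shop-a"/"shop-b" directories the demo creates are hypothetical stand-ins for two accounts on one shared server.

```php
<?php
// Added example (not CubeCart code): confine a PHP script to its own
// account's tree with open_basedir, and probe that the confinement holds.
//
// The real setting belongs in the vhost or PHP-FPM pool, where a script
// cannot widen it (paths hypothetical):
//   Apache mod_php:  php_admin_value open_basedir "/var/www/shop-a/:/var/www/shop-a/tmp/"
//   PHP-FPM pool:    php_admin_value[open_basedir] = /var/www/shop-a/:/var/www/shop-a/tmp/
// At runtime a script may only ever narrow open_basedir, never relax it,
// which is what confine_to() below relies on.

declare(strict_types=1);

// True only if $path can actually be opened under the current open_basedir.
// Outside the allowed tree PHP emits "open_basedir restriction in effect"
// and the calls fail; the @ silences the warning so the bool is the result.
function readable_under_basedir(string $path): bool
{
    return @is_readable($path) && @file_get_contents($path) !== false;
}

// Narrow open_basedir to the caller's own tree plus one scratch directory.
// realpath() is used so symlinked temp dirs compare the same way PHP does.
function confine_to(string $ownTree, string $tmpDir): bool
{
    $own = (realpath($ownTree) ?: rtrim($ownTree, '/')) . '/';
    $tmp = (realpath($tmpDir) ?: rtrim($tmpDir, '/')) . '/';
    return ini_set('open_basedir', $own . PATH_SEPARATOR . $tmp) !== false;
}

// Demo: two sibling "accounts" under a scratch root, each with a config
// file. Confine this script to shop-a and show shop-b becomes unreadable.
$root  = sys_get_temp_dir() . '/basedir-demo-' . getmypid();
$mine  = "$root/shop-a";
$other = "$root/shop-b";
@mkdir("$mine/tmp", 0700, true);
@mkdir($other, 0700, true);
file_put_contents("$mine/config.php",  "<?php // shop-a database password\n");
file_put_contents("$other/config.php", "<?php // shop-b database password\n");

printf("before confinement, read sibling config: %s\n",
    readable_under_basedir("$other/config.php") ? 'yes' : 'no');

confine_to($mine, "$mine/tmp");

printf("after confinement, read own config:      %s\n",
    readable_under_basedir("$mine/config.php") ? 'yes' : 'no');
printf("after confinement, read sibling config:  %s\n",
    readable_under_basedir("$other/config.php") ? 'yes' : 'no');
```

Run it with `php basedir-demo.php`; the sibling's config is readable before confinement and not after. The important caveat is the one the comments state: set the value in the vhost or pool, not in the application, because a compromised script can only tighten open_basedir, and it is the other, badly written script on the same box that needs confining, not your own.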

  • 3 weeks later...
Guest webmonster

Credit card fraud is expanding day by day not only online but also offline. So it is very important to ensure that your transaction is performed in your presence every time you buy something. Always check your card once the cashier returns it to you, and make sure that it is really yours and has not been tampered with.


Guest Brivtech

Good point indeed. I actually lost a potential customer recently because he was so paranoid about online fraud, and considered that almost every transaction he had would be charged back, so he decided the internet was not for him.

There's been a LOT of articles on the BBC this week about this, mostly prompted by the InfoSecurity Europe exhibition, which I went to earlier in the week to see if I could further my growing knowledge on compliance and security. To be honest, I was disappointed that no-one from the payment card industry or representing the law was there.

Mostly security-based hardware systems (for web hosts, drive encryption, security logging, etc.), and loads of security companies who provide services such as penetration testing, etc. But there were one or two software systems of great interest, which provided very good management of attached hardware devices, preventing someone plugging in a USB stick and downloading the customer database for instance, or encrypting downloaded data with a key, so only someone with the same key can later open the file, no matter whether the file has been copied or not.

I'm not going to write up a full report of the show here, but suffice to say, many of the things that the security companies want to charge 1000s for, CubeCart has already got built into its structure. Bloody well done Al and Martin and everyone else on the development team.

So, after a spate of my own security investigations, I can see weaknesses in the following areas (Not necessarily related to CubeCart):

1. Access to credit card details - If you're doing manual payment processing, this will in most cases be breaching PCI compliance guidelines. Using a Payment Gateway Provider over a secure connection, where you do not see the credit card details, is definitely best. The credit card companies are now issuing large fines to any business who (a) has over a certain turnover level and does not meet PCI compliance, and (b) under that turnover lets sensitive information be stolen or misused.

My advice if you're doing manual credit card payments, is to delete the card details immediately after the transaction, and shred any paperwork with the CVV code written or printed on it.

:) Al and Martin, it may be worthwhile improving the security on the manual credit card processing function by:

- Making admin re-authenticate by having to re-enter their password. This would help prevent access by an unauthorised user while the authorised user has popped out to the loo, or to make a cuppa, with the time that the details are on screen limited to a few minutes.

- A limit to the age of the card data after it's been viewed, and purging of the data when the order is completed.

2. Data access - Several people sharing the same login account (CubeCart, Hosting, Email, etc.), weak passwords, poorly set up shared hosting.

3. Data distribution - Policies should be in place for who gets to access what information. CubeCart does a reasonable job of this, but perhaps the system could be improved in the future to better make use of a policy-based system, rather than manually specifying who gets what permission: all those different permission settings can be overwhelming for most people.

4. Other applications on the server which can provide a back-door. CubeCart is pretty much secure, and I just saw a site that had a Hackersafe badge, so that's reassurance. However, many other systems are not so safe (blogs, forums, slideshows, etc.), and there may be new security vulnerabilities against CubeCart in the future.

5. Out of date software - Opens yourself to exploits. As obvious as this may be, I had a meeting last Tuesday with a new customer who was running Internet Explorer 5. I'd hate to know how many viruses, trojans, worms, etc. he's got on his hard drive. Suffice to say, my website didn't work, and he was surprised that he needed to upgrade, even saying "It's been working okay, why do I need to upgrade?"!

Ignorance is no defence against breaking the law, or letting hackers spoil your website.

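
The two manual-capture suggestions in the post above (a password re-prompt before card data is shown, and purging the data by age or on order completion), worked through as an added example. This is not CubeCart's code and not the poster's; the `card_capture` table, its columns, the `card_reauth_at` session key and the timing constants are all hypothetical, and the demo uses an in-memory SQLite database via PDO so it runs without a MySQL server.

```php
<?php
// Added example (not CubeCart code): step-up re-authentication before card
// data is displayed, plus a purge by view-age or order completion.
// Table card_capture, its columns and the session key are hypothetical.

declare(strict_types=1);

const REAUTH_WINDOW = 300;   // seconds a fresh password entry stays valid
const CARD_VIEW_TTL = 600;   // seconds card data may survive after first view

// True if the admin must type their password again before card data is shown.
// The session only records when the password was last verified; a missing or
// stale stamp means "ask again", so a session left open on an unattended
// screen cannot be used to pull up card numbers.
function needs_reauth(array $session, int $now): bool
{
    $at = $session['card_reauth_at'] ?? 0;
    return ($now - $at) > REAUTH_WINDOW;
}

// Check the password against the stored hash and, only on success, stamp the
// session. A wrong password leaves the session untouched.
function reauthenticate(array &$session, string $password, string $storedHash, int $now): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    $session['card_reauth_at'] = $now;
    return true;
}

// Record the first time the data was shown to an admin, starting the TTL clock.
function mark_viewed(PDO $db, int $orderId, int $now): void
{
    $stmt = $db->prepare('UPDATE card_capture SET viewed_at = :now
                           WHERE order_id = :id AND viewed_at IS NULL');
    $stmt->execute([':now' => $now, ':id' => $orderId]);
}

// Blank the card field once the order is complete, or once the data has sat
// longer than CARD_VIEW_TTL after it was first viewed. Returns rows purged.
// Run this from the order-completion path and from a scheduled job, so the
// age limit holds even if nobody completes the order.
function purge_card_data(PDO $db, int $now): int
{
    $stmt = $db->prepare(
        'UPDATE card_capture
            SET card_blob = NULL, purged_at = :now
          WHERE card_blob IS NOT NULL
            AND (order_status = :done
                 OR (viewed_at IS NOT NULL AND viewed_at < :cutoff))'
    );
    $stmt->execute([':now' => $now, ':done' => 'complete', ':cutoff' => $now - CARD_VIEW_TTL]);
    return $stmt->rowCount();
}

// Demo with constructed data: three captures, one already complete.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE card_capture (
             order_id INTEGER PRIMARY KEY, order_status TEXT,
             card_blob BLOB, viewed_at INTEGER, purged_at INTEGER)');
$db->exec("INSERT INTO card_capture VALUES
             (1, 'processing', 'enc:aaaa', NULL, NULL),
             (2, 'complete',   'enc:bbbb', NULL, NULL),
             (3, 'processing', 'enc:cccc', NULL, NULL)");

$session = [];
$hash    = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$t0      = 1000000;

printf("prompt on first visit:        %s\n", needs_reauth($session, $t0) ? 'yes' : 'no');
reauthenticate($session, 'wrong password', $hash, $t0);
printf("prompt after wrong password:  %s\n", needs_reauth($session, $t0) ? 'yes' : 'no');
reauthenticate($session, 'correct horse battery staple', $hash, $t0);
printf("prompt just after re-auth:    %s\n", needs_reauth($session, $t0 + 10) ? 'yes' : 'no');
printf("prompt once window has lapsed: %s\n", needs_reauth($session, $t0 + REAUTH_WINDOW + 1) ? 'yes' : 'no');

mark_viewed($db, 1, $t0);   // admin opens order 1's card data at t0
printf("purged at t0:        %d\n", purge_card_data($db, $t0));
printf("purged at t0+TTL+1:  %d\n", purge_card_data($db, $t0 + CARD_VIEW_TTL + 1));
```

Two design points worth noting. The re-auth stamp lives in the session, not in a cookie or hidden form field, so the only way to refresh it is to pass `password_verify()`. And setting the blob to NULL is a logical delete; on a real MySQL host the old value may persist in binary logs and backups, so the purge has to be paired with the retention policy for those as well.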

Great!! Sounds like you got lots out of it and we will certainly take on board your thoughts about improving manual card capture security. PCI is something that comes up regularly on the sales desk. I know quite a few of our competitors have guidelines about how you can make their software PCI compliant, so I certainly want to do this. Being unhosted, sadly we can't make CC PCI compliant from the get-go.



Guest ITechWest

Al,

Have you thought about incorporating a voice verification system like many hosting billing systems use? If so, I would recommend that this is done only once during account registration, not per sale.

I know that some will see this as another needless step, but as an optional mod, I would not mind having it. For some businesses this would be good, while others may not need it.


Yeah, indeed it is something I have thought about. It could have a threshold so that it only comes into play for orders over, say, $300 or whatever the store admin sets it at. I doubt it is for the masses, but it would be a good feature, which I believe is already on the roadmap for sometime in the future.

Our site has ~5% fraud rate for purchases which is very high and I've considered implementing a system like it myself.


Guest ITechWest

It has played a part in fraud prevention on my hosting site, that is for sure.

On a side note, when you get a chance Al... ask Milos about the ticket I had this morning. I have brought up that we are going to work with www.changeroundup.com to integrate in our cart.


Guest ITechWest

I'll keep you in the loop and will probably be coming to you guys this week as we work on the coding.

I have some contact info requests from them for you, can you email me...


  • 2 months later...
Guest Boniknik

:) Hello, I just want to let everybody know that one of my client's store using cubecart 4.2.2 was able to pass the PCI compliance test with (McAfee) hackersafe.com. There were only 2 vulnerabilities on the first scan of the cubecart store/website but they were resolved easily by just commenting out some alerts like the security warning on ini.inc.php and the mysql error disclosure on classes/db/db.php.

A lot of the vulnerabilities on the scans were not about cubecart but the host's configuration/settings, but we just transferred the cubecart store on a PCI compliant host/server and everything is now PCI compliant.

So if any of you are wondering if cubecart is PCI compliant, I guess the answer would be yes, since the alerts on cubecart can be commented out; they are not important anyway when the site is already live and tested. :)

I will not mention the website and the host that my client is using, because this post might appear like an advertisement, but if anyone is curious and wants to know, you can PM me and I'll tell you.

Cheers for cubecart!

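
The "mysql error disclosure" finding in the post above is a database error message echoed into the HTTP response. Commenting the output out makes the scanner happy; the version a practitioner wants keeps the detail, but in the server log rather than the page. The example below is added here and is not code from CubeCart's classes/db/db.php or from the poster: it shows the disclosing pattern next to a hardened one, using PDO against an in-memory SQLite database (a deliberately missing table is the constructed failure) so it runs without MySQL.

```php
<?php
// Added example (not CubeCart code): a database error that leaks to the
// visitor, beside the hardened form that logs it and shows only a reference.
//
// Belt and braces for a live store, in php.ini or the pool config, so stray
// warnings and notices never reach the page either:
//   display_errors = Off
//   log_errors     = On

declare(strict_types=1);

// Disclosing pattern: the raw driver message (which can carry table names,
// the failing SQL fragment, even a host name) becomes part of the response.
// This is the shape a PCI scanner flags as error disclosure.
function query_disclosing(PDO $db, string $sql): array
{
    try {
        return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        exit('MySQL error: ' . $e->getMessage());
    }
}

// Hardened pattern: same failure, but the detail goes to the server log
// keyed by a random reference, and the visitor sees only that reference.
// Support can match the reference to the log line; an attacker learns nothing.
function query_hardened(PDO $db, string $sql): array
{
    try {
        return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        $ref = bin2hex(random_bytes(4));
        error_log(sprintf('[db %s] %s | sql=%s', $ref, $e->getMessage(), $sql));
        if (!headers_sent()) {
            http_response_code(500);
        }
        exit("A database error occurred (ref $ref). Please try again later.");
    }
}

// Demo: query a table that does not exist. On the CLI error_log() writes to
// stderr (or the configured error_log file), so the detail and the generic
// message are visibly separated. Swap in query_disclosing() to see the leak.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
query_hardened($db, 'SELECT * FROM orders_missing WHERE order_id = 1');
```

The same split applies to the other scanner finding mentioned, a security warning printed by an include file: anything that tells an outsider which file ran, which version is installed or which setting is wrong belongs in the log, and the page should say nothing more than "something failed, quote this reference".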
