cubicsquare

What happens when a cart is hacked? (Doesn't have to be CubeCart)


Hi there,

Just curious, and want to do some risk assessment - what are the risks in a shopping cart website application getting hacked?

What exactly tends to go wrong?

I'm not necessarily referring to CubeCart. I have tried to Google but didn't find what I was looking for.


"What exactly tends to go wrong?"

Additional code gets added to the application. This added code can <insert your worst nightmare scenario here>.

  • Like 1


OK, I think I have an idea what it entails now. I just googled a specific cart software and what happened when it got hacked.

I gather in a recent famous example (with another cart software), it's something to do with SQL databases being injected with code that steals card details.

So, my next question, apart from further pending answers to the first question:

Can't somebody create a Snapshot button so that when you're done uploading new inventory items, you press Snapshot, and that takes a snapshot of your entire shop's backend filing system, including the databases, so that anything new is rejected?

 

The risk would be, I suppose:

- Losing an entire inventory creation session because you forgot to Snapshot

- Hacker snapshotting what they have added (but at least it'd be easier to roll back the changes. In fact, every day you might be able to roll back to your last inventory creation session, so that anything not legit in between then and now, gets rolled back)

 

 

1 minute ago, bsmither said:

"What exactly tends to go wrong?"

Additional code gets added to the application. This added code can <insert your worst nightmare scenario here>.

Thank you, just seen your reply


There are multiple reasons for people wanting to gain access to websites, and especially those that take payments:

1) Install keyloggers or other software to capture credit card transaction information

2) Redirect payments, either full or partial away from the store owner to another source

3) Redirect traffic to other websites

  • Like 1

4 minutes ago, havenswift-hosting said:

There are multiple reasons for people wanting to gain access to websites, and especially those that take payments:

1) Install keyloggers or other software to capture credit card transaction information

2) Redirect payments, either full or partial away from the store owner to another source

3) Redirect traffic to other websites

Thanks, it all seems obvious now.

I just thought a hacked cart would be a broken cart but evidently not so.

 

 

So what do you think of my [obvious-as-hell] Snapshot button, as a means for counteracting these things?

 

Obviously it'd be wholly or partly dependent on the use of a very long checksum

Edited by cubicsquare
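
The snapshot-plus-checksum idea from the post above, as an added example (not part of the original thread and not CubeCart code): a hashed baseline of the shop's files, sealed with an HMAC key kept off the server so that a re-snapshot taken by someone without the key is detectable. The function names, file names and key are hypothetical and constructed for the demo; it covers files only, not database contents.

```python
import hashlib, hmac, json, os, tempfile

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return manifest

def seal(manifest, key):
    """HMAC the manifest so a baseline rewritten without the key is rejected."""
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def verify(root, manifest, tag, key):
    """Return (added, removed, modified) relative to a sealed baseline."""
    if not hmac.compare_digest(seal(manifest, key), tag):
        raise ValueError("baseline was altered or sealed with another key")
    now = snapshot(root)
    added = sorted(set(now) - set(manifest))
    removed = sorted(set(manifest) - set(now))
    modified = sorted(p for p in manifest if p in now and now[p] != manifest[p])
    return added, removed, modified

def demo():
    """Constructed shop tree: take a baseline, change files, then verify."""
    key = b"constructed-demo-key-kept-off-the-server"
    files = {"index.php": b"<?php // storefront",
             "includes/checkout.php": b"<?php // checkout v1"}
    with tempfile.TemporaryDirectory() as shop:
        os.mkdir(os.path.join(shop, "includes"))
        for rel, body in files.items():
            with open(os.path.join(shop, rel), "wb") as fh:
                fh.write(body)
        baseline = snapshot(shop)
        tag = seal(baseline, key)
        # Simulate changes made after the baseline (placeholder content only).
        with open(os.path.join(shop, "includes", "checkout.php"), "ab") as fh:
            fh.write(b" // unexpected extra line")
        with open(os.path.join(shop, "includes", "extra.php"), "wb") as fh:
            fh.write(b"<?php // file nobody uploaded")
        return verify(shop, baseline, tag, key)

if __name__ == "__main__":
    print(demo())
```
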


There is a product, Deep Freeze, that works on a per-system basis.

SQL Injection is a vector, not necessarily an end result. The end result is a polluted database that needs to be trashed and restored from backup.

  • Like 1

10 minutes ago, bsmither said:

There is a product, Deep Freeze, that works on a per-system basis.

SQL Injection is a vector, not necessarily an end result. The end result is a polluted database that needs to be trashed and restored from backup.

Can I have a link to Deep Freeze?

Also, do you think it's possible to completely erase mention of which cart you are actually using? (So that known exploits will still require a lot of legwork to find a website to use them on) Or would that take away end customer's trust in the transaction? And / or could a malicious user suss it out anyhow?

Edited by cubicsquare


3 minutes ago, cubicsquare said:

I just thought a hacked cart would be a broken cart but evidently not so.

Not at all - the "art" of a good hack is that it isn't discovered or obvious that it has happened. 99% of the hacking attempts we deal with on a daily (make that every minute) basis are pretty basic but even these sometimes get by with some websites / hosting companies who don't care about security!

There is a 4th

4) People that feel the need to show others that they can and have hacked a website for no other reason than they can - these tend to either be high end hackers that do it for the challenge or very low end script kiddies doing it to show off to their friends and feel big about themselves

3) These are the most common and generally exploit known and published security issues in common software where the owner hasn't kept the software up to date

2) Less commonly seen now but have in the past seen where a hacker simply changed the PayPal details for their own and took all payments for orders placed. More sophisticated methods changed the PayPal (or other payment gateways) to siphon off a small amount of each transaction hoping the store owner didn't notice a small difference

1) These are generally aimed at larger websites - think the British Airways hack of last year (see https://www.engadget.com/2019/07/08/british-airways-record-fine/ for details and the massive financial consequences) but plenty of other high profile hacks each month

5 minutes ago, cubicsquare said:

Also, do you think it's possible to completely erase mention of which cart you are actually using? Or would that take away end customer's trust in the transaction? And / or could a malicious user suss it out anyhow?

It is trivially easy to find out what system any website is using IF they are using an off the shelf package - don't think it has anything to do with customers having trust - most of them wouldn't have a clue what underlying system is being used.

  • Like 1


Thank you.

Another solution: use your current GPS as an authentication key in whatever security solution is used.

That way, you can quickly know if you were hacked because hopefully you would know where you were at a given time. Problem then would be if the last given time and place were just erased.

 

Maybe the malicious user will suss out your returns address is in a specific suburb of Bristol. OK so make sure never to authenticate GPS from that suburb, and set it to reject any updates done where you secure the update by authenticating from your returns address's GPS or near.

 

The list goes on and on. All about layers, I guess?!

Anyway, please let me know of any useful Snapshotting tools e.g. Deep Freeze or whatever, I'd like links please?

Edited by cubicsquare
