The Internet

Openly Published e-Commerce Security Precautions? 101

zCyl asks: "When I went to purchase a SCSI card online a while back, I went to a dealer that I had heard was reputable. Then a little later they were purchased by Egghead, and I was added to the Egghead database and I unwittingly became one of the millions of customers who were notified that the Egghead database containing their information had been compromised. How are those of us who do understand computer security and could evaluate the security of an e-commerce site supposed to determine the security of the sites we purchase products from? Are there any existing e-commerce sites that openly publish the precautions and security measures they take to ensure the safety of the information I entrust to them while making a purchase?"

  • by Anonymous Coward
    99.9% of the e-commerce sites don't give a flying fuck about security. They want your money, they want profits, end of story.

    Your security is not their concern. Deal with it.

    The only way they'll change their ways is when pressure is brought to bear by the CC companies themselves. That will happen, but slowly. As more and more online CC fraud occurs, the CC companies will (1) raise their rates to cover fraud/chargebacks, and (2) start setting minimum security requirements.

    In the meantime, some Russian hax0r is buying pr0n with your CC. Or at least that's what you'll tell your wife when she sees the bill.

  • by Anonymous Coward
    What's he looking for?

    Their name on Slashdot, of course.

  • by Anonymous Coward
    I am responsible for security at a large ASP; apart from project work it is the only thing I do. I find a distinct resistance from management to security initiatives I devise, and it is really a fight cause it costs. Sites I do lock down are audited for clients by tiger teams who report on the site's security. Ho hum, so what. It didn't really matter how well I could secure the OS part; there are still so many points for attacks to take place. Network admins so often tout that a network is secure simply because it is switched, which I find to be naive considering the tools available. Security is an uphill battle and people's attitudes make it harder. I think the ASP model is flawed from a client's perspective due to the bulk and range of attacks launched on a daily basis and the cost involved in constantly defending against such attacks. The more complex these ASPs become, the more vulnerable they become. How secure can I make my site? How much money do you have, sir? You cannot guarantee what is out of your control. Commerce will always be vulnerable to fraud; that is the nature of commerce. Internet sites will always be vulnerable to hackdown; the question is how vulnerable, and how will you mitigate the risk. I think I used one of my CC#s once online, cause I really had to. I check the monthly statements (as you do) and have a low limit on that card. Caveat emptor.
  • by Anonymous Coward
    Just a few ramblings from my side of the desk:

    AMEX Private Payments is a system in which you get a one-time-use number/exp date credit card number. All payments show up on your regular AMEX bill, but you give the merchant a different CC num and exp date.

    I've used AMEX's Private Payments over a dozen times online, and it's worked beautifully every time. They have software for Windows that can autofill forms and authenticate you via a smartcard. But, for those of us running under other OSes, they have a web page that gives out the numbers. Really easy to use. I just double click on the number, drag and drop it onto the merchant's webform. I do have to manually select the exp date, but that is always the end of the current month.

    If you have an AMEX card, try using it. Saves time and limits your exposure to fraud. It also lowers the bogus charges to AMEX, so it saves them (and to a small extent me) money.

    I sometimes wonder why we are in this mess to begin with. Merchants should _never_ _ever_ store your CC number online. I don't care if they claim it is for 'ease of use' or 'security'. Use the realtime CC submit, and just hang onto the transaction number. Most merchant processors support the use of just the transaction number or authorisation number to finalize the payment.

    By the way, we could have one-time payments already, but SET [setco.org] got bogged down in technical details and tried to do too much at once. Shame SET never got a chance to get up and running, but it required too many infrastructure changes. Every CC user (you and me) had to get a digital certificate for our CC. It's kind of like X.500, too bloated and complex. I hope we would see a SET trimmed down to the needs, like LDAP trimmed down X.500.

    I work for an industrial computing manufacturer. We have millions of dollars of parts, inventory, and equipment around. Every year, in order to maintain our insurance, we have a physical audit at an unannounced time.

    I've been chatting with some of my friends about the whole CC on the internet mess, and I can tell you that merchant contracts are going to be stiffened up for online transactions ('card not present'). Most will have to get randomly audited on an IT/computer security level, plus new restrictions on keeping the number 'on file'.

    99% of merchants won't be able to qualify for 'on file' status unless they are using secured OS where the number never leaves the machine, but external machines can ask for it to be used or validated. Visa will also be planting 'fake' numbers in the database, some the company will know about, some it won't. If transactions start showing up on these fake numbers, heads start to roll if the merchant didn't inform Visa ahead of time.

    On average, it costs a credit card company over 50 dollars to sort out the damage of a stolen number. Not only in reissuing a new card, but in stopping all the fraudulent transactions. Under the plan for the new rules, these costs would be thrown onto the merchant whose systems got cracked and the CC numbers gotten from. They would be charged a set fee per number that they ever have had on file, plus they would be required to pay for the fraudulent charges that the crackers ring up. My guess is that few vendors will keep numbers around, or use a more secure backend online payment provider (YahooStore, etc).

    Next Week: Privacy and Money, why didn't Chaum and ecash survive.

    thanks
    dunk

  • There is no reason to use credit card numbers to authenticate transactions.

    As it is, right now vendors need to keep credit card numbers on file as part of their receipt of a credit card transaction. Forcing vendors to keep this information until the transaction completes (which would normally be a complete payment cycle) is an invitation for disaster.

    Ideally, credit card numbers would accept a hash of the credit card number, the vendor number, a transaction identifier, and maybe even the amount and date. It would be virtually impossible for anyone to pull anything useful out of this hash, but this hash could be used by the consumer, vendor, and credit card company to authorize and authenticate transactions.

    Taken to the next logical step, web browsers could be configured to generate these e-commerce hashes, in which case web consumers could be guaranteed that a vendor didn't know their credit card number at all.

    Credit card companies could even supply two cards, one with a number printed on the front and one without. For the majority of in-person credit card transactions nowadays, there is no need to publish your credit card number on the card when most restaurants and stores use a bar code or magnetic strip reader built into their registers. There is much less chance of some teenager at the pizza joint making a carbon copy of your CCN if it is only on a magnetic strip. Sure it is not totally fraud proof, but it raises the expense and complexity of stealing your credit card, saving the credit card companies tens or hundreds of millions of dollars in fraudulent charges.

  • Heh -- I put together a system for doing that a few years ago as part of a University research product. Never finished the writeup, but I've got dated papers (might prove useful as prior art).

    My scheme worked roughly as follows (it's been a few years, so I may be missing things):

    Each consumer is given a hardware device which contains a public value, a private value and a counter (for the number of times it's been used). Each transaction contains, in cleartext, the public number and the amount. It also contains a one-way hash of the private number, the amount and the usage counter.

    To verify, the bank runs through a series of hashes made up of the private number (looked up from the pub#), the amount and last 20 (or so) possible unused usage counter values. Get a match, and it's good.

    The number had to be something like 26 digits to provide decent security, longer being better of course, but it worked. I still have the prototype software around somewhere.
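Added example, not the poster's prototype (which was never published here): a Go implementation of the counter-based scheme above, which also realises the earlier suggestion in this thread that a per-transaction hash, rather than the card number, be what consumer, vendor and card company exchange. HMAC-SHA256 stands in for the unspecified one-way hash; the names `Device`, `Issuer`, `window`, the id `pub-0001` and the sample private number are this example's assumptions. The issuer keeps a sliding window of 20 unused counter values per public number, so tokens may arrive out of order (merchants batch submissions) but never twice, and since the amount is under the hash a token whose amount was altered in transit fails too.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Device models the consumer's hardware token from the post: a public
// number, a private number that never leaves the device, and a usage
// counter. All names and sample values in this file are this example's.
type Device struct {
	PubID   string
	private []byte
	counter uint64
}

// Token is emitted per transaction: public number and amount in the clear,
// plus a one-way hash over the private number, the amount and the counter.
// HMAC-SHA256 stands in for the post's unspecified one-way hash.
type Token struct {
	PubID  string
	Amount uint64 // cents
	Proof  string // hex(HMAC-SHA256(private, "amount|counter"))
}

func proof(private []byte, amount, counter uint64) []byte {
	mac := hmac.New(sha256.New, private)
	fmt.Fprintf(mac, "%d|%d", amount, counter)
	return mac.Sum(nil)
}

func NewDevice(pubID string, private []byte) *Device {
	return &Device{PubID: pubID, private: private}
}

// Pay advances the usage counter and produces the token for one payment.
func (d *Device) Pay(amount uint64) Token {
	d.counter++
	return Token{d.PubID, amount, hex.EncodeToString(proof(d.private, amount, d.counter))}
}

// Issuer (the bank) keeps each private number, looked up by public number,
// the lowest counter value not yet redeemed, and the redeemed values above
// it, so tokens may arrive out of order but a replay is always rejected.
type Issuer struct {
	secrets map[string][]byte
	low     map[string]uint64
	used    map[string]map[uint64]bool
}

const window = 20 // unused counter values the issuer will try, as in the post

func NewIssuer() *Issuer {
	return &Issuer{map[string][]byte{}, map[string]uint64{}, map[string]map[uint64]bool{}}
}

func (b *Issuer) Register(pubID string, private []byte) {
	b.secrets[pubID] = private
	b.low[pubID] = 1 // a device's first payment uses counter 1
	b.used[pubID] = map[uint64]bool{}
}

// Verify recomputes the hash for each unused counter value in the window and
// accepts on a constant-time match, marking that value redeemed.
func (b *Issuer) Verify(t Token) (ok bool, counter uint64) {
	priv, known := b.secrets[t.PubID]
	want, err := hex.DecodeString(t.Proof)
	if !known || err != nil {
		return false, 0
	}
	used, low := b.used[t.PubID], b.low[t.PubID]
	for c := low; c < low+window; c++ {
		if used[c] || !hmac.Equal(proof(priv, t.Amount, c), want) {
			continue
		}
		used[c] = true
		for used[b.low[t.PubID]] { // slide the window past redeemed values
			delete(used, b.low[t.PubID])
			b.low[t.PubID]++
		}
		return true, c
	}
	return false, 0
}
```

Register a device's private number with the issuer, call `Pay` on the device and hand the token to `Verify`; a second `Verify` of the same token returns false. The window is what bounds the issuer's work per token: without it the bank would have to try every counter value the device could ever have reached.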
  • Personally I think the online world will be a much safer place once we have 'one-time' transaction numbers for specific amounts, much like American Express are apparently introducing.

    I agree. Furthermore, it should be used for all purchases. This would be a good application for smart cards and wallets. The merchant creates a clearsigned transaction record. The purchaser authorizes the card for the represented amount of the transaction. The card receives the transaction record (including merchant's deposit-only number and transaction amount) from the merchant, and if the amount is in agreement with the authorized amount, it adds a serial number and clearsigns the record (including the merchant signature). The merchant may at any time (including immediately) submit the signed transaction record to their merchant account. It is then returned to them with the transaction result (auth or deny) signed by the merchant bank.

    Nowhere in the process does any entity provide an abusable key or datum to any other party. The serial number prevents double processing the transaction. Each party can prove that the transaction took place independently of the other parties. Neither the merchant nor their bank needs to know the identity of the purchaser (only the id of the purchaser's bank). It is even possible for the merchant's identity to be a secret from the purchaser (limited utility but possible). If the smart card is activated by providing a passphrase, the cardholder need not fear theft or loss of the card. Since the cardholder authorizes the amount and provides a one transaction authorization to the card through his own wallet, there is no need to trust the merchant's hardware.

    Extensions of that protocol could create reusable transactions (authorizations) with limited abuse potential for periodic charges. The transaction would only allow credit into the merchant's account to remove incentive for dishonest employees. The period and amount of the charges would be specified to eliminate double charges. The cardholder could invalidate the authorization at any time and dispute the last charge if necessary. These transactions should also have expiration dates as an option.

    Such a system would greatly reduce fraud and fully de-sensitize credit card data.
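Added example, not code from the post: the signed-record exchange described above, in Go with Ed25519 (the poster names no signature scheme; any would do). The type names, the pseudonymous `CardID`, and a single `Bank` standing in for both the merchant's and the purchaser's bank are this example's assumptions. The merchant signs a record carrying only its deposit-only account and the amount; the card signs only if that amount equals what the holder authorized through their own wallet, appends a serial number, and signs over the merchant's signature as well; the bank verifies both signatures and refuses a serial it has already processed, which is the double-processing check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Record is the merchant's clear transaction record: a deposit-only account
// number and the amount. Every type and field name here is this example's.
type Record struct{ MerchantDeposit string; Amount uint64 } // Amount in cents
type MerchantSigned struct{ Record; MerchantSig []byte }    // record + merchant signature

// CardSigned is what the card hands back: the merchant-signed record, a
// pseudonymous card id (only the purchaser's bank can map it to a person),
// the serial the card assigned, and the card's signature over all of it.
type CardSigned struct{ MerchantSigned; CardID string; Serial uint64; CardSig []byte }

// canonical is the byte encoding both parties sign (JSON is deterministic here).
func canonical(v interface{}) []byte {
	b, _ := json.Marshal(v)
	return b
}
func cardBytes(ms MerchantSigned, cardID string, serial uint64) []byte {
	return canonical(struct{ MerchantSigned; CardID string; Serial uint64 }{ms, cardID, serial})
}

type Merchant struct{ deposit string; pub ed25519.PublicKey; priv ed25519.PrivateKey }

func NewMerchant(deposit string) *Merchant {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Merchant{deposit, pub, priv}
}

// Create builds and clearsigns the transaction record for one sale.
func (m *Merchant) Create(amount uint64) MerchantSigned {
	r := Record{m.deposit, amount}
	return MerchantSigned{r, ed25519.Sign(m.priv, canonical(r))}
}

// Card signs only an amount the holder authorized through their own wallet
// (Authorize), so the merchant's hardware never has to be trusted.
type Card struct {
	id string; pub ed25519.PublicKey; priv ed25519.PrivateKey
	authorized uint64; serial uint64 // authorized == 0: nothing authorized
}

func NewCard(id string) *Card {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Card{id: id, pub: pub, priv: priv}
}

func (c *Card) Authorize(amount uint64) { c.authorized = amount }

func (c *Card) Sign(ms MerchantSigned) (CardSigned, error) {
	if c.authorized == 0 || ms.Amount != c.authorized {
		return CardSigned{}, errors.New("amount does not match cardholder authorization")
	}
	c.authorized = 0 // one authorization, one transaction
	c.serial++
	cs := CardSigned{MerchantSigned: ms, CardID: c.id, Serial: c.serial}
	cs.CardSig = ed25519.Sign(c.priv, cardBytes(ms, c.id, c.serial))
	return cs, nil
}

// Bank stands in for merchant bank and purchaser's bank together: it holds
// both public keys, checks both signatures and refuses a serial seen before.
type Bank struct{ merchants, cards map[string]ed25519.PublicKey; seen map[string]bool }

func NewBank() *Bank {
	return &Bank{map[string]ed25519.PublicKey{}, map[string]ed25519.PublicKey{}, map[string]bool{}}
}
func (b *Bank) RegisterMerchant(m *Merchant) { b.merchants[m.deposit] = m.pub }
func (b *Bank) RegisterCard(c *Card)         { b.cards[c.id] = c.pub }

// Settle returns nil for "auth" and an error for "deny".
func (b *Bank) Settle(cs CardSigned) error {
	mpub, ok := b.merchants[cs.MerchantDeposit]
	if !ok || !ed25519.Verify(mpub, canonical(cs.Record), cs.MerchantSig) {
		return errors.New("deny: merchant signature invalid")
	}
	cpub, ok := b.cards[cs.CardID]
	if !ok || !ed25519.Verify(cpub, cardBytes(cs.MerchantSigned, cs.CardID, cs.Serial), cs.CardSig) {
		return errors.New("deny: card signature invalid")
	}
	key := fmt.Sprintf("%s/%d", cs.CardID, cs.Serial)
	if b.seen[key] {
		return errors.New("deny: serial already processed")
	}
	b.seen[key] = true
	return nil
}
```

Note what each party never learns: the merchant sees a card id and a serial, not a card number; the bank sees no passphrase or private key; and a merchant who alters the amount after the card signed breaks its own signature, so the bank denies it.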

  • As a result, they either hold the money back from the merchant's future payments or write it off. Joe Consumer (you and I) aren't liable for it, and generally aren't affected by it.

    When the money is held back, we aren't affected by it. The write offs show up in everybody's service charges and interest rates on their card. The money has to come from somewhere (and it's not going to be the bank's pocket, I assure you).

  • Hmmm.. now what prevents someone from using my now-encoded signature to "sign" something else that I didn't intend to sign?

    Very true. Of course, what stops someone from using Gimp to transfer your pen and paper signature to another document. By making a photocopy of that, they then have a photocopy of the document with 'your signature'.

    The fact is, signatures don't signify much unless they're cryptographic.

  • If the merchant can hold it together, they soon go out of business, via both bad press and lost profits on CC fraud.

    Typically, that's the case. And so the merchant raises prices a little and you and I still end up paying for it. It's also unfair to the merchant who had no way to know the card was stolen in many cases.

  • Apparently there is a technology that tracks more than just the shape and "look" of your signature. It watches how you press the pen into the surface and the actual movements of the pen as you write your signature. So merely copying the signature would not be of much value.

    I've seen that. Copying a signature could be of value because most signatures are not made with that technology; society at large (and even courts) make much of the physical resemblance of a signature. The full capture devices further invalidate signatures, because now even the more detailed forensic examination trying to determine pressure based on indentation in the paper and damage to its fibers will be in doubt.

  • So I'm confused. Which is more stupid?

    1) Buying something from an online merchant
    2) Buying something from a brick & mortar merchant who occasionally throws credit card records out in the trash
    3) Buying something from a brick & mortar merchant whose staff occasionally resells a credit card # that passed through their register.

    Obviously no matter what the hell you do, online or in store, you're taking a risk any time you use a credit card.

    #3 is pretty uncommon, though all it takes is someone with a good memory at the sales counter & the "right" kind of friends-of-friends. Hand over your card; ostensibly they stare at your signature, but instead have memorized the card number so conveniently printed on the back. Bigger retail chains keep a somewhat tight control on the cashier's box (or try to), so beware of mom 'n pops...

    The problem as I see it is that the penalties levied against the merchants by credit companies don't seem to be enough incentive for online merchants to butch up on their defenses. From the scope of Egghead's breach I would have expected the companies to sever relations with them, but hey, I never understood high finance anyway.

    However, in any case, the problem isn't yours - it's the credit card company's problem (technically the merchant & the issuing bank get to fight it out). Every credit card I have has a "if you didn't charge it you're not liable" policy (this is why AmEx no longer authorizes adult/erotic merchants - too many disputes at the end of the month).

    Though my ATM/debit (nee "Checkcard") card has a $50 liability per fraudulent charge, which is why I never use that - except at ATMs. An informal survey of my friends has shown that this is commonplace, so I'd be a little less ready to whip that card out if I were you.

    BTW, my sole credit fraud incident (so far) wasn't at an internet store - it was either #2 or #3 above (that card hadn't been used online, ever). I never found out, the credit card company just issued me a new card and dealt with the merchants. Was I liable? No. Did any of the charges even show up on my bill? No - the company contacted me monday morning after someone went on a massive weekend buying spree.
  • It is the merchant, not the bank nor any other CC company, that is liable for fraudulent purchases. This is where the money comes from. This is why it is so easy to challenge a charge on your credit card.

    If the merchant can hold it together, they soon go out of business, via both bad press and lost profits on CC fraud.

  • Actually, although security through obscurity is not a solution in and of itself, it is necessary. A properly designed security policy will not only protect against unauthorized traffic, it will have detection mechanisms in place to detect when crackers are "Rattling the Doorknob" (i.e. NIDS, portsentry, multi-level firewalls, etc...)

    By not publishing the security policy, you are forcing crackers to figure it out for themselves, which greatly increases the chance that they will trigger alarms set to catch them.
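As an added illustration of the doorknob-rattling detection the post relies on (example code, not from the post and not any product's implementation): a Go routine that flags every source address touching many distinct destination ports, run over constructed firewall log lines. The log format, the addresses and the timestamps are invented for the example; the threshold is a parameter, and the only claim is that a source which probes far more ports than any legitimate client would is worth an alert.

```go
package main

import (
	"sort"
	"strings"
)

// sampleLog holds constructed firewall lines (not from any real system); each
// carries a source address and the destination port that was tried.
var sampleLog = []string{
	"2001-02-04T12:00:01Z DENY src=203.0.113.9 dst=192.0.2.10 dport=21 proto=tcp",
	"2001-02-04T12:00:01Z DENY src=203.0.113.9 dst=192.0.2.10 dport=22 proto=tcp",
	"2001-02-04T12:00:02Z DENY src=203.0.113.9 dst=192.0.2.10 dport=23 proto=tcp",
	"2001-02-04T12:00:02Z DENY src=203.0.113.9 dst=192.0.2.10 dport=25 proto=tcp",
	"2001-02-04T12:00:03Z DENY src=203.0.113.9 dst=192.0.2.10 dport=80 proto=tcp",
	"2001-02-04T12:00:03Z DENY src=203.0.113.9 dst=192.0.2.10 dport=110 proto=tcp",
	"2001-02-04T12:00:04Z ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp",
	"2001-02-04T12:00:05Z ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp",
	"2001-02-04T12:00:06Z DENY src=198.51.100.7 dst=192.0.2.10 dport=8080 proto=tcp",
	"this line is malformed and must be skipped",
}

// field pulls the value of a "key=value" token out of a log line ("" if absent).
func field(line, key string) string {
	for _, tok := range strings.Fields(line) {
		if strings.HasPrefix(tok, key+"=") {
			return tok[len(key)+1:]
		}
	}
	return ""
}

// DoorknobRattlers returns, sorted, every source that touched at least
// threshold distinct destination ports: someone feeling for whatever happens
// to be open, which is what an unpublished policy forces an attacker to do.
func DoorknobRattlers(lines []string, threshold int) []string {
	ports := map[string]map[string]bool{} // src -> set of dports seen
	for _, l := range lines {
		src, dport := field(l, "src"), field(l, "dport")
		if src == "" || dport == "" {
			continue // not a connection record
		}
		if ports[src] == nil {
			ports[src] = map[string]bool{}
		}
		ports[src][dport] = true
	}
	var hits []string
	for src, p := range ports {
		if len(p) >= threshold {
			hits = append(hits, src)
		}
	}
	sort.Strings(hits)
	return hits
}
```

With the sample lines, `DoorknobRattlers(sampleLog, 5)` reports only 203.0.113.9; the client on 198.51.100.7 touched two ports and stays below the bar. In practice the count is kept per time window and the threshold tuned so that ordinary browsers and load balancers never trip it.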

  • And so the merchant raises prices a little and you and I still end up paying for it.

    Yes, but you also have the option of seeking out other merchants (for most products, that is).

    I have been doing systems security for over ten years, and it is my professional opinion that it is IMPOSSIBLE to completely secure a machine (short of unplugging it totally and encasing it in concrete). Anyone who tells you any differently is either a)completely clueless when it comes to system security, or b) trying to sell you something.

    The point is that compromises ARE going to happen. It is the job of the security engineer to make this more and more difficult. Constant vigilance is key here.

    As long as there are systems on the Internet, there will be crackers. As long as there are crackers, there will be security compromises. And as long as there are security compromises, the cost of this will be passed on to the consumer.

    This is simply an operational cost associated with online commerce. This is no different than the cost of shoplifting being passed on to the consumer in meatspace stores. It can be minimized greatly, but cannot be completely eliminated.

  • by trog ( 6564 ) on Sunday February 04, 2001 @12:23PM (#457915)
    I believe that the guys that work at the CC's probably have done quite a bit of work to make the unique transaction numbering issue a non-issue.

    Very, very wrong. I've developed secure transaction systems that were audited by Visa. They don't have a clue. They have no concept of asymmetric encryption (their specs only required things to be encrypted using 3DES, which is useless for storing credit cards). They had no concept of known-plaintext attacks on credit card numbers, and very little concept of systems security in general. They were more concerned with hiring policies than anything else.

    As to why a symmetric algorithm is useless in storing CC numbers, I will leave this as an exercise for the reader.

    It is actually the vendor, not the credit card company, who is responsible, because the vendor has to eat the cost in a fraudulent purchase (this is federal law in the US). The CC companies have no vested interest in e-commerce security, other than via a marketing angle.

  • Excellent, thank you. That's precisely what I was looking for when I posted my question. I hope the company you're working with uses its security policy disclosure as a major selling point, as I would love to see such things determine customer choice and eventually become mainstream.
  • by xneilj ( 15004 ) on Sunday February 04, 2001 @02:17AM (#457917)
    Without a good understanding of the security in place, the best you can do is presumably minimize the risk. Only shop with places where your credit card details are NOT stored on their systems, and if they give you the option, remove them.

    Personally I think the online world will be a much safer place once we have 'one-time' transaction numbers for specific amounts, much like American Express are apparently introducing. Instead of giving any old company your full and 'permanent' credit card details, you go to your bank and ask them to provide you with a unique number for that individual transaction for a particular amount. It's then impossible for the company to store your details, mischarge you or charge you again in the future. Of course, we'd have to be confident that the credit card companies' security is good, but I'd rather trust them than some merchant who's just about managed to get a Java e-commerce app running on his shared server.

  • As the other reply points out, credit card company agreements with the merchant prevent the merchant from coming after you for payment. If that did happen, a complaint to the card company should settle it.

    Of course, you can't use this as a way to cheat merchants - you might get away with it once or twice, but if it became clear that that's what you were doing, your card could be cancelled and your credit rating would suffer.

  • as long as Best Buy can prove they compared the signature on the card with the one the customer signed, they're off the hook too.

    That's true. Of course, sale clerks at most stores don't often actually check the signature carefully, and if the store is found negligent, the card company can refuse to pay. Even so, banks absorb the costs far more often in these cases, so I'm sure you're right that they have an incentive to promote e-commerce (although the same applied to good old pre-Internet mail order.)

    But in fact, it seems to me that in almost all cases, much fraud could be prevented by merchants. Simply checking all signatures, or only shipping to addresses registered with the credit card company, would eliminate a lot of fraud that currently happens. It comes down to the fact that merchants don't want to appear not to trust their customers - it's not good for business.

    Anti-fraud measures like computerized detection of unusual buying patterns have helped a lot, though. Last time I saw a figure, approximately 0.08% of the dollar value of all card charges were fraudulent. This used to be closer to 0.2%.

  • by alienmole ( 15522 ) on Sunday February 04, 2001 @10:33AM (#457920)
    With all "real" credit cards - as opposed to funky credit-card-like things, such as debit cards - the risk related to theft falls entirely on the merchant. Typical card agreements limit the cardholder's liability in case of card theft to a maximum of $50, and in practice I've never heard of anyone even being asked to pay that.

    If I steal Shoeboy's credit card number (assuming she actually had one) by hacking into shoeboy.com [dnsalias.com] (assuming there was actually something there to hack into), and use it to purchase an imperial ton of grits (the hot kind, naturally), it is the merchant who sold me the grits that will be out of pocket when the theft is discovered. The credit card company checks with the cardholder, and if the cardholder denies having purchased the items in question, the grits merchant doesn't get paid. Shoeboy wouldn't lose a dime.

    This puts the onus on the merchant to verify that they are dealing with a legitimate customer, which is why many online companies won't ship to addresses not registered with the card company, especially when dealing with a first-time customer.

    So, Shoeboy's statement, "Anyone who buys anything online is a fucking moron", might be applied to merchants who sell things online - or more to the point, their investors! - but not to cardholders. Someone buying something online with a credit card is actually being pretty smart. The only downside when your card or card number is stolen tends to be minor inconvenience.

    In addition, if you're not happy with a product, and the merchant doesn't want to give you your money back, within reason, card companies will refund your money and stiff the merchant. I've had that happen when purchasing telephony hardware from a company that went out of business right after shipping my product - the company couldn't be reached for support, so I called Amex and they credited me the money.

    Now, with Shoeboy, you can never really tell whether she's trolling or not, so maybe she already knows all this. But I post this purely out of the altruistic knowledge that I am contributing to the free and pure flow of e-commerce. Bezos would thank me, if his company weren't tanking...

  • by Shoeboy ( 16224 ) on Sunday February 04, 2001 @02:54AM (#457921) Homepage
    So you want something like this:
    At shoeboy.com [dnsalias.com], we take the elementary precaution of changing the default password on our database servers! Your data is completely safe!
    Not going to happen. Companies can tell you that they "employ a security team" or that they "have been audited by a third party" or that the software they run has had "no remote exploits in 3 years."
    It means nothing. How can a company prove that it didn't misconfigure anything?
    How can they be sure that their in house developed project has any security at all?
    How can they verify that the well camouflaged back door the sysadmin put in to make his job easier won't get found? How do they even know it's there?
    How do you get the CTO and Director of IT (both of whom threatened to fire you if you didn't give them domain admin permissions) to lock their workstations?
    Sure auditing is an answer, but what happens when the auditing team leaves? Security goes to pot again, that's what happens.
    There's always in house auditing, but do you trust a team that reports directly to the half witted manager who designed the network? You shouldn't.
    If nothing else, how do you know that the system is as secure as the company says it is? You don't.

    The final answer is that there is no good way to trust an online merchant if you can't inspect their setup yourself.

    And since you can't do that, you can't trust them at all.

    Anyone who buys anything online is a fucking moron. If your credit card gets stolen, tough - you deserved what you got.

    --Shoeboy
  • Exactly,

    I run the systems for one of the largest e-commerce sites on the net. We have extreme precautions when it comes to credit card info. We do not however publish the details about that security because it's like giving a map to the loot to a thief. All our credit card info is passed to the authentication service via SSL and then stored in a double firewalled machine with console only access for a period before they are totally expunged. Similar precautions are used for the customer e-mail base and other such goodies. Our hosting facility requires retina scans and palm scans in order to enter the site and an escort to our cage, where we store our cluster. We designed the systems to be ultra secure from day one. Customer security is priority one. In short, we didn't use Microsoft products, and companies like Egghead that trust their solutions to people like Microsoft are basically doomed from day one. Large companies that f*ck up like that give companies like ours a bad name.
  • You shouldn't *need* to evaluate their security... the law should take care of that (but it doesn't).

    Do you evaluate the security of your bank? Of everyone you ever do business with? Then why should you evaluate them for computer security?
    And to top it off.. why does everyone still get so worked up about credit card fraud? I read my contract over and over again, and it says I am *NOT* responsible at *ALL* for fraudulent use of my card. I am responsible for up to $50 if my *CARD* is physically stolen, and the charges happen before I report it.

    Let them steal my # out of some database.. it's not MY money they are spending.
  • Most credit cards work that way. I know my Visa always did.. and every other contract I've looked at for credit cards.

    The only time you are liable for anything, in any case I've ever seen, is if your card is physically stolen, you can be held liable for up to $50.
    The other way you can be responsible is if they can prove gross negligence, ie: lending your visa to your neighborhood crackhead because he 'promised' to only go get your groceries for you.

    The card is only a token used to authenticate your credit line with the credit company; it is not the credit itself. It's the mechanism the credit company chooses to employ to ensure that they are extending credit to you and not someone else. If that system breaks down, and it's not your fault, they CANNOT hold you responsible. The onus will be on whatever merchant is involved to prove that it was, in fact, you that used the card. A signature, delivery to your house, perhaps phone logs... but that's it. They can't prove it, it's not your problem.

  • In most cases (I know in mine), that $50 liability only applies if your card is actually stolen (not just the number), and if it happens before you inform them that your card is missing.

    It does not generally apply to simply fraudulent transactions where all they had was your number.
  • I mean, if the CARD wasn't stolen, but just the number was.. how is that the card being stolen? I don't know about any other contract, but when I see 'card' I think 'the physical card'.
  • Right, but that's up to Visa. It's not my fault they don't have a better way to authenticate my transactions. If they need to cancel it, and reissue, let them; it's their expense.

    I know we tend to live off credit, but let's not forget that using a Visa is a SERVICE they are selling to you; you are their customer. If they make it inconvenient for you to use, then you won't use it.

  • No.. I understand the term you used perfectly.
    What I mean is, my credit card contract says that I am liable if my *card* is stolen. What you describe is not your card being stolen, just the info from your card.

    What I'm saying is, it's a failure in their system, not your own failure.

    We shouldn't forget that credit card companies are a business, and we are their customers. It shouldn't be up to us to police their merchants and make sure our info isn't stolen (Remember, the card belongs to THEM, not us... they should protect that information).

  • How do they do it? Simple.

    They don't pay their merchants.

    Remember, you are the customer. Remember, on your card, the card is THEIR property, not yours. The card is their way of authenticating you for purchases, so they can extend credit to you.

    If the merchant doesn't have your signature, or other way to prove the transaction actually involved you personally (delivery to your house, etc), then the credit company doesn't pay the merchant.

    It's GOOD that it's $0 liability.. it should be! They agreed to extend me, personally, some credit. It's not my fault whatsoever if they have difficulties determining if it's 'me' or not buying something.. that's solely a problem in their business model, and we shouldn't be made to absorb the cost.

    This is why I'm puzzled at people who get really worked up about online card theft. It's inconvenient, but it's not like someone draining your bank account. Sure, you might have to cancel your card, and that is a pain in the ass.. but other than that.. it wasn't your card that was stolen, it was the issuer's card, and the issuer's problem to deal with.

  • But this isn't necessary. Card issuers are under no obligation to pay merchants for fraudulent transactions. Check out a merchant contract sometime. IF you are a merchant, and you take stolen credit-card information, you don't get paid.
  • by mindstrm ( 20013 ) on Sunday February 04, 2001 @05:17AM (#457931)
    would be to have some sort of cost associated with loss of protected consumer data, period. Open the doors for easy class-action lawsuits; this would cause companies to acquire insurance, and those insurance companies will want to KNOW what is being done to protect that data.

    Credit card companies don't 'jump all over it' because if someone fraudulently uses a card to buy a stereo, the credit card company DOESN'T HAVE TO PAY THE MERCHANT unless the merchant can prove they did everything by the book, including checking for signatures and obtaining an imprint, or some other form of authentication. If they just took the number and it turns out to be false, they don't get paid.

  • Depends. If it's something like the credit card fraud protection, there are all sorts of penalties and nasty consequences if the credit card company tries any games, so you are likely to get reimbursed quickly.

    On the other hand, if it's a case of your tires blowing up, then it will be a long fight - but generally the lawyers figure it's worth the mega-fees and will take it on.

    Where you lose is the middle ground. If your case is too small to interest a land-shark, er lawyer and big enough to annoy the company, well, you are going to have a tough time.
  • But I think that addition to any long-term email database wherein express Typed or electronically "signed" admittance has been attained should be illegal. It amounts to harassment, really. But that's just my opinion. I could be wrong.

    JoeLinux
  • ...and get a credit card that has no consumer liability for fraudulent purchases and use THAT card for any transaction where you don't have complete faith in the organisation that you're dealing with.

    Gratuitous plug: MBNA's card works like this, at least in the UK.

  • Most credit cards work that way. I know my Visa always did.. and every other contract I've looked at for credit cards.

    The only time you are liable for anything, in any case I've ever seen, is if your card is physically stolen; then you can be held liable for up to $50.

    That's what I was getting at; my card has a $0 liability limit, regardless of cause. Dunno how they can do that, but that's not my problem. :)

  • I wasn't aware of the US situation until this post. In the UK, most cards require that the holder pay the first £50 or £100 of any loss. That's why I pointed out MBNA's arrangement as being unusual. Guess it isn't so unusual over the pond... :)
  • How are those of us who do understand computer security and could evaluate the security of an e-commerce site supposed to determine the security of the sites we purchase products from?

    Just follow these three easy steps - this works for all present and future e-commerce sites:

    1. Become a kickass hacker. If you are one of "us who do understand computer security" this should be a piece of cake.
    2. Try to hack into the vendor's servers. Make sure you don't get caught by law enforcement agencies.
    3. If you succeed in the hack, don't buy from that vendor, find another and repeat from step 1. Else, go ahead and buy.

    Simple and idiotproof, plus you're doing the .com's a favor by pointing out their lackluster security.

    -henrik

  • This may be nit picking but technically Egghead was bought out by Onsale. Onsale then changed their name to Egghead.

    Terry
  • I now have a credit card, and have thought about using it over the internet a couple of times, but then decided against this (and no, it wasn't because I had maxxed(?) it out, but that won't take too long).

    My primary concern is with whether the link is secure (I have seen one site where they didn't have any security and wanted people to put in their credit card details). It is more to do with what happens once they have my credit card number. Who exactly am I dealing with here? Anyone with a little bit of money can get their own domain, can get a security certificate from Thwaites or someone similar, and can set up a secure server (and DNS and email servers for that matter) fairly cheaply. One Australian magazine even included on their cover CD ezimerchant for setting this up (http://www.pcauthority.com.au/cd.asp?TOCID=256). It isn't all that difficult for them to set up a nice looking professional site either. So how do I know they are ridgy didge? How do I know that they are not a dog[1]? Put simply, I don't. This is one thing that has kept me away from e-commerce (apart from all of the other security concerns), even though I have been on the web for 5 years.

    [1] For those of you who haven't been around that long, there was a saying that basically said that you never knew who you were talking to on the internet, it could even be a dog.

  • There is an important distinction that is alluded to here, and one that I haven't seen talked about much. alienmole says that if someone takes my credit card number and buys a bunch of stuff on the Internet with it, it's the merchant who sold them that stuff that loses. That merchant is out the cost of the goods. Exactly. However, this is only true for merchants that don't have a physical storefront: mailorder places, and -- of course -- Internet shops. For a place such as, say, Best Buy at the mall, as long as Best Buy can prove they compared the signature on the card with the one the customer signed, they're off the hook too. I believe (correct me if I'm wrong) that the credit card company is then responsible for this fraud.

    So, with credit card companies getting off the hook for Internet purchase fraud, is it any wonder that they're some of the biggest proponents of e-commerce? I've heard that the big Internet merchants take hundreds of losses of sub-hundreds of dollars every day; money they'll never recover, because it costs too much to track down. Commerce on the Internet isn't safe at all, at least for the merchant. As a consumer though, I'll take my chances.

  • Just use a credit card that you have specifically for online transactions.

    By U.S. law you're only liable for $50, and most companies won't charge you anything if your account is jacked (if you're a good account for them).

    I pay all of my bills on time, don't carry a balance, and don't sweat it.

    What's the big deal?

    If you're concerned about your personal information getting out, get a credit card that contains bogus information, including name. I have one in my dog's name. It's perfectly legal.
  • Well, VeriSign does put its brand on websites. Its brand is in the shape of a seal. Does that mean it's secure? I don't know.
  • Honestly, this is the best answer I have read so far. It is exceedingly pragmatic. Kudos to you, pngwnpwr.
  • For example, merchants cannot favor the use of one card over the other ("We'll take Amex, but we prefer Visa.").
    Is that so? I guess someone forgot to tell buy.com [buy.com] that.
  • How are small businesses going to afford the cost of such an audit? If this third agent has "small" audits that aren't very expensive then I fear corners will be cut and we won't actually know much more than we already do...
  • I work in finance-- auditors come in once a year, they go through all your books, take on some liability since they will be signing off on the audit and do an excellent job of making sure everything is in order. Sometimes, they do a systems audit and make sure your accounting system is reasonably secure.

    This could probably be easily expanded to the IT site. Most of the large accounting firms also have IT consulting counterparts. I'm surprised we don't have some kind of e-commerce security certification like Trust-e is for privacy.

    I don't believe that any company willfully leaves their systems insecure. If they knew better, they would fix things. Perhaps a standardized security audit is inevitable. I can see banks getting in a line to have their systems audited since they have the most to lose.

    Adi.
  • The slashdot-asker details a situation in which he purchased an item from a vendor, being satisfied with said vendor's security. He apparently "knows about" computer security, whatever that is.

    Following his purchase, Egghead buys the company. Now that company is absorbed into Egghead. Virtually nothing the company did before being purchased matters now, because now he is dealing (after a fashion) with a different entity, the security of which he never thought to judge.

    That being said, he wonders how to determine the security/privacy of a site, but, ya see, in the case he details, it didn't matter, because the business transaction of the company purchase completely obviates any 'security checks' he could have done.

    What's he looking for? A company that tells potential purchasers what they intend to do in the event of being purchased themselves?

  • by wowbagger ( 69688 ) on Sunday February 04, 2001 @05:33AM (#457948) Homepage Journal
    When you get ripped off, and you have your credit card company remove the charges, who do you think eats the cost?

    THE COMPANY WHO CHARGED YOU

    You may eat the $50 (although any good credit card company won't even charge you that if you notify them quickly), but Egghead will eat the rest.

    That's part of the problem: a credit card crook will steal from several companies, none of which were hit for more than a few hundred dollars. If the crook is in another country, it isn't worth the companies' time to go after him. They just eat the loss and write it off.

    Now, if the CREDIT CARD COMPANIES were responsible and had to eat the charges, now our crook has pissed off ONE company, for THOUSANDS of $monetary_units, and it's well worth the credit card company's while to go after him. And for those crooks in semi-lawless places (like the former Soviet Union), it may be worth their while to sub-contract the collection of the money to, shall we say, local collection specialists.

    True, were the credit card companies responsible, they would also charge the costs back to us in higher interest rates.

    Guess what! They do that anyway!

    (that's also why I don't carry a balance from month to month on my cards. Pay them off in full every month, manage your money, and you don't pay interest. And good cards don't charge yearly fees.)
  • > Thing is, what's to stop someone trying random numbers until they manage to get money off someone at random?

    Make the numbers so large that the probability of hitting a valid one by chance is infinitesimally small. After all, that's how cryptography works: somebody could also try random keys, in the hopes that one of them cracks the message... And moreover, as the numbers would only be good for one transaction, for a preset amount, the damage would be rather limited, even if somebody did somehow manage to guess a valid number. All they could do is steal the money set aside for one transaction, and not empty your whole account.

  • While I can't really help answer your question because I don't ever buy anything online simply because I don't have a credit card (not entirely true because I've used sites where they bill me by other means, but still not very often).

    But anyway, more to the point is that it's in these sites' best interest to openly publish their security model on their website. Customers like to know their data is safe. If you don't tell them that their details are going into a backup database beyond many layers of security, they might as well presume that their details are being published elsewhere on their website where the world can view it.

    AussiePenguin
    Melbourne, Australia
    ICQ 19255837

  • Write a browser plugin that scans any website you go to and provides the results in a little status icon in the status bar of the browser. That's what I did.
  • Don't do business with any merchant that databases your CC. The only way to know this is to ask, and get an affirmative answer, manager's name, date, and time. Then you still can't be sure. The hassle factor of cancelling and replacing CCs can be huge. The individual liability is not too great. But any clueless online merchant that databases customers' CCs does not deserve to exist.
  • Instead of giving any old company your full and 'permanent' credit card details, you go to your bank and ask them to provide you with a unique number for that individual transaction for a particular amount.

    I like this idea; encoding a specific amount, though, would be a bit awkward. I don't want to have to go to my bank every time I want to buy a book online!

    However, a "check-book" of these numbers would be quite usable. Maybe have a couple of categories - under $10, $10-$50, etc. That way, I can buy a $5 book from anyone I like, knowing the worst case is they charge me $10 instead. Not good, but a hell of a lot better than giving them my Visa card details!

    Alternatively, you could get these numbers online: just go to www.visa.com, enter your details, and it gives you a one-time number for $4.99 or whatever. Properly implemented, this could work pretty well...
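    The single-use numbers discussed in this post and in the "make the numbers so large" reply above can be sketched in a few lines. This is an added example, not code from any bank or from a poster in this thread; the `Issuer` class, the 128-bit token size and the "cap" semantics (a number is good for one charge of at most the amount it was issued for, which is the "check-book of numbers under $10, $10-$50" idea) are all assumptions made for the illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_BYTES = 16  # 128 random bits per single-use number (assumption, not from the thread)


@dataclass
class OneTimeNumber:
    cap_cents: int       # the most a merchant may charge against this number
    expires_at: float    # Unix time after which the number is dead even if unused
    used: bool = False


class Issuer:
    """Hypothetical bank-side service that hands out single-use payment numbers."""

    def __init__(self) -> None:
        self._numbers: Dict[str, OneTimeNumber] = {}

    def issue(self, cap_cents: int, ttl_seconds: int = 600,
              now: Optional[float] = None) -> str:
        """Mint a fresh number good for one charge of at most cap_cents."""
        now = time.time() if now is None else now
        token = secrets.token_hex(TOKEN_BYTES)      # CSPRNG output, not guessable
        self._numbers[token] = OneTimeNumber(cap_cents, now + ttl_seconds)
        return token

    def redeem(self, token: str, amount_cents: int,
               now: Optional[float] = None) -> bool:
        """Merchant presents number + amount; succeeds at most once, within cap and TTL."""
        now = time.time() if now is None else now
        rec = self._numbers.get(token)
        if rec is None or rec.used or now > rec.expires_at:
            return False
        if amount_cents <= 0 or amount_cents > rec.cap_cents:
            return False                              # over-cap attempt does not burn it
        rec.used = True                               # burn it: a replay fails from here on
        return True


def guess_success_bound(outstanding: int, attempts: int,
                        bits: int = TOKEN_BYTES * 8) -> float:
    """Upper bound on P(at least one random guess hits a live, unused number)."""
    return attempts * outstanding / 2 ** bits


if __name__ == "__main__":
    bank = Issuer()
    number = bank.issue(cap_cents=1000)               # a "$10 check" from the check-book
    print(bank.redeem(number, 499))                   # True: first use, under the cap
    print(bank.redeem(number, 499))                   # False: already burned
    print(guess_success_bound(outstanding=10**6, attempts=10**9))
```

    The guess bound is the point of the "large numbers" reply: with a million live numbers outstanding and a billion online guesses, the attacker's chance is still below 1e-20, and each hit is worth at most one capped charge. The merchant never sees a reusable credential, which is also why a compromise of the merchant's database would yield nothing chargeable.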

  • ...get a credit card that has no consumer liability for fraudulent purchases...

    Gratuitous plug: MBNA's card works like this, at least in the UK.

    In the UK, all credit cards work like that. Fraudulent use isn't your problem, unless you've been 'negligent' (which is basically a getout to stop you selling your card to a crook, then claiming the money back from the CC company.)

    That's probably why UK CC companies are (IME) very good at stopping fraudulent use. Last month, my father moved to Houston, and bought lots of stuff (new TV, microwave, all that stuff) from a store. To check who he was, Visa US called his UK bank, and the operator spent 10 minutes asking questions like "Complete the following 'phone number" (which turned out to be his direct dial number at the job he left six years ago!)

    Probably sounds silly - except under UK law, if he had been an imposter, Visa would have been left $1000 or so out of pocket. They tend to care about that kind of thing!

  • Openly published security precautions? OK, publish this:
    1. don't store credit card info (destroy it after transaction clears)
    2. don't store it
    3. don't store it
    4. don't store it
    5. don't store it
    You know, you'd think that this would be common sense. After all, the best way to protect your customers is not to keep any important data on network attached machines. I personally try to deal with online retailers who make it their policy to only store your credit card number if you explicitly ask them to. But unfortunately, many other retailers (Amazon.com comes to mind) require a credit card number as part of the account creation process, and once they have your CC number, they don't make it easy for you to get them to forget it (short of hoping their engine accepts the dummy/test VISA/MasterCard number 4111 1111 1111).

    I know all this information they give about secure databases and SSL encrypted transactions is supposed to make the user feel more secure, but asking for a credit card number before even placing the order shouldn't make anyone feel comfortable. Nor should the pushiness of Amazon's current business practices make anyone want to deal with them ("Oh, signing up for an account, well, we'll just turn on add the advertising, and allow us to share information with anyone we choose, and did we mention one-click(TM) purchasing is on by default?").

    There are a number of companies out there that have this right, such as ebworld.com, and chapters.ca. They ask for credit card information during each and every transaction. Unfortunately, it's not just the online world that's a little too lax with credit card precautions -- nearly any of the major gasoline stations in my area will print your full credit card number on any and all receipts, etc. If you think about how easy it is to locate a credit card number in a normal person's trash, suddenly the danger of online transactions seems trivial.

  • You cannot be sure of any online security. BBBBZZZZZTTTTTTT. The warm fuzzies ain't there. I'd rather go into a Radio Shack and give the 17-yr old geek my CC number - and look him in the eye - than put my Amex # on the big I.

    I would rather take whatever risk there is in using my credit card online, rather than go into a store and be made to feel like the cashier is doing me a favor by taking my money.

  • Question:How are those of us who do understand computer security and could evaluate the security of an e-commerce site supposed to determine the security of the sites we purchase products from?
    Answer: Easy, hack them before you purchase. Duh?
  • Ok, I'm about to set up my first site that actually makes use of online transactions. It seems to me that as long as three things are done correctly, the majority of security risks have been eliminated. 1) Only take credit information over an encrypted connection. 2) Make sure that you have a secure link to your credit card processor (this would be a given, right?) and 3) Don't keep the customer's credit information at all. These seem to me to be reasonably adequate security. Aren't the two major ways of stealing credit card information by packet sniffing and looking for it and by breaking into/stealing databases where the numbers are stored? I'm not saying that these are the only ways, but the two major ones. If I'm wrong, please correct me. I was going to say that if you're going to store credit cards you should at least encrypt them, but I guess this is always crack-able. Any thoughts? Doug
  • from the knowing-how-secure-your-merchant's-data-is-too-long-to-fit dept.

    --
  • I see three problems here.

    One, it's a pain in the ass to go to the bank every time you want a fresh number.

    Two, there are only so many numbers available in the 16-digit LUHN-verified [techtarget.com] pool currently in existence. There are even further restrictions:

    • Based on the first digit:
      • 2=Vendor
      • 3=Amex [Discover too?]
      • 4=Visa
      • 5=MC
      • 6=Store/Other [Discover too?]
    • Based on the first 4 or 6 digits, ie:
      • 4510=Royal Bank [royalbank.ca] Visa
      • 4512=Royal Bank Gold/Platinum Visa
      • 4512 12xx=Royal Bank Gold/Platinum Visa from Central Card Center area
      • etc...
    • 4480=Security First Network Bank [sfnb.com]
    I would imagine some software uses what's above in its assumptions, thus changing these to make more free numbers may break such software currently in use in terminals and whatnot. Visa-affiliated banks recently changed from the standard 13-digit numbers to 16-digit numbers because the 13-digit pool was exhausted.

    Three, it's more trouble than it's worth, considering you are only legally responsible for the first $50 of unauthorized charges to your card, and most banks won't even hold you to that. I've had merchants double-bill me (and once some totally unauthorized charge from Denmark showed up), and Royal Bank instantly credited my account for the full amount and mailed me a form to sign and return stating that the charge in question was unauthorized. In every instance, the whole process took less than 5 minutes of my time and was totally painless.

    Essentially, the banks themselves are the only ones left holding the bag when fraudulent use occurs. As a result, they either hold the money back from the merchant's future payments or write it off. Joe Consumer (you and I) aren't liable for it, and generally aren't affected by it. Worst case, if the abuse on your particular card keeps up, they might cancel your card and send you a new one with a different number. Big deal.

    --
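    The LUHN check and the issuer-prefix table in the post above are easy to demonstrate. This is an added example, not code from the post's author or from any card network: the prefix table is copied from the post as written (it is illustrative, not an authoritative BIN list), and `pool_size` just counts how many account numbers survive once a bank's prefix and the Luhn check digit are fixed, which is the "only so many numbers in the pool" argument made in the post.

```python
import re

# Industry identifier (first digit) exactly as listed in the post above; illustrative only
FIRST_DIGIT_ISSUER = {"2": "Vendor", "3": "Amex", "4": "Visa", "5": "MC", "6": "Store/Other"}


def _digits(number: str) -> str:
    """Strip the spaces and hyphens people type between groups."""
    return re.sub(r"[ -]", "", number)


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check: catches typos and transpositions, proves nothing about ownership."""
    s = _digits(number)
    if len(s) < 2 or not s.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:                # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass luhn_valid()."""
    s = _digits(payload)
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 0:                # positions shift by one once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def issuer_of(number: str) -> str:
    """Look up the first digit in the post's table."""
    return FIRST_DIGIT_ISSUER.get(_digits(number)[:1], "unknown")


def pool_size(bin_prefix: str, length: int = 16) -> int:
    """How many Luhn-valid account numbers exist under one bank prefix of the given length."""
    free = length - len(_digits(bin_prefix)) - 1   # the last digit is forced by Luhn
    return 10 ** free if free >= 0 else 0


if __name__ == "__main__":
    # 4111 1111 1111 1111 is the widely used Visa test number (not a real account)
    print(luhn_valid("4111 1111 1111 1111"), issuer_of("4111 1111 1111 1111"))
    print(luhn_check_digit("451212345678901"))
    print(pool_size("4512", 16), "numbers under the 4512 prefix")
```

    The design point for a merchant is the docstring on `luhn_valid`: one in ten random digit strings passes Luhn, so it is an input-validation aid, not a fraud control. `pool_size("4512", 16)` gives 10^11, and a six-digit prefix leaves 10^9, which is why the post notes that 13-digit Visa numbers ran out.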

  • I'm not worried about fraudsters, it's the merchant themselves that are really dangerous.

    Merchants are held to a very strict contract with the credit card company called the Merchant Agreement. It states exactly what can and can't be done. For example, merchants cannot favor the use of one card over the other ("We'll take Amex, but we prefer Visa."). They also can't apply a surcharge when you pay by credit card. (Merchants have gotten around this by calling things "already cash discounted; add 2% for credit card payment".)

    "Mr. DiCarlo, you did not just buy a loaf of bread, you entered a contract in which we will supply you daily with three loaves of bread for a minimum contract length of 2 years and in which the initial discount of 80% expires after the 3rd delivery."

    Show me my non-forged signature on something that says that and you can have my money because I was a dipshit for not reading the fine print. A bank will also expect a copy of that.

    It all comes down to precisely two items: the signature and the card imprint. If you, as a merchant, don't have the person's signature on a slip clearly outlining what they're authorizing by signing it, or alternately a credit card imprint to prove the card was physically there, then you have no basis to defend against a chargeback, period.

    You will then say that the credit card company will intervene? Yes, they will negotiate with this particular vendor, especially if he's big enough, and in exchange for a higher commission rate on the transaction, they will prevent their customers from successfully initiating charge-backs.

    There are laws protecting consumers that prevent this. Notwithstanding that, if your bank will stab you in the back over a transaction, you can take your interest payments (and merchants' discount fees on every transaction you do) elsewhere. My bank [royalbank.ca] doesn't do that kind of shit. (I know from experience, as stated in my post.) Also, they'd make more money off you legitimately than by screwing you over once (because that's all it'll take to lose your business forever).

    --
  • I'm so tired of hearing this. If you live in the US anyway, there are FTC rules in place to protect consumers from credit card fraud. They've been in existence for ages. They work online just as well as they do offline. You cannot be held liable for more than fifty freaking dollars. If that amount of money frightens you, please cut up your credit card now - You shouldn't be using one.

    If you use credit cards at all, you're obviously not very concerned with security (Or privacy, but that's an entirely different issue). They are inherently insecure. You're about as likely to have someone take your wallet from your pocket as you're walking down the street, as you are having your credit card stolen on the Internet.

    Until we all have finger-print readers built into credit card readers, you'll never be safe. The more I think about this question, the more the utter absurdity bothers me. If you're seriously frightened enough to post an Ask Slashdot question about this, JUST DON'T USE A CREDIT CARD, YOU ARE FAR TOO SKITTISH. My guess is you just wanted to AskSlashdotSomething, and this was all you could come up with.
    signature smigmature
  • On a related note, does anyone besides me see a problem with the electronic "sign here" pads that Federal Express and whatnot carry about?

    "To receive your package, you must sign your name on this electronic pad."

    Hmmm.. now what prevents someone from using my now-encoded signature to "sign" something else that I didn't intend to sign?

    For that matter, what would happen if I just say "Yes, name is Joe Blow and this is my package, but I won't sign that electronic gizmo. Give me a paper waybill and I'll sign that."
  • Very true. Of course, what stops someone from using Gimp to transfer your pen and paper signature to another document. By making a photocopy of that, they then have a photocopy of the document with 'your signature' -----> Apparently there is a technology that tracks more than just the shape and "look" of your signature. It watches how you press the pen into the surface and the actual movements of the pen as you write your signature. So merely copying the signature would not be of much value.
  • Alright, I'm near first! You cannot be sure of any online security. BBBBZZZZZTTTTTTT. The warm fuzzies ain't there.

    I'd rather go into a Radio Shack and give the 17-yr old geek my CC number - and look him in the eye - than put my Amex # on the big I.

  • He said, and I quote...
    "How are those of us who do understand computer security and could evaluate the security of an e-commerce site supposed to determine the security of the sites we purchase products from?"
    Exsqueeze me? He didn't say anything about online security? He hasn't asked a good question is what my original post was about but what you say I didn't ask about was what he was talking about in the first place unless ...

    Now, listen to me, Norman.

    I am lying.
  • Yes, it's called "indemnity" and any business to business sale has a contract with at least 5 pages devoted to it. Why shouldn't the customers be aware of it?
  • I couldn't agree more. Which was the point I originally tried to make.

    The gubmint wants to enact 3 thousand anti-law bills a year in the US. WTF? Why doesn't the Congress just mandate IPV6? Within 5 years that's all the router mfgrs are allowed to sell. Period.

    End of story.
  • why am i awake at 6am?
  • I think this is the best alternative. Put the responsibility for security in the hands of the CC's. It's easier for each of the Card Companies to have a team of security gurus, than for every business to have even one of their own. I believe that the guys that work at the CC's probably have done quite a bit of work to make the unique transaction numbering issue a non-issue. It is in their business interest to engineer secure systems, much more so than the individual business owner.

  • by CritterNYC ( 190163 ) on Sunday February 04, 2001 @08:23AM (#457971) Homepage
    The e-commerce site I am currently working on (in testing with the client now) has a Security Policy page, similar to a Privacy Policy page. It mentions the basic stuff, 128-bit SSL Encryption, Thawte Digital Certificate... plus it also mentions a couple more advanced things... separate secured relational database and, most importantly, removal of credit card data from online systems.

    Basically, we are a smaller site who is hosting in a shared environment (as are virtually all smaller e-commerce sites). We added some extra precautions that the big guys should do, too. For instance, once the credit card is processed, it is removed from our online systems. We move it to another system for record-keeping purposes, but the online system's database is altered to show just the last 4 digits (XXXX-XXXX-XXXX-1234) of the credit card, mainly so a customer can tell which credit card was used when later looking at the order online. Sure, this is more of a hassle for us, but it makes things a heck of a lot better for our customers. And we wouldn't even think about storing the numbers in our system for "convenience" of customers when placing a new order. That's just asking for trouble.

    Also, someone noted that even if you check a company out, you can't be sure what will happen when that company is bought or merges. Well, we actually make a statement about that. For security, it doesn't really matter, since cc numbers are removed from our online systems. For privacy, we state that if we merge, etc, we will ensure that your data has the same protections we offer (no unwanted contact, no spam, no renting, no selling, no changes to our policy without notifying you).

    I wish all sites I dealt with offered these same protections.
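    The "last 4 digits only" record described in this post, together with the "don't store it" list and Doug's third point (don't keep the customer's credit information at all) earlier in the thread, is the kind of thing a security policy page can actually be checked against. Below is an added example of the two defender-side pieces: building the order record so the full number never reaches the online database, and redacting anything card-shaped from log lines or dumps before it is written. It is not the poster's code; the `XXXX-XXXX-XXXX-1234` display format is taken from the post, while the regular expression, the record layout and the sample log line are constructed for the illustration (the 4111 1111 1111 1111 and 3782 822463 10005 numbers are standard test numbers, not real accounts).

```python
import re
from typing import Dict

# Anything that looks like 13-19 digits, optionally separated by single spaces or hyphens
# (assumption about how a card number appears in free text; tune to your own data)
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log line: what a careless checkout handler might write
LOG_LINE = 'checkout order=A1001 card="4111 1111 1111 1111" amount=4999 ip=192.0.2.10'


def _digits(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, e.g. 'XXXX-XXXX-XXXX-1234' for a 16-digit number."""
    d = _digits(pan)
    if not (13 <= len(d) <= 19 and d.isdigit()):
        raise ValueError("not a card-number-shaped string")
    head = "X" * (len(d) - 4)
    groups = [head[i:i + 4] for i in range(0, len(head), 4)]
    return "-".join(groups + [d[-4:]])


def checkout_record(order_id: str, pan: str, amount_cents: int) -> Dict[str, object]:
    """The row the online order database keeps once the processor has been called.

    The full number is used only transiently for that call and is never part of
    the returned record, so a dump of this table yields nothing chargeable.
    """
    return {
        "order_id": order_id,
        "amount_cents": amount_cents,
        "card_display": mask_pan(pan),   # enough for "which card did I use?"
    }


def redact_pans(text: str) -> str:
    """Replace anything card-shaped in a log line or dump with its masked form."""
    return PAN_RE.sub(lambda m: mask_pan(m.group(0)), text)


def contains_pan(text: str, pan: str) -> bool:
    """Audit helper: does this stored or logged text still carry the full number?"""
    return _digits(pan) in _digits(text)


if __name__ == "__main__":
    rec = checkout_record("A1001", "4111 1111 1111 1111", 4999)
    print(rec)                                     # card_display only, no PAN
    print(redact_pans(LOG_LINE))                   # card="XXXX-XXXX-XXXX-1111"
    print(contains_pan(redact_pans(LOG_LINE), "4111 1111 1111 1111"))   # False
```

    `contains_pan` is deliberately crude (it strips separators from the whole text before searching), which makes it conservative: it may flag a false positive, but it will not miss a number that was merely re-spaced. Run it over database exports and log archives to confirm that a "we remove card data from online systems" statement is actually true.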
  • I haven't seen any reports of packet-sniff card theft. But then again, it would be single cards, basically small potatoes from the newshound point of view. When compared to the risks of non-online card theft methods (carbon paper, photocopy of credit slips, dumpster diving, cell and cordless phone scanning), the chance of your particular packet getting sniffed seems pretty remote. I'm constantly surprised by the reports of thefts of millions of card numbers. Why is the card number stored on the web server at all? I would expect that once registered, only the card type, last few digits and expiration date would be listed, so that (a) the site could say "Is this your card?" and (b) it would know if it needs to get updated card info when the card expires. Any live link to credit processing is going to be secure -- I hope. I'd be surprised if any merchant card processor wasn't secured. But many online transactions aren't going to be immediately processed: a lot of places don't bill until items ship, or need to negotiate shipping prices, etc. Joel`
  • Security through obscurity? That isn't security at all... If one person stumbles across it by accident then everything is lost. Also, if only a select few know how something is secured the chances are that they'll have missed something.

    Plus, all it takes is one ex-employee to reveal all and the whole thing is made public. And what about these external body employees? Do you trust them?

  • Yeah, but there will be ten years of court battles before anything ever gets paid out. I'm not an expert on the american legal system, but from what I hear any large corporation will just cover everyone in paperwork and never actually pay up.

  • That might work... Thing is, what's to stop someone trying random numbers until they manage to get money off someone at random? The basic idea sounds good, but it would have to be implemented extremely carefully to work.

    It might be easier to only allow banks / credit card companies to use credit card details. Maybe you could do your shopping on whatever e-commerce site, then be redirected to a credit card company to do the payment. Some domain name registrars (Gandi [gandi.net], for example) already do this successfully. This way the company never gets your credit card details.

  • Yes, it does.

    If they don't keep your credit card info after the sale, they can't sell it when they get bought. There should be an option where they don't keep it. If you want them to keep it for one-click-shopping, then that's your decision and your problem when shit happens. Presumably, this guy wouldn't check that box.

  • Surely you're joking. That's like saying that a proprietary OS is less susceptible to viruses because no one knows how the OS works.

    We know that's not true!

  • What's he looking for? A company that tells potential purchasers what they intend to do in the event of being purchased themselves?

    Actually, that's not such an unreasonable demand. One should be able to consult a document that does inform you, the consumer, about what happens to the information that you give about yourself in the event of a merger.

    Take, for example, what might happen in the event of a medical practice being privatised and purchased by an insurance company. Would you like your medical records to become a part of that company's records?

  • ...this hash could be used by the consumer, vendor, and credit card company to authorize and authenticate transactions.

    Couldn't someone steal the hash in the same way they can today steal the actual credit card number? Once stolen, the hash would be as useful as the card number itself.
  • What if Egghead.com became responsible for the $50 or so that every person is responsible for with false/stolen credit card charges.

    I know with my bank, that I'm not responsible for ANY charges fraudulently placed on my card. If it's proven that I didn't authorize the transaction, the merchant who sold the goods to the fraudulent person has to incur the costs, and write it off, unless they're able to track the item to a person and prove they committed the fraud.

    As far as egghead.com being responsible for any fraudulent charges caused by their database being broken into, it'd be near impossible to prove (without confession) that the fraud was directly a result of their dbase being compromised, and not by another merchant (brick & mortar or otherwise). Fraud is committed and cards are compromised every day, and ya know..I'd be willing to bet that more times than not it's because of card holder laziness/error/inattention, rather than a big bad corporation getting compromised.
  • Why should a credit card company be responsible, if they're not the group that made the transaction? That's like saying that Ford should be responsible for stolen cars.
  • Part of the benefit of using a credit card is that by law the card issuer cannot hold you liable for more than $50 of unauthorized purchases. I know $50 isn't chump change (at least for me) but if you look at it from the issuer point of view they needed some way to discourage false unauthorized purchase claims.

    In the end it is a risk, just like ordering pizza over the phone. Not quite the same scale but you don't really know how trustworthy the other end is.

    If the convenience isn't worth $50 of risk to you then don't use them.

    disclaimer: I'm not 100% familiar with the details, please correct me if I'm wrong.

    Leknor

  • I've always claimed in order to fix up these e-commerce breakins a certification system would be necessary. Ideally one would think the credit card companies would be interested in this, but unfortunately they actually make money off break-ins or at least the fear of break-ins.
    What I'd propose is that someone (some company more like it) draft up a list of guidelines which it deems necessary to protect consumer privacy. Conditions like not storing credit card numbers on publicly available servers (or not at all as someone suggested ;)), firewall implementation, etc. You'd have to make it non-OS specific, since the market is fragmented whether you like it or not. A company believing that they met the standard can have an audit done by such a company, and upon successful completion (and passing) of the audit, the site would be deemed "Company X Secure." It seems obvious to me, however I wouldn't be surprised if there is a liability issue involved. But if you look at most sites, you often see claims as "100% secure" anyways, so I'm not quite sure.
    If the standard were publicly available, geeks like us could check them over, and decide if their protection is deemed adequate. This would allow companies to keep their security policies private, and yet have the verification of a third party to say, "Yeh, they are ok." But then again, I'm not sure if it'd make a difference to the lay-person.

    I honestly don't know if this has been done already. Like I said earlier, it seems obvious that the Credit Card companies would jump all over it, but they haven't. Next I would think one of the bigwig "Security" companies would do it. But I don't know.

    A Response to whether you think this can be done, would be interesting.
  • The question is, should your credit card number exist anywhere except impressed on your credit card? Vital statistics are one thing, but the ability to pick your pocket at the speed of light over long distances must be curtailed. We need legislation that requires all merchants everywhere to thoroughly erase credit card data the moment any and every transaction is finished. My name, address, and phone number are publicly available (unless I choose otherwise); the contents of my wallet are not. And as a side note, what's this with Radio Shack clerks asking my name and address when I pay for something in cash? I always say "No" but how many people just give up the data? Caveat emptor.
  • I'm a big wheel. Get used to it.

    But since you are too pathetic to I.D. yourself, we don't know who you are.

    Also what does this have to do with security of computer systems.

  • If there's anyone out there who knows security like the back of their hand, there's a tremendous business opportunity to be had due to the rampant paranoia about online transaction security.

    Simply start a security "brand" based on a security rating that you provide. Audit sites once a month or so, then give them a numerical score based on their security precautions. If they are deemed secure, they can place a logo of some kind indicating that they've been "certified" secure.

    Sites will be happy to get the audit, and the logo, once recognized, will drive business to their site. So they kill two birds with one stone and are happier to pay for a security audit than from a firm without a publicly-recognized brand.

    And the unwashed masses, who aren't quite sure how this internet thing works and are therefore a bit nervous about the whole thing, are happier to shop at sites that have the logo.

    A million dollar idea, folks. Yours for free :-)
  • Most companies stick to the "security by obscurity" mentality because, frankly, that's what most people think works. We won't see companies coming clean about their security measures, until enough customers are technologically competent enough to evaluate those measures, and actually tell their stores they will decide where to buy their stuff based on how good the security is.
  • The only place I used that card, was, guess where? Paypal, ebay, and EGGHEAD. Given those facts, I'd have to say the truth is one of those folks were hacked, and abused. Egghead obviously comes to mind, but the others, I dunno. Doesn't bother me much, other than the hassle of having to cancel the card, and have a "Card stolen" trade line on my credit report.. but the lack of security is true. The hackers probably used a well known security hole. These Etailers just don't give a damn either. I guess they are spending their last $$ to save their asses and can't seem to find the cash to hire some full-time ultra-l33t hax0rs to guard their systems. If the script kiddies are capable of finding the holes in their systems, it's damn straight just as easy for a good security admin to protect the holes. I find the etailers guilty of negligence. But is the problem just limited to etailers? No. Almost everyone that puts a site online these days, seems to forget the same old adage. If you don't pay attention to your initial security problems, and don't keep up with the daily updates of security, you are just as guilty. How many webhosting providers do you think take active security against their server farms? Probably close to none. It's your responsibility to ensure your commerce site is secure, and if you ignore the problem you'll end up like egghead in quick time.
  • I was carded electronically. The good ole fashioned way. Steal card info from database, use it. Go search for an old g-phile on carding and you'll understand the term I used.
  • Most sites publish a privacy policy about how they protect your "personally identifiable" information (yet we all know they sell the aggregates to advertisers).

    As for companies telling you what they do to protect from electronic theft, isn't that the same as publishing what they don't do? I agree that security through obscurity is not the best way at all times, but does it have particular uses in these days of h/crackers releasing patches which DDoS the company? (I couldn't find the URL, but Network Associates underwent a light DDoS attack after a black hatter released a patch for BIND to fix the recently discovered bugs [slashdot.org] which had zombie code installed. What's incredible is it made it past BugTraq and NAI as "safe" and got posted)

    Sites will be hacked. That is the nature of the Internet. What I would like to see is a site that will reimburse you if you are the victim of their own lax security. What if Egghead.com became responsible for the $50 or so that every person is responsible for with false/stolen credit card charges. Would this put a great monetary risk at the company? Yes. And isn't money what gets things done with the "Big Business"?

    IANA Business Major, but would this work? Just my thoughts on the matter.
  • Perhaps a solution is this: start up a company to insure credit card #s from theft. The way this works is this: if someone steals a # from a merchant who pays premiums to this company, every # in the merchant's db receives an instant settlement for $50.

    The premium would be a function of how much sales the company makes by cc. Granted, this would be passed on to the customers, but the merchant is free to put a "Your credit card number is protected by [INSERT COMPANY NAME HERE]" logo on their site, and they receive a listing on the insurer's website.

    Obviously, the insurance company is going to make the premiums dependent on the extent of security precautions. In other words, if the merchant doesn't even change the database default password, then their premiums'll be sky-high and either the company goes under more quickly or it charges exorbitant prices to cover the premiums. Meanwhile, a company that employs a good security guy who secures the servers (keeping up with all the tricks of the trade) pays next to nil in fees, thus giving them lower prices.

    Build the security into the price of what you buy online, in other words.

  • Don't blame the problems of your country on the Jews, they are a humble people who want to live in peace and without hatred. The real "nation-wreckers" are often the most nationalist people, who want to repress innocent minorities like the Jews.
  • Without a good understanding of the security in place, the best you can do is presumably minimize the risk. Only shop with places where your credit card details are NOT stored on their systems, and if they give you the option, remove them.

    Personally I think the online world will be a much safer place once we have 'one-time' transaction numbers for specific amounts, much like American Express are apparently introducing. Instead of giving any old company your full and 'permanent' credit card details, you go to your bank and ask them to provide you with a unique number for that individual transaction for a particular amount. It's then impossible for the company to store your details, mischarge you or charge you again in the future. Of course, we'd have to be confident that the credit card companies' security is good, but I'd rather trust them than some merchant who's just about managed to get a Java e-commerce app running on his shared server.
  • The thing about security from the perspective of the company is that as far as they are concerned, they like to keep all the details secret. That way things are more secure, and people don't know how to crack them because nobody knows what the hell they are doing. But, the customer wants to know that his data is secure, and will want to know the details of how it is kept secure. So how do we resolve this conflict?

    Well, the only way is to have an external body that will grant companies security certifications. The companies will be required by law to get a license to hold data, on the condition that a secure external body examines their security arrangements. This way the company does not have to reveal its security arrangements to anyone but the government, and the customer can be assured that his data is safe because the company he trades with is certified by an external body.

    It's a bit like Bob and Alice. We need a third agent to make things really secure, it would seem to me.

    You know exactly what to do-
    Your kiss, your fingers on my thigh-

  • Out of the three retailers (Is PayPal considered a retailer?) the only one that matches up with the same fraudulent charge on my credit card is Egghead. I used a number of other retailers online, including CDW and a couple of small software makers.

    [Let me guess, 415 Rubles (about $15) in Moscow Russia, from a company called "Global Telecom", right?]

    So, despite what Egghead says about their break in, database theft, or however it was classified, it DID happen. My CC Company was smart enough to send a letter just in case I missed the charge on the bill. (I am in the process of contesting the charge at the moment.)

    The problem with this type of thing and having the retailer pay for it, is that there is no real connection between the fraudulent charges and the one from Russia. I don't know if the company in Russia will get the money, but if they do, it won't necessarily be Egghead that takes the loss. It will likely be my CC company.

    The "single use" number would work to combat this, and I see that more and more credit card companies will start using them. (Assuming there is not some overly restrictive patent on the concept.) But better than that, would be a "single retailer" number. One that works only if a certain retailer makes the charge. Then you know exactly who the culprit is, and you could turn it "on and off".

    The single retailer number (I'd only need 5 or 6 of them, so they would be easy to manage) could then help the customer by allowing retailers to much more safely use the "single click" shopping method without overly jeopardizing the consumer's credit card if a hole were found and exploited. In the event that the company is purchased or reorganized as in the case of OnSale and Egghead, there would be less for the consumer to worry about.

    jafiwam
  • We need an on-line database profiling the policies, practices, and habits of corporations (both in the ways that are positive, and in the ways that they are predatory), in order to protect the privacy and liberty of individuals. This way, we can more effectively boycott any companies that engage in predatory business practices.

    Corporations have been doing this against us for so long - sharing and even selling personal information about their customers. It is time to turn the tables around. We have no choice but to try and protect ourselves also.
  • There is no real need to store a user's credit card details. Here in Australia there is a very good payment gateway that will process refunds by supplying the merchant number and the receipt number that was issued. Therefore the responsibility for security lies with the gateway, which would not last too long if it was breached. IMHO too many companies don't take security seriously when it comes to their websites; most small websites are constructed for very little, if you consider how much is spent on their internal systems, and will only pay minimal charges to host their sites. Not much of a saving if they are breached and make the news.

    $0.02 worth
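The two ideas raised in the comments above, issuer-side 'one-time' and 'single retailer' card numbers (the American Express style single-use number and jafiwam's merchant-bound number that can be switched on and off), and the last comment's model of a merchant that stores only the gateway receipt number and refunds against it, fit together as one simulation. The following is an added example, not code from the thread or from any real issuer or gateway; the Issuer/Merchant API, the merchant names, and the amounts are all made up for illustration. The point it demonstrates is that every check lives at the issuer, so a number lifted from a merchant database is useless for a replay, useless at any other merchant, and absent from the merchant's records altogether.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed example. Two kinds of virtual number from the thread: a single-use
# number good for one charge up to a cap at any merchant, and a merchant-bound
# number that only one merchant may charge and the cardholder can switch off.
SINGLE_USE = "single-use"
MERCHANT_BOUND = "merchant-bound"


@dataclass
class VirtualNumber:
    kind: str
    max_amount: int                 # cap per charge, in cents
    merchant_id: Optional[str]      # set only for MERCHANT_BOUND numbers
    enabled: bool = True
    used: bool = False


class Issuer:
    """Plays the card issuer and the payment gateway in one hypothetical object."""

    def __init__(self) -> None:
        self._numbers: Dict[str, VirtualNumber] = {}
        self._receipts: Dict[str, dict] = {}

    def _add(self, vn: VirtualNumber) -> str:
        pan = "4000" + "".join(secrets.choice("0123456789") for _ in range(12))
        self._numbers[pan] = vn
        return pan

    def issue_single_use(self, max_amount: int) -> str:
        return self._add(VirtualNumber(SINGLE_USE, max_amount, None))

    def issue_merchant_bound(self, merchant_id: str, max_amount: int) -> str:
        return self._add(VirtualNumber(MERCHANT_BOUND, max_amount, merchant_id))

    def set_enabled(self, pan: str, enabled: bool) -> None:
        self._numbers[pan].enabled = enabled      # cardholder turns it on/off

    def authorize(self, pan: str, merchant_id: str, amount: int) -> Tuple[bool, str]:
        """Return (ok, receipt) on success or (False, reason). All policy runs here."""
        vn = self._numbers.get(pan)
        if vn is None:
            return False, "unknown number"
        if not vn.enabled:
            return False, "number disabled by cardholder"
        if vn.kind == SINGLE_USE and vn.used:
            return False, "single-use number already spent"
        if vn.kind == MERCHANT_BOUND and vn.merchant_id != merchant_id:
            return False, "number bound to another merchant"
        if amount > vn.max_amount:
            return False, "amount over cap"
        vn.used = True
        receipt = secrets.token_hex(8)
        self._receipts[receipt] = {"merchant": merchant_id, "charged": amount, "refunded": 0}
        return True, receipt

    def refund(self, merchant_id: str, receipt: str, amount: int) -> bool:
        """Refund against merchant number + receipt number; no PAN is ever needed."""
        rec = self._receipts.get(receipt)
        if rec is None or rec["merchant"] != merchant_id:
            return False
        if rec["refunded"] + amount > rec["charged"]:
            return False                          # cannot refund more than charged
        rec["refunded"] += amount
        return True


class Merchant:
    """Keeps only the gateway receipt per order; the card number is never stored."""

    def __init__(self, merchant_id: str, issuer: Issuer) -> None:
        self.id, self.issuer, self.orders = merchant_id, issuer, {}

    def checkout(self, order_id: str, pan: str, amount: int) -> Tuple[bool, str]:
        ok, result = self.issuer.authorize(pan, self.id, amount)
        if ok:
            self.orders[order_id] = result        # receipt only, never the PAN
        return ok, result

    def refund(self, order_id: str, amount: int) -> bool:
        return self.issuer.refund(self.id, self.orders[order_id], amount)


def run_scenario() -> dict:
    """Walk through the thread's cases; merchant names and amounts are made up."""
    issuer = Issuer()
    egghead = Merchant("egghead", issuer)
    other = Merchant("some-other-merchant", issuer)
    out = {}
    # Single-use number for a $49.99 order, then replayed from a stolen database dump.
    pan1 = issuer.issue_single_use(4999)
    out["single_use_ok"] = egghead.checkout("order-1", pan1, 4999)[0]
    out["single_use_replay"] = other.checkout("fraud-1", pan1, 1500)[1]
    # Merchant-bound number for one-click shopping at one retailer only.
    pan2 = issuer.issue_merchant_bound("egghead", 20000)
    out["bound_ok"] = egghead.checkout("order-2", pan2, 12000)[0]
    out["bound_reuse_ok"] = egghead.checkout("order-3", pan2, 3000)[0]
    out["bound_elsewhere"] = other.checkout("fraud-2", pan2, 1500)[1]
    issuer.set_enabled(pan2, False)
    out["bound_disabled"] = egghead.checkout("order-4", pan2, 1000)[1]
    # Refund by receipt, and confirm the merchant's records hold no card number.
    out["refund_ok"] = egghead.refund("order-2", 12000)
    out["refund_twice"] = egghead.refund("order-2", 1)
    out["pan_in_merchant_db"] = any(v in (pan1, pan2) for v in egghead.orders.values())
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:20} {value}")
```

Two design points worth noting. The merchant-bound number is marked `used` but never rejected for reuse, which is what makes it suitable for one-click shopping; only the single-use kind refuses a second charge. And the refund path takes the merchant number and receipt number exactly as the Australian gateway comment describes, so the merchant's `orders` table can be dumped wholesale without exposing anything a carder could charge.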

E = MC ** 2 +- 3db
