There will be $24.3 billion in online transactions this holiday season; this will undoubtedly be accompanied by an equal rise in the number and type of attacks against the security of online payment systems and against ecommerce consumers. Some of these attacks will utilize vulnerabilities that have become noticeable in the third-party components utilized by websites, such as shopping cart software. Other fraud attempts will most likely use vulnerabilities that are common in any web application and can allow a knowledgeable hacker to penetrate the defenses of an ecommerce host webserver.
There are also the more popular electronic fraud techniques of "spoofing" and "phishing." This activity is on the rise with growing numbers of phishers sharpening their talents, producing quite convincing e-mails and dummy notices from ecommerce web sites; the number of consumers victimized using this method is increasing rapidly. Ecommerce website merchant have a clear mandate to exercise due diligence by doing everything possible to protect their hard-won customers from identity theft.
Know Your Software Vulnerabilities
There are a number of security vulnerabilities in some shopping cart and online payment systems that make them a target for sophisticated hackers. Being aware of these can help you take steps to secure your side of the customer's information pathway more effectively.
Some of these pitfalls are:
* SQL injection – this technique is begun by a hacker sending the single-quote (' ) character as a test; this can yield a detailed error message, which reveals the server's back-end technology and in some programs allows the attacker to access usually restricted areas of the server. In one well-known occurrence, a mid-level programmer in suburban California discovered how to uncover credit card numbers, transaction details, etc. from a number of ecommerce websites using unique URLs that contained meta-characters used in SQL programming.
* Buffer overflow vulnerabilities – this involves sending in a large number of bytes to web applications that are not geared to deal with them. Sometimes a hacker can learn the path of the PHP functions being used on the ecommerce gateway server by sending in a very large value in the input fields and interpreting the resultant error message. The server error pages that are returned by these efforts can serve as a valuable source for critical information enabling the hacker to manipulate scripts for fraudulently obtaining customer financial information.
* Cross-site Scripting (XSS) Attack – This method involves a web form that takes in user input, processes it, and prints out the results on a web page, which also contains the user's original input. A cleverly crafted URL is used in this process to try and steal the user's cookie, which would probably contain the session ID and other sensitive information.
* Remote Command Execution – This powerful hacking vulnerability occurs when the CGI script has inadequate input validation thus allowing the execution of operating system commands. This is most common with the use of the 'system' call in Perl and PHP scripts. A hacker using the command separator and other shell metacharacters can execute commands with the privileges of the web server administrator.
Guide Your Customer To Safety
The aforementioned "phishing" and "spoofing" are clever copies of an ecommerce website that request "password validation" or "account updating" and link to a dummy page that captures the financial information the hapless victim has been duped into entering. Another ruse is to have a pop-up form requesting username and password appear over a legitimate ecommerce website page. These all play into consumer unawareness and inattention.
The primary responsibility that any ecommerce merchant has is to caution the customer to be wary, help them recognize a false ecommerce webpage, and give those customers a way to verify the credibility of any communications they may receive that appear to represent the ecommerce store.
There are new fraud techniques appearing every week. The goal of any reputable ecommerce entrepreneur should be to give the customer the most rewarding, satisfying, and above all safe online shopping experience.
http://www.isedb.com/db/articles/1663/