
Locking down your web storefront


Presentation Transcript


  1. Locking down your web storefront Techtarget web chat April 2002 David Strom

  2. eCommerce security 101 • Make sure you protect your enterprise network from intrusion • Limit user access, isolate servers, lock down scripts, harden servers • See www.nwfusion.com/netresources/0202hack1.html

  3. Outline • Database issues • Payments and payment processing issues • Evaluating Commerce Service providers • Preventing credit card fraud • Privacy issues for consumers

  4. Database issues • Understand the security weaknesses and access controls of local database users (what can the account your web scripts log in as actually read and write?) • Understand the web/database interaction from a security perspective: anything a customer types into a form can end up inside a query • Understand misconfigured proxy server attacks (à la Adrian Lamo) • Block those CGI scripts! • Who is root, and what can they really do?
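To make the "web/database interaction" bullet concrete, here is an added example that is not part of the original slides: the same order lookup written the way many 2002-era CGI scripts built their SQL (by pasting the form field into the statement) and the hardened form with a bound parameter, both run against an in-memory SQLite table of constructed sample orders. The table, column names and sample rows are assumptions made for the illustration.

```python
# Added example (not from the original presentation): a web-to-database
# order lookup written two ways, run against an in-memory SQLite table of
# constructed sample orders.  The table, column names and sample rows are
# assumptions made for this illustration.
import sqlite3

SAMPLE_ORDERS = [  # constructed data: (order id, customer e-mail, total)
    (1001, "alice@example.com", 49.95),
    (1002, "bob@example.com", 120.00),
    (1003, "carol@example.com", 8.50),
]


def make_db():
    """Build an in-memory database holding the sample orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, email TEXT, total REAL)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def lookup_orders_vulnerable(conn, email):
    """Classic CGI pattern: the form field is concatenated into the SQL text,
    so whatever the customer typed becomes part of the statement."""
    sql = "SELECT id, email, total FROM orders WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_orders_hardened(conn, email):
    """Same query with a bound parameter: the value travels separately from
    the statement, so quote characters in it cannot change the query."""
    sql = "SELECT id, email, total FROM orders WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups with an honest value and a hostile one and return
    the number of rows each version hands back."""
    conn = make_db()
    honest = "alice@example.com"
    # A value a hostile customer might type into the e-mail field of the form.
    hostile = "x' OR '1'='1"
    return {
        "vuln_honest": len(lookup_orders_vulnerable(conn, honest)),
        "vuln_hostile": len(lookup_orders_vulnerable(conn, hostile)),
        "safe_honest": len(lookup_orders_hardened(conn, honest)),
        "safe_hostile": len(lookup_orders_hardened(conn, hostile)),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable version returns every order in the table for the hostile input, because the statement it executes is `... WHERE email = 'x' OR '1'='1'`; the parameterised version returns nothing, since it looks for a customer whose e-mail address is literally that string. The slide's other two bullets apply on top of this: the login the script uses should be a separate database account with only the SELECT rights it needs, so that even a successful injection cannot modify or drop data, and it should never be the database's root/administrator account.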

  5. Common mistakes with payment processing • Provide too few or too many order confirmation pages • Confusing methods and misplaced buttons on order page • Make it hard for customers to buy things • Don’t make your customers read error screens

  6. A taxonomy of bygone web payment approaches [decision-tree figure; only the node labels survived extraction] • Root question: transmit “16+4” (the 16-digit card number plus the 4-digit expiry date) over the Internet? • Branch questions: buyer encrypts? • buyer confirms? • merchant decrypts? • synchronous? • buyer signs? • Leaves (the schemes being classified): plaintext, eCash, CyberCash, SET, GlobeID, VirtualPIN, S-HTTP, PGP, SSL

  7. Why didn’t they work? • Too complex to implement • Too much infrastructure • Not too many stores took their kind of money • Too many other technical challenges

  8. ConEd bill payments • Claim they needed 100,000 customers to break even • https://m020-w5.coned.com/csol/main.asp • Note the lack of access control: anyone who knows a valid account number can see that customer’s bill! Try acct no. 434117168910006
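The ConEd problem is a missing authorization check: the site treats knowledge of an account number (printed on every paper bill) as proof that you are the account holder. As an added example, not code from the slides or from ConEd, here is a bill lookup that fails the same way next to one that ties the account to the logged-in user. The account numbers, customer logins and amounts are constructed.

```python
# Added example (not from the original slides or from ConEd): a bill lookup
# with and without an ownership check.  Accounts, owners and amounts below
# are constructed sample data.
BILLS = {  # constructed data: account number -> (owner login, amount due)
    "100000000000001": ("alice", 83.20),
    "100000000000002": ("bob", 41.75),
}


def get_bill_unchecked(session_user, account_no):
    """Looks authenticated (a session user is passed in) but never uses it:
    any existing account number returns that customer's bill."""
    entry = BILLS.get(account_no)
    if entry is None:
        return None
    return {"account": account_no, "amount_due": entry[1]}


def get_bill_checked(session_user, account_no):
    """The account must exist AND belong to the logged-in user.  Both
    failures return the same 'not found' result, so a caller cannot use the
    response to confirm which account numbers are valid."""
    entry = BILLS.get(account_no)
    if entry is None or entry[0] != session_user:
        return None
    return {"account": account_no, "amount_due": entry[1]}


def demo():
    """Bob, logged in, asks for Alice's account number."""
    alice_acct = "100000000000001"
    return {
        "unchecked": get_bill_unchecked("bob", alice_acct),
        "checked": get_bill_checked("bob", alice_acct),
        "own_account": get_bill_checked("alice", alice_acct),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the uniform "not found" response is that account numbers are sequential or otherwise guessable; an error that distinguishes "no such account" from "not your account" lets someone enumerate valid numbers even after the ownership check is added.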

  9. So what payment instrument to use today? • SSL • Credit cards • eWallets/SET • Cybercash and other payment gateways • Commerce Service Providers’ payment systems • 1-Click service providers

  10. All providers are not the same • Compare services • Which cards do they authorize? • Do they provide electronic check services? • Do they provide check guarantee services? • Compare prices • Start-up fees • Monthly discount fees • Other service fees (per transaction) • Statement generation fees

  11. Evaluating providers • Do they offer storefront design? • Have in-house programmers? • Hosting of your own web server machine? • How many payment systems do they support? • What kinds of accounting reports do they offer?

  12. Preventing credit card fraud • Don't accept orders unless full address and phone number present • Be wary of different "bill to" and "ship to" addresses • Be careful with orders from free email services • Be wary of orders that are larger than typical amount • Pay extra attention to international orders

  13. Credit card fraud, cont’d • When in doubt, call the customer to confirm the order • Use software or services to fight fraud • When you’ve found fraud, contact your merchant bank immediately • See www.scambusters.org/Scambusters23.html
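The review rules on slides 12 and 13 are easy to automate as a first pass before a human looks at an order. The following is an added example, not code from the talk: each bullet becomes one rule, the rules are run over a few constructed sample orders, and the number of rules tripped decides whether to accept, call the customer, or hold the order. The free-mail domain list, the "3x typical" threshold, the merchant's home country and the accept/call/hold policy are all assumptions.

```python
# Added example (not from the original talk): the slides' manual review
# rules as a scoring function run over constructed sample orders.  The
# free-mail domain list, the 3x amount threshold, the home country and the
# accept/call/hold policy are assumptions made for this illustration.
FREE_MAIL_DOMAINS = {"hotmail.com", "yahoo.com", "mail.com"}  # assumed list
HOME_COUNTRY = "US"  # assumed merchant location
AMOUNT_MULTIPLIER = 3  # assumed: flag orders above 3x the typical amount

SAMPLE_ORDERS = [  # constructed data
    {"id": "A1", "email": "alice@example.com", "address": "1 Main St",
     "phone": "555-0100", "bill_to": "1 Main St", "ship_to": "1 Main St",
     "amount": 60.0, "country": "US"},
    {"id": "B2", "email": "buyer99@hotmail.com", "address": "9 Elm St",
     "phone": "", "bill_to": "9 Elm St", "ship_to": "44 Other Rd",
     "amount": 900.0, "country": "CA"},
    {"id": "C3", "email": "carol@example.org", "address": "5 Oak Ave",
     "phone": "555-0199", "bill_to": "5 Oak Ave", "ship_to": "12 Pine Ct",
     "amount": 55.0, "country": "US"},
]


def fraud_flags(order, typical_amount):
    """Return the review rules an order trips, one per slide bullet.
    An empty list means nothing on the slides applies."""
    flags = []
    if not order.get("address") or not order.get("phone"):
        flags.append("missing address or phone")
    if order["bill_to"] != order["ship_to"]:
        flags.append("bill-to differs from ship-to")
    domain = order["email"].rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL_DOMAINS:
        flags.append("free e-mail service")
    if order["amount"] > AMOUNT_MULTIPLIER * typical_amount:
        flags.append("amount well above typical")
    if order["country"] != HOME_COUNTRY:
        flags.append("international order")
    return flags


def review_decision(order, typical_amount):
    """Assumed policy: no flags -> accept; one flag -> call the customer
    (the slides' 'when in doubt'); more than one -> hold for manual review."""
    flags = fraud_flags(order, typical_amount)
    if not flags:
        return "accept"
    if len(flags) == 1:
        return "call customer"
    return "hold for review"


def triage(orders, typical_amount):
    """Run the rules over a batch and return {order id: decision}."""
    return {o["id"]: review_decision(o, typical_amount) for o in orders}


if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        print(o["id"], fraud_flags(o, typical_amount=50.0))
    print(triage(SAMPLE_ORDERS, typical_amount=50.0))
```

Each rule is a hint, not proof: a genuine gift order has different bill-to and ship-to addresses, and plenty of honest customers use free e-mail. That is why the decision escalates to a phone call or a human review rather than an automatic decline, and why an order that trips several rules at once (like B2 above) is the one worth holding.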

  14. Privacy issues for the consumer • Most people just want to be asked for their permission • Your customers don’t object so much if you use their information to sell them other products you may offer • But many object if you sell or rent their names to someone else

  15. Conclusions and questions David Strom Senior Technology Editor VAR Business magazine david@strom.com
