Who has your credit card numbers?

By Rasputin in News
Wed May 03, 2000 at 02:09:15 PM EST
Tags: Security

There's a story at The Standard about the abysmal security of "Shopping Cart" software that should probably scare you if you do any online shopping. In testing, 2 out of 2 packages were cracked in what the author describes as no time, allowing access to customer information (including credit card numbers) and the web site in general. More commentary below.


I may be misinterpreting what I see happening, but it certainly appears that in the rush to get their company online, a large number of people with no experience, no training (and no clue?) are putting up web shopping sites that are just begging to be abused by the criminally inclined. To make matters worse, with the exploding market for online shopping software, companies are throwing what could generously be called alpha quality code out into the world in an effort to hit the market window.

I don't know what the solution is, beyond being very careful about online shopping. There were also a couple comments in the article about not releasing information about the other cracked software until the company responsible had time to fix it. I guess we just have to hope our credit cards don't end up on those sites.

Who has your credit card numbers? | 22 comments (22 topical, 0 editorial, 0 hidden)
Good reason to use an open source p... (none / 0) (#1)
by rusty on Wed May 03, 2000 at 10:16:48 AM EST

rusty voted 1 on this story.

Good reason to use an open source product instead. :-)

____
Not the real rusty

This story is almost a week old -- ... (none / 0) (#4)
by evro on Wed May 03, 2000 at 11:02:05 AM EST

evro voted 0 on this story.

This story is almost a week old -- Wired's story from 4/27. But it's true, people are so eager to have their own e-commerce site that they don't look into things like security. A guy I did a site for wanted to sell sweatshirts and motorcycle parts through his site, but because I didn't know any secure way to do this I told him I couldn't do it. He insisted that I could just use an email form for every order, and I told him that I would not do that because email is about the most insecure thing there is, and to have people transmit their CC# in plaintext is just plain stupid... So I can see where people would rush to use this generic cart software.
---
"Asking me who to follow -- don't ask me, I don't know!"

Maybe I'm wrong, but... (none / 0) (#14)
by pdubroy on Wed May 03, 2000 at 02:15:17 PM EST

Maybe I'm wrong, but I see k5 as a site that is more concerned with discussing news, rather than breaking it. If you want breaking news, try slashdot (however, you are likely to find even older news there).

Re: This story is almost a week old -- ... (none / 0) (#16)
by Coram on Wed May 03, 2000 at 03:52:44 PM EST

I believe that security is the number one priority (or should be) for any online service, but is there a reason this can't be done simply? Emailing credit card details could easily be a viable option. Having a server accepting purchases with SSL support, piping cgi output through gpg, through mail to a destination leaves the data encrypted but still easily accessible by the vendor without entering as clear text on disk. Isn't this a desirable, and workable, solution?

--
judo ergo sum
I don't know of anyone with aninkli... (none / 0) (#13)
by dgay on Wed May 03, 2000 at 11:10:07 AM EST

dgay voted 0 on this story.

I don't know of anyone with an inkling of technical know-how that trusts 'ecommerce'. I also don't think that online transactions are any less secure than say giving your cc# out over the phone or handing it to a cashier. Anyone can shoulder surf to get your number or listen in on your calls. I guess the main concern is that it is a rather large stash of numerous cards in one place when you bring internet sites into the picture. Still, it doesn't interest me to read more about a tragic failing of ecommerce security.

I foresee lots of "this is true" vs... (none / 0) (#12)
by leshert on Wed May 03, 2000 at 11:13:49 AM EST

leshert voted 1 on this story.

I foresee lots of "this is true" vs. "this is overreaction" discussion. Good stuff.

I don't know what the solution is, ... (none / 0) (#8)
by slycer on Wed May 03, 2000 at 11:25:20 AM EST

slycer voted 1 on this story.

I don't know what the solution is, beyond being very careful about online shopping. There were also a couple comments in the article about not releasing information about the other cracked software until the company responsible had time to fix it. I agree, online shopping is scary at its current stage. But I don't think that not releasing the fact that there is a security hole in xbrand software is a good thing. The "crackers" will know that the hole is there, shouldn't others?

We're starting to see more and more... (none / 0) (#6)
by knick on Wed May 03, 2000 at 12:01:01 PM EST

knick voted 1 on this story.

We're starting to see more and more holes in shopping-cart software, and this is a bigger threat than the holes in Web servers. But, probably over-hyped by the media just like everything else. --knick
-- sig's are for sissies --

Blah. I don't shop online.... (none / 0) (#11)
by Saint Zero on Wed May 03, 2000 at 12:22:59 PM EST

Saint Zero voted 0 on this story.

Blah. I don't shop online.
---------- Patron Saint of Nothing, really.

Of course general clue lackage is r... (none / 0) (#2)
by Inoshiro on Wed May 03, 2000 at 12:23:53 PM EST

Inoshiro voted 1 on this story.

Of course general clue lackage is responsible for most security. If people knew what they were doing, they certainly wouldn't purposefully leave themselves open :-)

--
[ イノシロ ]

The strange thing is, no one ever s... (none / 0) (#3)
by driph on Wed May 03, 2000 at 12:28:40 PM EST

Driph voted 1 on this story.

The strange thing is, no one ever seems to really worry when they hand their credit card to a perfect stranger at the restaurant after dinner, or when they give out the numbers to someone on the phone.

--
Vegas isn't a liberal stronghold. It's the place where the rich and powerful gamble away their company's pension fund and strangle call girls in their hotel rooms. - Psycho Dave

Re: The strange thing is, no one ever s... (none / 0) (#15)
by fluffy grue on Wed May 03, 2000 at 02:48:07 PM EST

Yes, but the perfect stranger also isn't likely to be able to get online, use the credit card information (and know your address) in order to get some expensive stuff shipped to your address and get a tracking number, and then call up UPS to get the shipment diverted elsewhere. The perfect stranger also isn't likely to have a huge stash of credit card numbers with their associated names, expiration dates, and billing addresses and the ability to defraud a LOT of people for relatively little amounts of money and almost no traceability. Sure, the individual losses to the cardholders would easily be under $1000, but think of the *millions* of dollars' worth of fraudulent purchases someone could make, and then they could simply auction the goods off on eBay, posing as a general-purpose liquidation source and make a tidy profit. Sure, the individuals would only be accountable for $50 each under the credit fraud protection laws, but think of all the losses which the individual businesses would be responsible for (no signature means the credit card company isn't responsible, the individual business is), which would be reflected in higher prices for everyone.
--
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]

Which is the easier way to get cred... (3.00 / 1) (#9)
by Mrs Edna Graustein on Wed May 03, 2000 at 12:44:01 PM EST

Mrs Edna Graustein voted 0 on this story.

Which is the easier way to get credit card numbers: become a waiter or cashier, or spend time learning to become a 1337 H4X0R or even a real cracker? The dangers of online shopping are, I believe, comparatively low.
--
And if any of you put that in a .sig, I'll hunt you down and kill you twice. ;-)
Rusty

Re: Which is the easier way to get cred... (none / 0) (#19)
by Inoshiro on Wed May 03, 2000 at 05:57:00 PM EST

Potentially a script kiddie can get a lot more CCs from cracking a group of sites running the same vulnerable software in a few days than a social engineer could in a few months, but you have a point.



--
[ イノシロ ]
Ugh. I try to only shop at places ... (none / 0) (#5)
by fluffy grue on Wed May 03, 2000 at 12:45:05 PM EST

fluffy grue voted 1 on this story.

Ugh. I try to only shop at places which only use my credit card number once (to do the transaction) and then throw it out, but then I'll often find out later that they KEEP the numbers (probably in plaintext, no less) and that there's no easy way to get rid of it. That's the main gripe I have about half.com - they keep your CC# instantly available for making purchases, which is really convenient (for both the buyer and them), but doesn't make me confident at all. :/
--
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]

Re: Ugh. I try to only shop at places ... (none / 0) (#22)
by fluffy grue on Fri May 05, 2000 at 03:40:41 AM EST

At the risk of violating netiquette...

From: service@half.com
Date: Thu, 04 May 2000 18:46:33 -0500
Subject: Re: Privacy/Security - Feedback ID 132261
To: joshagam@cs.nmsu.edu


Hi,

Thanks for contacting half.com customer service.

We are sorry to inform you that at the current time the only way to remove your
credit card information after each purchase is to delete it from our files.  We
do have a very secure site and have had no thefts of credit card numbers from
our secure server.  We do thank you for informing us of your concerns, and we
will forward your e-mail to our programming department for possible future
alterations to the site.

If you have any further questions, please feel free to visit our Help Desk at
http://www.half.com/help/index.cfm , or email us at service@half.com.

Thanks for contacting Half.com Customer Service.

At least they're apparently concerned about security. They run Apache 1.3.9, use mod_ssl and mod_perl, don't seem to have any nonessential services running (including telnet)... in my original support question, I had asked if they encrypted the data on their disks for at least a bit of obscuring and they didn't address that question, though. I've already been doing the practice of deleting my CC information after placing an order, in any case, and it looks like they may actually have taken my suggestion (do this for you) into consideration. So far I've never had any complaints about their customer service... they're always punctual, and seem to respond personally, rather than copy-paste irrelevant FAQ sections like some sites do.
--
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]

There seem to be oodles of these so... (none / 0) (#7)
by sergent on Wed May 03, 2000 at 01:59:45 PM EST

sergent voted 1 on this story.

There seem to be oodles of these software packages out there. I'm surprised there hasn't been more convergence on a few fairly solid packages (like there has for web servers, for instance; or even for web application servers, where there are maybe five or ten that you hear about regularly). Or perhaps there has and I'm out of the loop.

What's the good stuff out there in this area?



Another default password issue (rin... (none / 0) (#10)
by bladerunner on Wed May 03, 2000 at 02:09:15 PM EST

bladerunner voted 1 on this story.

Another default password issue (rings of a recent Linux backdoor/default password problem). Common sense and just plain security consciousness (sp?) I think would dictate "never use teh defaults!" "Change the Password!" "Never run as root!" But that's just me.
-Ex-slashdotter. I love cats, but hate Katz.

Re: Who has your credit card numbers? (none / 0) (#17)
by FlinkDelDinky on Wed May 03, 2000 at 05:02:51 PM EST

These insecurities are scary and it folds into the giving out of personal numbers in general. You've got to give your SS# for oodles of things.

I've made tons of purchases on-line. The funny thing is that the only false purchase that has shown up on my card is from Mexico. The guy at the hotel must have run the card through the slider thing twice then forged my name and charged $100 to a dummy company.

Re: Who has your credit card numbers? (3.00 / 1) (#18)
by Alhazred on Wed May 03, 2000 at 05:34:31 PM EST

Ah, well, having built 3 sites with e-commerce (and wrote my own shopping cart to boot) I can comment a little bit.

1st of all, it's easy to write software, it's very hard to write secure software, just like it's really hard to write bug-free software. How do I know if my shopping cart is secure? I mean none of the really obvious mistakes were made that I know of, but can I possibly track down every possible nuance of perl, CGI.pm, and various other packages used in its construction, not to mention the code we wrote ourselves?

EVERY shopping cart has to keep CC #'s by the way. At least until someone comes along and clears the order. Few if any carts automatically complete transactions to the point where the number could be thrown away immediately, and even if they did there are various other issues that would mandate keeping a copy of whatever info the user entered for at least some period of time somewhere.

As for using commercial shopping cart code. It's inflexible and doesn't integrate well with other packages. For instance one of my clients has a "community" which we developed for them. People log into it, it keeps track of who they are. I don't want to have to make those people REENTER information that's already there so they can buy stuff. What would be needed is a truly modular architecture that provides services and allows you to plug in functions of your own devising. Then I could write my community stuff, some other guy could write the e-commerce stuff, and we would both be authenticating off the same database. Something like that. The state of the art just isn't there yet. I'm betting Rusty will agree with me on that one!

I also have to say that while closed-source certainly doesn't make things secure, open source doesn't necessarily either. Having lots of users AND open sourcing your code helps.
That is not dead which may eternal lie And with strange aeons death itself may die.

Re: Who has your credit card numbers? (none / 0) (#20)
by fluffy grue on Wed May 03, 2000 at 08:23:14 PM EST

I understand that the shopping cart needs to store the CC# until the transaction's completed, but really, there's no good reason for them to store it afterwards. That's the thing I have an issue with. (I'm assuming that comment was directed towards comments in general, including my own ramble about half.com and potentially-hacked merchants.)
--
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]
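The two comments above (Alhazred: a cart has to hold the card number until someone clears the order; fluffy grue: there is no good reason to keep it afterwards) describe a retention rule that is easy to state and easy to get wrong. The following is an added illustration in Python, not code from any shopping cart discussed in this thread or from the commenters: an order store that releases the full card number only while the charge is open, purges it in the same step that settles the order, keeps just the last four digits for the receipt, and scrubs any full number out of log text before it is written. The class and function names, and the Luhn-valid test card number `4111111111111111`, are constructed for the example.

```python
"""Order store that keeps a card number only until the charge is settled.

Added illustration of the retention point made in this thread; not code from
any shopping cart on the page.  All names and the test card number are
constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches 13-19 digit runs so a stray full PAN can be scrubbed from log text.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; rejects obvious typos before storage."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is all a receipt needs."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scrub(text: str) -> str:
    """Replace any full PAN that leaks into free text with its masked form."""
    return PAN_RE.sub(lambda m: mask_pan(m.group(0)), text)


@dataclass
class Order:
    order_id: str
    amount_cents: int
    last4: str
    status: str = "pending"           # pending -> settled
    pan: Optional[str] = None         # present only while the charge is open


class OrderStore:
    def __init__(self) -> None:
        self.orders: Dict[str, Order] = {}
        self.log: List[str] = []

    def _log(self, line: str) -> None:
        # Scrub before the line ever reaches the log, not after the fact.
        self.log.append(scrub(line))

    def place(self, order_id: str, amount_cents: int, pan: str) -> Order:
        if not luhn_ok(pan):
            raise ValueError("card number failed Luhn check")
        order = Order(order_id, amount_cents, pan[-4:], pan=pan)
        self.orders[order_id] = order
        self._log(f"placed {order_id} amount={amount_cents} card={pan}")
        return order

    def card_for_charge(self, order_id: str) -> str:
        """The full PAN is released to the charging step only while pending."""
        order = self.orders[order_id]
        if order.status != "pending" or order.pan is None:
            raise PermissionError("card number is no longer retained")
        return order.pan

    def settle(self, order_id: str) -> Order:
        """Mark the charge complete and purge the PAN in the same step."""
        order = self.orders[order_id]
        order.status = "settled"
        order.pan = None
        self._log(f"settled {order_id} card=****{order.last4}")
        return order

    def retained_pans(self) -> int:
        """Audit: how many orders still hold a full card number."""
        return sum(1 for o in self.orders.values() if o.pan is not None)

    def pans_in_log(self) -> int:
        """Audit: how many full PANs appear in log text (should be 0)."""
        return sum(len(PAN_RE.findall(line)) for line in self.log)


if __name__ == "__main__":
    store = OrderStore()
    store.place("A1", 4999, "4111111111111111")      # constructed test number
    print(store.card_for_charge("A1"))               # usable while the charge is open
    store.settle("A1")
    print(store.retained_pans(), store.pans_in_log())  # 0 0
```

The two audit methods are the part worth keeping: a periodic check that no settled order still carries a full number, and that none has leaked into logs, is how a merchant would verify the retention rule rather than just assert it.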

Don't buy on-line with anyone! (none / 0) (#21)
by skim123 on Wed May 03, 2000 at 08:24:23 PM EST

Don't buy things online from sites that aren't big and well known. No different than from giving your credit card #'s out in the real world... you wouldn't give your plastic to some street vendor, so don't give it to the Internet equivalent... stick with the big, publicly traded firms.

Money is in some respects like fire; it is a very excellent servant but a terrible master.
PT Barnum

