'Shopadmins' And the ID Theft Cycle
washingtonpost.com today published a story based on the 10 hours of lurking I did on a variety of underground chat and Web channels frequented by identity and credit card thieves. From that research, Security Fix confirmed recent data breaches at four online merchants that were unaware that hackers had broken into their databases until we contacted them.
I gathered piles of data from talking with nearly two dozen victims whose personal and financial information was posted into the fraud forums. Some of the more colorful material from those interviews was left out of the story, mainly for flow and length reasons. Anyway, several chilling and common threads were clear from the interviews with victims.
First, the initial credit-card theft is only the first step in a larger identity theft scam.
Second, far too many sites are compromised each month by hackers and scammers while their owners remain completely oblivious or in denial.
Finally, many of the victims of credit-card theft interviewed for this piece said they decided to shop at the sites that lost their data because they were the least-expensive vendor found through bargain shopping sites.
The text below goes into some of the above points in more detail (and it makes a bit more sense if you've already read the story):
Shopadmins
A solicitation for "shopadmins," among other illegal goods. Shopadmins are hacked online merchants from which crooks can extract fresh customer credit cards as new orders come in. (Screenshot by Brian Krebs)
In the same underground chat channels I monitored for the story, solicitations can regularly be seen for "shopadmins" -- the slang term in fraud circles for paid, illicit access to Web sites whose databases have been hacked.
In the world of credit-card theft, obtaining "fresh" account numbers is the most important part of the game, as many stolen credit cards that scam artists sell in bulk online are usually either sold multiple times or canceled by the time the fraudster purchases them. But by gaining real-time access to a shopadmin, thieves can retrieve active credit cards from a Web site's database shortly after customers place an order at the hacked online store.
In most cases, the criminals who steal credit-card data do not use the information themselves, but rather sell it in bulk to other crooks or criminal rings. Under federal law, consumers are not liable for more than $50 worth of charges that result from credit-card fraud, and most issuers will even waive that amount and simply issue the victim a new credit-card number. But experts say credit data stolen along with other personal information can provide identity thieves with the ability to glean even more information about victims.
Nearly all of the victims contacted for this story reported between $50 and $600 charges made at various sites that sell background checks on consumers, such as Ancestry.com, Peoplefinders.com, and USSearch.com. Security experts say these types of charges are increasingly common against victims of credit-card theft, as they allow thieves to build more complete dossiers on victims that further aid in identity theft or add value to the records in case they are re-sold on the black market.

A screenshot taken from an Internet relay chat (IRC) forum that caters to cyber criminals. In this image, a scammer using the nickname zERO is advertising paid access to a hacked Web site by logging in to the site's shopping cart online administration page. (Brian Krebs)
"What's happening is these guys will steal a credit-card number and then start compiling any information about these individuals that's available," said Jay Foley, executive director of the San Diego based Identity Theft Resource Center. "Most people aren't aware that if your credit-card data is stolen from XYZ company, most likely the thieves have also got your address, home phone number, e-mail address and other data that can be used to turn around and get more data, or even open up new lines of credit in your name."
Case in point is Hawaii resident Schuyler Cole, whose credit-card information was stolen after he made a purchase on Cellhut.com. He said thieves made charges at Peoplefinders.com, and tried to wire $550 from his credit-card account using Western Union, which declined the transaction. Other charges against his card were made to cover a Paypal transaction, as well as purchases at Netdragon.com, an e-mail marketing company, and at Yahoo! Voice, an Internet-based telephone service.
A Charity Case?
Many of the fraudulent charges made against stolen credit cards fit a similar pattern and include small one-dollar "donations" at the Web sites of charities that thieves use to tell whether the card is still active.
As Security Fix has noted before, it is not uncommon for various fraud groups to use their victim's credentials to donate to relief efforts of their choice, but in this case the fake donations serve a more expedient purpose.
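The pattern described above (a $1 "donation" used as a liveness check, followed by purchases at people-search sites) is something an issuer's fraud team can look for in authorization data. The following is an added illustration written for this post, not code from washingtonpost.com or from any bank or merchant named here; the transactions are constructed sample data, and the merchant lists, dollar threshold and 24-hour window are assumptions a real team would tune.

```python
"""Flag the card-testing / dossier-building pattern from the post.

Added illustration, not part of the original article. The transaction
records below are constructed sample data; the merchant categories and
thresholds are assumptions that a card issuer's fraud team would tune.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed merchant lists, built from the names that appear in the post.
CHARITY_MERCHANTS = {"unicef", "red cross"}
PEOPLE_SEARCH_MERCHANTS = {
    "ussearch.com", "peoplefinders.com", "ancestry.com", "publicbackgrounds.com",
}
PROBE_MAX_AMOUNT = 1.00        # "$1 donations" used to see whether the card is live
WINDOW = timedelta(hours=24)   # assumed look-ahead after the first probe

# Constructed sample transactions: (card id, timestamp, merchant, amount).
SAMPLE_TXNS = [
    ("card-A", "2006-08-30 08:02", "Unicef", 1.00),
    ("card-A", "2006-08-30 08:04", "Red Cross", 1.00),
    ("card-A", "2006-08-30 09:10", "USSearch.com", 49.95),
    ("card-A", "2006-08-30 09:30", "Register.com", 35.00),
    ("card-B", "2006-08-30 12:00", "Unicef", 50.00),            # genuine-sized donation
    ("card-C", "2006-08-30 13:00", "Peoplefinders.com", 29.95),  # no probe beforehand
    ("card-D", "2006-08-30 14:00", "Red Cross", 1.00),          # probes with no follow-up yet
    ("card-D", "2006-08-30 14:01", "Unicef", 1.00),
]


def parse(txns):
    """Group raw tuples by card and sort each card's history by time."""
    out = defaultdict(list)
    for card, ts, merchant, amount in txns:
        out[card].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), merchant.lower(), amount))
    for card in out:
        out[card].sort()
    return out


def flag_card_testing(txns):
    """Return {card: details} for cards whose history shows micro-charge probes.

    A card is flagged when a probe is followed within WINDOW by a
    people-search/background-check charge, or when two or more probes
    appear on their own (the card is being tested even if the follow-up
    has not arrived yet).
    """
    flagged = {}
    for card, history in parse(txns).items():
        probes = [t for t in history
                  if t[1] in CHARITY_MERCHANTS and t[2] <= PROBE_MAX_AMOUNT]
        if not probes:
            continue
        first_probe = probes[0][0]
        followups = [t for t in history
                     if t[1] in PEOPLE_SEARCH_MERCHANTS
                     and first_probe < t[0] <= first_probe + WINDOW]
        if followups or len(probes) >= 2:
            flagged[card] = {
                "probes": len(probes),
                "people_search": [m for _, m, _ in followups],
            }
    return flagged


if __name__ == "__main__":
    for card, details in flag_card_testing(SAMPLE_TXNS).items():
        print(card, details)
```

Run as a script it prints the two flagged cards; the single $50 donation and the lone people-search purchase are left alone, which is the point of requiring either the follow-up or a repeated probe rather than alerting on every charity charge.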
Credit card and personal data for Misti Morris of Memphis also was posted into the online chat channel. Morris was contacted by washingtonpost.com nearly an hour before her bank called her to report a slew of new, suspicious charges. Among the fraudulent transactions made on the morning of Aug. 30 were $1 donations to Unicef and the Red Cross. Morris said her bank also told her about purchases made at USSearch.com and Register.com (the latter ostensibly to allow the thieves to register a new Web site that could be used in future fraud scams).
Morris said she buys "tons of stuff online," but did not know which site had failed to secure her data, which also was pasted into the fraud forum along with shipping information such as method of shipping and weight of a package she had ordered.
"I guess I look like a good person because my credit card was used to donate to all these charities, but now I'm going to look like a jerk because it's all going to be taken back," she said in a phone interview.
Bargain Shopping Gone Bad
These anecdotes were cut from the story for length reasons, but they're too good not to relate here:
Custom bones crafted from tennis balls were the only chewy toys Vicky Keslar's Golden Retriever couldn't destroy in short order, so on Sept. 10 the Crofton, Md., resident went online and bought a package of the hard-to-find bones from Phydeauxpets.com, the first site listed in the results of an online search for the item.
Three days after that purchase, a record bearing the exact date and time stamp of that transaction, her name, address, phone and debit card number was among several records from the store that showed up in a shadowy online chat room frequented by credit card and identity thieves.
When contacted by me after I saw the stolen data being traded online, Keslar and nearly a half dozen other victims reported having shopped at that same pet store at the times specified in their records.
Phydeauxpets.com owner Frank Papa of Carrboro, N.C., shut down the Web site on Sept. 15 pending an investigation of the data theft. Keslar didn't have any fraudulent charges against her debit card, but the thought of someone cleaning out her checking account right when all of her monthly bills come due prompted her to swear off shopping online with a debit card. Now, she uses a credit card with a $250 limit when she buys online. But she is still shopping around for another vendor of the scarce doggie bones.
"That will be the last time I shop there," she said. "But I'm still not sure where else I'm going to get them. They're hard to find without the squeaker, which makes the dog go nuts and tear the thing apart trying to find the noise inside."
Another group of credit-card records and transaction data posted into the online chat room led back to six individuals who all said they shopped at camera and computer bargain site Leobarnet.com at the same time as the time stamp attached to their records, transactions that spanned from Sept. 2 to Sept. 8.
Mihyun Chang of Northridge, Calif., learned that more than $1,600 in fraudulent charges were made on her credit card within days of shopping at Leobarnet.com. David Guo of Houston shopped there and soon after received a call from Discover about fraud on his account.
Both Chang and Guo found the site through price-comparison Web sites, and each said they bought from Leobarnet.com because the company advertised the lowest prices they could find. After placing orders at the site, both also received e-mails that they would have to wait an additional two weeks for the products to be shipped. Each canceled their orders, but by then the damage was done.
Pulaski, Va., resident David Doolittle said his son purchased an Apple laptop from Leobarnet.com in the early morning hours of Aug. 20. Over the span of the next few days, thieves tried to initiate nearly $2,000 worth of fraudulent charges to his MasterCard account. MasterCard declined all of the bogus charges, save one -- a $39.95 purchase at PublicBackgrounds.com. Doolittle didn't find out that MasterCard had cancelled his card due to fraud until he tried to check out of his hotel while on travel and was told that the card had been declined.
Doolittle said he advised his son Adam to research sites before buying from them, but acknowledges that Adam probably did not do his homework.
"I told him to go straight to the Apple store, but he said 'Dad, I can get it over [at Leobarnet.com] for $200 less,'" Doolittle said.
A software programmer by trade, Doolittle said he has worked on the Internet for 30 years and was growing increasingly dismayed at the state of software and Web site security. "I just can't believe where this has all progressed to."
Verification Code Abuse
One final note about the data kept by the online merchants mentioned in this piece: Three out of four stored CVV2 numbers in their databases. CVV2, or "Card Verification Value," is the three- or four-digit code printed on the back of all credit cards. These security codes were created by the credit issuers as a way to ensure that the person submitting a credit-card number is in fact the person holding the card. The payment card industry standards issued by all credit-card companies emphatically state that this code is to be used for verification purposes only and is under no circumstances supposed to be stored by online merchants.
As you might imagine, stolen credit-card records that also include this CVV2 number are far more valuable to data thieves, mainly because most sites these days require the entry of the codes before accepting an order.
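What "use it for verification only, never store it" looks like in a merchant's own checkout code is straightforward to show. The block below is an added illustration for this post, not the code of any merchant named here: the checkout payload, the stand-in for the payment gateway's authorization call, and the record layout are all constructed assumptions. It builds the database row from the checkout form by whitelisting fields (the verification code never gets a column, and the card number is reduced to its last four digits), and it includes a small audit that scans stored records for a verification-code field or a full card number in the clear, which is the check a merchant in the position of the three stores above would want to run against their existing tables.

```python
"""Keep CVV2 out of the order database, and audit stored rows for it.

Added illustration, not the code of any merchant named in the post. The
checkout payload, the fake gateway call and the record layout are
constructed assumptions.
"""
import re

# Fields a merchant legitimately needs after authorization (assumption).
# The verification code is deliberately absent: it is sent once to the
# gateway for authorization and then discarded.
PERSISTED_FIELDS = ("order_id", "name", "address", "pan_last4", "expiry", "auth_code")


def authorize(card_number, expiry, cvv2, amount):
    """Stand-in for the payment gateway call (assumption, not a real API).

    The gateway is the only party that should ever see cvv2. Returns an
    authorization code, or None if the request is malformed/declined.
    """
    if not re.fullmatch(r"\d{13,19}", card_number) or not re.fullmatch(r"\d{3,4}", cvv2):
        return None
    return f"AUTH-{card_number[-4:]}-{round(amount * 100)}"


def build_order_record(checkout, auth_code):
    """Build the row that goes to the database from the raw checkout form.

    Only whitelisted fields survive; the PAN is reduced to its last four
    digits, and the verification code is never copied across.
    """
    record = {
        "order_id": checkout["order_id"],
        "name": checkout["name"],
        "address": checkout["address"],
        "pan_last4": checkout["card_number"][-4:],
        "expiry": checkout["expiry"],
        "auth_code": auth_code,
    }
    assert set(record) == set(PERSISTED_FIELDS)
    return record


def process_checkout(checkout, amount):
    """Authorize with the gateway, then persist only what is allowed."""
    auth = authorize(checkout["card_number"], checkout["expiry"], checkout["cvv2"], amount)
    if auth is None:
        raise ValueError("authorization declined")
    return build_order_record(checkout, auth)


# Column names a verification code tends to hide under (assumed list).
CVV_KEYS = re.compile(r"(cvv2?|cvc|cid|security_code|card_code)", re.I)
PAN_VALUE = re.compile(r"^\d{13,19}$")


def audit_record(record):
    """Return findings for one stored record: any verification-code field, or a
    full card number in the clear, is a violation of the rule in the post."""
    findings = []
    for key, value in record.items():
        if CVV_KEYS.search(key):
            findings.append(f"verification code stored in field {key!r}")
        if isinstance(value, str) and PAN_VALUE.match(value):
            findings.append(f"full card number in the clear in field {key!r}")
    return findings


# Constructed checkout form; the card number is a well-known test PAN.
SAMPLE_CHECKOUT = {
    "order_id": "1001", "name": "J. Doe", "address": "1 Main St",
    "card_number": "4111111111111111", "expiry": "12/08", "cvv2": "123",
}
# A row shaped the way the merchants in the post stored theirs (constructed):
# the whole form was dumped into the table, verification code included.
BAD_RECORD = {**SAMPLE_CHECKOUT, "auth_code": "AUTH-1111-1999"}


if __name__ == "__main__":
    good = process_checkout(SAMPLE_CHECKOUT, 19.99)
    print("stored:", good, "findings:", audit_record(good))
    print("legacy row findings:", audit_record(BAD_RECORD))
```

The audit is deliberately schema-agnostic: it looks at column names and value shapes rather than a fixed layout, so it can be pointed at a dump of whatever table a shopping cart package happens to create.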
Update, Sept. 29, 10:30 a.m.: Kevin Liston, an incident handler for the SANS Internet Storm Center, today wrote about his experience with a friend of his who recently had their checking account drained. Liston writes: "....They also used funds in this account to purchase background checks at certain people-search/information-broker companies. Most likely this is an attempt to gather further identities in a way that won't tip-off the broker." Nice to know I'm not the only one seeing this out there.
By Brian Krebs |
September 28, 2006; 7:55 AM ET
Fraud
Posted by: Tim B | September 28, 2006 9:15 AM
Some brick and mortar retailers are taking the CVV2 codes and inputting them into their computer systems when handed the card: Office Depot for instance.
Even though the card was swiped in their presence, the employees are told to enter the CVV2 code into the system. That seems an unnecessary risk.
Why do they do this?
Posted by: Concerned | September 28, 2006 9:32 AM
Because the CV2 verification is not yet mandatory. We need federal regulation on how transactions are carried out, how they are authenticated and who is responsible for the losses. The consumers have protection, but the small businesses do not. All the while the payment processors are profiting off of every fraudulent charge.
Every time someone uses a stolen credit card, the payment processing company makes double the amount they make on an authentic purchase. And they are in charge of security.
Most people don't even know what a payment processor is, what they do, or how they need regulation. The subject is too confusing for most people, so they will just have to get used to the crime and find new ways to cover the same story.
Posted by: CV2Now.com (non-profit,free site) | September 28, 2006 10:16 AM
AT&T Mastercard has an online program for creating virtual card numbers. As soon as the charges come through on these numbers you can close them out. The expiration date is always the next month on the calendar and the CVV number is always different as is the credit card number itself. Discover also has this feature, but I can't get it to work with Firefox. It always says it can't find an open browser. I wish Discover would fix this so I can use both, but the AT&T one works fine with IE and Firefox and I use it for ALL online purchases.
Rich B.
Posted by: Rich B. | September 28, 2006 10:41 AM
To CV2Now.com
Yes, but by violating the rules and storing CVV2 codes, a hacked business increases its culpability and could bear more of the damages than the card issuer or their insurance carrier (who might use that action to deny part of the claim)
Posted by: OhioMC | September 28, 2006 10:42 AM
I've been very wary of small online merchants ever since I discovered one that was using a shopping cart application that was running on secure server and thus 'looked safe' to customers, but that emailed the order, complete with credit card info, to the merchant in plain text. They had configured it that way without a clue as to why this could be a problem.
Posted by: Michia | September 28, 2006 11:14 AM
identity theft as we know is the fastest growing crime and people need to know how to protect themselves and have a restoration system in place. As a certified identity theft risk management specialist I can tell you that most companies are not complying with the variety of legislations past to protect consumers. I have had Identity theft shield for 3 years had my identity compromised twice and Kroll Risk management takes care of the entire restoration process. to see how this works visit www.prepaidlegal.com/hub/thalligan your peace of mind will reach new heights
Posted by: Timmer Halligan | September 28, 2006 11:39 AM
Out of curiosity; does anyone know of a site that lists sites known to have been hacked &/or sites known to be completely secure? If I make purchases online, they're only from larger companies with great reputations, but this could be useful none-the-less. Thanks.
Posted by: J | September 28, 2006 11:54 AM
If the small merchants were using a payment page and/or a payment gateway and not storing the credit card information, THEY wouldn't be putting THEIR customers at risk. Someone blamed the processors, but it the MERCHANT'S responsibility to conduct business on the net properly.
Posted by: Lenny | September 28, 2006 12:05 PM
Thank you for writing an enlightening article on security holes. At this time I am building an e-commerce website for my wife's business. I already use a database that allows triggers and procedures so that I can encode data on the fly. We pay the extra for a secured site. I would have made one mistake though; requiring that CVV2 code. I'll not include it in the database and will verify the orders with a phone call, possibly automated, that asks the purchaser to supply that number vocally or with phone buttons.
Posted by: Phil | September 28, 2006 12:24 PM
This is frightening. Are there any other suggestions beyond those posted by Timmer Halligan, the blogger and others that might help some of the rest of us vulnerable dummies? Thank all of you.
Posted by: Ev | September 28, 2006 12:34 PM
Ev: Timmer Halligan is what is known as a shill, doing a little marketing, poorly. There's no shortage of resources on preventing identity theft, but common sense is always your first line of defense - looking for small signs like the man offering to watch your back not being able to spell "passed". It's hard for shoppers not to ignore seemingly trivial signs that something isn't right, especially when staring at a huge bargain - but this is where you have to start.
Posted by: Nice | September 28, 2006 12:58 PM
Citibank has a service for their credit card holders whereby they issue you a virtual credit card number that is set to expire at the end of the following month and can only be used at a single merchant. Hackers can't get my real credit card number. They can get my name and address, but that is in the phone book anyway.
Posted by: Jerry | September 28, 2006 1:30 PM
It should be made clear that a huge percentage of these online security breaches are because of some kind of negligence or ignorance on the part of the seller, whether by not patching an application or by leaving some default account password in place. If the merchants took the time and effort to do a better job then id theft could be minimized.
It would be nice to see some legislation at the federal level to hold these companies responsible for their criminal negligence. They know that their systems are vulnerable and they're too pig headed to correct the problem. In some cases these companies are being misled by these "smoke and mirror" online sites that offer an image on a homepage. Such statements as "hacker safe" are as misleading as snake oil for hair restoration.
Posted by: Brian | September 28, 2006 1:54 PM
I work for a web hosting company in DC and we get fake orders all the time. The problem? The banks *do not care*. We have tried to call the issuing banks (we ask for the name and the phone number as an extra step) and the banks will not talk to us because we are not the card holder.
If we weren't a MOTO - that means "Mail Order / Telephone Order" and means that the card isn't present as it is in a store - then we would be able to call up and use the "code 10". That's where a merchant calls the bank and, because the fraudster is there, they're asked a series of questions (with yes/no answers so as to not arouse the fraudster's suspicion). If it is deemed fraudulent then the card is flagged and the purchase rejected.
As an online merchant though, we can't do that. No one, not the FBI, the police, or the issuing bank will accept a call from an online merchant about the card data having been stolen and being misused. Which is a real pity because we get many fraudulent orders with full details and we can't tell anyone. You'd think, given the fuss about ID theft that there would be a phone number that you could call and say "someone just placed an order using card number X, first name, last name etc ... oh and we think it's fraudulent because they claim they live in Florida, but they connected from a computer in Romania"...
You'd think that would be a bit of a giveaway really, but apparently it's not enough.
Incidentally as Lenny alluded to, merchants do stupid things. Just because a site uses HTTP/SSL on the front end doesn't mean that they don't do cool things like e-mail the CC info to themselves in plain text without any PGP encryption.
As for J's request for a list of "secure sites" and "hacked sites". No such thing mate. You won't get a list of hacked sites out of anyone because ... it would result in you being sued into obscurity by the named companies and is likely a good basis for getting yourself arrested as well because you're saying that this one web site can be compromised, which means someone can/did compromise it and therefore all the other script kiddies will try and break in too.
Effectively it could be argued that you're enticing people to commit a crime, rather than alerting the public like a good citizen. And like it or not reporting security flaws is a touchy area because the laws are not up to date, and those that exist defined it in terms of the real world and not in terms of computer networks. For example port scanning isn't illegal, nor is repeatedly trying to login as a user. It's only if you do gain access that you've "technically" trespassed and even then it's hard to prove. If you add into that the fact that in order to prove that there is a flaw you have to exploit it (and thus commit a crime) .. you're looking at problems.
Likewise you won't get a list of "secure sites" published, because there is no such thing. The server on which a web site is hosted is only secure to a point. It might not have any way into it at the moment, but that's only because someone hasn't found a way. A fully patched Windows box would have been considered "secure" a month ago, but as of two weeks ago the VML exploit in IE would class it as insecure. (Or in OpenSSL if you use Apache/OpenSSL for your HTTPS web server).
Likewise just because the server uses encrypted connections or encrypted data doesn't mean it is secure. For example the DES algorithm was used to encrypt most passwords and it was considered highly secure. Now people laugh at using it (search for "john the ripper"). Similarly MD5 algorithms are now commonly considered insecure due to the large work performed by researchers into optimizing routines and techniques for cracking them. (Search for the terms "rainbow tables" and "md5 collisions"). I should note that researchers find flaws in order to make things more secure, not just for the sheer hell of it.
"Secure" is merely a way to indicate that accessing the desired data (be it breaking the encryption, or gaining access to the box) takes so long that the data becomes useless. To a security expert (which I'm not) "secure" doesn't mean are they using HTTP/SSL. It encompasses every aspect of the server, the operating system, the network, the hardware, the people (social engineering is a great way to get information - you've seen Law and Order) the physical security of the box... For example a real security audit might involve things like "Did you know that the data center in which your server is hosted has a raised floor (to allow the cold air to circulate) and that even though your server is in a caged rack, you can just lift up the floor tiles, crawl under the floor and into the cage to gain physical access to the server and walk off with the hard drives?"
That's why you won't see such a list.
Sorry.
Posted by: Colin | September 28, 2006 2:09 PM
It's not all MS's fault, I work for a hosting company with Linux web servers. We are very close to banning all PHP apps, as it seems that not one PHP developer has ever thought of sanitizing their variable input. Most of them insist on allowing global variables, and implementing file upload. Any server is vulnerable when you have lazy developers writing apps.
Posted by: wrb | September 28, 2006 2:13 PM
Depending on the small business, I have them use paypal as the credit card "merchant". Since Paypal also accepts credit cards without requiring the customer to have an account, it removes a lot of the security risks because Paypal has the credit card data, not the small business.
Barring that, the old tried and true method of having a secure server PGP encrypt and E-mail does wonders, especially if the PGP encrypted mail is decrypted offline.
Posted by: I've had good luck with two solutions for small businesses | September 28, 2006 2:13 PM
Yikes, it is losers like Phil (see post above) that give online commerce a bad name. NO ONE should be able to set up a website that accepts electronic payment without having that site reviewed by an approved authority and certified for use (with frequent and ongoing inspection while that site is in service). Will this make it more difficult and costly to set up an e-commerce website? Absolutely! But that is the way it must be in order to guarantee consumer financial data is kept secure.
Posted by: TooEasy | September 28, 2006 2:15 PM
In response to Ev: a short answer is to avoid using payment methods that require you to provide an online merchant with your personal information. There are payment processors that can process online purchase requests securely and that don't require you to give personal details to people that don't need it. But, usually, the more secure payment methods are more complex and many people (customers and merchants included) don't think the benefits outweigh the costs - people have demonstrated that they would rather use a simple payment method and give a merchant their Social Security Number than use a complex method that is more secure. Thus the short answer is insufficient.
The long answer is, well, long. It involves making customers and merchants aware of the issues and risks involved in online commerce so that they see the benefits of more secure systems. It involves making the secure systems easier to use. It involves providing all concerned parties with an incentive to adopt more secure systems. Others can better explain it. I'd suggest that someone with better writing and teaching skills than I (maybe someone at the Washington Post?) provide a more in-depth survey of the details of online commerce and include such information as how an electronic transaction is different from a cash purchase at a store and why personal information is required for part of the online purchase process and who should have access to that information and how personal information can, when it needs to be, be transmitted securely and what is public key encryption and how it can be used as part online payments to minimize the spread of sensitive personal information and ... (the list goes on).
Posted by: Jeff | September 28, 2006 2:16 PM
Were there any common denominators in the server environment such as OS? Database used? development language(s)? shopping cart software?
What did I miss that might be helpful to a merchant or hosting provider in avoiding known problems?
Posted by: CraigB | September 28, 2006 2:20 PM
Such good articles are highly appreciated. I hope for more of those.
Information is critical here, indeed.
The problem is not what the bank ( vendor ) covers during a fraudulent ePurchase it's how much an Identity theft costs if carried fully out by fraudsters, and they have done to 9+ !! mln Americans.
We simply don't know if there is some "Boris" collecting in the opposite end . Then it's of less interest whatever protection bragged by vendor and associates. It might be a bogus protection, bogus merchandise and bogus credit card authorization.
The only true thing might be Boris, wiretap, spywares and ruin.
Each webshop ought to more use current solutions to increase sales as a safe eShopper buys more and repeatedly. The concerned one browses the webshop and abandons cart (57%) for so called cross-border purchases ( online search / offline buy ).
www.clickz.com/stats/sectors/retailing/article.php/3430671
Some stats, maybe somewhat old, nevertheless saying a lot to savvy eMerchants:
QUOTE
The Q3 2004 "E-Commerce Site Trend Report" from DoubleClick reports online shoppers look at 33.8 percent more pages (10.3 pages in 2004, vs.7.7 in 2003) this year than last. While they may be looking at more, they're spending a bit less time on commerce sites (0.5 minutes, a 10 percent decline), averaging only 4.4 minutes per session. This decline represents a 14 second (32.6 percent) decline in time spent per individual page, from 43 seconds last year to 29 seconds in 2004. One potential reason for the drop, according to the report, is the increase in broadband users, which has risen to over half the U.S. online population.
Cart abandonment continues to be a problem for online retailers though it appears to be leveling off. In Q3 2004, 57 percent of shoppers abandoned carts without purchasing, a 7 percent increase over the same period last year. From a lost revenue perspective, cart abandonment grew 7.9 percent this calendar year. This translates into $4.10 left in abandoned carts for every dollar actually spent on an e-commerce transaction. That figure is on the way down from a Q4 2003 high of $6.30. Users who returned to abandoned carts represented 26 percent of all sales, which DoubleClick notes is a decline from Q2 2003, when it was 36 percent.
Conversions rates and average order value have increased in the last year. A total of 4.9 percent of e-commerce visits now result in a conversion, which is an increase of 14 percent over last year. The average online order value increased by 15 percent over last year and now stands at $134.01.
The results of the report were compiled using data based on "hundreds of millions of unique visitors, tens of millions of online shopping carts and over $1 billion in total e-commerce sales."
UNQUOTE
Sean Michael Kerner is a contributing editor at sister site internetnews.com, where this story originally appeared.
-----------
Q: Why 57%?
A: Moment of Truth. It's safer to leave away merchandise in an abandoned cart than to leave away Identity by abandoning it to Boris.
I would, myself, never ever give away my 16 digits Identity to any potential Boris. Better is to give him a few of the digits as these are of no commercial value to him. When I'm forced to shop online I cut my card within 30 secs thereafter requiring a new card or if possible I prefer going Offline with my printed specification.
Posted by: William Palmborg, SecuraCharge.com | September 28, 2006 2:44 PM
Everyone seems to be focused only on one area - on line transactions! My credit card was compromised when a vendors system was hacked, including the server where they stored customer information. And don't sell on line at all!
Think of your department store when you swipe your credit card. Some stores are (maybe illegally) storing your card data and have a profile on you. Most major credit card suppliers prohibit stores from storing credit card information from their point of sales (cashier), but trust me it happens.
So the issue is not only securing web sites, but getting merchants of all types to get smart and protect all client data on their internal networks! It can be done, but there is no motivation as long as the banks absorb the cost (that's why we are paying 18-28% interest on our credit cards). The consumer always pays, one way or the other, especially as neither the bank nor the store is losing money over this. Each fraudulent transaction is still profit for the bank as they calculate this in their cost of doing business and pass it on to us!
Great way to generate business!
Posted by: Chris | September 28, 2006 5:15 PM
Several approaches come to mind:
1) Make merchants financially liable for ALL losses due to identity theft traceable to their mishandling of data. The sole defense is that they had state of the art software in place and up to date.
2) Close down these chat rooms as fast as they are opened. ICANN should have monitoring of these and other types of chats/sites (kiddie porn comes to mind) and the IP addresses for them should be ended immediately upon their detection. If the crooks can find it, so can ICANN.
3) Make data encryption mandatory all the way into the data base. Only the backend software (Customer Service, shipping, payables, receivables, etc.) should be able to see the data in true form and they should be segregated from the Internet.
It's time business paid the price for its ineptitude. We can't be 100% safe, we never were, but they need to start being required to take responsibility for their use of our data and when they screw up, fix it and pay for it.
Posted by: Ray | September 28, 2006 5:20 PM
It's worth noting that the term "identity theft" is a contradiction in terms. Identity is, by nature, that which cannot be stolen.
A better term is "identity fraud". Unfortunately, "identity theft" has pretty much taken over.
Posted by: antibozo | September 28, 2006 5:35 PM
Thanks for the articles. I am not as knowledgeable as the above posters but it will make me think twice about handing out credit card information to a small business on the Internet.
Also I like the idea of using paypal since the seller then does not have access to my credit card information. While I realize Paypal is probably not 100 percent foolproof it is better than nothing.
Posted by: bc | September 28, 2006 5:55 PM
Regarding the comment about PHP applications by Collin;
I am a developer who has been working on PHP for many years, and I, like most professionals, know of the security hole on the REGISTER GLOBALS issue, which by the way, has been out now for two years +.
Now here is the WHOLE story regarding this problem and how it is a three-way dance between clients, hosting companies and developers. First some facts you failed to mention and that you need to consider:
A) The infamous REGISTER GLOBALS issue was a problem for PHP 4.03 and below. PHP 5 has been out for nearly two years.
B) PHP 4.03 and below can be easily and quickly patched for this problem. It is up to the developers to fix the problem from the other end. (the code)
Ok, now for the "dance":
1) I always tell my clients I refuse to work on SHARED SERVERS which in my experience account for a great deal of hacking and cross-site scripting. YET, the clients often choose to buy CHEAP SHARED HOSTING against the advice of their developers. I often get shocked when I see a prospect client willing to spend $3000 to $5000 on a shopping site, but then wants to save $10 a month buying a cheap server.
2) Hosting companies REFUSE to update to PHP 5... Why? Because in almost ALL CASES of shared hosting (and many Virtual Servers) the clients on one machine are sharing a single PHP resource, and the hosting company knows the moment they update to PHP 5 most of their clients' applications will break, thus creating a tech support nightmare, creating a chance for massive client exodus, and more importantly, making them liable for loss of sales AND potentially LOSING many clients themselves. In other words: MONEY. Don't kid yourself.
3) Web developers vs Money Mills: I can't tell you HOW MANY times I have lost a gig to some 3rd class pseudo-coder who is doing nothing more than downloading Open Source applications and installing them "AS IS", then maybe making a template....Voila!!....Give me money...So rather than hiring professionals with a track record they hire the "cheapest" coder they can find...And as the old saying goes: "You get what you pay for"
4) Clients that do not listen: Web designers and car mechanics have one thing in common: We do stuff clients have not a clue about and they always think you are trying to milk them for more money. Case in point (and a perfect one for this argument): I have a client that has been running a shopping site on PHP that I know FOR A FACT is not patched for the REGISTER GLOBALS problem: the shop was created a few years BEFORE the register globals issue surfaced, so I created the site according to the security advisories available at the time. After the issue surfaced I contacted her, told her about the problem and that she needed to have the site patched, which would cost some money. What did she do? Refuse to do it over and over for the last two years. Even after I sent her multiple emails with links to articles about the problem (so she would believe me) she still would not do it. Why?...She thought I was trying to get more money from her. Eventually, and afraid for my own liability, I forced her to sign a waiver acknowledging that she refuses to patch her register globals. Clients, especially small ones, still live under the bizarre assumption that web development today is like back in 1993: Should be cheap, easy and fast.
5) The "AOL effect": This refers to the situation that happens when a MARKETING GAG created by a company for non-technical people (the client) BECOMES what that client thinks is the standard. Explanation: A client is going to pay me to develop a shopping site BUT he or she finds a hosting company that already OFFERS a shopping system (or another application) as part of their hosting package, NOT BEING AWARE that what the hosting company is offering is in reality a FREE APPLICATION that anyone can get and use. They pre-package all these free Open Source applications in HOSTING PACKAGES to make the client think he/she is getting a great deal. The problem arrives when the client uses these applications NOT BEING AWARE of any security problems and assuming the hosting company is taking care of this, but in MOST CASES they do not, relying mostly on the good old and always helpful "Read the small print" gimmick that gets them off the hook if a hacker happens to break in. That is why I refuse to work with PREINSTALLED APPLICATIONS. What does this mean to me?...Remember what I said above about the client always thinking you are trying to milk them for extra money?..Well, most prospect clients think the DEVELOPER is doing this, and they go with the hosting company solution.
Now, there are plenty of good hosting companies, good developers and clients who are willing to listen, learn and do things right from the start, but there are as well many of the opposite, and those unfortunately are the culprits.
I say all this so non-tech people reading this article/posts and considering hiring a developer keep these issues in mind. I also mention this because such broad statements (basically, all PHP applications are bad) are irresponsible: There is no such thing as a BAD application. There are, however, bad developers, greedy hosting companies and painfully distrustful clients, and the combination of all three creates the problem.
Laters
Posted by: Kannary | September 28, 2006 6:42 PM
The main problem with PHP is not that all PHP applications are bad; it's that the barrier to entry for PHP coders is so low that many complete bozos end up writing PHP applications. And some of the most popular PHP applications seem to have perpetual security problems--it's a running gag for me and my colleagues whether there will be a new vulnerability in phpBB this week, for example (there usually is).
There are design problems with PHP that are only now beginning to be cleared up. register_globals should never have existed; it fosters sloppy coding in the first place. More subversive are things like magic_quotes and allow_url_fopen. allow_url_fopen, in particular, has been responsible for more defacements than anyone can count, and having it on by default was pathologically stupid of the PHP designers.
A similar low-barrier problem exists with ASP, although at least with .Net the bar seems to have been raised somewhat.
Posted by: antibozo | September 29, 2006 12:10 AM
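As an added illustration of the register_globals problem that both Kannary's and antibozo's posts describe (example code written for this page, not from either commenter or from any named project): the first function shows the pattern that breaks when register_globals is on, the second the hardened form, and the last reports the three ini settings antibozo names. The names `$authorized`, `lookup_session` and `legacy_settings_report` and the session table are hypothetical.

```php
<?php
// Added example for this page; all names and the session table are constructed.

// Constructed session table standing in for a real session store.
function lookup_session($id) {
    $sessions = array('s3ss10n-abc' => 'alice');
    return isset($sessions[$id]) ? $sessions[$id] : null;
}

// Vulnerable pattern. extract() emulates register_globals=On, under which every
// request parameter becomes a PHP variable before this code runs. Because
// $authorized is never initialised, a request that merely carries an
// "authorized" parameter fills it in and the session check is skipped.
function legacy_is_authorized(array $request_vars, array $cookies) {
    extract($request_vars);                    // what register_globals did implicitly
    if (isset($cookies['session']) && lookup_session($cookies['session']) !== null) {
        $authorized = true;
    }
    return !empty($authorized);                // true if the request set it
}

// Hardened form: initialise every decision variable and derive it only from
// trusted state; request parameters are never consulted for authorization.
function is_authorized(array $cookies) {
    $authorized = false;
    if (isset($cookies['session'])) {
        $authorized = lookup_session($cookies['session']) !== null;
    }
    return $authorized;
}

// Report the three settings antibozo names; each should read Off. ini_get()
// returns false for directives this PHP build no longer knows (register_globals
// and magic_quotes_gpc were removed in PHP 5.4), which is also reported as Off.
function legacy_settings_report() {
    $report = array();
    foreach (array('register_globals', 'magic_quotes_gpc', 'allow_url_fopen') as $name) {
        $value = ini_get($name);
        $report[$name] = ($value === false || $value === '' || $value === '0') ? 'Off' : 'On';
    }
    return $report;
}

// Constructed request with no valid session but an "authorized" parameter.
$request = array('authorized' => '1');
var_dump(legacy_is_authorized($request, array()));   // bool(true): guard bypassed
var_dump(is_authorized(array()));                    // bool(false)
var_dump(is_authorized(array('session' => 's3ss10n-abc'))); // bool(true)
print_r(legacy_settings_report());
```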
Phil> At this time I am building an e-commerce website for my wife's business. I already use a database that allows triggers and procedures so that I can encode data on the fly.
Phil, your application *will* have serious security vulnerabilities, like practically every RDBMS-based web application written by anyone other than a very, very experienced developer. Do yourself a favor and either use something tried and true, or hire a security consultant to review your project as soon as possible--because you will need to make architectural changes, and the sooner you do so the better--and again before you go into production.
Posted by: antibozo | September 29, 2006 12:45 AM
bc says above:
Thanks for the articles. I am not as knowledgeable as the above posters but it will make me think twice about handing out credit card information to a small business on the Internet.
Also I like the idea of using paypal since the seller then does not have access to my credit card information. While I realize Paypal is probably not 100 percent foolproof it is better than nothing.
------
Don't forget to keep vigilance in the offline world. Check if your CC receipt has your number printed on it (most places have only the last four digits). And don't just hand waiters your credit card if they need to go somewhere you can't see to run your card.
Posted by: tallbear | September 29, 2006 11:23 AM
What a bunch of hooey! The crooks must love discussions like this. The front door is wide open and we're talking about securing the windows.
Think about that for a minute. Seriously, think about it: The front door is wide open and we're talking about securing the windows.
The logical conclusion that everyone misses is the fact that if there is a security problem in any step of the process, the whole system is flawed and vulnerable.
Right now, someone reading this is having their card stolen and used to purchase goods. It is done because the processing companies make huge amounts of money from these types of crimes and therefore have no reason to secure the transactions.
So the crime will continue in many forms with us (the public) running around in circles pointing fingers.
POS (point of sale) is where this is all happening. If advanced authentication was used 75% of all the credit card fraud in this country would end overnight, period.
If payment-processing companies would take some responsibility for the transactions they post, that would take care of the other 20%.
The final 5% will never be stopped.
Wake up, folks: let's focus on the 500 pound gorilla in the room.
It is companies like Direct Merchants who are the biggest threat to credit card security. They profit every time a stolen card is used. In fact their profits are more than double on every single illegitimate transaction. They are not responsible for any of the losses, and they are the last line of defense when it comes to transaction security, and right now it is so easy to hack you can consider the front door wide open.
That doesn't seem to bother most people, but maybe this is a more enlightened group of people, I don't know. I am doing the best I can to let people know about it because it is our money here and the crooks have EASY ACCESS TO IT!!!!!
P.S. The credit card companies will ignore the issue unless you directly ask them about it; then they will say that I am right.
Posted by: CV2Now.com (non-profit,free site) | October 1, 2006 9:10 AM
Hmmm, time to start using cash for all my transactions.
I've had my cc number stolen twice and I hardly ever buy anything online.
Posted by: ct | October 2, 2006 5:01 PM
If all the SHARED SERVERS and SHARED HOSTING were so easy to hack or deface, don't you think script kiddies would rule the internet?
Just because you pay more for a shared server or dedicated server, does not make it any more secure.
What I would like to know is what are the key points to look out for and secure when shopping for a shared server?
1. Don't use Windows as a webserver unless you have to.
2. Limit file permissions to what is needed.
3. Remove extra features you don't need like bulletin boards etc.
4. Check if the server is up to date with all relevant server patches.
Anything else?
People looking to set up an ecommerce site need education about these things.
Where can they learn more about ecommerce and web server security?
Posted by: Sam | October 8, 2006 7:41 PM
Speaking of online transaction security, though there are new technologies emerging, the hackers are ready with another new concept to steal the information. Also, it is we, the internet users, who should be careful and should check if the site is secure or not with the proper terms and security policies to ensure that we are safe from hackers.
Thanks,
Yuvaraj
http://yuvi-internetsecurity.blogspot.com/
Posted by: Yuvaraj | October 10, 2006 4:05 AM
The comments to this entry are closed.
Great article. It makes me wonder why the idea of one time use credit card numbers hasn't caught on for online shopping. Oh, and that CVV number is increasingly useless.