Practical eCommerce


How To Steal Credit Card Numbers

First, locate a list of vulnerable computer codes

By: Kerry Murdock
Comments: 4

At SecurityFocus.com, Internet programmers can post the details of various software bugs to assist other professionals. These bugs could affect shopping carts, payment gateways, Unix code and more. The helpful programmers always supply, by name, the software manufacturer and the name of the program.

"Credit card thieves continually monitor sites like SecurityFocus.com," says Dan Clements, CEO of CardCops.com, a Los Angeles-based security firm that consults with banks and other firms on credit-card fraud. "Once a programmer posts a vulnerable piece of software there, the hackers add it to their scanning programs and then search for ecommerce sites that use the flawed software."

For example, say a programmer discovers XYZ Shopping Cart contains code that is vulnerable to hackers. He might post that code onto a site like SecurityFocus.com. A thief could then copy that code, add it to his scanning program and search the Internet for sites that use XYZ Shopping Cart. Having located those ecommerce sites, the thief can then run his scanning program containing a list of flawed code (called, technically, a SQL Injection List) against the sites' servers to detect if a particular line of code is in use. If it is, the thief can frequently penetrate the server and steal customers' names, credit-card numbers, billing addresses and so forth.

"Once they've found a vulnerable site," says Clements, "the hackers will mine it day after day. The ecommerce owners don't know their websites are exposed. We've seen consumers of such sites cancel and reissue credit cards multiple times, not knowing which site is causing the problem."

According to Clements, the list of major ecommerce software providers that have had, at one time or another, vulnerable programming code is long and prominent. "I can tell you prominent ecommerce-related companies that have had flawed code," says Clements. "When it happens, the programming flaws usually pop up on sites like SecurityFocus.com."

The lists of flawed computer code used by hackers can contain thousands of entries. "These lists float around the Internet," says Clements. "They aren't really that hard to find."

Clements emphasizes that ecommerce sites are really a collection of different pieces of software. There's the HTML for the site itself and various programming languages such as PHP and JavaScript. There's shopping-cart software, credit-card payment gateways, server software such as Unix and Linux, forum software, newsletter software, order forms and so on.

"Each piece of software is a potential vulnerability," says Clements. "But the good news is that software providers, including hosting companies, will usually fix a flaw immediately. So the hackers typically have just a couple of weeks to exploit it before it's corrected."


So, how do operators of ecommerce sites protect themselves from unwittingly using flawed software?

"The key is to keep the latest, most up-to-date version of each and every piece of software," says Clements. "That's the best way for ecommerce owners to protect their customers' data."


Published on Saturday, July 01, 2006

Comments:

I don't see a compelling reason to store credit card information in your actual online store. If your script is tied in with your payment gateway to authorize and capture funds, you don't need to store their credit card info yourself. It opens you up to all kinds of security and legal issues.

Posted by: Emm
Tuesday, March 13, 2007

We, at Down Home Living Products & Gifts do not require our members to register, nor do we even keep credit card information. Our customers pay by check or money order by mail, or PayPal on-line. So, if their information is in fact compromised on-line, that would need to be taken up with PayPal. Our site is secure, but in this day and age, is anything really secure? The most secure thing you can do is NOT keep that kind of personal information about your customers. That is the security we offer OUR customers.

Posted by: Kevin
Tuesday, March 13, 2007

Storing credit card numbers is illegal, as it violates the policy of protection of customer personal information.

Posted by: Storing Credit Card number is illegal
Friday, March 30, 2007

Storing numbers is not illegal per se, and many popular ecommerce sites, such as Amazon.com, do it. However, there's no reason to store any credit card information since authorizations are done via your payment gateway. And as for SQL-injection attacks, there are a number of techniques you can use to prevent such assaults (be sure to escape any variables passed through the URL or use mod-rewriting to make SQL injection much harder). Also, make sure you keep your SSL certificate up to date! :)

Posted by: Eric
Friday, May 11, 2007
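
As an added example (not part of the article or of the comments above), the following shows an order lookup built by string concatenation beside the same lookup with bound parameters, on a table that keeps only a payment-gateway token and no card number. The table, column and function names are hypothetical, the sample rows and the crafted input are constructed, and bound parameters are used here in place of the escaping mentioned in the last comment.

```python
import sqlite3


def make_db():
    """Constructed sample store: orders hold a gateway token, never a card number."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders ("
        "id INTEGER PRIMARY KEY, email TEXT, gateway_token TEXT)"
    )
    db.executemany(
        "INSERT INTO orders (email, gateway_token) VALUES (?, ?)",
        [
            ("alice@example.com", "tok_constructed_1"),
            ("bob@example.com", "tok_constructed_2"),
        ],
    )
    return db


def lookup_unsafe(db, email):
    # Flawed pattern: the request value becomes part of the SQL text,
    # so a quote character in it changes the structure of the query.
    sql = "SELECT id, email FROM orders WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, email):
    # Corrected pattern: the value is bound as data and is never parsed as SQL.
    return db.execute(
        "SELECT id, email FROM orders WHERE email = ?", (email,)
    ).fetchall()


# Constructed input of the kind a scanner would submit in a URL parameter.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe, crafted input:", lookup_unsafe(db, CRAFTED))
    print("safe, crafted input:  ", lookup_safe(db, CRAFTED))
    print("safe, normal input:   ", lookup_safe(db, "alice@example.com"))
```

With the concatenated query the crafted value returns every order row; with the bound parameter it matches nothing, and even a flaw elsewhere would expose only tokens that are useless outside the gateway.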


Copyright 2007 Confluence Distribution, Inc. and Practical eCommerce.
All Rights Reserved.
