30 days of Ecommerce Testing: Day 22 - Securing E-commerce data

“What are methods of securing ecommerce data? Discuss and share!”

I found a nice tutorial style article on e-commerce security, which is part of a larger tutorial on e-commerce that looks worth going through.

The article goes into some nice detail about what constitutes security, but the question was about methods, which include encryption (fairly obvious, I would hope), digital signatures and security certificates. The site also mentions three internet protocols. We are all familiar with https, but I was not familiar with shttp. There were a few question/answer sites with discussions about the difference:

The tutorial also talks about SET (Secure Electronic Transaction) which is a set of protocols that came as a collaboration between Mastercard, Visa, Microsoft, and Netscape. A pretty thorough reference can be found here, but the basic components include a digital wallet, the merchant software, the payment gateway software and the certificate authority software.

There are obviously whole careers surrounding this area of e-commerce, so this post is barely scratching the surface.

-Dave K

2 Likes

I’m going to take some tweets for this one; I didn’t quite get to it myself :disappointed:

After going through both my company’s internal documents and the links that you’ve shared (thanks, everyone), the most vulnerable elements seem to be, in descending(ish) order:
the user -> other users -> data storing -> transmission
(thus the social engineering Trojans reign: https://bit.ly/2s7URLe, p.4)

Which would mean that the steps needed to keep e-commerce data secure (that a tester can lay his hands on) are:

  • minimum authorization - a user can access only what he must / has a strict permission to. From the user list of a buyer company to a customer list for the e-commerce itself. A LOT of threats (data leaks, inadvertent/malicious data breaches and more) come from insiders: https://bit.ly/2s7DCJM. Especially privileged ones, like managers.
  • safe authentication - enforce strong passwords, encourage 2-step validation, the system should give no info about the existence of a login (safe UI messages).
  • minimal data gathering - only what the app really needs from the user - not for the future analytics. And definitely not credit card info.
  • encryption - all the sensitive data should be encrypted with something that’s not deprecated.
  • routing ALL traffic via HTTPS - along with an SSL certificate that must be there and be valid; for larger companies - it should be a certificate with a name, not just “Secure”, to confirm the unique identity of the site and mitigate the risk of fake site redirects (which can then at most buy the “Secure” certificate)
2 Likes
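The "safe authentication" point above (strong passwords, and login responses that give no hint whether an account exists) is the kind of thing a tester can check directly. The following is an added example, not code from anyone in this thread: a small login routine that stores salted PBKDF2 hashes with the standard library, rejects weak passwords at registration, and returns the same error message and does the same amount of hashing work whether the username is unknown or the password is wrong. The user store, the password policy thresholds and the constant `GENERIC_LOGIN_ERROR` are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed policy values for the example; tune to your own requirements.
PBKDF2_ITERATIONS = 600_000          # work factor for PBKDF2-HMAC-SHA256
MIN_PASSWORD_LENGTH = 12
GENERIC_LOGIN_ERROR = "Invalid username or password."  # same text for every failure


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 from the standard library (not a deprecated scheme)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def password_is_strong(password: str) -> bool:
    """Minimal strength policy: minimum length plus at least three character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= MIN_PASSWORD_LENGTH and sum(classes) >= 3


class UserStore:
    """Constructed in-memory store (username -> (salt, hash)); a real app would use a DB."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        # Dummy credential: hashed when the username is unknown so that the
        # unknown-user path costs the same as the wrong-password path.
        self._dummy_salt, self._dummy_hash = hash_password(os.urandom(16).hex())

    def register(self, username: str, password: str) -> bool:
        """Refuse weak passwords and duplicate usernames; return True on success."""
        if not password_is_strong(password) or username in self._users:
            return False
        self._users[username] = hash_password(password)
        return True

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        """Return (ok, message). The message is identical for unknown user and wrong password."""
        salt, expected = self._users.get(username, (self._dummy_salt, self._dummy_hash))
        _, candidate = hash_password(password, salt)
        # Constant-time comparison; the dummy credential can never authenticate
        # because the username-exists check is required as well.
        if username in self._users and hmac.compare_digest(candidate, expected):
            return True, "Login successful."
        return False, GENERIC_LOGIN_ERROR


if __name__ == "__main__":
    store = UserStore()
    print(store.register("alice", "Correct-Horse-Battery-9"))   # True
    print(store.login("alice", "wrong-password-XYZ1"))           # (False, 'Invalid username or password.')
    print(store.login("nobody", "whatever-12345"))               # (False, 'Invalid username or password.')
```

When testing a real login form, the check is the same as what this code enforces: the response body, status code and response time for "unknown user" and "wrong password" should be indistinguishable, and registration should reject a password that fails the policy before it is ever stored.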

Catching up with the challenge:

I think the main priority is to ensure that the e-commerce site is compliant with the PCI security policies. Here below I attach a link to read more about it:
https://www.pcisecuritystandards.org/
Basically, it is a worldwide security standard whose objective is to ensure the security of the end user while he is using any payment card. It is really important, not only because it could be really dangerous for the user, but also because companies could face some big fines, and this might cause the business to fail, besides the fact that it could bring several other penalties like prison and whatnot.

On the other hand, there are several other things that an e-commerce site could do in order to secure the e-commerce data. I think one of the important things is to have a monitoring system like “Splunk” in order to monitor all the possible suspicious activities.

Of course it will be needed to ensure that the website has authentication security and that all the traffic goes through HTTPS.

Here I found a particular warning on the PCI page

2 Likes

Methods of securing ecommerce data as far as my knowledge:

  1. Keep up to date certificates
  2. Require strong passwords
  3. Encrypt data wherever necessary
1 Like

My Day 22

Almost the end of the month, so little time so much to catch up!

1 Like

Beyond applying security testing and certifications like OWASP…, there are some ways and tricks to secure e-commerce data:

  1. Choose a secure ecommerce platform: “Put your ecommerce site on a platform that uses a sophisticated object-orientated programming language,” says Shawn Hess, software development manager

  2. Use a secure connection for online checkout–and make sure you are PCI compliant. “Use strong SSL [Secure Sockets Layer] authentication for Web and data protection,” says Rick Andrews, technical director, Trust Services, Symantec.

  3. Don’t store sensitive data. “There is no reason to store thousands of records on your customers, especially credit card numbers, expiration dates and CVV2 [card verification value] codes,” says Chris Pogue, director of Digital Forensics and Incident Response at Trustwave.

  4. Employ an address and card verification system. “Enable an address verification system (AVS) and require the card verification value (CVV) for credit card transactions to reduce fraudulent charges,” says Colin O’Dell, lead Magento developer for Unleashed Technologies.

  5. Require strong passwords

  6. Set up system alerts for suspicious activity. “Set an alert notice for multiple and suspicious transactions coming through from the same IP address,” advises Deric Loh, managing director at digital agency Vault Labs.

  7. Layer your security: “Start with firewalls, an essential aspect in stopping attackers before they can breach your network and gain access to your critical information.” Next, she says, “add extra layers of security to the website and applications such as contact forms, login boxes and search queries.” These measures “will ensure that your ecommerce environment is protected from application-level attacks like SQL (Structured Query Language) injections and cross-site scripting (XSS).”

  8. Provide security training to employees. Employees “need to know they should never email or text sensitive data or reveal private customer information in chat sessions as none of these communication methods is secure,”

  9. Use tracking numbers for all orders. “To combat chargeback fraud, have tracking numbers for every order you send out,”

  10. Monitor your site regularly–and make sure whoever is hosting it is, too. “Always have a real-time analytics tool,”

  11. Perform regular PCI scans. “Perform regular quarterly PCI scans through services like Trustwave to lessen the risk that your ecommerce platform is vulnerable to hacking attempts,”

  12. Patch your systems. “Patch everything immediately–literally the day they release a new version,”

  13. Make sure you have a DDoS protection and mitigation service. “With DDoS [Distributed Denial of Service] attacks increasing in frequency, sophistication and range of targets, ecommerce sites should turn to cloud-based DDoS protection and managed DNS services to provide transactional capacity to handle proactive mitigation and eliminate the need for significant investments in equipment, infrastructure and expertise,”

  14. Consider a fraud management service. “Fraud does happen. And for merchants, the best resolution is to make sure you are not holding the bag when it does,”

  15. Make sure you or whoever is hosting your site is backing it up–and has a disaster recovery plan. “Results from a recent study by Carbonite revealed businesses have big gaps in their data backup plans–putting them at risk for losing valuable information in the instance of power outage, hard drive failure or even a virus,”

  16. Let Third-party Providers Handle Credit Card Information

  17. Encrypt, Encrypt, Encrypt
    Always encrypt your passwords and other sensitive information as a precaution, in case the data falls into the wrong hands.

  18. Use Updated Software and Solutions
    Make sure that you’re only using solutions with the most updated security practices. A good example for this is your shopping cart. According to Slade, merchants must ensure that their shopping carts have modern security standards.