30 Days of Ecommerce Testing Day 25: Security concerns

The question for Day 25 is: What security concerns do you associate with ecommerce and how would you test them?

The concerns I see would be:

  • account theft
  • credit card data theft or fraud
  • other payment fraud
  • data leaking out (of customers or the company)
  • data loss
  • malware in ads from advertising networks
  • phishing and other social engineering attacks
  • hijacking the second authentication factor
  • spam including malicious links in comments or reviews
  • malicious injections

There is probably more and I’m skipping the “how to test” part for now - security testing is an area I know very little about and I’d rather do decent research on it as part of the bonus challenge than wing it right now 🙂

Some things I would definitely check for with my current knowledge are:

  • that there is clear information on security-relevant actions e.g. when confirming a transaction with an SMS code (insecure in itself), what transaction the confirmation refers to, so that the user has a chance to notice when a scam or hijacked confirmation request comes in,
  • that inputs are cleansed to avoid injections.

3 Likes

When I think about security on those e-commerce sites, my main concerns are:

  • My personal data
  • My payment data

I think a good way to start is to perform a pentest on the application.

1 Like

About security concerns:

  • Fraud / Stolen Identities: this is really a big deal. Not only because it might affect the end user in a very bad way, but also the companies who have to fight this kind of crime. Here it is crucial to assure the maximum protection to the end user, and many things could be done, but the essential one is to test the security, assuring for example that cross-site scripting is not able to retrieve any personal / confidential data. Here I assume that fraud / stolen identities involve a lot of fields like “account theft, credit card theft, credit card fraud”.
  • Malware ads in websites: this, more than a trouble, is annoying. How many times were you surfing the web and found those annoying pop-ups warning you that you have a virus, and when you open them, TA-DA! It is a virus itself! So the best practice here is to warn the end users NOT TO OPEN anything that is not related to the website itself. Besides, the website itself should be prepared against those kinds of fraud, and a way of testing it is to have anti-malware active and assure that it is working properly, creating fake malware and trying to break the security of the website.
  • Viruses / Scam: Installing minimal security on your infrastructure should be fine. It would be great to have some knowledge of viruses and how to create them and prove the hardness of the systems. This last thing could be very challenging as the system should be prepared to receive any attack. A way to test it is to do performance, stress and load testing, and some scripting testing which includes cross-site scripting and so on.

I will keep reading the security concerns! This topic is really interesting! 🙂

2 Likes

Most of them are covered by @maos

In short, these two are the ones which raise security concerns from the user's end:

  • Personal sensitive data
  • Payment data

The site should have proper authorization, authentication, encryption standards.

2 Likes

My Day 25 https://wp.me/p9EXXo-63

1 Like

There are entire books and careers that exist around penetration testing, and I don’t think I would do any justice to the topic writing about that. However, I found an interesting article “Is conventional penetration testing enough to secure eCommerce applications?”

I think if you had a Venn diagram with functional testing in one circle and security testing in another, then the list in this article would be in the intersection. A lot of these have to do with exploiting the website’s functionality in order to get something for free. Some of the examples here are just functionality, some are shady, and some are downright fraud.

  • Shipping address manipulation after order placement

Just this weekend my bank called me because I ordered a washer and dryer ($1500 total) to be shipped to my new address. The new address didn’t match my billing address, so the system was alerted and the bank wanted to verify. GOOD BANK. However, if I’m able to change the ship to address to be different than billing without triggering the system, we have a problem.

  • Getting cash back/refunds even when the order is canceled

This is really a functional test, and this could go wrong without the buyer even intending to commit fraud. But if someone with less morals than say, myself, were to get wind of it, it becomes a security issue.

Coupon and reward management flaws

  • Coupon redemption, even after order cancellation
  • Bypass of a coupon’s terms and conditions
  • Bypass of a coupon’s validity
  • Use of multiple coupons for the same transaction
  • Predictable coupon codes
  • Failure of a re-computation in coupon value after partial order cancellation
  • Illegitimate use of coupons with other products

Again, some of these are functional. Creating tests around these should be pretty straightforward!

Check the article for more examples. It looks like a great starting point.

-Dave K

4 Likes
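As an added example (not part of the post above or of the article it cites), here is how several of the listed coupon flaws can be turned into checks against a checkout model. The `Coupon` and `Order` classes, their fields and the release-on-cancellation policy are hypothetical assumptions standing in for the shop under test.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Coupon:                      # hypothetical model, not a real shop API
    code: str
    percent: int
    expires: date
    min_total: float               # the coupon's terms: minimum order value
    redeemed: bool = False

@dataclass
class Order:
    items: dict                    # item name -> price
    coupon: Optional[Coupon] = None
    cancelled: set = field(default_factory=set)

    def subtotal(self) -> float:
        return sum(p for n, p in self.items.items() if n not in self.cancelled)

    def apply(self, coupon: Coupon, today: date) -> None:
        if self.coupon is not None:
            raise ValueError("only one coupon per transaction")
        if coupon.redeemed:
            raise ValueError("coupon already redeemed")
        if today > coupon.expires:
            raise ValueError("coupon expired")
        if self.subtotal() < coupon.min_total:
            raise ValueError("terms not met")
        self.coupon, coupon.redeemed = coupon, True

    def cancel_item(self, name: str) -> None:
        self.cancelled.add(name)
        # Re-check the terms after a partial cancellation (assumed policy:
        # drop the discount and release the coupon when they no longer hold).
        if self.coupon and self.subtotal() < self.coupon.min_total:
            self.coupon.redeemed = False
            self.coupon = None

    def total(self) -> float:
        # Always recomputed from the current subtotal, never cached.
        pct = self.coupon.percent if self.coupon else 0
        return round(self.subtotal() * (100 - pct) / 100, 2)

def rejected(order: Order, coupon: Coupon, today: date) -> Optional[str]:
    """Return the rejection reason, or None if the coupon was accepted."""
    try:
        order.apply(coupon, today)
    except ValueError as exc:
        return str(exc)
    return None
```

Each abuse case from the list becomes one call to `rejected()` or `cancel_item()` followed by an assertion on the reason or on `total()`; against a real shop the same cases would be driven through its API or UI.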

Also heard cases where people earned money by buying and filing the product as faulty - ended up using the product as well as earned the refund. Depends on how companies work.

From the Twitterverse:

@conorfi