E-Commerce

The internet is a dangerous place full of pirates, crackers and credit card thieves. There are people out there who will take your money. It is way too dangerous for any form of commerce without the benefit of 40 bit ultrasecure encryption and the latest E-Commerce webserver. If you want to put your business on the internet, then it just has to have the latest in secure transactions.

Sounds like a sales pitch, doesn't it? Largely it is distilled from the hype in some of the E-Commerce sales brochures. Like all sales pitches it relies on the expectations and fears of the customer. It accentuates the bad things that could happen if the customer does not buy and it highlights the benefits of doing the right thing - buying the product. There is an element of truth but you have to look hard to find it. And the 40 bit ultrasecure encryption - it is not secure.

E-Commerce is a nebulous concept. In fact the only agreed part is that the primary aim is to sell on the internet. It could be argued that E-Commerce is just a fancy buzzword like "pro-active" that makes the user sound clever. In true internet style it seems to be mutating - some are now referring to it as I-Commerce or Internet Commerce.

It does sell though. Adverts for overpriced and intellectually underpowered seminars on E-Commerce are tossed about like so much confetti. The speakers at most of these seminars rarely have any real experience in marketing on the internet. The truth is that most of the real experts are too busy selling. High priced E-Commerce solutions are available from suppliers, and consultants with a few months of involvement are all too eager to share their inexperience at a high cost. Sometimes you have got to wonder if the pirates, crackers and credit card thieves are the real threat.

Even myths have some basis in reality. In the US, some crackers have been convicted of trying to sell credit card numbers to undercover FBI agents.
These are typically files of thousands of credit card numbers and details that have been extracted from ISPs and other places. Trafficking in stolen credit card numbers is a serious crime in any jurisdiction.

With the availability of programs to generate what appear to be genuine credit card numbers, small transactions on the internet can be fraught with some financial danger for businesses on the internet. The typical incident will be for a low value product ordered via the WWW. Most companies on the net would have a mail order type transaction limit. If the value of the transaction is higher than this limit, the company would have to ring the credit card company for authorisation for the transaction. The company sends the item via the mail and only finds out a few days later, or a few weeks later if the transaction is for a foreign card, that the card number was false. Most businesses on the WWW have experienced this type of fraud and it often costs more to resolve the matter than to absorb the loss. The result is that the companies absorb the cost.

The problem with such programs for any potential cracker is that they are not as useful as having real credit card data. Obtaining this information is a lot more difficult, though there have been a number of incidents where the credit card details of ISP customers have been obtained due to breaches of security.

Any transaction over the internet is effectively a card absent transaction. This means that the goods have to be sent to the address of the cardholder. It is up to the company to check the details and obtain the proper authorisation in this case.

In September 1998, HackWatch News reported a security hole in a prominent Irish E-Commerce site. Earlier the same week, C|Net News had reported a massive security hole in another E-Commerce site that allowed anyone with the right knowledge to gain access to the full credit card details of customers of the sites affected.
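The floor-limit and card-absent discussion above describes a decision the merchant has to make before anything is shipped. The following is an added example of that screening step written for this page; it is not code from the article or from any vendor it mentions. The floor limits, the order record, the "ring the issuer" outcome and the rule that the shipping and cardholder addresses must match are assumptions used to illustrate the policy. The Luhn checksum is the standard card-number check; as the comment says, a pass only rules out typos, which is exactly why the generated numbers the article mentions get through it.

```python
"""Screen a card-absent order before shipping (added example, not the
article's or any vendor's code). Limits and the order layout are assumed."""
from dataclasses import dataclass


@dataclass
class Order:
    card_number: str       # digits, spaces allowed
    amount: float          # merchant's currency
    card_country: str      # issuing country of the card, e.g. 'IE'
    billing_address: str   # address the card issuer holds for the cardholder
    shipping_address: str  # address the customer asked us to ship to


MERCHANT_COUNTRY = 'IE'
FLOOR_LIMIT = 50.0         # assumed mail-order limit; above it, ring for authorisation
FOREIGN_FLOOR_LIMIT = 0.0  # assumed: every foreign-card order is authorised first


def luhn_ok(number):
    """Luhn checksum carried by card numbers. A pass only rules out typos:
    a generated number built to look genuine passes this check as well."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(address):
    return ' '.join(address.lower().split())


def screen_order(order):
    """Return (decision, reasons). Decisions are 'reject', 'authorise'
    (ring the card company before shipping) or 'ship'."""
    if not luhn_ok(order.card_number):
        return 'reject', ['card number fails checksum']
    # Card-absent rule from the article: goods go to the cardholder's address.
    if _normalise(order.shipping_address) != _normalise(order.billing_address):
        return 'reject', ['shipping address differs from cardholder address']
    foreign = order.card_country != MERCHANT_COUNTRY
    limit = FOREIGN_FLOOR_LIMIT if foreign else FLOOR_LIMIT
    if order.amount > limit:
        kind = 'foreign' if foreign else 'domestic'
        return 'authorise', ['amount %.2f exceeds %s floor limit %.2f'
                             % (order.amount, kind, limit)]
    return 'ship', ['below floor limit, shipping to cardholder address']


if __name__ == '__main__':
    # Constructed sample orders; 4111 1111 1111 1111 is a widely used test number.
    for o in (Order('4111 1111 1111 1111', 20.0, 'IE', '1 Main St', '1 Main St'),
              Order('4111 1111 1111 1111', 120.0, 'IE', '1 Main St', '1 Main St'),
              Order('4111 1111 1111 1111', 20.0, 'US', '1 Main St', '1 Main St'),
              Order('4111 1111 1111 1111', 20.0, 'IE', '1 Main St', '9 Other Rd'),
              Order('4111 1111 1111 1112', 20.0, 'IE', '1 Main St', '1 Main St')):
        print(o.amount, o.card_country, screen_order(o))
```

The point of the policy is that a checksum pass never moves an order straight to "ship": it is the floor limit and the address rule that decide whether the issuer is rung, and below the limit the merchant is knowingly carrying the risk the article describes.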
The hole in the Irish E-Commerce site was discovered by Mark O'Neill of Delphium Technologies (www.delphium.com). While ordering a product on the site, he discovered that by manipulating the URL he could get full access to the customer database username and the database password. He e-mailed the company informing them of the problem with their security. It took a few weeks for the problem to be addressed.

It was clear that the problem was due to the incorrect setup of the software. The software, Mercantyle, had been supplied by a company in the UK called Triptych Software Limited. When the software is properly used, and the permissions are set correctly so that certain files can be executed but not read, it is safe. The problem was that the permissions were not set correctly, so that with a manipulation of the URL it was possible to read the username and password from the file that was meant to be executed to read and write to the database. Such cases are relatively rare but given the growing E-Commerce market in Ireland, this one will not be the last.

The problem with the installation was one of being blinded by science. Many companies operating in the web design business just do not have the mentality required to evaluate security. They fall into the trap of thinking that just because the front door is secure, there is no need to worry about the back door. In this case the website had SSL (Secure Sockets Layer) for the customer's credit card transactions - the front door was secure. However the back door was effectively unlocked.

For any company contemplating business on the internet, the lesson is clear - make sure that the security is tested frequently and efficiently. If any security problems come to light then act on them immediately. The reality of the situation is that an Irish company doing business over the net with credit cards is effectively liable and at least stands to lose the products if they are shipped. The customer on the other hand can dispute the charge with the credit card company.
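The misconfiguration described above comes down to one distinction: a directory holding database scripts must let the server execute them but never return them as files. The following is an added example of the check a site operator can run for that, written for this page; it is not code from the article, from Mercantyle or from Triptych. The site layout, the placeholder script contents and the per-directory "read"/"execute" access model (the nearest configured ancestor directory wins) are all constructed to mirror the execute-but-not-read setting the article refers to, not taken from any real product.

```python
"""Find scripts that hold database credentials and sit under a directory the
web server is allowed to read, not just execute. Added example; the access
model, paths and file contents are constructed for the demo."""
import posixpath
import re

# Assignments that look like database credentials inside a script.
CRED_PATTERN = re.compile(
    r'\b(db_?user(name)?|db_?pass(word)?|password)\s*=', re.IGNORECASE)


def effective_rights(access, directory):
    """Rights for a directory: walk up to the nearest configured ancestor,
    the way per-directory access settings are normally inherited (assumed)."""
    d = directory
    while True:
        if d in access:
            return access[d]
        if d == '/':
            return set()
        d = posixpath.dirname(d)


def audit_access(files, access):
    """files: path -> text; access: directory -> set of rights.
    Returns (path, problem) for every credential-bearing file whose
    directory settings would let a client read the source."""
    findings = []
    for path, content in sorted(files.items()):
        if not CRED_PATTERN.search(content):
            continue
        rights = effective_rights(access, posixpath.dirname(path))
        if 'read' in rights:
            findings.append((path, 'directory grants read: the script source, '
                                   'credentials included, can be fetched by URL'))
        elif 'execute' not in rights:
            findings.append((path, 'directory grants neither read nor execute: '
                                   'dead script, credentials should be removed'))
    return findings


# Constructed site layout (not the real site's); credentials are placeholders.
SITE_FILES = {
    '/index.html': '<html>Shop front</html>',
    '/cgi-bin/order.cgi': "#!/usr/bin/perl\n$db_user = 'shop';\n"
                          "$db_password = 'PLACEHOLDER';\n",
    '/shop/lookup.cgi': "#!/usr/bin/perl\n$db_user = 'shop';\n"
                        "$db_password = 'PLACEHOLDER';\n",
}
# The weak setting: /shop can be executed *and* read.
SITE_ACCESS_BAD = {'/': {'read'}, '/cgi-bin': {'execute'},
                   '/shop': {'read', 'execute'}}
# The corrected setting: script directories execute only.
SITE_ACCESS_GOOD = {'/': {'read'}, '/cgi-bin': {'execute'},
                    '/shop': {'execute'}}


def example_findings(access=SITE_ACCESS_BAD):
    """Paths flagged for the constructed site under the given access table."""
    return [path for path, _ in audit_access(SITE_FILES, access)]


if __name__ == '__main__':
    for path, problem in audit_access(SITE_FILES, SITE_ACCESS_BAD):
        print(path, '-', problem)
    print('after fix:', example_findings(SITE_ACCESS_GOOD))
```

Running it on the weak table flags only `/shop/lookup.cgi`; `/cgi-bin/order.cgi` carries the same credentials but lives under an execute-only directory, which is the condition the article calls safe. The audit is a back-door check that SSL on the front door says nothing about, and it is cheap enough to run after every deployment.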