Fraudsters could skim millions of pounds from retail websites this Christmas because retailers do not have adequate security.

Most online retailers use a payment provider to process payments by verifying the card details and checking against the billing address, rather than all the details of the transaction. A cyber-shoplifter only needs to perform a relatively simple hack to manipulate the amount to pay.

Security tester NTA Monitor found that, by manipulating form variables on a website or back-end payment gateway, hackers can change the amount debited from their account or change the purchase currency, resulting in paying less for the items in their shopping basket.

The payment provider will take the amount logged on the card against purchases. The retailer is left to pick up the difference.

Roy Hills, technical director at security audit firm NTA Monitor, said: "Internet fraud is on the increase and 'cyber shrinkage' looks set to get worse in the lead-up to Christmas unless retailers get their shop in order."
How to protect against online fraud
Put procedures in place to check items against the amount paid and currency before they are dispatched. Anything sent by the browser should not be trusted and should be verified before the item is dispatched, with all user data received by the server validated on the server side.

Perform input validation on all client input using character white lists to limit common problems such as XSS and SQL injection.

Perform high-level testing of online applications to identify weaknesses in the business logic, in addition to regular PCI and OWASP testing.
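The three recommendations above come down to one server-side rule: the price and currency a browser posts are claims, not facts. The following is an added example (not code from NTA Monitor or from the article) showing how a checkout handler can recompute the basket total from its own catalogue, compare it with the client's claimed amount and currency, white-list every submitted field, and finally confirm the settled amount before dispatch. The catalogue, the form layout, the accepted currency list and the function names are constructed for this illustration.

```python
"""Server-side re-pricing of a checkout form (added example, not the
article's or NTA Monitor's code). Catalogue, form shape and currency
list are constructed assumptions for the illustration."""
from decimal import Decimal
import re

# Constructed server-side price list: the ONLY source of truth for prices.
CATALOGUE = {
    "SKU-1001": (Decimal("49.99"), "GBP"),
    "SKU-2002": (Decimal("12.50"), "GBP"),
}
ALLOWED_CURRENCIES = {"GBP"}  # assumed: this shop settles in GBP only

# Character white lists for each client-supplied field. Anything that
# does not match is rejected outright (covers the XSS / SQL injection point).
SKU_RE = re.compile(r"[A-Z0-9-]{1,20}")
QTY_RE = re.compile(r"[0-9]{1,3}")
AMOUNT_RE = re.compile(r"[0-9]{1,7}(\.[0-9]{2})?")
CURRENCY_RE = re.compile(r"[A-Z]{3}")


class CheckoutError(ValueError):
    """Raised when the posted form fails validation or re-pricing."""


def validate_field(pattern, value, name):
    """White-list check: the whole value must match the allowed characters."""
    if not isinstance(value, str) or pattern.fullmatch(value) is None:
        raise CheckoutError(f"invalid characters in {name}")
    return value


def server_total(items):
    """Recompute the basket total from the catalogue.

    Any 'price' the browser may have sent alongside an item is ignored;
    only the SKU and quantity are read, and both are white-listed first.
    """
    total = Decimal("0")
    for item in items:
        sku = validate_field(SKU_RE, item.get("sku", ""), "sku")
        qty = int(validate_field(QTY_RE, item.get("qty", ""), "qty"))
        if sku not in CATALOGUE or qty < 1:
            raise CheckoutError("unknown item or bad quantity")
        price, currency = CATALOGUE[sku]
        if currency not in ALLOWED_CURRENCIES:
            raise CheckoutError("catalogue currency not accepted")
        total += price * qty
    return total


def verify_checkout(form):
    """Return (amount, currency) to send to the payment provider.

    `form` is the dict the browser posted: {"items": [...], "amount": "...",
    "currency": "..."}. The claimed amount and currency are compared with
    the server's own figures and the request is refused on any mismatch.
    """
    claimed_amount = Decimal(validate_field(AMOUNT_RE, form.get("amount", ""), "amount"))
    claimed_currency = validate_field(CURRENCY_RE, form.get("currency", ""), "currency")
    if claimed_currency not in ALLOWED_CURRENCIES:
        raise CheckoutError("currency not accepted")
    expected = server_total(form.get("items", []))
    if claimed_amount != expected:
        raise CheckoutError(f"amount mismatch: client {claimed_amount}, server {expected}")
    return expected, claimed_currency


def ok_to_dispatch(expected_amount, expected_currency, settled_amount, settled_currency):
    """Pre-dispatch check: the amount the provider actually settled must equal
    the server-priced total in the expected currency, or the order is held."""
    return settled_currency == expected_currency and settled_amount == expected_amount


if __name__ == "__main__":
    # Constructed sample form: two of SKU-1001 plus one SKU-2002 priced correctly.
    honest = {"items": [{"sku": "SKU-1001", "qty": "2"}, {"sku": "SKU-2002", "qty": "1"}],
              "amount": "112.48", "currency": "GBP"}
    print(verify_checkout(honest))  # (Decimal('112.48'), 'GBP')
    tampered = dict(honest, amount="1.00")
    try:
        verify_checkout(tampered)
    except CheckoutError as exc:
        print("refused:", exc)
```

The design point is that the client's `amount` field is never forwarded to the provider; `verify_checkout` returns the server-computed total, and `ok_to_dispatch` closes the loop after settlement so that a discrepancy introduced anywhere between the basket page and the gateway holds the order rather than shipping it at the retailer's cost.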
source: NTA Monitor