Fraudsters could skim millions of pounds from retail websites this Christmas because retailers do not have adequate...
Most online retailers use a payment provider to process payments by verifying the card details and checking against the billing address, rather than all the details of the transaction. A cyber-shoplifter only needs to perform a relatively simple hack to manipulate the amount to pay.
Security tester NTA Monitor found that by manipulating form variables sent to a website or its back-end payment gateway, attackers can change the amount debited from their card or change the purchase currency, so that they pay less for the items in their shopping basket.
The payment provider debits the card for whatever amount it is sent for the purchase. The retailer is left to pick up the difference.
Roy Hills, technical director at security audit firm NTA Monitor, said: "Internet fraud is on the increase and 'cyber shrinkage' looks set to get worse in the lead-up to Christmas unless retailers get their shop in order."
How to protect against online fraud
Put procedures in place to check items against the amount paid and currency before they are dispatched. Anything sent by the browser should not be trusted and should be verified before the item is dispatched, with all user data received by the server validated on the server side.
Perform input validation on all client input using character white lists to limit common problems such as XSS and SQL injection.
Perform high-level testing of online applications to identify weaknesses in the business logic, in addition to regular PCI and OWASP testing.
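The three steps above, as an added example that is not NTA Monitor's code nor from any retailer's checkout: the server keeps the only copy of prices and the store currency, accepts just a SKU and quantity from the browser and checks each against a character white list, recomputes the total itself, and refuses to dispatch unless the amount and currency the gateway actually settled match that total. The catalogue entries, SKU format, prices and the tampered notification are constructed for the example.

```python
import re
from decimal import Decimal, InvalidOperation

# Constructed server-side catalogue: authoritative prices live here, never in the form.
CATALOGUE = {
    "SKU-1001": {"price": Decimal("249.99")},
    "SKU-2002": {"price": Decimal("19.50")},
}
STORE_CURRENCY = "GBP"  # assumed store currency for the example

# Character white lists for the only two fields the browser is allowed to send.
SKU_RE = re.compile(r"^[A-Z]{3}-\d{4}$")
QTY_RE = re.compile(r"^[1-9]\d{0,2}$")  # 1..999, no signs, no decimals


def validate_basket(form_items):
    """Validate (sku, qty) string pairs received from the client.

    Price and currency are deliberately not accepted from the client at all.
    Returns a list of (sku, int_qty) or raises ValueError on anything off-list.
    """
    basket = []
    for sku, qty in form_items:
        if not SKU_RE.fullmatch(sku) or not QTY_RE.fullmatch(qty):
            raise ValueError(f"rejected field: sku={sku!r} qty={qty!r}")
        if sku not in CATALOGUE:
            raise ValueError(f"unknown sku {sku!r}")
        basket.append((sku, int(qty)))
    return basket


def basket_is_valid(form_items):
    """Boolean wrapper around validate_basket for callers that only need yes/no."""
    try:
        validate_basket(form_items)
        return True
    except ValueError:
        return False


def compute_total(basket):
    """Recompute the amount due from server-side prices only."""
    total = Decimal("0.00")
    for sku, qty in basket:
        total += CATALOGUE[sku]["price"] * qty
    return total


def can_dispatch(basket, paid_amount, paid_currency):
    """Pre-dispatch check: the amount and currency the gateway reports as settled
    must equal what the retailer expects for this basket. Any mismatch, malformed
    amount or foreign currency blocks dispatch and should be flagged for review."""
    try:
        paid = Decimal(str(paid_amount))
    except InvalidOperation:
        return False
    return paid_currency == STORE_CURRENCY and paid == compute_total(basket)


if __name__ == "__main__":
    # Constructed client submission and gateway notifications.
    posted = [("SKU-1001", "1"), ("SKU-2002", "1")]
    basket = validate_basket(posted)
    print("expected total:", compute_total(basket))                 # 269.49
    print("honest payment:", can_dispatch(basket, "269.49", "GBP"))  # True
    print("amount tampered:", can_dispatch(basket, "2.69", "GBP"))   # False
    print("currency tampered:", can_dispatch(basket, "269.49", "USD"))  # False
    print("bad field rejected:", basket_is_valid([("SKU-1001", "1; DROP")]))  # False
```

The check runs at dispatch time against the gateway's own settlement record, not against values echoed back from the browser, so a form variable altered anywhere between the basket page and the gateway cannot change what the retailer compares against.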
source: NTA Monitor