Data hack makes cyber-shoplifting easy

News

Data hack makes cyber-shoplifting easy

Cliff Saran

Fraudsters could skim millions of pounds from retail websites this Christmas because retailers do not have adequate security.

Most online retailers use a payment provider to process payments by verifying the card details and checking against the billing address, rather than all the details of the transaction. A cyber-shoplifter only needs to perform a relatively simple hack to manipulate the amount to pay.

Security tester NTA Monitor found that, manipulating form variables on a website or back-end payment gateway, hackers can change the amount debited from their account or change the purchase currency, resulting in paying less for the items in their shopping basket.

The payment provider will take the amount logged on the card against purchases. The retailer is left to pick up the difference.

Roy Hills, technical director at security audit firm NTA Monitor, said: "Internet fraud is on the increase and 'cyber shrinkage' looks set to get worse in the lead-up to Christmas unless retailers get their shop in order."

How to protect against online fraud

Put procedures in place to check items against the amount paid and currency before they are dispatched. Anything sent by the browser should not be trusted and should be verified before the item is dispatched, with all user data received by the server validated on the server side.

Perform input validation on all client input using character white lists to limit common problems such as XSS & SQL injection.

Perform high level testing of online applications to identify weaknesses hin the business logic, in addition to regular PCI and OWASP testing.

source: NTA Monitor

Expert opinion: e-tailers should copy online fraudsters' tactics >>


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy