Data hack makes cyber-shoplifting easy

Cliff Saran

Fraudsters could skim millions of pounds from retail websites this Christmas because retailers do not have adequate security.

Most online retailers use a payment provider that processes payments by verifying the card details and checking them against the billing address, rather than checking all the details of the transaction. A cyber-shoplifter therefore needs only a relatively simple hack to manipulate the amount to pay.

Security tester NTA Monitor found that, by manipulating form variables sent to a website or its back-end payment gateway, hackers can change the amount debited from their account or change the purchase currency, so that they pay less for the items in their shopping basket.

The payment provider takes the amount logged against the card for the purchases; the retailer is left to pick up the difference.

Roy Hills, technical director at security audit firm NTA Monitor, said: "Internet fraud is on the increase and 'cyber shrinkage' looks set to get worse in the lead-up to Christmas unless retailers get their shop in order."

How to protect against online fraud

Put procedures in place to check the items in an order against the amount paid and the currency before they are dispatched. Nothing sent by the browser should be trusted: all user data received by the server should be validated on the server side and verified before the item is dispatched.
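The following is an added example (not code from the article or from NTA Monitor) showing the weak pattern the article describes beside a server-side check. The catalogue, prices, shop currency and the submitted forms are all constructed for illustration; the `basket` passed to the hardened function stands in for the server's session-held basket, which is the point: the amount sent to the gateway is recomputed from server data, and a disagreement with what the browser posted is logged as a tampering signal and blocks the charge.

```python
# Added example (not from the article or NTA Monitor): client-trusted amount
# beside a server-side recomputation. Catalogue, currency and forms are constructed.
import logging

log = logging.getLogger("checkout")

# The server's own price list, in pence, is the only source of truth for amounts.
CATALOGUE = {
    "SKU-001": 4999,   # constructed price
    "SKU-002": 1250,   # constructed price
}
SHOP_CURRENCY = "GBP"


class TamperedOrder(Exception):
    """Raised when a client-submitted amount or currency disagrees with the server."""


def vulnerable_charge_request(form):
    """The weak pattern: amount and currency are read straight from hidden
    form fields, so whatever the browser posts is what the gateway charges."""
    return {"amount_pence": int(form["amount"]), "currency": form["currency"]}


def server_side_total(basket):
    """Recompute the basket total from server-held prices.
    `basket` is the session-stored {sku: quantity}, never the posted form."""
    total = 0
    for sku, qty in basket.items():
        if sku not in CATALOGUE or not 1 <= qty <= 99:
            raise TamperedOrder(f"unknown sku or bad quantity: {sku}={qty!r}")
        total += CATALOGUE[sku] * qty
    return total


def hardened_charge_request(form, basket):
    """Build the gateway request from the server's figures only. The posted
    amount/currency are compared, not used: a mismatch is evidence of
    tampering and is logged so the attempt is visible to fraud monitoring."""
    expected = server_side_total(basket)
    posted_currency = form.get("currency")
    try:
        posted_amount = int(form.get("amount", ""))
    except ValueError:
        posted_amount = None
    if posted_currency != SHOP_CURRENCY or posted_amount != expected:
        log.warning("amount/currency mismatch: posted %r %r, expected %d %s",
                    posted_amount, posted_currency, expected, SHOP_CURRENCY)
        raise TamperedOrder("client-submitted amount or currency was altered")
    return {"amount_pence": expected, "currency": SHOP_CURRENCY}


def ok_to_dispatch(order_total_pence, settlement):
    """Pre-dispatch gate: only ship when the amount and currency the payment
    provider actually settled match the order recorded on the server."""
    return (settlement.get("currency") == SHOP_CURRENCY
            and settlement.get("amount_pence") == order_total_pence)


if __name__ == "__main__":
    basket = {"SKU-001": 2, "SKU-002": 1}            # session basket, 11248p
    honest = {"amount": "11248", "currency": "GBP"}
    tampered = {"amount": "100", "currency": "GBP"}  # hidden field edited in the browser
    print(vulnerable_charge_request(tampered))       # the gateway would charge 100p
    print(hardened_charge_request(honest, basket))
    try:
        hardened_charge_request(tampered, basket)
    except TamperedOrder as exc:
        print("rejected:", exc)
    print(ok_to_dispatch(11248, {"amount_pence": 100, "currency": "GBP"}))  # False
```

The dispatch gate is the second half of the article's advice: even if a tampered charge slips through the gateway, comparing the settled amount and currency with the server-recorded order total before anything ships catches the shortfall at the point where the retailer would otherwise absorb it.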

Perform input validation on all client input using character whitelists, to limit common problems such as XSS and SQL injection.
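An added example (not from the article or NTA Monitor) of the whitelist approach: each checkout field is matched against the set of characters it legitimately needs and a maximum length, and anything else is rejected rather than cleaned. The field names and rules are constructed for a hypothetical UK checkout form; fields the server did not ask for, such as a client-added `amount`, are reported as well.

```python
# Added example (not from the article or NTA Monitor): character allow-list
# validation of checkout form fields. Field names and rules are constructed.
import re

# Each field: the permitted characters as a full-match pattern plus a maximum
# length. Input outside the pattern is rejected, not stripped or escaped.
FIELD_RULES = {
    "quantity": (re.compile(r"[0-9]{1,2}"), 2),
    "postcode": (re.compile(r"[A-Za-z0-9 ]{5,8}"), 8),
    "currency": (re.compile(r"[A-Z]{3}"), 3),
    "name":     (re.compile(r"[A-Za-z' -]{1,60}"), 60),
}


def validate_form(form):
    """Return {field: reason} for every problem; an empty dict means the form
    passed. Unknown fields are reported too, because the server should never
    accept values it did not ask for."""
    errors = {}
    for field, (pattern, max_len) in FIELD_RULES.items():
        value = form.get(field)
        if value is None:
            errors[field] = "missing"
        elif len(value) > max_len or pattern.fullmatch(value) is None:
            errors[field] = "disallowed characters or length"
    for field in sorted(set(form) - set(FIELD_RULES)):
        errors[field] = "unexpected field"
    return errors


if __name__ == "__main__":
    good = {"quantity": "2", "postcode": "SW1A 1AA", "currency": "GBP", "name": "Jane O'Neil"}
    print(validate_form(good))                                   # {}
    print(validate_form({**good, "quantity": "2;--"}))           # quantity rejected
    print(validate_form({**good, "name": "<b>Jane</b>"}))        # name rejected
    print(validate_form({**good, "amount": "1"}))                # unexpected field
```

A whitelist narrows what reaches the application, which is why the article recommends it, but note that some legitimate characters (the apostrophe in a surname, for instance) are also SQL metacharacters: parameterised queries and output encoding remain the primary defences, with the whitelist in front of them.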

Perform high-level testing of online applications to identify weaknesses in the business logic, in addition to regular PCI and OWASP testing.

source: NTA Monitor
