osCommerce


Security


chickenmedia


Hi,

 

I am curious to know what security steps people have taken to protect access to vulnerable information, i.e. credit card info, access to the web server, etc.

 

I am looking at using SSH / SFTP to connect to my web host.

 

What steps have been taken in 2.2 to protect credit card data received?

How is the credit card data stored in 2.2? or is not?

What needs to be added / precautions taken?

 

I do not want to use a credit card processor/gateway as I prefer to do this by hand for fraud protection reasons.

 

How easy is it to have the credit card info, etc. PGP'd and sent to me by e-mail, and scrubbed from the system?

 

Where is PHP going to make me grab my ankles? What do you need to look out for?

 

After scouring this site, I think it would be helpful to have a specific area/doc addressing security issues.

 

John

John C. Kostiuk

big stogies

www.bigstogies.com


Hi All,

 

Yes, this is a very important subject!

My credit card company requires detailed information from me.

I shall be grateful if detailed information on security in OSC 2.2 will be here.

Support forum for osCommerce in the Russian language - from Ashkelon. Support since 2002.

Best regards,

Fredi


In 2.2 (snapshot) the credit card number is partially stored in the database; the other digits are e-mailed to an address (unencrypted).

The shop owner then matches the missing numbers from his/her e-mail with the online (in Admin) orders to manually process the credit card orders.

 

There is a contribution to PGP the complete cc number and e-mail it, I think.

 

I agree, there should be a security issues area; I'll post that in the Ideas section as well.

 

Mattice

"Politics is the art of preventing people from taking part in affairs which properly concern them"


I am looking at using SSH / SFTP to connect to my web host.

 

Perfect :)

 

This means nothing though if you navigate the Administration Tool in normal HTTP mode.

 

Change the http address from http:// to https:// and the links will all be secured.

 

What steps have been taken in 2.2 to protect credit card data received?

How is the credit card data stored in 2.2? or is not?

What needs to be added / precautions taken?

 

Is this something you really want to do? The cc payment module splits the credit card number - part of it is inserted in the database, the other part is emailed to a specific email address. This module is mainly used for manual credit card processing. Using live credit card processing modules such as Authorize.net or 2CheckOut etc will not store the credit card information in your database.

 

The credit card information entered by the customer is transmitted securely to the credit card processing gateway with the live processing modules.

 

I do not want to use a credit card processor/gateway as I prefer to do this by hand for fraud protection reasons.

 

That depends on what credit card processing gateway you choose. I am sure the penalties are much greater if your server or database is hacked :shocked:

 

How easy is it to have the credit card info, etc. PGP'd and sent to me by e-mail, and scrubbed from the system?

 

There is a contribution that does this.

 

Where is PHP going to make me grab my ankles? What do you need to look out for?

 

This isn't a matter of keeping PHP secure - it's a matter of keeping your server secure. Is your server a dedicated server? If it isn't, I would not do manual credit card processing - the risk is just too great.

 

After scouring this site, I think it would be helpful to have a specific  area/doc addressing security issues.

 

I will say again to reconsider your plans. It is clear you are not security oriented, otherwise you would not have posted these questions :? You shouldn't do what's best for you, but what's best for your customers.

 

Please don't take this the wrong way - I am only trying to help.

:heart:, osCommerce


Is it worth adding an option to the orders section in admin that will scrub all confidential data (i.e. all credit card details)? With this, once the order has been completed, you click the button and all the data will be erased.

 

It could be useful retaining the data, to automatically populate the payment details for subsequent orders. Other sites (Amazon for example) do this at present.

 

Do the card authorities have any powers against you if your data is hacked and ends up in the wrong hands? Or is their only option to close your account?

 

Jon.


Is it worth adding an option to the orders section in admin that will scrub all confidential data (i.e. all credit card details)? With this, once the order has been completed, you click the button and all the data will be erased.

 

That could be worth looking at. Yet it will not result in more security, it will only shorten the time that risky data is possibly exposed.

 

It could be useful retaining the data, to automatically populate the payment details for subsequent orders. Other sites (Amazon for example) do this at present.

 

Yes, that is useful. But Amazon and the like have security teams, protected data centres; I guess they even use crypto file systems. This level of security can only be achieved with dedicated experts working on it. A general solution such as osCommerce will always have to find a balance between ease of use and security. Using a payment gateway moves the responsibility for security into the hands of the gateway provider. Which IS an advantage IMHO.

 

Do the card authorities have any powers against you if your data is hacked and ends up in the wrong hands? Or is their only option to close your account?

 

Many card authorities do not accept you at all if you cannot show that you use a certified secure solution. And in case the fraud can be tracked down to your insecure installation, you are in big trouble. Read the contracts you have signed for details about this, or contact your local agent.

 

In Germany many merchandisers have seen their accounts closed and are now forced to use secure methods.

 

HTH

You can't have everything. That's why trains have difficulty crossing oceans, and hippos did not adapt to fly. -- from the OpenBSD mailinglist.


The painful truth is most (manual processing) e-commerce sites will use SSL connections for their clients while just plain e-mailing the cc details to themselves, or even worse, storing them in the database.

You still hear "site such and such got blackmailed because hundreds of cc numbers were stolen".

 

Personally I think the most ideal solution is to have your 'dangerous' details in a separate database on a computer that is NOT connected to the internet at all. This will allow you to do recurring charges etc. while your data is safe. Get this data from your shop into the db through encrypted e-mail or any automated process.

"Politics is the art of preventing people from taking part in affairs which properly concern them"


Assuming you are running a UNIX derivative OS, GPG makes for a fine way to implement credit card security in the event you are not using a real-time credit card processing gateway. Hopefully the following code will help some of you:

 

// Point gpg at the keyring directory used by the shop
putenv('GNUPGHOME='.PATH_TO_GPG_DIRECTORY_CONSTANT);

// Encrypt $string_to_encrypt to the key owner's public key (ASCII-armoured output);
// escapeshellarg() stops shell metacharacters in the data from being interpreted
$ciphertext = shell_exec('echo '.escapeshellarg($string_to_encrypt).' | gpg --comment '.
    '"OS Commerce http://www.oscommerce.com" '.
    '--always-trust --batch -ea --quiet --no-secmem-warning '.
    '-r '.KEY_OWNER_EMAIL_CONSTANT);

 

The above code encrypts the sensitive information inside $ciphertext which can then be included in the email sent to administrators.

 

This code can be used to import new public keys (perhaps allow end-users an upload button and then use this code to import the public key that was uploaded):

 

// Remove the previously imported key for this address, then import the uploaded one
shell_exec('gpg --batch --quiet --delete-key '.escapeshellarg(KEY_OWNER_EMAIL_CONSTANT));
shell_exec('gpg --batch --quiet --import '.escapeshellarg($path_to_tmpfile_uploaded));

 

See the gpg man page for more details.

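As an added example (not code from the post above or from osCommerce), here is the same gpg invocation done from Python: the arguments go to gpg as a list with no shell in between, and the card data is fed on stdin rather than through `echo` on the command line, so it never shows up in the process list on a shared host. The recipient address, GNUPGHOME path and card number are constructed placeholders.

```python
import os
import subprocess
from typing import List

GPG_COMMENT = "OS Commerce http://www.oscommerce.com"


def build_gpg_argv(recipient: str, always_trust: bool = False) -> List[str]:
    """Build the gpg argument list. Passing a list to subprocess means no shell
    parses it, so no escapeshellarg()-style quoting of the recipient is needed."""
    argv = ["gpg", "--batch", "--quiet", "--no-secmem-warning",
            "--comment", GPG_COMMENT,
            "--armor", "--encrypt", "--recipient", recipient]
    if always_trust:
        # --always-trust skips the web-of-trust check; only reasonable when the
        # keyring holds nothing but the shop owner's own key.
        argv.insert(1, "--always-trust")
    return argv


def encrypt_for_owner(plaintext: bytes, recipient: str, gnupg_home: str,
                      always_trust: bool = False) -> bytes:
    """Encrypt plaintext to the recipient's public key and return the armoured
    ciphertext. The secret travels on stdin, never in argv, so `ps` cannot see it.
    Requires a gpg binary and an imported public key (assumption, not run by tests)."""
    env = dict(os.environ, GNUPGHOME=gnupg_home)  # same role as putenv() in the PHP
    result = subprocess.run(build_gpg_argv(recipient, always_trust),
                            input=plaintext, capture_output=True, env=env, check=True)
    return result.stdout


def leaks_secret_to_argv(argv: List[str], secret: str) -> bool:
    """True if any argument contains the secret, which is what the
    'echo <secret> | gpg ...' shell pipeline does."""
    return any(secret in arg for arg in argv)


if __name__ == "__main__":
    # Constructed sample values; a real shop would take them from the order and config.
    card_number = "4111111111111111"  # well-known test PAN, not a real card
    recipient = "owner@example.com"   # placeholder key owner address
    shell_style = ["sh", "-c", "echo " + card_number + " | gpg -ea -r " + recipient]
    print("shell pipeline puts PAN in argv:", leaks_secret_to_argv(shell_style, card_number))
    print("argv list puts PAN in argv:",
          leaks_secret_to_argv(build_gpg_argv(recipient), card_number))
    # encrypt_for_owner(card_number.encode(), recipient, "/path/to/gnupghome") needs gpg + key
```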

"That depends on what credit card processing gateway you choose. I am sure the penalties are much greater if your server or database is hacked :shocked:"

 

I would not be keeping credit card info on the site but offline.

 

"This isn't a matter of keeping PHP secure - its a matter of keeping your server secure. Is your server a dedicated server? If it isn't, I would not do manual credit card processing - the risk is just too great."

 

There is an inherent risk in passing on information to a 3rd party that stands between you and the credit card company. Information is shared. PHP has its faults like any other script or language.

 

"I will say again to reconsider your plans. It is clear you are not security oriented otherwise you would have not posted these questions :? You shouldn't do whats best for you, but whats best for your customers."

 

The whole idea of posting questions and soliciting advice is to get some second opinions while developing a plan. I am early in the game yet at this point. I have not even made a final decision on whether I am even going to switch to osCommerce at this point.

 

The person who does not solicit the opinions of others who have experience with another product is missing the opportunity to learn from others.

 

If you use a payment gateway, in general, you are billing the customer right away. You are trusting the process to a 3rd party.

 

I like to verify certain info myself, along with the usual billing address, against info available on the Internet, blacklists (our own and others), phone number checks, etc., i.e. make my own final acceptance or refusal.

 

There is no such thing as 100% security, nor a "perfect way" to conduct commerce. I am thinking about my customers.

 

You do not know me - don't be so quick to judge.

 

Sincerely,

 

John

John C. Kostiuk

big stogies

www.bigstogies.com


I like to verify certain info myself, along with the usual billing address, against info available on the Internet, blacklists (our own and others), phone number checks, etc. ie make my own final acceptance or refusal.

 

Then a live processing gateway is out of the question :) Unless of course there is a service available that sends confirmation on the validity of the credit card and holds the information waiting for processing confirmation from the store owner - anyone know of such a service? CCVS?

 

You are right that using PGP/GnuPG would be the way to go - perhaps even utilizing some native php openssl functions.

 

I am thinking about my customers.

 

That's what I like to hear :D

 

You do not know me - don't be so quick to judge.

 

I did say not to take my post the wrong way - I am only providing my views as help.

:heart:, osCommerce


Hi,

 

I have my own "old fashioned" retail machine for processing cards, and we pick up the phone and call to verify number and billing address info before we do anything.

 

Things to consider from our experience (why manual can be cool):

 

- Sometimes customers change their minds (surprise!!!) after placing an order. This avoids the refund/credit back route.

 

- Sometimes you think something is in stock and find out that your supplier gave you faulty information, i.e. supply is not consistent or reliable.

 

- Some customers get that fuzzy warm feeling and like the fact that they can still place an order by phone knowing that you are not just going to turn around and punch it into a computer (hooked up to the net) when you hang up the phone.

 

John

John C. Kostiuk

big stogies

www.bigstogies.com


Payment Gateways, in my opinion, provide the safest method to accept payments online. The customer is protected because you do not have access to their CC details. I have used SecureTrading in the UK because they offer the following:

  • Refund transactions - either completely or partially
  • Repeat a transaction
  • Reverse an authorised transaction
  • Specify settlement dates
  • Modify the payment amounts to be settled.

Everyone worries about SSL and encryption when emailing/storing CC details online, but how secure is your phone line? And what encryption method does a pen and paper use?


Isn't there a way to have the database encrypt the CC # like mySQL does passwords? Then with Public key crypto you can decrypt the CC #?

 

MySQL passwords don't use a public/private key mechanism.

 

It encrypts passwords with the provided seed.

 

encode with:

update table set password = encode("mypassword", "seed");

 

and decode with:

select decode(password, "seed");

 

I guess it's easily crackable with a bit of time.


I guess it's easily crackable with a bit of time.

 

There is also the issue of securing the communication from database server to web server (or application) - if the database is on a different server than the web server.

 

I believe MySQL 4.0+ supports SSL encryption.

:heart:, osCommerce


There is also the issue of securing the communication from database server to web server (or application) - if the database is on a different server than the web server.

 

I believe MySQL 4.0+ supports SSL encryption.

 

I would say 99% of MySQL servers are on localhost, so most people don't have to worry about that.

 

You can always set up an SSH tunnel, though :)

 

If you have a shop big enough to require a different MySQL server, there should be a good sysadmin that is able to deal with the communication between them.


I would say 99% of MySQL servers are on localhost, so most people don't have to worry about that.

 

On a shared server at some big ISP you will see that the MySQL server is a dedicated machine on a local network that cannot be reached from outside. Not localhost, but something like db4.myisp.net or whatever.

 

In that case (examples: puretec, pair, strato, host-europe) there is a security issue as network traffic is mostly unencrypted.

 

On a dedicated server you are probably right.

You can't have everything. That's why trains have difficulty crossing oceans, and hippos did not adapt to fly. -- from the OpenBSD mailinglist.


"Everyone worries about SSL and encryption when emailing/storing CC details online, but how secure is your phone line? And what encryption method does a pen and paper use?"

 

Ever taken an order by phone? Some people still offer that choice these days.

John C. Kostiuk

big stogies

www.bigstogies.com


After reading this thread I'm a little worried.

 

Doesn't the CC number only go to the CC online processors like authorize.net or any other service, with your shop having SSL?

 

Why store the customer's CC on your server's DB?

 

I know many customers would like some feature where if they buy another product then it would be billed with the same CC number (if they choose so), but isn't it safer to only let the CC services handle that?

 

Is there a feature where the customer pays for something with a CC and then whenever it's processed/paid it's sent back to you as the payment confirmed?

 

I know (not sure) there's some laws on manually accepted CC orders where you're not allowed to send a payment confirmation or receipt or something like that.


John,

 

Just a little note..

 

Here is what I am doing... I have a Production web server that hosts osCommerce and then a Production MySQL Server that is physically connected to my web server by way of a crossover cable between two NICs. Win2k NT Security, IPSec Policy, IP Filtering, IP Restriction, Non-Routable IP Addresses and a firewall.

 

This is the best I think I could come up with. Oh, BTW, the NICs are 66MHz 64-bit 1Gbps for awesome throughput!

 

Only the web server has an internet connection, so the DB is totally isolated!

 

I have even thought of using NetBEUI between the two NICs or even IPX/SPX.

 

I will give each a fair shot later...

 

But the physical separation and segregation I think was the priority on my mind..

 

If anyone knows of any probs with this kind of setup, let me know..

 

Speed seems not to be an issue.. It's very fast!!

 

Oh, everything is also dual proc Athlon MP 2000+ with 1 GB RAM for caching..

 

It might sound like overkill but I am an extremist!! :D

 

Shawn


Shawn, your DB may indeed be isolated from the internet, directly that is. But still, if I can hack your machine running the software, your DB is connected to that machine, so I can still access the data. What prevents me from accessing it if I can hack into your account?

 

I think it makes you feel great that it is isolated, but it isn't.

Steve


John,

 

Only the web server has an internet connection, so the DB is totally isolated!

 

Shawn

 

I agree with sfatula, it is not really isolated.

 

Here are a couple of tips that would aid you in further securing your boxes.

 

I would lock down the DB server to have nothing on it but a DB, and all ports shut down except an odd port where you would have access to your DB.

 

The sad truth is, as long as you're not completely disconnected from the internet you are not isolated... you may be protected but not isolated :(

 

Good luck


I would lock down the DB server to have nothing on it but a DB, and all ports shut down except an odd port where you would have access to your DB.

 

This is already the case.

 

In fact, without really disclosing some of our precautions [for obvious reasons],

 

I think it would be safe to say that the only way I can think of anyone being able to compromise the DB server would be by using the osCommerce web interface. How this could be done I am not sure, without having more experience with osCommerce.

 

If you [anyone] suggest that access could be gained by compromising the web server directly, this has been taken into consideration and compensated for.

 

I am curious, however, if there is anything that anyone has done to encrypt the data that is stored in the DB. From my limited understanding of MySQL, the data is stored as plain text. Only a problem should the DB server become compromised.

 

I am still concerned about illegitimate access to the DB gained by use of the osCommerce application itself... anyone??

 

 

Shawn
