weak links in online shopping security

wabmester

Given the "secure data" incident du jour, I figured you might want to know how secure online shopping really is.   I've been out of the loop for years, so please feel free to correct me if my picture is stale.

Here's where your credit card and personally identifying information goes when you buy something online:

1) The connection between your computer and the shopping site.

As long as your browser initiates a secure connection to the host (and you see that little lock icon in your browser), this is pretty secure.   I wouldn't worry about a breach at this level.

2) The shopping site's internal network.

Once you submit your credit card info to the host, it travels from their public front-end to their private back-end.    This is a potential vulnerability, but most big name sites will do this right.    Smaller sites probably won't get it right and may store your sensitive data on a machine accessible from the internet.    Many security breaches happen on these smaller sites all the time.

3) The shopping site's transaction database(s).

Assuming your data makes it securely to a firewalled back-end, it's stored in their database.     There are *many* internal security holes at this level, even for the big name sites.    For example, they may store the data unencrypted.   Or they may give access to low-level customer service employees with no security audits or criminal background checks.   Or they mirror the transaction database for data mining by other low-level employees or a QA crew.

4) The connection between the shopping site and their payment gateway.

Your credit card info is passed to a payment gateway which handles a variety of payment types.    This connection is usually secure, but you might be surprised to learn that it's often less secure than the connection from your PC to the online store.

5) The payment gateway's databases.

You'd think that payment gateways would be super-sensitive about security.    You'd be wrong.   Although things have improved in recent years due to several reported breaches.

6) The connection between the gateway and the card processor.

The gateway talks to various card processors depending on which card you're using.   This connection is generally secure.

7) The card processor's databases.

Now we're deep down in the bowels of the payment processing system.   You'd think things were REALLY secure in here.    You'd be wrong again.   Google "CardSystems" for example.

8) The connection between the card processor and VISA/MC, etc.

The card processors talk directly to VISA et al.   These guys understand security, but I wouldn't be surprised to hear about a breach at this level.

9)  Credit card reporting agencies.

Your issuing bank reports your credit card transactions to Equifax, Experian, TransUnion, etc. You'd think that this process was *very* secure, but again, you'd be wrong. I think it was Citibank who recently "lost" a bunch of *unencrypted* tapes en route to one of these guys.

10) Your online credit report.

Probably pretty secure, but we're talking about very sensitive information available over a public network.   Assume it will be breached someday.

Bottom line: there are *many* weak links in the chain.   If you shop online, check your credit card records often, or use one of those one-time card number generators that many of the issuing banks support these days.   (I usually use the version available from DiscoverCard.)
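A defender's check for weak link 3 in the post above (card data stored in the clear, or mirrored into QA and data-mining copies): an added Python example, not from the original thread, that scans rows from a database or log dump for Luhn-valid card numbers and reports them masked. The regex, column names and sample rows are constructed for the demo; the two card numbers in it are well-known test numbers, not real cards.

```python
import re
from typing import Iterable

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by the card networks; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, digits only."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def mask_pan(digits: str) -> str:
    """Keep only the first 6 and last 4 digits, the usual masked form."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_rows(rows: Iterable[dict]) -> list:
    """Scan every column of every row (e.g. a transaction-DB mirror) for PANs."""
    findings = []
    for row in rows:
        for col, val in row.items():
            for pan in find_pans(str(val)):
                findings.append((row.get("id"), col, mask_pan(pan)))
    return findings

# Constructed sample rows (hypothetical schema; test card numbers only).
SAMPLE_ROWS = [
    {"id": 1, "note": "order ok", "card": "4111 1111 1111 1111"},
    {"id": 2, "note": "phone 555-0100 ref 1234567890123", "card": "tok_abc"},
    {"id": 3, "note": "refund 5105105105105100 issued", "card": "****5100"},
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

Row 2 shows the point of the Luhn filter: a 13-digit reference number is not reported, while the PAN pasted into a free-text note in row 3 is.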
 
Scott Adams had a Dilbert cartoon about secure online shopping. Dilbert and his friend/date were discussing the topic at a restaurant and Dilbert was paying for the meal with a credit card.

Around the panel where he was making the point how secure online shopping really was, their waitress came back with his credit card... and was also wearing a new mink coat.
 
My company does online sales, the credit card companies and processors take security very seriously.
 
I have been shopping online for 11 years now. (First purchase online was in 1995.) I have never had a problem with online purchases in that time. My wife and I have had our numbers stolen while at restaurants during that time. We check our credit cards daily for activity and also have an alert on our credit so if someone checks we are notified.

If you have a credit card you should keep a very close watch on it no matter where or how often you use it.
 
wompo said:
If you have a credit card you should keep a very close watch on it no matter where or how often you use it.

That's good advice and I watch mine closely. But I think that identity theft is like termites are around here: it's not "am I going to get hit" but "when I get hit". A couple of years ago I went to in-service training on investigating ID theft and the head of the unit asked for a show of hands from the audience (all cops) for who had already been victimized. About 30% raised their hands, including the instructor, and he commented "it's just a matter of time before they get the rest of you."
 
Well, Leonidas, you've been here a couple weeks and, as the man said to Dirty Harry, "I gots to know".

I can see why someone in law enforcement would choose a centurion as an avatar. But of all the centurions who went on to lead happy & productive lives, what made you settle on Leonidas? Especially considering where you're at in life now?!?
 
Leonidas said:
it's just a matter of time before they get the rest of you

True. And probably the biggest risk is from somebody stealing mail from your mailbox. Get a PO box.
 
As Nords alluded to with the Dilbert strip, real-life CC transactions have over half those troubles, too.

It's ridiculous, but I do the best I can and deal with large merchants, make sure the lock icon is there and do other things to protect my PC.

For many users, their own PC may be the weakest link in the chain. If it's infected with spyware then it doesn't matter how secure the rest of the chain is; it's like somebody's looking over your shoulder with a video camera to be double-sure.
 
Nords said:
Well, Leonidas, you've been here a couple weeks and, as the man said to Dirty Harry, "I gots to know".

I can see why someone in law enforcement would choose a centurion as an avatar. But of all the centurions who went on to lead happy & productive lives, what made you settle on Leonidas? Especially considering where you're at in life now?!?
Fair question, and one that runs with the general tone of conversation around here.

Actually, Leonidas was a king of Sparta who took a few hundred men to the pass at Thermopylae and faced off against Xerxes and the Persian army. The odds were something like 100,000 to 1 but Xerxes decided to give the Spartans a chance and ordered them to give up their weapons. Leonidas replied “Molon Labe” (Come and get them) and then proceeded to hold the Persians off for days. Everything the Persians threw at them was repulsed and the battle was fought on a mountain of Xerxes’ dead soldiers. In the end it was only because a traitor showed the Persians how to outflank the Spartans that they were able to surround them.

Leonidas and the Spartans continued to fight until their spears broke and they then used their swords until those broke and they resorted to sticks, rocks, fists and teeth. Leonidas was killed, but his troops fought by his body until the bitter end.

The Spartans held the Persians long enough for the rest of the Greeks to get their act together, defeat Xerxes’ fleet and eventually send him packing. It saved the nation that became the cradle of democracy.

What's not to admire is what I say.

Why I’m feeling so much affinity for brother Leonidas at this stage of my life is a little more complicated.

After I semi-retired I figured I had grabbed the brass ring financially and knew that I had everything I could want in family life. But I wanted a little more so I explored briefly with what I’ll call “government sponsored adventures” far from home. The risks weren’t that different from anything I had years of experience at, it just tended to be a little more compact spatially and chronologically. Yet, there was one moment when I thought we were in a real tight spot and all I could think of was “why am I here doing this?” That and the realization that since I wasn’t a government employee the G wasn’t going to ship my carcass home and I wondered if my wife would spring for FedEx “Next Day Delivery” or would the body come home on a slow freighter.

After my commitment was complete I turned down offers to stay and I shook the dust of that place off my heels. On the way home I reflected on my experience and at first I just chalked it up to that fact that the joys of being an adrenaline junkie had faded with age. And there is a grain of truth in that because the whole near death experience thing loses its glamour very quickly, and if you do it long enough it really starts to suck after a while. But I kept coming back to the same thought, what a stupid way that would have been to die. A violent death a year earlier would have been a sad consequence resulting from what I did for a living, but what had changed was that I didn’t do that job anymore. I didn’t need the money, my presence provided a little moral support and sense of security for a few people but not that much, and the adrenaline monkey could have been fed closer to home so I could sleep in my own bed each night. Being there for the reasons I thought I went for was just dumb.

I kept imagining my family and friends at the funeral all saying the same thing: "What a moron."

After I was home I began to worry about my mistake and wondered if my pre-retirement way of thinking had created a similar disconnection with reality in my retirement planning. I tore the plan apart looking for flaws by running numbers and wargaming a hundred different scenarios. There were a few things that I made some improvements on, but I couldn't find anything really wrong. And that bothered me because by then I had convinced myself that I had to have screwed up somewhere. The fact that I couldn't find the flaw was just proof that I was too stupid to start with.

Again, I had visions of everyone calling me a moron when I wound up flipping burgers at Mickey D’s in order to pay rent and buy cheap wine. Equally disturbing was the prospect of being the too cautious old guy sitting on more money than I can spend and living a life of regret for opportunities not taken.

It got kind of crazy after a while and I decided I needed to take a break because I couldn’t see the forest because of all the darn trees in the way. I grabbed a cigar, made a cocktail and snatched the first fiction book I found that looked interesting. It was a fictionalized accounting of Leonidas and the battle at Thermopylae.

The astounding thing about Leonidas’ plan was that while it was brilliant it required total commitment. He could only hope that his move would buy the Greeks enough time to get their act together. But, regardless of that outcome his head was going to wind up on a spike outside Xerxes’ tent. When he left home he told his wife to go find a good husband because he was not coming back.

Talk about an amazing degree of confidence.

And that is what my problem was. A minor glitch caused me to doubt the plan and myself and it sort of got out of control for a while. No doubt I would have figured it out soon enough for myself, but the handle is in honor of Leonidas and the luck that caused me to pick that book rather than the Harry Potter novel I was eyeing.
 
Excellent, thanks. Among Leonidas, Harry Potter, and Ted Geisel you have all the literary classics covered...
 