wabmester
Given the "secure data" incident du jour, I figured you might want to know how secure online shopping really is. I've been out of the loop for years, so please feel free to correct me if my picture is stale.
Here's where your credit card and personally identifying information goes when you buy something online:
1) The connection between your computer and the shopping site.
As long as your browser initiates a secure connection to the host (and you see that little lock icon in your browser), this is pretty secure. I wouldn't worry about a breach at this level.
2) The shopping site's internal network.
Once you submit your credit card info to the host, it travels from their public front-end to their private back-end. This is a potential vulnerability, but most big name sites will do this right. Smaller sites probably won't get it right and may store your sensitive data on a machine accessible from the internet. Many security breaches happen on these smaller sites all the time.
3) The shopping site's transaction database(s).
Assuming your data makes it securely to a firewalled back-end, it's stored in their database. There are *many* internal security holes at this level, even for the big name sites. For example, they may store the data unencrypted. Or they may give access to low-level customer service employees with no security audits or criminal background checks. Or they mirror the transaction database for data mining by other low-level employees or a QA crew.
4) The connection between the shopping site and their payment gateway.
Your credit card info is passed to a payment gateway which handles a variety of payment types. This connection is usually secure, but you might be surprised to learn that it's often less secure than the connection from your PC to the online store.
5) The payment gateway's databases.
You'd think that payment gateways would be super-sensitive about security. You'd be wrong, although things have improved in recent years due to several reported breaches.
6) The connection between the gateway and the card processor.
The gateway talks to various card processors depending on which card you're using. This connection is generally secure.
7) The card processor's databases.
Now we're deep down in the bowels of the payment processing system. You'd think things were REALLY secure in here. You'd be wrong again. Google "CardSystems" for example.
8) The connection between the card processor and VISA/MC, etc.
The card processors talk directly to VISA et al. These guys understand security, but I wouldn't be surprised to hear about a breach at this level.
9) Credit card reporting agencies.
Your issuing bank reports your credit card transactions to Equifax, Experian, TransUnion, etc. You'd think that this process was *very* secure, but again, you'd be wrong. I think it was Citibank who recently "lost" a bunch of *unencrypted* tapes en route to one of these guys.
10) Your online credit report.
Probably pretty secure, but we're talking about very sensitive information available over a public network. Assume it will be breached someday.
Bottom line: there are *many* weak links in the chain. If you shop online, check your credit card records often, or use one of those one-time card number generators that many of the issuing banks support these days. (I usually use the version available from DiscoverCard.)