Security
Date: Jan-2008 (Revised)
Security tools and tips for Comersus shopping cart
A small business in the publishing industry decides to start
selling retail on the web. The webmaster contacts the hosting
service provider and is delighted to learn that the service
includes a PHP shopping cart free of charge. He installs the
shopping cart from the hosting control panel and within minutes
he starts loading the book catalog and setting his preferences.
While the managers sign up for a Merchant Account and decide
on a payment gateway, the webmaster configures an off-line credit
card system in order to start selling right away.
They launch an ad campaign with banners and the Google AdWords
system, and the store starts getting visits. The implementation
turns out to be a huge success: sales amount to $1,150 the first
month, much more than expected.
The following month the trouble starts: some customers call
to complain that after purchasing the books their credit
cards received many additional charges; other people claim that
they have been charged for books they never bought, which were
shipped to PO Boxes. At the same time notices about fraudulent
sales start pouring in: threats to cut the store off from
accepting card payments, and letters from lawyers threatening to
sue for fraud, privacy violation and lack of data protection.
Just when they think nothing else can possibly go wrong, the
whole catalog is suddenly deleted and the shopping cart home
page is replaced with offensive messages stating that the store
has been hacked.
The webmaster then uninstalls the shopping cart and hires a
computer security consultant to diagnose the situation. The
specialist's report states that the attackers took advantage
of several vulnerabilities in the shopping cart.
First they launched a dictionary attack against the control panel
login and, once inside, downloaded the customer list. Because
credit card numbers remained in the database after the transactions
had been processed, the attackers obtained that data as well.
Later, other attackers used SQL injection to delete every product
and to insert a product whose description carried offensive
messages, which the home page then displayed.
The shopping cart also had flaws that let customers alter the
prices of the products they were buying, and nothing in the cart
flagged the difference, so the webmaster never noticed the change.
The main mistake in this case was the lack of precaution when
implementing the online store. While it is true that the installed
PHP shopping cart had security flaws and lacked measures to
prevent attacks, the main responsibility rested on the webmaster.
He could have avoided most problems by taking very simple measures
such as:
1. Searching the web for vulnerabilities of the shopping cart
in general and his version in particular
2. Contacting the cart developers for installation and customization
advice related to increasing security, as well as patches for
known vulnerabilities
3. Deciding, based on his findings, whether that shopping cart
was the best choice to sell online
4. Consulting a computer security specialist as far as the budget
allowed
A shopping cart is a tool designed to sell and increase profitability.
Security issues deriving from flaws in the software itself go
against this ultimate goal. Therefore it is very important for
shopping cart developers to consider security measures and provide
tips on how to avoid most common problems.
Comersus has developed its shopping cart software with several
security measures in mind, including:
1. Dictionary attack prevention with profile blocking for the
control panel (the admin profile is blocked after repeated failed
logins)
2. Prevention of SQL injection attacks in high-risk, sensitive
areas (every query that carries user input should be parameterized,
not only those in sensitive areas)
3. Password and sensitive information encryption with the RC4 and
DES algorithms (both are legacy ciphers, and DES's 56-bit key is
within reach of brute force; passwords in particular are better
stored as salted hashes, which cannot be decrypted at all)
4. Support for credit card record deletion after transactions
are processed
5. Detailed recording of catalog stock operations
6. Snapshot of each sale to verify the amount charged for each
product in each order
7. Support for blocking purchases from free e-mail addresses
and orders with suspicious text strings
8. Support for blocking customers who have performed chargebacks
and/or troublesome customers
9. Recording and viewing the last login at the control panel
10. Recording customers' IP with each order
11. Global customer password resetting when an intrusion is suspected
12. Support for closing the store with one click, stopping checkouts
while trouble is diagnosed
13. Delivery of database error reports to the administrator
by email or SMS
14. Admin password verification test
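The control panel protection in items 1 and 9 above, as an added example in Python that is not Comersus's own code: an admin profile whose password is stored as a salted PBKDF2 hash rather than a reversibly encrypted value, a login check that blocks the profile after a fixed number of failed attempts and records the last successful login, and a simulated dictionary attack of the kind described in the incident earlier on the page run against it. The thresholds (five attempts, fifteen minutes), the profile fields and the word list are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from typing import List, Optional

# Assumed policy values for the example; the real Comersus thresholds are not
# documented on this page.
MAX_FAILED_ATTEMPTS = 5       # block the profile on the fifth consecutive miss
LOCKOUT_SECONDS = 15 * 60     # keep it blocked for fifteen minutes
PBKDF2_ROUNDS = 100_000       # slow hash: every guess costs the attacker real time


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256; the stored digest cannot be decrypted back."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class AdminProfile:
    """Constructed control-panel profile carrying the state the lockout needs."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.failed_attempts = 0      # consecutive misses since the last success
        self.locked_until = 0.0       # epoch seconds; 0 means not blocked
        self.last_login = None        # shown to the admin, as in item 9


def login(profile: AdminProfile, password: str, now: Optional[float] = None) -> str:
    """Returns 'ok', 'denied' or 'locked'. A blocked profile is refused even
    when the password is right; that is what defeats the dictionary attack."""
    now = time.time() if now is None else now
    if now < profile.locked_until:
        return "locked"
    _, candidate = hash_password(password, profile.salt)
    if hmac.compare_digest(candidate, profile.digest):   # constant-time compare
        profile.failed_attempts = 0
        profile.last_login = now
        return "ok"
    profile.failed_attempts += 1
    if profile.failed_attempts >= MAX_FAILED_ATTEMPTS:
        profile.locked_until = now + LOCKOUT_SECONDS
        profile.failed_attempts = 0
        return "locked"
    return "denied"


# Constructed word list; the real password is the last entry, so a login
# without lockout would fall on the seventh guess.
WORDLIST = ["password", "123456", "admin", "letmein", "qwerty", "comersus", "Tr0ub4dor&3"]


def dictionary_attack(profile: AdminProfile, wordlist: List[str], start: float = 0.0) -> List[str]:
    """Tries one guess per second and returns the outcome of each attempt."""
    return [login(profile, guess, now=start + i) for i, guess in enumerate(wordlist)]


if __name__ == "__main__":
    admin = AdminProfile("admin", "Tr0ub4dor&3")
    print(dictionary_attack(admin, WORDLIST))
    # ['denied', 'denied', 'denied', 'denied', 'locked', 'locked', 'locked']
    print(login(admin, "Tr0ub4dor&3", now=LOCKOUT_SECONDS + 60))   # 'ok' once the block has expired
```

The attack never reaches the correct guess: the fifth miss blocks the profile and the remaining guesses, right or wrong, are refused until the block expires. In a real control panel the block should also be logged and the last-login timestamp shown to the admin, so that a lockout that the admin did not cause is noticed.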
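Item 2 above, as an added example in Python with SQLite that is not Comersus's own code: two catalog maintenance functions written the vulnerable way (request values pasted into the SQL text) next to the same two functions with type checks and bound parameters, and the two payloads from the incident described earlier on the page (deface every product, then delete the whole catalog) run against both. The table layout, the product rows and the payload text are constructed for the example.

```python
import sqlite3

# Constructed catalog for the example; the real store's schema is not on this page.
SEED_PRODUCTS = [
    (1, "Book A", "A novel", 12.50),
    (2, "Book B", "A cookbook", 24.00),
    (3, "Book C", "A travel guide", 9.99),
]


def make_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", SEED_PRODUCTS)
    conn.commit()
    return conn


def names(conn) -> list:
    return [row[0] for row in conn.execute("SELECT name FROM products ORDER BY id")]


def descriptions(conn) -> list:
    return [row[0] for row in conn.execute("SELECT description FROM products ORDER BY id")]


# --- vulnerable: request values are pasted into the SQL text ---

def set_description_vulnerable(conn, product_id: str, description: str) -> None:
    # A quote inside description closes the literal; the rest is parsed as SQL.
    conn.execute("UPDATE products SET description = '" + description + "' WHERE id = " + product_id)
    conn.commit()


def delete_product_vulnerable(conn, product_id: str) -> None:
    # No quote needed in a numeric context: "1 OR 1=1" is true for every row.
    conn.execute("DELETE FROM products WHERE id = " + product_id)
    conn.commit()


# --- hardened: values are type-checked and bound as parameters ---

def set_description(conn, product_id: str, description: str) -> None:
    pid = int(product_id)      # anything that is not an integer is rejected here
    conn.execute("UPDATE products SET description = ? WHERE id = ?", (description, pid))
    conn.commit()


def delete_product(conn, product_id: str) -> None:
    pid = int(product_id)
    conn.execute("DELETE FROM products WHERE id = ?", (pid,))
    conn.commit()


# Constructed payloads of the kind used in the incident described earlier.
DEFACE_PAYLOAD = "The store has been hacked' WHERE 1=1 --"
WIPE_PAYLOAD = "1 OR 1=1"


def run_attack(vulnerable: bool) -> dict:
    """Applies both payloads to a fresh store and reports what is left of it."""
    conn = make_store()
    result = {}
    try:
        (set_description_vulnerable if vulnerable else set_description)(conn, "2", DEFACE_PAYLOAD)
        result["descriptions"] = descriptions(conn)
        (delete_product_vulnerable if vulnerable else delete_product)(conn, WIPE_PAYLOAD)
        result["rejected"] = False
    except ValueError:
        result["rejected"] = True
    result["remaining"] = names(conn)
    return result


if __name__ == "__main__":
    print(run_attack(vulnerable=True))    # every description defaced, no products left
    print(run_attack(vulnerable=False))   # payload stored as plain text, delete rejected
```

With the vulnerable functions the first payload rewrites every product's description (the `--` comments out the original WHERE clause) and the second empties the table. With the hardened functions the same description is stored verbatim as data for product 2 only, and the delete fails on the integer conversion before any SQL is built. Binding parameters is the fix; the integer check is the cheap extra that also keeps the error out of the database layer.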
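Item 6 above, the snapshot of each sale, as an added example in Python that is not Comersus's own code. It shows the price-tampering flaw from the incident described earlier on the page: a checkout that totals the unit prices posted by the browser, next to one that re-prices every line from the server's catalog, and an order snapshot that records the catalog price at the moment of sale so that the amount actually charged can be audited afterwards. The catalog, SKUs and the tampered POST are constructed for the example.

```python
from decimal import Decimal
from typing import Dict, List

# Constructed catalog: the server's authoritative unit prices by SKU.
CATALOG: Dict[str, Decimal] = {
    "B-101": Decimal("12.50"),
    "B-102": Decimal("24.00"),
    "B-103": Decimal("9.99"),
}


def total_vulnerable(posted_items: List[dict]) -> Decimal:
    """Adds up whatever unit price the browser posted, which is what a cart
    that carries prices in hidden form fields effectively does."""
    return sum((Decimal(item["price"]) * int(item["qty"]) for item in posted_items), Decimal("0"))


def price_lines(posted_items: List[dict], catalog: Dict[str, Decimal] = CATALOG) -> List[dict]:
    """Validates each posted line and attaches the catalog price; any price
    field in the POST is simply ignored."""
    lines = []
    for item in posted_items:
        sku = item["sku"]
        if sku not in catalog:
            raise ValueError("unknown sku %r" % sku)
        qty = int(item["qty"])
        if qty < 1:
            raise ValueError("quantity must be at least 1")
        lines.append({"sku": sku, "qty": qty, "unit_price": catalog[sku]})
    return lines


def total_hardened(posted_items: List[dict], catalog: Dict[str, Decimal] = CATALOG) -> Decimal:
    """Server-side total built only from catalog prices."""
    return sum((line["unit_price"] * line["qty"] for line in price_lines(posted_items, catalog)), Decimal("0"))


def order_snapshot(posted_items: List[dict], catalog: Dict[str, Decimal] = CATALOG) -> List[dict]:
    """The per-sale record of item 6: SKU, quantity and the catalog price at
    the moment of sale, stored with the order (later price changes do not affect it)."""
    return price_lines(posted_items, catalog)


def audit_charge(snapshot: List[dict], amount_charged: str) -> Decimal:
    """Re-adds the snapshot and returns how far short the charge fell;
    zero means the amount charged matches the catalog prices of the sale."""
    expected = sum((line["unit_price"] * line["qty"] for line in snapshot), Decimal("0"))
    return expected - Decimal(amount_charged)


# Constructed checkout POST in which the customer edited one unit price in the browser.
TAMPERED_POST = [
    {"sku": "B-101", "qty": "1", "price": "0.01"},    # catalog price is 12.50
    {"sku": "B-102", "qty": "2", "price": "24.00"},
]


if __name__ == "__main__":
    print(total_vulnerable(TAMPERED_POST))                    # 48.01, the tampered amount
    print(total_hardened(TAMPERED_POST))                      # 60.50, the real amount
    print(audit_charge(order_snapshot(TAMPERED_POST), "48.01"))   # 12.49 short: flag this order
```

The audit is what turns a silent loss into a warning sign: when the gateway receipt for an order and its snapshot disagree, the difference is exactly what the customer shaved off, and a nightly pass over recent orders catches it even if the checkout code itself was never fixed.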
We can then ask ourselves whether choosing a shopping cart
with a series of security measures is enough to guarantee a
secure implementation. The answer is plainly: no.
Security requires constant action and is not limited to taking
measures during implementation. Imagine a vulnerability is discovered
in your Web Server or your database. The attacker could access
sensitive information without ever touching your shopping cart.
If a flaw in the payment gateway you use is exploited, your
business is exposed even though the shopping cart was never
involved. And a user who chooses Comersus but does not read the
documentation and security advice, installing the free version
with default settings, is still putting their e-commerce
implementation at risk.
Choosing a security-minded shopping cart is important but not
enough. Store administrators should follow the security advice during
installation, keep in regular contact with the software developers,
and subscribe to lists that carry vulnerability reports. They should
monitor the use of the cart continuously and perform regular checks
in search of warning signs.
In conclusion, the right choice of shopping cart combined with
a proactive and informed attitude is the key to years of uneventful
online sales and excellent profitability.
