Ever wondered how do hackers steal credit cards from ecommerce sites and why the problem is not going away any time soon.
Firstly there is no good reason why any ecommerce site should store credit card numbers in their databases. The reason most do it is to avoid credit card company charges for storing card details.
How do hackers get credit card numbers from websites?
1. through over trusting store owners who do not have a technical understanding of how their site is set up.
I meet lots of store owners who don’t know where they are hoster, who registers their domain or what the last development company did on their website. It never ceases to be amaze me when we audit a site to find the finger prints of numerous developers on a site from different companies. The store owner has no clue who these people really are and has let them with unfettered access to their admin areas. Lots of FTP accounts left lying dormant with no cleanup done after developers have been in and around sites.
2. through insecure admin usernames and passwords.
If you use admin as a username that’s 50% of the security thrown away in 1 username. Test123 and various other stupid passwords are not secure. Once a hacker can get into your admin they can plant files on your site. These may trigger now or later. They usually sit dormant and then trigger off during peak seasons.
3. through un-official addons.
Have you got a free facebook addon or social media share addon running on your site. Chances are its actually a backdoor script to your system. You may upload this script and later it installs another script remotely and replaces your payment gateway. The gateway works perfectly but its making copies of the data on your checkout page and sending them to the hackers database. This is becoming the favorite way to gain access to hack a website. All addons you install should have 100% visible code. Be manually searched for suspicious scripting. If it is very easy to install and its free and its giving you alot of functionality then ask yourself why would someone give away all this work for free ?
4. from internal technical staff
Yes the worst nightmare where internal staff develop custom code to divert credit card numbers on a website to another location.
We at willows consulting perform security audits of opensource ecommerce sites. PCI if followed to the letter will cover most breaches, however if the PCI auditor is the coder then there is nothing to prevent a false declaration on a SAQ to prevent this. It should be said false declarations and informations on SAQ’s is illegal in all countries and against the rules of all credit card processors.
5. from an attack on your hosters
Be sure your hosters are running regular security updates. Many hosters do not update their servers unless requested to by customers. We always recommend a fully managed dedicated server to run your ecommerce on. Dedicated secure ecommerce hosting is the best way to go. Your site is 100% yours and there are not other sites belonging to others on the same server.
Remember if you have credit card details of your customers stolen or intercepted on your website it is a data breach and must be reported to the Data Protection Commissioners office with in 72 hours of discovery, as well as notifying the affected customers too.
Using 3d secure for payments protects the store owner from fraudulent cards. However it also adds an extra step to the checkout and kills conversions. 3d secure is often insisted on by the Merchant Card Account companies.
Read our GDPR for Ecommerce Page.