|
| |
|
|
Joe Hussar
Posts: 241
From: Chuluota, FL 32766, USA
Status: offline
 |
web site security issue - 8/6/2004 6:15:01
I've have had my Front Page web site hosted with a very reputable server for several years. I have a shopping cart which is secured via SSL technology (Thawte).
Starting about 3 weeks ago I've had a number of instances where the customer credit card is denied by the credit card company when I process the order. The reason turns out to be that the credit card number was stolen and used fradulantly. This is all a very recent development. Of course there are always bad credit cards submitted, but the sheer number of instances and the almost identical circumstances is like a "run on the bank", highly unlikely to be just random timing, etc.
Sometimes the customer finds this out after I advise him/her that the credit card was denied; they then call the credit card company to find out what's going on. Sometimes the customer is advised directly by the credit card company (before I've even had a chance to call). In almost all of these cases the customer tells us they did NOT go anywhere else and use their card. They are convinced something is happening at my end (web site).
One problem I've had in trying to find out the cause is they have not been able to provide any specific information.........one customer told me she had to have a subpoena to get the details, and since the credit card company doesn't charge her for what is admittedly fradulant, she just didn't want to bother with it.
I have fire walls, and all the usual security protection. I have ruled out employee theft. I can find no place where my site is "leaking" but it's just too much of a coincidence.
Does anyone have any suggestions? Can anyone tell me where I could find a computer security "expert" that could really help me get to the bottom of this issue? It's a potential disaster.
Thanks!
Joe Hussar
candywebster@aol.com
http://www.candylandcrafts.com/
|
|
|
|
Reflect
Posts: 4769
From: USA
Status: offline
|
RE: web site security issue - 8/6/2004 7:42:10
Hi Joe,
I feel your pain!
I see you are using Danise cart. I found some things on this cart, it is rather dated (from 2000 through Oct. 2003) but ...
"While Dansie could issue a patch to customers to disable the backdoor, Harris said prudent users will uninstall the software and find a new shopping cart provider"
Referenced from here ...
http://www.internetnews.com/ec-news/article.php/4_340591
So first question is, are you running the patch?
Another dated find...
http://www.theregister.co.uk/2000/04/15/shoppingcart_back_door_gives_author/
Another dated find...
http://www.securityfocus.com/archive/1/Pine.LNX.3.95.1000411171050.24527G-100000@animal.blarg.net
And a less dated reference...
http://cgi.resourceindex.com/detail/01711.html
And a less dated reference than the last...
http://www.net-security.org/vuln.php?id=3027
So the latest reference that I found is from October 2003. To be fair on that note I searched several SEs to see if he had made some counter statements, I found nothing.
Now on the flip side on one E-Comm site that I did I had a bad run two years ago. I had a string of around 10 fraud orders. They were almost sequental which in my small mind suggested a CC companies DB somehow got raided. When working with CCC they waived a lot of the return fee %s. I thought this was curious as they had never done that in the past. I kept pressuring them on the CC numbers being almost in numerical order. They never did verify any of it but again I never had the CCC waive the return/credit fee/%.
So you have to expect fraud, it just depends on how you handle it and how quickly. Some sites will get targeted out of the blue. Normally though it is once people find a venerability.
HTH,
Brian
_____________________________
| |
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts
|
|
|
Printable Version 
