Security problem with shopping cart

gonsman

Hello there,

I recently encountered some security issues with a shopping cart system that I built. Several hundred orders have been placed fraudulently with stolen credit card numbers. Fortunately, only three of the orders were accepted by our system because Authorize.net did not accept most of them. The numbers were not stolen from us because we don’t store them in our database. I have been contemplating ways to harden the security. If I block an IP address that was assigned by a DNS server it is possible that another user could get that IP address at some point and then be denied access to our store. But what is the likelihood of that happening? Enough to consider, I imagine. If I just block that users account number, they could just set up another one, although this would slow them down.

Does anyone have any good ideas on how to secure a shopping cart system that doesn’t interfere with valid users? So far, all users must login through our secure url and start a session to place an order. I also require the “http_referrer” to be specific on certain pages. Thanks for the help.

-Sean

spookweb

From your post, it sounds like there might be room for improvement in the registration process. Without knowing more specifics, though, it would be hard to offer specific suggestions.

For example, in one of my shopping cart systems, I require the CC number at the time of registration, and do a pre-auth to make sure the card is valid. The CC number is encrypted and stored in the database. Then, before any purchases can be made, the user has to respond to the confirmation email address. Finally the user is required to enter the security code from the card (located on the back) each time they want to purchase anything. This was at the request of a very paranoid client, heh.

gonsman

I like the idea of requiring a credit card at registration, although they could still register with one of the valid cards and then change it for each order. I also like making them verify their e-mail address, but my client does not want to do that and it is so easy to sign up on hotmail or yahoo without any information at all. I also like the fact that you encrypt and store the credit number on file. I don't know much about encryption though, so I opted to not store the entire credit card number.

The shopping cart system works like this:

-User adds items to cart

-User must login over SSL or create a new account, nothing is verified except that each field has a value and important fields like email, and phone number are formatted correctly

-User enters credit card info and Authorize.net checks address, http_referrer must be from same domain.