Internet security and e-commerce

Posted: Tue Mar 02, 2004 2:47 pm
by pudding
I had an idea for an e-commerce web service, but I do not know all the risks associated with internet security and e-commerce, and I do not know what would be needed to overcome these risks.

One problem is with money transactions. I have looked around at several sites providing payment gateway services, but I do not know if there is any risk of information leaking out to potentially malicious people (account numbers, etc). I was also wondering how a payment gateway works, exactly.

On the server I want to store a massive amount of account information for users of the service. There would be a lot of sensitive information that I would like to stay secure, but I don't know the risks of people hacking the database or accessing information in other ways.

Because of the nature of the business I wish to construct, maximum security is a must ... but I do not know much about internet security nor secure money transactions.

Thanks.

Posted: Wed Mar 03, 2004 3:11 am
by McGruff
This is the kind of knowledge that only comes with time and experience. I'm afraid if you have to ask you're not ready.

Posted: Wed Mar 03, 2004 10:57 am
by voodoo9055
From my personal experience, it is better to leave the payment processing to an independent online merchant. There are many reputable processors out there: Paypal, 2checkout, etc.

Re: Internet security and e-commerce

Posted: Wed Mar 03, 2004 11:09 am
by Roja
pudding wrote: On the server I want to store a massive amount of account information for users of the service.

Because of the nature of the business I wish to construct, maximum security is a must ... but I do not know much about internet security nor secure money transactions.
If the second statement is true - if maximum security is a must - then the first statement is false (You do NOT want to store a massive amount of account information).

In fact, under the California privacy act passed (last year-ish?), any online business even doing business with a California resident must stringently protect that information. I won't try to provide legal guidance about what you need to protect, and to what level, but the penalties are *huge*.

The short answer is - let experts do it for you. Paypal, ibill, and similar companies make a business out of doing secure online bill payment/transaction processing. The risk space between your server and theirs is a relatively low risk zone, because you shouldn't have to pass hardly anything to them (most of those systems have the user fill out forms directly on their site - not yours).

Massive account information = valuable to attackers = likely to be attacked.

That equation, when combined with (lack of knowledge = lack of defenses) means that you will definitely end up with an easy-to-attack target that is attacked often.

Start from your second point - maximum security is a must. Everything else will follow from that - including not storing "massive" amounts of account information that would be a fantastic target for an attacker.

Posted: Wed Mar 03, 2004 11:22 am
by penguinboy
Security & paranoia go hand in hand.

Sure these other companies like paypal say they're secure,
but how do you really know?

Maybe they are secure to the outside world,
but what if some employee becomes disgruntled
and decides to steal a few accounts?

If you're a paranoid freak, like me, the best option is to host your own server and make it as secure as you feel is necessary.

Posted: Wed Mar 03, 2004 11:40 am
by voodoo9055
Put it this way, I know that Paypal would do a better job at keeping and securing that type of information than I would try doing on my own. No sense in trying to reinvent the wheel.

Posted: Wed Mar 03, 2004 1:10 pm
by penguinboy
Paypal provides a service not a product.
Therefore it isn't 'reinventing the wheel'.

I'm not trying to say everyone should ditch paypal and make their own secure payment system,
but if you want the responsibility of security lying on your shoulders;
you would have to make your own system.

Basically the only 'insecure' thing about paypal is;
the employees are people you do not know.

Posted: Wed Mar 03, 2004 1:35 pm
by Roja
penguinboy wrote:Security & paranoia go hand in hand.

Sure these other companies like paypal say they're secure,
but how do you really know?
Independent audits. Multi-million dollar daily transactions. No currently-filed major lawsuits against them for financial misconduct.

You don't know they are secure. You know that they:

- Appear to be secure
- Are willing to back that premise up with financial protections
- Are well-known and constantly under scrutiny.
penguinboy wrote: Maybe they are secure to the outside world,
but what if some employee becomes disgruntled
and decides to steal a few accounts?
The same thing that happens at Ford, or AT&T, or any other Forbes 1000 company - they prosecute the employee, and correct the financial losses (whether from insurance or otherwise).
penguinboy wrote: If you're a paranoid freak, like me, the best option is to host your own server and make it as secure as you feel is necessary.
No. Hosting your own server ensures that you are spending at best a tiny, minuscule fraction of what they spend each year on audits and penetration tests ALONE.

Not to mention the multi-million dollar infrastructure.

Take it from someone in the information security field - when you are paranoid, you outsource, and get strong contracts. Let someone else's rear be on the line.

Posted: Wed Mar 03, 2004 1:39 pm
by Roja
penguinboy wrote:Paypal provides a service not a product.
Therefore it isn't 'reinventing the wheel'.
You are trying to do the same thing they have done - that's reinventing the wheel. Whether it's a service or product is debatable, but it doesn't change the meaning of the phrase.
penguinboy wrote: I'm not trying to say everyone should ditch paypal and make their own secure payment system,
but if you want the responsibility of security lying on your shoulders;
you would have to make your own system.
The last part of the statement I agree with - IF you want the responsibility entirely on your shoulders - then yes, you would make your own system. That's not what the original poster asked for. He said he wanted maximum security - not maximum responsibility.
penguinboy wrote: Basically the only 'insecure' thing about paypal is;
the employees are people you do not know.
And everything ELSE that isn't completely insecure on paypal (lesser-known vulnerabilities, poor infrastructure, bad design, network weaknesses, etc etc) can and probably will all be present if you "do-it-yourself". I'd say the tradeoff there isn't worth it - especially when they cover transactions with insurance.

Posted: Wed Mar 03, 2004 1:44 pm
by pudding
All those statements are very valid, and, of course, I have considered numerous online transaction services. The thing is, I wanted to create an automated system where businesses using my service are instantly sent their payment -- without me having to fill out checks or send emails (paypal works this way, correct?). I have hopes the scale of this service would be considerably large, and such work would definitely be a considerable problem.

The information being stored in the databases is to ensure the payments are being sent to the proper recipients. Also there were going to be settings for personalizing the user's account.

The "massive amounts" I mentioned earlier should perhaps be clarified. I hope to have numerous users. The sum total of information being stored would then be directly proportionate to the number of users the site has.

I did not wish to create this system entirely on my own. I know how risky it can be, so I plan on hiring some professionals to do most of the dirty work (although I do have a fair amount of experience with computers). I just was wondering how such a system could be set up, as a few details seem vague in my mind.

-Thanks

Posted: Wed Mar 03, 2004 1:55 pm
by Roja
pudding wrote:All those statements are very valid, and, of course, I have considered numerous online transaction services. The thing is, I wanted to create an automated system where businesses using my service are instantly sent their payment -- without me having to fill out checks or send emails (paypal works this way, correct?). I have hopes the scale of this service would be considerably large, and such work would definitely be a considerable problem.
You are the business. Your customers pay you. That's how paypal works.

Your statement ("I wanted to create an automated system where businesses are sent their payment") makes it very unclear who the businesses are getting paid BY. You? Some third party?

A better description would clarify things much.
penguinboy wrote: The information being stored in the databases is to ensure the payments are being sent to the proper recipients.
And it also gives an attacker a wealth of information - billing address, names, account numbers, and presumably, accounts that have large quantities of liquid assets - being used online. All very valuable to an attacker.

Ensuring transactions is exactly what the mass infrastructure of a Visa, or iBill, or (yes, even) Paypal is built around.
penguinboy wrote: Also there were going to be settings for personalizing the user's account.
There is always a trade-off between functionality and security. You get to pick where the balance goes.
penguinboy wrote: I did not wish to create this system entirely on my own. I know how risky it can be, so I plan on hiring some professionals to do most of the dirty work (although I do have a fair amount of experience with computers).
It might be incredibly risky, or it might be as simple as including a few links on your site, and paying a monthly fee to iBill or Visa. All depends on your needs, your implementation, and the design.
penguinboy wrote: I just was wondering how such a system could be set up, as a few details seem vague in my mind.
Clarify more details about what the site would DO, and we can clarify HOW to do so. :)

Posted: Thu Mar 04, 2004 5:23 pm
by pudding
Ok, forget about the money transaction part of it, let's just focus on preventing attacks on data stored on the server.

Would a system like the following be secure:
Internet -> Firewall -> Public FreeBSD Server -> Firewall -> Private FreeBSD Server

This way no data can be accessed directly. Would this be fairly secure? Or would it need more? Something special?

Posted: Fri Mar 05, 2004 10:03 am
by Roja
pudding wrote:Ok, forget about the money transaction part of it, let's just focus on preventing attacks on data stored on the server.
Excellent. Focusing on specific issues really does help - it lets you get a specific answer to a specific situation. Asking the general question "Will I be secure" is always a bad start.
pudding wrote: Would a system like the following be secure:
Internet -> Firewall -> Public FreeBSD Server -> Firewall -> Private FreeBSD Server
Here you have separated access and privilege - that's a great step to take. By putting the confidential data on the private server, you've ensured that you can "lock" access to just the Public server. By doing so, you are increasing the complexity of the attack - the attacker now needs to gain some level of access on the public server.

Firewalls are popular, and they aren't bad, but think of them as what they are - a filter. They reduce the NUMBER of ports and the NUMBER of source/destination pairs. That makes it much easier to reduce the potential number of attacks. However, it makes the need for a solid Intrusion Detection System much higher.

Why? Because now the traffic is "normalized". It all looks very similar. All coming from the public server, to the private server. Probably all on one or two ports. Same IP, same ports. Even if it were un-encrypted, the data is likely to look extremely similar - even for an attack! So you will definitely want some form of IDS.

There are competing schools of thought on whether it should be host-based, or network-based, or both. Each has strengths and weaknesses. The key for you is that the weak point of your diagram is the public server. It's the beachhead that MUST be defended. If I were implementing it, I would definitely have a Network IDS (NIDS) on the red-zone firewall (outside the public server). I would also have a Host-based IDS (HIDS) on the public server. Snort and Tripwire would work just fine, and cost you nothing.

I'm sure someone will talk about OS choices, and let me give you my stock answer. You should run the OS you are most familiar with. The native security of a completely-locked-down Windows box and an OpenBSD box are not equal, but with a competent administrator, they can approach a similar security level. However, ANY box that you are not familiar with will be inherently less secure regardless of security features, architecture, or anything else.
pudding wrote: This way no data can be accessed directly.
Slight correction - the data isn't being accessed directly from the internet to the data. You've put obstacles in the way. That's good - security is mostly about making the cost of the attack much higher than the value of the compromise. In the case of a credit database with multi-million dollar account totals (à la PayPal), they are willing to spend millions to protect it.

The extra steps are good, but with some caveats.
pudding wrote: Would this be fairly secure? Or would it need more? Something special?
You didn't mention much about the firewalls. I would highly suggest that they be a non-FreeBSD firewall. If possible, a firmware-driven solution, that is harder to change.

Why? Because that way the attacker needs to know more than just FreeBSD. If the firewalls were also FreeBSD, and he knew an exploit that you didn't, he would have control of every piece of the roadmap!

However, if the firewalls were say, Linux, or Windows ISA servers, then suddenly the attacker needs to know two somewhat different systems to 'completely' fool you. There is an element of difficulty there - again, we are raising the cost. Now, he needs to know an exploit for FreeBSD, AND a Linux exploit - both of which you DON'T know. On top of that, he has to figure out how to get to the data in the private system (which might be easy or not).

Even better would be to deeply vary everything. Have OpenBSD for the Firewalls, have Linux for the private server, and FreeBSD for the public server. Now he has to know three very different Unix-like OSes. Possible, but challenging, for sure.

There are plenty of "extras" you could add. Encrypt the data on the public system with a dual-key system. You have to have the key from the public server AND the private system to decrypt it. Tricky to implement, wonderful security though.

You could ensure that you used SSL for each point-to-point connection. That way even if they get the firewall, they can't sniff traffic.

You could do stringent IP blocking on the firewalls - that's an implementation detail that shouldn't be assumed by saying "I have a firewall". Firewall design alone can take years to get right.

All in all, there are dozens of things you could add. But in general, yes, the architecture you described is an excellent start towards a secure infrastructure for storing private data.

All of that being said - it's a horrible thing to choose to do. One breach of your security, and the law can literally bankrupt you. Read up on the California Information Practices Act - SB1386. It's groundbreaking stuff, and it really sticks it to business owners that don't protect customer data properly.

There are businesses that will outdo anything you can design, and for far less money; a monthly fee in exchange for no chance of a lawsuit is an excellent security and business decision.

Posted: Fri Mar 05, 2004 11:23 am
by no_memories
This may be a little out of context but I have been following the security issues within this forum. They seem to arise quite often, especially after the fact the site is up and functioning.

I'm new to PHP, just over a month of messing with it, and I was given some very good advice by an on-line friend who knows quite a lot about PHP/MySQL interactions and security.

He basically told me to learn how to secure your site first, not later. I'm seeing the benefits of just such an approach to learning PHP.

But then again, I'm not under pressure to secure an e-commerce site at the moment. But before I do start consulting/job hunting in regards to building a secure e-commerce site, the first and foremost concern would be securing data as best as possible from the get-go; basically building the site around security instead of the other way around.

Just my .02 cents

Posted: Fri Mar 05, 2004 12:03 pm
by penguinboy
I think Roja is over complicating things.

Assuming
your public server is your webserver and
your web interface is secure and
your private server is your database.

Your set up looks just fine.

If you forward only http & https through the public firewall you'll have a good start.
If you then forward only your database connection through the private firewall you'll have a rock solid setup.

Your weakest link will be the public firewall;
disabling remote administration would secure it.

This setup would require console access;
in other words, you would need someone at the server location
24hrs/day in the event that something went down.

You should find popular websites;
covering the os, firewall, webserver,
scripting languages etc. that you're using.

And you should visit them daily to keep up with bugs, exploits & vulnerabilities.
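The two-firewall layout pudding sketched (Internet -> Firewall -> Public server -> Firewall -> Private server), written out as the pf rulesets Roja's and penguinboy's replies describe: only HTTP and HTTPS cross the public firewall, only the database connection crosses the private one, and remote administration is not forwarded at all. This is an added example, not configuration from the thread or any poster; interface names, addresses and the database port are constructed, and the two rulesets would live in separate pf.conf files on two separate firewall hosts (OpenBSD or FreeBSD, both of which ship pf).

```pf
# ---------- Public ("red-zone") firewall: Internet -> Public server ----------
ext_if  = "em0"              # faces the Internet
dmz_if  = "em1"              # faces the public web server
web_srv = "192.0.2.10"       # public FreeBSD web server (constructed, TEST-NET-1)

set skip on lo0
set block-policy drop

# Default deny in both directions; every rule below is an explicit exception,
# and anything that hits the block rule is logged for the NIDS/log review.
block log all

# Drop spoofed and private-range sources arriving from the Internet side.
antispoof quick for $ext_if
block in quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any

# Only HTTP and HTTPS may reach the public server. No SSH, no admin ports:
# administration is done from the console, as penguinboy's reply suggests.
pass in  on $ext_if proto tcp from any to $web_srv port { 80, 443 } \
    flags S/SA keep state
pass out on $dmz_if proto tcp from any to $web_srv port { 80, 443 } keep state

# The only traffic the public server may originate toward the Internet is
# DNS and NTP; a compromised web server cannot open arbitrary outbound sessions.
pass in  on $dmz_if proto udp from $web_srv to any port { 53, 123 } keep state
pass out on $ext_if proto udp from $web_srv to any port { 53, 123 } keep state

# ---------- Private firewall: Public server -> Private database server ----------
# (second pf.conf, loaded on the second firewall host)
dmz_if  = "em0"              # faces the public web server
int_if  = "em1"              # faces the private database server
web_srv = "192.0.2.10"
db_srv  = "10.10.0.20"       # private FreeBSD database server (constructed)
db_port = "5432"             # whatever port the chosen database listens on

set skip on lo0
set block-policy drop
block log all
antispoof quick for $dmz_if

# Exactly one source/destination/port tuple crosses this firewall: the web
# server talking to the database. Nothing from the Internet is routed here.
pass in  on $dmz_if proto tcp from $web_srv to $db_srv port $db_port \
    flags S/SA keep state
pass out on $int_if proto tcp from $web_srv to $db_srv port $db_port keep state

# The database server never initiates connections outward. With default deny,
# any attempt to do so lands in the pf log, which is a cheap detection signal
# that the private host is behaving unexpectedly.
```

Because every flow through the private firewall is the same IP pair on one port, a packet filter cannot tell an application-level attack from a normal query, which is why Roja's reply pairs this layout with a NIDS on the outer firewall and a HIDS on the public server.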