Re: trouble convincing client of ecommerce security requirements
by Kukla Fran and Ollie <weblists2001(at)yahoo.com>
Date: Tue, 05 Mar 2002 12:14:04 -0800
To: hwg-techniques(at)mail.hwg.org
In-Reply-To: designingweb
More and more web sites are offering users the ability to complete an order
(i.e., provide payment and other details) by using special toll free
telephone numbers. A user completes most of the order details on-line,
except payment. The user then calls a specific toll free number to provide
payment details.

Why?

The problem is not potential monetary loss and all the hassles associated
with it. The problem is identity theft. While a user provides contact
information (name, address, telephone number) via a web site during the
ordering process, it is the additional information (credit card details)
which is often the skeleton key to identity theft. Prudent merchants want
no part of a possible liability chain when it comes to this so they now
offer the toll free numbers to complete the transaction.

This is something to seriously consider when building a web site, or you
yourself making an on-line purchase. It is one thing to have transaction
details intercepted and someone starts spending your money. You may not be
liable beyond the first $50, if even that. And yes, it could take weeks,
even months for everything to sort out. But hey, it's *only* money!

Identity theft is another story. A user can lose their credit rating, be
subject to false police and prosecution (even jail time), be denied
employment, credit, medical assistance, the sky is the limit. This is not
a Chicken Little scare tactic. There are plenty of stories of innocent
people losing their homes, their jobs, etc., and taking *years* to rebuild
their reputations. Is it any wonder the theft of large numbers of credit
card information allegedly stolen by Eastern Europeans several months ago
made scant news in the media but is under serious investigation by the FBI
and the CIA? It isn't the potential for monetary loss. It's the potential
for identity theft, including using stolen identities to gain access for
other things, including September 11-type terrorism.

The ecommerce chain is only as strong as its weakest link. Unless a system
is designed, implemented and maintained with strict accountability (be it
technical as well as human interactions), there is always a risk it will be
compromised.

Finally, to assume only the "big boys" sites are the prime targets for such
thefts, I beg to differ. Large sites with considerable financial backing,
written security agreements for staff and developers, along with
accountants, lawyers and insurance companies to oversee the system are
relatively secure. (Yes, a crook will try them because stupidity has no
bounds.) Instead, the smaller sites, even down to "Mom and Pop" sites with
ecommerce are the most vulnerable. This is because of human nature. It
may be more "cost-effective" to hit a large ecommerce site in order to skim
as much cash in as short a time as possible. However, smaller sites are
prime targets for identity theft because the thieves need the time and
relative obscurity to collect the information, process it and eventually
use it, or sell it to others. By the time a victim finds their identity
has been stolen, the damage is severe and the repairs are months to years
in the making.

Web design and development used to be easy and fun. Now look what's
happening. :)

Kukla
HWG hwg-techniques mailing list archives,
maintained by Webmasters @ IWA