Friday, April 19, 2013

e-ShopLifting: An Introduction


The dictionary defines shoplifting as “to steal merchandise from a store that is open for business”. E-shoplifting is the act of stealing articles, modifying prices or committing similar fraud against an online shopping store, carried out by a malicious user (an e-shoplifter).

With advances in technology and e-commerce, online business has grown exponentially. Unfortunately, malware and attacks on the internet have advanced at the same pace. E-shoplifting is most commonly used to buy a product for a lower price than the one listed on the website. It also refers to stealing customer details such as credit card numbers, which can lead to far more than the loss on a single shopping transaction.

E-shopping works around four entities:
1. The online store - lists the items for sale.
2. The customer - intends to buy the items, adds them to his shopping cart and finally enters his details to make the payment.
3. The payment gateway - receives from the online store the payment details provided by the customer, communicates with the customer's bank, enables the money transaction and, once the transaction is done, sends an acknowledgement to the online store.
4. The bank - verifies the information sent by the payment gateway and completes the transaction.
In the case of e-shoplifting, one more entity comes in:
5. The e-shoplifter, aka the hacker, who tampers with the customer’s details before they reach the payment gateway.


Among the various measures used by online stores, the most common are sending a checksum along with the other details to make sure the data has not been tampered with, and verifying the amount debited in the acknowledgement from the payment gateway. These measures are not enough and provide only limited security. The checksum used here can be calculated by the hacker, and even if the store uses a private key, given the processing power of modern computers it is possible for the hacker to guess the key too. Furthermore, verifying the bank acknowledgement does not guarantee security either, as the e-shoplifter who tampered with all the details sent to the bank can also change the amount in the acknowledgement to match his tampered version.


E-shoplifting may not be avoided 100% even with complex security measures, but it can be reduced to a great extent simply by implementing and adopting a few security best practices in the online store website and in the e-shopping workflow.
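As an added example (not from the original post or from HACKViDHi), here is store-side Python that implements both measures discussed above: a keyed checksum (HMAC-SHA256) over the order fields, and a check of the acknowledged amount against the store's own order record rather than against anything carried in the request. A long random key makes the checksum infeasible to forge, and the order-record comparison is what catches an acknowledgement whose amount was altered to match a tampered request. The key, order ids and amounts are constructed for the example.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal, InvalidOperation

# Store-side secret shared only with the payment gateway (constructed for this example).
MERCHANT_KEY = secrets.token_bytes(32)
# Server-side order records: the authoritative price lives here, not in the request.
ORDERS = {"ORD-1001": {"amount": Decimal("1499.00"), "currency": "INR"}}
# Fields covered by the checksum, always in this fixed order.
SIGNED_FIELDS = ("order_id", "amount", "currency")

def checksum(params, key=MERCHANT_KEY):
    """HMAC-SHA256 over the signed fields, joined in a fixed order."""
    msg = "|".join(str(params[f]) for f in SIGNED_FIELDS).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def build_payment_request(order_id):
    """Store -> gateway: sign details taken from the server-side order record."""
    order = ORDERS[order_id]
    params = {"order_id": order_id, "amount": str(order["amount"]),
              "currency": order["currency"]}
    params["checksum"] = checksum(params)
    return params

def verify_acknowledgement(ack):
    """Gateway -> store: accept only if the checksum verifies AND the amount
    debited equals the amount the store itself recorded for the order."""
    if any(f not in ack for f in SIGNED_FIELDS):
        return False, "missing signed field"
    if not hmac.compare_digest(checksum(ack), ack.get("checksum", "")):
        return False, "checksum mismatch"
    order = ORDERS.get(ack["order_id"])
    if order is None:
        return False, "unknown order"
    try:
        debited = Decimal(ack["amount"])
    except InvalidOperation:
        return False, "malformed amount"
    if debited != order["amount"] or ack["currency"] != order["currency"]:
        return False, "amount does not match order record"
    return True, "ok"

def tampered_ack(ack, new_amount, key=None):
    """Constructed test helper: the ack with its amount altered in transit.
    key=None leaves the old checksum; a key re-signs the altered fields."""
    forged = dict(ack, amount=new_amount)
    if key is not None:
        forged["checksum"] = checksum(forged, key)
    return forged
```

Even an acknowledgement re-signed with the correct key fails once its amount disagrees with the stored order, so the amount check must compare against the order record, never against the request that was sent out.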


If you are from the e-commerce domain, or are associated with online business in any manner, it is imperative that you make sure your business and your customers' information is in safe hands. With HACKViDHi penetration testing services, you can find out the vulnerabilities of your online business and, using our consultation, work towards fixing them so that you can protect your business and your customers' information from e-shoplifting. To know more, contact us by e-mail at contactus@hackvidhi.com or register on our website for a free trial at http://www.hackvidhi.com and we will get back to you.


Check our presentation on E-Shoplifting @ http://www.slideshare.net/hackvidhi/e-shoplifting-hackvidhi.

Friday, March 15, 2013

Login CSRF Prevention - White Paper

Here is our very first white paper - "Login CSRF Prevention – A Proposal"

Here is the abstract -


Cross-site request forgery stands at 8th position in the OWASP Top 10 list of 2013. CSRF exploits the trust relationship between an authenticated user and the website that provided the authentication. This paper aims to provide a basic introduction to CSRF and to its special type, login CSRF, along with the preventive measures that are commonly used. The paper also introduces a new proposal for a login CSRF defense mechanism, which aims at addressing the shortcomings of currently used approaches. This proposal can also be used to prevent standard CSRF attacks, though with certain trade-offs.


Please download the complete white paper from here - http://hackvidhi.com/WhitePapers.php.


Please do share your feedback and comments; we will be happy to hear from you!


-Archana

Thursday, March 14, 2013

HACKViDHi Course in Web Programming and Ethical Hacking


Hello friends,

After a break from blogging, we are back to share some good news with all of you. This week, the HACKViDHi Course in Web Programming and Ethical Hacking received more than 150 enrollments. We look forward to many more curious guys and gals benefiting from this free course. Keep spreading the word.
http://www.hackvidhi.com/courses.php

See you all in summer!!

- Richa