[thelist] Free tip: securing your online store

Susan Wallace susanhw at webcastle.com
Wed Apr 24 21:11:08 CDT 2002


Greetings!

I had a "new to me" situation happen yesterday that I thought I would share
here in case someone was looking for information on setting up an
e-commerce site.

One of my clients has a very small, not-used-often online store. The person
that processes orders noticed some addresses coming through that seemed
strange, so she alerted me to the issue. After investigation, it turns out
that someone was using our site to try and verify a list of stolen credit
card numbers.

Our site uses SSL, and is set up to use CyberCash/Verisign. What the people
with the stolen card numbers had determined was that our Processor does not
use AVS - Address Verification Services, and they also do not require those
3 extra digits from the back of the card. So, they put some items in their
cart, entered bogus address information and shipping information, and
proceeded through the list of numbers they had. Once an order went through,
they started over again. In reviewing our log files, we discovered that
they had a list of at least 50 different card numbers, fortunately they
were only able to verify 4 with our system. In working with the
investigators and authorities, the assumption is that they were just trying
to get a list for themselves of known good credit card numbers.

I found out today that the account that my client has in this case is not
currently set up to use AVS, although I am told that "it will be soon", and
they do not offer any way to verify those 3 digits on the back.

I have set up AVS in some other sites, but so far have not been requested
to use the extra three digits from the back of a physical card. Are there
any merchant/processors that actually use this information yet, or is it
just one more way to keep the "honest people honest"?

I don't know yet if the offenders have been tracked down, but we do
have a lot of information about their actions, thanks to about 4 logs. :)

Anyway, this is one of those cases where "if they want it bad enough, they
will get it". Our site was not compromised in any way as far as someone
"breaking into" the server or modifying files, they just happened to have
the patience to go through the ordering system enough times to get what
they wanted - a validated card number. The use of AVS would not have been
a guarantee in stopping them, but it may have helped.

I just thought I would share in case it will help someone.

Susan Wallace
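As an added illustration (not part of Susan's post), here is the kind of check a store operator could run over checkout logs to catch the pattern she describes: one client cycling through many distinct card numbers in a short time, mostly declined, with throwaway address data. The log format, field names and thresholds are assumptions; the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample checkout log (hypothetical format): timestamp, client IP,
# authorization result, card token (a hash or last4, never the full PAN), ZIP.
SAMPLE_LOG = """\
2002-04-23T14:01:02 203.0.113.5 DECLINED tok_a1 00000
2002-04-23T14:01:40 203.0.113.5 DECLINED tok_b2 00000
2002-04-23T14:02:15 203.0.113.5 DECLINED tok_c3 00000
2002-04-23T14:02:50 203.0.113.5 APPROVED tok_d4 00000
2002-04-23T14:03:30 203.0.113.5 DECLINED tok_e5 00000
2002-04-23T14:04:05 203.0.113.5 DECLINED tok_f6 00000
2002-04-23T15:10:00 198.51.100.7 APPROVED tok_g7 90210
2002-04-23T16:45:00 198.51.100.7 APPROVED tok_g7 90210
"""

def parse(log_text):
    """Split each line into (time, ip, result, card_token, zip)."""
    events = []
    for line in log_text.splitlines():
        ts, ip, result, token, zip_code = line.split()
        events.append((datetime.fromisoformat(ts), ip, result, token, zip_code))
    return events

def card_testing_suspects(events, window=timedelta(minutes=30),
                          min_distinct_cards=5, min_decline_ratio=0.5):
    """Return {ip: summary} for clients that tried many distinct cards inside
    `window` and were mostly declined: the signature of a card-validation run.
    A legitimate shopper retries the same card; a tester rotates through a list."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    suspects = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):          # sliding time window per client
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            cards = {e[3] for e in span}
            declines = sum(1 for e in span if e[2] == "DECLINED")
            if (len(cards) >= min_distinct_cards
                    and declines / len(span) >= min_decline_ratio
                    and (ip not in suspects
                         or len(cards) > suspects[ip]["distinct_cards"])):
                suspects[ip] = {"distinct_cards": len(cards), "declines": declines,
                                "approved": len(span) - declines,
                                "zips": {e[4] for e in span}}
    return suspects

if __name__ == "__main__":
    for ip, info in card_testing_suspects(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {info}")
```

Approved attempts inside a flagged window are the numbers the tester learned were good, so they are the orders to hold and report to the processor.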
