
Security breach at Buy.com

Submitted by benjaminz6 on Tue, 06/28/2005 - 07:49

I was reading an article about a security breach that occurred at an E-Commerce site called Buy.com. This is concerning because I do so much shopping online. It was kind of a wake-up call because I always take for granted that our information will be secured by the site's security system. This security breach suggests something otherwise. This e-commerce site was negligent in securing the information of its consumers.

According to Wired News, a security hole on buy.com's website exposed the personal information of customers who returned products to the company. Based on the lax security system on Buy.com's website, visitors were able to look through the names, addresses, and phone numbers of customers. This security breach that lasted for several hours affected hundreds to thousands of customers.

The security breach occurred because the website server stored each customer's information on URLs based on customer numbers. But if someone changed the customer numbers in the URL, they would be able to view other customers' return labels. I don't know if this makes sense to you, but to put it simply, this security was very lax. It would be the equivalent of me being able to tap into your information on this site by simply typing in a new number on the URL.

This is an abomination because Buy.com claims that "your personal and account information is secure, consistent with current industry standards."
If that is the case, then we are all in trouble if we decide to use any E-commerce sites.
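The flaw benjaminz6 describes, a record selected by nothing but the customer number in the URL, is easy to see in code. The following is an added example written for this thread, not code from the post or from Buy.com: a minimal return-label lookup, first as the post describes it and then with the ownership check that was missing. All names, customer numbers and records are constructed for illustration.

```python
# Added example, not code from the forum post or from Buy.com: a minimal
# model of a return-label lookup. The first handler selects the record by
# the customer number in the URL alone, which is the flaw the post describes;
# the second adds the missing object-level authorization check. All names,
# ids and records here are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the return-label table (customer number -> label).
RETURN_LABELS = {
    1001: {"name": "A. Example", "address": "1 Sample St", "phone": "555-0100"},
    1002: {"name": "B. Example", "address": "2 Sample St", "phone": "555-0101"},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


@dataclass
class Session:
    """Authenticated identity behind the request; None models an anonymous visitor."""
    customer_id: Optional[int]


def return_label_vulnerable(session: Session, customer_id: int) -> dict:
    """Lookup keyed only on the number taken from the URL. The session is
    never consulted, so changing the number in the URL returns another
    customer's label. Kept here only as the 'before' picture."""
    return RETURN_LABELS[customer_id]


def return_label_fixed(session: Session, customer_id: int) -> dict:
    """Same lookup with object-level authorization: the record must belong
    to the logged-in customer. The ownership test runs before the table
    lookup, so a mismatched id is refused without revealing whether it exists."""
    if session.customer_id is None:
        raise Forbidden("login required")
    if session.customer_id != customer_id:
        raise Forbidden("record does not belong to this session")
    return RETURN_LABELS[customer_id]


def return_label_by_session(session: Session) -> dict:
    """Stricter variant: the customer number never appears in the URL at all;
    it is derived from the session, so there is nothing for a visitor to edit."""
    if session.customer_id is None:
        raise Forbidden("login required")
    return RETURN_LABELS[session.customer_id]


def access_allowed(handler, session: Session, customer_id: int) -> bool:
    """Convenience for tests and audits: True if `handler` returns a label
    for this session/id pair, False if it refuses with Forbidden."""
    try:
        handler(session, customer_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    other = Session(customer_id=1001)
    print("vulnerable handler leaks 1002 to 1001:",
          access_allowed(return_label_vulnerable, other, 1002))   # True
    print("fixed handler leaks 1002 to 1001:",
          access_allowed(return_label_fixed, other, 1002))        # False
```

The point of the third variant is that a value the server can derive from the session should not be taken from the request at all; when the id must stay in the URL (deep links, support staff), the ownership check in the second variant is the minimum, and it should run in every handler that touches the record, not just the one that renders the page.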


As a result of the internet facility, shopping has been made very easy and we are able to purchase anything at any time. The services extend from buying an airline ticket to ordering a flower bouquet.
Endlessly, it offers some handsome deals and bargains which can't be found in a store or by mail. So it is very important to know the risk factors first before we involve ourselves completely into it.

  • It is very important to use a secure browser from where we will be shopping. It is through this browser your online transaction is done and your information is sent. Secure browsers use Secure Sockets Layer (SSL) to comply with industry security standards. There are many browsers which can be downloaded from the internet so be careful in choosing the safest one.

  • It is always recommended to shop with only those companies who have good business standards in the market. If you are particularly not familiar about a company's policy, read it in their website first.

  • It is always detrimental if your password is leaked. Never use the numbers which are very common to you like your birth date, driving license number, social security number etc. It is advised to use a combination of letters, symbols, and numbers while creating your password.

  • Always pay by credit or by a charge card. Doing this, you will be protected under the Fair Credit Billing Act. You can always dispute a particular entry which requires investigation by the creditor. There are many companies in the market which ensure that you will not be held responsible for unauthorized charges made online.

  • As said, it is always very important to keep a record. Take printouts of your purchase order and confirmation number of your commodities for records.

  • Big companies have their websites and they enable you to see your account status and make payments. Before you sign up for such services, it is necessary to evaluate how the company will secure your financial and personal information. They have their security policies posted in the website.



    Always apply the ABC METHOD before you shop out in the internet.
    About me: Keep your privacy protected. Make sure about the information the company collects from you and check if it's secured.

    Benefits: whatever information the company has collected from you, think how it is going to benefit you.
    Choices: think about your choices when the company has taken your information.

    Regards
    Roxette


Submitted by roxette on Thu, 06/30/2005 - 15:03


    Another example of a security-less webmaster. I think you'll find this more common than you may be willing to accept. Webservers (and their services) are inherently vulnerable ... ESPECIALLY if they're running Microsoft IIS (versus something like Apache).

    What I find amazing about this example is how something so simple, predictable, and relatively "old news" could be left vulnerable. Obviously if you are surfing to data by URL it should be authenticating you by some means. If not, then there is much more to be concerned about. A bot could be used to run GET requests on that server for those 2 hours and download the entire database. SCARY! Unfortunately, most consumers aren't "knowledgeable" on network/web security and don't know what to look for (or even where to report a problem if they find one). Awareness would really help solve a lot of these sorts of problems!


Submitted by cryptowizard on Sat, 09/10/2005 - 13:31
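cryptowizard's point that a script could have walked every customer number during the exposure window is also the thing a site operator can look for after the fact. The following is an added example, not code from the thread or from Buy.com: a small detector that reads access-log lines in Common Log Format and flags any client that fetched many different customer numbers in a short window, with a score for how sequential those numbers were. The URL shape (`/returns/label?cust=`), the sample log lines and the thresholds are all assumptions constructed for this example.

```python
# Added example, not from the post: a small detector for the pattern
# cryptowizard warns about (one client walking customer numbers in a URL
# during the exposure window), run over constructed access-log lines in
# Common Log Format. The path, the parameter name and the thresholds are
# assumptions made for this example.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Assumed URL shape for the return-label page.
LABEL_RE = re.compile(r'^/returns/label\?cust=(?P<id>\d+)$')

# Constructed sample: 10.0.0.5 steps through six consecutive customer numbers
# in six seconds; 10.0.0.9 views a single label twice, as a real customer would.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jun/2005:10:00:01 +0000] "GET /returns/label?cust=1001 HTTP/1.1" 200 512
10.0.0.5 - - [28/Jun/2005:10:00:02 +0000] "GET /returns/label?cust=1002 HTTP/1.1" 200 517
10.0.0.9 - - [28/Jun/2005:10:00:03 +0000] "GET /returns/label?cust=2044 HTTP/1.1" 200 509
10.0.0.5 - - [28/Jun/2005:10:00:03 +0000] "GET /returns/label?cust=1003 HTTP/1.1" 200 501
10.0.0.5 - - [28/Jun/2005:10:00:04 +0000] "GET /returns/label?cust=1004 HTTP/1.1" 200 520
10.0.0.5 - - [28/Jun/2005:10:00:05 +0000] "GET /returns/label?cust=1005 HTTP/1.1" 200 498
10.0.0.5 - - [28/Jun/2005:10:00:06 +0000] "GET /returns/label?cust=1006 HTTP/1.1" 200 515
10.0.0.9 - - [28/Jun/2005:10:05:10 +0000] "GET /returns/label?cust=2044 HTTP/1.1" 200 509
10.0.0.5 - - [28/Jun/2005:10:00:07 +0000] "GET /static/logo.gif HTTP/1.1" 200 3021
"""


def parse_label_request(line):
    """Return (ip, timestamp, customer_id) for a successful label fetch,
    or None for malformed lines and unrelated requests."""
    m = LOG_RE.match(line)
    if not m or m["status"] != "200":
        return None
    p = LABEL_RE.match(m["path"])
    if not p:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(p["id"])


def consecutive_fraction(ids):
    """Share of adjacent id pairs (after sorting) that differ by exactly one;
    near 1.0 means the ids were walked in order rather than visited at random."""
    ids = sorted(set(ids))
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
    return steps / (len(ids) - 1)


def find_enumerators(log_text, min_distinct=5, window_seconds=60):
    """Flag clients that fetched at least `min_distinct` different customer
    numbers within some `window_seconds` span. Returns
    {ip: {"ids": [...], "consecutive": fraction}} for the widest such window."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_label_request(line)
        if rec:
            by_ip[rec[0]].append(rec[1:])   # (timestamp, customer_id)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        best = set()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            ids = {cid for _, cid in events[start:end + 1]}
            if len(ids) > len(best):
                best = ids
        if len(best) >= min_distinct:
            flagged[ip] = {"ids": sorted(best),
                           "consecutive": consecutive_fraction(best)}
    return flagged


if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(info['ids'])} distinct ids, "
              f"{info['consecutive']:.0%} consecutive")
```

Two caveats for real logs: the thresholds need tuning against the site's normal traffic (a support desk legitimately opens many customers' records), and an enumerating client can spread requests over several addresses, so the same grouping is worth repeating per session cookie or authenticated user rather than per IP alone. Either way the finding from such a run is an incident, not a fix; the fix is the authorization check the page was missing.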