Flaws in Outsourced E-Commerce Systems

by Dean Swift

I have been asked to write about flaws in e-commerce systems, in particular, systems for which I have written my shopping basket software.

The general trend that I have discovered is that any web site that has third-party credit card processing may be subject to a particular class of implementation flaw.  I discovered this accidentally when interfacing my software to third-party credit card processing software.

Few people write interfaces for e-commerce systems because numerous solutions have been written already.  While it's productive to re-use existing software, potential flaws in a system are left unchecked.  A flawed system can become popular because new users may assume that previous users were satisfied with criteria such as security.

I had written a shopping basket to the exact requirements of a clothing web site.  One of the requirements was that the existing workflow (FTP'ing web pages) could continue.  Another requirement was that the existing search engine listing could be maintained or improved.  Another requirement was that any changes would preserve the level of compatibility.  A further requirement was that it should be cheap to host.  I was unable to find prior art which met the requirements, so I proceeded to write the software to specification.

This was the first version of MTECS - the Multiple Tier E-Commerce System.

The system is encapsulated into a number of stages or tiers.  Unlike many layered systems, all of the tiers described are presented to the end user as web pages.  Each tier can be hosted on a different web server or outsourced to a different party.  MTECS Tier 1 is an optional program.  It transparently modifies the web site to propagate a session key in the absence of cookie functionality in the web client.

MTECS Tier 2 is the shopping basket; a construct to allow more than one type of product to be accumulated before purchase.  It was intended that further tiers would be added for payment, although Tier 2 functions as a standalone program using the "Print 'N' Post" ordering system.

After architecting and implementing this solution, the customer decided not to deploy the software, which left me with software surplus to requirements.  I was determined to use the software and it was re-purposed for digital books (www.great-books.com), hydroponics (www.esoterichydroponics.com), seeds (www.pukkaseeds.com), power tools (www.hunter-tools.com), my personal web site (www.gandalf.user.xirium.com), and other websites.

Each web site required the software to be adapted or required utility software.  Fortunately, the requirements were not so demanding that other software would have been suitable.  More fortunately, the initial websites did not require credit card processing and depended on the standalone "Print 'N' Post" ordering system, which is more affordable and low in risk.

This changed after the success of Esoteric Hydroponics (www.esoterichydroponics.com).  After adding MTECS Tier 2, without credit card processing, return on investment for the entire web site occurred within two months.  (It must be stated that the web site was fairly active with 44,000 hits per month before the e-commerce software was added.  The web site is fairly large and the URL of the web site is advertised in an ongoing, targeted print media advertising campaign.  Additionally, the web site is distributed to potential customers as a platform independent CD-ROM.)

Esoteric wanted to add credit card processing to obtain more revenue and to keep ahead of competitors.  A successful system would also be referred to Pukka Seeds (www.pukkaseeds.com) and Hunter Tools (www.hunter-tools.com).  We evaluated the cost of processing credit card transactions and soon discovered that for small volumes, it would be cheaper, easier, and more secure to outsource.

Obviously, it was sensible to choose a company with established procedures and it was desirable to choose a company with low charges.  There was also the stated requirement that the company should be based in the same country.  This would reduce risk, simplify payment and minimize potential problems and associated cost.  The market leader in the U.K., Netbanx, was immediately eliminated, due to excessive charges and direct experience with the company.

We agreed upon Worldpay (www.worldpay.com), due to perceived technical competence and low initial costs.  I was required to interface my software to Worldpay immediately.  Worldpay has a 24-hour sign up process, although delays were encountered.  Worldpay reduces costs by leveraging bank authentication processes and requires that signatures of representatives are confirmed by a bank.  This requires a meeting with your bank manager and additional paperwork before Worldpay approval.  Worldpay also requires a Direct Debit to be established before approval, presumably to ensure continued payment for service.

Worldpay also performs their own due diligence, at cost to the customer.  This means that an organization failing this process does not get a full refund.  Fortunately, some of the administration can be processed while web site development occurs.  Two weeks later, after much paperwork and two days of programming and testing, it was done.  Unfortunately, the software did not accurately reflect the business rules: haggling.

Esoteric Hydroponics allows discounts (on large volume purchases only).  Of course, this would have to be provided securely so that it would not be open to abuse.  I began writing a passworded utility to allow the insertion of a negative price, although this, quite sensibly, was not accepted by Worldpay.  Then I considered writing a utility to dump the existing catalog as a web page that would allow prices to be changed.  This would sidestep the fixed pricing restriction of the shopping basket.

MTECS Tier 2 (the shopping basket) already has a utility to dump catalogs as HTML.  After the catalog has been uploaded, a CGI script can return a section or all of the catalog as a web page.  This can be modified and inserted into the web site as required.  All that was required was an additional format for the output.

Unfortunately, this would be a massive security flaw.  If the output was obtained, it would allow anyone to purchase anything at any price.  With trivial modification, it would also be possible to order nonexistent items or items with subtle changes in description.  This remains a problem because anyone with sufficient information and expertise may be able to implement such an attack.

Fortunately, Esoteric is already alert to such practice.  I had demonstrated how easy it is to change prices with "Print 'N' Post".  This facility is little more than a construct to ensure a legible order is received by snail mail.  If someone accidentally or maliciously modifies the products and prices when placing an order by mail, it makes little difference whether the order is written or printed.  Obviously, it requires more skill and effort to maliciously modify a web page, but this shows that computer output should not be trusted.

This left the matter of third-party credit card processing.  It is hard to obtain specific details from Worldpay.  Indeed, I was unaware of some of the best technical features when Worldpay was selected.  Nevertheless, with a growing client base, it is only a matter of time before such an attack would be attempted on a successful web site such as Esoteric Hydroponics.  I immediately informed the client of the implications of the security flaw.

"That can't be right: we use the same system as VictoriaWine."  Well, 35 minutes later, I was able to purchase wine and pay the amount of my choice.  This is quite worrying because VictoriaWine (www.victoriawine.co.uk) is a well known brand in the U.K.  What is more worrying is that VictoriaWine doesn't use Worldpay, contrary to what had been stated.  VictoriaWine uses DataCash (www.datacash.com).

Yes, we had cracked two credit card processing systems within an hour.  How many organizations have this problem?  How many other systems have this flaw?  I attempted to find other customers of these systems without much success.  Both companies are discreet about clients.  Attempts to discover hyperlinks to the flawed CGI failed.  (The search engines AltaVista (www.altavista.com) and Infoseek (infoseek.go.com) allow searches by URL and by hyperlink, but do not record hyperlinks to CGI scripts or "secure" web pages.)  Attempts to search for references were dismal.  Most organizations tend to omit the fact that credit card processing is outsourced.

As of May 2000, the VictoriaWine web site (www.victoriawine.co.uk) redirects to a web site that has frames, JavaScript, and Macromedia Flash.  You must enable JavaScript to complete transactions.  Purchases may only be made by registered users.  This is automated but requires a valid email address and the completion of a survey.  Every order requires your email address, so if you don't have one, or you are not willing to supply your email address with your postal address and credit card details, you will be unable to purchase anything.

The demographic survey must be completed before purchases can be made.  It is quite lengthy and intrusive and likely to discourage real customers.  Fortunately, for our purposes, I have created a test account:

User: billg@microsoft.com
Pass: zzzzzz

Despite statements on the web site about detection of suspect activity, this account was active and used for private demonstration to various parties over a period of three weeks.  Should this account not work, any account can be used to purchase test items.  When I first used this system, I placed some items in the shopping basket and then proceeded to credit card payment.  From the shopping basket, I accessed a "confirmation" web page that served no apparent purpose and after a pregnant pause I was presented with the form to enter credit card details.

Let's examine that in more detail.  I skipped back a few web pages to the shopping basket.  I was unable to view the URLs in my web browser because it was a framed web site.  To overcome this, I opened the content frame in a new window.  Repeating the process I discovered that the credit card form was on the DataCash web site.  This would be transparent to the customer during normal use.

With the frame isolated, it was apparent that two intermediate web pages were accessed before credit card details were requested.  They both appeared to be blank, one with a VictoriaWine URL the other with a DataCash URL.  I decided to investigate each page in turn.  I was dumbfounded to discover that the first web page consisted of a form of hidden fields, including the total price, email address, and a session key, automatically submitting to DataCash with JavaScript.  This is appalling practice.  Nevertheless, I saved the page, modified the price and accessed it with my web browser.

I was briefly startled before I realized that the web page was scripted to automatically submit the form to DataCash.  I was presented with the price of my choice on the DataCash web site.  Now we are at the credit card processing stage.  When I showed this to staff at Esoteric Hydroponics, they were alarmed that a transaction could proceed so far.  Furthermore, what would happen if a stolen or fictitious credit card is used?  This was the most prominent concern: is there any verification?

After a long telephone call to Worldpay and finally speaking to a representative of authority, it was discovered that no credit card verification is performed other than checking known stolen numbers.  Worldpay collects addresses from customers, but does not currently crosscheck this information.  It is not possible to confirm the card holder's address via Worldpay.  Such a system is scheduled for April 2001.  The system will be supplied by NatWest.  NatWest is also associated with Netbanx, so I assume that the situation would be the same with Netbanx.  We attempted to provide our own verification because third-party checking was not of a sufficient standard.  We investigated various procedures but were unable to obtain sufficient information from Worldpay.

In general, card processing companies are differentiated by transaction volume.  Some companies are suitable for small volumes, others are suitable for larger volumes.  Very large volumes are typically done in-house.  Additional hardware and software required varies widely, as does initial costs.  High initial costs may be unsuitable for low volumes, but generally lead to lower ongoing costs.  Ongoing costs are typically 2-10% per transaction, although many charge a fixed rate for debit cards.  We were unable to find a company that guaranteed payment.  For every company encountered, it is the merchant that incurs the cost of fraud.  A card number approved by a card processing company may be an unreported stolen card.

Indeed, in any e-commerce dispute between the customer, the credit card company, card processing company, and the merchant, it is the merchant that invariably loses.  At present it is possible for any unscrupulous U.K. credit card holder to purchase goods and then deny knowledge of the purchase.  The merchant then receives a "chargeback," which may occur at any time up to 30 months after the purchase.  So, an initially profitable enterprise may become unviable if the level of fraud is too high.

Every transaction may be fraudulent.  For example, within 24 hours of the Esoteric/Worldpay system going live, a suspect order, slightly less than 2000 pounds, was placed.  The order was suspect because unnecessary items were duplicated to obtain the total.  The card was approved by Worldpay.  Worldpay was contacted by telephone for confirmation.  The origin of the card could not be determined but Worldpay recommended that the transaction proceed, presumably due to vested interest of an eight percent commission (160 pounds).

Furthermore, Pukka Seeds was rejected by Worldpay.  If you saw a Worldpay application form, you would be very surprised.  There is a question asking how an organization would be classified.  Staff were unable to find a suitable category.  There is a category for pyramid schemes, multiple categories for sex, but nothing suitable for collecting seeds.  Worldpay either has a very skewed customer base or knows from direct experience that such companies are lucrative.  One would be quite reasonable to assume that the application form was merely a formality for such an overtly tolerant company.

This made the rejection even more of a shock.  The whole affair has made my clients disillusioned with e-commerce, despite the fact that each of the two companies has a profitable web site.  Staff find it unbelievable that card processing companies provide such a bad service, without risk.  The CD-ROMs sent from Esoteric Hydroponics to potential customers could be tied to the online e-commerce system and credit card payment were it not for a lack of confidence in the system.

By accident, a Worldpay client was encountered during domain name registration.  The company is called JustNames (www.justnames.co.uk).  The web site uses PHP and is so badly written, that it fails to work on Netscape Communicator 4.72 and presumably other web browsers too.  During an attempt to register a domain, it was discovered that JustNames uses Worldpay and that the price to pay appears in the web page.

It is becoming too easy to fraudulently purchase products online.  Many e-commerce websites are relying on manual procedures to detect problems, if at all.  Many organizations are detecting suspect activity, but only because e-commerce orders are scrutinized.

The problem is that most shopping baskets and credit card payment systems are loosely integrated.  The credit card payment system is usually on another server and merely receives the total to obtain from the customer.  Card processing companies are taking a path of least resistance approach to integration, so as not to dissuade potential clients.  In many cases, the integration method is insecure.  In some cases, secure methods are employed, while insecure methods remain open.  There are many solutions to the problem, none of which have been implemented.  Credit card processing companies are taking fat commissions for insufficient service.  Worldpay, DataCash, NatWest, and competitors have some explaining to do.

Basic security is being ignored.  Numerous websites have common flaws.  Critical data is being passed via client software where it can be tampered with.  This information is being trusted by the servers of card processing companies.  There are other lapses of security.
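The hidden-field hand-off described above (basket emits total, email and session key; the browser relays them to the gateway) and the loose integration just discussed are the same defect: the gateway trusts whatever the client posts.  The following is an added illustration, not code from MTECS, Worldpay or DataCash; it shows the trusting pattern beside a hardened one in which the merchant's server signs the field set with a shared secret (a hypothetical arrangement; the secret and the order values are constructed for the example) so that the gateway can detect a field edited on the client side.

```python
import hmac
import hashlib
from urllib.parse import parse_qsl, urlencode

# Shared secret between merchant server and gateway (constructed, hypothetical).
GATEWAY_SECRET = b"example-shared-secret-not-real"

# Constructed sample order, mirroring the hidden fields the article lists.
ORDER = {"session": "abc123", "email": "buyer@example.invalid",
         "amount": "1995.00", "currency": "GBP"}


def build_unsigned_form(order):
    """The flawed pattern: the basket emits the total as a hidden field and
    trusts the browser to relay it unchanged to the gateway."""
    return urlencode(order)


def trusting_gateway_amount(posted_query):
    """What a trusting gateway does: charge whatever 'amount' arrives."""
    return dict(parse_qsl(posted_query)).get("amount")


def sign_fields(fields, secret=GATEWAY_SECRET):
    """Canonicalise the field set (sorted, URL-encoded) and MAC it, so the
    gateway can recompute the same value over what it actually receives."""
    canonical = urlencode(sorted(fields.items()))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def build_signed_form(order):
    """Hardened pattern: merchant server signs the fields before they reach
    the browser; the signature travels as one more hidden field."""
    fields = dict(order)
    fields["sig"] = sign_fields(fields)
    return urlencode(fields)


def gateway_accepts(posted_query, secret=GATEWAY_SECRET):
    """Gateway-side check: strip the signature, recompute over the remaining
    fields, compare in constant time.  Any client-side edit fails here."""
    fields = dict(parse_qsl(posted_query))
    sig = fields.pop("sig", None)
    if sig is None:
        return False
    return hmac.compare_digest(sig, sign_fields(fields, secret))


def edit_hidden_field(query, field, new_value):
    """Simulates a saved page with one hidden field changed (for testing)."""
    fields = dict(parse_qsl(query))
    fields[field] = new_value
    return urlencode(fields)
```

A signature only proves the fields came from the merchant unaltered; the gateway still needs the merchant to reconcile the settled amount against its own order record, which the article notes none of the systems it examined did.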

For example, some companies are not verifying customers sufficiently.  This occurs knowingly and action to rectify the situation is tardy.  In every case, the merchant pays the price when mistakes occur.
