Monday, September 25, 2023

About leakage of credit card information

Introduction

Increasing credit card information leaks and their consequences

The number of credit card records leaked from EC sites in 2019 was about 340,000, more than double the figure for 2018. The damage caused by fraudulent use on e-commerce sites after credit card numbers were stolen amounted to approximately 10.8 billion yen in the first half of 2019 alone.


If credit card information is leaked, the impact on the company that suffered the leak is severe. Many sites have lost their social credibility and have been forced to suspend their services.

Direct costs include damage compensation and system repair costs.

Damage compensation costs may be claimed not only for the amount of damage incurred but also for negligence due to the leakage itself. Depending on the content and number of cases, it can even reach tens of billions of yen.

As for the system repair cost, it is unlikely that repairs will be limited to the part that caused the leak. Because a recurrence of the leak cannot be tolerated, it is common for the entire system to be rebuilt, from the applications to the servers, network, and security software.

Indirect effects include temporary service outages and a decline in sales due to a decline in social credibility.

The service has to be stopped until the cause of the leak and its scope of impact are identified, and during that time EC sales are zero. A site that stocks food or other perishable items may also have to dispose of them.

In most cases, sales continue to decline even after the service resumes, because social credibility has been lost. Fewer new users sign up, and some existing users cancel or delete their accounts.

In this way, an information leak not only incurs one-time costs but also takes away future sales, and the company may go bankrupt from the resulting financial difficulties.

Three Mechanisms to Prevent Credit Card Information Leakage

How can we prevent credit card information leaks, which have a significant impact on corporate activities?

There are various causes, and measures at the middleware, OS, and network levels are of course necessary, but this article focuses on how to build the application and introduces three mechanisms.

Do not embed vulnerabilities in programs

The first is not to embed vulnerabilities in programs as the basis of software development.


Be sure to address major vulnerabilities such as SQL injection, cross-site scripting, and OS command injection.

SQL injection is a vulnerability in which an attacker enters text into an input form that the application passes to the database as part of an SQL statement, so that the database executes it and the credit card information it holds is obtained. As a countermeasure, you can prevent unintended SQL from being executed by escaping the values from the input form (replacing or removing symbols and strings that have a special meaning when SQL is executed).
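The following is an added example, not code from the article, showing the defect and the fix side by side. It uses an in-memory SQLite table standing in for an EC site's customer database (the table and its rows are constructed). `lookup_vulnerable` builds the statement by string concatenation, `lookup_escaped` applies the escaping the article describes, and `lookup_safe` uses a bound parameter, which is the usual way to get the same separation of data from SQL without hand-written escaping.

```python
import sqlite3

# Constructed in-memory table standing in for an EC site's customer database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (login TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("alice", "1111"), ("bob", "2222"), ("carol", "3333")])
    return conn


def lookup_vulnerable(conn, login):
    """Form input is concatenated into the statement, so it can change the SQL itself."""
    sql = "SELECT login, card_last4 FROM customers WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def escape_literal(value):
    """Hand escaping as the article describes: the single quote delimits SQL string
    literals, so doubling it keeps the input inside the literal."""
    return value.replace("'", "''")


def lookup_escaped(conn, login):
    """Same concatenation, but the input is escaped before it enters the statement."""
    sql = ("SELECT login, card_last4 FROM customers WHERE login = '"
           + escape_literal(login) + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, login):
    """Bound parameter: the driver passes the value separately from the SQL text,
    so the input can only ever be treated as data."""
    return conn.execute(
        "SELECT login, card_last4 FROM customers WHERE login = ?", (login,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    normal = "alice"
    hostile = "x' OR '1'='1"   # constructed form input that turns the WHERE clause into a tautology
    print(lookup_vulnerable(conn, normal))   # one row
    print(lookup_vulnerable(conn, hostile))  # every row: the condition became ... OR '1'='1'
    print(lookup_escaped(conn, hostile))     # no rows: compared against the literal text
    print(lookup_safe(conn, hostile))        # no rows: compared against the literal text
```

Run it as a script to see the three behaviours; the point to take away is that the vulnerable lookup returns every customer's record for the hostile input, while both protected variants return nothing because the input is compared as a plain string.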

To take comprehensive measures against vulnerabilities, the “How to create a secure website” guide issued by IPA (Information-technology Promotion Agency) is helpful.

Based on the vulnerability reports IPA receives, it takes up the vulnerabilities that are reported most often or have the largest impact and explains the countermeasures comprehensively. It also includes failure examples and checklists, so use them to confirm before and after implementation that the vulnerability countermeasures are complete.

In recent years, EC sites are often built on cloud services; even in that case, it is advisable to ask the cloud service provider to fill in the checklist and take measures as necessary.

Enhanced login function with multi-factor authentication

There are cases where a malicious user impersonates another user’s ID, logs in illegitimately, and steals credit card information. This attack is difficult to detect because, from the EC site’s side, it is indistinguishable from an ordinary user.

Password list attacks have become prominent in recent years as a method of unauthorized login.

A password list attack attempts to log in using a list of IDs and passwords that the attacker obtained elsewhere. It exploits the fact that many users use the same ID and password on multiple sites.

One measure is to warn users not to reuse passwords, but an EC site has no reliable way to check for reuse, and whether to reuse a password is ultimately up to the user.

One of the measures that should be taken on EC sites is to introduce multi-factor authentication.

Multi-factor authentication refers to authentication using two or more of the three authentication factors (knowledge, possession, and biometric).

Of the three factors, the knowledge factor is information the person knows, such as a password or secret question; the possession factor is something the person holds, such as a smartphone or credit card; and the biometric factor is a physical characteristic of the person, such as a fingerprint or facial features.

For example, if you combine a password (knowledge factor) with a smartphone (possession factor, confirmed by SMS), an attacker cannot log in unless the password is leaked and the smartphone is stolen at the same time.

By combining multiple different factors in this way, you can prevent unauthorized logins.

Combining all three factors is the strongest option, but it also adds to the user’s effort. It may therefore be introduced not at login but when important operations are performed, such as viewing credit card information or ordering to a new address.
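As an added example (not from the article), the step-up policy just described can be modelled as a small authorization check: the password satisfies the knowledge factor at login, and a one-time code delivered to the user's phone is demanded only when a sensitive operation is requested. The action names, code lifetime, attempt limit and step-up window are assumptions chosen for the example; in a real site the code would be sent by SMS and the session stored server-side.

```python
import hmac
import secrets
import time

# Operations that require the second factor (assumed policy, following the article's examples).
STEP_UP_ACTIONS = {"view_card_info", "order_to_new_address"}

CODE_TTL_SECONDS = 300       # assumed lifetime of a one-time code
MAX_ATTEMPTS = 5             # assumed number of wrong guesses before the code is discarded
STEP_UP_WINDOW_SECONDS = 600 # assumed time a verified possession factor stays valid


class Session:
    def __init__(self, user_id, password_ok):
        self.user_id = user_id
        self.password_ok = password_ok       # knowledge factor checked at login
        self.possession_verified_at = None   # when the phone code was last verified
        self.pending = None                  # [code, issued_at, attempts] while a code is live


def requires_step_up(action):
    return action in STEP_UP_ACTIONS


def issue_code(session, now=None):
    """Generate a 6-digit one-time code for the user's registered phone.
    The site would send it out of band (SMS); here it is returned so the example is self-contained."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    session.pending = [code, now, 0]
    return code


def verify_code(session, submitted, now=None):
    """Check a submitted code: expired or over-guessed codes are discarded, and the
    comparison is constant-time so the check does not leak which digits matched."""
    now = time.time() if now is None else now
    if session.pending is None:
        return False
    code, issued_at, attempts = session.pending
    if now - issued_at > CODE_TTL_SECONDS or attempts >= MAX_ATTEMPTS:
        session.pending = None   # force a fresh code rather than allowing unlimited guesses
        return False
    session.pending[2] += 1
    if hmac.compare_digest(code, submitted):
        session.pending = None
        session.possession_verified_at = now
        return True
    return False


def authorize(session, action, now=None):
    """Return 'allow', 'step_up' (second factor needed first) or 'deny'."""
    now = time.time() if now is None else now
    if not session.password_ok:
        return "deny"
    if not requires_step_up(action):
        return "allow"
    if (session.possession_verified_at is not None
            and now - session.possession_verified_at < STEP_UP_WINDOW_SECONDS):
        return "allow"
    return "step_up"


if __name__ == "__main__":
    s = Session("alice", password_ok=True)
    print(authorize(s, "browse_catalog"))    # allow: ordinary browsing needs only the password
    print(authorize(s, "view_card_info"))    # step_up: sensitive operation
    code = issue_code(s)
    print(verify_code(s, code))              # True once the phone code is entered
    print(authorize(s, "view_card_info"))    # allow for the rest of the step-up window
```

The design choice worth noting is that the cost of the second factor is paid only where the article says it matters: the password alone never unlocks card data or a new delivery address, but routine browsing is not burdened.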

Non-retention of credit card information

The third is non-retention of credit card information.

The Credit Transaction Security Measures Council, in which the Ministry of Economy, Trade and Industry and the card brands participate, requires member stores that accept credit cards either to adopt non-retention of credit card information or to comply with PCI DSS.


PCI DSS (Payment Card Industry Data Security Standard) is a security framework for protecting credit card information, operated and managed by five international card brands including VISA and MasterCard. Obtaining PCI DSS certification requires assessments such as on-site audits and site scans, and the standards are correspondingly strict.

Since it is not easy for small and medium-sized e-commerce services to implement security at a PCI DSS compliant level, non-retention of credit card information is now recommended.

Non-retention specifically means that card information is not stored, processed, or transmitted within the equipment or network owned by the company. Under non-retention, the company operating the EC site is not subject to the strict security standards; instead, the payment agency or similar party protects the credit card information in compliance with PCI DSS.
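An added example (not from the article) of a guardrail a non-retention EC backend can apply: because card numbers are supposed to reach only the payment agency's form, any request field or log line carrying a card number indicates a design slip and should be rejected or masked rather than stored. The candidate pattern, the Luhn check used to tell card numbers from order numbers, and the field-checking function are all assumptions of this example.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum, which payment card numbers satisfy; used to avoid flagging order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the card numbers (digits only) found in a piece of text."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan):
    """Keep only the last four digits, the form that is safe to display or log."""
    return "*" * (len(pan) - 4) + pan[-4:]


def check_inbound_fields(fields):
    """Guardrail for the merchant backend: return the names of any fields that carry a card
    number, so the request can be rejected before the number is stored, processed or forwarded."""
    return [name for name, value in fields.items() if find_pans(str(value))]


def scrub(text):
    """Mask card numbers in free text (e.g. a log line) before it is written anywhere."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask(digits) if luhn_ok(digits) else m.group()
    return _CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    # Constructed sample: a free-text note field that a customer filled with a card number.
    fields = {"name": "alice", "note": "please charge 4242 4242 4242 4242"}
    print(check_inbound_fields(fields))                        # ['note']
    print(scrub("paid with 4111111111111111 today"))           # paid with ************1111 today
    print(find_pans("order 1234567890123 shipped"))            # []: fails Luhn, so not a card number
```

The test numbers used (4111 1111 1111 1111 and 4242 4242 4242 4242) are the well-known Visa test values, not real cards. The check is a safety net, not the primary control: the primary control is that the payment form posts card data directly to the PCI DSS compliant payment agency and the merchant receives only a token or result.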

In conclusion

We have introduced three measures to prevent the leakage of credit card information, but taking any one of them does not reduce the risk to zero.

Preventing an information leak that could threaten the survival of the company requires multiple layers of defense in depth. Reduce the possibility of a leak as much as possible, making use of external services such as vulnerability assessments along the way.

If you ever want to know about similar things, check out the Facebook page Maga Techs.
