On Thu, 13 Apr 2000, Dan Hansgen wrote:

> The question I have is that I heard some time back that hackers had accessed
> some credit card information from an internet site.  Does anyone remember
> who the site was and why their configuration allowed this to happen?  Could
> this have been avoided with a better firewall?

The 'obvious' way is to not store credit card data on the web server.
Mechanisms I have heard mentioned in the past include one way serial
links, net cards with rx lines cut, and so forth.

I.e., you have a complete block on all internet connectivity from the
machine that does your credit card processing.  This is inconvenient
if the transaction fails for some reason, so you might back off to
using a very very cut down protocol over a duplex-link.  Small amounts
of very heavily audited code with a very well defined format spec.

                   serial            IP             IP        
<Processing Machine>----<web-server>-----<firewall>----<the world>
    |
    |
<dialup to cc auth comp>

> If you can remember who it was, was there follow-up information on what the
> site did to insure this could not happen again?

Probably the stock press release for 'we think we found the problem,
and made a change that we hope means that particular hole can't be
used again'.


The above is pretty paranoid.  I know a lot of sites just roll out an
'out of box' ecommerce package and pray.  At least as a user, my
CC company covers me from fraudulent use of my card.


Mark

+-------------------------------------------------------------------------+
Mark Cooke                  The views expressed above are mine and are not
Systems Programmer          necessarily representative of university policy
University Of Birmingham    URL: http://www.sr.bham.ac.uk/~mpc/
+-------------------------------------------------------------------------+
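A sketch of what the "very cut down protocol with a well defined format spec" might look like on the processing-machine side, added here as an illustration and not code from Mark's post or any real product. The wire format is an assumption invented for this example: the processing machine accepts exactly one message shape, validates every field against a fixed grammar, and answers with one of three fixed tokens, so there is no command that reads card data back over the link.

```python
import re

# Constructed wire format (an assumption for this example, not a real standard):
# one ASCII request line per transaction, no free-form fields, no other commands:
#   AUTH <order:8 digits> <amount_cents:1-9 digits> <pan:13-19 digits> <exp:MMYY>\n
# The reply is always exactly one of: b"OK\n", b"DECLINED\n", b"ERR\n".
REQUEST_RE = re.compile(rb"AUTH (\d{8}) (\d{1,9}) (\d{13,19}) (\d{4})\n")
MAX_LINE = 64  # longest legal line is 49 bytes; anything longer is rejected early


def luhn_ok(pan):
    """Standard Luhn check on a string of digits (catches typos and junk)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_request(line):
    """Return (order, amount_cents, pan, exp) or None if the line is not in spec."""
    if len(line) > MAX_LINE:
        return None
    m = REQUEST_RE.fullmatch(line)  # whole line must match; no trailing bytes
    if m is None:
        return None
    order, amount, pan, exp = (g.decode("ascii") for g in m.groups())
    if not luhn_ok(pan):
        return None
    if not 1 <= int(exp[:2]) <= 12:
        return None
    return order, int(amount), pan, exp


def handle_line(line, authorize):
    """One request in, one fixed token out; card data never travels back.

    `authorize` is a hypothetical callback standing in for the dial-up to the
    card authorisation company; it returns True or False.
    """
    req = parse_request(line)
    if req is None:
        return b"ERR\n"
    order, amount, pan, exp = req
    return b"OK\n" if authorize(order, amount, pan, exp) else b"DECLINED\n"
```

Because the only reply path is a status token, a compromised web server can at most submit authorisation requests; it cannot query the processing machine for anything it holds.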
