
[WEB SECURITY] Lame or no site logout -- AKA: How to steal credit card numbers without really trying




Greetings,

Please pardon this rant, but I am really fed up with a MAJOR security issue that many (most?) ecommerce sites implement in the guise of 'ease of use': that is, the 'remember me' function as default. Probably the biggest offender is Amazon.com, where they do not even have an explicit logout function -- you have to click on the link that says 'I am not XXX' to simulate a logout.

Want to steal credit card numbers? It's simple: Just go to any library or other location that offers public Internet access. Then go to any ecommerce site, such as amazon, any of the major travel sites, hotel sites, car rental sites, airlines sites, or financial services sites, such as banks, credit unions, stock trading sites, etc. When you go to these sites, you will most likely be logged in as the last user of the site and have full access to all of that user's personal information entered, including credit card numbers. Why can you get away with this? At least 4 reasons come to mind:
   1) Many sites do not provide an explicit logout function -- leaving you logged in 'forever' by putting cookies on your HDD that keep the login alive even after you exit the browser.
   2) Many sites that do have logouts automatically select a 'remember me' check box when you first log in that creates a cookie on your HDD that automatically logs you back in the next time you visit the site.
   3) Almost no ecommerce site has an inactivity timeout after which you have to reenter your password to continue to use the site.
   4) Use of applications such as PIE that keep cookies alive, even if the user thinks they deleted the cookie.

I am sure the members of this maillist can come up with even more lame web application design issues that result in the implementation of 'ease of use' capabilities at the detriment of security.

What needs to be done? Implement and enforce some common sense web application design standards. If credit card companies were to enforce such minimum common sense standards before they would permit a vendor to accept credit cards in their web apps, it would go a long way to increasing user security. My $0.02 worth of common sense ideas would include:
   1) Any time the browser is exited, the user must reenter their password when returning to the web site.
   2) After a relatively brief (5 to 10 minutes?) inactivity time, the user must reenter their password to continue using a site.
   3) Before accessing any part of a site that contains sensitive information (name, address, phone #, credit card info, etc.), the user must reenter their password.
   4) Applications should block caching of sensitive information so that the browser's BACK button cannot be used to access sensitive information without the user first reentering their password.
   5) After the completion of a transaction where the credit card is used, or sensitive information is entered or edited, the user must reenter their password to continue using the site. 
   6) Every site must provide an explicit 'logout' button.
   7) Every site that requires some type of authentication should have a login failure lockout mechanism. The mechanism should lock out accounts after 3 or 4 consecutive login failures without a successful login, regardless of the time lapse between login attempts. After account lockout occurs, the user must contact the site's support group to have a new password emailed to their default email account (this could be totally automated). The user must then change their password on the next successful login.

Anyway, thanks for putting up with my rant. I know that most/all of this has been said before. However, a visit to amazon.com earlier today just really got my blood boiling over the site's inability to easily logout.

My only remaining question is: "What is it going to take to force organizations to make security a higher priority than ease-of-use and functionality on their web sites?"

Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
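As an added illustration that is not part of Jon's post or any real site's code, here is a minimal Python session manager that implements his rules 1, 2, 3, 4, 6 and 7: a session-only cookie with no Expires/Max-Age, an inactivity timeout, password re-entry before any sensitive page, no-store cache headers on that page, an explicit logout, and a lockout after consecutive login failures that elapsed time never resets. The account and session dictionaries, the 10-minute and 4-failure values, and the injectable clock are assumptions for the demo; the plain-text password comparison stands in for a real password hash check.

```python
import secrets
import time

INACTIVITY_LIMIT = 10 * 60   # idle seconds before a fresh login is required (post suggests 5 to 10 minutes)
LOCKOUT_THRESHOLD = 4        # consecutive failed logins before the account locks, regardless of elapsed time
NO_CACHE = {"Cache-Control": "no-store, no-cache, must-revalidate", "Pragma": "no-cache", "Expires": "0"}

class SessionManager:
    def __init__(self, accounts, now=time.time):
        # accounts: {user: {"pw": ..., "fails": 0, "locked": False}}; plain-text pw is for the demo only
        self.accounts, self.now, self.sessions = accounts, now, {}   # `now` is injectable for testing

    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct is None or acct["locked"]:
            return None
        if password != acct["pw"]:
            acct["fails"] += 1   # counter is never reset by elapsed time, only by a successful login
            acct["locked"] = acct["fails"] >= LOCKOUT_THRESHOLD
            return None
        acct["fails"] = 0
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "last_seen": self.now()}
        return sid

    def session_cookie(self, sid):
        # No Expires/Max-Age: the browser discards the cookie on exit, so there is no 'remember me'
        return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def touch(self, sid):
        s = self.sessions.get(sid)
        if s is not None and self.now() - s["last_seen"] > INACTIVITY_LIMIT:
            del self.sessions[sid]   # idle too long: the session is destroyed, not merely flagged
            s = None
        if s is not None:
            s["last_seen"] = self.now()
        return s

    def sensitive_page(self, sid, password=None):
        # Returns (status, headers); 'ok' only when the password is re-entered on this request
        s = self.touch(sid)
        if s is None:
            return "login", {}
        if password != self.accounts[s["user"]]["pw"]:
            return "reauth", {}
        return "ok", dict(NO_CACHE)   # no-store keeps the BACK button from replaying the page

    def logout(self, sid):
        self.sessions.pop(sid, None)
        return "sid=; Path=/; Max-Age=0; Secure; HttpOnly"   # explicit logout clears cookie and server state
```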





---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/