The Initech Novelty, Inc. Security Manager (SM) was recently contacted by a concerned consumer about the security of some of its online payment transaction pages. The consumer reported that her credit card information had been stored in cached Web pages on her PC.
The Security Manager decided to investigate: he browsed to the Initech Novelty Inc. website, created an order, and completed the payment card transaction process.
The following observations were made:
1. A user ID and password are required in order to make a purchase on the web site.
2. The session from login to checkout is protected by SSL with 128-bit encryption, using a valid EV (Extended Validation) certificate.
3. Since Initech Novelty Inc. does not store credit card information or preferences on behalf of its consumers, every transaction requires input of the credit card information.
4. Session state between the payment card input / transaction amount screen and the payment card / transaction amount confirmation screen is carried in hidden form fields.
5. Even though a portion of the payment card PAN is masked on the confirmation page, the full PAN can be read in the source of the confirmation page. Other payment card data held in hidden fields include the CVV2/CID/CVC2 value, the expiration date, and the cardholder name.
6. Using a client-side web proxy, the Security Manager observed that none of the response headers from the web servers contained a “Cache-Control: no-store” or “no-cache” directive.
7. The Security Manager was able to retrieve a copy of the confirmation page from his browser cache and view the entire PAN.
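The two observations that matter most technically are the missing cache directives (observation 6) and the card data sitting in hidden fields (observations 5 and 7). The script below is an added example, not code from the original post or from Initech; it reproduces both checks offline against a constructed confirmation page and constructed response headers, so the field names (pan, cvv2, exp), the header values and the sample card number are all assumptions made for the illustration. It flags a missing no-store / no-cache directive, and it walks the hidden inputs looking for a Luhn-valid 13-19 digit PAN, a 3-4 digit value under a CVV-like field name, and an expiry date.

```python
"""Added example (not part of the original post): offline reproduction of the
Security Manager's checks against a constructed confirmation page.

1. cache_findings(): does the response carry the Cache-Control directives that
   keep a page out of the browser cache? 'no-store' is the one that prevents
   writing to disk; 'no-cache' alone only forces revalidation before reuse.
2. card_data_findings(): do any hidden form fields hold a PAN, a card
   verification value, or an expiry date?

All sample data (headers, HTML, field names, card number) is constructed.
"""
import re
from html.parser import HTMLParser

# Constructed sample: a response that is cacheable (no 'no-store').
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "private",
}

# Constructed sample: confirmation page that masks the PAN on screen but
# carries the full card data in hidden fields (assumed field names).
SAMPLE_HTML = """
<form action="/confirm" method="post">
  <p>Card: ************1111</p>
  <input type="hidden" name="pan" value="4111111111111111">
  <input type="hidden" name="cvv2" value="123">
  <input type="hidden" name="exp" value="12/27">
  <input type="hidden" name="amount" value="43.00">
  <input type="hidden" name="holder" value="Jane Doe">
  <input type="submit" value="Confirm">
</form>
"""


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (used by PANs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def cache_findings(headers: dict) -> list:
    """List the Cache-Control weaknesses in a response header map.

    Header names and directive tokens are compared case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    directives = [d.strip().lower()
                  for d in lower.get("cache-control", "").split(",") if d.strip()]
    findings = []
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store: page may be written to the disk cache")
    if "no-cache" not in directives:
        findings.append("Cache-Control lacks no-cache: a cached copy may be reused without revalidation")
    return findings


class _HiddenFieldParser(HTMLParser):
    """Collect name -> value for every <input type="hidden">."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "hidden":
            self.fields[a.get("name", "")] = a.get("value", "")


def hidden_fields(html: str) -> dict:
    parser = _HiddenFieldParser()
    parser.feed(html)
    return parser.fields


CVV_NAME_RE = re.compile(r"cvv|cvc|cid|csc|security", re.I)
EXPIRY_RE = re.compile(r"^(0[1-9]|1[0-2])\s*/\s*(\d{2}|\d{4})$")


def card_data_findings(html: str) -> list:
    """Flag hidden fields that carry PAN, CVV-like, or expiry values.

    A Luhn-valid 13-19 digit string is reported as a PAN; order or invoice
    numbers can also pass Luhn, so treat hits as leads to confirm by hand.
    """
    findings = []
    for name, value in hidden_fields(html).items():
        digits = re.sub(r"[\s-]", "", value)
        if digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(f"hidden field '{name}' holds a Luhn-valid PAN ending {digits[-4:]}")
        elif CVV_NAME_RE.search(name) and re.fullmatch(r"\d{3,4}", value):
            findings.append(f"hidden field '{name}' holds a card verification value")
        elif EXPIRY_RE.match(value):
            findings.append(f"hidden field '{name}' holds an expiry date")
    return findings


if __name__ == "__main__":
    for line in cache_findings(SAMPLE_HEADERS) + card_data_findings(SAMPLE_HTML):
        print(line)
```

Run against the constructed sample, the script reports both missing directives plus three hidden-field hits (PAN, CVV2, expiry), which is exactly the combination that lets a cached copy of the confirmation page expose full card data. Pointing `cache_findings` at real response headers captured through the client-side proxy, and `card_data_findings` at the saved page source, gives the same evidence the Security Manager gathered by hand.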
Other Given Information:
1. The daily average of online sales transactions (purchases) via the Initech Novelty, Inc. ecommerce site is 1000. The average transaction amount is US $43.
2. Initech Novelty Inc. is considered a Level 3 merchant by its payment processor, an agent of the processor’s acquirer.
3. Based on voluntary post-checkout web surveys, 45% of all transactions on the Initech Novelty Inc. ecommerce site are by consumers who visit the site regularly over a 3 month period. The remaining 55% of transactions are from consumers who purchase only once or visit the site less than once every three months.
4. Based on voluntary post-checkout web surveys, 65% of the survey respondents consider themselves “online security” aware.
5. Finally, 75% of survey respondents performed their Initech Novelty, Inc. transaction from their home or work PC. Of the remaining 25% of respondents, only 10% performed their transaction from a public terminal.
Task: Perform a risk assessment on this security issue utilizing the FAIR methodology. Summarize the risk associated with this scenario. Recommend some general risk mitigation approaches the application team can look at to mitigate the risk.
Posts 2, 3 and 4 to be published throughout this week.
Note: The purpose of the scenario is to provide enough information to conduct a risk assessment. It would be nearly impossible to write a scenario that would fit every environment (end user / provider), every web application platform, every use case, and every real-world variable. Please see my Scenario Pre-Read for additional information.