Problem Solved; Access by many without compromising information
(This is a true story about a real problem that was solved with current and readily available technology.)
While developing self-replicating sites for essentialoilsrus.com, I came up against an interesting problem.
Sites are purchased at essentialoilsrus.com by distributors of a certain line of products. Each replicated site has a common product database and a common shopping cart. However, the fulfillment company can not accept orders sent directly to their server. They must receive orders by telephone or by FAX.
Product distributors need to FAX or telephone their own orders.
Emailing orders to individual distributors so they can then FAX or telephone them to the fulfillment company would not be secure, thus not acceptable. Using PGP encrypted email would require training each distributor to use it. Again, not acceptable.
What's needed:
- Order information needs to be stored on a secure
server and retrieved by individual distributors
so they can then FAX or telephone them to the
fulfillment company. Retrieving from the secure
server must be done without compromising the
personal and financial information of other
distributor's orders.
- When the distributor retrieves orders from the
secure server, the environment of the distributor's
computer can not be known. It might be a computer
in a one-person office or it might be in an internet
cafe where others have access to the same computer.
As much security as possible needs to be implemented
for diverse computer environments.
It was a nice little problem, the kind I enjoy solving.
Security on the Secure Server
Distributors already have usernames and passwords to access the control panel for customizing their replicated sites. When a distributor's site receives a product order, the distributor receives an email with a unique order number. The username, password, and order number are all required to retrieve the order's payment and other information from the secure server.
Thus, even with a stolen username and password, unique order numbers must be known before an order's information can be retrieved.
Security in the Distributor's Computer Environment
Implementing as much security as possible in the distributor's computer environment required more thought than did the secure server solution.
When the distributor retrieves an order, the order must be presented in the browser ready to print for FAXing to the fulfillment company or for reading while telephoning the order.
Server side programming has its limitations. For example, while the order is on the screen, nothing can be done about others looking at it. And the printed copy's distribution can not be effectively restricted.
However, there were some things I could do.
- Instead of plain text, credit card numbers could be
displayed on the screen with graphics.
- If the distributor saves the page to his/her hard
drive, an extra step of saving the images must be
taken in order to save the credit card numbers.
The numbers on the images appear like the
surrounding text; not saving the images would
reduce such thoughtless security risk.
- The file names of the graphics could be
temporary. Once the page with the order
information is loaded into the browser,
the file names can be deleted.
- Because temporary, randomly generated file names
are used, image file names from any pages saved
to the distributors hard drive could not be used
for determining the credit card numbers of other
saved pages.
- The distributor could be requested to log off when
done. Logging off can delete all information on the
secure server related to the retrieved orders.
Currently, there are several dozen replicated sites at essentialoilsrus.com. The implemented solution will work okay when there are several hundred, and even several thousand, replicated sites.
Will Bontrager
