Know the risks of using online payment systems

By debate
Does your organization have an Internet use policy? Does it address using online payment systems? Do you agree that allowing employees to use these systems can put the network at risk? Share your comments about the risks of online payments systems, as discussed in the Dec. 13 Internet Security Focus newsletter.



Unacceptable

by dafe2 In reply to Know the risks of using o ...

We promote the use of acceptable use policies and Intranets to broadcast "tips & tricks", security information & the like. We do not promote or permit the personal use of corporate infrastructure.

It has been my experience that educating users about Policy and Security is the best line of defense against (internal) incidents. They seem to appreciate the communications.

In discussions with the average user they seem to be more aware of things like chain e-mail, clicking ok on an obscure pop-up and answering "surveys" while on-line.

Acceptable use policies are reviewed by HR and the employee during orientation and signed off by both the employee and his/her immediate supervisor.

In your scenario (above), I wouldn't be concerned about expanding the external attack surface, but would be concerned with having someone's identity stolen when they were paying their bills instead of typing that memo.


Liberal policies

by saphil In reply to Unacceptable

My company has very liberal policies for certain public-access PCs, but at the same time, known porn sites or spyware sites are filtered at the router and each machine has a software firewall. A TCP/IP scan cannot find us at all. We have experienced no successful attacks, though our logs show there are several attempts every week. We are seeded with spyware cookies and registry entries quite often, but a daily scan removes those.


This can lead to theft

by dafe2 In reply to Liberal policies

There's nothing wrong with being liberal in your case; you seem to know your users & you appear to use responsible techniques. IMO there should still be some form of written policy. Due diligence. (Maybe you have one, you don't mention it.)

In some countries, you may need to be aware of (and abide by) governmental issues such as Sarbanes/Oxley (US) and PIPEDA (Ca).

In some enterprises you may have thousands of users, politics, and all manner of (user) sophistication..........Yes, there's porn, music and just plain surfing. Then there's E-Mail.....

In most, well, in my opinion ALL, computing environments, threats come from within. They can be intentional and/or accidental.

Absolutely - There is nothing wrong with a liberal policy but the rules MUST be in writing, clear and uniform.

I'll give you a for instance:

A supervisor notices an employee doing a lot of surfing. He requests an internet usage report on the employee. The report shows the employee has surfed for more than 43 hours in the past 22 working days. It was clearly not work related surfing. When confronted, the employee says, "I'm sorry, I wasn't aware of any policy." There's really nothing you can do.

If he/she works a 40 hour week, this employee was given a week's pay, and the employer received nothing in return. Some businesses call this theft. (I know I do.) An employee does not own the computers or the infrastructure. They are TOOLS an employer supplies to either produce or account for income. A simple view, I'm sure.

On the flip side, I wonder what this same employee would say about the company or OUR security if he were a victim of identity theft...

No doubt it wouldn't matter that he/she was in some way responsible......just that it was found to happen at his office. All he/she thinks is: "I was at work! How could the IT group let this happen!"
And they'd tell anybody who'd listen...

IT is not "Corporate Internet Police", but all I'm saying is we should be doing all we can to educate our users, protect corporate assets (using due diligence) and also protect users, in some cases, even against themselves.


Outsourcing security services

by panrio In reply to Know the risks of using o ...

Security affairs are becoming increasingly complex and more hazardous to both employees and companies, online payment included. Wouldn't it be appropriate now to outsource security affairs?


Online Payment Risks

by mwojcik In reply to Know the risks of using o ...

We do have an Internet use policy, but it does not address using online payment systems. The majority of our hardware and software is purchased using the Internet and a credit card. We have credit cards assigned to administrative staff for purchasing, and only once in the three years that we have had the cards has someone's account been compromised. It was compromised by giving the credit card number over the telephone. The person who took the information over the phone went directly out and purchased three very expensive handbags the very same day. Personally, I have been using online banking and purchasing over the Internet for years and feel more comfortable than giving it verbally or handing it to someone. I educate and keep the users up to date on security issues on a weekly basis. I do believe that educating users keeps the network safe.


Email Scams

by mb11010 In reply to Know the risks of using o ...

You mention worms and fraudulent payment systems ... I won't touch on those in this, but you also mention email scams.

Email scams can be easily avoided with a bit of education (which you also mention). What you didn't mention is HOW to avoid them. It's extremely simple. DON'T give credit card, or any personal information for that matter, in response to an email.

If you receive an email asking for ANY information, go to the merchant/bank's website and get their customer service number (do not use the number in the email w/o verifying it at the web site). Then you call customer service and explain the situation. Most sites will tell you that they will not ask for passwords/card #s/or other private information via email. If they call you, then you ask for their name and extension #, then GO TO THE SITE, get the phone #, and call them back.

If they ask you to email them any private information, then you ask to speak to their supervisor. If they still require you to send it via email, then you tell them that you wish to cancel your transaction. They are required, by law, to allow you to cancel a pending transaction. DO NOT EVER send private information via email; your phone line is dramatically more secure.

Following those guidelines, you are extremely unlikely to fall victim to email based fraud/identity theft attempts.



by Jaqui In reply to Email Scams

You forgot to mention:
NEVER follow a link in an email requesting confidential information.

Just took a phishing awareness quiz, before even looking into phishing.
Got 80% with no real knowledge of phishing.
Spent the time since looking into it.
Teaching people and associates how to spot it all the time now.

Best way to stop the risk: education.
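The two posts above give the rule (never send credentials in reply to an email, never follow its links; verify through the merchant's own site instead) as something to teach users. The script below is an added example, not code from either poster or from the newsletter, showing how a mail gateway or help desk could apply the same rule mechanically: it pulls every link out of a message and flags the ones whose host does not belong to the domain the sender claims, and separately flags bodies that ask for passwords or card numbers. The two sample messages, the `examplebank.test` sender and the `login-verify.example` host are all constructed for the example; the domain matching is a deliberate simplification (it keeps only the last two labels, so multi-part public suffixes such as `co.uk` would need a real public-suffix list).

```python
"""Screen an e-mail for the scam pattern discussed in the thread.

Added example (not from the original posts). Links are never fetched:
the check only compares where a link points against who the mail
claims to be from, which is the point of the "never follow the link"
rule.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# http(s) URLs in the message body (stops at whitespace or quote/angle chars)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# phrases that indicate the mail is asking the reader to supply secrets
REQUEST_RE = re.compile(
    r"\b(password|card number|account number|pin|ssn)\b", re.IGNORECASE
)


def registrable_domain(host):
    """Return the last two labels of a hostname.

    'secure.bank.example' -> 'bank.example'. Simplification: multi-part
    public suffixes (co.uk, com.au, ...) are not handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(msg):
    """Registrable domain of the address in the From: header, or ''."""
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return registrable_domain(match.group(1)) if match else ""


def screen_message(raw):
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    claimed = sender_domain(msg)
    findings = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != claimed:
            findings.append(
                f"link host {host!r} does not match sender domain {claimed!r}"
            )
    if REQUEST_RE.search(text):
        findings.append("body asks for credentials or card details")
    return findings


# Constructed sample: the host looks like the bank's name but the
# registrable domain is someone else's.
PHISH_SAMPLE = """From: Example Bank <alerts@examplebank.test>
To: user@corp.test
Subject: Verify your account

Your account is locked. Confirm your card number at
http://examplebank.test.login-verify.example/confirm now.
"""

# Constructed sample: link stays inside the sender's own domain and the
# body asks for nothing.
LEGIT_SAMPLE = """From: Example Bank <statements@examplebank.test>
To: user@corp.test
Subject: Your statement is ready

Your monthly statement is available at https://online.examplebank.test/statements
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, screen_message(sample) or ["no findings"])
```

A mismatch is only a flag, not proof of fraud (legitimate senders do use third-party mailing hosts), so the sensible action on a hit is the one mb11010 describes: look the merchant up independently and call them, rather than acting on anything in the message.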


The sky is falling

by Konza In reply to Know the risks of using o ...

I think the article over-states the risks. For the most part, people who respond to fraudulent emails only endanger their own credit, not their company's. With all the press that fraudulent emails and scams have gotten, if you have an employee that responds to one of them---without question---with sensitive company information, perhaps you have the wrong person in that position. And if your company's IT department is doing their job, current antivirus and malware software and user education, a virus or worm should not be an issue.

I've been banking and purchasing online for quite some time now and the only instance of fraudulent use of my credit information can be directly traced to an employee of a physical retail store where I used my card.

I can't say that financial transactions on the internet have no risk, I just think that you can get scammed anywhere, the risk is the same across the board.


Too funny..........

by dafe2 In reply to The sky is falling

The problem with the press is that "security", "patch" and virus alerts are so GD poorly written and articulated, like some kind of massive emergency every second week, that nobody listens to the BS anymore........ and IMO it is usually absurd and blown way out of proportion.

Now that I have that out of my system -

As stakeholders, it is our JOB (IT / BIS) to make sure that we keep in touch with these things, evaluate any threats then take corrective action where and when it's required.

I agree with your views; the best defense is an educated user base. A competent (and slightly paranoid) IT / BIS group helps too.

IMO the only role the Press and Pundits play in your world and mine is comic relief. grrr


Emergencies are how they get to keep their jobs

by jdclyde In reply to Too funny..........

It is just like the TV reports: "watch tonight on News 6 at 6 to keep from getting killed while making a sandwich."

Same for security. There is someone every four seconds trying to break into your computer. oooooh.

Get a firewall and 98% of the threats are gone, and all you have left is the porn surfing CEO that you have to worry about. (for anyone who has been following current discussions)

Getting a policy is all nice and fine, but most IT staff are not in a position to enforce the policy and the last thing I want is to become the IT Nazi.

Secure the systems.
Do backups.
Go on with your life.
