What are the security risks of utilizing a marketing vendor that uses a reverse proxy?

Our Marketing dept has contracted with a outside marketing company (without the IT department's knowledge) which pulls our web site url through their servers whenever someone clicks on one of their ads.  They capture page views, emails, and other information.  What is to prevent them from capturing our credit card numbers (we are an e-commerce site) as well?  And what would prevent criminal elements from using this as a means of stealing credit card information?
Who is Participating?
Dave HoweConnect With a Mentor Software and Hardware EngineerCommented:
Ok. If they are also wrapping your HTTPS traffic, then you have a security issue. A lot depends on how you are processing CC or other PCI information, but effectively you are subject to a known man-in-the-middle attack against your site (if you are using a payment processor that handles such details themselves, then you may not be responsible for the result (but they may well take exception to "your" traffic always coming from another host; correspondingly, if you are knowingly allowing a third party to intercept CC traffic, then you could well be liable if that CC traffic goes astray.

I would first check to see if any PCI sensitive data IS going via these marketing servers. IF they are, then go to marketing and say you need signed paperwork from both the marketing company AND your payment processor that they are ok with this setup and accept all liability arising from this happening - otherwise you will block all HTTPS at the firewall from that IP range, and leave them to sort out the fallout.  
jhoekmanConnect With a Mentor Commented:
I'll let someone who knows more about security than I speak to the actual technicalities, but if I were you, I would just stop serving ads on secure pages like your shopping cart when you are trying to get people to complete their purchase.  The less distractions you have during your conversion funnel, the less likely they are to get distracted, increasing the chances they will complete their purchase.  

And regarding the information they need from your site, they don't need to know anything more than page views and impressions served in order to fulfill the necessary data to the publishers they represent.  If they are collecting anything outside of that, I would be very concerned and again would not serve their information on those secure pages.

They have no reason to ask for email, etc.  They just need to know impressions and clicks so that they can measure ad performance.  

Can you tell us what ad provider you are using?
Dave HoweSoftware and Hardware EngineerCommented:
I think your first step should be some sort of traffic log analysis - you should see the traffic from the reverse proxy as all coming from a single or range of addresses; if that includes https traffic, then you have a significant problem and should contact whomever your ecommerce merchant account is with for advice. If it is http only, then you should move to *only* accepting customer info securely, even if that increases server load.

But it all starts with you finding out what is happening, rather than speculating how their "wrapper" works.  You will find a lot of banner add companies do clickthough tracking (after all, they are paid based on how many they get, or at least need to supply clicks-per-campaign info) and will usually use cookies and other similar mechanisms to establish unique impressions (again, for metrics) but can reasonably defend that practice based on the fact that your *own marketing department* is asking for said metrics. You can also (if you wish) use the source IP to define a unique landing page for your redirected visitors; using many more absolute (full url) links for things like user login/signup (fairly normal if you are forcing redirect to https anyhow) can get users transparently back onto a "direct" channel to you (which you can then monitor, again via the logs) unless the ad vendor is also deliberately rewriting your target urls (which is possible; certainly Novell's reverse proxy products could do that routinely) - but again, your first step (and indeed, every other step :) is log analysis.
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

Bible_on_stageAuthor Commented:
This company describes their services as enables us to track all activity generated from your ad without ever needing to contact your webmaster.  Netcraft.com identifies their server's OS as Citrix Netscaler.  All traffic, including https. is going through their server, and our logs show the traffic then coming to our server  The url they write replaces our host name with theirs and everything beyond that is identical to our web site's paths.  Their ssl certificate is encrypting the https traffic and Fiddler shows it as being passed to our server as http on port 443.  From a technical side I don't like it but apparently Marketing does.  But what I'm trying to understand is if this is a possible security vulnerability that effects our PCI compliance.  And what would prevent a criminal enterprise from doing something similar. I haven't read anywhere of this type of technique as being identified as a security exploit, but it seems as something that would be reasonably easy to duplicate - so I feel there must be something I am missing and don't understand.
Dave HoweSoftware and Hardware EngineerCommented:
Normally, the only protection you have against a criminal enterprise doing this is your domain name - this is a classic Phishing / MITM attack, and is usually done from a spoofed or typo domain so that the https traffic looks legit.

On the bright side, if all the traffic is going to be going though some other provider and senior management are signing off on it, you can stop having to find the cash for a https cert from your CA - just use a self signed one, its not like this advertising company will care ;)
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.