See, I'd hazard a guess that shared hosting is going to be a much easier attack vector. If someone roots the hosting server you're screwed either way.
Indeed. I spoke with TSOHost who said that the only way to improve security on the DB is by having a dedicated hosting service. This way, they can add a firewall. However, we are talking about increasing costs here. And if we assume that we are dealing with 5-10 transactions per month, initially, this just doesn't seem worth it.
This just sounds like pure replication so just get MySQL to do that for you -
This not pure replication. Repication is good redundancy but useless when it comes to fraud detection.
By using the system which I am proposing, we have 2 DBs which in theory should contain identical data, at all times. If they do not then the admin is flagged.
Why might the 2 DBs have different data?
1. if 1 DB is "down", while the other is "online", only 1 DB will get updated.
2. if a hacker updates or alters 1 DB
In both cases, the admin shall be alerted. In case 1, the admin can make an "adjustment" to correct the difference, to prevent the same "error" from alerting the admin. In case2, the admin can lock the user's account and investigate what has gone on.
To clarify, if we use simple replcation, if the hacker decides to alter DB1, DB2 is automatically altered as well, thus defeating the ability to detect differences between the 2 DBs (as they are always identical).
To me this all seems to point to periodically auditing transactions against your payment gateways, of course, if that gets hacked you and a lot of other people have bigger problems.
I'm looking into this right now. I am going to use Paypal. Now paypal have an API to get transactions which have occurred. The easiest way is to have a program periodically get the transaction ids of transactions and then check the DB against them. If there are erroneous transactions, then we can alert the admin and lock the account. HOWEVER, this is only available on the Pro Account and seeing as I am going to be using Paypal Standard, this facility is not available.
Now, I have created a program which is able to read a webpage, so its still possible that I might get my program to load up Paypal's account page and then extract all the transactions which have occurred.
MSSQL can do transaction log shipping (I'm sure MySQL can but I have no idea what they call it) which is kind of like your email idea - it dumps the transaction details into a file which another server can read and apply to itself. You could have them dumped into a read-only VPN/FTP folder which the other server picks up and processes.
I may use emails to validate the transactions, but the problem here is that we are involving too many servers.
Server1. web host and DB1 host
Server2. DB2 host
Server3. email server
Server4. local server running my program which receives the email
The more servers we have the greater the chance of a point of failure. If somebody has paid money into their account, if any of the above 4 servers are out, their transaction will show as pending = not good. The only way that a transaction is considered valid, if is all the servers involved are working.
The best balance is to have 2 separate databases on Server1 (DB & web host) and Server2 (DB2).
Also consider that if somebody wants to withdraw money, there are additional checks which occur. So, lets assume that a hacker successfully bypasses all the security measures before withdrawal. He may still be caught by a human, at the time of withdrawal.
I shall also be using Paypal's IPN system (ie. when a transaction is successful or cancelled, paypal automatically generates a message which is sent to a url/server). This is another way to get hold of the details of the transaction and perhaps hold this information on a separate server.