Tuesday, July 28, 2009

e-Commerce security: Attacks and preventive strategies - V

The criminal incentive

Attacks against e-Commerce Web sites are alarming enough that they follow right after violent crimes in the news. Practically every month there is an announcement of an attack on a major Web site in which sensitive information was obtained. Why is e-Commerce so often a target? Is e-Commerce software more insecure than other software? Did the number of criminals in the world increase? The developers producing e-Commerce software are drawn from the same pool as those who work on other software; in fact, this relatively new field attracts top talent, so the quality of the software produced is roughly the same as that of other products. Nor did the criminal population suddenly explode. What changed is the incentive: an e-Commerce exploit is a bargain compared to other illegal opportunities.

Compared to robbing a bank, the tools needed to perform an attack over the Internet are cheap: the criminal needs only a computer and an Internet connection. A bank robbery, on the other hand, may require firearms, a getaway car and tools to crack a safe, and even these may not be enough. The low cost of entry therefore attracts a much broader criminal population to e-Commerce sites.

The payoff of a successful attack is enormous. Taking a single penny from every account at one of the major banks easily amounts to several million dollars, whereas the local bank robber optimistically expects a windfall in the tens of thousands, because bank branches do not keep a lot of cash on hand. Most of the money exists as bits and bytes sitting on a hard disk or crossing a network.

While the local bank robber is restricted to the handful of branches in his region, his online counterpart can choose from thousands of banks with an online operation. He can rob a bank in another country and exploit the absence of extradition arrangements between the country where the attack originates and the country where it lands.

An attack on a bank branch requires careful planning and precautions so that the criminal does not leave a trail: the getaway car must not be easily identifiable after the robbery, and he cannot leave fingerprints or have his face captured on the surveillance cameras. On the Internet he can make himself anonymous and the source of the attack hard to trace with far less effort.

The local bank robber must obtain detailed building plans and city maps of his target. His online counterpart finds information on hacking and cracking easily and for free, and can use a different set of tools and techniques against an online bank every day.

Friday, July 10, 2009

e-Commerce security: Attacks and preventive strategies - IV

Security features

While security features do not by themselves guarantee a secure system, they are necessary to build one. Security features fall into four categories:

  • Authentication: verifies that you are who you say you are. It ensures that only you can log on to your Internet banking account.
  • Authorization: allows only you to manipulate your resources, and only in specific ways. It prevents you from increasing the balance of your own account or deleting a bill.
  • Encryption: deals with information hiding. It ensures that others cannot spy on your Internet banking transactions (nor you on theirs).
  • Auditing: keeps a record of operations. Merchants use audit records to prove that you bought a specific item.
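The four categories above, shown together in an added Python example that is not code from the article or from WebSphere Commerce: a toy Internet-banking service with made-up users and accounts. Authentication checks a salted password hash, the authorization check is what stops an authenticated user from reading someone else's account or raising his own balance, and every decision is appended to an audit log. Encryption of the transport is outside this snippet.

```python
"""Toy Internet-banking service illustrating authentication, authorization
and auditing.  Added example, not from the original article; all users,
accounts and amounts are constructed sample data."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000
USERS = {}      # username -> (salt, pbkdf2 hash of password)
ACCOUNTS = {}   # account id -> {"owner": username, "balance": cents}
AUDIT = []      # append-only list of (actor, action, details)


class AccessDenied(Exception):
    """Raised when an authenticated user touches a resource he does not own."""


def audit(actor, action, **details):
    """Auditing: every security-relevant decision is recorded, allowed or not."""
    AUDIT.append((actor, action, details))


def register(username, password, account_id, balance_cents):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = (salt, digest)
    ACCOUNTS[account_id] = {"owner": username, "balance": balance_cents}


def authenticate(username, password):
    """Authentication: verifies who you say you are.
    Returns a session dict on success, None on failure."""
    record = USERS.get(username)
    if record is None:
        audit(username, "login_failed", reason="no such user")
        return None
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, stored):   # constant-time comparison
        audit(username, "login_failed", reason="bad password")
        return None
    audit(username, "login_ok")
    return {"user": username, "token": secrets.token_hex(16)}


def _require_owner(session, account_id):
    """Authorization: being logged in is not enough; the account must be yours.
    Skipping this check is the classic insecure-direct-object-reference bug."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != session["user"]:
        audit(session["user"], "denied", account=account_id)
        raise AccessDenied(account_id)
    return acct


def get_balance(session, account_id):
    return _require_owner(session, account_id)["balance"]


def pay_bill(session, account_id, payee, cents):
    """The only operation that changes a balance: it can go down, never up,
    only by the owner, and never below zero."""
    acct = _require_owner(session, account_id)
    if cents <= 0 or cents > acct["balance"]:
        audit(session["user"], "payment_rejected", account=account_id, amount=cents)
        raise ValueError("invalid amount")
    acct["balance"] -= cents
    audit(session["user"], "payment", account=account_id, payee=payee, amount=cents)
    return acct["balance"]


if __name__ == "__main__":
    register("alice", "correct horse battery", "ACC-1", 10_000)
    register("bob", "hunter2", "ACC-2", 500)
    session = authenticate("alice", "correct horse battery")
    print("alice balance:", get_balance(session, "ACC-1"))
    try:
        get_balance(session, "ACC-2")          # not alice's account
    except AccessDenied as exc:
        print("denied:", exc)
    print("after bill:", pay_bill(session, "ACC-1", "electric", 2_500))
    for entry in AUDIT:
        print(entry)
```

Note that the audit log records the failed login and the denied access as well as the successful payment; an audit trail that only records successes is of little use when a dispute or an intrusion has to be reconstructed.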

e-Commerce security: Attacks and preventive strategies - III

The players

In a typical e-Commerce experience, a shopper goes to a Web site, browses a catalog and makes a purchase. This simple activity involves the four major players in e-Commerce security. One player is the shopper, who uses his browser to locate the site. The site is usually operated by a merchant, a second player, whose business is to sell merchandise at a profit. As the merchant's business is selling goods and services, not building software, he usually purchases most of the software that runs his site from third-party software vendors; the software vendor is the third, and last, of the legitimate players. The attacker is the fourth player, whose goal is to exploit the other three for illegitimate gain. Figure 2 illustrates the players in a shopping experience.


Figure 2. The players

The attacker can besiege the players and their resources with schemes, damaging or seemingly benign, that result in system exploitation. Threats and vulnerabilities are classified under confidentiality, integrity, and availability. A threat is a possible attack against a system; it does not by itself mean that the system is vulnerable to it. An attacker can threaten to throw eggs at your brick house, but that is harmless. A vulnerability is a weakness in the system, whether or not the attacker knows about it: for example, only you know that you have left your front door unlocked. Vulnerabilities exist at the entry and exit points of a system; in a house, the vulnerable points are the doors and windows. When the burglar who threatened to break into your house finds the unlocked door and walks in, the threat has been realized through the vulnerability, and the assets in the house are exposed.

Tuesday, July 07, 2009

e-Commerce security: Attacks and preventive strategies - II

Security overview

A secure system accomplishes its task with no unintended side effects. Using the analogy of a house to represent the system, suppose you carve a hole in your front door to give your pets easy access to the outdoors. If the hole is too large, it also gives access to burglars. You have created an unintended side effect and therefore an insecure system.

In the software industry, security has two different perspectives. In the software development community, it describes the security features of a system; common security features are enforcing passwords that are at least six characters long and encrypting sensitive data. For software consumers, it means protection against attacks rather than specific features of the system. Your house may have the latest alarm system and bars on the windows, but if you leave your doors unlocked it is still insecure, however many security features it has. Security is therefore not a number of features but a system process, and the weakest link in the chain determines the security of the system. In this article, we focus on possible attack scenarios in an e-Commerce system and provide preventive strategies, including security features, that you can implement.

Security has three main concepts: confidentiality, integrity, and availability. Confidentiality allows only authorized parties to read protected information; if the postman reads your mail, that is a breach of your confidentiality. Integrity ensures that data arrives at the receiver exactly as the sender sent it; if someone slipped an extra bill into the envelope containing your credit card bill, he has violated the integrity of the mail. Availability ensures that authorized parties can reach the resources they need when they need them; if the post office destroys your mail, or the postman takes a year to deliver it, he has impacted the availability of your mail.

Sunday, July 05, 2009

e-Commerce security: Attacks and preventive strategies - I

Introduction

This article presents an overview of security and privacy concerns based on our experiences as developers of WebSphere® Commerce. WebSphere Commerce is business middleware that accelerates the development of any business transaction-oriented application, from the smallest online retailer to B2B portals, to supply chain management applications. For many of our clients, WebSphere Commerce provides an integrated platform that runs both their customer facing online shopping sites, and their internal distributor or supplier portals as shown in Figure 1.


Figure 1. Common WebSphere Commerce business model

Thursday, July 02, 2009

Secure eCommerce Tops the B2C Marketing List for eBusiness


Business to consumer Internet customers need to know their private information is secure when provided over a website eCommerce portal.

With all the inroads and growth in eCommerce in recent years, security concerns still top the list for both B2B business customers and B2C consumers. B2C businesses should put the security of personal data forward as their chief customer service concern. Identity theft and other forms of online theft are a huge problem today, and while browsers are being built to improve the security of online transactions, this is only the tip of the iceberg in eCommerce security issues.

Implement Secure Shopping Cart Software

This is at the heart and soul of the online shopping world, and it is important to investigate how security is handled in your ebusiness. There are numerous open source, free and paid shopping carts available, with new ones added every day. Some hosting services have shopping cart software built right into the services provided; check with your hosting service provider.

Payment gateways must also be secure. Payment gateways are external services that enable Internet merchants to accept online payments via credit cards, PayPal and other electronic funds transfer services, protected with SSL (Secure Sockets Layer) and SSL digital certificates. Read this excellent overview, Guide to Merchant Accounts, which covers payment gateways, Internet merchant accounts, third-party credit card processors and eCommerce solutions.

When you navigate to a secure page, a small closed (secure) lock icon appears in the Web browser (typically in the lower right corner or next to the address) and the address begins with https:// rather than http://. Take a look at this secure web page example. In this mode, information exchanged with the site is encrypted in transit, so it cannot be read by others on the Internet. It says nothing, however, about how the site stores or handles the data once it has been received, which is what the rest of this list is about.

Have a True Privacy Policy

Privacy policies are an e-commerce area in which customer trust is most certainly abused. While most ebusiness sites have a stated legal privacy policy, the actual practice may not be private at all. See: Privacy Policy - Yea, Right! Adopt a tight privacy policy that does not rent, sell or share e-mail addresses or any other private information, and stick to it.

Build An Ethical Business Foundation

Ethics in business is an area that is passed over far too quickly. It is at the heart of the matter, and should be at the top of the requirements a company sets for its employees. Information can be extracted very quickly from any business database within an organization and bought and sold in the marketplace. Don't let this happen in your business: implement an ethics policy for the entire company.

Build your company with good marketing ethics and include a system of checks and balances. Guard customers' private e-commerce data as though it were your own.

Tell It Like It Is

As e-business continues to advance online, provide privacy and security information for your customers to easily understand. Do not wrap it up in legalese.

Market Your Business Online

Once you have the secure foundation in place, then promote your business online. Get your business found on the Internet. Internet marketing with Professional Web Services today will gain your business more sales tomorrow.

How to secure an e-commerce Web site

First, it is important to start with a secure Web server configuration. This requires hardening the Web server for its role on the Internet. The U.S. National Security Agency produces an exhaustive hardening guide, and the free Benchmarks and Scoring Tools guidelines are available from the Center for Internet Security. Both are useful in evaluating your configuration. These tools are updated as new vulnerabilities are discovered, so they can be used regularly to monitor the effectiveness of your configuration. Windows-based servers can also be tested against Microsoft's free Baseline Security Analyzer.

Next, you will need to make sure that your Web server is protected at least by a firewall. The best way to choose a firewall is to create or update your security policy so that you can identify and evaluate which firewalls have the functionality to enforce your policy's rules. Although routers and network-layer stateful packet-filtering firewalls can ensure that only approved ports and protocols are open, I recommend looking at an application-layer filtering firewall. Application-layer filtering firewalls can enforce security policy for both valid connection states and valid application-layer communications. To provide multiple, overlapping and mutually supportive protection, you should also deploy intrusion detection, antivirus and antispyware systems.

Once your Web server is secured, you will need to confirm that your e-commerce application and other services do not create holes in your network security. You should have policies in place to ensure the business processes and design requirements of your application are validated and sanity-checked. Formal code reviews should include testing of the source code. You will also need to develop procedures for completing component-level integration testing, system integration testing, and application function and deployment testing. From an operating system perspective, the Web applications themselves should be granted only limited ability to access system resources: run them under a dedicated low-privilege account rather than as root or Administrator, so that a compromised application cannot take the whole server with it. When building an e-commerce site, you will also need to install a Web server digital certificate so that any confidential data, such as credit card numbers, can be encrypted while in transit between the server and the client.

Even if your Web applications are relatively secure when first deployed, eventual changes to the system's infrastructure or configuration, along with the advent of new threats, will always threaten the applications' security. Web applications in particular will remain vulnerable to attack despite perimeter defenses. It is essential therefore that your security policies are regularly reviewed for relevance and effectiveness. You should develop, maintain and monitor a list of sources that review current security problems and software updates relevant to your system and application software.

Ecommerce Security Issues - II

Transactions

Sensitive information has to be protected through at least three transactions:

  • credit card details supplied by the customer, either to the merchant or payment gateway. Handled by the server's SSL and the merchant/server's digital certificates.
  • credit card details passed to the bank for processing. Handled by the complex security measures of the payment gateway.
  • order and customer details supplied to the merchant, either directly or from the payment gateway/credit card processing company. Handled by SSL, server security, digital certificates (and payment gateway sometimes).

Practical Consequences

1. The merchant is always responsible for the security of the Internet-connected PC where customer details are handled. Virus protection and a firewall are the minimum requirement. To reduce exposure further, store sensitive information and customer details on removable media, on a physically separate PC that is not connected to the Internet, or with a commercial file storage service. Always keep multiple backups of essential information, and ensure they are stored safely off-site.

2. Where customers order by email, information should be encrypted with PGP or similar software. Or payment should be made by specially encrypted checks and ordering software.

3. Where credit cards are taken online and processed later, it's the merchant's responsibility to check the security of the hosting company's webserver. Use a reputable company and demand detailed replies to your queries.

4. Where credit cards are taken online and processed in real time, four situations arise:

1. You use a service bureau. Sensitive information is handled entirely by the service bureau, which is responsible for its security. Other customer and order details are your responsibility as in 3. above.

2. You possess an ecommerce merchant account but use the digital certificate supplied by the hosting company. A cheap option acceptable for smallish transactions with SMEs. Check out the hosting company, and the terms and conditions applying to the digital certificate.

Ecommerce Security Issues - I

Keeping your site and customer data safe.

Customer Security: Basic Principles

Most ecommerce merchants leave the mechanics to their hosting company or IT staff, but it helps to understand the basic principles. Any system has to meet four requirements:

  • privacy: information must be kept from unauthorized parties.
  • integrity: the message must not be altered or tampered with.
  • authentication: sender and recipient must prove their identities to each other.
  • non-repudiation: proof is needed that the message was sent by the claimed sender and received by the recipient, so that neither party can later deny the transaction.

Privacy is handled by encryption. In PKI (public key infrastructure) each party holds a key pair: a message is encrypted with the recipient's public key and decrypted with the matching private key. The public key is widely distributed, but only the recipient has the private key. For authentication (proving the identity of the sender), the sender additionally signs the message with his own private key, since only he holds it, and anyone can check the signature with his public key. RSA is the best-known algorithm for both operations and is used by banks and governments; PGP (Pretty Good Privacy) applies the same ideas to encrypt email.

Unfortunately, public-key cryptography is slow for large amounts of information, so it is often used only as a first step: the sender generates a random symmetric secret key for the particular message, encrypts the bulk of the data with it, and encrypts that key in the RSA manner with the recipient's public key, so that only the recipient can recover it. Both sides then use the same symmetric key, with the details fixed by the protocol in use. (A different arrangement, used by Kerberos and described below, has each party share a long-term secret with a trusted third body, a key distribution center, which issues the per-session keys.) Naturally, the private keys and the session keys have to be kept secret, and most security lapses indeed arise here.

Digital Signatures and Certificates

Digital signatures meet the need for authentication and integrity. To vastly simplify matters (as throughout this page), a plain text message is run through a hash function and so given a value: the message digest. The sender encrypts this digest with his own private key (that is the signature) and sends it, together with the name of the hash function and the plain text encrypted with the recipient's public key, to the recipient. The recipient decodes the message with their private key, recovers the digest from the signature with the sender's public key, and runs the message through the named hash function to check that the digest value is unchanged (the message has not been tampered with). Because only the holder of the private key could have produced the signature, it also supports non-repudiation; very often the message is additionally timestamped by a third-party agency to fix when it was signed.
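The hybrid scheme described under Basic Principles and the sign-then-verify procedure just described, as one added Python example that is not part of the original page. It uses textbook RSA over fixed, small Mersenne primes and a SHA-256 keystream in place of a real block cipher; both are assumptions made for illustration and are insecure for real use (no padding, tiny moduli). The customer sends order details encrypted to the merchant's public key and signed with the customer's private key; the merchant decrypts, verifies, and detects a tampered body. The order line is constructed sample data.

```python
"""Toy hybrid encryption + digital signature with textbook RSA.

Added example, not from the original article.  Fixed Mersenne primes,
no padding and a hash-based stream cipher make this INSECURE; it only
shows the mechanics: wrap a per-message symmetric key with the
recipient's public key, sign the digest with the sender's private key,
and detect tampering on verification.
"""
import hashlib
import secrets

# Assumed toy parameters: two distinct key pairs built from Mersenne primes
# (2^31-1, 2^61-1) and (2^89-1, 2^107-1).  Real keys use random >= 2048-bit moduli.
MERCHANT_PRIMES = (2**31 - 1, 2**61 - 1)
CUSTOMER_PRIMES = (2**89 - 1, 2**107 - 1)
E = 65537
SESSION_KEY_BYTES = 8  # 64-bit so the key fits under the smallest toy modulus


def make_keypair(p, q, e=E):
    """Return (public, private) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode, a stand-in for AES."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def sym_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def digest_int(msg: bytes, n: int) -> int:
    """Hash the message and reduce to an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg: bytes) -> int:
    """Signature = digest 'encrypted' with the signer's private key."""
    n, d = priv
    return pow(digest_int(msg, n), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    """Recover the digest with the public key and compare with a fresh hash."""
    n, e = pub
    return pow(sig, e, n) == digest_int(msg, n)


def encrypt_for(recipient_pub, sender_priv, msg: bytes) -> dict:
    """Hybrid encryption: fresh session key, wrapped with the recipient's public key."""
    n, e = recipient_pub
    session_key = secrets.token_bytes(SESSION_KEY_BYTES)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return {"wrapped_key": wrapped,
            "body": sym_crypt(session_key, msg),
            "sig": sign(sender_priv, msg)}


def decrypt_from(recipient_priv, sender_pub, envelope: dict):
    """Unwrap the session key, decrypt, then verify the signature over the plaintext.
    Returns (plaintext, signature_ok); never trust plaintext when signature_ok is False."""
    n, d = recipient_priv
    session_key = pow(envelope["wrapped_key"], d, n).to_bytes(SESSION_KEY_BYTES, "big")
    msg = sym_crypt(session_key, envelope["body"])
    return msg, verify(sender_pub, msg, envelope["sig"])


if __name__ == "__main__":
    merchant_pub, merchant_priv = make_keypair(*MERCHANT_PRIMES)
    customer_pub, customer_priv = make_keypair(*CUSTOMER_PRIMES)
    order = b"card=4111111111111111;exp=12/11;amount=49.99"   # constructed sample
    env = encrypt_for(merchant_pub, customer_priv, order)
    print("decrypted, signature ok:", decrypt_from(merchant_priv, customer_pub, env))
    forged = dict(env, body=bytes([env["body"][0] ^ 1]) + env["body"][1:])
    print("tampered, signature ok:", decrypt_from(merchant_priv, customer_pub, forged))
```

The order of operations matters: the signature is checked over the recovered plaintext, so a change to a single ciphertext byte shows up as a failed verification rather than as a silently corrupted order. A real deployment would replace the toy pieces with RSA-OAEP or an ECDH key agreement for the wrap, an authenticated cipher such as AES-GCM for the body, and a proper signature padding such as PSS.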

What about authentication? How does a customer know that the website receiving sensitive information is not set up by some other party posing as the e-merchant? They check the digital certificate. This is a digital document issued by the CA (certification authority: Verisign, Thawte, etc.) that uniquely identifies the merchant. Digital certificates are sold for emails, e-merchants and web-servers.

Secure Socket Layers

Information sent over the Internet commonly uses the set of rules called TCP/IP (Transmission Control Protocol / Internet Protocol). The information is broken into packets, numbered sequentially, with a checksum attached. Individual packets may travel by different routes; TCP/IP reassembles them in order and retransmits any packet that arrives damaged or not at all. SSL uses PKI and digital certificates to ensure privacy and authentication. The procedure is something like this: the client sends a message to the server, which replies with its digital certificate. The client checks the certificate, and client and server then use public-key cryptography to agree on session keys, which are symmetric secret keys created for that connection only. Once the session keys are agreed, the rest of the communication is encrypted with them.

PCI, SET, Firewalls and Kerberos

Credit card details can be sent safely with SSL, but once stored on the server they are vulnerable to outsiders hacking into the server and the surrounding network. This is the risk that the Payment Card Industry Data Security Standard (PCI DSS) addresses: a merchant who stores cardholder data must protect it to the standard's requirements, and the simplest way to comply is not to store it at all. Another approach altogether is SET (Secure Electronic Transaction). Developed by Visa and MasterCard, SET uses PKI for privacy and digital certificates to authenticate the three parties: merchant, customer and bank. More importantly, sensitive information is not seen by the merchant and is not kept on the merchant's server.

Firewalls (software or hardware) protect a server, a network or an individual PC by controlling which traffic may reach it, keeping out hackers and much network-borne malware. Equally important is protection from malice or carelessness within the system, and many companies use the Kerberos protocol, which uses symmetric secret-key cryptography, with a key distribution center trusted by all parties, to restrict access to authorized employees.