Security Vulnerabilities in e-commerce Systems
An E-Commerce system is an electronic system that performs the secure exchange of goods and services over the internet automatically. The introduction of E-Commerce has helped many web-based companies to establish themselves and also give the opportunity to other companies to enter the web-based environment and perform automatic sales within global markers, thus increasing their sales quota.
E-Commerce systems, when designed and implemented correctly, can generate drastic reductions in administrative, sales and marketing overheads, and encourage more sales, larger sales, and repeat business.
The E-Commerce industry has made a considerable growth over the last few years and using an E-Commerce package can be a very discouraging decision. This is because it is difficult to find out whether the selected package will cater for both present and future needs and one of the most important factors to consider in an E-Commerce system is the security aspect.
Security in E-Commerce Systems
When using an E-Commerce system, the most important issue is how much secured the information of users and data are. This is a major concern when information in placed online. Customers have to trust the E-Commerce system which must keep information like credit card numbers, addresses and purchase records safe. Thus information must be kept unchanged. Moreover, the security procedures and systems must remain up-to-date throughout the site, and server, email and checkout systems should be checked consistently. Site security is one of the highest priorities in E-Commerce.
“Security has three main concepts: confidentiality, integrity, and availability. Confidentiality allows only authorized parties to read protected information. For example, if the postman reads your mail, this is a breach of your privacy. Integrity ensures data remains as is from the sender to the receiver. If someone added an extra bill to the envelope, which contained your credit card bill, he has violated the integrity of the mail. Availability ensures you have access and are authorized to resources. If the post office destroys your mail or the postman takes one year to deliver your mail, he has impacted the availability of your mail.” (McKegney, 2005)
Attacks against E-Commerce Systems
Attacks against E-Commerce systems involve the interaction of four different parties namely:
Any user that uses his browser to browse the products on a website which is operated by a merchant
Operates a website to sell products or services online and make profit
Third-party software vendors
Sell E-Commerce software to merchants
Those three are considered as legitimate parties and finally
Is the one who exploits the other three parties in order to proceed to illegitimate advantages / gains from them.
The attacker is considered as the illegitimate party.
The figure below shows an overview of the four different parties.
The attacker has the ability to cause several damages to the three legitimate parties which results in their system / resource exploitation. Threats and vulnerabilities are classified under confidentiality, integrity, and availability. A threat is considered as a possible attack against any of these parties and does not necessarily indicate that the system is vulnerable to the attack. “An attacker can threaten to throw eggs against your brick house, but it is harmless.” A vulnerability is a possible weakness in the system, but it does not imply that the attacker knows about this. “For example, only you know that you have left your front door unlocked.” Vulnerabilities exist at entry and exit points in a system. “In a house, the vulnerable points are the doors and windows. When the burglar threatens to break into your house and finds the vulnerability of the unlocked door, he is exploiting the assets in the house.” (McKegney, 2005)
Security features do not guarantee a secure system but they are important to build a secure system. For the E-Commerce system the following features will be considered:
Establishing identity by proving who you say you are. For example, it enforces that you are the only one allowed to logon to your Internet banking account.
Controlling user access; what that person is allowed to use, view, or alter. For example it allows users to manipulate resources in specific ways and thus preventing them from increasing the balance of their account or deleting a bill.
Deals with information hiding; that is convert data into a form, called a cipher text that cannot be easily understood by unauthorized people. For example, it ensures that you cannot spy on others during Internet banking transactions.
Provides a verifiable and trustworthy trail of actions related to the system or course of action. For example, merchants use auditing to prove that you bought a specific merchandise.
The attacker would thus focus on all the vulnerabilities of a system which are mainly the entry and exit points found within the system. The figure below shows the different areas that an attacker can mark as possible targets.
The possible target areas are:
- Shopper – where the attacker uses different ways to trick the shopper
- Shopper’s computer – where the attacker hacks into the shopper’s workstation
- Network connection between shopper and Web site’s server – where the attacker sneaks into the network.
- Web site’s server – where the attacker sneaks into / attacks the server
- Software vendor – where the attacker uses a rogue program to act as the software vendor
Security attacks methods
The different target areas of an attacker or hacker are described below:
Tricking the shopper
A term known as social engineering techniques is used to perform the easiest and most profitable attacks. It is based on tricking the shopper or user. It involves accessing the shopper’s behavior and gathers enough information to use against him / her.
“For example, a mother’s maiden name is a common challenge question used by numerous sites. If one of these sites is tricked into giving away a password once the challenge question is provided, then not only has this site been compromised, but it is also likely that the shopper used the same logon ID and password on other sites.”
“A common scenario is that the attacker calls the shopper, pretending to be a representative from a site visited, and extracts information. The attacker then calls a customer service representative at the site, posing as the shopper and providing personal information. The attacker then asks for the password to be reset to a specific value.” (McKegney, 2005)
“Another common form of social engineering attacks are phishing schemes. Typo pirates play on the names of famous sites to collect authentication and registration information. For example, http://www.ibm.com/shop is registered by the attacker as www.ibn.com/shop. A shopper mistypes and enters the illegitimate site and provides confidential information. Alternatively, the attacker sends emails spoofed to look like they came from legitimate sites. The link inside the email maps to a rogue site that collects the information.” (McKegney, 2005)
Sneaking into the shopper’s computer
Nowadays we have several computers added to the Internet daily and most of these computer users have average knowledge about the security issues that they may fell into. Moreover hardware and software vendors basically disable the security features in their products to increase compatibility with other products and many computer users do not attempt to check the security features before starting to use their computer. They rely greatly on these software and hardware vendors who unfortunately are more focused on sales and profits. This is great news for the attackers as they can easily perform their malicious acts.
Thus attackers can easily gain access to the shoppers’ / users’ computer by using programs to scan their port and finally detect an entry point and gain access to the user’s system. Personal information such as passwords can easily be retrieved.
Sniffing inside network
This is where the attacker will monitor regularly the data that is sent to and from the user’s computer and the server. The attacker will therefore be able to collect data about the user or steals personal information, such as credit card numbers.
Data is split up into packets and leave the user’s computer and is reconstructed at the server side. These packets travel through different routes to reach its destination. Therefore it is difficult for the attacker to access all the packets of a request and ultimately cannot decipher what message was sent.
“A good example would be a shopper in Toronto purchasing goods from a store in Los Angeles. Some packets for a request are routed through New York, where others are routed through Chicago. A more practical location for this attack is near the shopper’s computer or the server. Wireless hubs make attacks on the shopper’s computer network the better choice because most wireless hubs are shipped with security features disabled. This allows an attacker to easily scan unencrypted traffic from the user’s computer.” (McKegney, 2005)
This situation is shown in the figure below
Password guessing is another way to attack a user. This is a manual or automated style of attack. Using the manual way, password guessing is more is more difficult and takes much time but is only successful if the attacker has a hint about the password or knows something about the user. For example, if the user / shopper use the name of a member of his / her family as the password, the attacker would try these keywords first.
Automated attacks have a higher percentage of success, because the probability of guessing a user ID or password becomes more significant as the number of tries increases. There are tools that exist that use all the words in the dictionary to test user ID or password combinations, or that attack popular user ID or password combinations. The attacker can visit several sites at one go automatically using such programs. This type of attach is also called dictionary attack.
Denial of service attacks
The denial of service attack is one of the best examples of impacting site availability. In a regular connection, a user sends a message to a server requesting authentication. The server then sends back the authentication approval to the user. The user then acknowledges the received approval and finally is allowed access into the server.
In a denial of service attack, the user sends many messages to the server requesting authentication. The server has thus a queue of authentication requests to deal with. All the authentication requests sent have false return addresses and the server cannot find recipients to send authentication approvals. The server enters in a wait state, about a minute or so and if nothing happens closes the connection. When the server closes the connection, the attacker sends a new batch of fake authentication requests again and the process starts again and making the service unavailable or entering a wait state again and again.
This typical connection process and the denial of service attack are shown below:
An example can be: “If everyone in a large meeting asks you your name all at once, and every time you answer, they ask you again. You have experienced a personal denial of service attack. To ask a computer its name, you use ping. You can use ping to build an effective DoS attack. The smart hacker gets the server to use more computational resources in processing the request than the adversary does in generating the request“(McKegney, 2005)
Using bugs found on servers
The attacker can use any bugs present on a server by analyzing where defects are available on a particular server. With millions of servers online nowadays, the probability for a system administrator to forget to apply a patch is high. Thus the attacker can find what patches were created for a particular software, devise a way to exploit a system without the patch. He may proceed to try each of the exploits. The sophisticated attacker finds a weakness in a similar type of software, and tries to use that to exploit the system.
Using server root exploits
This exploit is when the attacker gain super user access to the server. If this attack is successful, the attacker gains infinite possibilities. This is because if a user is attacked, it is only one computer that has been exploited, thus affecting only one individual. With a root exploit on the server, the attacker gains access to all the information of merchants, as well as those of the users or shoppers.
Even with the existence of computer attackers or hackers, the activities taking place online increase in numbers including E-Commerce. This is because many large companies are involved in E-Commerce activities and they will take any legal actions to protect their customers. The figure below shows several defenses that are available to cope against attacks.
It is very important to make the users be aware that their system will be secured as long as they know how to make their system become secure or how to keep their system secure. Education is the best way to ensure that your customers take appropriate precautions which are listed below:
- Installation of personal firewalls for the user’s machines.
- Encrypt confidential information.
- Encrypt the stream using the Secure Socket Layer (SSL) protocol to protect information flowing between the client and the e-Commerce Web site.
- Use password policies, firewalls, and routine external security audits.
- Use threat model analysis, strict development policies, and external security audits to protect ISV (Independent Software Vendors) software running the Web site.
“If a shopper chooses a weak password, or does not keep their password confidential, then an attacker can pose as that user. This is significant if the compromised password belongs to an administrator of the system. In this case, there is likely physical security involved because the administrator client may not be exposed outside the firewall. Users need to use good judgement when giving out information, and be educated about possible phishing schemes and other social engineering attacks.” (McKegney, 2005)
When your computer is connected to a network, it becomes prone to attacks. To protect your computer against attacks a personal firewall can be used and this will limit the types of traffic initiated by and directed to your computer. The intruder can also scan the hard drive to detect any stored passwords.
Secure Socket Layer (SSL)
“Secure Socket Layer (SSL) is a protocol that encrypts data which is transmitted between the user’s computer and the site’s server. When an SSL-protected page is requested, the browser identifies the server as a trusted entity and initiates a handshake to pass encryption key information back and forth. Now, on subsequent requests to the server, the information flowing back and forth is encrypted so that a hacker sniffing the network cannot read the contents.
The SSL certificate is issued to the server by a certificate authority authorized by the government. When a request is made from the shopper’s browser to the site’s server using https://…, the shopper’s browser checks if this site has a certificate it can recognize. If the site is not recognized by a trusted certificate authority, then the browser issues a warning as shown in Figure 7. “(McKegney, 2005)
As an end-user, you can determine if you are in SSL by checking your browser. For example, in Mozilla® Firefox, the secure icon is at the top in the URL entry field as shown in Figure 8.
In Microsoft® Internet Explorer, the secure icon is at the bottom right of the browser as shown in Figure 9.
A firewall function is to make sure that requests can only enter the system from specified ports, and in some cases, ensures that all accesses are only from certain physical machines.
A DMZ (demilitarized) zone can be set up using two firewalls. One firewall which will form an external firewall will have ports open to allow ingoing and outgoing HTTP requests. This allows the client browser to communicate with the server.
A second firewall sits behind the E-Commerce servers. This firewall is heavily fortified, and only requests from trusted servers on specific ports are allowed through. Both firewalls use intrusion detection software to detect any unauthorized access attempts.
Another common technique used in conjunction with a DMZ is a honey pot server. A honey pot is a resource (for example, a fake payment server) placed in the DMZ to fool the hacker into thinking he has penetrated the inner wall. These servers are closely monitored, and any access by an attacker is detected.
The figure below shows an overview of firewalls and honey pots.
It is important to ensure that password policies are enforced for shoppers and internal users. A sample password policy, defined as part of the Federal Information Processing Standard (FIPS), is shown in the table below.
Account lockout threshold
Consecutive unsuccessful login delay
Matching user ID and password
N (no, they cannot match)
Maximum occurrence of consecutive characters
Maximum instances of any character
Maximum lifetime of passwords
Minimum number of alphabetic characters
1 alphabetic character
Minimum number of numeric characters
1 numeric character
Minimum length of password
Reuse user’s previous password
N (no, cannot be reused)
The policies may differ based on the user accessing the system. For example, an administrator may be locked out after 3 failed attempts instead of 6 attempts in the system. This example is a way to counter dictionary attacks and also ensure that passwords are sufficiently strong enough in order to make guessing difficult. The account lockout capability ensures that an automated scheme cannot make more than a few guesses before the account is locked.
Intrusion detection and audits of security logs
Preventing attacks and detecting potential threats from an attacker is one of the main foundations of an effective strategy. This helps understand the nature of the system’s traffic, or as a starting point for litigation against the attackers.
Suppose a password policy is implemented, such as the FIPS policy described above. Thus is a user makes say 6 failed logon attempts, his account is locked out at once. The company sends an automatic email to the customer, informing him/her that his/her account is locked. This particular situation must be logged in the system, either by informing the administrator through email, writing the event to a security log, or both.
Also any unauthorized access to the system must be logged. If a user logs on, and attempts to access resources that he is not entitled to see, or performs actions that he is not entitled to perform, then this indicates the account has been co-opted and should be locked out. Analysis of the security logs can detect patterns of suspicious behavior, allowing the administrator to take immediate action.
In addition to security logs, use business auditing to monitor activities such as payment processing. These logs can be monitored and reviewed to detect patterns of inappropriate interaction at the business process level.
Security policies and standards
There exist several policies and standards for avoiding security issues. However, they are not required by law. Some of these basic rules are:
- Never store a user’s password in plain text or encrypted text on the system. Instead, use a one-way hashing algorithm to prevent password extraction.
- Employ external security consultants (ethical hackers) to analyze your system.
- Standards, such as the Federal Information Processing Standard (FIPS), describe guidelines for implementing features. For example, FIPS makes recommendations on password policies.
- Ensure that a sufficiently robust encryption algorithm, such as triple DES or AES, is used to encrypt all confidential information stored on the system.
- When developing third-party software for e-Commerce applications, use external auditors to verify that appropriate processes and techniques are being followed.
- Recently, there has been an effort to consolidate these best practices as the Common Criteria for IT Security Evaluation (CC). CC seems to be gaining attraction. It is directly applicable to the development of specific e-Commerce sites and to the development of third party software used as an infrastructure in e-Commerce sites.
Web site designers always have issues to maintain a secure session with users while they perform requests to the server. Because HTTP is stateless, unless some kind of session token is passed back and forth on every request, the server has no way to link together requests made by the same person. Cookies are a popular mechanism for this. An identifier for the user or session is stored in a cookie and read on every request. Cookies are used to store user preference information, such as language and currency. This simplifies Web page development as there is no concern about passing information back to the server.
Different types of cookies are:
- Temporary cookies: Valid only for the lifetime of the current session, and are deleted when browser is closed. These are usually the good type. They are mostly used to keep your session information.
- Permanent cookies: These are for a time period, specified by the site, on the user’s computer. They recall the previous session information.
- Server-only cookies: They are usually harmless, and are only used by the server that issued them.
- Third-party cookies: These are usually used for tracking purposes by a site other than the one you are visiting. Your browser or a P3P policy (Platform for Privacy Preferences Project)can filter these cookies.
If you do not want to store cookies, here are other alternatives:
- Send user ID/password on every request: This was popular 5-10 years ago, but now recognized as an insecure technique. The user ID/password flowing under non-SSL is susceptible to attacks. This alternative is not practical for a high volume site. Pages that run under SSL would slow down site performance.
- SSL client side authentication: This is the most secure, but it is cumbersome for shoppers to install on their browsers. You have to pay for a company to verify who you are and to issue a certificate. The popularity of this technique for client-side authentication has decreased in recent years. It remains very popular on server sites.
- URL rewriting: This is a popular alternative to cookies. Each HTTP link on the page is specially encoded, but it is expensive for the site to implement. It interferes with the performance of the site because the pages cannot be cached and reused for different users. This alternative is susceptible to attack if it is not used under SSL.
Cookies marked as secure (storing encrypted data and passing to the user only under SSL) remain the most popular method of providing a secure online experience.
Using threat models to prevent exploits
The threat model is used to identify all the possible security threats than can occur when developing a server. For example, “think of the server like your house. It has doors and windows to allow for entry and exit. These are the points that a burglar will attack. A threat model seeks to identify these points in the server and to develop possible attacks.” (McKegney, 2005)
Threat models are particularly important when relying on a third party vendor for all or part of the site’s infrastructure. This ensures that the suite of threat models is complete and up-to-date.
The figure below shows an over of the threat model.
Using an online security checklist
The following checklist can be used to be protected as a user:
- Whenever you logon, register, or enter private information, such as credit card data, ensure your browser is communicating with the server using SSL.
- Do not shop at a site when the browser does not recognize the server’s SSL certificate. This check is done by your browser the first time your URL becomes HTTPS for the site. If the certificate is not recognized, then your browser presents a pop-up message to inform you.
- Use a password of at least 6 characters, and ensure that it contains some numeric and special characters (for example, b3004y4).
- Avoid reusing the same user ID and password at multiple Web sites.
- If you are authenticated (logged on) to a site, always logoff after you finish.
- Use a credit card for online purchases. Most credit card companies will help you with non-existent or damaged products.
- A bricks and mortar store with an online brand is most likely a legitimate site. However, the site may still have vulnerabilities.
Many E-Commerce Systems are prone to attacks nowadays with technology at the hand of many people. Though E-Commerce Systems are the target for several attacks, they offer robust and secure attributes that make then widely used. Today we have the technology to offer secure site design but it is not enough. This is because it is the responsibility of the development team to be both proactive and reactive when it comes to deal with security threats and also the responsibility of the users to be careful when doing business online.
Cite This Work
To export a reference to this article please select a referencing style below: