E-commerce Security and Threats


The e-commerce environment allows companies such as Amazon, eBay, PayPal, financial institutions, and other e-commerce businesses to deliver services to consumers over the Internet, giving consumers the convenience of not having to visit a physical store. That convenience brings with it the risk of hackers and their various attacks on e-commerce sites and their consumers. To mitigate these risks, companies deploy security tools to keep consumers from becoming victims of identity theft. Some of those tools, however, have limitations in protecting the assets they are meant to protect, so companies offering e-commerce services should invest in additional security controls for their network infrastructure to provide a safe online environment for their consumers.

E-commerce Specific Solution in E-commerce
Brian D. Palmer
University of Maryland University College
Dr. Chen, INFA 620
August 7, 2012
Over the years, e-commerce has become more popular and convenient for both companies and consumers. For companies, e-commerce reduces cost and creates new market opportunities (Brooghani, 2010). For consumers, it offers the ability to shop, transfer funds, and sell goods from home or from a mobile device on the go. With this convenience comes a growing concern about the security of consumers' information, such as account numbers, social security numbers, and e-mail addresses. Data moving from a browser to a server and back is exposed to attack by an outside threat (Brooghani, 2010). Consumers are understandably uncertain whether e-commerce sites are safe and can be trusted with private information, and unauthorized access to that information is a risk that will continue to exist. Security, in this context, is the ability of a company to protect its consumers online and prevent online fraud through security measures (Mandic, 2009). Companies implement security controls to prevent attacks while continuing to allow controlled access to the network for authorized users (Brooghani, 2010).

Common e-business security controls include, but are not limited to, firewall software, intrusion detection systems, the secure electronic payment protocol, and Secure Sockets Layer (SSL) (Otuteye, 2003). Every control has limitations that can leave the assets it is meant to protect exposed. No system of security is foolproof, so additional security software or hardware may be needed to complement the controls already in place.

Firewalls (software or hardware) protect the network from attack by viruses and hackers. Two requirements define an enterprise firewall: all traffic between the inside and the outside must pass through it, and only traffic authorized by the enterprise's security policy is allowed through. The firewall itself must be immune to penetration, and it should support advanced authentication techniques such as smart cards and one-time passwords (Ahamed, Ansari, & Kubendran, 2011). The four main firewall types are packet filters, application gateways, circuit-level gateways, and stateful packet inspection. For example, a large company such as Motorola might place a firewall at the edge of the system, connect it to a gateway computer, connect that machine to a router with packet filters, and finally connect the router to the internal network (“Firewalls”, 2012). Firewalls nonetheless have limitations:

• “Firewalls cannot protect against what has been authorized. Firewalls permit the normal communications of approved applications, but if the applications themselves have flaws, a firewall will not stop the attack because, to the firewall, the communication is authorized.
• Firewalls are only as effective as the rules they are configured to enforce. An overly permissive rule set will diminish the effectiveness of the firewall.
• Firewalls cannot stop social engineering attacks or an authorized user intentionally using their access for malicious purposes.
• Firewalls cannot fix poor administrative practices or poorly designed security policies.
• Firewalls cannot stop attacks if the traffic does not pass through them.” (Bragg, Rhodes-Ousley, & Strassberg, 2004, p. 230)

Below is an example of a firewall configuration (“PCI Compliance”, 2012). [figure not reproduced in this text]
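As an added example (not code from the paper or from any product it cites), the following Python models the two properties the text gives for an enterprise firewall, every flow is matched against the policy and anything not explicitly authorized is dropped, and adds the check a practitioner would want against the second limitation in the list above: a lint that flags overly permissive rules and rules shadowed by an earlier catch-all. The rule format, the PCI-style DMZ policy, and the addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

PortSpec = Union[int, Tuple[int, int], str]  # a port, an inclusive (low, high) range, or "any"


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    src: str         # CIDR block or "any"
    dst: str         # CIDR block or "any"
    proto: str       # "tcp", "udp" or "any"
    dport: PortSpec


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def _net_match(spec: str, ip: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


def _port_match(spec: PortSpec, port: int) -> bool:
    if spec == "any":
        return True
    if isinstance(spec, tuple):
        return spec[0] <= port <= spec[1]
    return spec == port


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (_net_match(rule.src, flow.src)
            and _net_match(rule.dst, flow.dst)
            and rule.proto in ("any", flow.proto)
            and _port_match(rule.dport, flow.dport))


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """First matching rule wins. A flow no rule mentions is dropped (default deny),
    which is what 'only authorized traffic is allowed transit' means in practice."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, flow):
            return rule.action, index
    return "deny", None


def _is_catch_all(rule: Rule) -> bool:
    return (rule.src, rule.dst, rule.proto, rule.dport) == ("any", "any", "any", "any")


def lint(rules: List[Rule]) -> List[str]:
    """The check behind the 'overly permissive rule set' limitation: allows from any
    source on any port, and rules that can never fire because an earlier catch-all
    already matched the flow."""
    findings = []
    for index, rule in enumerate(rules):
        if rule.action == "allow" and rule.src == "any" and rule.dport == "any":
            findings.append(f"rule {index}: allows any source to {rule.dst} on any port")
        if any(_is_catch_all(earlier) for earlier in rules[:index]):
            findings.append(f"rule {index}: unreachable, shadowed by an earlier catch-all rule")
    return findings


# Constructed PCI-style segmentation: Internet -> web tier on 443 only,
# web tier -> database tier on 5432 only, everything else to the database tier denied.
WEB_TIER, DB_TIER = "10.0.1.0/24", "10.0.2.0/24"
DMZ_POLICY = [
    Rule("allow", "any", WEB_TIER, "tcp", 443),
    Rule("allow", WEB_TIER, DB_TIER, "tcp", 5432),
    Rule("deny", "any", DB_TIER, "any", "any"),
]

# The same network with the kind of rule set the lint is meant to catch.
PERMISSIVE_POLICY = [
    Rule("allow", "any", WEB_TIER, "any", "any"),
    Rule("allow", "any", "any", "any", "any"),
    Rule("deny", "any", DB_TIER, "any", "any"),   # never reached
]

if __name__ == "__main__":
    for flow in (Flow("198.51.100.7", "10.0.1.10", "tcp", 443),
                 Flow("198.51.100.7", "10.0.2.10", "tcp", 5432),
                 Flow("198.51.100.7", "10.0.1.10", "tcp", 22)):
        print(flow, "->", evaluate(DMZ_POLICY, flow))
    for finding in lint(PERMISSIVE_POLICY):
        print(finding)
```

The evaluator is deliberately stateless; a real stateful inspection firewall would additionally track connection state so that return traffic for an allowed outbound connection is admitted without a separate inbound rule. The lint covers only the two most common policy mistakes and says nothing about the first limitation in the list, a flawed application behind an authorized port.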
Secure Sockets Layer (SSL) encrypts data such as credit card numbers and other personally identifiable information in transit, which prevents unauthorized individuals from intercepting it for malicious use. An SSL-protected page's address begins with "https", and the browser displays a padlock icon. The browser alone cannot secure the entire transaction, which is why e-commerce sites deploy an SSL certificate. The certificate is used to establish the encryption and to identify the web site: it helps prove that the site belongs to who it says it belongs to, and it carries information about the certificate holder, the domain it was issued to, the name of the Certificate Authority that issued it, the root it chains to, and the country it was issued in (“SSL”, 2010). SSL has limitations, however: a deployment can be weak and vulnerable to Man-in-the-Middle (MITM) attacks, and in practice the MITM risk is greatest when the client does not validate the certificate chain and host name, or when users click through certificate warnings. As companies' use of SSL has grown, attackers have found more ways to attack or bypass this authentication technology (Kissoon, 2011). Below is an example of an SSL-protected web page (“SSL Certificate”, 2012). [figure not reproduced in this text]
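The certificate fields the text lists are only useful if the client actually checks them. The added Python example below (not from the paper or from any certificate vendor) performs the two checks a browser does behind the padlock and that a client with verification switched off silently skips: does the certificate name the host being contacted, and is it within its validity period. It also shows the standard library's secure default client context next to the setting that reopens the MITM hole. The certificate is constructed in the shape `ssl.SSLSocket.getpeercert()` returns; its names, issuer and dates are illustrative. Chain validation (is the issuer trusted) is left to the `ssl` module and is not reimplemented here.

```python
import ssl

# Constructed certificate in the shape returned by ssl.SSLSocket.getpeercert();
# holder, issuer, domain and dates are illustrative, not a real certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Shop Inc"),),
                (("commonName", "shop.example.com"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example CA"),),
               (("commonName", "Example CA Root G1"),)),
    "notBefore": "Jan  1 00:00:00 2012 GMT",
    "notAfter": "Dec 31 23:59:59 2013 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.example.com")),
}


def rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of a subject or issuer tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def dns_name_matches(pattern, hostname):
    """RFC 6125 style match: a wildcard may only stand in for the whole left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return pattern == hostname


def hostname_matches(cert, hostname):
    """Prefer subjectAltName DNS entries; fall back to the subject CN only when none exist."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(dns_name_matches(p, hostname) for p in sans)
    cn = rdn_value(cert["subject"], "commonName")
    return cn is not None and dns_name_matches(cn, hostname)


def summarize(cert):
    """The fields the text lists as what a certificate tells you about a site."""
    return {
        "holder": rdn_value(cert["subject"], "organizationName"),
        "domain": rdn_value(cert["subject"], "commonName"),
        "issuer": rdn_value(cert["issuer"], "organizationName"),
        "country": rdn_value(cert["subject"], "countryName"),
        "valid_from": cert["notBefore"],
        "valid_to": cert["notAfter"],
    }


def identity_problems(cert, hostname, now):
    """Reasons a client must refuse this certificate; an empty list means accept.
    `now` is seconds since the epoch in UTC, the unit ssl.cert_time_to_seconds produces."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append("hostname mismatch")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        problems.append("outside validity period")
    return problems


def client_context(verify=True):
    """The secure default (chain validation plus hostname check) beside the setting
    that accepts any certificate, including one presented by a man in the middle."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False           # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE      # no chain check, no identity check
    return ctx


if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Aug  7 12:00:00 2012 GMT")
    print(summarize(SAMPLE_CERT))
    for host in ("shop.example.com", "api.example.com", "shop.example.net"):
        print(host, identity_problems(SAMPLE_CERT, host, now) or "ok")
```

A client built with `client_context(verify=False)` will complete a handshake with whoever answers the connection, which is exactly the condition under which the MITM attacks the text warns about succeed against an otherwise correct SSL deployment.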
The Secure Electronic Payment Protocol (SEPP) is an open, vendor-neutral, non-proprietary, license-free specification for securing on-line transactions, developed by International Business Machines (IBM) and MasterCard. It takes input from the negotiation process and causes the payment to occur through a three-way exchange among the cardholder, the merchant, and the acquirer. SEPP addresses four major business requirements:

1. “To enable confidentiality of payment information.
2. To ensure integrity of all payment data transmitted.
3. To provide authentication that a cardholder is the legitimate owner of a card account.
4. To provide authentication that a merchant can accept MasterCard branded card payments with an acquiring financial institution” (Ahamed et al., 2011, p. 1306).

Its limitations are that the privacy of non-financial information is not addressed by the protocol, and neither are negotiation and delivery. Below is a description of a transaction between cardholder, merchant, and acquirer under the Secure Electronic Transaction (SET) protocol, into which SEPP was later merged:

“The operation of the Secure Electronic Transaction (SET) protocol relies on a sequence of messages. In the first two, the consumer and merchant signal their intention to do business and then exchange certificates and establish a transaction ID number. In the third step, the consumer purchase request contains a signed hash of the goods and services order, which is negotiated outside the protocol. This request is accompanied by the consumer's credit card information, encrypted so that only the merchant's acquiring bank can read it. At this point, the merchant can acknowledge the order to the customer, seeking authorization later (steps five and six) or perform steps five and six first and confirm authorization in step four. Steps seven and eight give the consumer a query capability, while the merchant uses steps nine and ten to submit authorizations for capture and settlement” (Sirbu, 1997, p. 1).
Hackers are the main threat to the e-commerce environment, and they are responsible for sub-threats such as Man-in-the-Mobile (MITMO), Man-in-the-Browser (MITB) delivered through Trojans (Zeus, Silon, Torpig, and Yaludle), and Man-in-the-Middle (MITM). Phishing is often used as one step in these attacks to steal financial information from consumers. The Man-in-the-Middle attack, of which session hijacking is one form, is used by hackers to intrude into an existing connection, intercept the exchanged data, and inject false information. It involves eavesdropping on a connection, intruding into it, intercepting messages, and modifying data (“Man-in-the-Middle”, 2008, p. 1). If a hacker captures the cookie that maintains session state between a consumer's browser and the genuine web site the consumer is logging into, the hacker can present that cookie to the web server and take over the session, putting the consumer's financial information at risk (Sanders, 2010). Below is an example of a normal transmission and of an MITM attack. In the normal transmission, the user logs on to an e-commerce web site, the user's credentials are verified, and the user gains access to the site (Sanders, 2010). [figure not reproduced in this text]
During the session hijacking attack, the hacker intercepts the communication of a user logging into their account and uses it to impersonate that user, accessing the account from the attacking machine (Sanders, 2010). [figure not reproduced in this text]

The Man-in-the-Browser attack is an extension of the Man-in-the-Middle attack that uses Trojans such as Zeus, Silon, Torpig, and Yaludle. The malware modifies the content in the victim's browser when the log-in page is visited, adding extra form fields to the legitimate web page. The idea is to phish for information that can be used as a secondary authentication mechanism (Prince, 2010). As a result, MITB lets hackers steal login credentials, account numbers, and other financial information. Because the malware runs inside the browser, the page the customer sees looks identical to the legitimate company web site and the site's SSL padlock is still shown; when the customer enters their account details and one-time password, the malware immediately connects to the genuine web site and uses them to impersonate the customer and make a fraudulent transaction (Murdoch, 2008). Below is an example of an MITB attack:
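As an added example, not from the paper, here is a small server-side session store in Python showing the controls that blunt the cookie-capture attack described under session hijacking above: a session identifier drawn from the OS CSPRNG, a Set-Cookie header with the Secure, HttpOnly and SameSite attributes so the browser never sends the cookie in clear text or exposes it to page script, rotation of the identifier at login so an identifier observed before authentication is worthless afterwards, idle expiry, and a logout that invalidates the identifier server-side. The class and method names are this example's own, not any framework's API.

```python
import hashlib
import hmac
import secrets
import time


class SessionStore:
    """Server-side session table keyed by a keyed hash of the session id."""

    COOKIE_NAME = "session"

    def __init__(self, server_secret: bytes, idle_timeout: int = 900, clock=time.time):
        self._key = server_secret
        self._idle_timeout = idle_timeout
        self._clock = clock           # injectable so expiry can be tested
        self._sessions = {}           # hashed id -> {"user": str | None, "last_seen": float}

    def _index(self, session_id: str) -> str:
        # Only a keyed hash of the id is stored, so a leaked table holds no live cookies.
        return hmac.new(self._key, session_id.encode(), hashlib.sha256).hexdigest()

    def create(self, user=None) -> str:
        session_id = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG; not guessable
        self._sessions[self._index(session_id)] = {"user": user, "last_seen": self._clock()}
        return session_id

    def lookup(self, session_id: str):
        """Return the session record, or None if unknown or idle for too long."""
        key = self._index(session_id)
        record = self._sessions.get(key)
        if record is None:
            return None
        now = self._clock()
        if now - record["last_seen"] > self._idle_timeout:
            del self._sessions[key]
            return None
        record["last_seen"] = now
        return record

    def user_for(self, session_id: str):
        record = self.lookup(session_id)
        return record["user"] if record else None

    def login(self, presented_id: str, user: str) -> str:
        """Rotate the id at authentication: whatever id the client (or anyone who watched
        the client) held before login is invalidated, and a fresh one is issued."""
        self.logout(presented_id)
        return self.create(user)

    def logout(self, session_id: str) -> None:
        # Server-side invalidation: a captured cookie is dead even if the browser keeps it.
        self._sessions.pop(self._index(session_id), None)

    def cookie_header(self, session_id: str) -> str:
        """Secure: never sent over plain http. HttpOnly: invisible to page script.
        SameSite: not attached to cross-site requests."""
        return (f"Set-Cookie: {self.COOKIE_NAME}={session_id}; Path=/; "
                f"Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    store = SessionStore(b"constructed server secret")
    pre_login = store.create()               # what an eavesdropper might capture first
    post_login = store.login(pre_login, "alice")
    print(store.cookie_header(post_login))
    print("captured pre-login id still useful?", store.user_for(pre_login) is not None)
```

The caveat a practitioner should keep in mind: these controls stop a cookie from being captured on a plain-HTTP hop or read by injected script, and limit the damage of one that is captured, but a cookie stolen from inside the browser by MITB malware is still a valid cookie until the user logs out or it idles out, which is why the next section's attacks are not addressed by session hygiene alone.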
(Murdoch, 2008) [figure not reproduced in this text]

The Man-in-the-Mobile attack uses a Trojan called SpyEye to steal funds during online transactions. The Trojan injects fields into the web page asking the user for their mobile phone number and the International Mobile Equipment Identity (IMEI) of the phone. The user is told the information is needed so that a "certificate", in fact the Trojan, can be sent to the phone, and that it may take up to three days before the certificate is ready (Heyman, 2011). The message is a cover story to make the Trojan look like a legitimate certificate and to forestall suspicion. According to Zorn (2011), Managing Editor of Help Net Security, “the trojan is signed with a developer certificate. Developer certificates are tied to certain IMEIs and can only be installed to phones that have an IMEI that is listed in the certificate. This is why the malware author(s) request the IMEI in addition to the phone number on the company’s website. Once they receive new IMEIs, they request an updated certificate with IMEIs for all victims and create a new installer signed with the updated certificate. The delay in getting the new certificate explains why the SpyEye-injected message states it can take up to three days for the certificate to be delivered" (Zorn, 2011, p. 1). The MITMO attack targets BlackBerry, Android, and Symbian mobile devices. The regions affected are the United States, Europe, the Middle East, and Asia, and newly targeted countries include Russia, Saudi Arabia, Bahrain, Oman, Venezuela, Belarus, Ukraine, Moldova, Estonia, Latvia, Finland, Japan, Hong Kong, and Peru (Kirk, 2011). Beyond the SpyEye example, other MITMO attacks use similar malware to steal a consumer's financial information. Below is an example of a MITMO attack:

(1.) “The user is infected by a Trojan when visiting a compromised website. The site scans the user’s computer for vulnerabilities and, when it finds one, it injects a Trojan.
(2.) By monitoring the user’s online activity, the Trojan collects and transmits login credentials, phone numbers and other sensitive data to the attacker.
(3.) The attacker sends a phishing SMS to the victim’s cell phone using the number stolen at Step 2. The message is intended to persuade the user to click on a link that will
(4.) Upload a mobile Trojan to the user’s cell phone.
(5.) The attacker performs an unauthorized funds transfer using the stolen login credentials.
(6.) The bank sends an SMS with confirmation code to the compromised cell phone.
(7.) The cell phone silently sends this code to the attacker, which is then used to confirm the transaction.
(8.) Steps 5-8 can be repeated many times, because the Trojan masks true funds amount and displays only the online banking page the user expects to see” (“Online Banking Trojans”, 2012, p. 1).
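Steps 6 through 8 of the sequence above work because the confirmation code is a bare number that confirms whatever transaction the bank happens to be holding, and because the PC shows the user a forged amount. The added example below (not from the paper, and not any bank's or Trusteer's code) shows the server side of a transaction-bound confirmation code in Python: the code is an HMAC over the account, payee and amount, the SMS states those details so the user has a second place to read what is actually being confirmed, and each code is single-use and short-lived, so a code relayed by the Trojan cannot confirm a different transfer or be replayed. It is a mitigation, not a cure: a phone that forwards the SMS silently still defeats it, which is the paper's point. The key, the transaction fields, and the class name are constructed.

```python
import hashlib
import hmac
import secrets
import time

TX_FIELDS = ("account", "payee", "amount", "currency")


class TransactionConfirmer:
    """Issues and verifies confirmation codes bound to one specific transaction."""

    def __init__(self, server_key: bytes, ttl_seconds: int = 300, clock=time.time):
        self._key = server_key
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # challenge id -> (canonical transaction, issued-at)

    @staticmethod
    def canonical(tx: dict) -> str:
        # Fixed field order so the same transaction always serializes the same way.
        return "|".join(f"{field}={tx[field]}" for field in TX_FIELDS)

    def _code_for(self, challenge_id: str, canonical_tx: str) -> str:
        mac = hmac.new(self._key, f"{challenge_id}|{canonical_tx}".encode(),
                       hashlib.sha256).digest()
        # Six decimal digits taken from the MAC, HOTP-style truncation.
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def issue(self, tx: dict):
        """Record the transaction and return (challenge id, code, SMS text)."""
        challenge_id = secrets.token_hex(8)
        canonical_tx = self.canonical(tx)
        self._pending[challenge_id] = (canonical_tx, self._clock())
        code = self._code_for(challenge_id, canonical_tx)
        # The out-of-band message repeats what is being confirmed; a forged amount
        # on the PC screen will not match what the phone shows.
        sms = (f"Confirm transfer of {tx['amount']} {tx['currency']} to {tx['payee']} "
               f"from account {tx['account']}: code {code}. "
               f"If you did not request this, call the number on your card.")
        return challenge_id, code, sms

    def verify(self, challenge_id: str, tx: dict, code: str) -> bool:
        """True only for the transaction the code was issued for, once, before expiry."""
        record = self._pending.pop(challenge_id, None)   # single use, whatever the outcome
        if record is None:
            return False
        canonical_tx, issued_at = record
        if self._clock() - issued_at > self._ttl:
            return False
        if not hmac.compare_digest(canonical_tx.encode(), self.canonical(tx).encode()):
            return False   # amount, payee or account differs from what was confirmed
        expected = self._code_for(challenge_id, canonical_tx)
        return hmac.compare_digest(expected.encode(), code.encode())


if __name__ == "__main__":
    confirmer = TransactionConfirmer(b"constructed server key")
    transfer = {"account": "12345678", "payee": "ACME Supplies",
                "amount": "250.00", "currency": "USD"}
    challenge, code, sms = confirmer.issue(transfer)
    print(sms)
    print("genuine:", confirmer.verify(challenge, transfer, code))
    print("replayed:", confirmer.verify(challenge, transfer, code))
```

Because the challenge is consumed on the first verification attempt, a wrong code also burns it, which keeps a six-digit code from being brute-forced; the cost is that a mistyped code forces a new SMS, which is the usual trade-off in banking deployments.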
The following security controls are recommended as additional protection for e-commerce companies against cyber attacks. They are offered by Trusteer, a privately held corporation. Trusteer's products Pinpoint, Mobile, and Rapport would assist e-commerce companies in mitigating the threats discussed above and in maintaining a safe online environment. According to Trusteer (2012), the Trusteer Cybercrime Prevention Architecture “is the technology foundation of Trusteer’s sustainable security solution, enabling organizations to protect their employees and customers against malware and phishing attacks. It prevents credential theft, account takeover, and sensitive information theft. Trusteer Intelligence Center experts extract emerging Crime Logic (i.e. attack tactics) from threat information gathered by tens of millions of protected endpoints. Trusteer’s clientless and endpoint protection layers are constantly updated to secure users against the evolving threat landscape” (Trusteer, 2012, Cybercrime, para. 1). Below is a diagram of Trusteer's architecture:
(Trusteer, 2012) [figure not reproduced in this text]

Trusteer Pinpoint lets e-commerce companies detect and mitigate malware attacks and account takeover activity, integrating with the company's online site and fraud prevention processes. Pinpoint can alert fraud teams to possible infections or feed a risk score to the web application or risk engine to mitigate potential fraud. It is clientless, transparent to end users, and requires no software installation on the endpoint. It lets companies focus fraud prevention on malware risk factors and initiate malware removal with Trusteer Rapport on infected endpoints, and its analysis reports the malware kit used to generate the variant and the malware's Crime Logic (Trusteer, 2012). E-commerce companies should also implement Trusteer Rapport, which can prevent future infections and allow users to safely carry out online monetary transactions (Trusteer, 2012). To protect customers from MITM and MITB attacks, Rapport locks down the customer's browser and creates a tunnel for secure communication with the e-commerce web site. It secures user credentials and personal information and stops financial fraud and account takeover. Employees' endpoints, managed and unmanaged, are protected against advanced malware and spear phishing attacks. Rapport prevents keylogging, screen capture, and application tampering, so credentials and sensitive data are protected from theft by cyber criminals (Trusteer, 2012).

Software vulnerabilities in mobile operating systems such as Apple's iOS and Google's Android allow malicious software to infect and take over devices. MITMO malware aims to steal credentials, tampers with financial transactions and out-of-band authentication, and compromises mobile e-commerce applications. To address these issues, Trusteer Mobile provides layered protection against malware attacks through real-time device risk analysis, end-to-end protection of sensitive transaction data, and prevention of sensitive data leakage. Trusteer Mobile includes a secure mobile browser that is used once the device analysis is complete. The embedded browser blocks Man-in-the-Middle and pharming attacks by validating that the online banking IP addresses and SSL certificates belong to the genuine site. Once users have logged in, the e-commerce company can use the risk score to restrict access to specific data or capabilities and to decline specific transactions. In addition, the Trusteer Mobile Security SDK adds a protection layer to standalone mobile apps: developers embed the SDK and adapt their business logic to use the device risk analysis and transaction protection Trusteer provides (Trusteer, 2012). Below is an example of the Security SDK mobile app detecting malware on a user's mobile device (Trusteer, 2012). [figure not reproduced in this text]
Lastly, Trusteer Situation Room is an ongoing risk-assessment service that tracks fraudsters and their activities. It presents e-commerce companies with a clear and detailed picture of threats at the organizational, regional, and industry-wide levels. Using Situation Room, companies can immediately identify new attacks targeting their systems and customers, and receive analysis of those attacks, their implications, and suggestions for addressing them. Situation Room provides ongoing reports describing how the threat changes over time and how effective the controls an e-commerce company has in place are against it. It is supported by a professional group of fraud and malware analysts who monitor financial fraud activity around the clock (Trusteer, 2012). Below is an example of Trusteer Situation Room (Trusteer, 2012). [figure not reproduced in this text]
The four recommendations above make up Trusteer's Cybercrime Prevention Architecture (TCPA). Combined with Trusteer's Intelligence Center, they provide around-the-clock detection and blocking of new attacks. E-commerce companies benefit from real-time intelligence that can feed automatically into layered fraud prevention and security systems, making them more aware of cyber crime attacks against themselves and their consumers. The recommended Trusteer solutions would allow e-commerce companies to proactively protect their customers from becoming victims of identity theft. Through real-time alerts, companies can investigate emerging threats such as suspicious computers, reconnected infected computers, phishing attacks, and new zero-day threats, and secure their customers' browsers against financial malware and fraudulent web sites (Trusteer, 2012). Implementing the recommended solutions would increase e-commerce companies' visibility of unauthorized intrusion.
References

Ahmadi-Brooghani, Z. (2010). Security Issues in E-commerce: an Overview. International Review on Computers & Software, 5(5), 575-580. Retrieved August 4, 2012 from Academic Source Complete.
Ahamed, S., Ansari, A., & Kubendran, V. (2011). Transaction Based Security Issues and Pathways to Effective Electronic Commerce: From Tactics to Strategy. International Journal of Engineering Science & Technology, 3(2), 1304-1310. Retrieved August 5, 2012 from Academic Search Complete.
Bragg, R., Rhodes-Ousley, M., & Strassberg, K. (2004). The Complete Reference: Network Security. Emeryville, California: McGraw-Hill/Osborne.
Digicert (2012). Extended Validation EV SSL Certificate. Retrieved August 4, 2012 from http://www.digicert.com/ev-ssl-certification.htm
Ektron Knowledge Base (2012). Info: Understanding PCI Compliance. Retrieved August 4, 2012 from http://dev.ektron.com/kb_article.aspx?id=26304
Firewalls (2012). Firewalls. Retrieved August 4, 2012 from http://www.referenceforbusiness.com/small/Eq-Inc/Firewalls.html
Heyman, A. (2011). First SpyEye Attack on Android Mobile Platform now in the Wild. Retrieved August 4, 2012 from http://www.trusteer.com/blog/first-spyeye-attack-android-mobile-platform-now-wild
Kirk, J. (2011). SpyEye Trojan defeating online banking defenses. Retrieved August 4, 2012 from http://www.computerworld.com/s/article/9218645/SpyEye_Trojan_defeating_online_banking_defenses
Kissoon, J. (2011). Secure Socket Layer: An Overview. Retrieved August 4, 2012 from http://www.cleverlogic.net/articles/secure-socket-layer-overview
Mandic, M. (2009). Privacy and Security in E-commerce. Trziste/Market, 21(2), 247-260. Retrieved August 4, 2012 from Business Source Complete Database.
Murdoch, S. (2008). 2FA is dead. Retrieved August 5, 2012 from http://blog.cronto.com/index.php?title=2fa_is_dead
Online Banking Security (2012). Online Banking Trojans. Retrieved August 4, 2012 from http://www.safensoft.com/print.phtml?c=758
Otuteye, E. (2003). A Systematic Approach to E-business Security. Retrieved August 4, 2012 from http://www.ausweb.scu.edu.au/aw03/papers/otuteye/paper.html
Prince, B. (2010). Understanding Man-in-the-Browser Attacks Targeting Online Banks. Retrieved August 4, 2012 from http://securitywatch.eweek.com/exploits_and_attacks/understanding_man-in-the-browser_attacks.html
Sanders, C. (2010). Understanding Man-in-the-Middle Attacks. Retrieved August 4, 2012 from http://www.windowsecurity.com/articles/Understanding-Man-in-the-Middle-Attacks-ARP-Part3.html
Sirbu, M. (1997). Credits and debits on the Internet. Retrieved August 4, 2012 from http://spectrum.ieee.org/telecom/internet/credits-and-debits-on-the-internet/4
ToolBox (2008). Man-in-the-Middle. Retrieved August 4, 2012 from http://it.toolbox.com/wiki/index.php/Man-in-the-Middle_Attack
Trusteer (2012). Cybercrime Prevention Architecture. Retrieved August 4, 2012 from http://www.trusteer.com/Products/trusteer-cybercrime-prevention-architecture
Trusteer (2012). Rapport. Retrieved August 4, 2012 from http://www.trusteer.com/Products/trusteer-rapport-pc-and-mac-security
Trusteer (2012). Mobile. Retrieved August 4, 2012 from http://www.trusteer.com/Products/Trusteer-Mobile-for-Online-Banking
Trusteer (2012). Pinpoint. Retrieved August 4, 2012 from http://www.trusteer.com/Products/trusteer-pinpoint-clientless-fraud-prevention
Trusteer (2012). Pinpoint Malware. Retrieved August 4, 2012 from http://www.trusteer.com/products/malware-detection
Trusteer (2012). Pinpoint Phishing. Retrieved August 4, 2012 from http://www.trusteer.com/Products/phishing-detection
Webopedia (2010). SSL: Your Key to E-commerce Security. Retrieved August 4, 2012 from http://www.webopedia.com/DidYouKnow/Internet/2005/ssl.asp
Zorn, Z. (2011). SpyEye-Fueled Man-in-the-Mobile Attack Targets Bank Customers. Retrieved August 4, 2012 from http://www.net-security.org/malware_news.php?id=1683