E-commerce Security



  1. Running Head: E-COMMERCE SEC. E-commerce Security. Lindsey Landolfi, Towson University. Network Security, Professor Charles Pak. July 2011.
  2. E-commerce, or commerce done via electronic means, has become an increasingly popular method of shopping; its prevalence will become mainstream for much of society as electronic forms of payment become preferred over physical cash or checks. The convenience and speed of e-commerce must be accompanied by the required security and protection of the transactions and payments. Every new opportunity for a retailer also becomes a new opportunity for an attacker; as more money is exchanged over electronic means it will attract more attackers hoping to reap a profit. This document will provide an overview of the risks presented by e-commerce, how proper network security will mitigate these risks, and provide real world examples of how technology and policies failed to protect the consumer.

As technology has progressed so has the way consumers use that technology when making purchases. Stores have begun transitioning from the traditional brick-and-mortar, physical, stores to having an online presence. Some companies have started without the presence of a brick-and-mortar store, offering a shopping experience available exclusively online. As retailers begin making these transitions, consumers have abandoned physical currency in favor of electronic payment means. Several electronic payment systems are currently in widespread use. Credit and debit cards are the most prevalent form of electronic currency and have been in use for several years. Online wallets such as PayPal that allow you to pay directly from an online account or charge a credit card have also become popular. A new payment technology still in its infancy is Near Field Communications (NFC) for mobile phones. NFC devices will allow a consumer to hold their mobile phone over a reader to process the payment, allowing the consumer to stop carrying cash or credit cards altogether.
While these new payment methods allow for unprecedented convenience to the consumer to pay for services and goods, for a network security person they present new challenges and threats.

  3. The industry has established standard security compliance requirements to protect networks, customer data, and brand reputation. The Payment Card Industry Data Security Standard (PCI DSS) requires annual compliance validation for organizations conducting e-commerce. See appendix, figure 1 for PCI DSS control objectives and requirements. Many of the same security tools used to protect a computer network may also be employed to defend the networks that process payment transactions. Firewalls may be used to prevent systems holding or processing transactions from accessing any system other than those necessary to carry out their function. Firewalls should be configured to allow systems to only access other systems directly necessary to complete the transaction. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) may be used to detect or stop an attack in progress should an attacker get through the firewall, mitigating any damage or compromise of data the attacker may attempt. IDS and IPS should be deployed behind the firewall and should monitor traffic in multiple locations. In this way, the IPS/IDS is capable of reporting if any one part of the network should become compromised. Encryption may be employed to render any stored data indecipherable to an attacker, but care must be taken to use strong encryption algorithms and keys. Encryption keys should be carefully protected and only accessible to those who require access. Finally, policies must be in place that will direct employees on how to properly maintain a secure environment. An employee training program that educates employees to recognize an attack and common attack methodologies should be standard. Additionally, it would prove beneficial to require refresher classes to be held yearly. Employees should also have easy access to a technical security team to report any suspicious activity, files, or e-mails.
No one of these tools individually will be a "magic bullet" and successfully prevent or mitigate an attack, but if properly combined together into a comprehensive security plan and defense they may be used to divert an attacker towards an easier target.

  4. When not implemented properly, security tools may leave the company at risk for an information breach. Data breaches may lead to lawsuits, loss of consumer trust, loss of revenue, and make the victim a target for future attacks. One example of how incorrectly implemented technology failed to provide sufficient security was in the case of the TJ Maxx payment processing center in 2005.

TJ Maxx, a discount store, utilized Wi-Fi networks in its stores to connect the Point Of Sale (POS) systems to a central server for the retail location. This central server was responsible for forwarding requests for credit card authorizations to TJ Maxx's central payment processing center. The payment processing center would then contact the customer's bank, obtain authorization, and return the payment authorization to the POS server and register. While this system was successful at accomplishing the goal of processing sales transactions, it lacked a number of important safeguards and contained several security vulnerabilities. While TJ Maxx never revealed the technical details of how the attack progressed, I was able to draw some conclusions based on news reports and the way the hackers were able to extract the confidential data. TJ Maxx's Wi-Fi "was using a security protocol known as Wired Equivalent Privacy (WEP)" (Berg, Freeman, Schneider, 2008) at some of its retail sites. Even a properly configured WEP is relatively easy to crack; WEP weakness is evident in the authentication sequence due to the lack of key management. WEP encryption is so insubstantial that "researchers at Darmstadt Technical University in Germany have demonstrated that a WEP key can be broken in less than a minute." (Berg, Freeman, Schneider, 2008) This use of weak encryption allowed the attacker to easily break the encryption cipher, join the retail location's wireless network, and access the machines processing payment transactions.
There have been reports that some POS system passwords were "set to blank" (Goodin, 2008), or employees "posted the password and username on a post-it note" (Goodin, 2008) to the computer for easy access.

  5. TJ Maxx's retail locations did not use firewalls between the POS server and the payment processing center, nor did they include IDS or IPS systems at either the POS server or the payment processing center. They did not conform to the PCI standards for data retention policy by deleting data a short time after the transaction was processed. See appendix, figure 2 for a comparison between data retained by TJ Maxx and the PCI retention standards. Finally, they did not have or did not enforce policies on secure network practices. This lack of comprehensive security allowed the attacker to war-drive to find the retail store's wireless network and gain entry to the retail location's local network. Wardriving software uses radio signals to locate and collect information on Wi-Fi network sources using weak or no encryption. Once inside the retail location's wireless network the attacker was able to gain entry to the payment processing center where he installed a packet sniffing program that collected confidential data that was exchanged between the POS and central server. Stolen information included private data such as credit and debit card numbers, Personal Identification Numbers (PINs), social security numbers, and driver's license numbers. This information was then periodically uploaded to servers "leased in Latvia and Ukraine" (Zetter, 2010). This process continued over the course of 18 months prior to detection, and the attacker was able to siphon off about 80 gigabytes worth of data. While any one of these issues alone may have allowed an attacker to gain entry to the network, when combined they allowed the attacker unprecedented access to millions of credit and debit card numbers, social security numbers, and bank account numbers.
These issues could have been avoided with the proper application of security technology and adherence to security policies.
  6. The retail Wi-Fi networks should have required configurations with a strong encryption such as Wi-Fi Protected Access 2 (WPA2) or been physical connections such as Ethernet. Using a directional antenna and reduced signal strengths, which limit the ability of the wireless signal to leave the building, would have required the hacker to gain close physical proximity, making it more difficult to access the Wi-Fi network and possibly deterring an attacker who desires to remain anonymous. Firewalls should have been deployed at both the POS server and the payment center that limited communication between the cashing terminals, in turn blocking any other systems from accessing one another. An IDS or IPS deployed at the POS server and the payment processing center could have alerted administrators of the attack in progress or that confidential data was leaving the facility and being sent to outside countries that the servers should never communicate with. While TJ Maxx claims that some transaction data was being deleted after a short time, some vital data was still being archived. Confidential data that had served its purpose and was no longer needed should have been deleted or, if stored, should have employed strong encryption to prevent access. Passwords to access systems that process confidential data should have used higher complexity requirements such as Microsoft's passfilt.dll file criterion, in order to lower the risk of a security breach. Finally, TJ Maxx did not have, or did not enforce, a security policy with guidelines on protecting systems that processed confidential data, policies guiding proper password selection and protection of passwords, policies on performing log analysis, or policies specifying communication guidelines to the outside world from machines that processed confidential data.
Much of the research I found concentrates on what technology TJ Maxx did not have deployed, but without policies stating how the technology should act and enforcement to ensure humans are configuring the technology correctly it will not provide proper protection.
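The firewall and IDS recommendation above, written as an egress allow-list check over flow records. This is an added example, not part of the original paper; the addresses (documentation ranges), ports, record layout and volume threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed addressing plan (assumption): one POS server whose only permitted
# outbound peer is the payment processing center on TCP 443.
POS_SERVER = ipaddress.ip_address("10.20.0.10")
ALLOWED_EGRESS = [(ipaddress.ip_network("192.0.2.25/32"), 443)]

# Constructed flow records: timestamp, source, destination, dest port, bytes sent.
SAMPLE_FLOWS = """\
2011-07-01T02:14:07 10.20.0.10 192.0.2.25 443 18432
2011-07-01T02:15:41 10.20.0.10 203.0.113.77 21 52428800
2011-07-01T02:16:02 10.20.0.21 10.20.0.10 5000 2048
2011-07-02T02:14:55 10.20.0.10 203.0.113.77 21 73400320
2011-07-02T03:01:19 10.20.0.10 198.51.100.9 443 512
"""

def is_allowed(dst, port):
    """True when the destination and port match an allow-list entry."""
    return any(dst in net and port == p for net, p in ALLOWED_EGRESS)

def unexpected_egress(flow_text, source=POS_SERVER):
    """Return {(dst, port): total_bytes} for flows the policy does not permit."""
    totals = defaultdict(int)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records rather than guessing
        _, src, dst, port, nbytes = parts
        if ipaddress.ip_address(src) != source:
            continue  # only traffic leaving the POS server is in scope here
        dst_ip, port = ipaddress.ip_address(dst), int(port)
        if not is_allowed(dst_ip, port):
            totals[(str(dst_ip), port)] += int(nbytes)
    return dict(totals)

def alerts(flow_text, volume_threshold=10 * 1024 * 1024):
    """Rank policy violations; sustained bulk transfer is the exfiltration signal."""
    out = []
    for (dst, port), total in sorted(unexpected_egress(flow_text).items()):
        severity = "HIGH" if total >= volume_threshold else "LOW"
        out.append((severity, dst, port, total))
    return out

if __name__ == "__main__":
    for alert in alerts(SAMPLE_FLOWS):
        print(alert)
```

Summing bytes per destination across days matters because a periodic upload can look small in any single flow record.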
  7. A second case that illustrates the problems of lacking proper policies is that of RSA and its SecurID tokens. RSA SecurID tokens are used to authenticate a user based on the ‘something you have’ principle. The ‘something you have’ human authentication approach requires a tangible object such as a hardware token or an I.D. card. The second aspect of RSA SecurID’s two-factor authentication is the ‘something you know’ approach, such as a password. RSA is “the only solution that automatically changes your password every 60 seconds.” (RSA SecurID, 2011) The tokens generate a random number based on the current time and a seed value set at the factory. So long as the seed value and algorithm to generate the random number are kept secret, it is impossible for an attacker to calculate the current or next random number in a sequence. The security offered by SecurIDs led many large corporations and the US Government to use RSA technology to secure their own networks and Virtual Private Networks (VPN). As a company specializing in security products, RSA was an industry leader in maintaining a secure local network including defensive countermeasures such as firewalls, IDS/IPS, secure passwords, and encryption. RSA fell victim to an Advanced Persistent Threat (APT) in 2011; an APT typically progresses through different phases each customized to achieve the maximum effect.

RSA's network initially came under a social engineering attack when low level employees received "two different phishing emails over a two day period" (Rivner, 2011) containing Excel spreadsheet attachments harboring malicious code. The employees did not have the necessary security training to advise them not to open the attachments or to forward them to a security department for examination.
When the infected attachments were opened a Trojan was executed that began an escalation of privilege until the attacker was able to access accounts of individuals with credentials to access the database containing the seeds used for initializing the SecurID tokens. See appendix, figure 3 for a visual of the various stages of the APT attack strategy on RSA.

  8. Additionally, the algorithm used to generate the random number from the seed was also compromised, rendering the SecurID tokens vulnerable. Shortly after the RSA attack, "several large defense contractors" (Diodati, 2011) were attacked and had confidential data removed from their systems.

RSA utilized the latest in security technology, enabling the company's Computer Incident Response Team to detect and stop the attack quickly, but not quickly enough to stop the attackers from obtaining confidential data. In RSA's case it was not a lack of technology but instead a lack of policy on training employees to recognize threats and procedures for non-technical employees to confirm or report those threats that led to the data breach. A policy defining the amount of training employees receive, what types of threats they should be trained to watch for, and ways for non-technical employees to report suspicious e-mails could have prevented the initial attack.

Companies must be prepared for the transition to cyberspace. New e-commerce opportunities for online retailers will also bring new opportunities for cybercrime and cybercriminals. For companies offering e-commerce these case examples should be used to understand the risks of placing networks open to the internet. If companies are not properly prepared for the internet threats of tomorrow they will lose money, reputation and consumer confidence. For retailers that wish to thrive in this new environment a proper network defense, strongly enforced security policies, and proper training will allow companies to defend against new attacks that will be attracted when money changes hands on the internet. Security is not simply technology, it is the human implementation, enforcement, and management of that technology supported by security policy which enables strong defense.
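The time-plus-seed token scheme from the RSA SecurID discussion above, shown with the public RFC 6238 construction as a stand-in. This is an added example, not part of the original paper and not the SecurID algorithm; the seed is the RFC 4226 test secret, and the 60-second step follows the interval quoted in the text.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # change interval quoted in the paper

# Constructed seed (the published RFC 4226 test secret), standing in for the
# per-token value that the paper says is set at the factory.
DEMO_SEED = b"12345678901234567890"

def token_code(seed, unix_time, digits=6):
    """HMAC-SHA1 over the time-step counter, truncated as in RFC 4226."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(seed, submitted, unix_time, drift_steps=1):
    """Server-side check: accept the current step plus a small clock drift."""
    for step in range(-drift_steps, drift_steps + 1):
        t = unix_time + step * STEP_SECONDS
        if t < 0:
            continue  # no time step exists before the epoch
        if hmac.compare_digest(token_code(seed, t), submitted):
            return True
    return False

def codes_for_window(seed, start_time, steps):
    """Every code for the next `steps` intervals follows from seed + time alone.

    The server needs this to validate logins, which is why the seed database
    carries the same sensitivity as the tokens themselves: once a seed is
    disclosed, the token built on it has to be replaced.
    """
    return [token_code(seed, start_time + i * STEP_SECONDS) for i in range(steps)]

if __name__ == "__main__":
    print(codes_for_window(DEMO_SEED, 0, 3))
    print(verify(DEMO_SEED, "287082", 125))
```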
  9. References

Berg, G., Freeman, M., & Schneider, K. (2008, August). Analyzing the TJ Maxx data security fiasco. The CPA Journal, 34-39. Retrieved from http://www.nysscpa.org/cpajournal/2008/808/essentials/p34.htm

Diodati, M. (2011, June 2). The seed and the damage done: RSA SecurID [Web log post]. Retrieved from Gartner: http://blogs.gartner.com/mark-diodati/2011/06/02/the-seed-and-the-damage-done-rsa-securid/

Goodin, D. (2008, May 27). TJX employee fired for exposing shoddy security. The Register. Retrieved from http://www.securityfocus.com/news/11520

Rivner, U. (2011, April 1). Anatomy of an attack [Web log post]. Retrieved from RSA: http://blogs.rsa.com/rivner/anatomy-of-an-attack/

RSA SecurID. (2011). Securing your future with two-factor authentication. Retrieved from EMC Corporation website: http://www.rsa.com/node.aspx?id=1156

Zetter, K. (2010, March 25). TJX Hacker Gets 20 Years in Prison [Web log post]. Retrieved from WIRED threat level: privacy, crime and security online: http://www.wired.com/threatlevel/2010/03/tjx-sentencing/
  10. Appendix

Figure 1: Payment Card Industry (PCI) Data Security Standard (DSS) Control Objectives and Requirements

Build and Maintain a Secure Network
    Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
    Requirement 3: Protect stored cardholder data
    Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
    Requirement 5: Use and regularly update anti-virus software
    Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
    Requirement 7: Restrict access to cardholder data by business need-to-know
    Requirement 8: Assign a unique ID to each person with computer access
    Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
    Requirement 10: Track and monitor all access to network resources and cardholder data
    Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
    Requirement 12: Maintain a policy that addresses information security

PCI Security Standards Council
  11. Figure 2: Suspected TJX Data Retention Practice Compared with PCI Standards

| Category | Data Item | Data Retained by TJX | PCI Retention Standards |
|---|---|---|---|
| Cardholder Data | Primary Account Number (PAN) | Yes | Yes |
| Cardholder Data | Cardholder Name* | Yes | Yes |
| Cardholder Data | Service Code* | Yes | Yes |
| Cardholder Data | Expiration Date* | Yes | Yes |
| Sensitive Authentication Data† | Full Magnetic Stripe | Yes | No |
| Sensitive Authentication Data† | CVC2/CVV2/CID | Yes | No |
| Sensitive Authentication Data† | PIN/PIN Block | Yes | No |

\* Must be protected if stored in conjunction with PAN.
† Sensitive authentication data must not be stored after authorization (even if encrypted).
(Berg, Freeman, Schneider, 2008)

Figure 3: The Various Stages of the APT Attack Strategy on RSA (Rivner, 2011)
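The retention rules in Figure 2, expressed as an audit over stored transaction records. This is an added example, not part of the original paper; the field names, finding labels and sample records are constructed assumptions, and the card number is the common 4111... test value.

```python
import re

# Magnetic stripe layouts (ISO/IEC 7813): track 1 begins "%B", track 2 begins ";".
TRACK1 = re.compile(r"%B\d{12,19}\^[^^]{2,26}\^\d{7}[^?]*\?")
TRACK2 = re.compile(r";\d{12,19}=\d{7}[^?]*\?")
PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Hypothetical field names for the items Figure 2 marks "No" under PCI retention.
PROHIBITED_FIELDS = {"track1", "track2", "magstripe", "cvv2", "cvc2", "cid",
                     "pin", "pin_block"}

def luhn_ok(number):
    """Luhn checksum, used to separate card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit_record(record):
    """Return (field, finding) pairs for one stored record.

    PROHIBITED: sensitive authentication data kept after authorization. The
    field-name test fires on any non-empty value, because Figure 2 forbids
    storage even if encrypted.
    CLEAR_PAN: a Luhn-valid account number stored unmasked and unencrypted.
    """
    findings = []
    for field, value in record.items():
        text = str(value)
        if not text:
            continue
        if (field.lower() in PROHIBITED_FIELDS
                or TRACK1.search(text) or TRACK2.search(text)):
            findings.append((field, "PROHIBITED"))
        elif any(luhn_ok(m.group()) for m in PAN_RUN.finditer(text)):
            findings.append((field, "CLEAR_PAN"))
    return findings

# Constructed records: one mirrors the "Data Retained by TJX" column, one the PCI column.
RETAINED_EVERYTHING = {
    "pan": "4111111111111111", "cardholder": "SMITH/J", "expiry": "2512",
    "service_code": "101", "cvv2": "123", "order": "20110701-0042",
    "swipe_log": ";4111111111111111=25121010000000000?",
}
PCI_STYLE = {"pan": "************1111", "cardholder": "SMITH/J",
             "expiry": "2512", "service_code": "101", "cvv2": ""}

if __name__ == "__main__":
    print(audit_record(RETAINED_EVERYTHING))
    print(audit_record(PCI_STYLE))
```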