E commerce Security

1
Chapter 12
E-Commerce Security
12.1 Opening Case
12.2 The need for security
12.3 Why Now ?
12.4 Basic Security Issues
12.5 Types of Threats and
Attacks
12.6 Security Risk Management
12.7 Security Technology
12.8 Managerial Issues

2
Brute Force Credit Card Attack Story
n The Problem
n Spitfire Novelties usually
generates between 5 and 30
transactions per day
n On September 12, 2002 in a
“brute force” credit card attack,
Spitfire’s credit card transaction
processor processed 140,000
fake credit card charges worth
$5.07 each (62,000 were
approved)
n The total value of the approved
charges was around $300,000
n Spitfire found out about the
transactions only when they
were called by one of the credit
card owners who had been
checking his statement online
and had noticed the $5.07
charge
n Brute force credit card attacks require
minimal skill
n Hackers run thousands of small charges
through merchant accounts, picking
numbers at random
n When the perpetrator finds a valid credit
card number it can then be sold on the
black market
n Some modern-day black markets are
actually member-only Web sites like
carderplanet.com, shadowcrew.com,
and counterfeitlibrary.com

3
n Relies on a perpetrator’s ability to pose as
a merchant requesting authorization for a
credit card purchase requiring
n A merchant ID
n A password
n Both
n Online Data’s credit card processing
services, all a perpetrator needed was a
merchant’s password in order to request
authorization
n Online Data is a reseller of VeriSign Inc.
credit card gateway services
n VeriSign blamed Online Data for the
incident
n Online Data blamed Spitfire for not
changing their initial starter password
n In April 2002 hackers got into the
Authorize.Net card processing system
(largest gateway payment system on the
Internet)
n Executed 13,000 credit card
transactions, of which 7,000 succeeded
n Entry into the Authorize.Net system
required only a log-on name, not a
password

4
Brute Force Solution
n Online Data should
assign strong
passwords at the start
n Customers should
modify those
passwords frequently
n Authorization services
such as VeriSign and
Authorize.Net should
have built-in
safeguards that
recognize brute force
attacks
n Signals that
something is
amiss:
n A merchant issues an
extraordinary number
of requests
n Repeated requests for
small amounts
emanating from the
same merchants

5
n The Results
n VeriSign halted the transactions
before they were settled, saving
Spitfire $316,000 in charges
n Authorize.Net merchants were
charged $0.35 for each transaction
n The criminals acquired thousands of
valid credit card numbers to sell on
the black market

6
n What we can learn…
n Any type of EC involves a number of
players who use a variety of network and
application services that provide access to
a variety of data sources
n A perpetrator needs only a single
weakness in order to attack a system
n Some attacks require sophisticated
techniques and technologies
n Most attacks are not sophisticated;
standard security risk management
procedures can be used to minimize their
probability and impact
Home

7
12.2 The Need for Security
§ Data from Computer
Security Institute and
FBI indicate:
§ Cyber attacks are on the
increase
§ Internet connections are
increasingly a point of
attack
§ The variety of attacks is
on the rise
§ The reporting of serious
crimes to law enforcement
has declined
n According to the
statistics reported to
CERT/CC over the past
year (CERT/CC 2002)
n The number of cyber
attacks skyrocketed from
approximately 22,000 in
2000 to over 82,000 in
2002
n First quarter of 2003 the
number was already over
43,000
Home

8
12.3 Why Now ?
§ Security systems are only as strong as
their weakest points
§ Security and ease of use (or
implementation) are antithetical to one
another
§ Security takes a back seat to market
pressures
§ Security of an EC site depends on the
security of the Internet as a whole
§ Security vulnerabilities are increasing
faster than they can be combated
§ Security compromised by common
applications
Home

9
Issues at a simple marketing site:
§ User’s perspective
§ Is Web server owned and
operated by legitimate
company?
§ Web page and form contain
some malicious code content?
§ Will Web server distribute
the user’s information to
another party?
§ Company’s perspective
§ Will the user attempt to break
into the Web server or alter the
site?
§ Will the user try to disrupt the
server so it isn’t available to
others?
§ User and company perspective
§ Is network connection free from
eavesdropping?
§ Has information sent back and forth
between server and browser been
altered?

10
(cont.)
Major security issues in
EC
§ Confidentiality
Menimpan informasi pribadi
dan sensitif dari pihak-pihak
yang tidak berwenang
§ Integrity
Mencegah dan melindungi
data dari usaha merubah dan
menghancurkan baik sengaja
maupun tidak
§ Non-repudiation
Kemampuan untuk
membatasi penyangkalan
terhadap transaksi, biasanya
dengan menggunakan
signature
§ Authentication
Proses dimana pihak yang
satu mengkui keberadaan
pihak yang lainnya
§ Authorization
Proses yang memastikan
bahwa seseorang mempunyai
hak akses
§ Auditing
Proses pencatatan informasi
tentang aktivitas akses,
penggunaan fasiltas, atau
ancaman terhadap security

12
12.5 Type of Threats and Attacks
Nontechnical attack:
Serangan dengan cara
menipu seseorang
untuk memberikan
informasi yang
berhubungan dengan
akses kedalam jaringan
Multiprong approach used to
combat social engineering:
1. Education and training
2. Policies and procedures
3. Penetration testing

13
Technical attack:
An attack perpetrated
using software and
systems knowledge or
expertise
The players
§ Hackers
§ Crackers
§ Script kiddies
§ Systems and software
bugs and
misconfigurations
§ Distributed Denial-of-
service (DDoS) attacks
§ Malicious code
§ Viruses
§ Worms
§ Macro viruses and macro
worms
§ Trojan horses
12.5 Type of Threats and Attacks
(Cont.)

14
Figure 12-1
Using
Zombies in a
Distributed
Denial of
Service Attack
Home

15
n Common mistakes in
managing their security
risks (McConnell 2002):
n Undervalued
information
n Narrowly defined
security boundaries
n Reactive security
management
n Dated security
management processes
n Lack of communication
about security
responsibilities
n Security risk
management:
A systematic process
for determining the
likelihood of various
security attacks and for
identifying the actions
needed to prevent or
mitigate those attacks

16
§ Definitions involved in
risk management
§ Assets—anything of value
worth securing
§ Threat—eventuality
representing danger to an
asset
§ Vulnerability—weakness
in a safeguard
§ Required to determine
security needs
§ 4 phases of risk
management
§ Assessment
§ Planning
§ Implementation
§ Monitoring

17
§ Assessment phase
evaluation of assets, threats,
vulnerabilities
§ Determine
organizational
objectives
§ Inventory assets
§ Delineate threats
§ Identify vulnerabilities
§ Quantify the value of
each risk
§ Planning phase of risk
management
arrive at a set of security
policies
§ Define specific policies
§ Establish processes for
audit and review
§ Establish an incident
response team and
contingency plan
(cont.)

18
(cont.)
§ Implementation phase of risk
management
choose particular technologies
to deal with high priority
threats
§ Monitoring phase of
risk management
ongoing processes used to
determine which measures
are successful,
unsuccessful and need
modification
Home

19
13.7 Security Technology
Securing EC Communication
n Authentication system:
System that identifies the
legitimate parties to a
transaction, determines the
actions they are allowed to
perform, and limits their actions
to only those that are
necessary to initiate and
complete the transaction

20
Biometric systems:
Authentication systems that identify
a person by measurement of a
biological characteristic such as a
fingerprint, iris (eye) pattern, facial
features, or voice
Physiological biometric (fingerprint,
iris, voice)
Behavioral biometric (keystroke
monitoring)
Encryption:
The process of scrambling
(encrypting) a message in such a
way that it is difficult, expensive, or
time-consuming for an unauthorized
person to unscramble (decrypt) it
Security Protocol
n Secure Socket Layer (SSL):
Protocol that utilizes standard
certificates for authentication and
data encryption to ensure privacy
or confidentiality
n Transport Layer Security (TLS):
As of 1996, another name for the
SSL protocol
n Secure Electronic Transaction
(SET):
A protocol designed to provide
secure online credit card
transactions for both consumers
and merchants; developed jointly
by Netscape, Visa, MasterCard, and
others

21
Securing EC Networks
n Firewall: A network node consisting
of both hardware and software that
isolates a private network from a
public network
n Virtual private network (VPN): A
network that uses the public Internet
to carry information but remains
private by using encryption to
scramble the communications,
authentication to ensure that
information has not been tampered
with, and access control to verify the
identity of anyone using the network
n Intrusion detection systems
(IDSs): A special category of
software that can monitor activity
across a network or on a host
computer, watch for suspicious
activity, and take automated action
based on what it sees

22
Figure 13-6
Application-Level Proxy (Bastion
Gateway Host)

23
Figure 13-7
Screen Host Firewall

24
Figure 13-8
Screen Subnet Firewall (with
DMZ)
Home

25
13.8 Managerial Issues
1. Have we budgeted enough for security?
2. What are the business consequences of poor security?
3. Which e-commerce sites are vulnerable to attack?
4. What is the key to establishing strong e-commerce
security?
5. What steps should businesses follow inestablishing a
security plan?
6. Should organizations be concerned with internal security
threats?
Home

E commerce Security

More Related Content

What's hot

Viewers also liked

Similar to E commerce Security

More from Wisnu Dewobroto

Recently uploaded

E commerce Security