SECURITY ISSUES IN E-COMMERCE

Security concerns are eroding internet users' confidence and having a chilling effect on their online behavior. The startling rise in phishing attacks, spyware intrusions, virus infections and compromises of personal data has limited the e-commerce activities of internet users. This paper looks at various security issues in e-commerce: the vulnerabilities that surround e-commerce users and curtail their involvement in this fast-growing market, and the defense mechanisms that can be used to restore confidence and address insecurity in e-commerce.

E-commerce refers to the exchange of goods and services over the internet: the buying and selling of products or services over electronic systems such as the internet and other computer networks. Widespread internet usage has allowed the volume of trade conducted electronically to grow extraordinarily. Aspects of e-commerce include e-tailing (virtual storefronts on websites with online catalogues), the gathering and use of demographic data through web contacts, Electronic Data Interchange (EDI), the business-to-business exchange of data, email, business-to-business buying and selling, and the security of business transactions, among others (VanKetel & Tim, 2009).

E-commerce systems are also relevant to the services industry, including online banking and brokerage services that allow customers to retrieve bank statements, transfer funds, pay credit card bills, buy and sell securities, and obtain financial guidance and information. Internet commerce applications have been threatened by continued reports of hacker attacks on e-commerce sites and abuse of consumer data privacy. This lack of security may cause business operators to revert to traditional methods of doing business. Both the customer's computer and network and the business's servers and network are exposed. Information flow is no longer immune to everyday break-ins, theft, fraud and vandalism. To counter this trend, network security at both the e-commerce site and the customer site must be reviewed constantly and appropriate countermeasures developed (Marchany & Tront, 2002).

Background Information
Insecurity in e-commerce has become alarming: reports of attacks on major websites in which sensitive information is obtained now follow right after violent crimes in the news, and have been increasing of late. This leaves us to wonder why e-commerce is so vulnerable. The reason most often given is that the incentives favor the attacker. The tools needed to perform an attack over the internet are cheap compared with other crimes such as robbing a bank, and the payoff of a successful attack is enormous: a penny from every account at any one of the major banks would easily amount to several million dollars. Immediate steps are therefore required to counter these crimes (Khusial & McKegney, 2005).

Another reason e-commerce is so vulnerable is that web application developers are often not well versed in secure programming techniques, so security is not one of the design goals of their applications. This is compounded by the urgent need to meet deadlines in the fast-moving e-commerce world: a delay in publishing a new feature could allow a competitor to steal a march on you. The attitude is therefore to put the functionality online first and deal with security later.

Most shopping carts and online payment systems tout their 128-bit SSL (Secure Sockets Layer) encryption as proof that their sites are well secured. Customers have become less willing to believe this as experience has taught them otherwise, yet thousands of websites still display Thawte certificate icons as proof of their security. A certificate and an encrypted channel only protect data in transit; they say nothing about how the server handles that data once it arrives. Any system has to meet four basic requirements, which are the basic principles of customer security: privacy, meaning that information is kept from unauthorized parties; integrity, meaning that information is not tampered with; authentication, which requires both the sender and the recipient to prove their identities to each other; and non-repudiation, which is proof that a message was indeed sent and received, so that neither party can later deny it.

Threats to E-commerce
According to Marchany & Tront (2002) the standard client/server model has three components: the server system, the network and the client system. At the time of their writing, server systems such as Windows NT and Windows 2000 were slowly replacing mainframe operating systems such as MVS, VM or UNIX. The network component includes the internal business network and the path between the business and the customer through various Internet Service Providers and the customer's internal network. Client systems are usually PCs (personal computers) or Macintosh systems running Windows 9x, NT, W2K and other operating systems. E-commerce security strategies deal mainly with two issues: protecting the integrity of the business network and its internal systems, and securing transactions between the customer and the business. Businesses use various tools to protect their internal network.

Security Attack Methods
To identify the measures needed to deal with insecurity in e-commerce, it is vital to look at the methods an attacker uses. A system's vulnerabilities lie at its entry and exit points. There are several points an attacker can target, including the shopper, the shopper's computer, the network connection between the shopper's client and the website's server, the website server and the software vendor. At these points the attacker can trick the shopper, scan the client workstation, snoop the network, attack the server, or attack the software vendor so that it ships rogue programs (Khusial & McKegney, 2005).

Tricking the Client
The easiest and most profitable attacks are based on tricking the shopper. They involve surveillance of the shopper's behavior, gathering information to use against the shopper, and so on. If the client is tricked into giving away a password, for example by answering a challenge question, the account is compromised, and it is very likely that the client used the same logon ID and password on other sites, which the attacker can now access as well. Alternatively, the attacker can use the client's personal information to change the account's details in his favor, simply by calling the website administrators and posing as the client. Other tricks include phishing schemes in which the attacker plays on the names of famous sites, registering look-alike domain names and collecting authentication and registration information when a client mistypes the real site's name and lands on the attacker's site instead (Perez, 2005).

Snooping the Client's Computer
Most computer users have limited knowledge of the security vulnerabilities of their computer systems. They connect to the internet and shop for software online. Many software vendors make their products easy to install by shipping them with security features disabled, and most clients never bother to turn those features on, which creates a treasure trove for attackers. According to Khusial & McKegney (2005), tools such as SATAN are used to port-scan a computer and detect entry points into the machine. Based on the open ports found, the attacker can use various techniques to gain entry into the user's system and then scan the file system for the personal information he is after.

Sniffing the Network
An attacker who can monitor data between the client's computer and the server collects data about the client or steals personal information, which may include passwords, credit card numbers and other details. Khusial & McKegney (2005) argue that the middle of the network is an impractical place to attack, because a request is broken into packets as it leaves the client's computer and reassembled at the server, and an attacker in the middle may not see them all. In practice the more important reason is that the attacker rarely controls a vantage point there; an attacker who does sit on the path, at an ISP or on a compromised router, sees every packet of the flow, and only encryption protects the data from him. Attackers therefore target points near the client's computer or the server. The client end is normally easier, since many wireless hubs ship with security features disabled, so the attacker can simply sniff unencrypted traffic from the user's computer (Khusial & McKegney, 2005).

Denial of Service (DoS) Attacks
A denial of service attack gets the server to perform a large number of mundane tasks, exceeding its capacity to cope with any other work. A smart attacker makes the server spend more computational resources processing each request than he spends generating it. Against popular sites the attacker first infects computers across the internet with a virus or by other means; the infected computers become his slaves (a botnet) and are used to bombard the target server with useless but resource-consuming requests, a distributed denial of service (DDoS) attack.

Viruses and Trojan Horses
Viruses are the most publicized threat to client systems, and the insecurity of the client system is what makes them effective. Subverting a PC requires only access to the system: no special privilege is needed to write data into sensitive system areas. Once in the system, a virus may destroy the user's files. Trojan horse programs such as NetBus and Back Orifice allow an attacker to control, examine or monitor any information on the target PC, and to use the target PC to send information to the net as if the legitimate user had done it. Attackers thus use Trojan horses for forgery, data modification and eavesdropping (Marchany & Tront, 2002).

Guessing Passwords
Attackers can also guess a user's password, either manually or with automated tools. Automated guessing is more successful than manual guessing, which is only attempted when the attacker already has useful information about the client. Other methods include exploiting known server bugs and server root exploits. As technology improves, newer attack methods are developed, so businesses have to be proactive in designing countermeasures against schemes that swindle millions of dollars from the business world (Marchany & Tront, 2002).

Defense Mechanism Tools
Despite the existence of hackers and crackers, e-commerce can remain a safe and secure activity. The resources available to companies involved in e-commerce are enormous, and they will pursue every legal route to protect their customers. The people who use the business system should be well educated; education is also the only way to ensure that customers take appropriate precautions. Khusial & McKegney (2005) list the following precautions: installing personal firewalls on client machines; storing confidential information in encrypted form; encrypting the stream between the client and the e-commerce website with the SSL protocol; using appropriate password policies; deploying firewalls; and protecting the software that runs the website with threat model analysis, strict development policies and routine external security audits.

Personal and Server Firewalls
A firewall ensures that requests can enter the system only through specified ports and, in some cases, only from specified physical machines. A common technique sets up a demilitarized zone (DMZ) between two firewalls. The outer firewall opens only the ports that allow inbound and outbound HTTP (and HTTPS) requests, so the client browser can communicate only with the web server. The second firewall sits behind the e-commerce servers; it is far more restrictive and allows through only requests from trusted servers on specific ports. Both firewalls use intrusion detection software to detect unauthorized access attempts. A honeypot server, for example a fake payment server, can also be placed in the DMZ to fool the attacker into thinking he has penetrated the inner firewall; such servers are closely monitored, and any access by an attacker is detected. Any computer connected to a network becomes vulnerable to attack; a personal firewall helps protect the computer by limiting the types of traffic initiated by and directed to it (Khusial & McKegney, 2005).

Use of Secure Sockets Layer (SSL)
SSL is a protocol that encrypts data between the shopper's computer and the site's server (its successor, TLS, works the same way). When an SSL-protected page is requested, the browser checks the server's digital certificate, which a certificate authority issued to the server, to establish that it is talking to the genuine site, and then performs a handshake in which the two sides negotiate session keys created specially for that connection. Once the session keys are agreed, all subsequent traffic is encrypted with them, so an attacker sniffing the network cannot read the contents (LitLangs, 2010). The protection depends on the browser actually verifying the certificate against a trusted authority and against the site's name; a client that skips that check will happily encrypt its traffic to an attacker who presents his own certificate.
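The verification step is the whole point of the certificate, and it is also the step that gets switched off when a developer wants a warning to go away. The following Go program is an added example, not part of the paper or of its sources: it mints a self-signed certificate for a hypothetical merchant host `shop.example` (standing in for a CA-issued one), runs TLS handshakes over loopback, and records whether the client accepts the server with verification disabled, with the issuer untrusted, with a trusted issuer but the wrong host name, and with everything in order. The host names and the in-memory trust store are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// shopHost is a hypothetical merchant host name used only for this demonstration.
const shopHost = "shop.example"

// selfSignedCert mints a throwaway certificate for host. It stands in for the
// certificate a CA would issue to the merchant (or for one an attacker made for
// his own site): the client's verdict depends only on what the client trusts.
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// handshake runs one TLS handshake over a loopback TCP connection and returns
// the client's verdict: nil if it accepted the server, an error otherwise.
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		// The server's own view of the handshake is irrelevant here.
		tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(10 * time.Second))
	return tls.Client(conn, clientCfg).Handshake()
}

// Verdicts holds the client's decision under four client configurations.
type Verdicts struct {
	SkipVerify error // InsecureSkipVerify: any certificate is accepted
	Untrusted  error // verification on, but the issuer is not in the trust store
	WrongHost  error // trusted issuer, but the certificate names another host
	Trusted    error // trusted issuer and matching host name: the only good case
}

func RunScenarios() (Verdicts, error) {
	cert, leaf, err := selfSignedCert(shopHost)
	if err != nil {
		return Verdicts{}, err
	}
	trust := x509.NewCertPool()
	trust.AddCert(leaf) // the client's trust store, as a browser ships its CA roots

	hardened := func(serverName string, roots *x509.CertPool) *tls.Config {
		return &tls.Config{ServerName: serverName, RootCAs: roots, MinVersion: tls.VersionTLS12}
	}
	return Verdicts{
		SkipVerify: handshake(cert, &tls.Config{InsecureSkipVerify: true}),
		Untrusted:  handshake(cert, hardened(shopHost, nil)), // nil roots = system roots
		WrongHost:  handshake(cert, hardened("pay.example", trust)),
		Trusted:    handshake(cert, hardened(shopHost, trust)),
	}, nil
}

func main() {
	v, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("InsecureSkipVerify:", v.SkipVerify)
	fmt.Println("untrusted issuer:  ", v.Untrusted)
	fmt.Println("wrong host name:   ", v.WrongHost)
	fmt.Println("trusted + host ok: ", v.Trusted)
}
```

Only the last case corresponds to a padlock the customer should believe. The first shows why a client that sets `InsecureSkipVerify` (or a user who clicks through a certificate warning) accepts an attacker's certificate just as readily as the merchant's, and the third shows that a perfectly valid certificate for a look-alike site is still rejected when the name does not match.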

Digital Signatures and Certificates
According to LitLangs (2010), digital signatures meet the need for authentication and integrity. The sender runs the message through a hash function, which produces a value called the message digest, and encrypts the digest with the sender's private key; the result is the signature, which is sent along with the message. The recipient decrypts the signature with the sender's public key to recover the digest, runs the received message through the same hash function and compares the two values: if they match, the message has not been tampered with and could only have been signed by the holder of the private key. (Encrypting the message itself with the recipient's public key, so that only the recipient's private key can decode it, adds confidentiality on top of this.) The message is in most cases also time-stamped by a third-party agency, which provides non-repudiation. A customer can know that the website receiving sensitive information was not set up by some other party posing as the e-merchant, because the merchant's digital certificate, issued by a certification authority, binds the merchant's public key to its identity and uniquely identifies the merchant.
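The hash, sign, verify sequence above in working Go, as an added example that is not from the paper or from LitLangs (2010): the message and a timestamp are hashed with SHA-256, the digest is signed with the merchant's Ed25519 private key, and the recipient recomputes the digest and checks the signature with the public key. The order text and the key pairs are constructed for the demonstration; in practice the public key would be taken from the merchant's certificate rather than generated next to the private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// SignedMessage is what the sender transmits: the plaintext (a signature gives
// integrity and authenticity, not secrecy), the signing time, and the
// signature over the digest of both.
type SignedMessage struct {
	Message   []byte
	Timestamp int64 // Unix seconds; assumed to come from a trusted time source
	Signature []byte
}

// digest is the "message digest" of the text: a SHA-256 hash covering the
// timestamp and the message, so that neither can be altered unnoticed.
func digest(ts int64, msg []byte) []byte {
	h := sha256.New()
	binary.Write(h, binary.BigEndian, ts) // writes to a hash.Hash never fail
	h.Write(msg)
	return h.Sum(nil)
}

// Sign produces the signature with the sender's private key. (Ed25519 hashes
// internally as well; signing our own digest mirrors the hash-then-sign
// description in the text and keeps the signed input fixed-size.)
func Sign(priv ed25519.PrivateKey, msg []byte, now time.Time) SignedMessage {
	ts := now.Unix()
	return SignedMessage{
		Message:   append([]byte(nil), msg...),
		Timestamp: ts,
		Signature: ed25519.Sign(priv, digest(ts, msg)),
	}
}

// Verify recomputes the digest from what was received and checks it against
// the signature using the sender's public key. A changed message, a changed
// timestamp, or a signature made with a different key all yield false.
func Verify(pub ed25519.PublicKey, sm SignedMessage) bool {
	if len(pub) != ed25519.PublicKeySize || len(sm.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, digest(sm.Timestamp, sm.Message), sm.Signature)
}

// Demo signs a constructed order confirmation and returns three verdicts: the
// genuine message, a tampered copy, and the genuine message checked against
// the wrong public key.
func Demo() (genuine, tampered, wrongKey bool) {
	merchantPub, merchantPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	order := []byte("order=1234 total=49.99 currency=USD") // constructed sample
	sm := Sign(merchantPriv, order, time.Now())

	forged := sm
	forged.Message = []byte("order=1234 total=0.99 currency=USD")
	return Verify(merchantPub, sm), Verify(merchantPub, forged), Verify(otherPub, sm)
}

func main() {
	g, t, w := Demo()
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", g, t, w)
}
```

Note what the signature does not do: the order text travels in the clear. The confidentiality the paragraph mentions comes from encrypting the message for the recipient, or in practice from sending it over the SSL/TLS channel described in the previous section.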

Password Policies
It is fundamental for the company to enforce password policies for both shoppers and internal users. The number of failed attempts allowed before an account is locked (the account lockout threshold) should be limited to minimize the chances of an attacker guessing passwords, and password strength should be controlled by setting a minimum length. The Federal Information Processing Standard cited by Perez (2005) recommends six characters; current guidance (NIST SP 800-63B) asks for at least eight. Different policies may be chosen for clients and for internal users, but all should ensure that passwords are strong enough not to be easily guessed. The account lockout capability ensures that an automated scheme cannot make more than a few guesses before the account is locked (Perez, 2005).
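The policy and lockout behavior described here, and the automated guessing described under Guessing Passwords above, as a Go example added to this page (not taken from the paper or from Perez, 2005). The thresholds, account names and passwords are assumptions; the salted SHA-256 is a placeholder for a proper password hash and is labelled as such in the code. The clock is passed into Login so the lockout window can be replayed without waiting.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
	"unicode"
)

// Policy is one population's rules; a site would keep one for shoppers and a
// stricter one for internal users.
type Policy struct {
	MinLength        int
	RequireMixed     bool          // at least one letter and one digit
	LockoutThreshold int           // consecutive failures before the account locks
	LockoutDuration  time.Duration // how long a locked account stays locked
}

var (
	ErrWeakPassword   = errors.New("password does not meet the policy")
	ErrBadCredentials = errors.New("invalid user name or password")
	ErrLocked         = errors.New("account locked: too many failed attempts")
)

// CheckStrength enforces the minimum length (in characters, not bytes) and,
// optionally, a mix of letters and digits.
func (p Policy) CheckStrength(pw string) error {
	if len([]rune(pw)) < p.MinLength {
		return ErrWeakPassword
	}
	if p.RequireMixed {
		var letter, digit bool
		for _, r := range pw {
			letter = letter || unicode.IsLetter(r)
			digit = digit || unicode.IsDigit(r)
		}
		if !letter || !digit {
			return ErrWeakPassword
		}
	}
	return nil
}

type account struct {
	salt, hash  []byte
	failures    int
	lockedUntil time.Time
}

// Authenticator keeps accounts in memory; a real site would store the same
// per-account counters in its database.
type Authenticator struct {
	policy   Policy
	accounts map[string]*account
}

func NewAuthenticator(p Policy) *Authenticator {
	return &Authenticator{policy: p, accounts: map[string]*account{}}
}

// hashPassword is a salted SHA-256 for demonstration only. Production code
// must use a deliberately slow hash (bcrypt, scrypt or Argon2 from
// golang.org/x/crypto) so that offline guessing is expensive as well.
func hashPassword(salt []byte, pw string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pw))
	return h.Sum(nil)
}

// Register rejects passwords that fail the policy before storing a hash.
func (a *Authenticator) Register(user, pw string) error {
	if err := a.policy.CheckStrength(pw); err != nil {
		return err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	a.accounts[user] = &account{salt: salt, hash: hashPassword(salt, pw)}
	return nil
}

// Login applies the lockout rule: after LockoutThreshold consecutive failures
// the account refuses every attempt, right or wrong, until the window passes.
func (a *Authenticator) Login(user, pw string, now time.Time) error {
	acct, ok := a.accounts[user]
	if !ok {
		return ErrBadCredentials // same error as a wrong password: no user enumeration
	}
	if now.Before(acct.lockedUntil) {
		return ErrLocked
	}
	if subtle.ConstantTimeCompare(hashPassword(acct.salt, pw), acct.hash) == 1 {
		acct.failures = 0
		return nil
	}
	acct.failures++
	if acct.failures >= a.policy.LockoutThreshold {
		acct.lockedUntil, acct.failures = now.Add(a.policy.LockoutDuration), 0
		return ErrLocked
	}
	return ErrBadCredentials
}

func main() {
	auth := NewAuthenticator(Policy{MinLength: 8, RequireMixed: true, LockoutThreshold: 3, LockoutDuration: 15 * time.Minute})
	fmt.Println("register abc123:", auth.Register("alice", "abc123"), "| register summer-2024:", auth.Register("alice", "summer-2024"))
	now := time.Date(2024, 5, 1, 10, 0, 0, 0, time.UTC)
	for _, guess := range []string{"password1", "letmein1", "qwerty12", "summer-2024"} {
		fmt.Printf("login with %q: %v\n", guess, auth.Login("alice", guess, now))
	}
	fmt.Println("after the lockout expires:", auth.Login("alice", "summer-2024", now.Add(16*time.Minute)))
}
```

The fourth login in main fails even though the password is right: the lock is what stops an automated guesser, and it costs the legitimate user only a short wait.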

Intrusion Detection and Audits of Security Logs
An effective security system both prevents attacks and detects potential attackers; detection helps in understanding the nature of the system's traffic and in bringing attackers to book. The system should warn the client when a suspicious transaction is about to take place, close the account, notify both the client and the system administrator, and write the event to a security log. Every attempted unauthorized access, such as a user trying to use resources or perform actions he is not permitted to, should also be logged; it indicates that the account may have been co-opted and should be locked. Business auditing should be used in addition to security logs to monitor activities such as payment processing and to detect patterns of inappropriate interaction at the business process level (Khusial & McKegney, 2005).
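The detection side of this, run as logic over a constructed log excerpt, as an added Go example that is not from the paper or from Khusial & McKegney (2005); the line format, field names, IP addresses, user names and thresholds are all assumptions. It raises the four conditions the text calls for: repeated failures on one account, one source trying many accounts, a login that succeeds right after a burst of failures, and repeated attempts to use resources the user is not allowed to.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one parsed log line of the assumed form
// "<timestamp> <kind> key=value key=value ...".
type Event struct {
	Time  string
	Kind  string
	Attrs map[string]string
}

func parseLine(line string) (Event, bool) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return Event{}, false
	}
	ev := Event{Time: f[0], Kind: f[1], Attrs: map[string]string{}}
	for _, kv := range f[2:] {
		if k, v, ok := strings.Cut(kv, "="); ok {
			ev.Attrs[k] = v
		}
	}
	return ev, true
}

// Thresholds are the counts at which an alert fires; the values are hypothetical.
type Thresholds struct {
	FailuresPerUser int // repeated failures on one account: password guessing
	UsersPerSource  int // one source failing against many accounts: password spraying
	DeniedPerUser   int // repeated authorization denials: account likely co-opted
}

// Analyze replays the log in order and returns the alerts an audit would raise,
// each with the action the text prescribes.
func Analyze(lines []string, th Thresholds) []string {
	failures := map[string]int{}            // per user, reset on success
	targets := map[string]map[string]bool{} // per source IP: distinct users tried
	denied := map[string]int{}              // per user
	var alerts []string

	for _, line := range lines {
		ev, ok := parseLine(line)
		if !ok {
			continue
		}
		user, ip := ev.Attrs["user"], ev.Attrs["ip"]
		switch ev.Kind {
		case "login_failed":
			failures[user]++
			if failures[user] == th.FailuresPerUser {
				alerts = append(alerts, fmt.Sprintf("%s brute force: %d failed logins for user %s from %s (lock the account)", ev.Time, failures[user], user, ip))
			}
			if targets[ip] == nil {
				targets[ip] = map[string]bool{}
			}
			targets[ip][user] = true
			if len(targets[ip]) == th.UsersPerSource {
				alerts = append(alerts, fmt.Sprintf("%s password spraying: %s failed against %d different users (block the source)", ev.Time, ip, len(targets[ip])))
			}
		case "login_success":
			if failures[user] >= th.FailuresPerUser {
				alerts = append(alerts, fmt.Sprintf("%s success after burst: user %s logged in from %s after %d failures (notify client and administrator)", ev.Time, user, ip, failures[user]))
			}
			failures[user] = 0
		case "authz_denied":
			denied[user]++
			if denied[user] == th.DeniedPerUser {
				alerts = append(alerts, fmt.Sprintf("%s possible co-opted account: user %s denied %d times on %s (lock the account)", ev.Time, user, denied[user], ev.Attrs["resource"]))
			}
		}
	}
	return alerts
}

// SampleLog is a constructed excerpt for the demonstration, not a real log.
var SampleLog = []string{
	"2024-05-01T10:00:01Z login_failed user=alice ip=198.51.100.9",
	"2024-05-01T10:00:03Z login_failed user=alice ip=198.51.100.9",
	"2024-05-01T10:00:05Z login_failed user=alice ip=198.51.100.9",
	"2024-05-01T10:00:06Z login_success user=frank ip=192.0.2.33",
	"2024-05-01T10:00:07Z login_failed user=bob ip=203.0.113.7",
	"2024-05-01T10:00:08Z login_failed user=carol ip=203.0.113.7",
	"2024-05-01T10:00:09Z login_failed user=dave ip=203.0.113.7",
	"2024-05-01T10:00:10Z login_failed user=alice ip=198.51.100.9",
	"2024-05-01T10:00:12Z login_success user=alice ip=198.51.100.9",
	"2024-05-01T10:01:00Z authz_denied user=eve resource=/admin/refunds",
	"2024-05-01T10:01:02Z authz_denied user=eve resource=/admin/refunds",
}

func main() {
	for _, a := range Analyze(SampleLog, Thresholds{FailuresPerUser: 3, UsersPerSource: 3, DeniedPerUser: 2}) {
		fmt.Println(a)
	}
}
```

Run against the sample, the analysis prints four alerts in log order. The "success after burst" case is the one worth automating first: a password guesser that eventually gets in looks like a normal login unless the preceding failures are counted against the same account.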

Regulation, economic issues, and privacy co-design
According to Ackerman & Donald (n.d.) there have been various attempts by governments, by law or decree, to regulate the e-commerce environment on behalf of citizens, alongside emerging legal precedents and case law governing privacy in cyberspace. In the US, privacy is largely a matter of economics, with the admonition that caveat emptor is the rule for consumers: an individual loses all rights to data once he or she has provided it to an e-commerce site or anyone else. Consumers are thus left with no recourse, which has resulted in loss of trust. Companies use the data supplied by their clients, including selling it to third parties for subsequent reuse. Some specific areas, such as medical records, enjoy greater protection, and the Federal Trade Commission, which regulates consumer and interstate trade in the US, has taken it upon itself to take privacy cases to court.

In the European Union the privacy rules are strikingly different. Europeans must unambiguously give consent after being informed of why the information will be used: consumers must be told the identity of the entity collecting the data, the purposes of the processing, the recipients of the data, and the rights they have over the data. This has built trust among European consumers, and if privacy were handled as well in the US, much could be achieved in making e-commerce successful (Ackerman & Donald, n.d.).

Recommendations and Conclusion
The US Congress should pass legislation to bolster online privacy protection, ensuring that websites that interact with consumers give notice of their privacy policies, offer a choice about how the information the site collects is used, give individuals access to their own data, and provide assurances that the data is secure.

It will also be vital for government and the private sector to ensure that consumers are well educated on security issues. Training programs, orientation programs and similar initiatives should be developed to raise the general public's awareness of internet security. Within the e-commerce site, the IT group and the financial control/audit group should form an alliance to overcome the general resistance to implementing security practices at the business level.

To restore consumer confidence, customers and businesses should ensure that the defense mechanisms highlighted in this paper are well developed and properly exercised, so that hacking and cracking of systems is no longer prevalent. Technology should also be used to counter the new techniques that hackers and crackers adopt. Proactive measures benefit companies, consumers and government alike by identifying in advance the weaknesses that attackers could target.
