Ecommerce Security Issues

Keeping your site and customer data safe.

Customer Security: Basic Principles
Most ecommerce merchants leave the mechanics to their hosting company or IT staf
f, but it helps to understand the basic principles. Any system has to meet four
requirements:
privacy: information must be kept from unauthorized parties.
integrity: message must not be altered or tampered with.
authentication: sender and recipient must prove their identities to each other.
non-repudiation: proof is needed that the message was indeed received.

Privacy is handled by encryption. In PKI (public key infrastructure) a message i

s encrypted by a public key, and decrypted by a private key. The public key is w
idely distributed, but only the recipient has the private key. For authenticatio
n (proving the identity of the sender, since only the sender has the particular
key) the encrypted message is encrypted again, but this time with a private key.
Such procedures form the basis of RSA (used by banks and governments) and PGP (
Pretty Good Privacy, used to encrypt emails).
Unfortunately, PKI is not an efficient way of sending large amounts of informati
on, and is often used only as a first step to allow two parties to agree upon a
key for symmetric secret key encryption. Here sender and recipient use keys that
are generated for the particular message by a third body: a key distribution ce
nter. The keys are not identical, but each is shared with the key distribution c
enter, which allows the message to be read. Then the symmetric keys are encrypte
d in the RSA manner, and rules set under various protocols. Naturally, the priva
te keys have to be kept secret, and most security lapses indeed arise here.
:Digital Signatures and Certificates
Digital signatures meet the need for authentication and integrity. To vastly sim
plify matters (as throughout this page), a plain text message is run through a h
ash function and so given a value: the message digest. This digest, the hash fun
ction and the plain text encrypted with the recipient's public key is sent to th
e recipient. The recipient decodes the message with their private key, and runs
the message through the supplied hash function to that the message digest value
remains unchanged (message has not been tampered with). Very often, the message
is also timestamped by a third party agency, which provides non-repudiation.
What about authentication? How does a customer know that the website receiving s
ensitive information is not set up by some other party posing as the e-merchant?
They check the digital certificate. This is a digital document issued by the CA
(certification authority: Verisign, Thawte, etc.) that uniquely identifies the
merchant. Digital certificates are sold for emails, e-merchants and web-servers.
:Secure Socket Layers
Information sent over the Internet commonly uses the set of rules called TCP/IP
(Transmission Control Protocol / Internet Protocol). The information is broken i
nto packets, numbered sequentially, and an error control attached. Individual pa
ckets are sent by different routes. TCP/IP reassembles them in order and resubmi
ts any packet showing errors. SSL uses PKI and digital certificates to ensure pr
ivacy and authentication. The procedure is something like this: the client sends
 a message to the server, which replies with a digital certificate. Using PKI, s
erver and client negotiate to create session keys, which are symmetrical secret
keys specially created for that particular transmission. Once the session keys a
re agreed, communication continues with these session keys and the digital certi
ficates.
:PCI, SET, Firewalls and Kerberos
Credit card details can be safely sent with SSL, but once stored on the server t
hey are vulnerable to outsiders hacking into the server and accompanying network
. A PCI (peripheral component interconnect: hardware) card is often added for pr
otection, therefore, or another approach altogether is adopted: SET (Secure Elec
tronic Transaction). Developed by Visa and Mastercard, SET uses PKI for privacy,
and digital certificates to authenticate the three parties: merchant, customer
and bank. More importantly, sensitive information is not seen by the merchant, a
nd is not kept on the merchant's server.
Firewalls (software or hardware) protect a server, a network and an individual P
C from attack by viruses and hackers. Equally important is protection from malic
e or carelessness within the system, and many companies use the Kerberos protoco
l, which uses symmetric secret key cryptography to restrict access to authorized
employees.
Transactions
Sensitive information has to be protected through at least three transactions:
credit card details supplied by the customer, either to the merchant or payment
gateway. Handled by the server's SSL and the merchant/server's digital certifica
tes.
credit card details passed to the bank for processing. Handled by the complex se
curity measures of the payment gateway.
order and customer details supplied to the merchant, either directly or from the
payment gateway/credit card processing company. Handled by SSL, server security
, digital certificates (and payment gateway sometimes).
Practical Consequences
1. The merchant is always responsible for security of the Internet-connected PC
where customer details are handled. Virus protection and a firewall are the mini
mum requirement. To be absolutely safe, store sensitive information and customer
details on zip-disks, a physically separate PC or with a commercial file storag
e service. Always keep multiple back-ups of essential information, and ensure th
ey are stored safely off-site.
2. Where customers order by email, information should be encrypted with PGP or s
imilar software. Or payment should be made by specially encrypted checks and ord
ering software.
3. Where credit cards are taken online and processed later, it's the merchant's
responsibility to check the security of the hosting company's webserver. Use a r
eputable company and demand detailed replies to your queries.
4. Where credit cards are taken online and processed in real time, four situatio
ns arise:
You use a service bureau. Sensitive information is handled entirely by the servi
ce bureau, which is responsible for its security. Other customer and order detai
ls are your responsibility as in 3. above.
You possess an ecommerce merchant account but use the digital certificate suppli
ed by the hosting company. A cheap option acceptable for smallish transactions w
ith SMEs. Check out the hosting company, and the terms and conditions applying t
o the digital certificate.
You possess an ecommerce merchant account and obtain your own digital certificat
e (costing some hundreds of dollars). Check out the hosting company, and enter i
nto a dialogue with the certification authority: they will certainly probe your
credentials.
You possess a merchant account, and run the business from your own server. You n
eed trained IT staff to maintain all aspects of security firewalls, Kerberos, SS
L, and a digital certificate for the server (costing thousands or tens of thousa
nds of dollars).
Security is a vexing, costly and complicated business, but a single lapse can be
expensive in lost funds, records and reputation. Don't wait for disaster to str
ike, but stay proactive, employing a security expert where necessary.
Sites on our resources page supplies details.
Taking It Further
Still finding ecommerce security rather baffling? Most e-merchants can keep them
selves and their data safe by following simple strategies, which we outline on o
ur protecting yourself page.

Security overview
A secure system accomplishes its task with no unintended side effects. Using the
analogy of a house to represent the system, you decide to carve out a piece of
your front door to give your pets' easy access to the outdoors. However, the hol
e is too large, giving access to burglars. You have created an unintended implic
ation and therefore, an insecure system.
In the software industry, security has two different perspectives. In the softwa
re development community, it describes the security features of a system. Common
security features are ensuring passwords that are at least six characters long
and encryption of sensitive data. For software consumers, it is protection again
st attacks rather than specific features of the system. Your house may have the
latest alarm system and windows with bars, but if you leave your doors unlocked,
despite the number of security features your system has, it is still insecure.
Hence, security is not a number of features, but a system process. The weakest l
ink in the chain determines the security of the system. In this article, we focu
s on possible attack scenarios in an e-Commerce system and provide preventive st
rategies, including security features, that you can implement.
Security has three main concepts: confidentiality, integrity, and availability.
Confidentiality allows only authorized parties to read protected information. Fo
r example, if the postman reads your mail, this is a breach of your privacy. Int
egrity ensures data remains as is from the sender to the receiver. If someone ad
ded an extra bill to the envelope, which contained your credit card bill, he has
violated the integrity of the mail. Availability ensures you have access and ar
e authorized to resources. If the post office destroys your mail or the postman
takes one year to deliver your mail, he has impacted the availability of your ma
il.
The players
In a typical e-Commerce experience, a shopper proceeds to a Web site to browse a
catalog and make a purchase. This simple activity illustrates the four major pl
ayers in e-Commerce security. One player is the shopper who uses his browser to
locate the site. The site is usually operated by a merchant, also a player, whos
e business is to sell merchandise to make a profit. As the merchant business is
selling goods and services, not building software, he usually purchases most of
the software to run his site from third-party software vendors. The software ven
dor is the last of the three legitimate players. The attacker is the player whos
e goal is to exploit the other three players for illegitimate gains. Figure 2 il
lustrates the players in a shopping experience.
Figure 2. The players
The attacker can besiege the players and their resources with various damaging o
r benign schemes that result in system exploitation. Threats and vulnerabilities
are classified under confidentiality, integrity, and availability. A threat is
a possible attack against a system. It does not necessarily mean that the system
is vulnerable to the attack. An attacker can threaten to throw eggs against you
r brick house, but it is harmless. A vulnerability is a weakness in the system,
but it is not necessarily known by the attacker. For example, only you know that
you have left your front door unlocked. Vulnerabilities exist at entry and exit
points in the system. In a house, the vulnerable points are the doors and windo
ws. When the burglar threatens to break into your house and finds the vulnerabil
ity of the unlocked door, he is exploiting the assets in the house.