E-commerce
Specific Solution in E-commerce
Brian D. Palmer
University of Maryland University College
Dr. Chen
INFA 620
August 7, 2012
The e-commerce environment allows companies such as Amazon, eBay, PayPal, financial institutions, and other e-commerce companies to deliver services to consumers over the Internet, so that consumers need not visit a physical store. That convenience, however, brings with it the risk of threats such as hackers and their various attacks on e-commerce sites and their consumers. To mitigate such risks, companies implement security tools to protect consumers from becoming victims of identity theft. Some of the security tools implemented, however, have limitations in protecting the required assets. Companies offering e-commerce services should therefore invest in additional security controls for their network infrastructure to ensure a safe online environment for their consumers.
Over the years, e-commerce has become more popular and convenient for both companies and consumers. For companies, e-commerce reduces cost and creates new market opportunities (Brooghani, 2010). Service over the Internet offers consumers the ability to shop, transfer funds, and sell goods from home, from a mobile device, or on the go. With this convenience comes a growing concern about the security of consumers’ information such as account numbers, social security numbers, e-mail addresses, etc. The movement of data from a browser to a server and back is vulnerable to attack by an outside threat (Brooghani, 2010). Consumers have an overwhelming fear about whether e-commerce sites are safe and can be trusted with private information. The invasion of this private information through unauthorized means is a risk that will continue to exist.
Security relates to the ability of a company to protect its consumers online and prevent online fraud through security measures (Mandic, 2009). Security controls are implemented by companies to prevent an attack while continuously allowing controlled access to the network for authorized users (Brooghani, 2010). The common e-business security controls include, but are not limited to, firewall software, intrusion detection systems, the secure electronic payment protocol, secure sockets layer (SSL), etc. (Otuteye, 2003). However, every security control implemented comes with limitations that can leave a system unable to fully secure the required assets. With that said, no security system is foolproof, so there may be a need to add security software or hardware to complement the existing security controls currently in place.
Firewalls (software or hardware) are implemented to protect the network from attack by viruses and hackers. The two key requirements for enterprise networks are that all inside and outside traffic must pass through the firewall, and that only traffic authorized by the enterprise’s security policy is allowed transit. The firewall itself must be immune to penetration in order to support advanced authentication techniques such as smart cards and one-time passwords (Ahamed, Ansari, & Kubendran, 2011). The four main firewall types are packet filters, application gateways, circuit-level gateways, and stateful packet inspection. For example, a large company like Motorola might place a firewall at the outside of the system, connect it to a gateway computer, connect that machine to a router with packet filters, and finally connect the router to the internal computer network (“Firewalls”, 2012). However, firewalls have limitations, as stated below:
• “Firewalls cannot protect against what has been authorized. Firewalls permit the normal communications of approved applications but if the applications themselves have flaws, a firewall will not stop the attack because, to the firewall, the communication is authorized.
• Firewalls are only as effective as the rules they are configured to enforce. An overly permissive rule set will diminish the effectiveness of the firewall.
• Firewalls cannot stop social engineering attacks or an authorized user intentionally using their access for malicious purposes.
• Firewalls cannot fix poor administrative practices or poorly designed security policies.
• Firewalls cannot stop attacks if the traffic does not pass through them.” (Bragg, Rhodes-Ousley, & Strassberg, 2004, p.230)
Below is an example of a firewall configuration:
Figure: example firewall configuration (“PCI Compliance”, 2012)
Secure Sockets Layer (SSL) encrypts data such as credit card numbers and other personally identifiable information, which prevents unauthorized individuals from stealing that information for malicious intent. An SSL-protected page’s address begins with "https" and a padlock icon is shown at the bottom of the page. The user’s browser cannot secure the entire transaction on its own, which is why e-commerce sites implement an SSL certificate. The SSL certificate is used to encrypt the data and to identify the Web site. In addition, the SSL certificate helps prove that the site belongs to who it says it belongs to, and contains information about the certificate holder, the domain that the certificate was issued to, the name of the Certificate Authority that issued the certificate, the root, and the country it was issued in (“SSL”, 2010). However, SSL has limitations: it can be weak and vulnerable to Man-in-the-Middle (MITM) attacks. With the increased use of SSL by companies, hackers are discovering more ways to hack or bypass this authentication technology (Kissoon, 2011). Below is an example of an SSL webpage:
Figure: SSL-protected webpage (“SSL Certificate”, 2012)
The Secure Electronic Payment Protocol (SEPP) is an open, vendor-neutral, non-proprietary, license-free specification for securing on-line transactions, developed by International Business Machines (IBM) and MasterCard. This security tool takes input from the negotiation process and causes the payment process to occur via a three-way communication among the cardholder, merchant, and acquirer. There are four major business requirements addressed by SEPP, which are:
1. “To enable confidentiality of payment information.
2. To ensure integrity of all payment data transmitted.
3. To provide authentication that a cardholder is the legitimate owner of a card account.
4. To provide authentication that a merchant can accept MasterCard branded card payments with an acquiring financial institution” (Ahamed et al., 2004, p.1306).
However, a limitation of SEPP is that it does not address the privacy of non-financial data, nor the negotiation and delivery phases. Below is an example of a SEPP transaction between the cardholder, merchant, and acquirer:
“The operation of the Secure Electronic Transaction (SET) protocol relies on a sequence of messages. In the first two, the
consumer and merchant signal their intention to do business and then exchange certificates and establish a transaction ID
number. In the third step, the consumer purchase request contains a signed hash of the goods and services order, which is
negotiated outside the protocol. This request is accompanied by the consumer's credit card information, encrypted so that only
the merchant's acquiring bank can read it. At this point, the merchant can acknowledge the order to the customer, seeking
authorization later (steps five and six) or perform steps five and six first and confirm authorization in step four. Steps seven and
eight give the consumer a query capability, while the merchant uses steps nine and ten to submit authorizations for capture and
settlement” (Sirbu, 1997, p.1)
Hackers are the main threat to the e-commerce environment, and they are responsible for unleashing sub-threats such as Man-in-the-Mobile (MITMO), Man-in-the-Browser (MITB) through Trojans (Zeus, Silon, Torpig, and Yaludle), and Man-in-the-Middle (MITM). Phishing attacks can be combined with the previously mentioned attacks to steal financial information from consumers. The Man-in-the-Middle attack, also known as session hijacking, is used by hackers to intrude into an existing connection to intercept the exchanged data and inject false information. It involves eavesdropping on a connection, intruding into a connection, intercepting messages, and modifying data (“Man-in-the-Middle”, 2008, p.1). If a hacker were to capture the cookie that is used to maintain the session state between a consumer’s browser and the genuine website they are logging into, the hacker could present that cookie to the web server and impersonate the connection. The consumer’s financial information would then be at risk of being compromised (Sanders, 2010). Below is an example of a normal transmission and a MITM attack:
Figure: a normal transmission, where the user logs on to an e-commerce website, the user’s credentials are verified and the user gains access to the website (Sanders, 2010).
Figure: during the session hijacking attack, the hacker intercepts the communication of a user logging into their account. Using this intercepted communication the hacker will impersonate that user and access the account from their attacking machine (Sanders, 2010).
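The cookie-replay scenario above is what a server-side session design has to make detectable. The following Python sketch is an added example (not code from the paper or from any product it cites): it binds each session to the client context that created it, rotates the identifier at login, and invalidates a cookie that is presented from a different client; the client_fingerprint inputs and all names are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Added example, not from the paper or any vendor: a minimal server-side session
# store that makes a replayed (hijacked) cookie detectable. Names are hypothetical.

class Session:
    def __init__(self, user: Optional[str], client_fp: str, now: float) -> None:
        self.user = user            # None until the login step succeeds
        self.client_fp = client_fp  # fingerprint of the client that created it
        self.last_seen = now

def client_fingerprint(user_agent: str, channel_id: str) -> str:
    """Bind a session to properties the genuine client has but a replaying attacker
    usually does not. channel_id stands for a per-connection value the server
    derives from its TLS layer (an assumption here, not a real API)."""
    return hashlib.sha256(f"{user_agent}\x00{channel_id}".encode()).hexdigest()

class SessionStore:
    # The cookie itself should be issued with "Secure; HttpOnly; SameSite=Strict" so
    # it is never sent in clear, is unreadable by page scripts, and is not sent cross-site.
    def __init__(self, idle_timeout: float = 900.0) -> None:
        self.sessions: Dict[str, Session] = {}
        self.idle_timeout = idle_timeout
        self.alerts: List[str] = []

    def start(self, fp: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)  # 256 random bits: not guessable
        self.sessions[sid] = Session(None, fp, now)
        return sid

    def login(self, old_sid: str, user: str, fp: str, now: float) -> str:
        """Rotate the identifier at the privilege change so an ID observed before
        authentication is worthless afterwards (session fixation defence)."""
        self.sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, fp, now)
        return sid

    def resolve(self, sid: str, fp: str, now: float) -> Optional[Session]:
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > self.idle_timeout:
            del self.sessions[sid]  # idle expiry shrinks the window a stolen cookie is usable
            return None
        if not hmac.compare_digest(s.client_fp, fp):
            # Valid cookie, different client context: the signature of a replayed
            # (hijacked) cookie. Invalidate the session and raise an alert.
            del self.sessions[sid]
            self.alerts.append(f"session {sid[:8]}... presented from a foreign client")
            return None
        s.last_seen = now
        return s

def demo() -> Tuple[bool, bool, bool, int]:
    """Returns (legit_ok, old_id_rejected, hijack_rejected, alert_count)."""
    store = SessionStore()
    victim = client_fingerprint("Mozilla/5.0 (victim)", "conn-A")
    attacker = client_fingerprint("Mozilla/5.0 (victim)", "conn-B")  # copied UA, own connection
    anon = store.start(victim, now=0.0)
    sid = store.login(anon, "alice", victim, now=1.0)
    legit_ok = store.resolve(sid, victim, now=2.0) is not None
    old_rejected = store.resolve(anon, victim, now=2.5) is None
    hijack_rejected = store.resolve(sid, attacker, now=3.0) is None
    return legit_ok, old_rejected, hijack_rejected, len(store.alerts)

if __name__ == "__main__":
    print(demo())  # (True, True, True, 1)
```

The alert is the detection hook: in a real deployment it would feed the fraud team or risk engine rather than a list.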
The Man-in-the-Browser attack is an enhancement of the Man-in-the-Middle attack that uses Trojans such as Zeus, Silon, Torpig, Yaludle, etc. The malicious software modifies the content in the victim's browser when they visit the log-in page, adding additional form fields to the legitimate Web page. The idea is to phish for information that may be used as a secondary authentication mechanism (Prince, 2010). As a result, MITB enables hackers to steal consumer information such as login credentials, account numbers, and other financial information. During an MITB attack, the fraudulent website looks identical to the legitimate company website, but when the customer enters their account details and one-time password, the malicious software immediately connects to the genuine website and uses the details to impersonate the customer and make a fraudulent transaction (Murdoch, 2008). Below is an example of a MITB attack:
Figure: MITB attack (Murdoch, 2008)
The Man-in-the-Mobile attack uses a Trojan called SpyEye to steal funds during online transactions. The Trojan injects fields into the webpage and asks the user to input their mobile phone number and the International Mobile Equipment Identity (IMEI) of the phone. The user is then told the information is needed so a "certificate", actually the Trojan, can be sent to the phone, and is informed that it can take up to three days before the certificate is ready (Heyman, 2011). The message is a cover story to convince the user that the Trojan is a legitimate certificate and to prevent any suspicion. According to Zorn (2011), Managing Editor of Help Net Security, “the trojan is signed with a developer certificate. Developer certificates are tied to certain IMEIs and can only be installed to phones that have an IMEI that is listed in the certificate. This is why the malware author(s) request the IMEI in addition to the phone number on the company’s website. Once they receive new IMEIs, they request an updated certificate with IMEIs for all victims and create a new installer signed with the updated certificate. The delay in getting the new certificate explains why the SpyEye-injected message states it can take up to three days for the certificate to be delivered" (Zorn, 2011, p.1).
The MITMO attack targets BlackBerry, Android, and Symbian mobile devices. The regions affected are the United States, Europe, the Middle East, and Asia. However, newly targeted countries have emerged, such as Russia, Saudi Arabia, Bahrain, Oman, Venezuela, Belarus, Ukraine, Moldova, Estonia, Latvia, Finland, Japan, Hong Kong and Peru (Kirk, 2011). Beyond the SpyEye example, there are other MITMO attacks that use similar malicious software to steal a consumer’s financial information. Below is an example of a MITMO attack:
(1.) “The user is infected by a Trojan when visiting a compromised website. The site scans the user’s computer for
vulnerabilities and, when it finds one, it injects a Trojan.
(2.) By monitoring the user’s online activity, the Trojan collects and transmits login credentials, phone numbers and other
sensitive data to the attacker.
(3.) The attacker sends a phishing SMS to the victim’s cell phone using the number stolen at Step 2. The message is
intended to persuade the user to click on a link that will
(4.) Upload a mobile Trojan to the user’s cell phone.
(5.) The attacker performs an unauthorized funds transfer using the stolen login credentials.
(6.) The bank sends an SMS with confirmation code to the compromised cell phone.
(7.) The cell phone silently sends this code to the attacker, which is then used to confirm the transaction
(8.) Steps 5-8 can be repeated many times, because the Trojan masks true funds amount and displays only the online
banking page the user expects to see” (“Online Banking Trojans”, 2012, p.1)
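Both the MITB injection of extra form fields and the SpyEye MITMO request for a phone number and IMEI leave the same footprint at the server: a login submission carrying fields the genuine page never asked for. The following Python is an added example, not code from the paper or any product it cites; the expected field names, the keyword patterns, and the sample request are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Added example (not from the paper or any product): server-side triage of login
# submissions that carry fields the genuine form never asked for, the footprint
# left by MITB/MITMO content injection. Field names and samples are constructed.

EXPECTED_LOGIN_FIELDS = {"username", "password", "csrf_token"}

# What injected forms phish for, per the page: secondary-authentication data
# (MITB) and the phone number / IMEI needed to push a mobile Trojan (MITMO).
SUSPICIOUS_PATTERNS = {
    "secondary_auth": re.compile(r"(otp|one.?time|token|pin|security.?q|mother)", re.I),
    "mobile_profile": re.compile(r"(phone|mobile|msisdn|imei)", re.I),
}

def classify_submission(form: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (verdict, fields). verdict is 'ok' for an exact schema match,
    'injection_suspected' when unexpected fields match the phishing patterns,
    otherwise 'unexpected' (e.g. a stale form version: log it, do not block)."""
    unexpected = sorted(set(form) - EXPECTED_LOGIN_FIELDS)
    if not unexpected:
        return "ok", []
    matched = [name for name in unexpected
               if any(p.search(name) for p in SUSPICIOUS_PATTERNS.values())]
    if matched:
        return "injection_suspected", matched
    return "unexpected", unexpected

def looks_like_imei(value: str) -> bool:
    """An IMEI is 15 digits whose last digit is a Luhn check digit. A value passing
    this check inside an unexpected field strengthens the MITMO signal."""
    digits = re.sub(r"\D", "", value)
    if len(digits) != 15:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):  # i == 0 is the check digit itself
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def triage(form: Dict[str, str]) -> Tuple[str, List[str], bool]:
    """Combine field-name and value evidence; returns (verdict, fields, imei_seen)."""
    verdict, fields = classify_submission(form)
    imei_seen = any(looks_like_imei(form[f]) for f in fields)
    if imei_seen:
        verdict = "injection_suspected"
    return verdict, fields, imei_seen

if __name__ == "__main__":
    # Constructed request resembling the SpyEye injection described above;
    # the IMEI is a constructed sample value, not a real device.
    injected = {"username": "alice", "password": "x", "csrf_token": "t",
                "mobile_number": "+1 555 0100", "imei": "490154203237518"}
    print(triage(injected))  # ('injection_suspected', ['imei', 'mobile_number'], True)
```

A verdict of injection_suspected is a reason to step up verification out of band and to flag the endpoint as possibly infected, not proof on its own.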
The following security controls are recommended solutions for e-commerce companies, as additional security to thwart cyber attacks. The recommended security controls are offered by Trusteer, a privately held corporation. The security software offered by Trusteer, such as Pinpoint, Mobile and Rapport, will assist e-commerce companies in mitigating the discussed threats to ensure a safe online environment. According to Trusteer (2012), the Trusteer Cybercrime Prevention Architecture “is the technology foundation of Trusteer’s sustainable security solution, enabling organizations to protect their employees and customers against malware and phishing attacks. It prevents credential theft, account takeover, and sensitive information theft. Trusteer Intelligence Center experts extract emerging Crime Logic (i.e. attack tactics) from threat information gathered by tens of millions of protected endpoints. Trusteer’s clientless and endpoint protection layers are constantly updated to secure users against the evolving threat landscape” (Trusteer, 2012, Cybercrime, para. 1). Below is an example of Trusteer’s Architecture:
Figure: Trusteer Cybercrime Prevention Architecture (Trusteer, 2012)
Trusteer’s Pinpoint application allows e-commerce companies to detect and mitigate malware attacks and account takeover activity, with easy integration into the company’s online site and fraud prevention processes. Trusteer Pinpoint can alert fraud teams to possible infections or feed a risk score to the web application or risk engine to mitigate potential fraud. Trusteer Pinpoint is clientless, completely transparent to end users, and does not require any installation of software on the endpoint. The application enables companies to focus fraud prevention processes on malware risk factors and to initiate malware removal with Trusteer Rapport on infected endpoints. In addition, Trusteer Pinpoint's analysis provides details on the specific malware kit used to generate the malware variant and on the malware’s Crime Logic (Trusteer, 2012).
In addition, e-commerce companies should implement Trusteer Rapport, which can prevent future infections, allowing users to safely execute online monetary transactions (Trusteer, 2012). To protect customers from MITM and MITB attacks, the Rapport software locks down customer browsers and creates a tunnel for secure communication with the e-commerce website. By securing user credentials and personal information, this software prevents attacks such as MITB and MITM and stops financial fraud and account takeover. Employees’ endpoints, managed and unmanaged, are protected against advanced malware and spear phishing attacks. Rapport prevents keylogging, screen capturing and application tampering, so credentials and sensitive data are secured from theft by cyber criminals (Trusteer, 2012).
Software vulnerabilities in mobile operating systems, such as Apple’s iOS and Google’s Android, allow malicious software to infect and take over devices. MITMO malware aims to steal credentials, tampers with financial transactions and out-of-band authentication, and compromises mobile e-commerce applications. To address these issues, Trusteer Mobile provides layered protection against malware attacks by performing real-time device risk analysis, end-to-end protection for sensitive transaction data, and prevention of sensitive data leakage. Trusteer Mobile includes a secure mobile browser that is used after the device analysis is completed. The embedded browser blocks Man-in-the-Middle (i.e. pharming) attacks by validating that online banking IP addresses and SSL certificates belong to the genuine site. Once users have logged in, the e-commerce company can leverage the risk score to restrict access to specific data or capabilities and to decline approval of specific transactions. In addition, the Trusteer Mobile Security SDK adds a protection layer to standalone mobile apps. As a result, developers can embed the Security SDK and use it to adapt their business logic to utilize the device risk analysis and transaction protection provided by Trusteer (Trusteer, 2012). Below is an example of the Security SDK mobile app, which detects malware on a user’s mobile device:
Figure: Trusteer Mobile Security SDK app detecting malware on a mobile device (Trusteer, 2012)
Lastly, Trusteer Situation Room is an ongoing risk-assessment service that keeps track of fraudsters and their activities. It presents e-commerce companies with a clear and elaborate picture of threats at various levels, including organizational, regional and industry-wide. Using Trusteer Situation Room, companies can immediately identify new attacks targeting their systems and customers, and receive accurate analysis of these attacks, their implications, and suggestions for addressing them. Trusteer Situation Room features ongoing reports describing the change in threats over time and the effectiveness of the various controls that e-commerce companies have in place against them. It is supported by a professional group of fraud and malware analysts who closely monitor financial fraud activities around the clock (Trusteer, 2012). Below is an example of Trusteer Situation Room:
Figure: Trusteer Situation Room (Trusteer, 2012)
The four recommendations mentioned make up Trusteer’s Cybercrime Prevention Architecture (TPCA). Combined with Trusteer’s Intelligence Center, it provides around-the-clock detection and blocking of new attacks. Furthermore, e-commerce companies will benefit from the above-mentioned solutions because of the real-time intelligence, which can automatically feed into layered fraud prevention and security systems. As a result, e-commerce companies become more knowledgeable about cyber crime attacks against themselves and their consumers.
The Trusteer recommended solutions will allow e-commerce companies to proactively protect their e-commerce customers from becoming victims of identity theft. By receiving real-time alerts, e-commerce companies will be able to investigate emerging threats such as suspicious computers, reconnected infected computers, phishing attacks, and new zero-day threats. The security software provided by Trusteer will assist e-commerce companies with securing their customers’ browsers from financial malware attacks and fraudulent websites (Trusteer, 2012). The implementation of the discussed recommended solutions will increase e-commerce companies’ visibility of unauthorized intrusion.
References
Ahmadi-Brooghani, Z. (2010). Security Issues in E-commerce: an Overview. International Review on Computers & Software, 5(5), 575-580. Retrieved August 4, 2012 from Academic Source Complete.
Ahamed, Dr. S., Ansari, A., Kubendran, Dr. V. (2011). Transaction Based Security Issues and Pathways to Effective Electronic Commerce: From Tactics to Strategy. International Journal of Engineering Science & Technology, 3(2), 1304-1310. Retrieved August 5, 2012 from Academic Search Complete.
Bragg, R., Rhodes-Ousley, M., & Strassberg, K. (2004). The Complete Reference: Network Security. Emeryville, California: McGraw-Hill/Osborne.
Digicert (2012). Extended Validation EV SSL Certificate. Retrieved August 4, 2012, from http://www.digicert.com/ev-ssl-certification.htm
Ektron Knowledge Base (2012). Info: Understanding PCI Compliance. Retrieved August 4, 2012 from http://dev.ektron.com/kb_article.aspx?id=26304
Firewalls (2012). Firewalls. Retrieved August 4, 2012 from http://www.referenceforbusiness.com/small/Eq-Inc/Firewalls.html
Heyman, A. (2011). First SpyEye Attack on Android Mobile Platform now in the Wild. Retrieved August 4, 2012, from http://www.trusteer.com/blog/first-spyeye-attack-android-mobile-platform-now-wild
Kirk, J. (2011). SpyEye Trojan defeating online banking defenses. Retrieved August 4, 2012 from http://www.computerworld.com/s/article/9218645/SpyEye_Trojan_defeating_online_banking_defenses
Kissoon, J. (2011). Secure Socket Layer: An Overview. Retrieved August 4, 2012 from http://www.cleverlogic.net/articles/secure-socket-layer-overview
Mandic, M. (2009). Privacy and Security in E-commerce. Trziste/Market, 21(2), 247-260. Retrieved August 4, 2012 from Business Source Complete Database.
Murdoch, S. (2008). 2FA is dead. Retrieved August 5, 2012, from http://blog.cronto.com/index.php?title=2fa_is_dead
Online Banking Security (2012). Online Banking Trojans. Retrieved August 4, 2012, from http://www.safensoft.com/print.phtml?c=758
Otuteye, E. (2003). A Systematic Approach to E-business Security. Retrieved August 4, 2012 from http://www.ausweb.scu.edu.au/aw03/papers/otuteye/paper.html
Prince, B. (2010). Understanding Man-in-the-Browser Attacks Targeting Online Banks. Retrieved August 4, 2012, from http://securitywatch.eweek.com/exploits_and_attacks/understanding_man-in-the-browser_attacks.html
Sanders, C. (2010). Understanding Man-in-the-Middle Attacks. Retrieved August 4, 2012, from http://www.windowsecurity.com/articles/Understanding-Man-in-the-Middle-Attacks-ARP-Part3.html
Sirbu, M. (1997). Credits and debits on the Internet. Retrieved August 4, 2012 from http://spectrum.ieee.org/telecom/internet/credits-and-debits-on-the-internet/4
ToolBox (2008). Man-in-the-Middle. Retrieved August 4, 2012, from http://it.toolbox.com/wiki/index.php/Man-in-the-Middle_Attack
Trusteer (2012). Cybercrime Prevention Architecture. Retrieved August 4, 2012 from http://www.trusteer.com/Products/trusteer-cybercrime-prevention-architecture
Trusteer (2012). Rapport. Retrieved August 4, 2012 from http://www.trusteer.com/Products/trusteer-rapport-pc-and-mac-security
Trusteer (2012). Mobile. Retrieved August 4, 2012 from http://www.trusteer.com/Products/Trusteer-Mobile-for-Online-Banking
Trusteer (2012). Pinpoint. Retrieved August 4, 2012 from http://www.trusteer.com/Products/trusteer-pinpoint-clientless-fraud-prevention
Trusteer (2012). Pinpoint Malware. Retrieved August 4, 2012 from http://www.trusteer.com/products/malware-detection
Trusteer (2012). Pinpoint Phishing. Retrieved August 4, 2012 from http://www.trusteer.com/Products/phishing-detection
Webopedia (2010). SSL: Your Key to E-commerce Security. Retrieved August 4, 2012 from http://www.webopedia.com/DidYouKnow/Internet/2005/ssl.asp
Zorn, Z. (2011). SpyEye-Fueled Man-in-the-Mobile Attack Targets Bank Customers. Retrieved August 4, 2012 from http://www.net-security.org/malware_news.php?id=1683