1. E-COMMERCE SEC. 1
Running Head: E-COMMERCE SEC.
E-commerce Security
Lindsey Landolfi
Towson University
Network Security
Professor Charles Pak
July 2011
E-commerce, or commerce conducted by electronic means, has become an increasingly popular
method of shopping; its prevalence will become mainstream for much of society as electronic
forms of payment become preferred over physical cash or checks. The convenience and speed of
e-commerce must be accompanied by the required security and protection of the transactions and
payments. Every new opportunity for a retailer also becomes a new opportunity for an attacker;
as more money is exchanged over electronic means, it will attract more attackers hoping to reap a
profit. This document provides an overview of the risks presented by e-commerce, explains how
proper network security mitigates these risks, and provides real-world examples of how
technology and policies failed to protect the consumer.
As technology has progressed, so has the way consumers use that technology when
making purchases. Stores have begun transitioning from traditional brick-and-mortar, physical
stores to having an online presence. Some companies have started without a brick-and-mortar
store at all, offering a shopping experience available exclusively online. As retailers make
these transitions, consumers have abandoned physical currency in favor of electronic payment
means. Several electronic payment systems are currently in widespread use. Credit and debit
cards are the most prevalent form of electronic currency and have been in use for several years.
Online wallets such as PayPal, which allow a consumer to pay directly from an online account or
charge a credit card, have also become popular. A new payment technology still in its infancy is
Near Field Communication (NFC) for mobile phones. NFC devices will allow a consumer to hold a
mobile phone over a reader to process the payment, allowing the consumer to stop carrying cash
or credit cards altogether.
While these new payment methods offer the consumer unprecedented convenience in paying
for goods and services, to a network security practitioner they present new challenges and
threats. The industry has established standard security compliance requirements to protect
networks, customer data, and brand reputation. The Payment Card Industry Data Security
Standard (PCI DSS) requires annual compliance validation for organizations conducting
e-commerce. See appendix, figure 1 for the PCI DSS control objectives and requirements. Many of
the same security tools used to protect a computer network may also be employed to defend the
networks that process payment transactions. Firewalls should be configured so that systems
holding or processing transactions can reach only the other systems directly necessary to
complete the transaction, and nothing else. Intrusion Detection Systems (IDS) and Intrusion
Prevention Systems (IPS) may be used to detect or stop an attack in progress should an attacker
get through the firewall, limiting any damage or compromise of data the attacker may attempt.
IDS and IPS should be deployed behind the firewall and should monitor traffic in multiple
locations; in this way the IDS/IPS can report if any one part of the network becomes
compromised. Encryption may be employed to render any stored data indecipherable to an
attacker, but care must be taken to use strong encryption algorithms and keys. Encryption keys
should be carefully protected and accessible only to those who require access. Finally, policies
must be in place that direct employees on how to properly maintain a secure environment. An
employee training program that teaches employees to recognize an attack and common attack
methodologies should be standard, and yearly refresher classes would prove beneficial.
Employees should also have easy access to a technical security team to report any suspicious
activity, files, or e-mails.
No one of these tools individually will be a "magic bullet" that prevents or mitigates an
attack, but if properly combined into a comprehensive security plan and defense they may divert
an attacker toward an easier target. When not implemented properly, security tools may leave
the company at risk of an information breach. Data breaches may lead to lawsuits, loss of
consumer trust, loss of revenue, and make the victim a target for future attacks. One example of
how incorrectly implemented technology failed to provide sufficient security is the case of the
TJ Maxx payment processing center in 2005.
TJ Maxx, a discount store, utilized Wi-Fi networks in its stores to connect the Point Of
Sale (POS) systems to a central server for the retail location. This central server was responsible
for forwarding requests for credit card authorizations to TJ Maxx's central payment processing
center. The payment processing center would then contact the customer's bank, obtain
authorization, and return the payment authorization to the POS server and register. While this
system was successful at accomplishing the goal of processing sales transactions, it lacked a
number of important safeguards and contained several security vulnerabilities. While TJ Maxx
never revealed the technical details of how the attack progressed, I was able to draw some
conclusions based on news reports and the way the hackers were able to extract the confidential
data.
TJ Maxx's Wi-Fi "was using a security protocol known as Wired Equivalent Privacy
(WEP)" (Berg, Freeman, Schneider, 2008) at some of its retail sites. Even a properly configured
WEP network is relatively easy to crack; WEP's weakness is evident in the authentication
sequence due to the lack of key management. WEP encryption is so insubstantial that "researchers
at Darmstadt Technical University in Germany have demonstrated that a WEP key can be broken in
less than a minute" (Berg, Freeman, Schneider, 2008). This use of weak encryption allowed the
attacker to easily break the encryption cipher, join the retail location's wireless network, and
access the machines processing payment transactions. There have been reports that some POS
system passwords were "set to blank" (Goodin, 2008), or that employees "posted the password and
username on a post-it note" (Goodin, 2008) to the computer for easy access. TJ Maxx's retail
locations did not use firewalls between the POS server and the payment processing center, nor
did they deploy IDS or IPS systems at either the POS server or the payment processing center.
They did not conform to the PCI data retention standards, which require sensitive authentication
data to be deleted once the transaction has been authorized. See appendix, figure 2 for a
comparison between the data retained by TJ Maxx and the PCI retention standards. Finally, they
did not have, or did not enforce, policies on secure network practices. This lack of
comprehensive security allowed the attacker to war-drive to find the retail store's wireless
network and gain entry to the retail location's local network. Wardriving software uses radio
signals to locate and collect information on Wi-Fi networks using weak or no encryption. Once
inside the retail location's wireless
network the attacker was able to gain entry to the payment processing center where he installed a
packet sniffing program that collected confidential data that was exchanged between the POS
and central server. Stolen information included private data such as credit and debit card
numbers, Personal Identification Numbers (PINs), social security numbers, and driver's license
numbers. This information was then periodically uploaded to servers "leased in Latvia and
Ukraine" (Zetter, 2010). This process continued over the course of 18 months prior to detection,
and the attacker was able to siphon off about 80 gigabytes worth of data. While any one of these
issues alone may have allowed an attacker to gain entry to the network, when combined they
allowed the attacker unprecedented access to millions of credit and debit card numbers, social
security numbers, and bank account numbers. These issues could have been avoided with the
proper application of security technology and adherence to security policies.
The retail Wi-Fi networks should have been configured with strong encryption such as
Wi-Fi Protected Access 2 (WPA2), or replaced with physical connections such as Ethernet. Using
directional antennas and reduced signal strength to limit the wireless signal's ability to leave
the building would have required the hacker to get physically close, making it more difficult
to access the Wi-Fi network and possibly deterring an attacker who wishes to remain anonymous.
Firewalls should have been deployed at both the POS server and the payment center, restricting
communication to the cashier terminals and the servers they needed and blocking any other
systems from accessing one another. An IDS or IPS deployed at the POS server and the payment
processing center could have alerted administrators to the attack in progress, or to
confidential data leaving the facility for outside countries that the servers should never
communicate with. While TJ Maxx claims that some transaction data was being deleted after a
short time, some vital data was still being archived. Confidential data that had served its
purpose and was no longer needed should have been deleted, or if stored should have been
protected with strong encryption. Passwords for systems that process confidential data should
have been subject to higher complexity requirements, such as the criteria enforced by
Microsoft's passfilt.dll, in order to lower the risk of a security breach. Finally, TJ Maxx did
not have, or did not enforce, a security policy with guidelines on protecting systems that
processed confidential data, policies guiding proper password selection and protection of
passwords, policies on performing log analysis, or policies specifying communication guidelines
to the outside world from machines that processed confidential data. Much of the research I
found concentrates on what technology TJ Maxx did not have deployed, but without policies
stating how the technology should act and enforcement to ensure humans are configuring the
technology correctly, it will not provide proper protection.
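As an added illustration of the firewall allow-list and the IDS/IPS egress alerting recommended above (this is not part of the original paper and uses no real TJ Maxx data), the following checks constructed POS server flow records against an assumed allow list and flags traffic to hosts the server should never contact, together with sizeable outbound transfers like the periodic uploads described in the case. The payment center address, the 10.0.0.0/8 internal range and the 10 MiB threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records from a hypothetical POS server (not real TJ Maxx data).
# Each line: timestamp, source IP, destination IP, destination port, bytes sent.
SAMPLE_FLOWS = """\
2011-07-01T10:00:01 10.20.1.5 10.0.0.10 443 1820
2011-07-01T10:00:09 10.20.1.5 10.0.0.10 443 1790
2011-07-01T10:01:14 10.20.1.5 10.0.0.10 443 1805
2011-07-01T03:12:40 10.20.1.5 203.0.113.77 22 52428800
2011-07-01T03:15:02 10.20.1.5 203.0.113.77 22 31457280
"""

# Assumptions: the POS server may talk only to the central payment processing
# center (placeholder address) on its authorization port; everything the retailer
# owns lives in 10.0.0.0/8; more than 10 MiB to one unexpected host is a bulk transfer.
ALLOWED_DESTINATIONS = {("10.0.0.10", 443)}
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
BULK_TRANSFER_THRESHOLD = 10 * 1024 * 1024


def parse_flows(text):
    """Turn the constructed flow lines into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    """True when the address belongs to one of the retailer's own networks."""
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETWORKS)


def detect_unexpected_egress(flows, allowed=ALLOWED_DESTINATIONS, threshold=BULK_TRANSFER_THRESHOLD):
    """Flag flows to destinations outside the allow list, then bulk transfers per host."""
    alerts = []
    bytes_per_dest = defaultdict(int)
    for flow in flows:
        if (flow["dst"], flow["port"]) in allowed:
            continue  # expected authorization traffic to the payment center
        bytes_per_dest[flow["dst"]] += flow["bytes"]
        reason = "destination not on allow list"
        if not is_internal(flow["dst"]):
            reason += ", outside the retailer's networks"
        alerts.append({"ts": flow["ts"], "dst": flow["dst"], "port": flow["port"], "reason": reason})
    for dst, total in bytes_per_dest.items():
        if total > threshold:
            alerts.append({"dst": dst, "bytes": total, "reason": "bulk outbound transfer"})
    return alerts
```

The same allow list expresses the firewall rule: anything the detector flags here is traffic the firewall should already have dropped, and a flagged flow therefore also signals a misconfigured or bypassed firewall.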
A second case that illustrates the problems of lacking proper policies is that of RSA and
its SecurID tokens. RSA SecurID tokens are used to authenticate a user based on the ‘something
you have’ principle. The ‘something you have’ authentication approach requires a tangible
object such as a hardware token or an ID card. The second aspect of RSA SecurID’s two-factor
authentication is the ‘something you know’ approach, such as a password. RSA is “the only
solution that automatically changes your password every 60 seconds.” (RSA SecurID, 2011) The
tokens generate a random number based on the current time and a seed value set at the factory.
So long as the seed value and the algorithm used to generate the random number are kept secret,
it is impossible for an attacker to calculate the current or next random number in the sequence.
The security offered by SecurID led many large corporations and the US Government to use RSA
technology to secure their own networks and Virtual Private Networks (VPNs). As a company
specializing in security products, RSA was an industry leader in maintaining a secure local
network, including defensive countermeasures such as firewalls, IDS/IPS, secure passwords, and
encryption. RSA fell victim to an Advanced Persistent Threat (APT) in 2011; an APT typically
progresses through different phases, each customized to achieve the maximum effect.
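The seed-plus-clock principle above, as an added illustration that is not part of the original paper and is not RSA's proprietary SecurID algorithm: a generic HMAC-based time code over 60-second windows, with the seed, step and timestamps constructed. It shows why the seed database was the prize in the breach: whoever holds a token's seed computes exactly the codes that token will display, so the verifier's job is to protect the seed and compare codes safely.

```python
import hashlib
import hmac
import struct

# A generic time-based one-time-code construction (HMAC over a 60-second time step),
# used here only to illustrate the seed-plus-clock principle; it is NOT RSA's
# proprietary SecurID algorithm. SAMPLE_SEED is a constructed 20-byte placeholder.
SAMPLE_SEED = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
TIME_STEP_SECONDS = 60
CODE_DIGITS = 6


def token_code(seed, unix_time, step=TIME_STEP_SECONDS, digits=CODE_DIGITS):
    """Code the token displays during the time window containing unix_time."""
    counter = int(unix_time) // step               # same value for the whole window
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation into the MAC
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_code(seed, unix_time, submitted, drift_windows=1):
    """Server-side check: accept the current window and its neighbours to tolerate
    clock drift, comparing in constant time so timing does not leak the expected code."""
    for w in range(-drift_windows, drift_windows + 1):
        expected = token_code(seed, unix_time + w * TIME_STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False
```

Nothing in verify_code depends on the token hardware: the seed held on the server is the whole secret, which is why a copy of the seed database undermines every token initialized from it.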
RSA's network initially came under a social engineering attack when low-level
employees received "two different phishing emails over a two day period" (Rivner, 2011)
containing Excel spreadsheet attachments harboring malicious code. The employees did not have
the security training that would have advised them not to open the attachments, or to forward
them to a security department for examination. When the infected attachments were opened, a
Trojan was executed that began an escalation of privilege until the attacker was able to access
the accounts of individuals with credentials for the database containing the seeds used to
initialize the SecurID tokens. See appendix, figure 3 for a visual of the various stages of the
APT attack strategy on RSA. The algorithm used to generate the random number from the seed was
also compromised, rendering the SecurID tokens vulnerable. Shortly after the RSA attack,
"several large defense contractors" (Diodati, 2011) were attacked and had confidential data
removed from their systems.
RSA utilized the latest in security technology, enabling the company's Computer Incident
Response Team to detect and stop the attack quickly, but not quickly enough to stop the attackers
from obtaining confidential data. In RSA's case it was not a lack of technology but instead a lack
of policy on training employees to recognize threats, and of procedures for non-technical
employees to confirm or report those threats, that led to the data breach. A policy defining the
amount of training employees receive, what types of threats they should be trained to watch for,
and ways for non-technical employees to report suspicious e-mails could have prevented the
initial attack.
Companies must be prepared for the transition to cyberspace. New e-commerce
opportunities for online retailers will also bring new opportunities for cybercrime and
cybercriminals. Companies offering e-commerce should use these case examples to understand the
risks of exposing networks to the internet. If companies are not properly prepared for the
internet threats of tomorrow, they will lose money, reputation, and consumer confidence. For
retailers that wish to thrive in this new environment, a proper network defense, strongly
enforced security policies, and proper training will allow them to defend against the new
attacks that will be attracted when money changes hands on the internet. Security is not
simply technology; it is the human implementation, enforcement, and management of that
technology, supported by security policy, which enables a strong defense.
References
Berg, G., Freeman, M., & Schneider, K. (2008, August). Analyzing the TJ Maxx data security
fiasco. The CPA Journal, 34-39. Retrieved from
http://www.nysscpa.org/cpajournal/2008/808/essentials/p34.htm
Diodati, M. (2011, June 2). The seed and the damage done: RSA SecurID [Web log post].
Retrieved from Gartner: http://blogs.gartner.com/mark-diodati/2011/06/02/the-seed-and-the-damage-done-rsa-securid/
Goodin, D. (2008, May 27). TJX employee fired for exposing shoddy security. The Register.
Retrieved from http://www.securityfocus.com/news/11520
Rivner, U. (2011, April 1). Anatomy of an attack [Web log post]. Retrieved from RSA:
http://blogs.rsa.com/rivner/anatomy-of-an-attack/
RSA SecurID. (2011). Securing your future with two-factor authentication. Retrieved from EMC
Corporation website: http://www.rsa.com/node.aspx?id=1156
Zetter, K. (2010, March 25). TJX Hacker Gets 20 Years in Prison [Web log post]. Retrieved
from WIRED threat level: privacy, crime and security online:
http://www.wired.com/threatlevel/2010/03/tjx-sentencing/
Appendix
Figure 1:
Payment Card Industry (PCI) Data Security Standard (DSS)
Control Objectives and Requirements
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other
security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
PCI Security Standards Council
Figure 2:
Suspected TJX Data Retention Practice Compared with PCI Standards

Data Category                   Data Item                     Retained by TJX   Storage Permitted by PCI Standards
Cardholder Data                 Primary Account Number (PAN)  Yes               Yes
                                Cardholder Name*              Yes               Yes
                                Service Code*                 Yes               Yes
                                Expiration Date*              Yes               Yes
Sensitive Authentication Data†  Full Magnetic Stripe          Yes               No
                                CVC2/CVV2/CID                 Yes               No
                                PIN/PIN Block                 Yes               No

* Must be protected if stored in conjunction with PAN.
† Sensitive authentication data must not be stored after authorization (even if encrypted).
(Berg, Freeman, Schneider, 2008)
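The retention rules in figure 2, and the delete-or-encrypt advice in the TJ Maxx discussion, as an added example that is not part of the original paper: a routine that builds the record a merchant may keep after authorization (only cardholder data, with the PAN masked and keyed-hashed) and an audit check that reports any sensitive authentication data found in a stored record. The field names, the sample record and the hash key are constructed placeholders.

```python
import hashlib
import hmac

# Field names mirror the categories in Figure 2. Sensitive authentication data
# must never be stored once the transaction has been authorized; cardholder
# data may be kept but must be protected.
SENSITIVE_AUTH_FIELDS = ("full_magnetic_stripe", "cvv2", "pin_block")
CARDHOLDER_FIELDS = ("pan", "cardholder_name", "service_code", "expiration_date")
# Placeholder key for the keyed hash of the PAN; a real deployment keeps it in an HSM.
PAN_HASH_KEY = b"placeholder-key-not-for-production"

# Constructed authorization record as it might look while the sale is processed.
SAMPLE_AUTH_RECORD = {
    "pan": "4111111111111111",
    "cardholder_name": "A. CUSTOMER",
    "service_code": "201",
    "expiration_date": "12/13",
    "full_magnetic_stripe": "%B4111111111111111^CUSTOMER/A^1312201000000000?",
    "cvv2": "123",
    "pin_block": "0123456789ABCDEF",
}


def mask_pan(pan):
    """Keep at most the first six and last four digits of the PAN."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def record_for_storage(auth_record):
    """Build the record that may be kept after authorization completes."""
    stored = {f: auth_record[f] for f in CARDHOLDER_FIELDS if f in auth_record}
    stored["pan"] = mask_pan(auth_record["pan"])
    # Keyed hash lets repeat purchases be matched without retaining the full PAN.
    stored["pan_token"] = hmac.new(PAN_HASH_KEY, auth_record["pan"].encode(),
                                   hashlib.sha256).hexdigest()
    return stored


def retention_violations(stored_record):
    """Audit check: list any sensitive authentication data found in a stored record."""
    return [f for f in SENSITIVE_AUTH_FIELDS if f in stored_record]
```

Running retention_violations over an archive of stored records is the audit that would have exposed the practice in figure 2: every hit is a field that should never have survived authorization, encrypted or not.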
Figure 3:
The Various Stages of the APT Attack Strategy on RSA
(Rivner, 2011)