September 1999

E-Commerce Security

BY KEVIN GRUMBALL, ACTINIC SOFTWARE

Access Granted
With the year 2000 rapidly approaching, users are scrambling to protect their PCs from the ominous threat of the so-called millennium bug. Hundreds of Web pages, articles and television shows have been dedicated to providing remedies for every Y2K ailment under the sun - from PC crashes and food shortages to solar heating solutions and more. But will the Y2K crisis hit before the first major Internet fraud? Don't be so sure.

With everyone focusing on the Y2K issue, less attention is being paid to the equally serious question of e-commerce security. There are a multitude of e-commerce sites all over the world that take in billions of dollars each day, but many have security procedures that wouldn't stand up in the local 7-11 store.

In the good old days, when purchases were made the old-fashioned way — over the phone or in person — the security of a shopper’s credit card details was never much of a question. Credit card information had a direct route, from your hand to the merchant’s register — or from your phone to theirs. But the virtual explosion of e-commerce shopping over the last few years has changed the rules of this process. With credit card information traveling over Internet lines for proc-essing on some remote server, guaranteed security has become a critical factor for many consumers considering shopping online.

Surprisingly, when it comes to making online buying secure, the issue isn’t Secure Socket Layer (SSL) or golden padlocks — in fact, SSL is reasonably good at protecting your sensitive credit card details as they travel across the Internet — and that was never much of a risk anyway. Think about it: Tapping into Internet protocols requires physical access to routers on the Internet. It’s about as hard as tapping into the wires of your local phone company.

The common misconception, however, is that SSL protects your data all the way to the merchant. Sadly, for most sites, that is simply not the case. It does offer protection, but only part of the way. Take a look at the process: The buyer uses SSL to connect to the “secure” server, which, despite its name, is no more secure than any other Web server. The browser encrypts all data before they cross the Internet, so no one can access or read the information en route. So far, so good. The Web server then decrypts the information and stores it. When the merchant wants to see the data, he uses SSL to read the information. The Web server encrypts the data as they are sent, and the browser decrypts. Again, no one can tap the data in transit.

The problem is actually back with the stored data that are sitting — decrypted and wholly unprotected — on the Web server, waiting to be processed by the merchant. Essentially, anyone with access to the server can read the information that is stored there. This includes the ISP’s staff, in addition to any hacker that can get into the server. In this scenario, your sensitive data are about as secure as your ISP’s security policy — which is often nonexistent. The staff that handles cash in traditional businesses is usually watched in some way, but it’s not as obvious that an IP guru needs the same level of supervision. Businesses have audit trails in their standard accounting systems, but a system operator (“sysop”) in an ISP can access all your financial data with little or no hindrance — and leave no trace behind.

Recent breaches in online security have turned a critical eye to this question of e-commerce safety. A recent discovery found that more than 100 sites on the Web were vulnerable, not only to the deft hand of the experienced hacker, but to the average Web surfer with the right search terms as well. In the case of an e-commerce mall, access to one password could mean access to the purchase information in hundreds, even thousands, of online stores. Hackers can literally hit the jackpot, taking just a few credit card or bank details from each store for later use, all with little or no chance of detection. Rest assured, as you read this article, hackers are currently collecting credit card details for some future scam.

Additionally, the information in storage is not restricted to credit card details alone. Hackers can also find out about the purchases themselves. Hacking into a mall that hosts adult sites could yield some interesting opportunities for blackmail. At the very least, companies could measure buying habits from consumers across a wide range of stores and offer targeted scams.

Take this one step further. A fraudster discovers from an e-commerce site that you buy gold coins from time to time. He offers you a rare coin at a knockdown price in an e-mail purporting to come from a store that you’ve dealt with before. Based on past experience, you trust the store and its security policies and are more than happy to send over your credit card details. The “store” sends you confirmation that the goods will be dispatched in a few days. After a week, you contact the store and they deny all knowledge of the transaction. Meanwhile, your card is maxed out buying elsewhere on the Internet.

So who is to blame for such an incidence? Most likely, your first instinct is to get angry at the store itself. Eventually, you point a finger toward the ISP. Faking e-mail headers is trivial; linking it to existing purchases makes it much more likely that you’ll be taken in. It’s also likely that you’ll never trust that store or ISP again. Ultimately, everyone loses — everyone, of course, but the hacker who started it all, and who is now happily buying his way through the Internet on your dollar.
This has especially big implications for the ISPs that are currently running online malls or e-commerce servers. Even though they do not take part directly in the deal, they may still be legally liable for any losses. They may be cited as part of any large fraud. Few, if any, have recognized this to date. ISPs flock to server-based e-commerce solutions, but remain blissfully unaware of the true risks they are taking.

As a result, merchants and ISPs must take more care than ever before to protect themselves — and reassure their online customers — that sensitive credit card information and shopping details are completely secure. What do they need to do? For a start, they need strong authentication of all sysop users — ideally with something like a hardware token. They also need to ensure that all actions performed by the sysops are logged in an area that cannot be accessed by anyone except security staff. Of course, neither of these tasks is particularly easy — and may not be enough to get the job done.

To fully protect themselves and their customers, merchants and ISPs should also consider the use of e-commerce systems that keep all details encrypted while they sit on the server. Along these lines, some shopping carts already use a light encryption technique or an encrypted database to inhibit browsing. However, the key used to decrypt the data is still present on the server itself (to read it before passing it to the merchant’s browser), so it is still vulnerable to an attack from the outside or from the ISP’s internal staff. It still requires all the access controls and audit trails we described before. Ideally, the ISP would never keep customer details and would have no means of decrypting any information on its way to a merchant. Some e-commerce solutions keep financial details on the Web server for a short time only and make sure they are encrypted at all times.

Some merchants, for example, encrypt sensitive data on the buyer’s PC using a Java applet and can also operate with SSL sites. With this method, the Web site is used only as a mailbox — each “packet” of financial information is kept on the Web server for a short time only and is always fully secure. Ensuring that no one else can open the packet can be achieved with 128-bit public-key encryption — only the merchant holds the key. Orders can be downloaded directly to the merchant’s PC for processing. This means that no sensitive data are ever visible at the Web site, and that all details can be stored safely on the merchant’s PC. The merchant need not be online to view order details when a customer phones in. This will help ensure protection for all parties involved. Merchants can provide customers with end-to-end security and the ISPs are safe from liability, as they cannot view or affect the data in transit.

Ultimately, it’s not the consumer who is exposed — the credit card companies pass most of the risk to the merchants, who may look to share that risk with their e-commerce providers. ISPs that run conventional malls and merchants that offer online shopping carts may need to look closely at their indemnity insurance — they could have a nasty shock coming.

Kevin Grumball is CEO of Actinic Software, a provider of plug-and-play e-commerce software. The company’s Actinic Catalog software provides a tool to build and deploy secure e-commerce Web sites.