September 1999
E-Commerce Security
BY KEVIN GRUMBALL, ACTINIC SOFTWARE
Access Granted
With the year 2000 rapidly approaching, users are scrambling to protect their PCs
from the ominous threat of the so-called millennium bug. Hundreds of Web pages, articles
and television shows have been dedicated to providing remedies for every Y2K ailment under
the sun - from PC crashes and food shortages to solar heating solutions and more. But will
the Y2K crisis hit before the first major Internet fraud? Don't be so sure.
With everyone focusing on the Y2K issue, less attention is being paid to the equally
serious question of e-commerce security. There are a multitude of e-commerce sites all
over the world that take in billions of dollars each day, but many have security
procedures that wouldn't stand up in the local 7-11 store.
In the good old days, when purchases were made the old-fashioned way, over the
phone or in person, the security of a shopper's credit card details was never
much of a question. Credit card information had a direct route, from your hand to the
merchant's register or from your phone to theirs. But the virtual explosion of
e-commerce shopping over the last few years has changed the rules of this process. With
credit card information traveling over Internet lines for processing on some remote
server, guaranteed security has become a critical factor for many consumers considering
shopping online.
Surprisingly, when it comes to making online buying secure, the issue isn't Secure
Socket Layer (SSL) or golden padlocks. In fact, SSL is reasonably good at protecting
your sensitive credit card details as they travel across the Internet, and that was
never much of a risk anyway. Think about it: tapping into Internet protocols requires
physical access to routers on the Internet. It's about as hard as tapping into the
wires of your local phone company.
The common misconception, however, is that SSL protects your data all the way to the
merchant. Sadly, for most sites, that is simply not the case. It does offer protection,
but only part of the way. Take a look at the process: The buyer uses SSL to connect to the
secure server, which, despite its name, is no more secure than any other Web
server. The browser encrypts all data before they cross the Internet, so no one can access
or read the information en route. So far, so good. The Web server then decrypts the
information and stores it. When the merchant wants to see the data, he uses SSL to read
the information. The Web server encrypts the data as they are sent, and the browser
decrypts. Again, no one can tap the data in transit.
The problem actually lies with the stored data, which sit decrypted and
wholly unprotected on the Web server, waiting to be processed by the merchant.
Essentially, anyone with access to the server can read the information that is stored
there. This includes the ISP's staff, in addition to any hacker that can get into the
server. In this scenario, your sensitive data are about as secure as your ISP's
security policy, which is often nonexistent. The staff that handles cash in
traditional businesses is usually watched in some way, but it's not as obvious that
an IP guru needs the same level of supervision. Businesses have audit trails in their
standard accounting systems, but a system operator (sysop) in an ISP can
access all your financial data with little or no hindrance and leave no trace
behind.
Recent breaches in online security have turned a critical eye to this question of
e-commerce safety. A recent discovery found that more than 100 sites on the Web were
vulnerable, not only to the deft hand of the experienced hacker, but to the average Web
surfer with the right search terms as well. In the case of an e-commerce mall, access to
one password could mean access to the purchase information in hundreds, even thousands, of
online stores. Hackers can literally hit the jackpot, taking just a few credit card or
bank details from each store for later use, all with little or no chance of detection.
Rest assured, as you read this article, hackers are currently collecting credit card
details for some future scam.
Additionally, the information in storage is not restricted to credit card details
alone. Hackers can also find out about the purchases themselves. Hacking into a mall that
hosts adult sites could yield some interesting opportunities for blackmail. At the very
least, companies could measure buying habits from consumers across a wide range of stores
and offer targeted scams.
Take this one step further. A fraudster discovers from an e-commerce site that you buy
gold coins from time to time. He offers you a rare coin at a knockdown price in an e-mail
purporting to come from a store that you've dealt with before. Based on past
experience, you trust the store and its security policies and are more than happy to send
over your credit card details. The store sends you confirmation that the goods
will be dispatched in a few days. After a week, you contact the store and they deny all
knowledge of the transaction. Meanwhile, your card is maxed out buying elsewhere on the
Internet.
So who is to blame for such an incident? Most likely, your first instinct is to get
angry at the store itself. Eventually, you point a finger toward the ISP. Faking e-mail
headers is trivial; linking them to existing purchases makes it much more likely that
you'll be taken in. It's also likely that you'll never trust that store or
ISP again. Ultimately, everyone loses; everyone, of course, but the hacker who
started it all, and who is now happily buying his way through the Internet on your dollar.
This has especially big implications for the ISPs that are currently running online malls
or e-commerce servers. Even though they do not take part directly in the deal, they may
still be legally liable for any losses. They may be cited as part of any large fraud. Few,
if any, have recognized this to date. ISPs flock to server-based e-commerce solutions, but
remain blissfully unaware of the true risks they are taking.
As a result, merchants and ISPs must take more care than ever before to protect
themselves and reassure their online customers that sensitive credit card
information and shopping details are completely secure. What do they need to do? For a
start, they need strong authentication of all sysop users, ideally with something
like a hardware token. They also need to ensure that all actions performed by the sysops
are logged in an area that cannot be accessed by anyone except security staff. Of course,
neither of these tasks is particularly easy, and together they may still not be enough to
get the job done.
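The logging called for above is only useful if a sysop cannot quietly edit or trim the log afterwards. The Go program below is an added example, not code from the article or from Actinic: it chains each audit entry to the one before it with an HMAC under a key that, by assumption, only security staff hold, so a recorded action cannot be altered, deleted or reordered without the verifier noticing. The AuditLog, Append and Verify names and the sample actions are constructed for this illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strconv"
)

// AuditEntry is one recorded sysop action. Its Tag authenticates the entry
// together with the Tag of the entry before it, so the log forms a chain:
// changing, deleting or reordering an earlier entry invalidates every Tag after it.
type AuditEntry struct {
	Seq    int
	Actor  string
	Action string
	Tag    []byte // HMAC-SHA256(key, seq || actor || action || previous tag)
}

// AuditLog is the append-only record. The HMAC key is held by security staff,
// never by the sysops whose actions are recorded (an assumption of this example).
type AuditLog struct {
	key     []byte
	Entries []AuditEntry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

// entryTag MACs the fields with a separator after each one, so that
// "ab"+"c" and "a"+"bc" do not produce the same input.
func entryTag(key []byte, seq int, actor, action string, prev []byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, field := range [][]byte{[]byte(strconv.Itoa(seq)), []byte(actor), []byte(action), prev} {
		m.Write(field)
		m.Write([]byte{0})
	}
	return m.Sum(nil)
}

// Append records an action. In a real deployment the caller is the layer that
// mediates every privileged operation, so an action cannot happen unlogged.
func (l *AuditLog) Append(actor, action string) {
	var prev []byte
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Tag
	}
	seq := len(l.Entries)
	l.Entries = append(l.Entries, AuditEntry{
		Seq: seq, Actor: actor, Action: action,
		Tag: entryTag(l.key, seq, actor, action, prev),
	})
}

// Verify recomputes the chain with the security staff's key. It returns -1 when
// every entry checks out, otherwise the index of the first entry that does not
// (a gap in Seq, a changed field, a missing predecessor or a wrong key).
func Verify(key []byte, entries []AuditEntry) int {
	var prev []byte
	for i, e := range entries {
		if e.Seq != i || !hmac.Equal(e.Tag, entryTag(key, e.Seq, e.Actor, e.Action, prev)) {
			return i
		}
		prev = e.Tag
	}
	return -1
}

func main() {
	key := []byte("constructed demo key, kept by security staff")
	audit := NewAuditLog(key)
	audit.Append("sysop-jane", "read order 1042 (store 42)")
	audit.Append("sysop-jane", "download order 1042 (store 42)")
	audit.Append("sysop-bob", "restart httpd")
	fmt.Println("intact log, first bad entry:", Verify(key, audit.Entries)) // -1

	// The chain exposes an attempt to remove the download from the record.
	trimmed := []AuditEntry{audit.Entries[0], audit.Entries[2]}
	fmt.Println("after deleting entry 1, first bad entry:", Verify(key, trimmed)) // 1
}
```

The chain does not stop a sysop from reading the log; it makes the log's integrity checkable by someone who holds the key, which is what turns "logged somewhere the sysop can reach" into evidence that will stand up later. Keeping the key and a copy of the entries off the server the sysop administers is what the article's "area that cannot be accessed by anyone except security staff" amounts to in practice.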
To fully protect themselves and their customers, merchants and ISPs should also
consider the use of e-commerce systems that keep all details encrypted while they sit on
the server. Along these lines, some shopping carts already use a light encryption
technique or an encrypted database to inhibit browsing. However, the key used to decrypt
the data is still present on the server itself (to read it before passing it to the
merchant's browser), so it is still vulnerable to an attack from the outside or from
the ISP's internal staff. It still requires all the access controls and audit trails
we described before. Ideally, the ISP would never keep customer details and would have no
means of decrypting any information on its way to a merchant. Some e-commerce solutions
keep financial details on the Web server for a short time only and make sure they are
encrypted at all times.
Some merchants, for example, encrypt sensitive data on the buyer's PC using a Java
applet and can also operate with SSL sites. With this method, the Web site is used only as
a mailbox: each packet of financial information is kept on the Web
server for a short time only and is always fully secure. Ensuring that no one else can
open the packet is achieved with 128-bit public-key encryption, where only the
merchant holds the key. Orders can be downloaded directly to the merchant's PC for
processing. This means that no sensitive data are ever visible at the Web site, and that
all details can be stored safely on the merchant's PC. The merchant need not be
online to view order details when a customer phones in. This will help ensure protection
for all parties involved. Merchants can provide customers with end-to-end security, and the
ISPs are safe from liability, as they cannot view or affect the data in transit.
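The mailbox model in this paragraph, together with the earlier points that SSL ends at the Web server and that a decryption key kept on the server leaves the data exposed, can be shown end to end. The Go program below is an added example and is not the Java applet, the Actinic product or any other code the article refers to. It assumes a hybrid scheme (a fresh AES-256-GCM key per order, wrapped with the merchant's RSA-2048 public key using OAEP) in place of the article's unspecified 128-bit public-key encryption; the Envelope, Mailbox, EncryptForMerchant, DecryptOrder and PlaintextVisible names and the sample order are constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel binds the wrapped key to its purpose; both sides must use the same value.
var oaepLabel = []byte("order-key")

// Envelope is the only thing the Web server ever stores. It carries no key that
// could recover the plaintext, so ISP staff or an intruder reading the server's
// disk see ciphertext only.
type Envelope struct {
	WrappedKey []byte // one-time AES key, encrypted with the merchant's RSA public key (OAEP)
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM output: encrypted order details plus authentication tag
}

// newGCM builds the AEAD used on both sides from a raw AES key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForMerchant runs on the buyer's side (the role the article gives to
// an applet). It needs only the merchant's public key.
func EncryptForMerchant(pub *rsa.PublicKey, order []byte) (Envelope, error) {
	key := make([]byte, 32) // fresh AES-256 key per order
	if _, err := rand.Read(key); err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, order, nil)}, nil
}

// DecryptOrder runs on the merchant's own PC, the only place the private key
// exists. GCM also rejects an envelope that was altered while it sat on the server.
func DecryptOrder(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Mailbox models the Web server: it holds envelopes until the merchant collects them.
type Mailbox struct{ queue []Envelope }

func (m *Mailbox) Deposit(e Envelope)  { m.queue = append(m.queue, e) }
func (m *Mailbox) Collect() []Envelope { out := m.queue; m.queue = nil; return out }

// PlaintextVisible is the check an auditor would run against the server's
// storage: does any stored field contain the sensitive value in the clear?
func PlaintextVisible(env Envelope, secret []byte) bool {
	return bytes.Contains(env.WrappedKey, secret) ||
		bytes.Contains(env.Nonce, secret) ||
		bytes.Contains(env.Ciphertext, secret)
}

func main() {
	// The merchant generates its key pair offline; only the public half goes to the site.
	merchantKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample order; 4111... is a standard test card number.
	order := []byte(`{"card":"4111111111111111","exp":"09/01","item":"gold coin"}`)
	env, err := EncryptForMerchant(&merchantKey.PublicKey, order) // on the buyer's PC
	if err != nil {
		panic(err)
	}
	server := &Mailbox{}
	server.Deposit(env) // the Web server stores ciphertext only
	fmt.Println("card number visible on server:", PlaintextVisible(env, []byte("4111111111111111")))

	for _, e := range server.Collect() { // the merchant downloads to its own PC
		got, err := DecryptOrder(merchantKey, e)
		fmt.Printf("merchant decrypted: %s (err=%v)\n", got, err)
	}
}
```

The point to take from it: the server holds only the envelope and the public key, so nothing on its disk, in its backups or in the hands of its staff recovers the card number, and the access controls and audit trails described earlier become a second line of defence rather than the only one. Decryption needs the private key that exists only on the merchant's PC, and the GCM authentication tag makes DecryptOrder fail on an envelope that was altered while in the mailbox, so the merchant also learns when stored orders have been tampered with.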
Ultimately, it's not the consumer who is exposed: the credit card companies
pass most of the risk to the merchants, who may look to share that risk with their
e-commerce providers. ISPs that run conventional malls and merchants that offer online
shopping carts may need to look closely at their indemnity insurance; they could
have a nasty shock coming.
Kevin Grumball is CEO of Actinic Software, a
provider of plug-and-play e-commerce software. The company's Actinic Catalog software
provides a tool to build and deploy secure e-commerce Web sites.