Study Of Attacks On E Commerce Systems Computer Science Essay
Electronic commerce (e-commerce) services nowadays have become a core element and more popular on Internet and Web environment. Electronic commerce, Internet and Web environment have enabled businesses to reduce costs and offer many benefits both to the consumer and to the business. According to Forrester Research the online retail sales in the United stated for 2003 exceeded $100 billion. As the Information Technology and the using of internet are increasing every day, the demand for secure information and electronic services is growing. Every online transaction in the internet can be monitored and stored in many different locations, since the Internet is a public network it makes very important for businesses to understand possible security threats and vulnerabilities to their business. The key factor that affects the success of e-commerce is to exchange security on network. In this paper we will describe some of the security threats and vulnerabilities concerning the e-commerce security.
Keywords: e-Commerce security, threats, vulnerability, attacks
1. Introduction
The improvements that Internet has made during the past few years have changed the way people see and use the Internet itself. The more their use grows, the more attacks aim these systems and the amount of security risks increases. Security has become one of most important issues and significant concern for e-commerce that must be resolved [1]. Every private and public organization is taking computer and e-commerce security seriously more than before because any possible attack directly has an effect in E-commerce business [5]. The Internet and Web environment can provide as many security threats and vulnerabilities as opportunities for a company.
The low cost and high availability of the world wide Internet for businesses and customers has made a revolution in e-commerce [1]. This revolution in e-commerce in turn increases the requirement for security, as well as the number of on-line cheats and fraud as it is shown in the Figure 1. Although there has been investments and spent a very large amount of time and money to provide secures networks, still there is always the possibility of a breach of security [5]. According to IC3 2007 annual report, the total dollar loss from all referred complaints of fraud was $239.09 million [3]. The majority of these frauds and cheats were committed over the Internet or similar online services. Security is still a significant concern for e-commerce and a challenge for every company. Mitigate security threats and vulnerability is still a battle for every company [5]. Good security infrastructure means good productivity for the company.
Figure 1: Incidents of Internet fraud [15]
In this paper in the first section we will give a brief describe of e-commerce and the types of e-commerce, and then in second section we will describe the security issues and some of the threats and vulnerabilities- attacks in e-commerce. Last section discuss various defence mechanism uses to protect e-commerce security which is still high concerns of business.
2. E-commerce Background
Information and communication technology has become more and more essential and integral part of businesses. This highly uses of information technology have changed the traditional way of doing business. This new way of doing business is known as Electronic Commerce (E-Commerce) or Electronic Business (E-Business) [12]. Electronic commerce or e-commerce means buying and selling of products or services over the part of internet called World Wide Web. According to Verisign [2004] electronic commerce is a “strategic imperative for most competitive organisations today as it is a key to finding new sources of revenue, expanding into new markets, reducing costs, and creating breakaway business strategies”. E-commerce includes electronic trading, trading of stocks, banking, hotel booking, purchases of airline tickets etc [2]. There are different types of e-commerce, but we will encompass the e-commerce on there types of business transaction:
B2B ( business to business);
B2C ( business to consumer);
C2C (consumer to consumer) [4].
Business to Business (B2B) e-commerce- is simply defined as commerce transactions among and between businesses, such as interaction between two companies, between e manufacturer and wholesaler, between a wholesaler and a retailer [16]. There are four basic roles in B2B e-commerce – suppliers, buyers, market-makers and web service providers. Every company or business plays at least one of them, and many companies or businesses play multiple roles [9]. According to the Queensland governments department of state development and innovation [2001] B2B ecommerce made up 94% of all e-commerce transactions [8]. The good examples and models of B2B are the companies such IBM, Hewlett Packard (HP), Cisco and Dell.
Business-to-Consumer (B2C) e-commerce- is the commerce between companies and consumer, businesses sell directly to consumers physical goods (i.e., such as books, DVDs or consumer products), or information goods (goods of electronic material digitized content, such as software, music, movies or e-books) [10]. In B2C the web is usually used as a medium to order physical goods or information goods [8]. An example of B2C transaction would be when a person will buy a book from Amazon.com. According to eMarketer the revenue of B2C e-commerce form US$59.7 billion in 2000 will increase to US$428.1 billion by 2004 [10].
Consumer to Consumer (C2C) e-commerce- this is the type of e-commerce which involves business transactions among private individuals or consumers using the Internet and World Wide Web. Using C2C, costumers can advertise goods or products and selling them directly to other consumers. A good example of C2C is eBay.com, which is an online auction where costumers by using this web site are able to sell a wide variety of goods and products to each other [6]. There is less information on the size of global C2C e-commerce [10]. Figure 2 illustrates some of the e-commerce business describe above.
Figure 2: Common e-Commerce business model [14]
3. Security threats to e-commerce
Security has three basic concepts: confidentiality, integrity, and availability. Confidentiality ensures that only the authorized persons have access to the information, not access for the unauthorized persons, Integrity ensures the data stored on any devices or during a communication process are not altered by any malicious user, Availability ensures that the information must be available when it is needed [16]. Security plays an important role in e-commerce. The number of online transaction last years has a tremendous increase; this has been accompanied by an equal rise in the number of threats and type of attacks against e-commerce security [13]. A threat can be defined as “the potential to exploit a weakness that may result in unauthorised access or use, disclosure of information or consumption, theft or destruction of a resource, disruption or modification” [8]. E-commerce environment has different members involved E-commerce network:
Shoppers who order and buy products or services
Merchant who offer products or services to the shoppers
The Software (Web Site) installed on the merchant’s server and the server
The attackers who are the dangerous part of E-commerce network
Looking on the above parties involved in the e-commerce network, it is easy to
see that malicious hackers threaten the whole network and are the most dangerous part of network. These threats on e-commerce can abuse, misuse and cause high financial loss to business. Figure 3 briefly displays the methods the hackers use in an E-commerce network [11].
Figure 3: Target points of the attacker [11]
The assets that must be protected to ensure secure electronic commerce in an E-commerce network include client (shopper) computers or client-side, transaction that travel on the communication channel, the Web site on the server and the merchant’s server- including any hardware attached to the server or server-side. Communication channel is one of the major assets that need to protect, but it is not the only concern in e-commerce security. Client- side security form the user’s point of view is the major security; server-side security is a major concern form the service provider’s point of view. For example, if the communication channel were made secure but no security measure for either client-side or server-side, then no secure transmission of information would exist at all [1, 2]. According to Figure 3 above there are some different security attack methods that an attacker or hacker can use to attack an E-commerce network. In the next section we will describes potential security attack methods.
4. Possible Attacks
This section overviews and describes various attacks that can occur in the sense of an e-commerce application. Moreover, ethical aspects are taken into consideration. From an attacker’s point of view, there are multiple actions that the attacker can perform, whereas the shopper does not have any clue what is going on. The attacker’s purpose is to gain access to each and every information in the network flow from the when the buyer has pressed the ”buy” button until the web site server has responded back. Furthermore, the attacker tries to attach the application system in a most discrete and ethical way. An onview of various attacks on ecommerce are given:
Tricking the Shopper: One very profitable and simple way of capturing the shopper’s behaviour and information to use against the attacker is by tricking the shopper, which in other words is known as the social engineering technique. This can be done in various ways. Some of them are:
An attacker can call the shopper, representing to be an employee from a shopping site to extract information about the shopper. Thereafter, the attacker can call the shopping site and then pretend to be the shopper and ask them for the user information, and further ask for a password to reset the user account. This is a very usual scenario.
Another example would be to reset the password by giving information about a shopper’s personal information, such as the date of birth, mothers maiden name, favourite movie, etc. If it is the case the shopping websites gives away these information out, then retrieving the password is not a big challenge anymore.
A last way of retrieving personal information, which by the way is used a lot during the world wide web today, is by using the phishing schemes. It is very difficult to distinguish for example, www.microsoft.com/shop with www.micorsoft.com/shop . The difference between these two is a switching between the letters ‘r’ and ‘o’. But by entering into the wrong false shop to pretend to be an original shop with login forms with password fields, will provide the attacker all confidential information. And this is performed if the shopper mistypes this URL link. The mistyped URL might be sent through email and pretend to be an original shop without any notice from the buyer [11, 15].
Password Guessing: Attackers are also aware of that is possible to guess a shoppers password. But this requires information about the shopper. The attacker might need to know the birthday, the age, the last name, etc. of the shopper, to try of different combinations. It is very common that the personal information is used into the password by many users through the internet, since they are easy to be remembered. But still, it needs a lot of effort from the attacker’s view, to make a software that guesses the shoppers password. One very famous attack might be to look up words from the dictionary and use these as passwords, this is also known as the dictionary attack. Or the attacker might look at statistics over which passwords are most commonly used in the entire world [15].
Workstation Attack: A third approach is to trying to attack the workstation, where the website is located. This requires that the attacker knows the weaknesses of the workstation, since such weak points are always presented in work stations and that there exist no perfect system without any vulnerabilities. Therefore, the attacker might have a possibility of accessing the workstations root by via the vulnerabilities. The attacker first tries to see which ports are open to the existing work station by using either own or already developed applications. And ones the attacker has gained access to the system, it will therefore be possible to scan the workstations information about shoppers to retrieve their ID and passwords or other confidential information.
Network Sniffing: When a shopper is visiting a shopping website, and there is a transaction ongoing, then the attacker has a fourth possibility. The possibility is called sniffing. That an attacker is sniffing means that all data which is exchanged between the client and server are being sniffed (traced) by using several applications. Network communication is furthermore not like human communication as well. In a human communication, there might be a third person somewhere, listening to the conversation. In the network communication technology, the data which is sent via the two parties are first divided in something called “data packages” before the actual sending from one part to another. The other part of the network will therefore gather these packages back into the one data which was sent to be read. Usually, the attacker seeks to be as close as possible to the either the shoppers site or near the shopper to sniff information. If the attacker places himself in the halfway between the shopper and website, the attacker might therefore retrieve every information (data packages). Given an example in this, then assuming a Norwegian local shopper wants to buy an item from a webshop located in the United States of America. The first thing which will happen is that the personal information data which is being sent from the shopper will be divided into small pieces of data to the server located in the USA. Since the data flow over the network is not controlled by the human, the packages might be send to different locations before reaching the destination. For instance, some information might go via France, Holland and Spain before actually reaching the USA. In such a case, the sniffer/attacker was located in France, Holland or Spain, will mean that the attacker might not retrieve every and single information. And given that data, the attacker might not analyze and retrieve enough information. This is exactly the reason why attackers are as close as possible to either the source or the destination point (client side or server side).
Known Bug Attack: The known bug attack can be used on both the shoppers’ site and on the webpage site. By using already developed tools, the attacker can apply these tools to find out which software to the target the server is having and using. From that point, the attacker further need to find patches of the software and analyze which bugs have not been corrected by the administrators. And when knowing the bugs which are not fixed, the attacker will thus have the possibility of exploiting the system [11].
There are still many various of attacks one can do more than these described above. More attacks that be used against ecommerce application could by doing Denial of Service (DOS) attacks where the attacker impact the servers and by using several methods, the attacker can retrieve necessary information. Another known attack is the buffer overflow attack. If an attacker has gained access to the root, the attacker might further get personal information by making his own buffer, where all overflow (information) is transferred to the attacker’s buffer. Some attackers also use the possibility looking into the html code. The attacker might retrieve sensitive information from that code, if the html is not well structured or optimized. Java, Javascript or Active X export are being used in html as applets, and the attacker might also distort these and set a worm into the computer to retrieve confidential information.
5. Defence
For each new attack presented in the real world, a new defence mechanism needs further to be presented as well to protect the society from unsuspicious issues. This section introduce some defence issues how to protect the attacks described in the section before. However, the main purpose from an sellers point of view in an ecommerce application is to protect all information. Protecting a system can be performed in several ways.
Education: In order to decrease the tricking attacks, one might educate all shoppers. This issue requires a lot of effort in time and not simple, since many customers still will be tricked by common social engineering work. Merchants therefore have to keep and remind customers to use a secure password since this person is used as the identity. Therefore it is important to have different passwords for different websites as well and probably save these passwords in a secure way. Furthermore, it is very important not to give out information via a telephone conversation, email or online programs.
Setting a safe Password: It is very important that customers do not use passwords which are related to themselves, such as their birthdays, children’s name, etc. Therefore it is important to use a strong password. A strong password has many definitions. For example, the length of passwords is an important factor with various special characters. If a shopper cannot find a strong password, then there are many net sites proving such strong passwords.
Managing Cookies: When a shopper registers into a website with personal information, a cookie is being stored into the computer, so no information is needed to be entered again at next logon. This information is very useful for an attacker, therefore it is recommended to stop using cookies, which is an very easy step to do in the browser [11].
Personal Firewall: An approach of protecting the shopper’s computer is by using a personal firewall. The purpose of the firewall is to control all incoming traffic to the computer from the outside. And further it will also control all out coming traffic. In addition, a firewall has also an intrusion detection system installed, which ensures that unwanted attempts at accessing, modification of disabling of the computer will not be possible. Therefore, it is recommended that a firewall is installed into the pc of a shopper. And since bugs can occur in a firewall, it is therefore further important to update the firewall [11].
Encryption and decryption: All traffic between two parties can be encrypted from it is being send from the client and decrypted when it has been received until the server, vice versa. Encrypting information will make it much more difficult for an attacker to retrieve confidential information. This can be performed by either using symmetric-key algorithms or asymmetric key algorithms [11].
Digital Signatures: Like the hand signatures which are performed by the human hand, there is also something known as the digital signature. This signature verifies two important things. First, it checks whether the data comes from the original client and secondly, it verifies if the message has been modified from it has been sent until it was received. This is a great advantage for ecommerce systems [11].
Digital Certificates: Digital signature cannot handle the problem of attackers spoofing shoppers with a false web site (man-in-the-middle-attack) to information about the shopper. Therefore, using digital certificates will solve this problem. The shopper can with very high probability accept that the website is legal, since it is trusted by a third party and more legal party. In addition, a digital certificate is not a permanent unlimited time trusted. Therefore one is responsible to see if the certificate is still valid or not [11].
Server Firewall: Unlike personal firewall, there is also something known as the server firewall. The server firewall is an more advanced program which is setup by using a demilitarized zone technique (DMZ) [11]. In addition, it is also possible to use a honey pot server [11].
These preventions were some out of many in the real world. It is very important to make users aware and administrators update patches to all used application to further protect their systems against attacks. One could also analyze and monitor security logs which are one big defence strategy, to see which traffic has occurred. Therefore it is important that administrators read their logs frequently and understand which parts have been hit, so administrators can update their system.
6. Conclusion
In this paper firstly we gave a brief overview of e-commerce and its application, but our main attention and the aim of this paper was to present e-commerce security issues and various attacks that can occur in e-commerce, also we describe some of the defence mechanism to protect e-commerce against these attacks. E-commerce has proven its great benefit for the shopper and merchants by reducing the costs, but e-commerce security is still a challenge and a significant concern for everyone who is involved in e-commerce. E-commerce security dose not belong only technical administrators, but everyone who participate in e-commerce- merchants, shopper, service provider etc. Even there are various technologies and mechanisms to protect the E-commerce such as user IDs and passwords, firewall, SSL, Digital certificates etc, still we need to be aware and prepared for any possible attack that can occur in e-commerce.
Order Now