E-commerce Security and Threats

Specific Solution in E-commerce

Brian D. Palmer

University of Maryland University College

Dr. Chen

INFA 620

August 7, 2012


The e-commerce environment allows companies such as Amazon, eBay, PayPal, financial institutions, and similar businesses to deliver services to consumers over the Internet, so that consumers need not visit a physical store. With that convenience comes the risk of threats such as hackers and their attacks on e-commerce sites and their customers. To mitigate these risks, companies implement security tools intended to protect consumers from identity theft. However, each of these tools has limitations in protecting the assets it is meant to guard. Companies offering e-commerce services should therefore invest in additional security controls within their network infrastructure to provide a safe online environment for their customers.

Over the years e-commerce has become more popular and convenient for both companies and consumers. For companies, e-commerce reduces cost and creates new market opportunities (Brooghani, 2010). For consumers, it offers the ability to shop, transfer funds, and sell goods from home, from a mobile device, or on the go. With this convenience comes a growing concern about the security of consumers' information, such as account numbers, social security numbers, and e-mail addresses. Data in transit between a browser and a server is exposed to attack by an outside threat (Brooghani, 2010). Many consumers doubt whether e-commerce sites are safe and can be trusted with private information, and unauthorized access to that information is a risk that will continue to exist.

Security relates to the ability of a company to protect its consumers online and prevent online fraud through security measures (Mandic, 2009). Companies implement security controls to prevent attacks while continuously allowing controlled access to the network for authorized users (Brooghani, 2010). Common e-business security controls include, but are not limited to, firewalls, intrusion detection systems, secure electronic payment protocols, and Secure Sockets Layer (SSL) (Otuteye, 2003). However, every security control has limitations that can leave the assets it protects exposed. No security system is foolproof, so additional security software or hardware may be needed to complement the controls already in place.

Firewalls (software or hardware) are implemented to protect the network from attack by viruses and hackers. Two key requirements for enterprise networks are that all traffic between the inside and the outside must pass through the firewall, and that only traffic authorized by the enterprise's security policy is allowed through. The firewall itself must be immune to penetration, and it should support advanced authentication techniques such as smart cards and one-time passwords (Ahamed, Ansari, & Kubendran, 2011). The four main firewall types are packet filters, application gateways, circuit-level gateways, and stateful packet inspection. For example, a large company like Motorola might place a firewall at the outside edge of the system, connect it to a gateway computer, connect that machine to a router with packet filters, and finally connect the router to the internal network (“Firewalls”, 2012). However, firewalls have the limitations stated below:

“Firewalls cannot protect against what has been authorized. Firewalls permit the normal communications of approved applications but if the applications themselves have flaws, a firewall will not stop the attack because, to the firewall, the communication is authorized.

Firewalls are only as effective as the rules they are configured to enforce. An overly permissive rule set will diminish the effectiveness of the firewall.

Firewalls cannot stop social engineering attacks or an authorized user intentionally using their access for malicious purposes.

Firewalls cannot fix poor administrative practices or poorly designed security policies.

Firewalls cannot stop attacks if the traffic does not pass through them.” (Bragg, Rhodes-Ousley, & Strassberg, 2004, p. 230)

Figure: an example firewall configuration (“PCI Compliance”, 2012).
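As an added illustration that is not part of the original paper, the following Python example models the two firewall requirements stated above (all traffic passes through the filter; only policy-authorized traffic is allowed) as a first-match, default-deny rule set for a PCI-style storefront, with an Internet-facing web tier and an internal cardholder-data tier. It also shows the Bragg et al. limitation in code: an audit routine that flags an overly permissive rule. The address plan, rule names and "TEMP" rule are constructed for the example; nothing here is a real firewall product's syntax.

```python
"""Default-deny packet filter and rule audit for an e-commerce network (illustration)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
# Constructed, hypothetical address plan for the example.
DMZ_WEB = ipaddress.ip_network("10.1.0.0/24")   # public web/app servers (DMZ)
CARD_DB = ipaddress.ip_network("10.2.0.0/24")   # internal cardholder-data database tier

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means any destination port
    comment: str = ""

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        return ((self.proto == "any" or self.proto == proto)
                and ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and (self.dport is None or self.dport == dport))

def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; anything that matches no rule is denied (default deny)."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action
    return "deny"

def audit(rules: List[Rule]) -> List[str]:
    """Flag allow rules that make the policy overly permissive."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if r.src == ANY and r.dst == ANY and r.dport is None:
            findings.append(f"rule {i}: allows any source to any destination on any port")
        elif r.src == ANY and r.dst.subnet_of(CARD_DB):
            findings.append(f"rule {i}: exposes the cardholder-data tier directly to the Internet")
        elif r.src == ANY and r.dport is None:
            findings.append(f"rule {i}: allows every port from the Internet to {r.dst}")
    return findings

# Policy for the storefront: customers reach only the DMZ web tier on 443/80,
# only the web tier reaches the database, everything else to card data is denied.
POLICY = [
    Rule("allow", "tcp", ANY, DMZ_WEB, 443, "customers to storefront (HTTPS)"),
    Rule("allow", "tcp", ANY, DMZ_WEB, 80, "redirect to HTTPS only"),
    Rule("allow", "tcp", DMZ_WEB, CARD_DB, 3306, "web tier to database"),
    Rule("deny", "any", ANY, CARD_DB, None, "nothing else reaches card data"),
]

# The same policy with one careless "temporary" rule appended during troubleshooting.
SLOPPY_POLICY = POLICY + [Rule("allow", "any", ANY, ANY, None, "TEMP: troubleshooting")]
```

With POLICY, an Internet client reaching the web tier on 443 is allowed and the same client reaching the database on 3306 is denied; with SLOPPY_POLICY the database is still shielded only because the explicit deny precedes the temporary rule, while every other port on the DMZ is now open, which is exactly what the audit reports.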


Secure Sockets Layer (SSL) encrypts data in transit, such as credit card numbers and other personally identifiable information, which prevents unauthorized individuals from stealing the information for malicious purposes. An SSL-protected page's address begins with "https", and the browser displays a padlock icon. The browser alone cannot secure the entire transaction, which is why e-commerce sites install an SSL certificate. The certificate is used to encrypt the data and to identify the Web site: it helps prove that the site belongs to whom it claims, and it contains information about the certificate holder, the domain the certificate was issued to, the name of the Certificate Authority that issued it, the root, and the country in which it was issued (“SSL”, 2010). The limitation is that SSL deployments can be weak and vulnerable to Man-in-the-Middle (MITM) attacks; as companies make more use of SSL, attackers are finding more ways to break or bypass this authentication technology (Kissoon, 2011). Below is an example of an SSL-protected web page:

Figure: example of an SSL-protected web page (“SSL Certificate”, 2012).
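The identity checks behind the padlock are what a MITM attacker has to defeat, so, as an added example that is not from the paper, the following Python code performs them explicitly: the presented certificate must name the host being visited, must be issued by a trusted Certificate Authority, and must be within its validity period. The certificate is modelled as a dictionary with the fields the paragraph lists (it is not a real X.509 parser), and the hostnames and CA names are constructed. The `client_context` helper uses the real `ssl` module to show the setting a client must keep, and the misconfiguration (`CERT_NONE`) under which an interceptor's certificate is accepted.

```python
"""Certificate identity checks that stop a TLS man-in-the-middle (illustration)."""
import ssl
from datetime import datetime, timezone

def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact name, or '*' as the whole leftmost label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    # No partial wildcards ('www*.'), no '*.example' for a two-label name,
    # and a wildcard covers exactly one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def verify_site(cert: dict, host: str, trusted_issuers: set, now: datetime) -> list:
    """Return the reasons the certificate must be rejected; an empty list means accept."""
    problems = []
    names = cert.get("san") or [cert["subject_cn"]]
    if not any(hostname_matches(n, host) for n in names):
        problems.append(f"certificate names {names} do not include {host}")
    if cert["issuer"] not in trusted_issuers:
        problems.append(f"issuer {cert['issuer']!r} is not a trusted CA")
    if not (cert["not_before"] <= now <= cert["not_after"]):
        problems.append("certificate is expired or not yet valid")
    return problems

def client_context(verify: bool = True) -> ssl.SSLContext:
    """Browser-equivalent client settings; verify=False is the MITM-friendly misconfiguration."""
    ctx = ssl.create_default_context()       # CERT_REQUIRED plus hostname checking
    if not verify:
        ctx.check_hostname = False           # must be cleared before CERT_NONE is allowed
        ctx.verify_mode = ssl.CERT_NONE      # now any certificate, including an attacker's, passes
    return ctx

# Constructed sample data (hypothetical names; not real certificates).
NOW = datetime(2012, 8, 4, tzinfo=timezone.utc)
TRUSTED = {"Example Trusted CA"}
GENUINE = {
    "subject_cn": "www.shop.example",
    "san": ["www.shop.example", "shop.example"],
    "issuer": "Example Trusted CA",
    "not_before": datetime(2012, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2013, 1, 1, tzinfo=timezone.utc),
}
# Certificate a MITM proxy presents when it terminates the connection itself.
INTERCEPTOR = dict(GENUINE, subject_cn="proxy.attacker.example",
                   san=["*.attacker.example"], issuer="Attacker Root")
```

A client that applies `verify_site` accepts GENUINE for www.shop.example and rejects INTERCEPTOR twice over (wrong name, untrusted issuer); a client built with `client_context(verify=False)` has switched both of those checks off, which is the weakness the Kissoon citation is pointing at.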

The Secure Electronic Payment Protocol (SEPP) is an open, vendor-neutral, non-proprietary, license-free specification for securing online transactions, developed by International Business Machines (IBM) and MasterCard. It takes its input from the negotiation process and carries out payment through a three-way exchange among the cardholder, the merchant, and the acquirer. SEPP addresses four major business requirements:

1. “To enable confidentiality of payment information.
2. To ensure integrity of all payment data transmitted.
3. To provide authentication that a cardholder is the legitimate owner of a card account.
4. To provide authentication that a merchant can accept MasterCard branded card payments with an acquiring financial institution” (Ahamed et al., 2011, p. 1306).

Its limitation is that the privacy of non-financial information, and the negotiation and delivery phases of a purchase, are not addressed by the protocol. Below is an example of a SEPP transaction between the cardholder, merchant, and acquirer:


“The operation of the Secure Electronic Transaction (SET) protocol relies on a sequence of messages. In the first two, the consumer and merchant signal their intention to do business and then exchange certificates and establish a transaction ID number. In the third step, the consumer purchase request contains a signed hash of the goods and services order, which is negotiated outside the protocol. This request is accompanied by the consumer's credit card information, encrypted so that only the merchant's acquiring bank can read it. At this point, the merchant can acknowledge the order to the customer, seeking authorization later (steps five and six) or perform steps five and six first and confirm authorization in step four. Steps seven and eight give the consumer a query capability, while the merchant uses steps nine and ten to submit authorizations for capture and settlement” (Sirbu, 1997, p.1)
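The Sirbu passage describes a purchase request that carries a signed hash of the order together with card data only the acquiring bank can read. The mechanism that lets one cardholder signature bind those two halves while each party sees only its own half is SET's "dual signature". The following Python example, added here and not taken from the paper or from the SET specification text, implements that hash linkage: the merchant verifies the order without seeing the card number, and the acquirer verifies the payment without seeing the order. Because the standard library has no RSA, an HMAC under a per-cardholder key the verifier is assumed to hold stands in for the cardholder's RSA signature, and the acquirer-only encryption is left out; the order, payment and key values are constructed.

```python
"""SET-style dual signature: one signature over two linked digests (illustration)."""
import hashlib
import hmac
import json

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def canon(obj: dict) -> bytes:
    """Stable byte encoding so every party hashes exactly the same thing."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def dual_sign(order: dict, payment: dict, cardholder_key: bytes) -> dict:
    """Cardholder side: DS = Sign(H(H(OI) || H(PI))) with OI = order, PI = payment."""
    oimd, pimd = H(canon(order)), H(canon(payment))
    pomd = H(oimd + pimd)
    ds = hmac.new(cardholder_key, pomd, hashlib.sha256).digest()   # stands in for RSA-sign
    # The merchant receives the order plus only the *digest* of the payment data;
    # the acquirer receives the payment data plus only the digest of the order.
    return {"to_merchant": {"order": order, "pimd": pimd, "ds": ds},
            "to_acquirer": {"payment": payment, "oimd": oimd, "ds": ds}}

def _check(ds: bytes, pomd: bytes, cardholder_key: bytes) -> bool:
    expected = hmac.new(cardholder_key, pomd, hashlib.sha256).digest()
    return hmac.compare_digest(ds, expected)

def merchant_verify(msg: dict, cardholder_key: bytes) -> bool:
    """Merchant: is this the order the cardholder signed? (card number never seen)"""
    pomd = H(H(canon(msg["order"])) + msg["pimd"])
    return _check(msg["ds"], pomd, cardholder_key)

def acquirer_verify(msg: dict, cardholder_key: bytes) -> bool:
    """Acquirer: is this payment bound to the same order? (order contents never seen)"""
    pomd = H(msg["oimd"] + H(canon(msg["payment"])))
    return _check(msg["ds"], pomd, cardholder_key)

# Constructed sample transaction (test card number, hypothetical SKU).
CARDHOLDER_KEY = b"demo-cardholder-signing-key"   # stands in for the RSA private key
ORDER = {"txn_id": "T-1001", "items": [{"sku": "BOOK-42", "qty": 1}], "amount": "29.95"}
PAYMENT = {"pan": "4111111111111111", "exp": "12/14", "amount": "29.95"}
```

If the merchant alters the order amount, or a payment with a different amount is substituted toward the acquirer, the digest chain no longer matches the signature and the respective verifier rejects the message, which is how the protocol delivers the integrity requirement (item 2 above) across parties that never see each other's data.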


Hackers are the main threat to the e-commerce environment, and they are responsible for sub-threats such as Man-in-the-Mobile (MITMO), Man-in-the-Browser (MITB) carried out through Trojans (Zeus, Silon, Torpig, and Yaludle), and Man-in-the-Middle (MITM). Phishing is often used alongside these attacks to steal financial information from consumers. In a Man-in-the-Middle attack, commonly used for session hijacking, the hacker intrudes into an existing connection to intercept the exchanged data and inject false information. It involves eavesdropping on a connection, intruding into it, intercepting messages, and modifying data (“Man-in-the-Middle”, 2008, p. 1). If a hacker captures the cookie that maintains session state between a consumer's browser and the genuine website they are logging into, the hacker can present that cookie to the web server and impersonate the consumer's session, putting the consumer's financial information at risk (Sanders, 2010). Below is an example of a normal transmission and of a MITM attack:


Figure: a normal transmission, in which the user logs on to an e-commerce website, the user's credentials are verified, and the user gains access to the site (Sanders, 2010).
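Sanders' point is that, to the server, whoever presents the session cookie is the user. The following Python example, added here and not part of the paper, makes that concrete with a toy session store: replaying a stolen cookie from another machine is accepted, and the example then shows the server-side controls that limit the damage, namely an unguessable identifier that is replaced at login (so an identifier captured before login is worthless), a short idle timeout that closes the replay window, and Set-Cookie attributes that keep the cookie off plaintext HTTP and away from page scripts. The User-Agent check is included as the weak heuristic it is. Class, header and user names are my own.

```python
"""Session-cookie hijack and the server-side limits on it (illustration)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60           # seconds; a stolen cookie dies with the session

@dataclass
class Session:
    user: Optional[str]           # None until the user has logged in
    user_agent: str
    last_seen: float

class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def start(self, user_agent: str, now: float) -> str:
        """Anonymous pre-login session (e.g. a shopping basket)."""
        sid = secrets.token_urlsafe(32)          # 256 random bits: not guessable
        self._sessions[sid] = Session(None, user_agent, now)
        return sid

    def login(self, old_sid: str, user: str, user_agent: str, now: float) -> str:
        """Rotate the identifier at login so a pre-login (fixated or sniffed) id is useless."""
        self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, user_agent, now)
        return sid

    def authenticate(self, sid: str, user_agent: str, now: float) -> Optional[str]:
        """Return the user for a presented cookie, or None if the request must be rejected."""
        s = self._sessions.get(sid)
        if s is None or s.user is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]              # expired: the replay window has closed
            return None
        if user_agent != s.user_agent:           # heuristic only; an attacker can copy the UA
            return None
        s.last_seen = now
        return s.user

def set_cookie_header(sid: str) -> str:
    """Secure: never sent over http://; HttpOnly: invisible to injected scripts."""
    return f"Set-Cookie: SID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

The attack still works inside the window: a hijacker who copies the cookie and the browser's User-Agent is authenticated as the victim. What the controls buy is that the cookie cannot be sniffed from a plaintext request in the first place, cannot be read by script, and stops working after fifteen idle minutes rather than indefinitely.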


The Man-in-the-Browser attack is an enhancement of the Man-in-the-Middle attack that uses Trojans such as Zeus, Silon, Torpig, and Yaludle. The malicious software modifies the content in the victim's browser when they visit the log-in page, adding form fields to the legitimate Web page; the idea is to phish for information that may be used as a secondary authentication mechanism (Prince, 2010). As a result, MITB enables hackers to steal consumer information such as login credentials, account numbers, and other financial details. During such an attack the page the customer sees looks identical to the legitimate company website, but when the customer enters their account details and one-time password, the malicious software immediately connects to the genuine website and uses those details to impersonate the customer and make a fraudulent transaction (Murdoch, 2008). Below is an example of a MITB attack:


Figure: during the session hijacking attack, the hacker intercepts the communication of a user logging into their account and uses it to impersonate that user from the attacking machine (Sanders, 2010).
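Because the Trojan described by Prince adds fields to the genuine page, the server that owns that page is in a position to notice: it knows exactly which fields its log-in form renders, so any extra field arriving in the POST is evidence that the page the customer filled in was not the one the server sent. The following Python example, added here and not the paper's or any vendor's code, implements that clientless check. The expected field names, the list of commonly injected field names and the sample requests are constructed for the example.

```python
"""Server-side detection of Man-in-the-Browser form-field injection (illustration)."""
from urllib.parse import parse_qs

# Fields the genuine login page actually renders: the server-side source of truth.
LOGIN_FORM_FIELDS = frozenset({"username", "password", "csrf_token", "remember_me"})

# Labels MITB kits typically inject to harvest "secondary" credentials (constructed list).
HIGH_VALUE_INJECTIONS = frozenset({
    "atm_pin", "card_number", "cvv", "ssn", "mothers_maiden_name",
    "otp", "security_answer", "phone_imei",
})

def analyse_login_post(body: str) -> dict:
    """Split the submitted fields into the ones we rendered and the ones we did not."""
    submitted = parse_qs(body, keep_blank_values=True)
    fields = set(submitted)
    injected = sorted(fields - LOGIN_FORM_FIELDS)
    return {
        "fields": sorted(fields),
        "injected": injected,
        "high_value": sorted(set(injected) & HIGH_VALUE_INJECTIONS),
        "verdict": "suspect_mitb" if injected else "clean",
    }

def handle_login(body: str) -> str:
    """Fail closed: an unexpected field means the page was tampered with in the browser."""
    result = analyse_login_post(body)
    if result["verdict"] != "clean":
        # Do not authenticate; alert the fraud team with the injected *names* only,
        # never the values, which are the very secrets the malware was after.
        return f"blocked: unexpected fields {result['injected']}"
    return "proceed_to_authentication"

# Constructed sample requests (test card number; not real credentials).
CLEAN_POST = "csrf_token=8f3a&username=alice&password=hunter2&remember_me=on"
INJECTED_POST = ("csrf_token=8f3a&username=alice&password=hunter2"
                 "&atm_pin=1234&mothers_maiden_name=Smith&card_number=4111111111111111")
```

The check only catches kits that submit the harvested fields through the genuine form; a Trojan that exfiltrates them to its own server leaves the POST clean, so this is an inexpensive indicator for the fraud team rather than a complete defence.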


Figure: example of a MITB attack (Murdoch, 2008).

The Man-in-the-Mobile attack uses a Trojan called SpyEye to steal funds during online transactions. The Trojan injects fields into the web page asking the user for their mobile phone number and the International Mobile Equipment Identity (IMEI) of the phone. The user is told that the information is needed so that a "certificate", actually the Trojan, can be sent to the phone, and that it can take up to three days before the certificate is ready (Heyman, 2011). The message is a cover story to convince the user that the Trojan is a legitimate certificate and to avoid suspicion. According to Zorn (2011), Managing Editor of Help Net Security, “the trojan is signed with a developer certificate. Developer certificates are tied to certain IMEIs and can only be installed to phones that have an IMEI that is listed in the certificate. This is why the malware author(s) request the IMEI in addition to the phone number on the company's website. Once they receive new IMEIs, they request an updated certificate with IMEIs for all victims and create a new installer signed with the updated certificate. The delay in getting the new certificate explains why the SpyEye-injected message states it can take up to three days for the certificate to be delivered” (Zorn, 2011, p. 1).

The MITMO attack targets BlackBerry, Android, and Symbian mobile devices. The regions affected are the United States, Europe, the Middle East, and Asia, and newly targeted countries have emerged, including Russia, Saudi Arabia, Bahrain, Oman, Venezuela, Belarus, Ukraine, Moldova, Estonia, Latvia, Finland, Japan, Hong Kong, and Peru (Kirk, 2011). Beyond the SpyEye example, other MITMO campaigns use similar malicious software to steal consumers' financial information. Below is an example of a MITMO attack:


(1.) “The user is infected by a Trojan when visiting a compromised website. The site scans the user's computer for vulnerabilities and, when it finds one, it injects a Trojan.
(2.) By monitoring the user's online activity, the Trojan collects and transmits login credentials, phone numbers and other sensitive data to the attacker.
(3.) The attacker sends a phishing SMS to the victim's cell phone using the number stolen at Step 2. The message is intended to persuade the user to click on a link that will
(4.) Upload a mobile Trojan to the user's cell phone.
(5.) The attacker performs an unauthorized funds transfer using the stolen login credentials.
(6.) The bank sends an SMS with confirmation code to the compromised cell phone.
(7.) The cell phone silently sends this code to the attacker, which is then used to confirm the transaction.
(8.) Steps 5-8 can be repeated many times, because the Trojan masks true funds amount and displays only the online banking page the user expects to see” (“Online Banking Trojans”, 2012, p. 1)
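Two passages above turn on the confirmation code: Murdoch's MITB case on page 8, where the malware takes the customer's one-time password and spends it on a transaction the customer never saw, and Steps 5 to 7 of the MITMO chain just quoted, where the phone Trojan forwards the bank's SMS code. The following Python example, added here and not from the paper or the cited blog, implements the countermeasure Murdoch's post argues for: the bank derives each code from the transaction details (payee, amount, counter) as well as the shared secret, so a code the customer produced for their own transfer cannot confirm a different one substituted in the browser. It is also honest about the limit: in the MITMO chain the forwarded code was issued for the attacker's own transfer, and binding does not help there. The secret, account numbers and amounts are constructed.

```python
"""Transaction-bound confirmation codes versus a reusable one-time password (illustration)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Transfer:
    payee_account: str
    amount_cents: int
    counter: int          # per-customer transaction counter; a used counter never confirms again

def _truncate(mac: bytes, digits: int) -> str:
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)

def confirmation_code(secret: bytes, t: Transfer, digits: int = 8) -> str:
    """HMAC over the transaction as displayed to the customer: what you see is what you sign."""
    msg = f"{t.payee_account}|{t.amount_cents}|{t.counter}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest(), digits)

def legacy_otp(secret: bytes, counter: int, digits: int = 8) -> str:
    """Event-based OTP that depends on the counter only, so it is valid for *any* transaction."""
    return _truncate(hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest(), digits)

class Bank:
    """Server side: confirms a transfer only if the presented code is the one issued for it."""
    def __init__(self, customer_secret: bytes, transaction_bound: bool = True) -> None:
        self.secret = customer_secret
        self.transaction_bound = transaction_bound
        self.last_counter = -1
        self.ledger: List[Transfer] = []

    def expected(self, t: Transfer) -> str:
        """The code the bank issues for this transfer (by SMS, card reader or app)."""
        if self.transaction_bound:
            return confirmation_code(self.secret, t)
        return legacy_otp(self.secret, t.counter)

    def confirm(self, t: Transfer, code: str) -> bool:
        if t.counter <= self.last_counter:                      # replay of a used counter
            return False
        if not hmac.compare_digest(code, self.expected(t)):
            return False
        self.last_counter = t.counter
        self.ledger.append(t)
        return True

# Constructed scenario: the customer intends a 50.00 payment; MITB malware swaps in a mule
# account and a much larger amount on the same transaction counter.
SECRET = b"shared-secret-provisioned-to-customer-device"
INTENDED = Transfer("DE89370400440532013000", 5000, counter=42)
MULE = Transfer("GB33BUKB20201555555555", 495000, counter=42)
MULE_NEXT = Transfer("GB33BUKB20201555555555", 495000, counter=43)   # attacker's own transfer
```

With the counter-only OTP, the code the customer typed into the tampered page confirms the mule transfer, which is Murdoch's "2FA is dead" scenario. With the bound code it does not, because payee and amount are inputs to the code. The MITMO case is unchanged: the bank issues a code for MULE_NEXT, the compromised phone forwards it, and it confirms, which is why that section's answer has to be the integrity of the confirmation device itself rather than the code format.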


The following security controls are recommended as additional protection for e-commerce companies against cyber attacks. They are offered by Trusteer, a privately held corporation. Trusteer's software, including Pinpoint, Mobile, and Rapport, will assist e-commerce companies in mitigating the threats discussed above. According to Trusteer (2012), the Trusteer Cybercrime Prevention Architecture “is the technology foundation of Trusteer's sustainable security solution, enabling organizations to protect their employees and customers against malware and phishing attacks. It prevents credential theft, account takeover, and sensitive information theft. Trusteer Intelligence Center experts extract emerging Crime Logic (i.e. attack tactics) from threat information gathered by tens of millions of protected endpoints. Trusteer's clientless and endpoint protection layers are constantly updated to secure users against the evolving threat landscape” (Trusteer, 2012, Cybercrime, para. 1). Below is an example of Trusteer's architecture:

Figure: Trusteer Cybercrime Prevention Architecture (Trusteer, 2012).

Trusteer's Pinpoint application allows e-commerce companies to detect and mitigate malware attacks and account takeover activity, integrating easily with the company's online site and fraud prevention processes. Pinpoint can alert fraud teams to possible infections or feed a risk score to the web application or risk engine to mitigate potential fraud. It is clientless, completely transparent to end users, and requires no software installation on the endpoint. It enables companies to focus fraud prevention processes on malware risk factors and to initiate malware removal with Trusteer Rapport on infected endpoints. In addition, Pinpoint's analysis provides details on the specific malware kit used to generate the malware variant and on the malware's Crime Logic (Trusteer, 2012).

E-commerce companies should also implement Trusteer Rapport, which the vendor states can prevent future infections and allow users to execute online monetary transactions safely (Trusteer, 2012). To protect customers from MITM and MITB attacks, Rapport locks down the customer's browser and creates a tunnel for secure communication with the e-commerce website. It defends against MITB and MITM by securing user credentials and personal information, and it is intended to stop financial fraud and account takeover. Employees' endpoints, managed and unmanaged, are protected against advanced malware and spear phishing attacks. Rapport prevents keylogging, screen capturing, and application tampering, so that credentials and sensitive data are secured from theft by cyber criminals (Trusteer, 2012).

Software vulnerabilities in mobile operating systems such as Apple's iOS and Google's Android allow malicious software to infect and take over devices. MITMO malware aims to steal credentials, tamper with financial transactions and out-of-band authentication, and compromise mobile e-commerce applications. To address these issues, Trusteer Mobile provides layered protection against malware attacks by performing real-time device risk analysis, protecting sensitive transaction data end to end, and preventing sensitive data leakage. Trusteer Mobile includes a secure mobile browser that is used once the device analysis completes; the embedded browser blocks Man-in-the-Middle (i.e., pharming) attacks by validating that the online banking IP addresses and SSL certificates belong to the genuine site. Once users have logged in, the e-commerce company can use the risk score to restrict access to specific data or capabilities and to decline specific transactions. In addition, the Trusteer Mobile Security SDK adds a protection layer to standalone mobile apps: developers can embed the SDK and adapt their business logic to use the device risk analysis and transaction protection Trusteer provides (Trusteer, 2012). Below is an example of the Security SDK mobile app detecting malware on a user's mobile device:

Figure: Trusteer Mobile Security SDK app detecting malware on a user's device (Trusteer, 2012).

Lastly, Trusteer Situation Room is an ongoing risk-assessment service that tracks fraudsters and their activities. It presents e-commerce companies with a clear and detailed picture of threats at the organizational, regional, and industry-wide levels. Using Trusteer Situation Room, companies can quickly identify new attacks targeting their systems and customers and receive analysis of these attacks, their implications, and suggestions for addressing them. The service provides ongoing reports describing how the threat changes over time and how effective the controls an e-commerce company has in place are against it. It is supported by a group of professional fraud and malware analysts who monitor financial fraud activity around the clock (Trusteer, 2012). Below is an example of Trusteer Situation Room:

Figure: Trusteer Situation Room (Trusteer, 2012).

The four recommendations above make up Trusteer's Cybercrime Prevention Architecture. Combined with Trusteer's Intelligence Center, it provides around-the-clock detection and blocking of new attacks. E-commerce companies will further benefit from the real-time intelligence, which can feed automatically into layered fraud prevention and security systems, making them more knowledgeable about cyber crime attacks against themselves and their consumers.

The recommended Trusteer solutions will allow e-commerce companies to protect their customers proactively from becoming victims of identity theft. By receiving real-time alerts, e-commerce companies will be able to investigate emerging threats such as suspicious computers, reconnected infected computers, phishing attacks, and new zero-day threats. The security software provided by Trusteer will help e-commerce companies secure their customers' browsers against financial malware and fraudulent websites (Trusteer, 2012). Implementing these solutions will increase e-commerce companies' visibility of unauthorized intrusion.


References

Ahmadi-Brooghani, Z. (2010). Security Issues in E-commerce: An Overview. International Review on Computers & Software, 5(5), 575-580. Retrieved August 4, 2012, from Academic Search Complete.

Ahamed, S., Ansari, A., & Kubendran, V. (2011). Transaction Based Security Issues and Pathways to Effective Electronic Commerce: From Tactics to Strategy. International Journal of Engineering Science & Technology, 3(2), 1304-1310. Retrieved August 5, 2012, from Academic Search Complete.

Bragg, R., Rhodes-Ousley, M., & Strassberg, K. (2004). The Complete Reference: Network Security. Emeryville, California: McGraw-Hill/Osborne.

Digicert (2012). Extended Validation EV SSL Certificate. Retrieved August 4, 2012, from http://www.digicert.com/ev-ssl-certification.htm

Ektron Knowledge Base (2012). Info: Understanding PCI Compliance. Retrieved August 4, 2012, from http://dev.ektron.com/kb_article.aspx?id=26304

Firewalls (2012). Firewalls. Retrieved August 4, 2012, from http://www.referenceforbusiness.com/small/Eq-Inc/Firewalls.html

Heyman, A. (2011). First SpyEye Attack on Android Mobile Platform now in the Wild. Retrieved August 4, 2012, from http://www.trusteer.com/blog/first-spyeye-attack-android-mobile-platform-now-wild

Kirk, J. (2011). SpyEye Trojan defeating online banking defenses. Retrieved August 4, 2012, from http://www.computerworld.com/s/article/9218645/SpyEye_Trojan_defeating_online_banking_defenses

Kissoon, J. (2011). Secure Socket Layer: An Overview. Retrieved August 4, 2012, from http://www.cleverlogic.net/articles/secure-socket-layer-overview

Mandic, M. (2009). Privacy and Security in E-commerce. Trziste/Market, 21(2), 247-260. Retrieved August 4, 2012, from Business Source Complete.

Murdoch, S. (2008). 2FA is dead. Retrieved August 5, 2012, from http://blog.cronto.com/index.php?title=2fa_is_dead

Online Banking Security (2012). Online Banking Trojans. Retrieved August 4, 2012, from http://www.safensoft.com/print.phtml?c=758

Otuteye, E. (2003). A Systematic Approach to E-business Security. Retrieved August 4, 2012, from http://www.ausweb.scu.edu.au/aw03/papers/otuteye/paper.html

Prince, B. (2010). Understanding Man-in-the-Browser Attacks Targeting Online Banks. Retrieved August 4, 2012, from http://securitywatch.eweek.com/exploits_and_attacks/understanding_man-in-the-browser_attacks.html

Sanders, C. (2010). Understanding Man-in-the-Middle Attacks. Retrieved August 4, 2012, from http://www.windowsecurity.com/articles/Understanding-Man-in-the-Middle-Attacks-ARP-Part3.html

Sirbu, M. (1997). Credits and debits on the Internet. Retrieved August 4, 2012, from http://spectrum.ieee.org/telecom/internet/credits-and-debits-on-the-internet/4

ToolBox (2008). Man-in-the-Middle. Retrieved August 4, 2012, from http://it.toolbox.com/wiki/index.php/Man-in-the-Middle_Attack

Trusteer (2012). Cybercrime Prevention Architecture. Retrieved August 4, 2012, from http://www.trusteer.com/Products/trusteer-cybercrime-prevention-architecture

Trusteer (2012). Rapport. Retrieved August 4, 2012, from http://www.trusteer.com/Products/trusteer-rapport-pc-and-mac-security

Trusteer (2012). Mobile. Retrieved August 4, 2012, from http://www.trusteer.com/Products/Trusteer-Mobile-for-Online-Banking

Trusteer (2012). Pinpoint. Retrieved August 4, 2012, from http://www.trusteer.com/Products/trusteer-pinpoint-clientless-fraud-prevention

Trusteer (2012). Pinpoint Malware. Retrieved August 4, 2012, from http://www.trusteer.com/products/malware-detection

Trusteer (2012). Pinpoint Phishing. Retrieved August 4, 2012, from http://www.trusteer.com/Products/phishing-detection

Webopedia (2010). SSL: Your Key to E-commerce Security. Retrieved August 4, 2012, from http://www.webopedia.com/DidYouKnow/Internet/2005/ssl.asp

Zorn, Z. (2011). SpyEye-Fueled Man-in-the-Mobile Attack Targets Bank Customers. Retrieved August 4, 2012, from http://www.net-security.org/malware_news.php?id=1683