Security Issues in E-Commerce – Part 2
by Eamonn O’Raghallaigh
…continues from Part 1.
Technical attacks are one of the most challenging types of security compromise an e-commerce provider must face. Perpetrators of technical attacks, and in particular Denial-of-Service attacks, typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, large online retailers and popular social networking sites.
Denial of Service Attacks
Denial of Service (DoS) attacks consist of overwhelming a server, a network or a website in order to paralyze its normal activity (Lejeune, 2002). Defending against DoS attacks is one of the most challenging security problems on the Internet today. A major difficulty in thwarting these attacks is to trace the source of the attack, as they often use incorrect or spoofed IP source addresses to disguise the true origin of the attack (Kim and Kim, 2006).
The United States Computer Emergency Readiness Team defines symptoms of denial-of-service attacks to include (McDowell, 2007):
- Unusually slow network performance
- Unavailability of a particular web site
- Inability to access any web site
- Dramatic increase in the number of spam emails received
DoS attacks can be executed in a number of different ways including:
ICMP Flood (Smurf Attack) – where perpetrators will send large numbers of IP packets with the source address faked to appear to be the address of the victim. The network’s bandwidth is quickly used up, preventing legitimate packets from getting through to their destination
Teardrop Attack – A Teardrop attack involves sending mangled IP fragments with overlapping, over-sized, payloads to the target machine. A bug in the TCP/IP fragmentation re-assembly code of various operating systems causes the fragments to be improperly handled, crashing them as a result of this.
Phlashing – Also known as a Permanent denial-of-service (PDoS) is an attack that damages a system so badly that it requires replacement or reinstallation of hardware. Perpetrators exploit security flaws in the remote management interfaces of the victim’s hardware, be it routers, printers, or other networking hardware. These flaws leave the door open for an attacker to remotely ‘update’ the device firmware to a modified, corrupt or defective firmware image, therefore bricking the device and making it permanently unusable for its original purpose.
Distributed Denial-of-Service Attacks
Distributed Denial of Service (DDoS) attacks are one of the greatest security fear for IT managers. In a matter of minutes, thousands of vulnerable computers can flood the victim website by choking legitimate traffic (Tariq et al., 2006). A distributed denial of service attack (DDoS) occurs when multiple compromised systems flood the bandwidth or resources of a targeted system, usually one or more web servers. The most famous DDoS attacks occurred in February 2000 where websites including Yahoo, Buy.com, eBay, Amazon and CNN were attacked and left unreachable for several hours each (Todd, 2000).
Brute Force Attacks – A brute force attack is a method of defeating a cryptographic scheme by trying a large number of possibilities; for example, a large number of the possible keys in a key space in order to decrypt a message. Brute Force Attacks, although perceived to be low-tech in nature are not a thing of the past. In May 2007 the internet infrastructure in Estonia was crippled by multiple sustained brute force attacks against government and commercial institutions in the country (Sausner, 2008). The attacks followed the relocation of a Soviet World War II memorial in Tallinn in late April made news around the world.
Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. Phishing scams generally are carried out by emailing the victim with a ‘fraudulent’ email from what purports to be a legitimate organization requesting sensitive information. When the victim follows the link embedded within the email they are brought to an elaborate and sophisticated duplicate of the legitimate organizations website. Phishing attacks generally target bank customers, online auction sites (such as eBay), online retailers (such as amazon) and services providers (such as PayPal). According to community banker (Swann, 2008), in more recent times cybercriminals have got more sophisticated in the timing of their attacks with them posing as charities in times of natural disaster.
Social engineering is the art of manipulating people into performing actions or divulging confidential information. Social engineering techniques include pretexting (where the fraudster creates an invented scenario to get the victim to divulge information), Interactive voice recording (IVR) or phone phishing (where the fraudster gets the victim to divulge sensitive information over the phone) and baiting with Trojans horses (where the fraudster ‘baits’ the victim to load malware unto a system). Social engineering has become a serious threat to e-commerce security since it is difficult to detect and to combat as it involves ‘human’ factors which cannot be patched akin to hardware or software, albeit staff training and education can somewhat thwart the attack (Hasle et al., 2005).
In conclusion the e-commerce industry faces a challenging future in terms of the security risks it must avert. With increasing technical knowledge, and its widespread availability on the internet, criminals are becoming more and more sophisticated in the deceptions and attacks they can perform. Novel attack strategies and vulnerabilities only really become known once a perpetrator has uncovered and exploited them. In saying this, there are multiple security strategies which any e-commerce provider can instigate to reduce the risk of attack and compromise significantly. Awareness of the risks and the implementation of multi-layered security protocols, detailed and open privacy policies and strong authentication and encryption measures will go a long way to assure the consumer and insure the risk of compromise is kept minimal.
To learn more about how to protect your website CLICK HERE
ANTONIOU, G., BATTEN, L. & PARAMPALLI, U. (2008) A Trusted Approach to E-Commerce. Secure Data Management.
BLYTHE, S. E. (2006) Cyberlaw Of Japan: Promoting E-Commerce Security, Increasing Personal Information Confidentiality, And Controlling Computer Access. Journal of Internet Law, 10, 20-26.
BOARDS.IE (2008) Jobs.ie Security Breached. http://www.boards.ie/vbulletin/showthread.php?p=55521004.
DESMEDT, Y. (2005) Man-in-the-Middle Attack. Encyclopedia of Cryptography and Security.
HASLE, H., KRISTIANSEN, Y., KINTEL, K. & SNEKKENES, E. (2005) Measuring Resistance to Social Engineering. Information Security Practice and Experience.
HOLCOMBE, C. (2007) Advanced Guide to E-Commerce, LitLangs Publishing.
KIM, B.-R. & KIM, K.-C. (2006) Improved Technique of IP Address Fragmentation Strategies for DoS Attack Traceback. Computer Science – Theory and Applications.
LAUER, T. & DENG, X. (2007) Building online trust through privacy practices. International Journal of Information Security, 6, 323-331.
LEJEUNE, M. A. (2002) Awareness of Distributed Denial of Service Attacks’ Dangers: Role of Internet Pricing Mechanisms. NETNOMICS, 4, 145-162.
MCDOWELL, M. (2007) Cyber Security Tip ST04-015. IN TEAM, U. S. C. E. R. (Ed.) United States Computer Emergency Readiness Team.
MULPURU, S. (2008) B2C E-Commerce Expected To Top $300B In Five Years. Forrester Research, 1-7.
PERROTTA, N. (2008) Be on guard for ID-theft schemes. Consumer Reports Money Adviser, 5, 2-2.
RYAN, E. (2008) DPC urges Jobs.ie customers to be wary. ENN. http://www.enn.ie/story/show/10124134 ed.
SAUSNER, R. (2008) Could the U.S. Be the Next Estonia? Bank Technology News. SourceMedia, Inc.
SCHLAEGER, C. & PERNUL, G. (2005) Authentication and Authorisation Infrastructures in b2c e-Commerce. E-Commerce and Web Technologies.
SWANN, J. (2008) Beware of Disaster Phishing Scams. Community Banker, 17, 15-15.
SYMANTEC (2007) Attacks rise as e-tailers lag finance sector on security. Computer Weekly, 4-4.
TARIQ, U., HONG, M. & LHEE, K.-S. (2006) A Comprehensive Categorization of DDoS Attack and DDoS Defense Techniques. Advanced Data Mining and Applications.
TODD, B. (2000) Distributed Denial of Service Attacks. http://www.linuxsecurity.com/resource_files/intrusion_detection/ddoswhitepaper. html.
VAIL, M. W., EARP, J. B. & ANTAN, A. L. (2008) An Empirical Study of Consumer Perceptions and Comprehension of Web Site Privacy Policies. IEEE Transactions on Engineering Management, 55, 442-454.
> Contact Eamonn