Security Issues and Solutions in Ecommerce Applications

The rise in popularity of conducting business online via ecommerce sites has not gone unnoticed by hackers and other cyber-criminals. A rise in the number of transactions and an increase in businesses that have an online presence have provided hackers with increased opportunities to exploit security vulnerabilities in ecommerce applications for personal profit, at the expense of legitimate businesses and users. A successful attack can result in downtime, the theft of user financial and personal information, loss of revenue, and loss of customers. This paper will offer an overview of some common types of security vulnerabilities and attacks on ecommerce platforms as well as some common tactics to prevent such attacks. Additional suggestions for maximizing information security on an application level as well as within an origination will be made with the goal emphasizing the prevention of attacks.

There are numerous tactics that exploiters use to gain access to user personal and financial information on ecommerce sites. One common attack is SQL injection, which is a tactic where a hacker inserts SQL query data into user input fields on a web site, with the goal of that query being executed by the database. With the strategic placement of apostrophes, dashes and semi-colons, the hacker can execute queries that bring a web site down, provide access to customer financial and other personal information, and even manipulate data on the site. There have been a number of high-profile SQL injection attacks that have resulted in the theft of user information. The web sites of both Guess and PetCo were both the victims of a successful SQL injection attack by a 20 year old programmer who was able to steal user credit card information. Other online retailers that have fallen victim to SQL injection attacks resulting in the theft of user and credit card information include OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.

There are a number of things that can be done to reduce a web site’s vulnerability to SQL injection. These tactics include using stored procedures for database access, filtering and escaping input data, limit database user permissions and access, and encrypting data. By using stored procedures, SQL can be eliminated entirely and “by encapsulating the rules for a certain action - query, update, delete, etc. - into a single procedure, it can be tested and documented on a standalone basis and business rules enforced.” By filtering and escaping user input for any malicious code input, those statements can’t be executed as separate queries by the database in an injection attempt. In limiting database user permissions and access, the developer must limit the tables each web site’s database user has access to on the web server. Additionally, the web site’s database user should also never have server administrative privileges to minimize the amount of damage that can be done in an SQL injection. Finally, encrypting all user information in the database will add an additional layer of information protection, as hackers won’t have access to raw user data if an SQL injection attack is successful.

Another common attack on ecommerce sites is the Denial of Service (DoS) attack. A DoS attack is “an attack in which a large number of requests for service or access to a site bombard a system, which causes it to crash or become unable to respond in time.” Hackers are able to bring sites down by flooding the target server with packets, overloading bandwidth and memory, thus preventing legitimate users from being able to access the site. This can affect the ecommerce site itself, but common targets also include credit card payment gateways and bank sites, which can affect the flow of ecommerce transactions. There are a number of variations of DoS attacks, with the most popular being the amplification of attacks through the use of zombie machines, dubbed the Distributed Denial of Service attack.

While DoS attacks do not usually result in the theft of user information such as in the case of SQL injection, they have the ability to bring entire sites down. Hackers have varying motives which can range from making a political statement, mischief, or even to drive traffic to a competing ecommerce site. This can result in significant loss of revenue and a tarnished reputation for sites that do a significant amount of transactions online. Many large online retailers have been the victim of DoS attacks, notably the sites of Amazon, Paypal, Visa, and Mastercard in one high-profile attack in 2010 that resulted in downtime for several hours.

There is no way to completely prevent DoS attacks, as no technique or commercial product can completely guarantee that a single user connection is legitimate rather than a bot that intends to flood the system. However, there are a number of things that can be done to mitigate vulnerability to DoS attacks. These include monitoring for attacks, restricting the bandwidth that can be used by the infringing IP addresses, maximizing the bandwidth available to the web server, limiting the rate of new traffic from one host, and limiting the rate of ICMP traffic. Additionally, using commercial Intrusion Detection Systems such as Symantec’s Intruder Alert, Tripwire Security Tripwire, and McAfee’s Entercept Desktop and Server Agents can further mitigate an ecommerce site’s vulnerability to DoS attacks.

A security exploit that is unique to the shopping carts and payment gateways of ecommerce sites is that of data manipulation, more specifically price manipulation in which “the total payable price of the purchased goods is stored in a hidden HTML field of a dynamically generated web page. An attacker can use a web application proxy such as Achilles to simply modify the amount that is payable when this information flows from the user’s browser to the web server.” Using this technique, an attacker can change the hidden price field value through a proxy and successfully submit the form. For example, a hacker can change the price of a $500.00 product to $50.00 and have the transaction go through successfully. If a business has a high amount on online transactions, the price change and purchase can often go unnoticed.

There are a number of things that can be done to prevent a data manipulation attack. The developer should avoid using hidden fields whenever possible, especially on values that should not change such as price. Additionally, if hidden fields are ever used, efforts should be made to encrypt the value stored in the field as well as the field name, as the hacker will have more difficulty figure out which fields to modify. Additionally, the input values submitted in a transaction should always be verified to ensure accuracy and prevent fraud such as price changing. Verification of price charged can also occur manually as orders are filled to provide another layer of authentication into the process.

Another tactic that hackers use to exploit the users of ecommerce sites is that of phishing. Phishing is the practice of using deception to manipulate users into sharing personal information including passwords, usernames, financial data, and even social security numbers. One common method of this is an attacker sending a user an email that appears to be from a legitimate ecommerce site. The email requests the user to verify account information via a fake version of the ecommerce site, duping the user into sharing personal information that the hackers can steal. Noteworthy phishing scams have affected users of Ebay, CitiBank, PayPal, and Best Buy, resulting in the theft of social security numbers, credit card information, and ATM pins.

Unfortunately there are few architectural safeguards that can be built into an ecommerce application to protect against phishing, as the theft occurs through users and a third party site rather than the legitimate ecommerce site. There are however, some things that the owners of ecommerce sites can do to reduce the threat of their users falling victim to phishing scams. If a phishing scam is detected, ecommerce site owners can file a complaint with the phishing site’s Internet Service Provider (ISPs) to take the site down. While laws regarding ISPs closing down sites due to phishing attempts vary by country, the successful removal of a phishing site can prevent users from being able to provide personal information. Ecommerce sites should also educate users to verify that the URL in the browser window is the URL of the legitimate site before giving away any personal information. One more technical approach to reduce vulnerability to a phishing attack is to use two-factor authentication on login forms, such as a picture and phrase in addition to the username and password. The absence of the extra authenticating image and phrase on an illegitimate site requesting user information can serve as a red flag to users that the version of the ecommerce site they are visiting is not authentic.

While a number of common exploitations of ecommerce sites and possible solutions to reduce vulnerability to such attacks have been discussed, there are also additional measures that can be taken to secure ecommerce applications, thus improving information security.

One important safeguard for securing payments on ecommerce sites is that of using Public Key Infrastructure (PKI) via a third party SSL certificate authority. Using a reputable SSL certificate authority such as Verisign, Thwate, or Geotrust authenticates the identities of both the merchant and seller, providing for encrypted transfer of sensitive information.

Additionally, the network that an ecommerce site runs on should be further secured by using one or multiple firewalls. One common implementation is to secure the public web server that hosts an ecommerce application between two firewalls using a DMZ architecture to provide security against external attacks as well as threats from internal business networks.

Further securing ecommerce applications relies on careful planning of the ecommerce application itself as well as a business continuity plan to assess and mitigate the effects of an external attack, especially if an ecommerce web site is a mission critical component of an organization.

When developing the ecommerce application as well as configuring web and database servers, it is important to incorporate vulnerability prevention at the design stage rather than after an attack has occurred. The various components that are designed to secure the application should be tested for vulnerability throughout the software development lifecycle to identify and fix any additional risk for exploitation.

Additionally, developing a business continuity plan that includes risk and crisis management if the ecommerce platform or the company’s customers are victims of cybercrimes can be a critical component of not only securing information, but of maintaining reputation and customers in the event of an attack. By assessing possible security threats and as well as their likelihood and possible impact on the organization, the appropriate risks can be mitigated at the design level, during the development process, at the infrastructure level, and at the client level before attacks occur. A crisis management plan that dictates the plan of action and provides for the necessary infrastructure to recover from an attack will help minimize the damage caused, to both revenue and customer trust in the organization. For example, to prepare for a potential SQL injection attack that would result in theft of user data, in addition to designing the application from the onset so that it uses stored procedures for database access, ensuring that input data is filtered and escaped, limiting database access, and encrypting data as discussed earlier in this paper, there must also be a crisis management plan that prepares for the loss and theft of data in the event of a successful SQL injection attack. Setting up a failover server well in advance as well as automating backups can prevent downtime in the event of an attack, as the affected server can be taken offline to assess the damage and undergo troubleshooting. A response system to notify users that their information has been compromised as informing them of the plan of action could be set up far in advance, allowing for a quick and reassuring response to customers rather than an ill-prepared reaction that further tarnishes the company’s reputation and revenue.

As more users and businesses conduct business online via ecommerce web sites, hackers will inevitably attempt to exploit that trend by attacking vulnerable web sites and users for personal gain, at the expense of a business’s profits, customers, and reputation. There are several common attacks on ecommerce sites including SQL injection, Denial of Service attacks, phishing, and data manipulation- all of which can be mitigated using specific solutions as discussed in this paper. Information and ecommerce applications can be further secured through utilizing an SSL certificate and firewalls. Further, information security initiatives should start at the design level to prevent attacks on various vulnerabilities. Additional protection can occur through a business continuity plan that incorporates risk assessment and mitigation as well as crisis management in the event of an attack to minimize financial loss and restore customer trust.

References: