Assignment (internet and computer security) Birja Regmi (09290446)

Online Application Security: Ecommerce Security

Introduction:

Online application providers in the Business-to-Consumer and Business-to-Business segments represent an extremely large emerging market. Within these markets a rising number of fraud attacks, combined with an increase in regulation and the emergence of mobile platforms, has driven the need for strong authentication. In order to remain competitive and to give customers ample protection, strong authentication is proving to be an important component for application providers.

The e-commerce business is all about making money and then finding ways to make more money. It is a well known fact that it is hard to make more money when consumers do not feel safe executing a transaction on the web site. That is where SSL (Secure Socket Layer) comes into play. Understanding how SSL affects the e-commerce business can also help companies unlock more revenue from their customers.

Ecommerce Security Issues:

E-commerce systems are based upon internet use, which provides open and easy communications on a global basis. However, because the internet is unregulated, unmanaged and uncontrolled, it poses a wide range of risks and threats to the systems operating on it. The use of the internet means that your internal IT and e-commerce systems are potentially accessible by anyone, irrespective of their location.

Threats from hackers and the risks to business

Some of the more common threats that hackers pose to e-commerce systems are listed below.
- Carrying out denial-of-service (DoS) attacks that stop access by authorised users of a website, so that the site is forced to offer a reduced level of service or, in some cases, ceases operation completely
- Gaining access to sensitive data such as price lists, catalogues and valuable intellectual property, and altering, destroying or copying it
- Altering the website, damaging the image of the site or directing customers to another site
- Gaining access to financial information about businesses and their customers, with a view to perpetrating fraud
- Using viruses to corrupt business data

SECURITY ASSESSMENT and ASCERTAINMENT

It is truly a great thing that corporate undertakings, or business as we call it, can be done online; the Internet platform is an enormous benefit that has made this possible. However, as the convenience of shopping online increases, so does the risk of doing business online. There are a few things that are really important in this regard, so any e-commerce site needs to address three specific requirements.

The first is authentication: since an e-commerce site's transactions take place online, a lot of critical information has to be disclosed, and it is necessary to know that the interaction is taking place with the intended party. Confidentiality is also important, since the information that flows through the internet must be reliable and its integrity preserved. Last, but by no means least, is non-repudiation. This is perhaps the requirement most specific to the needs of an e-commerce site, as trading takes place online: it matters because the customer who bought the goods cannot deny having placed the order.
It is equally important in the different case of transactions that take place without a credit card or a "payment first" arrangement. Hence, in order to satisfy the above mentioned requirements for an e-commerce site, several measures should be undertaken. The need can be addressed by defining various levels of security: separate locations have to be secured by implementing various security functions at various levels. This ultimately gives a feeling of security to the customer involved in e-transactions and protects the entire e-business architecture of the e-commerce site.

Security Solutions to make ecommerce site secure:

There are various security undertakings that take place in an e-commerce site. They are as follows:

Encryption

This is something that the e-commerce site can never do without. It is basically for hiding the information that travels from the customer to the server and from the server to the user. 128-bit encryption is used to ensure that the information being transmitted from the server to the user, or vice versa, is not known to any party other than the two involved.

Digital Signatures

The e-mail that the e-commerce site sends shall contain a digital signature signifying that the mail is from the trusted source. The online receipts, the new-arrivals information and the e-newsletter that the e-commerce site sends to its customers should be digitally signed, as this assures the customer of the e-commerce site's authenticity.

Digital Certificates

This is the means by which the e-commerce site presents itself to its customers in a reliable way. That is, the server where the e-commerce site is hosted needs to authenticate itself to the client, and it does this by presenting the client with a certificate that is digitally signed by a Certificate Authority.
VeriSign has been chosen as the trusted Certificate Authority and its certificate is used on the web server hosting the e-commerce site. This is necessary, as customers will then feel confident disclosing their critical information to the e-commerce site.

Use of Cryptography

The use of cryptography is critical for an e-commerce site to ensure security, as the architecture of the site needs to make use of it. This involves the use of various servers, such as the Web Server and the Database Server. Also, when authenticating between client and server or between servers, cryptography can be used to access data without the need for a password. Asymmetric cryptography should be used, which uses two keys, namely a public key to encrypt and a private key to decrypt. This is used when servers authenticate themselves to each other while accessing resources; so the Web Server accessing the Database Server shall make use of asymmetric encryption to authenticate itself.

Anti-Virus Implementation

Antivirus programs are something that perhaps no host system can do without. The antivirus program installed on each and every server system ensures that it is secure and free of malicious programs. This means that the server is working normally at all times and definitely reduces the probability of disclosure of information.

IDS integrated Firewall Implementation

Firewalls are definitely the major security need of a network. But there are a few things that firewalls are unable to do which can be done by an IDS integrated with them. So, the firewall should be placed in the internal network just after the Cisco router. A firewall integrated with a proper IDS and an updated signature database means that the servers are much more secure.

Use of Cisco Router

A Cisco router has been preferred over other routers due to its vast coverage area in terms of applicability.
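As an added illustration, not part of the original assignment, of the two uses of asymmetric cryptography described under Digital Signatures and Use of Cryptography above: the site signs an outgoing receipt so the customer can check that it really came from the site, and the Web Server proves its identity to the Database Server by signing a one-time challenge instead of sending a password. The DBServer type, the receipt text and the choice of RSA with SHA-256 are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKey generates a fresh 2048-bit RSA key pair (public key to share, private key to keep).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Sign produces a PKCS#1 v1.5 signature over SHA-256(msg) with the private key.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify reports whether sig is a valid signature over msg under pub. Any change
// to msg (a tampered receipt) or a signature made with another key gives false.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// DBServer (hypothetical type written for this example) models the database
// server's side of a challenge-response login: it holds the web server's
// registered public key and a single-use random nonce.
type DBServer struct {
	Trusted *rsa.PublicKey
	nonce   []byte
}

// NewChallenge issues a fresh random nonce that the web server must sign.
func (d *DBServer) NewChallenge() ([]byte, error) {
	d.nonce = make([]byte, 32)
	if _, err := rand.Read(d.nonce); err != nil {
		return nil, err
	}
	return d.nonce, nil
}

// CheckResponse accepts the login only if sig is the trusted key's signature over
// the outstanding nonce. The nonce is cleared afterwards, so a captured response
// replayed later is rejected.
func (d *DBServer) CheckResponse(sig []byte) bool {
	if d.nonce == nil {
		return false
	}
	ok := Verify(d.Trusted, d.nonce, sig)
	d.nonce = nil
	return ok
}

func main() {
	web, _ := NewKey()
	receipt := []byte("constructed receipt: order 1042, total 19.98 GBP") // sample text, not real data
	sig, _ := Sign(web, receipt)
	fmt.Println("receipt verifies:", Verify(&web.PublicKey, receipt, sig))

	db := &DBServer{Trusted: &web.PublicKey}
	nonce, _ := db.NewChallenge()
	resp, _ := Sign(web, nonce)
	fmt.Println("web server authenticated:", db.CheckResponse(resp))
	fmt.Println("replay accepted:", db.CheckResponse(resp))
}
```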
This is placed in the De-Militarized Zone (DMZ) in the internal network, connecting it to the external network. This is done so that there is no unauthorised access to the internal network and attacks like Denial of Service (DoS) are checked. Being a router, it manages the routing and, importantly, interlinks the various mirror servers at geographically different locations. Rules for access control shall be configured on the router to regulate the flow of data.

Proper Log Reporting

Despite the adoption of all the different types of security measures, it is inevitable that there will be a few breaches or holes in the security that is in place. Such holes can be reviewed with the help of the logs generated by the various servers and services running in the network. Information such as the number of attacks attempted or unauthorised access attempts is kept track of with the help of logs. Software shall also be used to generate reports from the logs that servers such as the web, database or application servers create.

Default Ports Changing

One of the ways of keeping track of the security assessment is to change the default ports that are assigned to specific services. This can be done according to our specific needs. In this way, the number of intruders trying to break web access to a specific link or page can be minimized; changing ports adds that extra bit of security.

Proper Monitoring and Analysis

This is no substitute for any other security measure that we might adopt for an e-commerce site. It is essential to determine who and what is attempting to gain access to our system and reach the critical servers. Proper monitoring helps us analyse who is interacting with the servers and for what purpose.
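The log review and monitoring described above, as an added example that is not from the assignment: a Go program that reads a constructed login log (the line format and the addresses are invented for the example) and reports every origin with a burst of failed logins, the kind of report the text says should be generated from the server logs.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// LoginEvent is one parsed line of the web server's login log.
type LoginEvent struct {
	At     time.Time
	Result string // "OK" or "FAIL"
	Src    string // remote origin of the attempt
}

// Constructed sample log in time order (invented format and addresses).
const sampleLog = `2010-02-11T10:01:10Z login FAIL user=alice src=198.51.100.7
2010-02-11T10:01:12Z login FAIL user=alice src=198.51.100.7
2010-02-11T10:01:15Z login FAIL user=admin src=198.51.100.7
2010-02-11T10:01:20Z login FAIL user=root src=198.51.100.7
2010-02-11T10:03:00Z login FAIL user=carol src=203.0.113.9
2010-02-11T10:30:00Z login FAIL user=carol src=203.0.113.9
2010-02-11T10:31:00Z login OK user=carol src=203.0.113.9`

// ParseLine parses "<RFC3339 time> login <OK|FAIL> user=<name> src=<address>".
func ParseLine(line string) (LoginEvent, error) {
	f := strings.Fields(line)
	if len(f) != 5 || f[1] != "login" || !strings.HasPrefix(f[4], "src=") {
		return LoginEvent{}, fmt.Errorf("unrecognised log line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return LoginEvent{}, err
	}
	return LoginEvent{At: at, Result: f[2], Src: strings.TrimPrefix(f[4], "src=")}, nil
}

// FlaggedSources parses the log (skipping lines it does not understand) and returns,
// sorted, every origin with at least threshold failed logins inside some window of
// the given length, using a sliding window over each origin's failure times.
func FlaggedSources(text string, threshold int, window time.Duration) []string {
	fails := map[string][]time.Time{} // failure times per origin, in log order
	for _, line := range strings.Split(text, "\n") {
		if e, err := ParseLine(line); err == nil && e.Result == "FAIL" {
			fails[e.Src] = append(fails[e.Src], e.At)
		}
	}
	var flagged []string
	for src, ts := range fails {
		start := 0
		for end := range ts {
			for ts[end].Sub(ts[start]) > window { // drop failures older than the window
				start++
			}
			if end-start+1 >= threshold {
				flagged = append(flagged, src)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	for _, src := range FlaggedSources(sampleLog, 4, 5*time.Minute) {
		fmt.Println("failed-login burst from", src)
	}
}
```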
The implementation of simple analysis software has been preferred, which shall monitor the system logs and anything going wrong on the network. This shall be installed on all critical servers to learn about possible security breach attempts and track the hackers involved.

Updating the Software Patches

It is essential that the programs involved in the e-commerce site are kept updated regularly. Especially crucial are those portions of the e-commerce site that are related to its construction. Software such as Apache with Tomcat, MySQL and other applications, along with some protocols, shall be updated in an attempt to keep the system free of security holes and bugs. This definitely means better performance for the entire e-commerce architecture.

Host Monitoring

For an e-commerce site it is necessary to know which functions are accessed on the site and the frequency with which they are accessed. It is the duty of the network/security administrator to keep information relating to login attempts (especially the failed ones) and the origin of the user (remote location). This is helpful in determining the security of the e-commerce site as well.

Implementing Authentication Protocols

These categories of protocols are mostly beneficial in defining the level of access for different layers of resources. This means that the chances of disclosing or leaking information to an unauthorised third party are reduced. TLS (Transport Layer Security) and SSL (Secure Socket Layer) are the authentication protocols that have been used.

VeriSign: The Major Role in Defining Security

It is inevitable that the e-commerce site features SSL, as said above, and for its implementation we shall depend on VeriSign for the SSL certificate. This has been used at the web server as discussed previously.
This is because the transactions that take place through the public Internet must be secured. So, VeriSign has been relied on for the features mentioned below:

- It is a well known name in the industry and has a good reputation as a digital security agency.
- It provides an SSL certificate that even the site's users are able to see.
- A sort of dual layer of security is provided for the e-commerce site, through the SSL certificate and the VeriSign seal of security.
- It offers one of the strongest forms of encryption.
- Its mark is trusted by many on the internet.
- It facilitates digital signatures.
- It protects identities from theft by the use of PKI (Public Key Infrastructure) and Digitized IDs for mail security.
- It makes users feel more secure while disclosing their critical information, as it has a long history in this field.

Hence, the above mentioned features mean that using VeriSign as the digital security partner brings more visitors to the site and more registered users making purchases; as a result the revenue generated by the e-commerce site is significantly increased.

How secure transactions are done on ecommerce sites:

Sensitive information has to be protected through at least three transactions:

- Credit card details supplied by the customer, either to the merchant or to the payment gateway, should be handled by the server's SSL and the merchant's/server's digital certificates.
- Credit card details passed to the bank for processing should be handled by the complex security measures of the payment gateway.
- Lastly, order and customer details supplied to the merchant, either directly or from the payment gateway/credit card processing company, should also be handled by SSL, server security, digital certificates (and sometimes the payment gateway).

Practical Consequences
1. The merchant is always responsible for the security of the Internet-connected PC where customer details are handled. Virus protection and a firewall are the minimum requirement. To be absolutely safe, store sensitive information and customer details on zip disks, on a physically separate PC or with a commercial file storage service. Always keep multiple back-ups of essential information, and ensure they are stored safely off-site.
2. Where customers order by email, information should be encrypted with PGP or similar software, or payment should be made using specially encrypted checks and ordering software.
3. Where credit cards are taken online and processed later, it is the merchant's responsibility to check the security of the hosting company's web server. Use a reputable company and demand detailed replies to your queries.
4. Where credit cards are taken online and processed in real time, four situations may arise, as described below:
   - Use of a service bureau. Sensitive information is handled entirely by the service bureau, which is responsible for its security. Other customer and order details remain the merchant's responsibility, as described above.
   - Possessing an e-commerce merchant account but using the digital certificate supplied by the hosting company. A cheap option acceptable for smallish transactions with SMEs. Check the hosting company's terms and conditions applying to the digital certificate.
   - Possessing an e-commerce merchant account and obtaining your own digital certificate (costing some hundreds of dollars). Check out the hosting company and enter into a dialogue with the certification authority: they will certainly probe your credentials.
   - Possessing a merchant account and running the business from your own server. You need trained IT staff to maintain all aspects of security: firewalls, Kerberos, SSL, and a digital certificate for the server (costing thousands or tens of thousands of dollars).
How security measures are applied in practice on ecommerce sites

Security is a challenging concern for every IT-based organization today, and when it comes to an e-business based organization the security factor becomes even more important. Since e-business based companies rely fully on the internet, as all of their transactions and workings are internet-based, there are always great chances of threats and intrusions from third-party hackers and unauthorized people spread across the internet. As an example, amazon.co.uk has been taken and studied for this report. On this site security is a major concern, and the site makes its best effort to maintain the overall security of its network and systems.

One of the most effective security measures that amazon.co.uk has adopted is the use of SSL (Secure Socket Layer), which is provided by the third party VeriSign. Since all the transactions take place on the open internet, SSL has been implemented at the web servers for secure transactions between the customer and the site. VeriSign has been chosen for this because of the wide range of features and advantages it offers.

When a customer purchases any goods from amazon.co.uk, the third-party authentication and payment services VeriSign and PayPal provide an interface for entering credit card details, which validates the authenticity of the details provided. The third-party service VeriSign guarantees the security of the credit card details the customer enters. Since this session is under SSL (HTTPS), such information is encrypted and not disclosed to any unauthorized person. By using digital certificates on the web server, SSL encryption, the implementation of double signatures, public key cryptography between services and access control lists (ACL), amazon.co.uk has securely implemented its online transaction system.
Fig: Secure Login Using https

Secured Payment Service (PayPal)

All e-commerce sites require transaction processing between the site and the customer. This processing needs to be secure by all means on the open internet. The customer and the site cannot be directly connected for payment purposes because of the trust factor, so a third-party payment gateway becomes essential for processing the payment transaction. On this e-commerce site, PayPal is used as the payment gateway for processing payment transactions. This payment gateway provides a secure and reliable channel for processing payment transactions between the e-commerce site amazon.co.uk and the customer's account. Some of its best features are listed below:

- PayPal can easily be integrated with Pay Flow, which is already integrated with many shopping carts.
- It accepts both credit and debit cards along with the customer's account on the e-commerce site.
- It brings its well-known Fraud Protection System and Chargeback Protection System to the transactions it processes.
- It provides 128-bit SSL encryption for better security, so that customers can rely on it and do not hesitate to disclose their credit card details.
- It is completely free, with no merchant account fee, annual fees or registration fees.
- It can be used by multiple customers at once, so that customers do not have to wait for a transaction to be completed.
- The use of https also makes the site more secure.

Fig: Secure PayPal Login

Fig: Pay Flow Diagram

Following are the steps involved in the working of Pay Flow Pro:

- First of all, the user makes the purchase on the e-commerce site by clicking "Buy Now". The buy function directs the transaction data to the Pay Flow Pro Gateway Client.
- The Pay Flow processing cycle starts when the gateway client sends the transaction data through an SSL-encrypted channel.
- Then PayPal redirects the transaction data to the concerned bank or financial institution, where the transaction data receives a token for processing.
- The concerned bank or institution either authorizes or declines the transaction request, depending upon the customer's balance on the credit card or the authenticity of the credit card details, and notifies PayPal Pay Flow accordingly.
- Finally, PayPal sends a confirmation of whether or not to process the transaction and, once the user confirms, the transaction is carried out and the corresponding balance is transferred from the customer's account to the e-commerce site's account. This whole process takes no more than three seconds.

Fig: Steps involved in Online Payment Processing

Conclusion:

Looking at the overall report, different measures should be taken to make a secure online system for e-commerce sites. Although there are many issues that pose a threat to e-commerce businesses, by enforcing a strong security policy security can be ascertained. Security issues such as identity theft, credit-card fraud, DoS attacks, viruses, etc. that pose a threat to e-commerce business must be adequately minimized so as to ascertain a secure environment for customers as well as for online business sites as a whole. To achieve this goal, security measures such as digital certificates, digital signatures, higher-bit encryption systems and services that provide these facilities, such as VeriSign, CAs, PayPal, etc., must be implemented. Also, secure authentication and logon policies should be implemented for the client's security.
Hence, by securing online transactions, maintaining confidentiality and privacy and securing the overall e-commerce business site, merchants as well as consumers can trade on a secure platform.