How secure is e-commerce?
The proliferation of electronic commerce and electronic banking puts the issue of data security squarely in the spotlight. Small businesses are seeing a growing need to protect their privacy on the Internet as they shift to online transactions. Computer experts warn that the potential for fraud is enormous, since anyone with access to a computer, Internet connection and the means to pay for purchased goods or services online can participate in e-commerce.
The Federal Deposit Insurance Corp., which insures deposits in banks of $100,000 and more, argues that the Internet “offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time.” It cautions, however, “safe banking online involves making good choices to help you avoid costly surprises or even scams.”
Most online consumers use credit or debit cards to pay for transactions, but other payment methods are becoming more popular, including “e-wallets,” which store customers’ data for easy retrieval for online purchases. In this faceless environment, the entry into the e-commerce mix of mobile and wireless transactions only increases the opportunities to cheat. Since online transactions require making payment at the time of purchase, an online consumer can cheat by using a stolen credit card for payment. A seller also can cheat by overcharging or by taking payment and not delivering the merchandise already paid for. A fraudster can set up a “phantom” shop online to simply collect customers’ credit card and other personal information, which could then be sold to marketing agencies or used for malicious purposes.
Fraudsters can do the same for banking transactions. “Whether you are selecting a traditional bank or an online bank that has no physical offices, it’s wise to make sure that it is legitimate,” the FDIC warns. “Watch out for copycat Web sites that deliberately use a name or Web address very similar to, but not the same as, that of a real financial institution. …Always check to see that you have typed the correct Web site address for your bank before conducting a transaction.”
Confidentiality, integrity, availability and accountability are the pillars of an e-commerce site and therefore the principal areas of challenge in securing the site. When hackers attack an e-commerce site, they essentially take aim at these pillars.
Also referred to as “secrecy,” or “privacy,” confidentiality ensures that only authorized parties can access “information assets”; that only authorized parties are able to read, view or print such assets, or even know that they exist. Integrity, meanwhile, involves protecting existing assets from modification by unauthorized parties or in unauthorized ways. Modification in this context refers to writing, changing, changing the status, deleting, inserting and creating.
Concern for “availability,” whose loss is termed “denial of service,” has to do with the need to make information available to authorized parties at appropriate times. Availability, then, ensures that those parties are not denied access to the information. Accountability, which stems from authentication and record keeping, by itself does not protect against attacks, but must be combined with other security services to be effective.
Fraudsters use various strategies to attack e-commerce, including the following:
Social engineering. The use of non-technical means to gain unauthorized access, such as walking into a facility and pretending to be an employee or misrepresenting one’s identity over the telephone, in order to collect unauthorized information for use in online fraud. It is an attack against confidentiality.
Access. An attempt to gain unauthorized access to privileged information, either during the transmission of the information or by hacking the database in which the information is stored. The introduction of wireless networks has increased the opportunity for eavesdropping and other security breaches of internal networks.
Modification. An attempt to modify privileged information. This kind of attack can be carried out against information that is in transit or that is stored in a database. It is an attack against integrity, making the information unreliable.
Denial-of-Service (DoS). An attack that denies legitimate users access to the resources of a system. It is widely viewed as nothing more than a nuisance attack, since the attacker does not obtain access to the system and cannot modify information contained in the system. This type of attack may be in the form of denial of access to information, denial of access to applications, denial of access to systems and denial of access to communications. DoS attacks are primarily against computer systems and networks.
Repudiation. An attempt to supply false information or prohibit the occurrence of a transaction. It is widely considered an attack against accountability. A repudiation attack may also take the form of masquerading (impersonating an individual or another system) or denying an event. In the latter form, a customer may make an online purchase with a credit card, then, when the bill arrives, deny to the credit card company that the purchase.
Non-existent or misrepresented items. Sellers may misrepresent an item for sale, or attempt to sell an item they do not possess.
Preventing security breaches
To prevent security breaches, e-commerce sites use such Web-based tools as cryptographic protocols, as well as non-Web tactics mandated by law. Cryptographic protocols entail encryption—scrambling the information to prevent unauthorized access—and other secure schemes, such as digital signatures, digital cash and e-wallets. On the legislative side, the Computer Fraud and Abuse Act of 1986 and the European Union Data Protection Act of 1998 place specific requirements on entities—organizations, companies and governments—that collect and save data on individuals; the U.S. Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (Public Law 106-102) establishes mandates for the privacy of data for customers of financial institutions; and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) places the responsibility for creating and enforcing standards for the protection of health information under the Department of Health and Human Services.
Security schemes employed by most e-commerce sites include encrypting all e-commerce traffic on a link. Encryption by itself can prevent eavesdropping, but it cannot completely prevent interception. To protect against interception or destruction of links and nodes, proper identification and authentication protocols must be used to determine the identity of the remote end point. Confidentiality can prevent an access attack, but cannot solve the problem on its own: it must work with accountability to establish the identity of the individual who is attempting to access information, in order to reduce the risk of unauthorized access. And while integrity helps prevent modification and repudiation attacks, repudiation attacks cannot be prevented without good integrity, identification and authentication services used together. In this case, the digital signature is the mechanism that detects the attack.
Online transactions are inherently insecure, given the number of opportunities that exist to compromise the sites where those transactions take place. While efforts are under way to develop stronger encryption, encryption alone cannot protect against the interception or destruction of links. Early experience with credit cards and Internet shopping showed that the real risk of compromising credit card numbers did not come from eavesdropping on Internet traffic, but from hacking into merchants’ Web servers and other front-end systems, which often retain credit card numbers. As a result, an effort was launched between 1995 and 1996 to develop a payment protocol that would use digital signatures rather than credit card numbers. In addition to securing transactions, the effort was intended to reassure customers that online transactions would be secure and reduce the cost of fraud. However, with the continued proliferation of sophisticated computers, we still believe that strong encryption combined with other security resources will prevail in securing online transactions.
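The role the two preceding paragraphs give digital signatures (integrity against after-the-fact modification, and accountability so that a purchase cannot simply be repudiated, with the signature rather than a card number standing in for the customer's authorization) can be seen concretely in the following added example. It is not code from the article or from any real payment protocol; it uses Go's standard-library Ed25519 signatures, and the Order structure, its field names and the sample order values are assumptions constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Order is the transaction record the customer signs. The structure and all
// field names are assumptions made for this example; values are constructed.
type Order struct {
	OrderID  string `json:"order_id"`
	Merchant string `json:"merchant"`
	Item     string `json:"item"`
	Cents    int64  `json:"cents"`
	// Nonce is a per-order random value so that two otherwise identical orders
	// are distinct signed messages and an old signature cannot be replayed.
	Nonce string `json:"nonce"`
}

// canonical returns the exact bytes that are signed and verified. encoding/json
// emits struct fields in declaration order with no extra whitespace, so the
// customer and the merchant derive identical bytes from the same Order.
func canonical(o Order) ([]byte, error) {
	return json.Marshal(o)
}

// SignOrder runs on the customer's side: it signs the canonical order with the
// customer's private key, which never leaves the customer.
func SignOrder(priv ed25519.PrivateKey, o Order) ([]byte, error) {
	msg, err := canonical(o)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// VerifyOrder runs at the merchant during checkout and again at the card issuer
// if the purchase is later disputed. It needs only the customer's public key.
func VerifyOrder(pub ed25519.PublicKey, o Order, sig []byte) bool {
	msg, err := canonical(o)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

// Demo walks through three cases: a genuine signed order, a modification
// attack (the amount is raised after signing) and an attempted forgery by a
// party that does not hold the customer's key.
func Demo() (genuineOK, tamperedOK, forgedOK bool, err error) {
	custPub, custPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	order := Order{ // constructed sample order
		OrderID:  "ORD-0001",
		Merchant: "example-shop.invalid",
		Item:     "Widget",
		Cents:    1999,
		Nonce:    "c0ffee01",
	}
	sig, err := SignOrder(custPriv, order)
	if err != nil {
		return false, false, false, err
	}
	genuineOK = VerifyOrder(custPub, order, sig) // true: integrity and accountability hold

	// Modification attack: the stored amount is changed after the fact.
	overcharged := order
	overcharged.Cents = 99900
	tamperedOK = VerifyOrder(custPub, overcharged, sig) // false: signature no longer matches

	// Forgery: a signature made with any other key does not verify under the
	// customer's public key, so a valid signature is evidence that the
	// customer's key, and not someone else's, authorized the purchase.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	forgedSig, err := SignOrder(otherPriv, order)
	if err != nil {
		return false, false, false, err
	}
	forgedOK = VerifyOrder(custPub, order, forgedSig) // false

	if !genuineOK || tamperedOK || forgedOK {
		err = errors.New("unexpected verification outcome")
	}
	return genuineOK, tamperedOK, forgedOK, err
}

func main() {
	g, t, f, err := Demo()
	fmt.Printf("genuine=%v tampered=%v forged=%v err=%v\n", g, t, f, err)
}
```

Run it with `go run`. The signature alone gives the merchant and the issuer a check on both integrity and accountability; what it does not supply is the binding between the public key and a real customer, which is the identification and authentication service the text says must accompany it (in practice a certificate issued after identity checks, with the private key kept under the customer's sole control).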
Sikiru Fadairo, Ph. D., is a professor of computer information systems at Medgar Evers College, City University of New York, Brooklyn, N.Y.