TEA Blog

SECURITY RISKS ASSOCIATED WITH E-COMMERCE WEBSITES

For some business owners, the ease in which an site can be set up may actually come at an unexpected cost. Using one of the web applications mentioned above, or any number of proprietary solutions as well, someone with very little knowledge can set up shop and begin collecting credit card information from their customers. While an online shop may be too attractive to pass up, web applications that run sites have become a "soft spot" for interested in stealing credit card information and other customer data. For this reason, Web application security is a vital consideration for e-commerce site owners.

Risks Associated with E-Commerce

Over the years, the methods used by sites to process and store credit card information has become much more sophisticated than the early days of online shopping. This progress has helped online shopping overcome one of its greatest obstacles, consumer trust. As evidenced by the amount of money spent online each year, people feel much more secure in shopping online than they ever have. Unfortunately for businesses, the methods used by cyber criminals trying to steal their customers information have made it easier than ever for them to compromise a web application.

Credit Card Theft/Fraud

Sophisticated cyber criminals use to launch coordinated attacks against unsuspecting that are vulnerable to attack in order to steal credit card information - credit card security is one of the most important components of e-commerce security. The infamous TJX security breach disclosed in 2007 is a good example of what can happen to companies that do not have the proper security measures in place. This breach resulted in 94 million accounts being compromised with losses exceeding $70 million due to fraud the result was a lawsuit filed against TJX by over 300 banks. When the attacker, Alberto Gonzalez, was finally caught it was found that he exploited SQL Injection vulnerabilities in various to net over 130 million credit cards.

Some of the most common exploits used in financial data theft include:

  • SQL Injection

  • Cross-Site Scripting

  • Path Traversal

  • Session Hijacking

  • Malware (Drive-by downloads)

Unfortunately, most sites that are vulnerable to these types of attacks dont know it until it is too late.

Interruption of Business

It could be that a competitor is trying to hurt your business, or maybe just an attacker learning how to exploit known vulnerabilities. Quite possibly, it could be that someone has compromised your web server so that they can use its resources: hard drive space, processing power, and bandwidth. Whatever the reason, a Denial of Service attack can hurt any business because customers cannot get to your site while you are under attack. Not only is revenue lost because your customers cannot get to your online store, but they may think twice before ever shopping again if they know that your site is vulnerable to attack.

Damaged Brand

When credit cards are stolen from sites, it usually makes the news. When a theft reaches the headlines, both existing and potential customers tend to avoid using that merchant. Even the most loyal customers think twice and may turn to a competitor if they are concerned about the security of their financial data.

Theft is not the only way an attack can hurt an established brand name either. With many Internet users relying on browser add-ons that seek out and report on potentially harmful sites, if your is thought to be spreading malware or loaded with spam as a result of a link injection you could quite rapidly see a loss of traffic.

Search Engine Results

Companies fight hard to achieve the premier listings in the search engine results page, often spending a great deal of money on Search Engine Optimization specialists to help them rank high. All it takes is a Cross-Site Scripting attack that feeds your visitors with malware, or a link injection attack that flags your site as a spam delivery site and those rankings you worked so hard for will plummet. Larger search engines will remove potentially harmful sites from their search results altogether.

Once a has been cleaned, a request can be made to have it re-evaluated and returned to the search engine results, it can be a rather process and it is a process that is sure to hurt traffic and revenue.

Protecting Ecommerce Sites

In 2004 five different credit card security programs merged to form the Payment Card Industry Security Standards Council (PCI DSS) with the purpose of creating an extra level of protection for card issuers making sure that merchants (both online and brick and mortar) meet basic levels of security when storing, processing, and transmitting cardholder data.

To set a minimum level of security, the Payment Card Industry set 12 requirements for compliance that fall into one of six groups called control objectives. The control objectives consist of:

  • Build and maintain a secure network

  • Protect cardholder data

  • Maintain a vulnerability management program

  • Implement strong access control measures

  • Regularly monitor and test networks

  • Maintain an information security policy

Companies that fail to comply with the PCI DSS standards risk losing the ability to process credit card payments and may be subjected to audits and fines.

Web Application Compliance

As many are powered by web applications, and the application layer being a soft spot for attackers, the PCI Data Security Standards specifically address how to protect web applications.

In what is known as requirement 6.6, owners who process credit cards are given two options for compliance. Option one requires a code review to be done by an internal employee or a trusted third-party source and must consist of one of the four methods:

1. Manual review of application source code
2. Proper use of automated application source code analyzer (scanning) tools
3. Manual web application security vulnerability assessment
4. Proper use of automated web application security vulnerability assessment (scanning) tools

The problem with code reviews is that they can be , they can be expensive, and they dont protect against zero-day vulnerabilities. For instance, if a highly qualified reviewer is hired to check the source code for compliance, he may be able to locate vulnerabilities that are known to him today, the vulnerabilities that have yet to be discovered most likely will not be caught in a standard code review.

Web Application Firewalls

Option two of requirement 6.6 allows for a company to implement a web application firewall solution in place of regular code reviews. A web application firewall, either a hardware appliance or software solution, is placed in between the client and the web application. Web application firewalls, or WAFs, protect cardholder data because all web layer traffic is inspected looking for traffic that is meant to exploit known vulnerabilities as well as patterns that may suggest a zero-day exploit being launched against the application.

Without having to dedicate programmers to inspect every line of code, web application firewalls are known to protect against:

  • Path Traversal Vulnerabilities

  • Known worms

  • Remote Command Execution

  • Probes

  • Denial of Service attacks

  • Compromised servers

  • Cross-Site Scripting

  • SQL Injections

and more.

The Need to Avoid Attacks

When it comes to protecting your site from attackers having access to the credit card data, security needs to be a top priority. To ensure that all online merchants who process credit cards are taking the same precautions, the Payment Card Industry mandates compliance with their Data Security Standards.

A successful attack against an site that puts credit card data at risk will most certainly draw the attention of the PCI. Odds are that a vulnerable who has allowed data to be accessed illegally will be found out of compliance with these standards. In addition to the possibility that such a breach could result in lost revenues, the victim may also find themselves subject to fines imposed by the PCI.

Protect Your Web Applications

By acting as a Security-as-a-Service solution threat management tool is able to provide protection to web servers whether the admin has an extensive background in security or just a minimal amount of knowledge on the subject.

Solution to your web application security needs are:

  • Strong security against known and emerging hacking attacks

  • Best-of-breed predefined security rules for instant protection

  • Interface and API for managing multiple servers with ease

  • Requires no additional hardware, and easily scales with your business

Unique security approach eliminates the need to learn the specific threats that exist each web application. The software focuses on analyzing each request to the web server and the impact it has on the application.

ARTICLE SOURCE: This factual content has not been modified from the source. This content is syndicated news that can be used for your research, and we hope that it can help your productivity. This content is strictly for educational purposes and is not made for any kind of commercial purposes of this blog.