e-commerce

E-commerce security: a question of trust

Steven Furnell, Network Research Group, School of Computing, Communications & Electronics, University of Plymouth, Plymouth, United Kingdom

Some examples of E-commerce threats

The chart in Figure 1 has already shown that fraud has found an opportunity to flourish within the Internet environment. However, from the perspective of an E-commerce service, there are plenty of threats to be concerned about and fraud-related issues are just part of the story. While some of the threats are fairly generic to all types of Internet-based systems, others are more likely to be specifically targeted against E-commerce sites. An outline of some of the most significant issues is provided in the paragraphs that follow.

Within a relatively short time, electronic commerce services have risen to become a core element of the Internet and Web environment. Findings published by Forrester Research have indicated that online retail sales in the United States exceeded $100 billion in 20031, representing a 38% increase over the previous year. The US is by no means alone here, and the signs point towards continued growth in other regions as well.2 As well as increasing in volume, the nature of the business to consumer (B2C) E-commerce offerings has also evolved considerably since the early days of the web. The initial use of commercial web sites was effectively as an electronic shop window, where visitors could see product and service availability, but could not purchase them directly. Todays sites have, of course, moved well beyond this which in turn serves to increase the requirement for security, as sensitive personal and financial details are regularly provided during the course of transactions. Given that E-commerce is thriving, one may be tempted to assume that security aspects must have been addressed, and that the resulting environment is a trusted one. Unfortunately, however, the evidence suggests that as the use of E-commerce increases, so too does the number of users who are encountering problems with it. As an illustration of this, Figure 1 depicts findings from the US Internet Fraud Complaints Center (IFCC), and shows that the number of complaints received by the organization and referred to law enforcement has escalated significantly in recent years.3 This article considers the issue of ecommerce security, and some of the implications for the parties involved. The discussion begins by highlighting a variety of the threats to which E-commerce systems are exposed. Consideration is then given to the effects that such incidents can have upon the perceptions of online consumers and retailers, before examining some of the means by which protection can be achieved and confidence can be enhanced.

Malware
Worms, viruses, and other forms of malicious software represent the biggest threat to networked systems in general, and thus are certainly issues that E-commerce operators cannot afford to ignore. An infection may affect the operation of services, and hence represents a cause of lost revenue if this results in impairment or unavailability. Malware is also an issue from the customer perspective, in the sense that it could compromise security during their use of E-commerce services. A good example of this was the Bugbear worm from September 2002, which had keystroke logging capabilities and thus risked the users personal details being captured if they initiated a transaction from an infected system.4

Denial of Service (DoS)

DoS involves the intentional impairment or blocking of legitimate access by an unauthorized party (e.g. by flooding the victim site with spurious traffic). The 2004 version of the CSI/FBIs annual Computer Crime and Security Survey reveals that DoS attacks were the most costly reported, accounting for $26M from the 269 respondents that were willing and able to quantify their losses5 (note: this total appears to include losses attributable to malware, on the basis that worm/virus payloads were often responsible for initiating DoS attacks). Although the experience of DoS incidents is by no

Figure 1 : Incidents of Internet fraud (Source: IFCC)

10

e-commerce
means limited to E-commerce sites, the impact in these cases has the potential to be felt particularly strongly, in the sense that unavailability of the site directly equates to a halting of business operations. For example, at the time of writing, the most widely publicised DoS incident (aside from those resulting from malware payloads) dates back to February 2000, when a Canadian teenager operating under the alias Mafiaboy initiated a series of distributed DoS attacks against numerous popular sites, including Yahoo!, Amazon.com, eBay and CNN. The impact was significant for example, when the Amazon.com website was targeted on 8 February it became 98.5% unavailable to legitimate users.6 This situation lasted for around 30 minutes, and legitimate visitors to the site had to wait about five minutes to get to Amazons home page. It is easy to imagine that many people would have given up in this time, resulting in potential lost revenue for the company if they then went elsewhere rather than returning later.

Datastreaming
Datastreaming is one of the threats that is more likely to explicitly target the E-commerce domain, and involves the bulk theft of personal data such as card details by individuals or groups hacking into related systems. Although consumers may instinctively consider that their data requires protection against interception as it travels across the network, the evidence shows that it is far more likely to be vulnerable at the remote destination, where hackers may break in and steal it en masse. A notable example occurred in early 2000, when a hacker calling himself Curador began hacking into small E-commerce sites to steal payment card details. Beginning in late January and continuing through into early March, he penetrated nine sites, located in Britain, US, Canada, Japan and Thailand, stealing between 750 and 5,000 card numbers each time (it was estimated that 26,000 cards were compromised in total). Having stolen the card data, Curador also set up web sites to share the details with others (the site registrations naturally being paid for using stolen card numbers). The FBI estimated losses exceeding $3 million, taking into account the cost of closing down Curadors sites and issuing new cards

information, and users gullible enough to provide it all could find themselves at significant risk of both financial loss and identity theft. Phishing differs from the other threats listed here, in the sense that avoiding it requires vigilance on the part of the consumer rather than the E-business (albeit with the business being able to do its bit to alert its customers to the issue). This, however, does not mean that the E-business is unaffected by the problems. Quite the contrary in fact the impersonated companies often experience escalating costs as a result of increasing volume of calls to their customer support lines,8 and as with other security incidents, the adverse publicity could reduce trust in the affected brand.

Poorly configured systems

Although not an attack in itself, a badly configured system is a definite threat, which can increase the vulnerability to some of the other problems already discussed. Systems may be vulnerable because they have not been kept up to date (e.g. failure to apply the latest patches, leaving systems open to hacker exploits and malware), or because they have been badly configured in the first place. For example, in June 2000, a UK-based Internet Service Provider was hacked by an IT consultant who claimed that he wished to expose their security holes. Having compromised their site, the attacker was allegedly able to access the customer database containing details of more than 24,000 subscribers (including credit card information).9 In a properly designed system, this should not have been possible, with a physical separation between a public-facing Web server and the systems holding sensitive data. As it stood, the configuration of the system had left it vulnerable to a datastreaming incident. With these and other threats (e.g. fraudulent schemes such as the Nigerian email scam) to be concerned about, it is relevant to consider the resultant impacts from the perspectives of the consumers and businesses in the E-commerce domain.
11

Defacement
Given that the website is often the shop window for the E-business, it is important to ensure that it conveys the correct information and the best impression. With this in mind, vandalism of the site and alteration of its content is clearly unwelcome. Unfortunately, defacement has become a significant problem, and sites running unpatched Web server software represent a relatively easy target, even for novice hackers. As with DoS attacks, defacement incidents are by no means confined to E-commerce sites, and a look at defacement statistics at a site such as zone-h.org will reveal all manner of targets. However, the potential impact for an E-business could again be greater than for a site that is purely providing information services. For example, encountering a defaced site has the potential to cause lasting damage to the customers impression of the business, and in particular to the perception of its security (e.g. if the business cannot even protect its shop window, why should I trust it with my data?).

Phishing
Another of the types of attack that is more likely to specifically target the E-commerce domain, phishing tries to trick users into divulging sensitive data through messages and websites that purport to be from legitimate sources such as banks and online retailers. Although phishing incidents can be traced back to the mid-90s, there has been a notable surge in the last year or so, as perpetrators have found ways to apply the techniques for financial gain. Players in the E-commerce domain have therefore become desirable targets for impersonation, and the May 2004 report from the AntiPhishing Working Group reveals that, from 997 unique attacks, 94.5% had targeted companies in the financial services or retail sectors7. Such emails tend to request a whole range of sensitive

e-commerce

The customer perspective

Instinctively, one would expect that publicized incidents, such as the examples described above, would have adverse impacts from the perspective of potential online consumers. However, the statistics presented at the start of the discussion have already provided an implicit indication that E-commerce is forging ahead in spite of these problems. Indeed, survey data from the Association for Payment Clearing Services (APACS) in the latter half of 2003 indicated that 30 million UK adults used the Internet, with around 18 million having made online purchases during the previous year (representing an increase of over 50% compared to 2002).10 With such a high proportion of users making online purchases, it would certainly appear that security is of little concern. The obvious point, of course, is what about the sizable proportion of nonpurchasers that remain? To what extent are they being put off by security-related fears? If survey results are to be believed, then the apparent answer is quite a lot! For example, a 2003 survey by PaymentOne revealed security concerns to be far and away the prime reason preventing consumers from shopping online accounting for 70% of responses.11 In addition, it would be nave to assume that all of those using E-commerce services are doing so with complete confidence. For example, a survey conducted by my own research group back in 2000 revealed that over 90% of users who shopped online were doing so in spite of having some form of security concern.12 There is little doubt that many consumers would give similar responses today, and the growth of E-commerce has had more to do with factors such as the cost and convenience than the perceived improvements in protection. There is a potential problem of consumer awareness to be addressed, which could go some way to allaying their fears of purchasing online. For example, many card holders are afraid of their credit card number being stolen, but may not realise that their card provider protects them in this scenario, by removing their liability
12

provided that they have not been negligent in protecting their card or its associated details.13 In addition, there is evidence to suggest that the scale of the problem is over-estimated. For example, although the latest APACS findings suggest that fraud through E-commerce channels is increasing (estimated at 45m during 2003), the majority relates to the use of card details that have been fraudulently obtained in the real world the proportion relating to data actually stolen from websites is described as very lowx. Although security concerns are clearly not significant enough to prevent a significant population from engaging in E-commerce altogether, they may nonetheless adversely affect the use of related sites. For example, many users may elect to enter their personal details anew for each transaction rather than have the site store their details and potentially render them vulnerable to later misuse or datastreaming. Although this does not prevent the user from indulging in E-commerce, it serves to make the process much more time-consuming for a set of purchases.

Secure Electronic Transaction (SET) standard is a better alternative to SSL

Problems for E-businesses
The provision of E-commerce services is a factor for an increasing proportion of businesses. As an illustration of this, the 2004 Information Security Breaches Survey, from the UK Department of Trade & Industry, revealed that 73% of respondents claimed to have a transactional website up from just 13% in the previous version of the same survey two years earlier.14 This is particularly significant from a security perspective, in that the earlier survey had also posed the question of whether E-commerce systems are more or less of a target for attack than other systems. A substantial 61% of respondents considered them more likely to be

targeted, with only 7% considering there to be less likelihood (the remaining respondents felt the threat was unaltered).15 Suffering a security breach of any kind is clearly not good news for the victim organization, but the ramifications of the incident may go beyond the direct impacts. An obvious example of this is the potential for longer term damage to image and reputation. In this respect, survey results have shown that publicised incidents can adversely affect customer opinions, and cases have indeed been reported in which competitors have explicitly tried to take advantage of this, by mentioning that their rivals have suffered security breaches in order to lure away customers.16 As a result, online retailers are very much aware of the problem that security represents for their business. A 2000 survey from CommerceNet asked merchants to identify the main barriers to B2C E-commerce. In the resulting top ten list, based upon answers from 1,000 respondents in six countries, the issues of Security and Encryption and Trust and Risk occupied the highest positions.17 This rather suggests that the views of the merchants are in tune with those of the consumers, and it is therefore relevant to consider that if both sides perceive the same barriers, what evidence is there of a serious approach to security?

Who is doing what about it?

Despite their apparent concerns about security, most users will actually know very little about it and indeed may find it difficult to define their requirement much more specifically than saying that their personal and financial details need to be protected. As such, provided that they have been explicitly authenticated, and are then assured that the transit of sensitive data is protected from prying eyes, the majority of users will feel that there is little else to worry about. Current sites typically provide this assurance fairly well, and the Web browser obliges by showing the padlock symbol to denote a secure

e-commerce
connection (see Figure 2). But what does this really mean, and should the user be satisfied that it is giving them sufficient protection? Asking casual users to suggest the protection provided by the padlock may indeed reveal some rather generous assumptions. However, the reality of the situation is that it relates to the usage of the Secure Sockets Layer (SSL) protocol. This is a widely used mechanism for securing Internet E-commerce, and can provide two significant elements of protection from a transaction perspective: encryption of the communications link, and confirmation that the contacted server belongs to the merchant. This is good from the consumer perspective, but it leaves a notable hole for the merchant in that they cannot, by default, perform a reciprocal confirmation of the consumers identity (SSL supports it as part of the handshake protocol, but requires the consumer to have a certificate installed which the vast majority will not have). As a consequence, an honest merchant could receive orders from a stolen or forged credit card. Of course, other administrative safeguards can provide protection here, but this does not mean that suitable safeguards could not be incorporated at the technology level. Indeed, a more substantial alternative to SSL has already been proposed, which provides considerably more protection namely the Secure Electronic Transaction (SET) standard. Unlike SSL, which arose as a security mechanism for general application, SET was specifically designed to provide safeguards for card payments over open networks such as the Internet. It was announced back in 1996, and was a collaborative effort between Visa, Mastercard and a number of leading technology companies (including Microsoft, IBM, RSA and Verisign).18 The scheme uses a combination of digital certificates and digital signatures to ensure privacy and confidentiality amongst the main participants in a transaction: the customer, the customers bank, and the merchant. When compared to the SSL approach, the most significant difference from the consumer perspective is that credit card details themselves are not divulged to the merchant. This immediately reduces the potential for threats such as datastreaming, as merchant systems would no longer hold repositories of card details. It also offers advantages to the merchant, in the sense of being able to authenticate the customer. If SET-based protection is so much better, it begs the obvious question of why it has not found its way into widespread use. The main reason is the complexity of the approach, and the resultant demands that it places upon consumers and merchants both of whom would be required to install specific software to support the mechanism. Faced with this choice, versus the option of using the SSL functionality that is built into Web browsers and servers as standard, it is perhaps unsurprising that the latter has prevailed. Indeed, as far back as 1999, the SET approach was being dismissed as illustrated by the following quote from an E-commerce market analyst at IDC: SET is dead . . . Consumers dont want to have preinstalled software to be able to shop online. Secure Socket Layer provides security without the need for this.19 And, of course, most consumers are quite happy with their picture of a padlock! Those looking for some greater reassurance can at least look for signs of the vendors commitment to security in other ways. A baseline would be to see some evidence of the site having a credible privacy and security policy which at least indicates some recognition of the issue being a concern for customers. However, a more tangible indication would be if there is evidence of the practical measures having gone beyond the norm. For example, the customer authentication on many sites simply relies upon a basic username (or email address) and password combination as the only barrier to accessing user accounts (and making use of any personal / financial information that is pre-stored there). However, this is not the only option. Online banking sites have for some time utilised a somewhat more substantial challenge-response process, requiring the user to enter personal information such as date of birth, along with randomly selected digits from a secret security number (thus reducing the possibility of someone capturing the information e.g. via a keystroke logging worm and then being able to repeat it for a subsequent successful login). The downside, of course, is that this process may be perceived as too time-consuming or complex by potential customers. In order to provide additional protection against misuse of card details, the major card operators have developed schemes that can be incorporated into ecommerce sites in order to verify transactions namely Visas Verified by Visa20 and MasterCards SecureCode.21 Both approaches work on the principle that whenever an online purchase is made using a credit card number, the user must verify that their use of the number is legitimate by providing a password (which is

Figure 2 : An indication that all is secure?

13

e-commerce
then verified by their card issuer). Thus, the card details alone are no longer sufficient to authorize a transaction. The approaches require both consumers and merchants to register for the service, and having done so merchants can then use the logo on their site, providing an additional indication of security for consumers. Such approaches go some way towards providing the additional features that SET already incorporated (e.g. ensuring authentication of the customer for the merchant). However, there are still notable aspects (which SET also dealt with) that remain unresolved principally the fact that the card details are still provided as part of the transaction and could therefore be vulnerable to interception. Of course, this is not a problem if all retailers use the MasterCard or Visa scheme, because the card number alone will not enable a transaction to be made, but at the moment there are many sites that do not incorporate the protection. There are also potential compatibility problems, in the sense that the verification windows in which users enter their passwords may get blocked if the user has installed software to block pop-up windows. Getting around this problem obliges users to temporarily disable one aspect of their protection in order to use another. Such issues are indicative of the fact that the security aspect of E-commerce has yet to mature to the desirable degree. tomer awareness of genuine risks in order to increase their confidence in using the services.
9 "Hacker taps into 24,000 credit cards",

About the author

Dr Steven Furnell is the head of the Network Research Group at the University of Plymouth, UK. He has been actively involved in security research for over 12 years, and has authored numerous papers on the topic, as well as the book Cybercrime: Vandalizing the Information Society, in which some of the incidents cited in this article are examined in more detail.

References
1 Johnson, C.A., Walker, J., Delhagen, K.

Conclusions
E-commerce has already demonstrated its great benefit for both consumers and merchants. As time goes on, the growth of domestic Internet access, and the increasing involvement of mobile devices (mcommerce) will yield more potential customers. Nonetheless, security clearly represents a significant concern - for good reason in several cases, given the range of potential threats and the limited extent to which suitable precautions are followed in some cases. The onus is upon operators to make appropriate use of technologies to reduce risk, and to assist in improving cus14

6 7

and Wilson, C.P. 2004. 2003 eCommerce: The Year In Review. Forrester Research, 23 January 2004 "Total B2C Revenues For US, Europe & Asia, 1999 - 2003 (in USD billions)", Statistics for Electronic Transactions, ePaynews.com, http:// www.epaynews.com/statistics/transactions.html#16 (accessed 9 August 2004). Internet Fraud Compliant Center. 2003. IFCC 2002 Internet Fraud Report January 1, 2002-December 31, 2002. National White Collar Crime Center and the Federal Bureau of Investigation. "W32.Bugbear@mm", Symantec Security Response, 30 September 2002. http://securityresponse.symantec.com/a vcenter/venc/data/pf/w32.bugbear@m m.html Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Richardson, R. 2004. Ninth Annual CSI/FBI Computer Crime and Security Survey. Computer Security Institute. "A Frenzy of Hacking Attacks", Wired News Report, 9 February 2000. Anti-Phishing Working Group. 2004. Phishing Attack Trends Report - May 2004. http://www.antiphishing.org/ APWG_Phishing_Attack_ReportMay2004.pdf Savage, M. 2004. "This threat could kill e-commerce", SC Magazine, May 2004, pp22-25.

The Sunday Times, 25 June 2000, Main section, Page 14. 10"Card Fraud Overview", Card Watch - APACS Fraud Prevention. http://www.cardwatch.org.uk/html/over view.html (accessed 5 August 2004). 11 "Factors Discouraging US Consumers From Using A Credit Card Online", Statistics for General and Online Card Fraud, ePaynews.com, http://www. epaynews.com/statistics/fraud.html (accessed 9 August 2004) 12 Furnell, S.M. and Karweni, T. 2000. "Security implications of Electronic Commerce: A Survey of Consumers and Businesses", Internet Research, vol. 9, no. 5: 372-382. 13 Barclaycard. 2004. "Online Fraud Guarantee", http://www.barclaycard .co.uk/Products/Apply/Card_Benefit/Fr aud_Guarantee/index.html (accessed 9 August 2004). 14 DTI. 2004. Information Security Breaches Survey 2004. Department of Trade & Industry, April 2004. URN 04/617. 15 DTI 2002. (2002) Information Security Breaches Survey 2002. Department of Trade & Industry. April 2002. URN 02/318. 16 Schultz, E. 2004. "Security breaches drive away customers", Computers & Security, vol. 23, no. 5, pp360-361. 17 CommerceNet. 2000. Barriers to electronic commerce. http://www. commerce.net/research/barriersinhibitors/2000/Barriers2000study. html. 18 Stallings, W. 2002. "Introduction to Secure Electronic Transaction (SET)", informIT.com, 17 May 2002. 19 August, V. 1999. "SET still fails to deliver on promise", Information Week, 16 June 1999, p5. 20 Visa. 2004. "Verified by Visa", https://usa.visa.com/personal/secure_wi th_visa/verified_by_visa.html (accessed 9 August 2004). 21 MasterCard. 2004. "Introducing MasterCard SecureCodeTM!", http://www.mastercardmerchant.com/ securecode/ (accessed 9 August 2004).