E-commerce Security


Lindsey Landolfi

Towson University

Network Security

Professor Charles Pak

July 2011


E-commerce, or commerce done via electronic means, has become an increasingly popular method of shopping; its prevalence will become mainstream for much of society as electronic forms of payment become preferred over physical cash or checks. The convenience and speed of e-commerce must be accompanied by the required security and protection of the transactions and payments. Every new opportunity for a retailer also becomes a new opportunity for an attacker; as more money is exchanged over electronic means it will attract more attackers hoping to reap a profit. This document will provide an overview of the risks presented by e-commerce, how proper network security will mitigate these risks, and real world examples of how technology and policies failed to protect the consumer.

As technology has progressed, so has the way consumers use that technology when making purchases. Stores have begun transitioning from traditional brick-and-mortar (physical) stores to having an online presence. Some companies have started without a brick-and-mortar store at all, offering a shopping experience available exclusively online. As retailers make these transitions, consumers have abandoned physical currency in favor of electronic payment means. Several electronic payment systems are currently in widespread use. Credit and debit cards are the most prevalent form of electronic currency and have been in use for several years. Online wallets such as PayPal, which allow you to pay directly from an online account or charge a credit card, have also become popular. A new payment technology still in its infancy is Near Field Communications (NFC) for mobile phones. NFC devices will allow a consumer to hold their mobile phone over a reader to process the payment, allowing the consumer to stop carrying cash or credit cards altogether.

While these new payment methods allow for unprecedented convenience to the consumer to pay for services and goods, for a network security professional they present new challenges and threats. The industry has established standard security compliance requirements to protect networks, customer data, and brand reputation. The Payment Card Industry Data Security Standard (PCI DSS) requires annual compliance validation for organizations conducting e-commerce. See appendix, figure 1 for PCI DSS control objectives and requirements. Many of the same security tools used to protect a computer network may also be employed to defend the networks that process payment transactions. Firewalls may be used to prevent systems holding or processing transactions from accessing any system other than those necessary to carry out their function; they should be configured to allow systems to reach only the other systems directly necessary to complete the transaction. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) may be used to detect or stop an attack in progress should an attacker get through the firewall, mitigating any damage or compromise of data the attacker may attempt. IDS and IPS should be deployed behind the firewall and should monitor traffic in multiple locations, so that the IDS/IPS can report if any one part of the network becomes compromised. Encryption may be employed to render any stored data indecipherable to an attacker, but care must be taken to use strong encryption algorithms and keys. Encryption keys should be carefully protected and accessible only to those who require access. Finally, policies must be in place that direct employees on how to properly maintain a secure environment. An employee training program that educates employees to recognize an attack and common attack methodologies should be standard. Additionally, it would prove beneficial to require yearly refresher classes. Employees should also have easy access to a technical security team to report any suspicious activity, files, or e-mails.
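The firewall and IDS/IPS recommendations above amount to one rule: a payment system may talk only to the hosts its transaction path requires, and anything else is an alert. The following Python is an added example (not part of the paper) that encodes such an allow-list for a constructed store network and evaluates a few constructed flow-log records against it, flagging both internal flows that bypass the intended path and outbound transfers from payment hosts to external addresses. All host names, addresses, ports and byte counts are made up for illustration.

```python
"""Evaluate payment-network flows against a least-privilege allow-list.

Added example, not from the paper. The network layout and flow records
below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed layout (assumption): registers, the store's POS server and
# the central payment processing center.
POS_REGISTERS = ip_network("10.10.1.0/24")
POS_SERVER = ip_network("10.10.2.10/32")
PAYMENT_CENTER = ip_network("10.200.0.0/24")
INTERNAL = (POS_REGISTERS, POS_SERVER, PAYMENT_CENTER)

# Allow-list: (source network, destination network, destination port).
# Anything not matched is denied, mirroring a firewall that permits only
# the hops a transaction actually needs.
ALLOWED = [
    (POS_REGISTERS, POS_SERVER, 443),   # register -> store POS server
    (POS_SERVER, PAYMENT_CENTER, 443),  # store POS server -> payment center
]


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int


def is_allowed(flow):
    """True if the flow matches an allow-list entry."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    return any(s in sn and d in dn and flow.dport == p for sn, dn, p in ALLOWED)


def is_internal(addr):
    """True if the address belongs to one of the payment-path networks."""
    return any(ip_address(addr) in n for n in INTERNAL)


def audit(flows, exfil_threshold=50_000_000):
    """Return a (verdict, reason) pair per flow.

    Two IDS-style checks: a flow outside the allow-list, and a transfer
    from a payment host to an address outside the payment network, which
    is the kind of outbound data movement an IDS should report. The
    threshold (50 MB) is an arbitrary constructed value.
    """
    results = []
    for f in flows:
        if is_allowed(f):
            results.append(("allow", ""))
        elif not is_internal(f.dst):
            reason = "egress to external host"
            if f.bytes_out >= exfil_threshold:
                reason += " with large transfer"
            results.append(("alert", reason))
        else:
            results.append(("alert", "internal flow not on allow-list"))
    return results


# Constructed sample flows (198.51.100.7 is a documentation address).
SAMPLE_FLOWS = [
    Flow("10.10.1.25", "10.10.2.10", 443, 2_048),        # normal register traffic
    Flow("10.10.2.10", "10.200.0.5", 443, 4_096),        # normal authorization request
    Flow("10.10.1.25", "10.200.0.5", 443, 1_024),        # register bypassing POS server
    Flow("10.200.0.5", "198.51.100.7", 22, 80_000_000),  # payment host sending 80 MB out
]

if __name__ == "__main__":
    for flow, (verdict, reason) in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS)):
        print(f"{verdict:5} {flow.src} -> {flow.dst}:{flow.dport} {reason}")
```

The same allow-list can be read two ways: as the firewall policy (deny everything not listed) and as the IDS rule (alert on anything the firewall should have denied), which is why the paper wants both deployed at the POS server and at the payment center.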

No one of these tools individually will be a "magic bullet" that successfully prevents or mitigates an attack, but if properly combined into a comprehensive security plan and defense they may be used to divert an attacker towards an easier target. When not implemented properly, security tools may leave the company at risk of an information breach. Data breaches may lead to lawsuits, loss of consumer trust, loss of revenue, and make the victim a target for future attacks. One example of how incorrectly implemented technology failed to provide sufficient security was the case of the TJ Maxx payment processing center in 2005.

TJ Maxx, a discount store, utilized Wi-Fi networks in its stores to connect the Point of Sale (POS) systems to a central server for the retail location. This central server was responsible for forwarding requests for credit card authorizations to TJ Maxx's central payment processing center. The payment processing center would then contact the customer's bank, obtain authorization, and return the payment authorization to the POS server and register. While this system was successful at accomplishing the goal of processing sales transactions, it lacked a number of important safeguards and contained several security vulnerabilities. While TJ Maxx never revealed the technical details of how the attack progressed, I was able to draw some conclusions based on news reports and the way the hackers were able to extract the confidential data.

TJ Maxx's Wi-Fi "was using a security protocol known as Wired Equivalent Privacy (WEP)" (Berg, Freeman, Schneider, 2008) at some of its retail sites. Even a properly configured WEP network is relatively easy to crack; WEP's weakness is evident in the authentication sequence due to the lack of key management. WEP encryption is so insubstantial that "researchers at Darmstadt Technical University in Germany have demonstrated that a WEP key can be broken in less than a minute." (Berg, Freeman, Schneider, 2008) This use of weak encryption allowed the attacker to easily break the encryption cipher, join the retail location's wireless network, and access the machines processing payment transactions. There have been reports that some POS system passwords were "set to blank" (Goodin, 2008), or employees "posted the password and username on a post-it note" (Goodin, 2008) to the computer for easy access. TJ Maxx's retail locations did not use firewalls between the POS server and the payment processing center, nor did they include IDS or IPS systems at either the POS server or the payment processing center. They did not conform to the PCI data retention standards, which call for sensitive data to be deleted shortly after the transaction is processed. See appendix, figure 2 for a comparison between data retained by TJ Maxx and the PCI retention standards. Finally, they did not have, or did not enforce, policies on secure network practices. This lack of comprehensive security allowed the attacker to war-drive to find the retail store's wireless network and gain entry to the retail location's local network. Wardriving software uses radio signals to locate and collect information on Wi-Fi network sources using weak or no encryption. Once inside the retail location's wireless network the attacker was able to gain entry to the payment processing center, where he installed a packet sniffing program that collected confidential data exchanged between the POS and central server. Stolen information included private data such as credit and debit card numbers, Personal Identification Numbers (PINs), social security numbers, and driver's license numbers. This information was then periodically uploaded to servers "leased in Latvia and Ukraine" (Zetter, 2010). This process continued over the course of 18 months prior to detection, and the attacker was able to siphon off about 80 gigabytes worth of data. While any one of these issues alone may have allowed an attacker to gain entry to the network, when combined they allowed the attacker unprecedented access to millions of credit and debit card numbers, social security numbers, and bank account numbers. These issues could have been avoided with the proper application of security technology and adherence to security policies.
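The retention comparison in appendix figure 2 draws a sharp line: cardholder data (PAN, name, service code, expiration date) may be kept if protected, while sensitive authentication data (full magnetic stripe, CVC2/CVV2/CID, PIN block) must not be stored after authorization even if encrypted. The Python below is an added example, not from the paper or the PCI Security Standards Council, that applies that line to a constructed transaction record: it strips the forbidden fields before archiving, truncates the PAN to first six and last four digits (an assumption that the archive needs no more than that), and audits an existing record for violations. Field names and the sample record are constructed.

```python
"""Apply the figure 2 retention rules to a transaction record after
authorization. Added example; field names and data are constructed.
"""

# Cardholder data that may be retained after authorization if protected
# (figure 2: PAN, cardholder name, service code, expiration date).
RETAINABLE = {"pan", "cardholder_name", "service_code", "expiration_date"}

# Sensitive authentication data: must not be stored after authorization,
# even encrypted (figure 2: full magnetic stripe, CVC2/CVV2/CID, PIN block).
FORBIDDEN = {"full_magnetic_stripe", "cvv2", "pin_block"}


def mask_pan(pan):
    """Keep only the first six and last four digits of the PAN.

    Assumption: downstream reporting needs no more than the truncated PAN,
    so truncation is used as the protection for the archived copy.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN too short to be a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_after_authorization(record):
    """Return (archivable copy, list of removed field names).

    Forbidden fields are dropped outright; the PAN is truncated; every
    other field is passed through unchanged.
    """
    removed = sorted(k for k in record if k in FORBIDDEN)
    kept = {k: v for k, v in record.items() if k not in FORBIDDEN}
    if "pan" in kept:
        kept["pan"] = mask_pan(kept["pan"])
    return kept, removed


def audit_stored_record(record):
    """Return the names of forbidden fields present in an already stored
    record, i.e. the check an assessor would run over an archive."""
    return sorted(k for k in record if k in FORBIDDEN)


# Constructed record as a POS server might hold it right after authorization.
SAMPLE_RECORD = {
    "transaction_id": "T-0001",
    "pan": "4111 1111 1111 1111",          # test card number, not a real account
    "cardholder_name": "J. Doe",
    "service_code": "201",
    "expiration_date": "12/13",
    "full_magnetic_stripe": "<constructed track data>",
    "cvv2": "123",
    "pin_block": "<constructed pin block>",
    "amount_cents": 4599,
    "authorized": True,
}

if __name__ == "__main__":
    print("violations before scrub:", audit_stored_record(SAMPLE_RECORD))
    archive, removed = scrub_after_authorization(SAMPLE_RECORD)
    print("removed:", removed)
    print("archived record:", archive)
    print("violations after scrub:", audit_stored_record(archive))
```

Run as a batch job over an archive, `audit_stored_record` would have surfaced exactly the rows marked "Yes / No" in figure 2, which is the gap the paper says TJ Maxx never closed.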


The retail Wi-Fi networks should have required configurations with strong encryption such as Wi-Fi Protected Access 2 (WPA2), or been physical connections such as Ethernet. Using directional antennas and reduced signal strength to limit the ability of the wireless signal to leave the building would have required the hacker to be in close physical proximity, making it more difficult to access the Wi-Fi network and possibly deterring an attacker who desires to remain anonymous. Firewalls should have been deployed at both the POS server and the payment center to limit communication between the register terminals, in turn blocking any other systems from accessing one another. An IDS or IPS deployed at the POS server and the payment processing center could have alerted administrators to the attack in progress, or to the fact that confidential data was leaving the facility and being sent to outside countries that the servers should never communicate with. While TJ Maxx claims that some transaction data was being deleted after a short time, some vital data was still being archived. Confidential data that had served its purpose and was no longer needed should have been deleted or, if stored, should have been protected with strong encryption. Passwords to access systems that process confidential data should have been subject to higher complexity requirements, such as the criteria of Microsoft's passfilt.dll, in order to lower the risk of a security breach. Finally, TJ Maxx did not have, or did not enforce, a security policy with guidelines on protecting systems that processed confidential data, policies guiding proper password selection and protection of passwords, policies on performing log analysis, or policies specifying communication guidelines to the outside world from machines that processed confidential data. Much of the research I found concentrates on what technology TJ Maxx did not have deployed, but without policies stating how the technology should act, and enforcement to ensure people configure the technology correctly, it will not provide proper protection.
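The two password problems the paper names for the POS systems, blank passwords and the absence of complexity rules, can both be caught by an account audit. The Python below is an added example, not the paper's and not Microsoft's code: `passfilt_check` implements my reading of the documented passfilt.dll criteria (at least six characters, characters from at least three of the four classes uppercase, lowercase, digit and non-alphanumeric, and no part of the user name or full name of three or more characters), and `audit_accounts` runs it over a constructed list of POS accounts, reporting blank passwords separately. The account records are constructed.

```python
"""Audit POS accounts for blank passwords and passfilt.dll-style
complexity. Added example; the rule set is my reading of the documented
filter and the account list below is constructed.
"""
import re


def passfilt_check(password, username, full_name=""):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than six characters")
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    lowered = password.lower()
    # Name parts are split on the delimiters the filter documents; parts
    # shorter than three characters are ignored (assumption from the docs).
    parts = [username] + re.split(r"[ ,.\-_#\t]+", full_name)
    for part in parts:
        if len(part) >= 3 and part.lower() in lowered:
            problems.append(f"contains name part {part!r}")
    return problems


def audit_accounts(accounts):
    """Map user name -> list of findings for every failing account.

    `accounts` is an iterable of (username, full_name, password) tuples.
    A blank password is reported on its own, since it is the single worst
    finding and the one the paper reports for TJ Maxx's POS systems.
    """
    findings = {}
    for username, full_name, password in accounts:
        if password == "":
            findings[username] = ["blank password"]
        else:
            problems = passfilt_check(password, username, full_name)
            if problems:
                findings[username] = problems
    return findings


# Constructed accounts; the passwords are illustrative only.
SAMPLE_ACCOUNTS = [
    ("register01", "Register One", ""),             # blank, as reported for TJ Maxx
    ("jdoe", "Jane Doe", "Doe2011!"),               # complex, but contains the surname
    ("asmith", "Alex Smith", "correct horse"),      # long, but only two classes
    ("mgr", "Store Manager", "T7#kq9Lm"),           # passes
]

if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(problems)}")
```

The filter only enforces the minimum; the policy the paper calls for also has to cover where passwords may be written down, which no complexity rule can check.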


A second case that illustrates the problems of lacking proper policies is that of RSA and its SecurID tokens. RSA SecurID tokens are used to authenticate a user based on the 'something you have' principle. The 'something you have' authentication approach requires a tangible object such as a hardware token or an ID card. The second aspect of RSA SecurID's two-factor authentication is the 'something you know' approach, such as a password. RSA is "the only solution that automatically changes your password every 60 seconds." (RSA SecurID, 2011) The tokens generate a random number based on the current time and a seed value set at the factory. So long as the seed value and the algorithm used to generate the random number are kept secret, it is impossible for an attacker to calculate the current or next random number in the sequence. The security offered by SecurIDs led many large corporations and the US Government to use RSA technology to secure their own networks and Virtual Private Networks (VPN). As a company specializing in security products, RSA was an industry leader in maintaining a secure local network, including defensive countermeasures such as firewalls, IDS/IPS, secure passwords, and encryption. RSA fell victim to an Advanced Persistent Threat (APT) in 2011; an APT typically progresses through different phases, each customized to achieve the maximum effect.
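The token mechanism described above, a secret seed combined with the current time, is the same shape as the public TOTP scheme (RFC 6238), so TOTP makes a usable stand-in for showing why the seed must stay secret. The Python below is an added example; it is not RSA's SecurID algorithm and nothing about SecurID internals is assumed. It generates and verifies HMAC-SHA1 time-based codes using the RFC 6238 test secret, with a one-step tolerance for clock drift and a constant-time comparison on the verifier side. The time values used in the usage call are the RFC's published test points.

```python
"""Time-based one-time codes (RFC 6238 TOTP, HMAC-SHA1) as a stand-in for a
seed-plus-clock hardware token. Added example, not SecurID's algorithm.
"""
import hashlib
import hmac
import struct

# RFC 6238 test secret; a real token's factory seed is the equivalent and
# must be stored with the same care the paper asks for encryption keys.
SEED = b"12345678901234567890"


def totp(seed, unix_time, step=30, digits=8):
    """Code for the time window that contains unix_time.

    The window counter is the only input besides the seed, which is why
    anyone holding the seed can reproduce every code the token will show.
    """
    counter = int(unix_time) // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(seed, submitted, unix_time, step=30, digits=8, window=1):
    """Accept the code for the current window or its +/- `window`
    neighbours, to tolerate clock drift between token and server.
    Uses a constant-time comparison so the check does not leak how
    many leading digits matched.
    """
    for delta in range(-window, window + 1):
        expected = totp(seed, unix_time + delta * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test points: 59 -> 94287082, 1111111111 -> 14050471 (SHA1).
    for t in (59, 1111111111):
        print(t, totp(SEED, t))
    # A token that changes every 60 seconds, as the paper describes SecurID,
    # is the same computation with step=60.
    print("60 s window at t=120:", totp(SEED, 120, step=60))
    print("accepted one window late:", verify(SEED, totp(SEED, 59), 89))
```

The verifier side is where policy matters: the seed database that `verify` reads from is exactly the asset the paper says the RSA attackers reached, and once it is copied the `totp` computation is all an attacker needs, whatever the token hardware does.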

RSA's network initially came under a social engineering attack when low level employees received "two different phishing emails over a two day period" (Rivner, 2011) containing Excel spreadsheet attachments harboring malicious code. The employees did not have the necessary security training to advise them not to open the attachments, or to forward them to a security department for examination. When the infected attachments were opened, a Trojan was executed that began an escalation of privilege until the attacker was able to access the accounts of individuals with credentials to access the database containing the seeds used for initializing the SecurID tokens. See appendix, figure 3 for a visual of the various stages of the APT attack strategy on RSA. Additionally, the algorithm used to generate the random number from the seed was also compromised, rendering the SecurID tokens vulnerable. Shortly after the RSA attack, "several large defense contractors" (Diodati, 2011) were attacked and had confidential data removed from their systems.

RSA utilized the latest in security technology, enabling the company's Computer Incident Response Team to detect and stop the attack quickly, but not quickly enough to stop the attackers from obtaining confidential data. In RSA's case it was not a lack of technology but instead a lack of policy on training employees to recognize threats, and of procedures for non-technical employees to confirm or report those threats, that led to the data breach. A policy defining the amount of training employees receive, what types of threats they should be trained to watch for, and ways for non-technical employees to report suspicious e-mails could have prevented the initial attack.

Companies must be prepared for the transition to cyberspace. New e-commerce opportunities for online retailers will also bring new opportunities for cybercrime and cybercriminals. For companies offering e-commerce, these case examples should be used to understand the risks of exposing networks to the internet. If companies are not properly prepared for the internet threats of tomorrow they will lose money, reputation and consumer confidence. For retailers that wish to thrive in this new environment, a proper network defense, strongly enforced security policies, and proper training will allow companies to defend against the new attacks that will be attracted when money changes hands on the internet. Security is not simply technology; it is the human implementation, enforcement, and management of that technology, supported by security policy, which enables a strong defense.


References

Berg, G., Freeman, M., & Schneider, K. (2008, August). Analyzing the TJ Maxx data security fiasco. The CPA Journal, 34-39. Retrieved from http://www.nysscpa.org/cpajournal/2008/808/essentials/p34.htm

Diodati, M. (2011, June 2). The seed and the damage done: RSA SecurID [Web log post]. Retrieved from Gartner: http://blogs.gartner.com/mark-diodati/2011/06/02/the-seed-and-the-damage-done-rsa-securid/

Goodin, D. (2008, May 27). TJX employee fired for exposing shoddy security. The Register. Retrieved from http://www.securityfocus.com/news/11520

Rivner, U. (2011, April 1). Anatomy of an attack [Web log post]. Retrieved from RSA: http://blogs.rsa.com/rivner/anatomy-of-an-attack/

RSA SecurID. (2011). Securing your future with two-factor authentication. Retrieved from EMC Corporation website: http://www.rsa.com/node.aspx?id=1156

Zetter, K. (2010, March 25). TJX Hacker Gets 20 Years in Prison [Web log post]. Retrieved from WIRED threat level: privacy, crime and security online: http://www.wired.com/threatlevel/2010/03/tjx-sentencing/


Appendix

Figure 1: Payment Card Industry (PCI) Data Security Standard (DSS) Control Objectives and Requirements

Build and Maintain a Secure Network
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  Requirement 3: Protect stored cardholder data
  Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  Requirement 5: Use and regularly update anti-virus software
  Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data by business need-to-know
  Requirement 8: Assign a unique ID to each person with computer access
  Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  Requirement 10: Track and monitor all access to network resources and cardholder data
  Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
  Requirement 12: Maintain a policy that addresses information security

Source: PCI Security Standards Council


Figure 2: Suspected TJX Data Retention Practice Compared with PCI Standards

Data Item                              Data Retained by TJX   PCI Retention Standards
Cardholder Data
  Primary Account Number (PAN)         Yes                    Yes
  Cardholder Name*                     Yes                    Yes
  Service Code*                        Yes                    Yes
  Expiration Date*                     Yes                    Yes
Sensitive Authentication Data†
  Full Magnetic Stripe                 Yes                    No
  CVC2/CVV2/CID                        Yes                    No
  PIN/PIN Block                        Yes                    No

* Must be protected if stored in conjunction with PAN.
† Sensitive authentication data must not be stored after authorization (even if encrypted).

(Berg, Freeman, Schneider, 2008)

Figure 3: The Various Stages of the APT Attack Strategy on RSA

[Figure image not reproduced in this transcript.]

(Rivner, 2011)
