Security in e-commerce

While many security issues in e-commerce are the same as general security issues, some are specific to the kind of software e-commerce businesses use: databases, in particular databases that are accessed remotely, online forms, and shopping carts. Below we consider these specific vulnerabilities as well as more general ones.

SSL

SSL transfers data in encrypted form. All information that a customer might want to keep private should be transmitted over SSL. Such information should definitely include the credit card number and related details, and may, depending on the type of business, include the customer's name, address, and the list of products the customer is buying. It should also include the customer's password and any order ID.

An SSL connection (i.e. a connection via https instead of http) should be the default for transmitting customer information. However, it is often not the default on commercial web sites. The usual reason is that an SSL connection is slower than a plain http connection, because of the cost of encryption and decryption and of the key exchange at the start of each connection. eBay was recently criticized for transmitting passwords in the clear rather than encrypted.
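One way to make https the default rather than something the customer has to ask for is to refuse to serve customer pages over plain http at all. The following is an added example, not code from the original page: a small WSGI middleware in Python (standard library only) that redirects every http request to the https URL before the application sees it, marks any session cookie Secure so the browser never sends it back over http, and adds a Strict-Transport-Security header so later visits go straight to https. The demo application, the host name shop.example and the TRUSTED_PROXY setting are constructed for this example.

```python
"""Force https for customer data: a WSGI middleware (constructed example, stdlib only)."""
from typing import Callable, Iterable, List, Tuple
from urllib.parse import quote

Headers = List[Tuple[str, str]]


def request_is_https(environ: dict) -> bool:
    """Trust wsgi.url_scheme. Honour X-Forwarded-Proto only when the deployment sets
    TRUSTED_PROXY (assumption: a TLS-terminating proxy in front of the application);
    otherwise a client could forge the header and talk plain http."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "").lower()
    return bool(environ.get("TRUSTED_PROXY")) and forwarded == "https"


def https_url(environ: dict) -> str:
    """Same host, path and query string, but with the https scheme."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


def force_https(app: Callable) -> Callable:
    """Wrap a WSGI application so that only https requests reach it."""

    def wrapped(environ: dict, start_response: Callable) -> Iterable[bytes]:
        if not request_is_https(environ):
            # Plain http: redirect without reading the request body, so a form
            # submitted over http is never processed.
            start_response("301 Moved Permanently",
                           [("Location", https_url(environ)), ("Content-Length", "0")])
            return [b""]

        def secure_start_response(status: str, headers: Headers, exc_info=None):
            fixed: Headers = []
            for name, value in headers:
                if name.lower() == "set-cookie":
                    attrs = [p.strip().lower() for p in value.split(";")]
                    if "secure" not in attrs:
                        value += "; Secure"  # browser will not send this cookie over http
                fixed.append((name, value))
            # Tell the browser to use https for this host for the next year.
            fixed.append(("Strict-Transport-Security", "max-age=31536000"))
            return start_response(status, fixed, exc_info)

        return app(environ, secure_start_response)

    return wrapped


def demo_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Constructed stand-in for an order-status page that sets a session cookie."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; HttpOnly")])
    return [b"order details"]


def run(app: Callable, environ: dict):
    """Call a WSGI app with a constructed environ; return (status, headers, body)."""
    captured = {}

    def start_response(status: str, headers: Headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    app = force_https(demo_app)
    env = {"wsgi.url_scheme": "http", "HTTP_HOST": "shop.example",
           "PATH_INFO": "/cart", "QUERY_STRING": "id=7", "REQUEST_METHOD": "GET"}
    print(run(app, env))                                    # 301 to the https URL
    print(run(app, dict(env, **{"wsgi.url_scheme": "https"})))  # served, cookie marked Secure
```

The redirect is issued before the application runs, so a login form or cart update posted over http is dropped rather than processed and then redirected.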

How reliable is SSL itself? In 1998 Daniel Bleichenbacher, then at Bell Labs, discovered a problem with the version of SSL in use at that time: by sending a long sequence of specially constructed messages and studying the error messages the server returned for each, an attacker could work out the key used in a particular session (the key that SSL encrypts with RSA at the start of the connection, not the server's long-term private key). Since then SSL has been patched so that no information about the key can be gathered from error messages: a server that finds a malformed message behaves exactly as if decryption had succeeded and carries on with a random session key, so the attacker receives the same response either way. At the time the problem was considered more theoretical than practical, because figuring out the key required around a million messages sent against a single connection. SSL is considered a secure way of transmitting private information.
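The following is an added illustration in Python, not code from the original page, of the mechanism behind the 1998 problem and of the fix. It models the RSA-encrypted session key exchange with a 92-bit key built from two Mersenne primes (constructed, far too small for real use) and a one-byte "session key" in place of the real 48-byte one. The vulnerable server returns a different response when the decrypted block is not in the PKCS#1 v1.5 format 00 02 || padding || 00 || key; the hardened server substitutes a random key on a malformed block and answers identically. Because decrypting c * s^e mod n yields s * m mod n, an attacker who can tell the two responses apart learns, for any multiplier s of their choosing, whether s * m mod n is correctly formatted, which is the single bit per query the full attack builds on. The interval-narrowing part of the attack is not included; the point shown is that the oracle exists in one server and not in the other.

```python
"""Toy PKCS#1 v1.5 decryption oracle versus the SSL/TLS countermeasure (constructed example)."""
import os

# Constructed toy key: 2^31-1 and 2^61-1 are both prime; the modulus is 92 bits (12 bytes).
P = 2 ** 31 - 1
Q = 2 ** 61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)
K = (N.bit_length() + 7) // 8       # modulus length in bytes: 12
B = 2 ** (8 * (K - 2))              # correctly formatted plaintexts lie in [2B, 3B)


def pkcs1_v15_conforming(block: bytes) -> bool:
    """True iff block is 00 02 || PS (at least 8 non-zero bytes) || 00 || M."""
    if len(block) != K or block[:2] != b"\x00\x02":
        return False
    sep = block.find(b"\x00", 2)    # first zero byte after the 00 02 header, or -1
    return sep >= 10                # positions 2..9 must all be non-zero padding


def pkcs1_v15_pad(msg: bytes) -> bytes:
    ps_len = K - 3 - len(msg)
    assert ps_len >= 8, "message too long for this modulus"
    ps = bytes(b if b else 1 for b in os.urandom(ps_len))   # padding bytes must be non-zero
    return b"\x00\x02" + ps + b"\x00" + msg


def encrypt(block: bytes) -> int:
    return pow(int.from_bytes(block, "big"), E, N)


def decrypt_block(c: int) -> bytes:
    return pow(c, D, N).to_bytes(K, "big")


def vulnerable_server(c: int) -> str:
    """1998-style behaviour: a distinct alert for a malformed block leaks one bit per query."""
    block = decrypt_block(c)
    if not pkcs1_v15_conforming(block):
        return "decrypt_error"
    return "proceed"


def hardened_server(c: int) -> str:
    """Countermeasure as later written into TLS (RFC 5246, 7.4.7.1): on a malformed block,
    substitute a random session key and continue. The mismatch only surfaces later as the
    same generic handshake failure, so the response to this message is uniform."""
    block = decrypt_block(c)
    if pkcs1_v15_conforming(block):
        session_key = block[block.find(b"\x00", 2) + 1:]
    else:
        session_key = os.urandom(1)   # same length as the real payload in this toy (1 byte)
    del session_key                   # the handshake would continue with it here
    return "proceed"


def probe(server, c: int, multipliers) -> dict:
    """Attacker's view: send c * s^e mod n for each s and record the server's response.
    With the vulnerable server the response answers "is s*m mod n PKCS-conforming?"."""
    return {s: server((c * pow(s, E, N)) % N) for s in multipliers}


if __name__ == "__main__":
    m = pkcs1_v15_pad(b"k")          # the (toy) session key, correctly formatted
    c = encrypt(m)
    print("vulnerable:", probe(vulnerable_server, c, [1, 2, 3]))   # s=1 proceeds, s=2,3 error
    print("hardened:  ", probe(hardened_server, c, [1, 2, 3]))     # all proceed
```

With the key sizes above, 2m and 3m do not wrap around the modulus and start with 00 04 or higher, so the vulnerable server's answers for s = 1, 2, 3 are fixed regardless of the random padding; the hardened server gives no way to tell them apart.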

Database vulnerabilities

More common vulnerabilities in e-commerce are caused by remotely accessed databases. Below are some examples:

Shopping cart vulnerabilities

Numerous vulnerabilities have been discovered in shopping carts, both commercially produced and "home made" ones:

Customer's passwords

Many online businesses use customer passwords to authorize access to sensitive data (such as order information). However, one has to be extremely careful about how the password system works. Here are potential problems: In general, a business web site may be better off without customer passwords, and should not rely on them for protection of sensitive information.

Installing recent patches

Software bugs and vulnerabilities are discovered every day. Even though many of them are found by security experts rather than by hackers, they may still be exploited by hackers once they become public knowledge. That is why it is important to install all software patches as soon as they become available.
This page has been created and is maintained by Elena Machkasova
Comments and suggestions are welcome at emachkas@wellesley.edu

Spring Semester 2002