Successful e-commerce depends on security. A single breach that
hits the headlines can do untold damage to consumer confidence, to
say nothing of the risks to the e-commerce organisation
itself.
No self-respecting commercial organisation takes the safety of its
e-commerce operation lightly and most go to considerable lengths to
ensure customers that the site they are using is safe.
Many e-commerce sites have a security policy stating they do not
store customer's credit card details and carry "kite mark" type
security endorsements from third parties. But this does not
necessarily guarantee security.
CW360.com commissioned security firm ProCheckUp to report on
e-commerce site vulnerabilities. The survey, using publicly
available information, uncovered a range of potential problems on
popular Web sites ranging from badly configured firewalls to
unpatched server software and weak levels of encryption.
The potential problems the survey revealed do not mean sites are
unsafe or that the staff administering them are at fault, rather
they point to the range of difficulties faced by IT professionals
in securing e-commerce operations.
Too much patch work
Among the sites tested by
the ProCheckNet system, unpatched software was a key issue. The
tests examined publicly accessible information on 20 Web servers to
ascertain the version of software being run, strength of encryption
and configuration of firewalls.
Companies developing Web software usually issue fixes to their
software, know n as patches, when they discover or are alerted of
bugs or security holes known as exploits.
A typical security policy, as outlined in the TrustUK logo
programme sponsored by the DTI, is for Web sites to follow
recommendations from their IT suppliers to ensure the site is
secure. However, software suppliers issue patches constantly and in
a complex e-commerce system, software from many companies could be
used, making the job of tracking and applying patches extremely
difficult.
Graham Titterington, senior analyst at Ovum says the biggest
problem IT departments face is the quantity of patches being issued
by software firms: "If you use IIS [the Microsoft Web server] and
the Windows platform, there are almost 350 patches a year."
Maintaining the updates, says Titterington, is a full time job. He
advises companies to run regular security assessments and consider
using a managed service provider to handle security on their Web
sites. Security is about "calculated risk. It is all down to
money," he explains.
Richard Brain, technical director at ProCheckUp, highlights
security flaws that could be targeted by an attack aimed at giving
a hacker control over the Web server: "Even where companies say
they do not store credit card information, the hacker basically can
modify a Web page to send a copy of the credit card details to his
e-mail account," he told CW360.com.
An intruder would not necessarily need to gain system
administration privileges, just the same security rights of the Web
server, says Brain. The process involved is similar to that used to
hack Web pages and put up an obscene message on a site, he
adds.
Department store Allders, which recently revamped its site, belongs
to the government-backed TrustUK programme. However, ProCheckNet
identified one example on the previous Allders site of an unpatched
Java server.
On another of the sites ProCheckNet reported that a Web-based
publishing tool called WebDav from Microsoft, had not been
disabled. "If you follow the Microsoft security guidelines this
software should only be loaded onto internal development sites"
says Brain. "Having it on production sites might open the server to
both current and future vulnerabilities."
The burning issue
A common problem identified
by the ProCheckNet tool was poorly configured firewalls. The
firewall is the first line of defence for securing a Web site and
while misconfiguration would not necessarily make a site insecure,
it does offer hackers a means of attack.
In the report from the ProCheckNet test, Brain said music retailer
HMV's Web site firewall appeared to be poorly configured which
"could give intruders access to applications on the [site]".
Responding to this information, Stuart Rowe, e-commerce director at
HMV Europe said: "our security is one of the fortes of the site".
He says the company uses IBM's AS/400 hardware, a server he
believes nobody hacks and adds that the company maintains its
systems internally, using IBM Global Services to deal with any
escalation of problems.
Encryption holds the key
Sites use encryption
to make it more difficult for hackers to find consumers' personal
details and credit card information.
A spokeswoman for gift e-tailer Past Times told CW360.com: "We have
the highest level of security that we can [use]. We keep our Web
site as fully up to date as we can with regard to security bug
fixes and patches, updating them when updates are released."
However, the ProCheckNet test reported security on the Past Times
site was only 56-bit strength. Until 18 months ago this was the
highest level of encryption that the US government allowed its
native security firms to sell aboard.
Now, however, the general industry consensus on strong security
favours 128-bit encryption. A 56-bit encryption policy is 2 to the
power of 72 times easier to break, according to Brain. "Plans have
been published to build cipher crackers able to break 56-bit code
within hours," he says.
Although the government this week launched a campaign to boost
consumer confidence in consumer sites, a recent survey of 1,001 UK
consumers found 83% of people said they would not be shopping
online this Christmas.
How the results were complied >>
These are the sites included in the CW360.com/ProCheckUp
test:
Allders
>>Amazon UK
>>Argos >>Boots
>>
Dixons >>Harrods
>>Heals >>HMV
>>
John Lewis >>Marks & Spencer
>>Past Times
>>Sainsbury's
>>WH Smith
>>Majestic Wine Warehouse
>>
We also checked a few other sites people may visit:
Go >>Cahoot
>>
Inland Revenue online self assessment
>>
HSBC
>>
Lloyds TSB
>>
The trainline >>