No self-respecting commercial organisation takes the safety of its e-commerce operation lightly, and most go to considerable lengths to assure customers that the site they are using is safe.
Many e-commerce sites have a security policy stating they do not store customers' credit card details, and carry "kite mark" type security endorsements from third parties. But this does not necessarily guarantee security.
CW360.com commissioned security firm ProCheckUp to report on e-commerce site vulnerabilities. The survey, using publicly available information, uncovered a range of potential problems on popular Web sites ranging from badly configured firewalls to unpatched server software and weak levels of encryption.
The potential problems the survey revealed do not mean sites are unsafe or that the staff administering them are at fault, rather they point to the range of difficulties faced by IT professionals in securing e-commerce operations.
Too much patch work
Among the sites tested by the ProCheckNet system, unpatched software was a key issue. The tests examined publicly accessible information on 20 Web servers to ascertain the version of software being run, strength of encryption and configuration of firewalls.
Companies developing Web software usually issue fixes to their software, known as patches, when they discover or are alerted to bugs or security holes; the code that takes advantage of such a hole is known as an exploit.
A typical security policy, as outlined in the TrustUK logo programme sponsored by the DTI, is for Web sites to follow recommendations from their IT suppliers to ensure the site is secure. However, software suppliers issue patches constantly and in a complex e-commerce system, software from many companies could be used, making the job of tracking and applying patches extremely difficult.
Graham Titterington, senior analyst at Ovum, says the biggest problem IT departments face is the quantity of patches being issued by software firms: "If you use IIS [the Microsoft Web server] and the Windows platform, there are almost 350 patches a year."
Maintaining the updates, says Titterington, is a full-time job. He advises companies to run regular security assessments and consider using a managed service provider to handle security on their Web sites. Security is about "calculated risk. It is all down to money," he explains.
Richard Brain, technical director at ProCheckUp, highlights security flaws that could be targeted by an attack aimed at giving a hacker control over the Web server: "Even where companies say they do not store credit card information, the hacker basically can modify a Web page to send a copy of the credit card details to his e-mail account," he told CW360.com.
An intruder would not necessarily need to gain system administration privileges, just the same security rights as the Web server itself, says Brain. The process involved is similar to that used to deface Web pages and put up an obscene message on a site, he adds.
Department store Allders, which recently revamped its site, belongs to the government-backed TrustUK programme. However, ProCheckNet identified one example on the previous Allders site of an unpatched Java server.
On another of the sites ProCheckNet reported that a Web-based publishing tool from Microsoft called WebDAV had not been disabled. "If you follow the Microsoft security guidelines this software should only be loaded onto internal development sites," says Brain. "Having it on production sites might open the server to both current and future vulnerabilities."
The burning issue
A common problem identified by the ProCheckNet tool was poorly configured firewalls. The firewall is the first line of defence for securing a Web site and while misconfiguration would not necessarily make a site insecure, it does offer hackers a means of attack.
In the report from the ProCheckNet test, Brain said music retailer HMV's Web site firewall appeared to be poorly configured which "could give intruders access to applications on the [site]".
Responding to this information, Stuart Rowe, e-commerce director at HMV Europe, said: "our security is one of the fortes of the site". He says the company uses IBM's AS/400 hardware, a server he believes nobody hacks, and adds that the company maintains its systems internally, using IBM Global Services to deal with any escalation of problems.
Encryption holds the key
Sites use encryption to make it more difficult for hackers to find consumers' personal details and credit card information.
A spokeswoman for gift e-tailer Past Times told CW360.com: "We have the highest level of security that we can [use]. We keep our Web site as fully up to date as we can with regard to security bug fixes and patches, updating them when updates are released."
However, the ProCheckNet test reported encryption on the Past Times site was only 56-bit strength. Until 18 months ago this was the highest level of encryption that the US government allowed its native security firms to sell abroad.
Now, however, the general industry consensus on strong security favours 128-bit encryption. A 56-bit encryption policy is 2 to the power of 72 times easier to break, according to Brain. "Plans have been published to build cipher crackers able to break 56-bit code within hours," he says.
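The survey described above checked three things from the outside: the version a server advertises in its banner, whether WebDAV has been left enabled on a production host, and the strength of the session encryption. The following is an added example written for this article, not ProCheckUp's ProCheckNet tool, showing how a site's own administrators could run the same kind of self-audit offline against captured response headers. The two HTTP responses, the host names and the key sizes are constructed for illustration.

```python
"""Offline self-audit of the three findings the survey reported:
version banners, WebDAV left enabled, and weak session key length.
Added example (not ProCheckUp's code); all sample data is constructed."""

import re
from typing import Dict, List, Optional, Set

# Constructed sample: raw HTTP response headers two hypothetical shops
# might return to an OPTIONS request on their front page.
SAMPLE_RESPONSES: Dict[str, str] = {
    "shop-a.example": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Microsoft-IIS/5.0\r\n"
        "DAV: 1, 2\r\n"
        "Allow: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL\r\n"
        "\r\n"
    ),
    "shop-b.example": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache\r\n"
        "Allow: GET, HEAD, POST\r\n"
        "\r\n"
    ),
}

# Constructed: symmetric key length negotiated by each shop's TLS/SSL session.
SAMPLE_KEY_BITS: Dict[str, int] = {"shop-a.example": 56, "shop-b.example": 128}

# HTTP methods that only exist because WebDAV is loaded.
WEBDAV_METHODS: Set[str] = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
MIN_KEY_BITS = 128  # the industry consensus the article cites


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn raw response headers into a lowercase-keyed dict; the status line is dropped."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def allowed_methods(headers: Dict[str, str]) -> Set[str]:
    """Methods the server lists in its Allow header, normalised to upper case."""
    return {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}


def webdav_exposed(headers: Dict[str, str]) -> bool:
    """True if the server advertises a DAV compliance header or any WebDAV method."""
    return "dav" in headers or bool(allowed_methods(headers) & WEBDAV_METHODS)


def version_disclosed(headers: Dict[str, str]) -> Optional[str]:
    """Return the Server banner if it reveals a version number, else None."""
    server = headers.get("server", "")
    return server if re.search(r"\d", server) else None


def effort_ratio(weak_bits: int, strong_bits: int) -> int:
    """How many times more work an exhaustive key search needs at strong_bits than at weak_bits."""
    return 2 ** (strong_bits - weak_bits)


def audit(host: str, raw: str, key_bits: int) -> List[str]:
    """Run the three checks on one host and return human-readable findings."""
    headers = parse_headers(raw)
    findings: List[str] = []
    banner = version_disclosed(headers)
    if banner:
        findings.append(f"{host}: exact server version visible in banner ({banner}); "
                        f"patch level can be matched against public advisories")
    if webdav_exposed(headers):
        methods = sorted(allowed_methods(headers) & WEBDAV_METHODS)
        findings.append(f"{host}: WebDAV enabled on a production host "
                        f"(methods: {', '.join(methods) or 'DAV header only'}); disable it")
    if key_bits < MIN_KEY_BITS:
        findings.append(f"{host}: {key_bits}-bit encryption is 2^{MIN_KEY_BITS - key_bits} times "
                        f"easier to brute-force than {MIN_KEY_BITS}-bit; raise the cipher floor")
    return findings


def audit_all() -> Dict[str, List[str]]:
    """Audit every constructed sample host."""
    return {host: audit(host, raw, SAMPLE_KEY_BITS[host]) for host, raw in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for host, findings in audit_all().items():
        print(host, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The ratio check reproduces Brain's figure: moving from a 56-bit to a 128-bit key multiplies the brute-force effort by 2^72. In a real deployment the headers would come from an OPTIONS request against your own host and the key length from the negotiated cipher suite, but the checks themselves do not change.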
Although the government this week launched a campaign to boost consumer confidence in online shopping sites, a recent survey of 1,001 UK consumers found 83% of people said they would not be shopping online this Christmas.
These are the sites included in the CW360.com/ProCheckUp test:
Amazon UK
John Lewis
Marks & Spencer
Past Times
WH Smith
Majestic Wine Warehouse
We also checked a few other sites people may visit:
Inland Revenue online self assessment
Lloyds TSB
The trainline
This was first published in February 2003