Saturday, January 24, 2009

Is your E-Commerce Web Site Secure?

Electronic Commerce (e-commerce) websites have two basic objectives: making money and saving money online.

Some Kenyan companies primarily go online to increase their business turnover and profile.

Not all companies can profitably sell products and services online, but all companies can save money by using the internet for business research and services.

The bottom line is that we are witnessing a surge in online transactions. This has proportionally spawned more attacks on e-commerce web sites, because they conduct business and hold valuable information, for example credit card numbers or other private, personal data.

Most of these attacks exploit vulnerabilities found in e-commerce websites. Your business website is vulnerable to denial of service attacks, defacement, data theft and fraud, where data is manipulated or actual theft occurs.

Other common technical attacks include SQL injection, information disclosure, path disclosure, price manipulation, buffer overflows and cross-site scripting. I shall outline SQL injection and price manipulation vulnerabilities for now.

SQL injection is an attack in which user-supplied input is incorporated into a database query. An attacker typically determines whether a site is vulnerable by sending in the single-quote (') character. The error message generated discloses the back-end technology being used and allows the attacker to access areas of the site.

SQL injection techniques differ depending on the database. For example, SQL injection on an Oracle database is done primarily using the UNION keyword. SQL injection vulnerabilities are common and can allow unfettered execution of malicious database queries.
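To show the mechanics behind the single-quote probe described above, here is an added example (not code from the original post). It builds a small in-memory SQLite table, which is an assumption for the sake of a self-contained demo, and contrasts a login query assembled by string concatenation with one that uses a parameterised query. The table, user names and passwords are constructed sample data; a real site would store password hashes, not plaintext.

```python
import sqlite3


def make_db():
    """Create a constructed in-memory users table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The 'before' version: user input is pasted into the SQL text.

    A lone single quote breaks the string literal, so the database raises a
    syntax error. Returned to the browser, that error discloses the back-end
    technology, which is exactly the probe the article describes.
    """
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # In a real deployment this message would be logged server-side,
        # never echoed to the client.
        return {"error": str(exc)}
    return {"rows": [r[0] for r in rows]}


def login_safe(conn, username, password):
    """The hardened version: placeholders keep input out of the SQL text.

    The driver passes the values separately from the query, so a quote in
    the input is just data and can never change the query's structure.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    rows = conn.execute(sql, (username, password)).fetchall()
    return {"rows": [r[0] for r in rows]}


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "'", "x"))   # syntax error leaks the backend
    print(login_safe(db, "'", "x"))         # no error, simply no match
    print(login_safe(db, "alice", "s3cret"))
```

The practical check for a defender is the first call: if a single quote in any form field produces a database error page, the query is being built from strings. The fix is the second function, applied to every query the site runs.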

Another common vulnerability is price manipulation, where an attacker uses a web application proxy to modify the amount that is payable as this information flows from the user's browser to the web server. It is particular to online shopping carts and payment gateways.
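The price manipulation attack works only when the server trusts an amount that came from the browser. The following added example (not from the original post) shows the server-side check that defeats it: the order total is recomputed from the shop's own catalogue, and any client-supplied price or total is treated purely as a value to compare against and log. The catalogue, SKUs and prices are constructed sample data, and the order dictionary stands in for a parsed form submission.

```python
from decimal import Decimal

# Constructed catalogue; in a real shop this is looked up in the database.
CATALOG = {
    "SKU-100": Decimal("1500.00"),
    "SKU-200": Decimal("250.00"),
}


def validate_order(submitted):
    """Recompute the payable amount from the catalogue and compare it with
    whatever the client sent.

    submitted is a dict shaped like a parsed cart submission:
      {"items": [{"sku": "SKU-100", "qty": 1, "price": "1500.00"}, ...],
       "total": "1750.00"}
    Returns (ok, server_total, reason). Only server_total may ever be
    forwarded to the payment gateway.
    """
    server_total = Decimal("0")
    for item in submitted.get("items", []):
        sku = item.get("sku")
        if sku not in CATALOG:
            return False, None, f"unknown sku {sku!r}"
        try:
            qty = int(item.get("qty", 0))
        except (TypeError, ValueError):
            return False, None, "invalid quantity"
        if qty <= 0:
            return False, None, "invalid quantity"
        # item["price"] is deliberately ignored: the catalogue is authoritative.
        server_total += CATALOG[sku] * qty

    try:
        client_total = Decimal(str(submitted.get("total", "0")))
    except Exception:
        return False, server_total, "unparseable total"

    if client_total != server_total:
        # A mismatch is the detection signal for a tampered request;
        # log it with the session identifier rather than silently correcting.
        return (
            False,
            server_total,
            f"total mismatch: client sent {client_total}, server computed {server_total}",
        )
    return True, server_total, "ok"


if __name__ == "__main__":
    honest = {
        "items": [{"sku": "SKU-100", "qty": 1, "price": "1500.00"},
                  {"sku": "SKU-200", "qty": 1, "price": "250.00"}],
        "total": "1750.00",
    }
    # Same cart, but every monetary field rewritten in transit.
    tampered = {
        "items": [{"sku": "SKU-100", "qty": 1, "price": "1.00"},
                  {"sku": "SKU-200", "qty": 1, "price": "0.00"}],
        "total": "1.00",
    }
    print(validate_order(honest))
    print(validate_order(tampered))
```

Because the per-item price fields are never read, rewriting them consistently with a rewritten total still fails the check; the only inputs the server accepts from the cart are the SKU and the quantity.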

Building and maintaining an e-commerce site is a dynamic process. Static websites that do not constantly change their security controls are extremely vulnerable to attack.
Network level protection is not enough. Secure websites need to use advanced configurations and filtering mechanisms. Packet filtering and application filtering firewalls provide capabilities that go a long way in securing your website.

It is also advisable to cooperate with your ISP. Most methods of defence include blocking unwanted network traffic, such as blocking fragmented packets.

The rule of thumb is not to neglect your e-commerce site. Static websites that are never improved or maintained contain obsolete technology that is insecure. A dynamic website is harder to attack.