Web e-commerce applications that handle payments (online banking, electronic transactions or using debit cards, credit cards, PayPal or other tokens) have more compliance issues, are at greater risk of being targeted than other websites, and face greater consequences if data is lost or altered. Banking services are highly regulated, but even the smallest electronic retailer is affected by the Payment Card Industry Data Security Standard (PCI DSS). Recently, this has become more widely known due to increased publicity and enforcement following last year's update to clarify and add requirements.
Protecting payment web application users and application systems requires a combination of administrative, technological and physical controls. Watson Hall provides independent security analyst services for organisations developing, operating or purchasing such software systems.
Example e-commerce security projects
Electronic crime, sometimes referred to as technology crime, e-crime or cybercrime, refers to crimes that can only be committed using information technology such as phishing, data theft and payment fraud. Software called crimeware (that can assist man-in-the-middle attacks, botnets and key logging) is increasingly easy to find and deploy against targets, and e-commerce websites in particular are often seen as the "sweet spots", especially by organised crime. Whilst some one-off attacks may be the result of disgruntled customers, ongoing and organised attacks are more likely to be undertaken internally by staff or externally by organised criminals.
The attraction of obtaining bank account and payment card details, and the fraud which can subsequently be attempted using the compromised data, means that e-commerce applications, like banking services, are a particularly popular target.
The e-commerce application is not simply the transaction or payment screens on the website. Bank account and payment card data will exist in many locations. It is necessary to identify where the data exists, why it is required as well as who can access it and where they are allowed to transfer it. This policy needs to be communicated to staff along with other security awareness training, enforced and audited.
Attaching devices to an internal network, or transferring data externally, carries a high potential risk. If you invest effort and resources in building a secure data centre, and tightly controlled and managed authentication, authorisation and audit practices, this could all be wasted if any data is stored on a laptop, iPod, digital camera, MP3 player, PDA or removable storage device (e.g. USB mass storage device) and this device is mislaid, accessed by an unauthorised person (partner, spouse, child, friend), lost or stolen. Even if the data is not sensitive and does not contain account details, user names, passwords, bank account or payment card data, the cost to the organisation of responding to the situation and the subsequent loss of confidence can be huge.
All systems that may be connected in some manner with the application will create vulnerabilities. If you allow wireless access from mobile devices, this requires careful planning and management to ensure that incoming and outgoing data are secure, monitored and auditable. Your customers and suppliers may be using insecure wireless or compromised systems to access the application.
Users working collaboratively on documents through sophisticated cross-company systems increase the risk of data loss, data contamination and infection by viruses, worms, Trojans or other unauthorised software. Such systems may be peer-to-peer or web-based, but in either model, the security trust and management needs to be defined.
Staff, other employees and partners
E-commerce data breaches can be greater or exacerbated where there is internal involvement. This may be voluntary or involuntary, such as through inadvertent download and execution of malware.
For new employees, background checks should be undertaken depending upon the level of access they will have to e-commerce systems - over and above the usual recruitment checks. Annual employee reviews should include security matters. Partner organisations need to be assessed and then reviewed periodically.
Security awareness programmes need to be defined, implemented and communicated. This education is an ongoing requirement and needs to be reinforced with the support of senior management.
Contracts of employment and computer usage policies need to allow for adequate monitoring and investigation should the need arise. This combined with separation of duties, data classification, a clear access control policy and strong authentication will deter fraud and aid detection when it has occurred.
A multi-faceted strategy is needed to develop an integrated approach to e-commerce security. Each component of the e-commerce system should be robust and have its own independent security controls in place.
Raising security awareness by contributing to industry-wide initiatives and liaising with governmental and law enforcement agencies will help your business understand the threats and trends. Ensuring that secure development methodologies are used for programming, and that security best practice is applied throughout the organisation, will build a solid platform from which to deter electronic crime. Using staff and website user security awareness training, data classification and protection, and staff controls and checks will assist in reducing the vulnerabilities. Applying a strategy of "defence in depth" to protect e-commerce systems will help mitigate the effect of botnet attacks, and a supported and maintained plan for incident detection, prevention and management needs to be in place.
Other web security analysis services from Watson Hall
development security and compliance,
security best practice,
security due diligence.
Contact Watson Hall
E-commerce is the new target for organised crime. Weak security is not an option.
Watson Hall, located in the centre of London, undertakes consultancy on e-commerce security. Contact Watson Hall to see how we can assist your implementation, operation and compliance of e-commerce websites and applications.