This page intentionally left blank

Transcription

1

2 This page intentionally left blank

3 270 CHAPTER 4 E-commerce Security and Payment Systems many open communication ports that can be used, and indeed are designed to be used, by external computers to send and receive messages. The port typically attacked is TCP port 445. However, given their complexity and design objectives, all operating systems and application software, including Linux and Macintosh, have vulnerabilities. Social Network Security Issues Social networks like Facebook, Twitter, and LinkedIn provide a rich and rewarding environment for hackers. Viruses, site takeovers, identity theft, malware-loaded apps, click hijacking, phishing, and spam are all found on social networks (US-CERT, 2011). For instance, in 2011, hackers defaced Pfizer s Facebook page, took over the Twitter accounts of both USA Today and NBC News, and stole millions of LinkedIn passwords (Sophos, 2012). The Ramnit worm stole account information from more than 45,000 Facebook users. By sneaking in among our friends, hackers can masquerade as friends and dupe users into scams. Social network firms have thus far been relatively poor policemen because they have failed to aggressively weed out accounts that send visitors to malware sites (unlike Google, which maintains a list of known malware sites and patrols its search results looking for links to malware sites). Social networks are open: anyone can set up a personal page, even criminals. Most attacks are social engineering attacks that tempt visitors to click on links that sound reasonable. Social apps downloaded either from the social network or a foreign site are not certified by the social network to be clean of malware. It s clicker beware. Mobile Platform Security Issues The explosion in mobile devices has broadened opportunities for hackers. Mobile users are filling their devices with personal and financial information, making them excellent targets for hackers. In general, mobile devices face all the same risks as any Internet device as well as some new risks associated with wireless network security. While most PC users are aware their computers and Web sites may be hacked and contain malware, most cell phone users believe their cell phone is as secure as a traditional landline phone. As with social network members, mobile users are prone to think they are in a shared, trustworthy environment. Mobile cell phone malware was developed as early as 2004 with Cabir, a Bluetooth worm affecting Symbian operating systems (Nokia phones) and causing the phone to continuously seek out other Bluetooth-enabled devices, quickly draining the battery. More recently, Ike4e.B appeared on jailbroken iphones, turning the phones into botnetcontrolled devices. An iphone in Europe could be hacked by an iphone in the United States, and all its private data sent to a server in Poland. Ike4e.B established the feasibility of cell phone botnets. Many if not most apps written for Android phones have poor protection for user information, and Google removed more than 100 malicious apps from the Android Market in 2011 (Sophos, 2012). The first malicious iphone app was also discovered and removed from the itunes Store. And it is not just rogue applications that are dangerous, but also popular legitimate applications that simply have little protection from hackers (Kolesnikov-Jessup, 2011; US-CERT 2010). Via Forensics, a mobile security firm in Chicago, found in a study of 50 popular iphone apps that only three had adequate protection for usernames, passwords, and other sensitive

4 Technology Solutions 271 data. Servers of mobile service providers like AT&T and Verizon are also vulnerable. In 2011, two computer hackers were arrested for allegedly breaking into AT&T s servers to gather addresses and other personal information of about 120,000 users of Apple s ipad, including corporate chiefs, U.S. government officials, and Hollywood moguls. The hackers did not use the information (Bray, 2011). Vishing attacks target gullible cell phone users with verbal messages to call a certain number and, for example, donate money to starving children in Haiti. Smishing attacks exploit SMS messages. Compromised text messages can contain and Web site addresses that can lead the innocent user to a malware site. A small number of downloaded apps from app stores have also contained malware. Madware innocentlooking apps that contain adware that launches pop-up ads and text messages on your mobile device is also becoming an increasing problem. Read the Insight on Technology case, Think Your Smartphone Is Secure? for a further discussion of some of the issues surrounding smartphone security. Cloud Security Issues The move of so many Internet services into the cloud also raises security risks. From an infrastructure standpoint, DDoS attacks threaten the availability of cloud services on which more and more companies are relying. Safeguarding data being maintained in a cloud environment is also a major concern. For example, researchers identified several ways data could be accessed without authorization on Dropbox, which offers a popular cloud file-sharing service. Dropbox has also experienced several security snafus, including leaving all of its users files publicly accessible for four hours in June 2011 due to a software bug, the discovery of a security hole in its ios app which allowed anyone with physical access to the phone to copy login credentials, and the theft of usernames and passwords in August To combat some of these issues, Dropbox has implemented a number of measures, including two-factor authentication, which relies on two separate elements something you know, such as a password, coupled with a separately generated code. Around the same time, a hack into writer Mat Honan s Apple icloud account using social engineering tactics allowed the hackers to wipe everything from his Mac computer, iphone, and ipad, which were linked to the cloud service, as well as take over his Twitter and Gmail accounts (Honan, 2012). These incidents highlight the risks involved as devices, identities, and data become more and more interconnected in the cloud. 4.3 Technology Solutions At first glance, it might seem like there is not much that can be done about the onslaught of security breaches on the Internet. Reviewing the security threats in the previous section, it is clear that the threats to e-commerce are very real, potentially devastating for individuals, businesses, and entire nations, and likely to be increasing in intensity along with the growth in e-commerce. But in fact a great deal of progress has been made by private security firms, corporate and home users, network administrators, technology firms, and government agencies. There are two lines of defense:

5 272 CHAPTER 4 E-commerce Security and Payment Systems Insight on Technology Think Your Smartphone Is Secure? So far, there have been few publicly identified, large-scale, smartphone security breaches. In 2012, the biggest security danger facing smartphone users is that they will lose their phone. In reality, all of the personal and corporate data stored on the device, as well as access to corporate data on remote servers, are at risk. In many Wall Street firms, losing your company phone means you lose your job. Still, criminals find stealing financial and personal data from PCs much easier and more lucrative than attacking cell phones. But with smartphones outselling PCs in 2012, and with smartphones increasingly being used as payment devices, they are likely to become a major avenue of malware. Have you ever purchased anti-virus software for your smartphone? Probably not. Many users believe their iphones and Androids are unlikely to be hacked because Apple and Google are protecting them from malware apps, and that the carriers like Verizon and AT&T can keep the cell phone network clean from malware just as they do the land-line phone system. Telephone systems are closed and therefore not subject to the kinds of attacks that occur on the open Internet. To date, there has not been a major smartphone hack resulting in millions of dollars in losses, or the breach of millions of credit cards, or the breach of national security, but just because it has not happened yet doesn t mean that it won t. With 116 million smartphone users in the United States, 122 million people accessing the Internet from mobile devices, business firms increasingly switching their employees to the mobile platform, consumers using their phones for financial transactions and even paying bills, the size and richness of the smartphone target for hackers is growing. The smartphone ecosystem is a very large target today, and rich with potential criminal opportunities. Users of smartphones download and open files with their browsers, and send and receive financial, personal, and commercial information. Hackers can do to a smartphone just about anything they can do to any Internet device: request malicious files without user intervention, delete files, transmit files, install programs running in the background that can monitor user actions, and potentially convert the smartphone into a robot that can be used in a botnet to send and text messages to anyone. Apps are one avenue for potential security breaches. Apple, Google, and RIM (BlackBerry) now offer over 1.25 million apps collectively. Apple claims that it examines each and every app to ensure that it plays by Apple s itunes rules, but risks remain. Most of the known cases that occurred thus far have involved jailbroken phones. The first iphone app confirmed to have embedded malware made it past Apple into the itunes store in July However, security company Kaspersky expects the iphone to face an onslaught of malware within the next year. Apple itunes app rules make some user information available to all apps by default, including the user s GPS position and name. However, a rogue app could easily do much more. Nicolas Seriot, a Swiss researcher, built a test app called SpyPhone that was capable of tracking users and all their activities, then transmitting this data to remote servers, all without (continued)

6 Technology Solutions 273 user knowledge. The app harvested geolocation data, passwords, address book entries, and account information. Apple removed the app once it was identified. That this proof-ofconcept app was accepted by the itunes staff of reviewers suggests Apple cannot effectively review new apps prior to their use. Thousands of apps arrive each week. Security on the Android platform is much less under the control of Google because it has an open app model. As a result, the Android has been the primary smartphone target, and instances of malware on the Android platform have reportedly increased by 400%. Google does not review any of the apps for the Android platform but instead relies on technical hurdles to limit the impact of malicious code, as well as user and security expert feedback. Google apps run in a sandbox, where they cannot affect one another or manipulate device features without user permission. Android apps can use any personal information found on a Droid phone but they must also inform the user what each app is capable of doing, and what personal data it requires. Google removes from its official Android Market any apps that break its rules against malicious activity. One problem: users may not pay attention to permission requests and simply click Yes when asked to grant permissions. Apple s iphone does not inform users what information apps are using, but does restrict the information that can be collected by any app. Google can perform a remote wipe of offending apps from all Droid phones without user intervention. This is a wonderful capability, but is itself a security threat if hackers gain access to the remote wipe capability at Google. In one incident, Google pulled down dozens of mobile banking apps made by a developer called 09Droid. The apps claimed to give users access to their accounts at many banks throughout the world. In fact, the apps were unable to connect users to any bank, and were removed before they could do much harm. Google does take preventive steps to reduce malware apps such as vetting the backgrounds of developers, and requiring developers to register with its Google Wallet payment service (both to encourage users to pay for apps using their service but also to force developers to reveal their identities and financial information). Beyond the threat of rogue apps, smartphones of all stripes are susceptible to browser-based malware that takes advantage of vulnerabilities in all browsers. In addition, most smartphones, including the iphone, permit the manufacturers to remotely download configuration files to update operating systems and security protections. Unfortunately, flaws in the public key encryption procedures that permit remote server access to iphones have been discovered, raising further questions about the security of such operations. Some commentators dismiss these concerns as more hype than reality. But reality may be catching up with the hype. SOURCES: iphone Malware: Spam App Find and Call Invades App Store, by Zach Epstein, BGR.com, July 5, 2012; iphone Malware: Kaspersky Expects Apple s ios to be Under Attack by Next Year, by Sara Gates, Huffington Post, May 15, 2012; Android, Apple Face Growing Cyberattacks, by Byron Acohido, USA Today, June 3, 2011; Security to Ward Off Crime on Phones, by Riva Richmond, New York Times, February 23, 2011; AT&T Plans Smartphone Security Service for 2012, John Stankey, AT&T Enterprise CTO, interview May 16, 2012; Smartphone Security Follies: A Brief History, by Brad Reed, Network World, April 18, 2011; Experts: Android, iphone Security Different But Matched, by Elinor Mills, CNET News, July 1, 2010; Apple Security Breach Gives Complete Access to Your iphone, by Jesus Diaz, Gizmodo.com, August 3, 2010; iphone Certificate Flaws, iphone PKI Kandling flaws, by Cryptopath.com, January 2010.

7 274 CHAPTER 4 E-commerce Security and Payment Systems Figure 4.5 TOOLS AVAILABLE TO ACHIEVE SITE SECURITY There are a number of tools available to achieve site security. Encryption is the process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the receiver. The purpose of encryption is (a) to secure stored information and (b) to secure information transmisencryption the process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the receiver. The purpose of encryption is (a) to secure stored information and (b) to secure information transmission cipher text text that has been encrypted and thus cannot be read by anyone other than the sender and the receiver technology solutions and policy solutions. In this section, we consider some technology solutions, and in the following section, we look at some policy solutions that work. The first line of defense against the wide variety of security threats to an e-commerce site is a set of tools that can make it difficult for outsiders to invade or destroy a site. Figure 4.5 illustrates the major tools available to achieve site security. Protecting Internet Communications Because e-commerce transactions must flow over the public Internet, and therefore involve thousands of routers and servers through which the transaction packets flow, security experts believe the greatest security threats occur at the level of Internet communications. This is very different from a private network where a dedicated communication line is established between two parties. A number of tools are available to protect the security of Internet communications, the most basic of which is message encryption. Encryption