While many security issues in e-commerce are the same as general security issues, some of them are specific of the kind of software used by e-commerce businesses: databases, in particular databases which are accessed remotely, online forms and shopping carts. Below we consider these specific vulnerabilities.

More common vulnerabilities in e-commerce are caused remotely accessed databases. Below are some examples:

(i)    Running SQL queries bases on data entered by the user may allow a malicious user to append their own query to the one that is supposed to be executed. Similar things can be done, in addition to online forms, with URL rewriting and cookies. Note that the user can easily type in any URL into the browser window, including a URL which contains an extra query. The user can also easily alter a cookie which resides on the user’s computer

To avoid these vulnerabilities, one has to check the data entered by the user, as well as URLs and cookies, to make sure that they are of the correct format. One can also restrict privileges of the process running search queries so that it is not allowed to remove data from the database. One also has to be careful not to expose table names in the text of online forms, since this attack requires the hacker to know the table name in order to delete the information from it.

(ii)    Another group of database security issues comes form exposing database servers to hackers. To prevent unauthorized access, database servers should be inside a firewall. It is also important that database passwords and user names are not exposed in web pages that a user can see (not only in plain text, but also in hidden fields, and in Java script code). Such passwords and user names should be transmitted encrypted.

(iii)    Since many employees of an online business have access to the database, their account names and passwords should be kept secure. Also, all code that contains passwords for database access (such as Java code of applets and servlets) should be stored securely.

Numerous vulnerabilities have been discovered in shopping carts, both commercially produced and “home made” ones:

(i)    Price manipulation: If a price of the product is passed as a hidden parameter in an online form and the value of the parameter is used to determine the charge on the credit card, then a customer can easily replace the HTML page with the form by their own page, where all the information is the same, but the price is changed to a lower one.

(ii)    Transaction modification: uses a similar idea. If the merchant’s site redirects the user to another website for credit card verification or sends a request for the charge tot eh credit card company, this is often done via a POST request may contain the amount of the credit card charge of the kind of transaction (some transactions may be specified as “test”, in which case no actual charge takes place). The user may modify the amount of charge or mark their transaction as “test”.

(iii)    Exposing Merchant’s ID: When the merchant sends a credit card charge request, the request may contain the merchant’s ID. If the ID is exposed in the website forms, a hacker may use this ID to send their own requests to the credit card company. The request may include canceling a transaction, thus crediting money to the credit card. Hackers also may use merchant’s ID to check if a credit card number is valid.

(iv)    Other things that may be exposed by poorly written shopping cart code are: IP addresses of database servers, user name and password for database access, names of database tables and columns. All this may cause theft, damage, or modification of the data stored in the database.

(v)    Another group of break-ins is related to so-called back door access to a shopping cart: Shopping carts come with passwords that allow the owner to change settings or access information in the shopping cart or the database. Initially these passwords re set to default. Once the default becomes known to hackers, the software can be easily accessed and changed to serve the purposes of the hacking.

Many online businesses use customer’s passwords to authorize access to sensitive data (such as the order information). However, one has to be extremely careful with how the password system works. Here are potential problems:

(i)    People Tend to Forget Their Passwords. A forgotten password needs to be reset. However, resetting a password should be done securely. The confirmation should be sent by e-mail, and the new password should not be used until the customer replies to the e-mail. One of the recent cases of security breaches involving changing passwords was discovered at eBay.

(ii)    Another possibility for stealing passwords is to “impersonate” a merchant and to request the user’s password. In general, a business website may be better off without customer’s passwords, and should not rely on them for protection of sensitive information.

For more help in E-Commerce Security Issue click the button below to submit your homework assignment