
E-Commerce Security Threats

E-Commerce Security Threats, and what you can do about it. Here are some numbers. In America, 8 out of 10 US consumers use the internet to shop. In 2012, $42.3 billion were spent online during Nov-Dec alone; $20.4 billion was lost to cyber crime in 2012. The Internet is a Dangerous Place.

kerryn


Presentation Transcript


  1. E-Commerce Security Threats And what you can do about it

  2. Here are some numbers
  • In America: 8 out of 10 US consumers use the internet to shop.
  • In 2012, $42.3 billion were spent online during Nov-Dec alone.
  • $20.4 billion was lost to cyber crime in 2012.

  3. The Internet is a Dangerous Place
  • 604,826 Million identities exposed per breach
  • Targeted attacks (42% + from 2011)
    • 50% Small-Medium business
    • 18% small business
    • 50% big business
  • Bot Nets
    • 2011: 3.1 million
    • 2012: 3.4 million

  4. Examples of Recent Security Breaches
  • Evernote: 10 million users’ data stolen. Passwords hashed + salted. (Phishing)
  • StratFor: 75,000 credit card numbers. 2.5 million emails. (Unsecure CMS plugin)
  • Sony: 77 million users’ data. Usernames, passwords, and credit card numbers. (Security through obscurity)
  • LivingSocial: 50 million users’ data. Name, email, DOB. Passwords hashed + salted.
  • 100 major universities (Harvard, Stanford..): 120,000+ emails, usernames, passwords. (SQL Injection)

  5. Means of Attack
  Things you can control:
  • Enforcing robust password practices
  • Avoiding security through obscurity
  • Implementing encryption for data transfers
  • Properly coded SQL
  • Cross Site Scripting
  • Social engineering
  Out of your control:
  • Physical server security
  • Trustworthy employees
  • Server updates
  • Usage of a firewall and intrusion detection system

  6. DDoS Attacks Becoming more and more popular amongst internet activists, a distributed denial-of-service attack is an attempt to make resources unavailable for legitimate users.

  7. Too much of a good thing?
  Both legitimately and illegitimately a website can be DDoSed (the Slashdot effect, or /b/).
  • It is done by using a large network of “zombie” PCs to request your website at the same time, using up your bandwidth and processor power
  • They can also flood TCP requests
  But how do I prevent it?
  • Don’t be hated on the internet
  • Implement caching, limit the amount of requests per IP, and purchase hardware

  8. Password Policy
  • How long to guess your password?
  • Require a complex password for your users
  • Change default passwords (WordPress admin, Linksys..)
  • Limiting login attempts is also advisable
  • These tend to be reused by users
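Slides 7 and 8 both recommend limiting: requests per source IP (against floods) and login attempts per account (against password guessing). The following is an added example, not code from the presentation, showing both limiters in Python. The limits (3 requests per 10 seconds, lockout after 2 failed logins for 30 seconds), the IP address and the account name are constructed values; the clock is injectable so the simulation can advance time without sleeping.

```python
import time
from collections import defaultdict, deque

# Assumed limits (not from the slides); a real deployment would tune these.
MAX_REQUESTS_PER_WINDOW = 3   # requests allowed per source IP per window
WINDOW_SECONDS = 10
MAX_FAILED_LOGINS = 2         # consecutive failures before the account locks
LOCKOUT_SECONDS = 30


class RequestThrottle:
    """Per-IP sliding-window limiter: slide 7's "limit requests per IP"."""

    def __init__(self, limit=MAX_REQUESTS_PER_WINDOW, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock                 # injectable for deterministic tests
        self.hits = defaultdict(deque)     # ip -> timestamps of recent requests

    def allow(self, ip):
        now = self.clock()
        recent = self.hits[ip]
        # forget requests that have fallen out of the window
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            return False                   # over budget: reject (HTTP 429 in a web app)
        recent.append(now)
        return True


class LoginLimiter:
    """Failed-attempt lockout per account: slide 8's "limit login attempts"."""

    def __init__(self, max_failed=MAX_FAILED_LOGINS, lockout=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        self.max_failed = max_failed
        self.lockout = lockout
        self.clock = clock
        self.failed = defaultdict(int)     # username -> consecutive failures
        self.locked_until = {}             # username -> time the lock expires

    def is_locked(self, username):
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:          # lockout expired: reset the counter
            del self.locked_until[username]
            self.failed[username] = 0
            return False
        return True

    def record(self, username, success):
        """Call after every login attempt; the caller refuses attempts while is_locked()."""
        if success:
            self.failed[username] = 0
            return
        self.failed[username] += 1
        if self.failed[username] >= self.max_failed:
            self.locked_until[username] = self.clock() + self.lockout


def simulate():
    """Drive both limiters with a fake clock and return what an operator would observe."""
    now = [0.0]

    def clock():
        return now[0]

    throttle = RequestThrottle(clock=clock)
    login = LoginLimiter(clock=clock)

    # constructed traffic: one source fires four requests within the same second
    burst = [throttle.allow("203.0.113.5") for _ in range(4)]
    now[0] += WINDOW_SECONDS + 1                 # the window has passed
    after_wait = throttle.allow("203.0.113.5")

    # constructed login attempts against one account
    login.record("alice", success=False)
    login.record("alice", success=False)         # second failure -> locked
    locked_now = login.is_locked("alice")
    now[0] += LOCKOUT_SECONDS + 1
    locked_later = login.is_locked("alice")
    return burst, after_wait, locked_now, locked_later


if __name__ == "__main__":
    print(simulate())
```

The two limiters are independent on purpose: the request throttle protects capacity regardless of who is asking, while the login limiter protects a specific account even when the guesses arrive slowly or from many addresses.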

  9. Cool trick This can help you make easy to remember passwords so you don’t have to keep on using the same one on every site. http://xkcd.com/936/

  10. Password Storage
  • Those passwords your users use: you can just save them in your database, or can you? Saving them in ‘clear text’ lets you and your employees see a person’s password, which has numerous security and privacy implications. So what can you do?
  • Hash them! But this still leaves them vulnerable to brute force and rainbow table attacks.
  • Salt them! Adding random characters to the end of the user’s password before hashing it, and keeping that saved in a separate database, adds another step for an intruder to overcome.
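The hash-and-salt advice from slide 10 as an added worked example, not code from the presentation. It assumes PBKDF2-HMAC-SHA256 with 200,000 iterations and a 16-byte random salt per user (assumed parameters), and stores the salt in the same record as the hash rather than in a separate database as the slide suggests; the user names and passwords are constructed.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters (not from the slides).
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return a storable string of the form pbkdf2_sha256$iterations$salt$hash.

    A fresh random salt per user means two users with the same password get
    different stored hashes, which is what defeats a precomputed rainbow table;
    the iteration count is what slows down a brute-force run.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        "pbkdf2_" + HASH_NAME,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_b64, hash_b64 = stored.split("$")
    if algo != "pbkdf2_" + HASH_NAME:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, int(iterations))
    # hmac.compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(candidate, expected)


def demo():
    """Constructed users; both happen to choose the same password."""
    users = {
        "alice": hash_password("correct horse battery staple"),
        "bob": hash_password("correct horse battery staple"),
    }
    return {
        "same_password_different_hashes": users["alice"] != users["bob"],
        "alice_ok": verify_password("correct horse battery staple", users["alice"]),
        "alice_wrong": verify_password("Tr0ub4dor&3", users["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

Keeping the algorithm name and iteration count inside the stored string lets you raise the cost later and re-hash each user on their next successful login without a flag day.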

  11. Security Through Obscurity
  • Security problems are usually a question of when they happen, not if.
  • Hiding your password list in a secret remote text file on your server might be well hidden, but anyone can find it.
  • You might be the only one who knows how that super awesome custom hashing algorithm you coded works, but that doesn’t mean someone can’t reverse engineer it and discover problems later.
  • That IPX network protocol on your 110 baud modem? Just because it is old doesn’t mean no one else knows how to get in.

  12. SSL Encryption Why would you want to encrypt data? When users log on, they have to submit their username and password over the internet, and anyone along the way can read it. Would you want your credit card number out in the open?

  13. Asymmetric Encryption
  • Authentication and encryption
  • They rely on the PKI (Public Key Infrastructure)
  • Vulnerable to man-in-the-middle (MITM) attacks
  • Costly
    • Buying a certificate
    • Processing requests
  [Figure: A Diffie–Hellman key exchange]

  14. You are not safe at Starbucks…
  • So-called “Man-in-the-Middle” attacks are carried out by eavesdropping on your connection
  • Using packet sniffers, they can intercept the data you send out and receive
  • For more sophisticated attacks they can also spoof an IP with the Address Resolution Protocol
  • SSL/TLS prevents this

  15. Cross Site Attacks
  • Cross Site Scripting
    • Client side scripts executed on webpages
  • Cross Site Request Forgery
    • Unencrypted form links
  • Prevention?
    • Whitelist and escape user input
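Slide 15's prevention advice ("whitelist and escape user input") as an added example in Python, not code from the presentation. It renders a constructed product review twice: once by pasting the input straight into the HTML, once with a whitelisted username and escaping applied for both the element body and the attribute it lands in. The whitelist pattern and the review text are assumptions for the example.

```python
import html
import re

# Whitelist for usernames (assumed policy, not from the slides): letters, digits, "_", ".", "-".
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def render_review_vulnerable(username, review):
    """What slide 15 warns about: user-supplied text pasted straight into the page."""
    return f'<p class="review" data-user="{username}">{review}</p>'


def username_accepted(username):
    """Whitelist check: True only if every character is in the allowed set."""
    return USERNAME_RE.match(username) is not None


def render_review_safe(username, review):
    """Whitelist the username and escape both values for their HTML context.

    html.escape(..., quote=True) also rewrites quote characters, which matters
    inside the data-user="..." attribute: without it a name containing a double
    quote could close the attribute and inject further markup.
    """
    if not username_accepted(username):
        raise ValueError("username contains characters outside the whitelist")
    return '<p class="review" data-user="{}">{}</p>'.format(
        html.escape(username, quote=True), html.escape(review, quote=True))


def demo():
    # constructed inputs: a review body carrying script, and a name that tries
    # to break out of the attribute it is placed in
    review = "<script>alert('xss')</script>"
    hostile_name = 'dave"><i>not dave</i>'
    return {
        "vulnerable": render_review_vulnerable("dave", review),
        "safe": render_review_safe("dave", review),
        "hostile_name_rejected": not username_accepted(hostile_name),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Escaping is context-dependent: the body and a quoted attribute are covered here, but text placed inside a script block or a URL needs its own encoding, so the cleanest rule is to let a templating engine that auto-escapes do the work and whitelist anything that must stay raw.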

  16. SQL Injections
  • Number one threat since 2010, according to the Open Web Application Security Project (OWASP)
  • Easy to execute
  • Severe organization impact

  17. SQL Injections, how do they work?
  • An innocent SQL statement:
    "SELECT * FROM users WHERE name = '" + userName + "';"
  • Replace the userName variable with:
    a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't
  • The new command becomes:
    SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';
  • And that is how someone just deleted your user table!

  18. SQL Injection Prevention
  • Use parameters to restrict user input:
    var cmd = new SqlCommand("SELECT * FROM users WHERE name = @userName", connection);
    cmd.Parameters.AddWithValue("@userName", userName);
  • This searches for the literal username "a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't" instead of executing it
  • Grant necessary permissions only
  • Authorize read on selected information only
    Example: DENY SELECT ON sys.tables TO webdatabaselogon;
  • Deny or limit xp_cmdshell
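Slides 17 and 18 side by side in running code, as an added example that is not part of the presentation. It uses Python's sqlite3 module with a constructed in-memory users table. sqlite3 executes only one statement per call, so the live run demonstrates the concatenation bug with a single-statement bypass payload (constructed) and shows the slide's DROP TABLE chain only as the string the concatenation produces; the parameterised version is then fed both payloads and treats them as plain text.

```python
import sqlite3

# The slide's payload, and a constructed single-statement bypass for the live run.
DROP_PAYLOAD = "a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't"
BYPASS_PAYLOAD = "' OR 't' = 't"


def make_db():
    """Constructed sample table; two rows are enough to show the difference."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def build_query_vulnerable(user_name):
    """Slide 17's 'innocent' statement: the value is glued into the SQL text."""
    return "SELECT * FROM users WHERE name = '" + user_name + "';"


def lookup_vulnerable(conn, user_name):
    """Runs whatever SQL the concatenation produced."""
    return conn.execute(build_query_vulnerable(user_name)).fetchall()


def lookup_safe(conn, user_name):
    """Slide 18's fix: the value travels as a bound parameter, never as SQL text."""
    return conn.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()


def table_exists(conn, table):
    row = conn.execute("SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
                       (table,)).fetchone()
    return row[0] == 1


def demo():
    conn = make_db()
    return {
        # the exact command the slide shows, produced by the concatenation
        "query_shown_on_slide": build_query_vulnerable(DROP_PAYLOAD),
        # concatenation: the WHERE clause is rewritten and every row comes back
        "vulnerable_bypass_rows": len(lookup_vulnerable(conn, BYPASS_PAYLOAD)),
        # parameters: no user is literally named "' OR 't' = 't", so nothing matches
        "safe_bypass_rows": len(lookup_safe(conn, BYPASS_PAYLOAD)),
        "safe_drop_rows": len(lookup_safe(conn, DROP_PAYLOAD)),
        "users_table_intact": table_exists(conn, "users"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The least-privilege bullets on slide 18 are the second layer: a parameterised query stops the text from becoming SQL, and a login that is denied DROP and denied reads on system catalogues limits the damage if some other query path still concatenates.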

  19. Dear Friend, I have an exciting business opportunity for you!
  How do they do it?
  • Scammers may also attempt to trick you or your employees into handing out private information
  • They may spoof their emails or phone calls to phish for specific data
  • Fake letters to renew your domain name by an unknown host
  Is there a way to avoid it?
  • Not really, but being skeptical and educated about new threats will let you avoid falling for these types of scams
  • Spam filters are nice too

  20. Pro Tips
  Things to do:
  • Change your default passwords
  • Encrypt personal data
  • Enforce user policies
  • Examine security/event logs
  • Validate your forms for malicious code
  Things to avoid:
  • Reusing the same password
  • Falling for email scams
  • Using unsecure connection methods
  • Giving too much information in error messages
  • Letting users upload files

  21. The End Any questions?
