The 3 Dimensions of eCommerce Security
December 3, 2008
Industry standards help to define common operational practices for information security management. As part of a competent information security program, penetration testing is often relied upon to identify technical weaknesses in applications. However, information security must take this approach into a third dimension by engaging the business, thoroughly understanding the application, and preventing non-technical weaknesses that abuse allowable parameters: that is, fraud. This article describes a few ways to protect an eCommerce system, including a list of controls that may help reduce fraud.
Firstly, the three dimensions:
- Industry standards such as ISO 27001, PCI DSS and SAS 70 can provide a level of assurance of operational practices (security policy, vulnerability management, etc.). This approach is sometimes known as top-down.
- Penetration testing provides a level of assurance that tested (and corrected) applications are less likely to succumb to known technical vulnerabilities and common coding weaknesses. This approach is referred to as bottom-up.
- Dimensions 1 and 2 may help an organisation appear security conscious; however, without examining controls in detail with a business mindset, the application may inadvertently allow non-technology based vulnerabilities, i.e. fraud.
While the first dimension is addressed in the relevant documentation of each standard, there are specific areas that are relevant to eCommerce. These practices normally form part of good vulnerability management and are priorities for an eCommerce system:
- Patching (e.g. update for known vulnerabilities)
- Hardening (e.g. remove unnecessary software)
- Encryption (e.g. use strong encryption algorithms)
- Secure configuration (e.g. enforce strong passwords)
Technical weaknesses in the eCommerce system may be identified by penetration testing. These will vary from system to system; however, the following are common focal points for reports relating to the second dimension:
- Shopping cart price/quantity manipulation
- Identification and authentication to secure areas
- Authorisation (access control) to resources in secure areas
- Session management (and encryption) to secure areas
- Protection of resources (Digital Rights Management)
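The first focal point above, price and quantity manipulation, is easiest to see in code. The following is an added example written for this article, not code from the original post: the vulnerable pattern (trusting the price and quantity posted by the browser) beside the hardened pattern (re-pricing every line from a server-side catalogue and validating the quantity). The catalogue prices, quantity limit and sample carts are constructed assumptions.

```python
"""Added example, not code from the original article: server-side
re-pricing of a shopping cart, shown as the vulnerable pattern beside the
hardened one. The catalogue prices and sample carts are constructed."""

# Constructed server-side catalogue: the only source of truth for prices.
CATALOGUE = {"SKU-100": 19.99, "SKU-200": 249.00}
MAX_QTY_PER_LINE = 10  # constructed business limit


class CartError(ValueError):
    """Raised when a submitted cart line fails validation."""


def total_trusting_client(cart: list[dict]) -> float:
    """Vulnerable pattern: uses the price and quantity exactly as posted by the browser."""
    return round(sum(line["price"] * line["qty"] for line in cart), 2)


def total_server_priced(cart: list[dict]) -> float:
    """Hardened pattern: price comes from the catalogue, quantity is validated."""
    total = 0.0
    for line in cart:
        sku = line.get("sku")
        if sku not in CATALOGUE:
            raise CartError(f"unknown sku {sku!r}")
        qty = line.get("qty")
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(qty, bool) or not isinstance(qty, int):
            raise CartError(f"quantity must be an integer, got {qty!r}")
        if not 1 <= qty <= MAX_QTY_PER_LINE:
            raise CartError(f"quantity {qty} out of range for {sku}")
        total += CATALOGUE[sku] * qty   # any client-supplied 'price' is ignored
    return round(total, 2)


def rejects(cart: list[dict]) -> bool:
    """True when the hardened checkout refuses the cart."""
    try:
        total_server_priced(cart)
    except CartError:
        return True
    return False


# Constructed carts: the first posts a tampered price, the second a negative quantity.
TAMPERED_PRICE = [{"sku": "SKU-200", "price": 0.01, "qty": 1}]
NEGATIVE_QTY = [{"sku": "SKU-100", "price": 19.99, "qty": 2},
                {"sku": "SKU-200", "price": 249.00, "qty": -1}]

if __name__ == "__main__":
    print("trusting client:", total_trusting_client(TAMPERED_PRICE))
    print("server priced  :", total_server_priced(TAMPERED_PRICE))
    print("negative qty rejected:", rejects(NEGATIVE_QTY))
```

The design choice worth noting is that the hardened version never reads the posted price at all; a tampered value is simply irrelevant, rather than something that has to be compared and rejected. The quantity check also closes the negative-quantity trick, which in the trusting version turns a second line into a refund against the first.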
Finally, let’s enter the third dimension! Guidance on addressing fraud is less common than in areas pertaining to the first and second dimensions. This may be because the controls are more specialised and must be tailored to the needs of the organisation.
This said, here are some controls to protect an eCommerce system from fraud:
- Account checks
  - check if the company field is empty, complete and/or known
  - compare country of account with that of the IP address
  - check if low fraud country or high fraud country
  - check the previous purchase profile (e.g. known customer?)
  - free email address check (e.g. hotmail/gmail)
  - anonymous proxy check (e.g. anonymizer)
  - block fraudulent accounts (e.g. account/IP/cookie)
- Transaction checks
  - completeness check
  - range checks
  - volume checks
- Payment processing
  - valid card check (including CVC/CV2)
  - verify address/postcode
  - participate in Verified by Visa and/or Mastercard SecureCode
- Suspect orders
  - hold suspect orders for manual verification
  - use out-of-band verification (e.g. call or SMS)
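The account, transaction and suspect-order controls above combine naturally into a rule-based screen that scores each order and routes it to accept, hold or block. The following is an added example written for this article, not code from the original post: every lookup table (free email domains, high fraud countries, proxy ranges, IP-to-country mapping, blocked accounts), every threshold and the sample orders are constructed assumptions, and the IP addresses are RFC 5737 documentation ranges. The payment-processing checks are left to the card processor and are not modelled here.

```python
"""Added example, not code from the original article: a rule-based fraud
screen that applies the account and transaction checks listed above to an
order and decides whether to accept it, hold it for manual verification,
or block it. Lookup tables, thresholds and sample orders are constructed
assumptions for illustration only."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed lookup data (assumptions, not real feeds).
FREE_EMAIL_DOMAINS = {"hotmail.com", "gmail.com"}
HIGH_FRAUD_COUNTRIES = {"XX"}                       # placeholder country code
ANONYMOUS_PROXY_RANGES = [ip_network("203.0.113.0/24")]
IP_TO_COUNTRY = {                                   # stand-in for a GeoIP lookup
    ip_network("198.51.100.0/24"): "GB",
    ip_network("192.0.2.0/24"): "US",
    ip_network("203.0.113.0/24"): "XX",
}
BLOCKED_EMAILS = {"fraudster@example.com"}
MAX_ORDER_VALUE = 2000.0      # range check ceiling
MAX_ORDERS_PER_DAY = 5        # volume check ceiling
HOLD_THRESHOLD = 3            # score at which an order is held for review


@dataclass
class Order:
    email: str
    company: str
    country: str          # billing country code on the account
    ip: str               # client address seen at checkout
    total: float
    quantity: int
    previous_orders: int  # completed orders on this account
    orders_last_24h: int  # orders placed from this account today


def country_for_ip(ip: str) -> str:
    """Geolocate an IP with the constructed table; '??' when unknown."""
    addr = ip_address(ip)
    for net, country in IP_TO_COUNTRY.items():
        if addr in net:
            return country
    return "??"


def is_anonymous_proxy(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ANONYMOUS_PROXY_RANGES)


def score_order(order: Order) -> tuple[int, list[str]]:
    """Apply each check; return the accumulated risk score and the rules hit."""
    hits: list[tuple[int, str]] = []

    # --- account checks ---
    if order.email in BLOCKED_EMAILS:
        hits.append((10, "blocked account"))
    if not order.company.strip():
        hits.append((1, "company field empty"))
    ip_country = country_for_ip(order.ip)
    if ip_country != order.country:
        hits.append((3, f"account country {order.country} != IP country {ip_country}"))
    if order.country in HIGH_FRAUD_COUNTRIES or ip_country in HIGH_FRAUD_COUNTRIES:
        hits.append((3, "high fraud country"))
    if order.previous_orders == 0:
        hits.append((1, "no purchase history"))
    if order.email.rpartition("@")[2].lower() in FREE_EMAIL_DOMAINS:
        hits.append((1, "free email address"))
    if is_anonymous_proxy(order.ip):
        hits.append((3, "anonymous proxy"))

    # --- transaction checks ---
    if "@" not in order.email or not order.country:                   # completeness
        hits.append((2, "incomplete order"))
    if not (0 < order.total <= MAX_ORDER_VALUE) or order.quantity <= 0:  # range
        hits.append((3, "value or quantity out of range"))
    if order.orders_last_24h > MAX_ORDERS_PER_DAY:                    # volume
        hits.append((3, "order volume too high"))

    return sum(points for points, _ in hits), [reason for _, reason in hits]


def decide(order: Order) -> str:
    """'block' for known-bad accounts, 'hold' for manual verification, else 'accept'."""
    score, reasons = score_order(order)
    if "blocked account" in reasons:
        return "block"
    return "hold" if score >= HOLD_THRESHOLD else "accept"


# Constructed sample orders.
KNOWN_CUSTOMER = Order("alice@acme.example", "Acme Ltd", "GB", "198.51.100.10",
                       120.00, 2, previous_orders=4, orders_last_24h=1)
SUSPECT = Order("bob@gmail.com", "", "GB", "192.0.2.7",
                1800.00, 1, previous_orders=0, orders_last_24h=1)
BLOCKED = Order("fraudster@example.com", "Shell Co", "US", "192.0.2.9",
                50.00, 1, previous_orders=2, orders_last_24h=1)

if __name__ == "__main__":
    for o in (KNOWN_CUSTOMER, SUSPECT, BLOCKED):
        print(o.email, decide(o), score_order(o)[1])
```

The point of returning the list of triggered rules alongside the score is that a held order goes to a person: the reasons are what the reviewer reads before making the out-of-band call or SMS, and they are what gets tuned when the weights prove too aggressive or too lax for the business.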
Besides the security controls mentioned throughout this article, even non-security related measures are likely to aid eCommerce. The organisation may take out insurance against fraud, garner confidence with consumers by offering a return guarantee, and/or entice sales with free shipping.