Data security is a major responsibility for firms that trade online. There are many ways in which security can be breached, giving attackers access to sensitive data, and the cost of a breach is not only technical. A study in America found that when a company announces that its security has been breached online, its market value drops by 2.1% within two days of the announcement, an average loss of $1.65 billion per incident (The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers). Credit card fraud rose 29% in the past year, according to a report by the Association for Payment Clearing Services (APACS); this is fraud committed by phone, mail and internet, where the card itself is never presented. Clearly firms face several challenges in keeping data secure and keeping the trust of their customers. Online security has been defined as "...the protection of assets on the Internet from unauthorised access, use, alteration, or destruction". Security is of two kinds, physical and logical. Physical security includes guards, fireproof doors, security fences and so on. Data security on the internet deals mainly with logical security: controlling who can read, change or destroy data once it is reachable over a network.
The internet was never designed to exchange value, i.e. money, which makes securing it more of a challenge. Because the internet is now 'always on', thanks to broadband and wireless access, firms and their customers are exposed continuously and face much more complex security issues. One of the largest and increasingly popular methods used by fraudsters to obtain information is known as "phishing". In September 2005, 106 brands were reported to have been phished, with notable rises in the use of the larger banks' names as well as many credit unions. Financial services made up 81.2% of reported incidents, Internet Service Providers 11.8%, retail 3.5% and the final 3.5% was reported as miscellaneous. Phishing involves a customer being sent a 'spoof' email purporting to come from an institution with which they have dealings. The email will usually explain that there is an issue with their account and ask the customer to click on a link, which takes them to a spoof site imitating the real one. For example, an email apparently from NatWest might say there has been suspicious activity on your bank account; unaware that anything is wrong, you click the link and sign in. The spoof site records the details you type and passes them to the fraudster, who can then sign in to the genuine site as you. This type of attack is hard to defend against, because nothing on the firm's own systems has been broken into; the main defence available to firms is educating customers to recognise a genuine site and a genuine email, and to check the address bar rather than trust the wording of a message. Email headers can sometimes be traced back to the sending system, and where the source can be identified the sender can be prosecuted, although phishing mail is often relayed through compromised machines, which makes tracing harder. The most commonly targeted firms are Visa, eBay and PayPal.
Another threat faced by firms is that of "script kiddies": inexperienced attackers who use readily available tools to find known holes in a web server's or network's security and exploit them. Having broken into a system they can deface it, maliciously altering text or graphics, and read data they should not have access to, including credit card details and any other sensitive information, depending of course on how well the website or network is secured. Script kiddies rely on basic, pre-packaged attacks to gain unauthorised access, but there are several other forms of attack. One of these is packet sniffing. A packet is a fragment of data: data transmissions are broken up into packets, and each packet contains a portion of the data being sent together with header information, which includes the destination address. A packet sniffer was originally designed to let a system administrator monitor the network, seek out problematic packets, prevent bottlenecks and ensure the smooth transmission of data. However, a packet sniffer can also be used maliciously. The sniffer reads the contents of packets, which can include usernames and passwords, and for protocols such as plain HTTP, FTP, Telnet and POP3 these are sent in clear text. Normally a network card accepts only the packets addressed to its own machine; a sniffer, however, can put the card into 'promiscuous' mode and capture every packet it can see on the network segment, regardless of destination. Clearly packet sniffers are a risk to customers buying from firms online, since their passwords can be read and their accounts accessed, unless the traffic is encrypted.
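To make the clear-text problem concrete, here is an added example (not code from the article) of what a malicious sniffer does once it has captured the payload of a connection: it looks for credentials in readable HTTP. The three captures at the bottom are constructed for this example; the TLS record shows that encrypted traffic gives the same extractor nothing to work with.

```python
"""Extract clear-text credentials from captured application payloads.

Added example, not code from the article: a minimal version of what a
malicious packet sniffer does once it has captured TCP payloads. The
sample captures below are constructed for this example.
"""
import base64
from urllib.parse import parse_qs

# Field names a sniffer typically greps for in web login forms.
USER_FIELDS = {"user", "username", "login", "email", "customerid"}
PASS_FIELDS = {"pass", "password", "passwd", "pwd", "pin"}


def extract_credentials(payload: bytes) -> list[tuple[str, str]]:
    """Return (username, password) pairs visible in one captured payload.

    Handles two common clear-text cases: HTTP Basic authentication and a
    urlencoded login form POST. Anything that is not readable HTTP (for
    instance a TLS record) yields nothing, which is the point of https.
    """
    found: list[tuple[str, str]] = []
    head, _, body = payload.partition(b"\r\n\r\n")
    try:
        headers = head.decode("ascii")
    except UnicodeDecodeError:
        return found  # binary data, e.g. TLS records: nothing readable

    # Case 1: Authorization: Basic base64(user:password)
    for line in headers.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "basic":
                try:
                    decoded = base64.b64decode(token, validate=True).decode()
                    user, _, pwd = decoded.partition(":")
                    found.append((user, pwd))
                except (ValueError, UnicodeDecodeError):
                    pass

    # Case 2: POST body of a login form
    if "application/x-www-form-urlencoded" in headers.lower() and body:
        fields = {k.lower(): v[0] for k, v in parse_qs(body.decode("utf-8", "replace")).items()}
        users = [fields[k] for k in fields if k in USER_FIELDS]
        pwds = [fields[k] for k in fields if k in PASS_FIELDS]
        if users and pwds:
            found.append((users[0], pwds[0]))
    return found


# Constructed sample captures (not real traffic).
HTTP_LOGIN_POST = (
    b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 35\r\n\r\n"
    b"username=alice&password=hunter2&x=1"
)
HTTP_BASIC_GET = (
    b"GET /account HTTP/1.1\r\nHost: shop.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"
)
# A TLS 1.2 application-data record: type 0x17, version 0x0303, length, opaque ciphertext.
TLS_RECORD = bytes.fromhex("170303") + (20).to_bytes(2, "big") + bytes(range(0x80, 0x94))


def sniff_all(captures) -> list[tuple[str, str]]:
    """Run the extractor over every captured payload and collect the credentials."""
    creds: list[tuple[str, str]] = []
    for capture in captures:
        creds.extend(extract_credentials(capture))
    return creds


if __name__ == "__main__":
    for user, pwd in sniff_all([HTTP_LOGIN_POST, HTTP_BASIC_GET, TLS_RECORD]):
        print(f"captured credential: {user!r} / {pwd!r}")
```

The two plain-HTTP captures give up their credentials immediately; the TLS record, although it carries the same kind of login underneath, is opaque bytes to the sniffer.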
One way for a hacker to reach data that is protected only by trust in network addresses is a technique called "IP spoofing". Every packet carries the address of the computer it came from, and many systems trust that address. By IP spoofing, the hacker forges the source address in the packets they send, so the receiving computer believes they are coming from a safe source: the hacker's computer has assumed the IP address of a trusted computer. Combined with packet sniffing on the same network, IP spoofing lets the hacker read packets intended for a different computer and inject their own. The hacker can disrupt the connection between the customer and, for example, their bank, and then step in and communicate with the bank; the bank's system believes it is still communicating with the customer, because the attacking computer has taken the customer's IP address. Spoofing alone does not let the attacker see the replies, which still go to the genuine address, so such attacks are usually combined with sniffing, or with flooding the genuine machine so that it cannot respond.
All of these methods of breaching a firm's security are used to obtain sensitive data; firms can also lose a great deal of business and income simply by having their website put out of action. A 'zombie' attack, a form of DoS (denial of service) attack, temporarily paralyses a website. The attacker first compromises other people's computers, typically through an open port or a trojan, turning them into 'zombies' under remote control; when many zombies are used the attack is called a distributed denial of service (DDoS). The attacker then instructs the zombie computers to send the target system a huge number of packets of useless information, usually around 500 packets per second from each. The flood overloads the system as it tries to process every packet and find a legitimate request among them; during this time the system is unable to serve customers and may crash altogether. This causes massive problems for firms trading online, because they cannot make any sales until the attack has been dealt with. There are around 4,000 DoS attacks per week, mostly aimed at home users and small foreign internet service providers, although larger firms such as AOL and Amazon have been hit. Although DoS attacks can cause huge losses, at the time of writing it was unclear whether they were actually illegal in the UK. In a case then ongoing, a teenager was charged under the Computer Misuse Act 1990 for sending his former employer some 5 million emails and so forcing the mail server offline; the defence argued that a mail server is set up to receive email, so the messages were not an 'unauthorised modification' of the computer under the Act as then written. (The Act was later amended by the Police and Justice Act 2006 to make it an offence to do any unauthorised act with intent to impair the operation of a computer, which covers denial of service explicitly.) Whatever the legal position, the firm targeted would have lost email contact with its clients, clients would have been unable to contact the firm, and some may have been put off doing business with it because of the problem.
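A flood of this kind is easy to see in traffic data if someone is counting. The following is an added example (not code from the article) of a per-source packet-rate detector over a sliding one-second window; the 500 packets per second quoted above is used as the default threshold, and the capture it runs over is constructed, using documentation addresses.

```python
"""Flag sources that flood a host with packets (added example, not from the article).

A denial-of-service flood shows up as one source sending far more packets
per second than a normal client would. This sliding-window counter flags
any source exceeding a per-second threshold. The sample capture is constructed.
"""
from collections import defaultdict, deque


class FloodDetector:
    def __init__(self, threshold_pps: int = 500, window_s: float = 1.0):
        self.threshold = threshold_pps
        self.window = window_s
        self._times = defaultdict(deque)  # source -> timestamps inside the window
        self.flagged = {}                 # source -> first time it exceeded the threshold

    def observe(self, ts: float, src: str) -> bool:
        """Record one packet; return True if src is over the threshold within the window."""
        q = self._times[src]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) > self.threshold:
            self.flagged.setdefault(src, ts)
            return True
        return False


def detect_floods(packets, threshold_pps: int = 500) -> dict:
    """packets: iterable of (timestamp_seconds, source_ip). Returns {src: first_flag_time}."""
    detector = FloodDetector(threshold_pps)
    for ts, src in packets:
        detector.observe(ts, src)
    return detector.flagged


def constructed_capture():
    """Constructed sample: a normal browsing client plus one zombie flooding at 1000 pps."""
    pkts = []
    # Normal client (RFC 5737 documentation address): 5 packets per second for 3 seconds.
    pkts += [(t / 5, "203.0.113.7") for t in range(15)]
    # Zombie: 1000 packets per second for 2 seconds, starting at t = 0.5 s.
    pkts += [(0.5 + t / 1000, "198.51.100.23") for t in range(2000)]
    pkts.sort()
    return pkts


if __name__ == "__main__":
    for src, first in detect_floods(constructed_capture()).items():
        print(f"flood from {src}, threshold exceeded at t={first:.3f}s")
```

The zombie crosses 500 packets in a window exactly half a second after it starts, at t = 1.0 s, while the normal client never comes close. In practice the threshold would be tuned per service, and a distributed attack needs the same count taken over the destination rather than each source.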
Another way hackers can affect a network or computer is by using a Trojan horse. Trojan horses are sent to people who are tricked into opening them because they are disguised as harmless programs. Trojan horses, like worms and viruses, vary in severity. Some merely have annoying effects such as changing desktop settings; others are more serious, deleting files or damaging the software installed on the machine. Trojans are also capable of "creating a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised." This obviously jeopardises the customer details held on an infected computer, and if the machine sits inside a firm's network the attacker may use it as a stepping stone to the systems holding customer data. Unlike viruses and worms, a trojan does not spread by itself; it depends on the victim running it, which again makes user education an important defence.
Clearly there are several challenges faced by firms attempting to ensure internet security. The simplest measure is to ensure that the customers who use the firm's online services are educated in internet security. For example, almost all banks carry warnings on their websites, with messages such as "Remember NatWest will never ask you for your PIN or Password in an e-mail." The website also offers other information on staying safe online. It warns against relying on the padlock icon (shown at the bottom of the browser window, or in the address bar in newer browsers) as the only judge of whether a site is safe. The icon alone is not proof of security; customers must also look at the address in the address bar. An address beginning 'http://' is not encrypted, whereas 'https://' is, and the address must also name the genuine site: a phishing page can itself use https, so the padlock proves only that the connection is encrypted to whoever owns the domain shown. Plain HTTP sends requests and responses as clear text over the network; this is the simplest thing to transmit and is understood by almost every application, but it is also easily read by anyone sniffing packets. The https system was therefore developed: the data is encrypted by the Secure Sockets Layer (SSL) protocol or its successor, Transport Layer Security (TLS), and the server proves its identity with a certificate. This gives the customer protection from anyone trying to read sensitive data in transit. The science behind such encryption is known as cryptography.
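The advice in the phishing section and in the paragraph above comes down to two questions a customer should ask of any link: is the connection encrypted, and does the address actually belong to the institution named? The following added example (not code from the article or from any bank) answers both for a link against a list of domains the customer knows to be genuine. natwest.com is the bank's real domain; the other hostnames are constructed lookalikes, and the two-label rule for the registrable domain is a simplification noted in the code.

```python
"""Check a link the way a cautious customer should (added example, not from the article).

Answers two questions about a URL taken from an email: is it https, and does
the host really belong to a trusted institution, or only contain its name?
The trusted list and the lookalike hostnames are assumptions for this example.
"""
from urllib.parse import urlsplit

# Domains the customer trusts; an assumption for this example.
TRUSTED_DOMAINS = {"natwest.com", "paypal.com", "ebay.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (example.com).

    Simplification: real code would use the Public Suffix List so that
    multi-label suffixes such as co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Classify a URL from an email and list the things a customer should notice."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    findings = []

    if parts.scheme != "https":
        findings.append("not encrypted (no https)")
    if parts.username is not None:
        # 'https://natwest.com@evil.example/' -- the real host is what follows the @
        findings.append("userinfo before @ hides the real host")
    if host.replace(".", "").isdigit():
        findings.append("bare IP address instead of a name")
    elif host and domain not in trusted:
        if any(t.split(".")[0] in host for t in trusted):
            findings.append(f"lookalike: trusted name appears but host is {domain}")
        else:
            findings.append(f"unknown domain {domain}")

    return {"host": host, "domain": domain, "safe": not findings, "findings": findings}


if __name__ == "__main__":
    for link in [
        "https://www.natwest.com/login",
        "http://www.natwest.com/login",
        "https://www.natwest.com.secure-login.example/",
        "https://secure-natwest.com/",
        "https://natwest.com@203.0.113.5/",
    ]:
        result = check_link(link)
        print(("OK  " if result["safe"] else "WARN"), link, result["findings"])
```

Note that the third and fourth links would both show a padlock if their owners bought a certificate, which is why the padlock alone is not enough and the domain has to be read from right to left.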
The most basic form of encryption is single-key (symmetric) cryptography. This method uses one key, shared by both parties, to encrypt and decrypt a message. For example, if user A wants to exchange messages with user B, user A must first send user B the key; B can then encrypt a message with it and send it to A, who decrypts it with the same key. This method clearly has several problems, one being that the key itself must be delivered over a secure channel before any message can be sent, and each user must trust the person they give the key to, who could easily pass it on to rivals. A more advanced system is public-key cryptography, on which Public Key Infrastructure (PKI) is built. This uses two mathematically related keys: one is freely available (the public key), so customers use it to encrypt their data, and that data can only be decrypted with the other key, the 'private key'. The firm receiving the data holds the private key and never has to send it to anyone; without it the data cannot be decrypted, so nobody intercepting it gains unauthorised access. In practice the two are combined: SSL/TLS uses public-key cryptography to agree a fresh symmetric key for each session and then encrypts the bulk of the traffic with that faster symmetric key. PKI itself is the system of certificates and trusted certificate authorities that tells the customer's browser which public key genuinely belongs to the firm, which is what the padlock relies on.
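The following added example (not code from the article) puts the three ideas side by side in runnable form: a shared-key cipher, a textbook public-key scheme, and the hybrid arrangement in which the public key only protects a fresh session key. The cipher and the unpadded RSA are teaching versions and must never be used for real data; the primes are the Mersenne primes 2^61-1 and 2^89-1, and the card number in the demonstration is constructed.

```python
"""Symmetric, public-key and hybrid encryption side by side.

Added example, not from the article. The keystream cipher and textbook RSA
below are deliberately minimal teaching versions: RSA without padding and a
hand-rolled stream cipher must never be used for real data. The primes are
the Mersenne primes 2^61-1 and 2^89-1; the sample message is constructed.
"""
import hashlib
import hmac
from math import gcd


# --- 1. single key (symmetric): one shared key both encrypts and decrypts ----------
def symmetric_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with an HMAC-SHA256 counter keystream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))


# --- 2. public key: anyone may encrypt with (n, e); only the holder of d can decrypt -
P, Q = (1 << 61) - 1, (1 << 89) - 1  # Mersenne primes, so n has about 150 bits


def rsa_keypair(p: int = P, q: int = Q, e: int = 65537):
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)  # public key, private key


def rsa_encrypt(public_key, m: int) -> int:
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


# --- 3. hybrid, as SSL/TLS does it: the public key protects a fresh session key and
#        the session key protects the bulk data ----------------------------------------
def hybrid_encrypt(public_key, plaintext: bytes, session_key: bytes, nonce: bytes):
    """Customer side: wrap the 16-byte session key with the firm's public key."""
    wrapped = rsa_encrypt(public_key, int.from_bytes(session_key, "big"))
    return wrapped, nonce, symmetric_xor(session_key, nonce, plaintext)


def hybrid_decrypt(private_key, wrapped: int, nonce: bytes, ciphertext: bytes) -> bytes:
    """Firm side: recover the session key with the private key, then the data."""
    session_key = rsa_decrypt(private_key, wrapped).to_bytes(16, "big")
    return symmetric_xor(session_key, nonce, ciphertext)


if __name__ == "__main__":
    import secrets

    pub, priv = rsa_keypair()
    msg = b"card 4111 1111 1111 1111 exp 12/09"  # constructed sample data
    key, nonce = secrets.token_bytes(16), secrets.token_bytes(12)
    wrapped, nonce, ct = hybrid_encrypt(pub, msg, key, nonce)
    print("ciphertext:", ct.hex())
    print("recovered :", hybrid_decrypt(priv, wrapped, nonce, ct))
```

The point to notice is in `hybrid_encrypt`: the customer never needs a secure channel to deliver the session key, because only the private key, which never leaves the firm, can unwrap it. That is the key-distribution problem of the single-key scheme removed, and the remaining question, whether the public key really is the firm's, is what certificates answer.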
All of these methods of security prevent hackers from reading data by packet sniffing, but to provide a more secure system the user must also protect themselves with a firewall. Firewalls are widely available and are one of the best known methods of protection. A firewall inspects all traffic coming into and going out of a network or a computer and checks that it meets the security policy chosen by the user. The firewall has several methods of protecting the customer, one of which is packet filtering: the firewall looks at the headers of each packet entering or leaving the network (source and destination addresses, protocol and port numbers) and either allows or denies it according to the rules configured. Packet filtering does have its drawbacks. Because it trusts the source address in the header, IP spoofing can sometimes beat a naive filter, unless the filter also rejects packets that arrive on the outside interface claiming an inside address; and rule sets can be fairly complex to set up correctly. Another technique that firewalls use is an application gateway (or proxy), which applies security mechanisms to specific applications, such as FTP and Telnet servers, by understanding the protocol itself rather than just the packet headers. This is very effective, but can impose a performance penalty.
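The following added example (not code from the article) ties the IP spoofing section to the packet-filtering paragraph above. It builds raw IPv4/TCP headers, which makes plain that the source address is simply whatever the sender writes into the packet, then runs them through a small stateless filter that, besides port rules, rejects packets arriving on the outside interface with an inside source address. The internal network, the addresses and the rule set are assumptions for this example.

```python
"""A stateless packet filter with an anti-spoofing rule (added example, not from the article).

Parses raw IPv4/TCP headers, applies allow/deny rules on protocol and
destination port, and, because the source address in a header is just bytes
the sender chose, rejects packets arriving on the outside interface that
claim an inside source address. Network, addresses and rules are constructed.
"""
import ipaddress
import struct

INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")  # assumption: the firm's internal network


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; over a valid header it returns 0."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) + header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Build a minimal IPv4 header plus a TCP SYN. src is whatever the caller says:
    writing someone else's address here is all that IP spoofing is."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto = 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, 6
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + tcp


def parse(packet: bytes) -> dict:
    """Pull the fields a packet filter looks at out of the raw headers."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto in (6, 17):  # TCP or UDP: ports are the first four bytes after the IP header
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    else:
        sport, dport = None, None
    return {
        "src": ipaddress.ip_address(packet[12:16]),
        "dst": ipaddress.ip_address(packet[16:20]),
        "proto": proto,
        "sport": sport,
        "dport": dport,
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
    }


# Rules are checked in order; first match wins. (action, protocol, destination port)
RULES = [
    ("allow", 6, 443),  # customers reaching the https web server
    ("allow", 6, 80),   # plain http, which the server redirects to https
    ("deny", 6, 23),    # telnet is never allowed in
]


def filter_packet(packet: bytes, iface: str) -> tuple[str, str]:
    """Return (verdict, reason) for a packet seen on the 'outside' or 'inside' interface."""
    p = parse(packet)
    if not p["checksum_ok"]:
        return "deny", "bad IPv4 header checksum"
    # Anti-spoofing (ingress filtering): a packet from the outside cannot
    # legitimately carry one of our own inside addresses as its source.
    if iface == "outside" and p["src"] in INSIDE_NET:
        return "deny", f"spoofed inside source {p['src']} on outside interface"
    for action, proto, dport in RULES:
        if p["proto"] == proto and p["dport"] == dport:
            return action, f"rule {action} proto {proto} dport {dport}"
    return "deny", "no matching rule (default deny)"


if __name__ == "__main__":
    web = "192.0.2.10"
    for label, pkt, iface in [
        ("customer to https", build_ipv4_tcp("203.0.113.9", web, 51000, 443), "outside"),
        ("spoofed inside src", build_ipv4_tcp("192.0.2.5", web, 51000, 443), "outside"),
        ("telnet from outside", build_ipv4_tcp("203.0.113.9", web, 51000, 23), "outside"),
        ("unknown port", build_ipv4_tcp("203.0.113.9", web, 51000, 8080), "outside"),
    ]:
        print(f"{label:20s} -> {filter_packet(pkt, iface)}")
```

Without the anti-spoofing check, the second packet would be allowed by the same rule as the first: nothing in the header distinguishes a forged source from a genuine one, which is the weakness of packet filtering the text refers to. A filter that keeps connection state, or an application gateway that speaks the protocol, closes more of that gap.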
Clearly there are many problems faced by firms and customers in ensuring that data is secure. A recent survey in America stated that one in four customers will not shop online because of security concerns. From this it is clear that despite all the security measures, customers do not have total faith in online security, although the same survey found that 81% of those interviewed use some form of security on their computer, which shows that customers are aware of the dangers. The most important thing for both customers and firms is to keep their security software and systems up to date. It is never possible to have a website fully safe from attackers, because attackers are always finding new ways to beat security systems; those who provide internet security and fight them have to keep finding new ways to combat them.
An article by Paris Wells
Website Manager for AJbiz.co.uk, a virtual assistant company that provides secretarial services.