Internet and E-Commerce Security

With the huge growth of the Internet, more and more companies are beginning to realise how important it is that they should have a presence. Many will simply advertise their presence and contact details on the World Wide Web and leave it at that. However, a growing number now realise the potential of moving beyond simple contact details and actually selling their products and services "online." This presents them with the new logistical problem of providing a method of payment for their customers. There is the need to ensure that customers' credit card details are safely and securely passed from customer to merchant, that card details are securely stored by the merchant, and that the card details are successfully passed to the bank. In addition, a lone merchant is faced with the prospect of convincing the customer of their security and integrity. This is where NetBanx is able to assist by relieving the merchant of these responsibilities.

Companies like NetBanx have resolved the problems of securely acquiring the customer's credit card details so that a payment to the merchant's account is made automatically. Having just one company do this for many merchants has many advantages. Firstly, only one company needs the knowledge of how to deal directly with the banks, rather than there being hundreds of potential links. Any link from one computer system to another is inherently a risk, and therefore the fewer connections there are, the smaller the risk is. Having only a few companies dealing with credit card transactions can theoretically make them a greater target. However, those few can then be prepared for that risk by concentrating on their security. This leaves the merchant able to concentrate on their own site content, knowing that the payment process is in professional hands.

There is also an additional advantage to a single company such as NetBanx handling all the transactions, and that is customer confidence. Any person who is faced with the prospect of buying goods or services over the World Wide Web has the problem of having to deal with a company that they have potentially never met. They may have no contact details other than the company's web address, and so they may naturally feel uneasy about giving out their credit card details. Where a merchant forwards the customer on to NetBanx for the payment, the customer is able to see that a well known company is receiving their credit card details. This of course also benefits the merchant, as the customer is more likely to proceed with the purchase. However, being well known as such a convenient place to authorise credit cards has a disadvantage: the service's ability to determine which cards are real can itself be abused. NetBanx has, however, put processes in place to detect and deny this.

As mentioned before, the major drawback of centralising online credit card transactions is the problem of becoming a greater target. It is therefore important that companies such as NetBanx take security very seriously. There are several different types of security that must be considered. The first and most basic is physical security. The most advanced security methods can be compromised by an unauthorised person, either from outside the company or even an employee of the company, being able to gain direct physical access to your computer system. An example of this is the fact that a well known make of network router can be totally compromised in less than two minutes by just connecting a laptop computer. To this end, as many measures as are appropriate should be put into place to prevent such access. You can start simply by using locked cabinets and doors, then electronic locks such as key entry or credit card swipes, up through to retina scans, razor wire fences, armed guards, and vicious dogs. The more methods that can be put into place the better, within reason of course.

Having dealt with the basic matter of not letting anyone in physically, companies are then faced with "remote" access attempts. Taken to the extreme, the most effective way of neutralising these attempts would be to not be accessible remotely, i.e. take your computer system, unplug it, lock it in a safe, and bury it in concrete. This makes it very secure, but quite useless. More appropriately, companies need to stop any remote access that is not explicitly required. In the case of NetBanx, the only remote access that is required is the ability for a client computer to request web pages from the servers, and to send credit card information to them. Therefore any other remote access is denied. Methods of doing this include but are not limited to "firewalls." Firewalls are computers that sit between a company's computer system and the Internet, and in some cases between different sections of the company's computer system. They are set up in such a way that only authorised connections may be made, and they allow the company's system administrators to concentrate on the single point of attack at the firewall rather than having to carefully examine every single machine on the network.

While being a good start, firewalls are not the only security mechanism that can be put in place and should not be the only one. Treat with caution any organisation that states anything resembling "We are secure, we have a firewall." Better still is to combine firewalls, used as the first line of defence, with additional layers of security. To start with, only those machines that are required to be visible on the Internet should be visible. All others should be hidden away behind further layers of security. The normal configuration for this would be to have only the company's web servers and FTP servers visible to the Internet. Machines that are not required to be visible, especially staff PCs, should be given private IP addresses that cannot be on the Internet, and any requests they make for data should be passed on to another machine that will forward the requests for them. Again, this allows the system administrators to concentrate on securing just that single machine. Most operating systems tend to install "fully open", with all services enabled and all the associated security holes ready for exploitation, so having to deal with these security issues by "hardening" only a small number of machines makes the task a whole lot easier.

An additional problem faced in securing a system is that all systems have software, and that software is likely to have some bugs. Many server programs such as mail servers and web servers are so large and complex that it is extremely difficult to locate all the bugs, and unfortunately hackers exploit these bugs in order to compromise the system. With most of these programs it is not possible to fix all these bugs, and any organisation can only rely on vendor fixes coming out and installing them before a hacker exploits them on the system. The best defence against this is to protect these programs by running much simpler "proxies" in their place. These can then "sanitise" any input that goes to the real server process (on a hidden machine) and will generally be very short, simple pieces of code that can be very carefully checked for exploitable bugs.
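
The following sketch illustrates the kind of short, checkable sanitising step described above. It is an added example, not code from NetBanx or from the original article; the function name `sanitise_request` and the policy constants are assumptions chosen for illustration. It refuses anything outside a strict allow-list and forwards a rebuilt request rather than the client's original bytes.

```python
import re

# Assumed policy (not from the original article): the hidden web server only
# needs GET and POST on plain paths, plus a handful of headers.
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_HEADERS = {"host", "content-type", "content-length"}
PATH_RE = re.compile(r"/[A-Za-z0-9/_.-]{0,255}")
VALUE_RE = re.compile(r"[\x20-\x7e]{0,256}")
MAX_REQUEST = 8192  # bytes, head and body together


def sanitise_request(raw: bytes):
    """Return a rebuilt request that is safe to forward, or None to refuse."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if len(raw) > MAX_REQUEST or not sep:
        return None
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    method, path, version = parts
    if method not in ALLOWED_METHODS or version not in ("HTTP/1.0", "HTTP/1.1"):
        return None
    if not PATH_RE.fullmatch(path) or ".." in path:
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        name, value = name.lower(), value.strip()
        if not colon or name in headers or not VALUE_RE.fullmatch(value):
            return None
        if name in ALLOWED_HEADERS:  # anything else is dropped, never forwarded
            headers[name] = value
    declared = headers.get("content-length", "0")
    if "host" not in headers or not declared.isdigit():
        return None
    if int(declared) != len(body) or (method == "GET" and body):
        return None
    # Forward a freshly built request, not the client's original bytes.
    head_out = [f"{method} {path} {version}"]
    head_out += [f"{k}: {v}" for k, v in sorted(headers.items())]
    return "\r\n".join(head_out).encode("ascii") + b"\r\n\r\n" + body
```

The body is forwarded unchanged once its length matches the declared value; field-level checks on submitted form data would be a further step in the same style.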

Despite all the security measures that may be implemented, it is not possible to be 100% secure and there is always a risk that a company's system may be compromised. Therefore it is important to have appropriate procedures to deal with this eventuality. The primary concerns should be to stop any further penetration into the system, find and close the security hole, restore the system to service and then finally, potentially, trace the source of the attack, in that order. In order to prevent penetration, firewalls and other security servers should be configured to "fail safe", i.e. they should shut down access when an attempt is made to compromise them. Good system logs should assist in determining the method of access. However, system logs on a compromised server may be inaccurate, so it is advisable for servers to log information remotely to a machine behind all the firewalls and so forth, where it should be the last machine to be attacked. All the machines should be backed up on a regular basis, especially those machines that are directly accessible from the Internet (i.e. web and FTP servers), in order to restore them to service as quickly as possible. Finally, once again, good system logs may assist in the trace of the person(s) involved.
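
The value of the remote log copy described above can be shown by comparing it with the log left on the suspect server. This is an added example, not part of the original article; the function names and the sample log lines are constructed for illustration. Entries the log host received but the server no longer holds point to local tampering, and entries only the server holds point to forged lines or a gap in forwarding.

```python
from collections import Counter

# Constructed sample: what the protected log host received from "web1" ...
REMOTE_COPY = [
    "Mar 03 02:11:07 web1 sshd[811]: Failed password for root from 192.0.2.44",
    "Mar 03 02:11:07 web1 sshd[811]: Failed password for root from 192.0.2.44",
    "Mar 03 02:11:15 web1 sshd[811]: Accepted password for root from 192.0.2.44",
    "Mar 03 02:12:40 web1 ftpd[902]: STOR /pub/incoming/tools.tar",
    "Mar 03 02:30:00 web1 cron[120]: nightly backup started",
]
# ... and what web1's own log file contains after a suspected compromise.
LOCAL_COPY = [
    "Mar 03 02:11:07 web1 sshd[811]: Failed password for root from 192.0.2.44",
    "Mar 03 02:11:15 web1 sshd[811]: Accepted password for backup from 10.0.0.5",
    "Mar 03 02:30:00 web1 cron[120]: nightly backup started",
]


def unmatched_lines(reference, other):
    """Lines of `reference` with no occurrence left to pair with in `other`."""
    remaining = Counter(line.rstrip("\r\n") for line in other)
    unmatched = []
    for line in reference:
        line = line.rstrip("\r\n")
        if remaining[line] > 0:
            remaining[line] -= 1  # consume one occurrence so repeats are counted
        else:
            unmatched.append(line)
    return unmatched


def compare_logs(remote, local):
    """Report disagreements between the remote copy and the server's own log."""
    return {
        "missing_locally": unmatched_lines(remote, local),
        "unknown_to_log_host": unmatched_lines(local, remote),
    }


if __name__ == "__main__":
    for kind, lines in compare_logs(REMOTE_COPY, LOCAL_COPY).items():
        for line in lines:
            print(f"{kind}: {line}")
```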

Security for E-commerce, therefore, introduces an additional process that requires particular security measures. These measures are in part laid out by the acquiring banks as prerequisites to having the authority to take payments over the Internet. This does not have to have an impact on the individual merchant, as Payment Solution Providers (e.g. organisations like NetBanx) act as a convenient way to outsource the problem. PSPs also remove the burdens of cost and on-going maintenance of such systems, and these factors, together with the speed at which a business can be up and trading over the Internet, are great benefits of choosing to work with a PSP.

The need for a secure payment solution apart, E-commerce in itself does not introduce any new requirements for security. The technology and methodologies are well known and practised by some already. The need for Internet security for any particular organisation, however, starts as soon as the organisation has a web presence. It becomes increasingly important as the contribution of the web presence to overall revenues rises, as without security the entire organisation is put at risk.