Vulnerabilities in e-Commerce Systems

Client-Side Risks

Spyware is any software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet; however, it should be noted that the majority of shareware and freeware applications do not come with spyware. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers.
Types of Malware A computer Virus attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Much like human viruses, computer viruses can range in severity; some viruses cause only mildly annoying effects while others can damage your hardware, software, or files. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but it cannot infect your computer unless you run or open the malicious program. A Worm is similar to a virus by its design, and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, it has the ability to travel without any help from a person. A worm takes advantage of file or information transport features on your system, which allows it to travel unaided. The biggest danger with a worm is its ability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. One example would be for a worm to send a copy of itself to everyone listed in your e-mail address book. Then, the worm replicates and sends itself out to everyone listed in each of the receiver's address book, and the manifest continues on down the line. Due to the copying nature of a worm and its ability to travel across networks the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing Web servers, network servers, and individual computers to stop responding. In more recent worm attacks such as the much talked about .Blaster Worm., the worm has been designed to tunnel into your system and allow malicious users to control your computer remotely.
A Trojan Horse at first glance will appear to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening them because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (like changing your desktop, adding silly active desktop icons) or they can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate.

Network Protocol Risks

Secure Socket Layer (SSL) is a protocol developed by Netscape in 1996 which quickly became the method of choice for securing data transmissions across the Internet. SSL is an integral part of most web browsers and web servers and makes use of the public-and-private key encryption system developed by RSA. The RSA algorithm has become the standard for industrial-strength encryption, specially for data sent over the Internet. It is built into many software products, including Netscape Navigator and Microsoft Internet Explorer. The technology is so powerful that the U.S. government has restricted exporting it to foreign countries.
Another protocol for transmitting data securely over the World Wide Web is Secure HTTP (S-HTTP). Whereas SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely, S-HTTP is designed to transmit individual messages securely. SSL and S-HTTP, therefore, can be seen as complementary rather than competing technologies. Both protocols have been approved by the Internet Engineering Task Force (IETF) as a standard.
In order to make an SSL connection, the SSL protocol requires that a
server should have a digital certificate installed. A Digital Certificate is an electronic file that uniquely identifies individuals and servers. Digital certificates serve as a kind of digital passport or credential which authenticate the server prior to the SSL session being established.
Typically, digital certificates are signed by an independent and trusted
third party to ensure their validity. The “signer” of a certificate is known as a Certification Authority (CA), such as Thawte or Verisign. Digital certificates are critical tools for the secure and trusted use of electronic networks, as they enable protected information to be sent, received, and accessed securely. If a digital certificate is suspected of being compromised, it is revoked.
Encryption,the translation of data into a secret code, is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text; encrypted data is referred to as cipher text. There are two main types of encryption: asymmetric encryption (also called public-key encryption) and symmetric encryption.
A Digital Signature is a type of electronic identification that can
confirm the identity of the sender of a message, whether the message
is encrypted or not. Digital signatures can only be generated by the
signer. They can be verified, are tamperproof, cannot be forged or
repudiated, and ensure that the information contained in the message
is not changed during transmission.
A Firewall acts as a barrier between internal and external computers in a network, controlling the flow of information between the two. When a computer outside the firewall tries to communicate with a computer inside, it must first communicate with the firewall, which drops, allows or denies requests before it passes them to the destination computer. This process protects the destination computer from unauthorized access.

Other Server Exploits

Configuration-Web server may sacrifice security for performance
HTML and Server Side Includes-Web pages themselves offer problems such as hidden data and SSI which allows embedding of directives in HTML
Private Documents in public view
Database (SQL Injections)