Widespread weaknesses in UK e-commerce systems - NTA Monitor

UK credit card information and other personal data is at risk due to security flaws in e-commerce systems, according to research by Internet security tester NTA Monitor.

NTA claims poor authentication systems, defective log-out facilities and Web server flaws are the most widespread problems.

The highest-risk fault regularly discovered by the research was a lack of security behind the 'front door': Web server flaws that expose 'root' access, giving hackers control of critical systems once they have gained entry.

Roy Hills, technical director, NTA Monitor, says, "Our experience shows that simple faults are worryingly common - and on a level that can be exploited even by the most unsophisticated hackers."

Customers most at risk are those using public access terminals for e-commerce transactions. Faulty logout systems, where users are told by the Website that they have logged out but are actually still logged in, allow the next person using the PC to continue the session with full access to accounts and personal details.

"Given that security issues are the biggest inhibitor for online buyers, we were surprised to find that companies are not sealing their defences more thoroughly," adds Hills.

A weak password mechanism, where the system allows users to choose insecure passwords, or where there is no facility to change passwords, is also one of the more common flaws found. Hills says these weaknesses are aggravated by the fact that most end users do not put in place sufficiently secure passwords.
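The two password weaknesses named above, a system that accepts insecure passwords and one with no facility to change them, are easiest to see next to a mechanism that does both. The following is an added illustration, not NTA Monitor's code or recommendation; the minimum length, the tiny denylist and the PBKDF2 iteration count are constructed values chosen for the example.

```python
"""Password mechanism with a minimum policy, a denylist of common choices and a
change-password flow. Added example; MIN_LENGTH, COMMON_PASSWORDS and the
iteration count are constructed for illustration."""
import hashlib
import hmac
import os

MIN_LENGTH = 12
# Tiny constructed denylist; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password", "password1", "123456789012", "qwertyuiop12", "letmein12345"}
PBKDF2_ROUNDS = 600_000  # constructed choice for the example


def check_policy(username, password):
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears on the common-password denylist")
    if username.lower() in password.lower():
        reasons.append("contains the username")
    return reasons


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a per-user random salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(stored, password):
    """Constant-time comparison of the candidate against the stored digest."""
    salt, digest = stored
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class Accounts:
    """Minimal account table: username -> (salt, digest). Constructed for the example."""

    def __init__(self):
        self._users = {}

    def register(self, username, password):
        reasons = check_policy(username, password)
        if reasons:
            return False, reasons
        self._users[username] = hash_password(password)
        return True, []

    def change_password(self, username, current, new):
        """The facility the article finds missing: require the current password,
        apply the same policy to the new one, then replace the stored hash."""
        stored = self._users.get(username)
        if stored is None or not verify_password(stored, current):
            return False, ["current password incorrect"]
        reasons = check_policy(username, new)
        if reasons:
            return False, reasons
        self._users[username] = hash_password(new)
        return True, []

    def login(self, username, password):
        stored = self._users.get(username)
        return stored is not None and verify_password(stored, password)
```

The policy is applied identically at registration and at change time, so a change facility cannot become a route around the strength check, and the change flow re-authenticates with the current password so a session left open on a shared terminal cannot be used to lock the owner out.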

The research also identified other frequent flaws such as e-commerce systems that store authentication token cookies on local machines, allowing anybody logging on to access the accounts of the previous user, and authentication fields that are not obscured during entry.
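The logout and cookie flaws above share one root cause: the server treats the browser's copy of the authentication token as the session, so whatever the page tells the user, the token keeps working until it expires on its own. The example below, added here and not part of the article or NTA Monitor's work, contrasts a logout that only asks the browser to drop the cookie with one that invalidates the session server-side, and issues the token as a session cookie so it is not persisted on the local machine. The cookie name, user id and session store are constructed for illustration.

```python
"""Server-side session handling: a 'logout' that only clears the client cookie
versus one that invalidates the session on the server. Added example; the
SESSIONID cookie name, the user ids and the in-memory store are constructed."""
import secrets
import time
from http.cookies import SimpleCookie


class SessionStore:
    """In-memory session table keyed by a random token (constructed for illustration)."""

    def __init__(self):
        self._sessions = {}  # token -> {"user": str, "created": float}

    def create(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self._sessions[token] = {"user": user, "created": time.time()}
        return token

    def user_for(self, token):
        """Return the user bound to a token, or None if the token is not live."""
        entry = self._sessions.get(token)
        return entry["user"] if entry else None

    def invalidate(self, token):
        self._sessions.pop(token, None)


def cookie_from_header(header):
    """Parse a Cookie request header and return the SESSIONID value, if any."""
    jar = SimpleCookie()
    jar.load(header)
    morsel = jar.get("SESSIONID")
    return morsel.value if morsel else None


def broken_logout(store, token):
    """The flaw the article describes: the page says 'you are logged out' and
    tells the browser to drop the cookie, but the server keeps the session live.
    Any copy of the cookie (a second tab, a persisted cookie file on a shared
    terminal) still authenticates. The store is deliberately left untouched."""
    return "SESSIONID=; Max-Age=0"  # client-side deletion only


def hardened_logout(store, token):
    """Invalidate the session server-side first, then expire the cookie."""
    store.invalidate(token)
    return "SESSIONID=; Max-Age=0; HttpOnly; Secure; Path=/"


def session_cookie_for(token):
    """Issue the token as a session cookie: no Expires/Max-Age, so the browser
    discards it on close instead of writing it to the local machine, which is
    the persistent-token flaw the article lists."""
    return f"SESSIONID={token}; HttpOnly; Secure; Path=/; SameSite=Lax"


def replay_after_logout(logout):
    """Simulate a user logging in on a shared PC, 'logging out' with the given
    routine, and the next person replaying the old Cookie header. Returns the
    user the server still believes is logged in, or None if the session is dead."""
    store = SessionStore()
    token = store.create("alice")
    request_header = f"SESSIONID={token}"  # what the browser would send next time
    logout(store, token)
    replayed = cookie_from_header(request_header)
    return store.user_for(replayed)
```

`replay_after_logout(broken_logout)` still returns the original user, which is exactly the shared-terminal scenario the article describes; with `hardened_logout` the replayed token resolves to nobody. Checking that the server-side session is gone after logout, rather than trusting the logged-out page, is the test a reviewer should run against any e-commerce login.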

NTA Monitor recommends that, when developing e-commerce systems, companies implement a secure design across networks, operating systems, Web servers and applications. In addition, firms that outsource the production of e-commerce solutions should add a 'security quality of service' line item into the contract.

The company says independent security testing before launch, repeated at regular intervals thereafter, is most important, along with tests planned ahead of the release of major version changes.

Hills adds: "Good security is about doing the fundamentals. Our results, combined with the rapid spread of the SQL slammer worm recently, illustrate that people still fail to get the basics right."