UK e-commerce sites: Top 10 flaws

Basic errors

UK customers' credit card details and other sensitive data are at risk because of simple e-commerce flaws, according to a study published this week.

Web server flaws, poor authentication mechanisms and faulty log-out facilities are the most widespread problems, with most flaws caused by relatively basic mistakes, according to security testing outfit NTA Monitor.

The top ten most common e-commerce flaws discovered by NTA Monitor, listed in order of frequency, are:

  • Web server flaws: lack of security behind the 'front door' exposes 'root' access
  • Logout facility not working: although the web site tells users they have logged out, they are actually still logged in, so anyone using the PC directly afterwards can continue the session with full access to their account
  • Predictable authentication tokens: this makes it possible to guess valid authentication tokens to access other accounts on the system
  • Web server allows unencrypted access to secure areas: this allows information to be sent in the clear across the Internet - and sniffed in transit
  • Authentication token cookie is cached on disk: anyone using the PC directly afterwards can log back into the session with full access to their account
  • Authentication fields are not obscured during entry: so people looking over a victim's shoulder can see access details
  • Account lockout mechanism does not work: leaving data unprotected from malicious 'brute force' attacks
  • No protection against keystroke loggers: this allows an attacker to log confidential information entered by the user
  • Weak password mechanisms: system allows users to choose insecure passwords, or there is no facility to change password
  • Account enumeration possible: this enables an attacker to repeat attempts until valid user accounts are confirmed
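As an added illustration, not part of the original article or of NTA Monitor's material, the Python sketch below shows a server-side session design that avoids several of the listed flaws at once: tokens come from a CSPRNG rather than a guessable sequence, logout deletes the session on the server so the token really stops working, failed logins trigger a lockout, unknown users and wrong passwords get the same response, and the cookie is issued with flags that keep it off plain HTTP and out of the browser's disk cache. The `SessionStore` and `session_cookie_headers` names, the callback-based password check and the lockout threshold are assumptions of this example.

```python
import secrets

TOKEN_BYTES = 32          # 256 bits of CSPRNG entropy: tokens cannot be predicted
MAX_FAILED_LOGINS = 5     # lockout threshold (constructed value for this example)


class SessionStore:
    """Server-side session table. A token is valid only while it is present
    here, so logging out really ends the session rather than just telling the
    user it has. Lockout state is also tracked server-side, per account."""

    def __init__(self):
        self._sessions = {}   # token -> username
        self._failed = {}     # username -> consecutive failed attempts
        self._locked = set()  # accounts that have hit MAX_FAILED_LOGINS

    def login(self, username, password, check_password):
        # check_password(username, password) -> bool is supplied by the caller;
        # it must return False for unknown users as well as wrong passwords.
        # Every failure path returns the same value (None), so a caller cannot
        # tell "no such account" from "wrong password" (no account enumeration).
        if username in self._locked:
            return None
        if not check_password(username, password):
            self._failed[username] = self._failed.get(username, 0) + 1
            if self._failed[username] >= MAX_FAILED_LOGINS:
                self._locked.add(username)
            return None
        self._failed.pop(username, None)
        token = secrets.token_urlsafe(TOKEN_BYTES)   # never a counter or timestamp
        self._sessions[token] = username
        return token

    def user_for(self, token):
        """Return the logged-in user for a token, or None if it is not live."""
        return self._sessions.get(token)

    def logout(self, token):
        """Invalidate the token server-side; re-presenting it will fail."""
        self._sessions.pop(token, None)


def session_cookie_headers(token):
    """Response headers for issuing the session cookie.
    Secure: never sent over unencrypted HTTP. HttpOnly: not readable by page
    scripts. No Expires/Max-Age: a session cookie the browser does not persist
    to disk. Cache-Control: no-store keeps authenticated pages out of the cache."""
    return [
        ("Set-Cookie", f"session={token}; Secure; HttpOnly; SameSite=Strict; Path=/"),
        ("Cache-Control", "no-store"),
    ]
```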

Roy Hills, technical director, NTA Monitor, said, "Our experience shows that simple faults are worryingly common - and on a level that can be exploited even by the most unsophisticated hackers. Given that security issues are the biggest inhibitor for online buyers, we were surprised to find that companies are not sealing their defences more thoroughly."
NTA Monitor recommends that companies should enforce security policies to take account of the flaws it highlights. More detailed advice can be found here.

NTA Monitor's research was conducted from October 2002 to January 2003 and is based on flaws commonly discovered by NTA during security assessments of authenticated web access and e-commerce systems. Further details of the Top 10 list are available here. ®