Secure transactions

In July 2000, banking giant Barclays was forced to temporarily close down its Internet banking service when customers found that they could randomly access other peoples' account details. The breach occurred as a result of bugs in an upgrade to its iBank Internet banking platform which, ironically, had been intended to improve security.

According to reports, the problem was that an upgrade to iBank, a bespoke online banking platform Barclays developed in collaboration with database giant Oracle, could not reliably handle "multiple threading", a common database feature that enables several jobs to be run simultaneously across different nodes of a clustered system.

Under the pressure of a high volume of customers trying to access the site, the iBank multiple threading failed. Barclays therefore had to "roll back" to the previous version of iBank before it could re-open the service and then spend a further three months improving the platform before its "new security infrastructure" could be implemented. It was not until December 2000 that the upgrade was finally rolled out.

Although the bank was deeply humiliated by the affair, Barclays could count itself lucky that its customers were honest: None of its 1.2 million online users took advantage of the problem to help themselves to the contents of another customer's bank account.

But this is not an isolated case. A plethora of organisations have been the victims of serious security breaches in recent years. And companies themselves are often guilty of leaving gaping security holes in their online systems.

During the late 1990s, in the rush to roll out online services many organisations paid scant attention to security. "In the dot-com rush, software engineering was not high up on the list of many organisations," says Graham Titterington, senior analyst at market research group Ovum.

In particular, the threat to an organisation's IT systems increases significantly when they start providing online transaction capabilities, compared to web sites that simply provide information about products and services, or 'brochure ware'.

In offering ecommerce or other transaction capabilities over the Internet, organisations have to let customers inside their firewalls to access application processes. This is the reverse of the security philosophy of trying to keep people out that organisations have followed since the first mainframe was plugged in the 1950s.

In addition, transactions require 'water-tight' protection of customer data. Typically this means that organisations must deploy technology such as Secure Socket Layer (SSL) to encrypt the link between customer and server.


Alan Wall, Symantec


But organisations also need to establish an overall architecture for their system that always keeps customers a couple of steps away from 'live' data held on back-end databases, says Alan Wall, a security analyst at Internet security product specialist Symantec.

Failure to do so can have grave consequences. For example, if a hacker gained access to the account details of corporate banking customers, the results could be catastrophic.

So what are the core components of providing a secure web site for online transactions?

Establishing a robust security system will vary depending on an organisation's needs. However, specific security products including firewalls, access control mechanisms, and intrusion detection systems are fundamental to most organisations providing online transactions.

The most basic requirement is still a firewall, says Ovum's Titterington. A firewall is intended to prevent unauthorized access to or from a private network. A core function of a firewall is to examine data requests so that only users from previously identified Internet Protocol (IP) addresses are allowed through.


Richard Barber, Integralis


But firewall installations need to be regularly reviewed. "We tend to find that 80% of firewall installations are inadequate," says Richard Barber, future technologies architect at Integralis, an information security consultancy. "This is usually not the fault of the firewall product, but is down to changes that have occurred in the firewall over time, which have not been updated," adds Barber.

As a result, more and more holes are punched in the firewall as new servers are deployed or the system architecture is changed, yet no one thinks to re-configure their firewall accordingly.

Access control
Access control products enable organisations to define policies for user access to specific applications. Within an online banking application there are often multiple levels of capability. For example, while a gold card account holder might be allowed to transfer £2,000 between accounts, a silver card member may only be allowed to check their balance.

For basic access control, identification and passwords – or maiden names – are standard, but for more advanced services, policies have to be tied to additional mechanisms to ensure correct authentication and authorisation.

A bank, for example, may issue its top corporate customers with smart token devices, such as RSA Security's SecurID tokens. These feature an apparently random number that changes every minute. When users log-in, they also need to tap in the six-figure digit on their SecurID display, which will match-up on the SecurID server.


Ian Hendry, Entegrity


The system is based on a complex mathematical code and any attempt to open the token will automatically erase the device's memory. The idea is to provide a higher level of authentication, says Ian Hendry, director of European operations at security software vendor Entegrity Solutions.

But what happens if someone succeeds in breaking in? An increasingly popular response is to deploy intrusion detection system (IDS) software that can examine log files and network activity in an effort to detect potentially nefarious activity.

There are two main approaches to intrusion detection: Passive and active, says Glynn Geoghegan, principal consultant at Internet Security Systems (ISS).

Passive intrusion detection involves monitoring the network for anomalous behaviour. For example, monitoring the organisation's network administrators over a period of time to build a profile of them. This profile will include when they log-on and off, their IP addresses and the systems they access. Once a comprehensive profile is built up, radical changes to the routine can be flagged up.

Most intrusion detection products simply send out alerts, but vendors are starting to introducing products that also offer active, automated responses, says Ovum's Titterington. These systems can be configured to launch pre-configured responses to threats, which can include closing a connection from a specific IP address. Automated responses could also change the configuration of a firewall to block suspicious users permanently, or perhaps just for 10 minutes.

But even after all these security products have been deployed, vulnerabilities may still remain. This is because attackers are becoming more adept at targeting security flaws within applications. "Today, organisations putting systems on the Internet have usually reached a high level of security for their servers and overall network. The problem stems from an inability to protect an application and its bespoke software code," says Geoghegan.

Attackers initiate application layer attacks by 'abusing' the business rules that tie front end servers to back end transaction services. In the process, they can "pull credit card details, user details and buying products more cheaply than the price listed," says Integralis' Barber.

A number of start-ups have emerged to try to address this growing threat. These include Sanctum, KaVaDo and Entercept Security Technologies. KaVaDo's InterDo is intended to protect organisations against a number of specific threats.

These include : cookie poisoning, when the content of web site cookies is corrupted; Trojan horses, where malicious code is hidden inside apparently harmless programs; and buffer overflow attacks, which prevent applications from processing data due to an overload of requests.

But the bottom line, says Titterington, is that in an increasingly connected world, no system can be 100% secure. "The challenge from the security perspective is to provide defensive depth, incorporating multiple products, so that one single error does not result in a major catastrophe," he says.


Hands on: Market Harborough Building Society (MHBS)

The Market Harborough Building Society (MHBS) was by no means the first financial institution in the UK to get online, but Neil Williams, assistant general IT manager at MHBS, believes that he has learnt valuable lessons from the mistakes of the pioneers.

The key, says Williams, is a layered security architecture that enables mortgage and savings account holders to manage their accounts, without giving them direct access to live data on the MHBS's central database or other systems in the organisation's network. It calls its service You-View.

Launched in September 2000, You-View enables customers to view their mortgage account details. Authorised customers can transfer money between their own mortgage and savings accounts within the building society, as well as the accounts of their family members.

Its architecture is designed to give customers access only to a subset of data, which is held on the company's Microsoft SQL Server database at the web front-end, says Williams. This database is populated with data daily from MHBS's back-end Oracle database where the live, business-critical data is stored.

In addition, the customer data is held behind a second firewall. This separates it from the MHBS's web and email content held in the MHBS 'demilitarised zone'. The company's demilitarised zone comprises of two firewalls, its You-View Web server and its email filtering system.

MHBS has also deployed 128-bit Secure Sockets Layer (SSL) encryption and an intrusion detection system (IDS). "The IDS monitors web traffic for anomalous behaviour and, depending on the type of attack, can be configured to stop it," says Williams.

Crucially, before launching You-View, MHBS hired consultants from Integralis to carry out a thorough security audit to ensure that there were no glaring holes in its system architecture.

But such a comprehensive approach did not come cheap. "Half of the total cost of the You-View project went into security," says Williams.

However, he believes that this investment will pay off as MHBS conducts more and more of its business over the Internet; already, he points out, a fifth of all its mortgages are sold online. Just a small breach, says Williams, could be very costly indeed.



Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics