Security of Password in E-Commerce

By Dr. Sandeep Kumar Sood Ph. D (I.I.T, Roorkee)
11/17/2010 1

Outline of Presentation

- Authentication Technologies
- Password based Authentication Protocols
- Dictionary Attacks
- Choice of Passwords
- Password Loopholes
- Tips for Password Selection
- Cookie Technology
- Phishing Attacks
- Conclusion

Authentication Technologies

- Authentication is reliably identifying an entity.
- The selection of an environment-appropriate authentication method is one of the most crucial decisions in designing secure systems.
- The current technologies used in authentication are password, passphrase, public key cryptography, digital signature, smart card, zero knowledge proof and biometrics.

Password based Authentication Protocols

- Password is the most commonly used technique for user authentication.
- The main advantage of passwords is that users can memorize them easily without needing any hardware to store them.
- Common practice adopted by the users is to choose a single strong password and use it for many accounts instead of choosing a unique password for each account.
- Dictionary attack
- RTT (reverse Turing test) or Captcha as a countermeasure to the dictionary attack

Dictionary Attacks

- Suppose an attacker wants to perform an online dictionary attack on ebay.com and hence needs correct responses to the RTT produced by ebay.com.
- An attacker has to host or hack a high volume website such as google.com and install attack software.
- When a visitor accesses google.com, the RTT challenge produced by ebay.com is redirected to the user trying to view google.com, which initiates a fraudulent attempt to login at ebay.com.

Choice of Passwords

- Short and easily memorized passwords are susceptible to attacks on insecure communication channels like the Internet.
- On the other hand, complex passwords might get lost or stolen when the users write them down.
- Example: using the password of one site at another site.
- In 2004, the concept of one time password is proposed to secure the user's passwords in online transactions.
- In 2005, the concept of one time user's identity is given, in which a new dynamic identity is generated for each new session.

Password Loopholes

- An insider or a person close to the user has the maximum ability to steal the user's password because most of the user-chosen passwords are limited to the user's personal domain.
- Personalized passwords such as a phone number, vehicle number, pet's name or a social security number can be cracked given a large enough number of dictionary tries.
- Researchers have conducted empirical studies on password use and concluded that people tend to pick passwords which represent themselves.
- The password reuse rate increases because people accumulate more accounts with the same password.

Tips for Password Selection

- Tips and rules for creating strong passwords: use both uppercase and lowercase letters, use numbers, use at least six characters, avoid passwords that contain the login identity, avoid common literary names, create an acronym from an uncommon phrase, mix up two or more separate words, drop letters from a familiar phrase, and use deliberate misspelling and punctuation in the password.
- The average user finds it difficult to remember complex passwords.
- Moreover, most of the users lack motivation and do not understand the need for password security policies.
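As an added illustration (not part of the original slides), the following Python checks a candidate password against the rules listed above and also against the personal-information loophole from the previous slide (phone number, vehicle number, pet's name). COMMON_NAMES is a constructed stand-in for a real name dictionary, and acronym_from_phrase is a hypothetical helper that implements the "acronym from an uncommon phrase" tip.

```python
import re

# Constructed stand-in for a dictionary of common literary names; a real
# deployment would load a much larger list.
COMMON_NAMES = {"romeo", "juliet", "hamlet", "sherlock", "gandalf", "frodo"}


def check_password(password: str, login_id: str, personal_info=()) -> list:
    """Return the slide rules that `password` violates (empty list = passes).

    `personal_info` holds strings an insider could guess (phone number,
    vehicle number, pet's name); any of them appearing in the password is
    reported as a loophole.
    """
    problems = []
    if len(password) < 6:
        problems.append("fewer than six characters")
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        problems.append("missing mixed uppercase and lowercase letters")
    if not re.search(r"[0-9]", password):
        problems.append("missing a number")
    lowered = password.lower()
    if login_id and login_id.lower() in lowered:
        problems.append("contains the login identity")
    for name in sorted(COMMON_NAMES):
        if name in lowered:
            problems.append(f"contains common literary name '{name}'")
    for item in personal_info:
        # Strip punctuation so "555-1234" still matches "5551234".
        token = re.sub(r"\W", "", item.lower())
        if token and token in lowered:
            problems.append(f"contains personal information '{item}'")
    return problems


def acronym_from_phrase(phrase: str, suffix: str = "!7") -> str:
    """Build an acronym from an uncommon phrase: take the first letter of each
    word, alternate the case, and append punctuation plus a digit so the
    result satisfies the mixed-case, number and punctuation tips."""
    words = [w for w in re.split(r"\s+", phrase.strip()) if w]
    letters = [w[0].upper() if i % 2 == 0 else w[0].lower()
               for i, w in enumerate(words)]
    return "".join(letters) + suffix


if __name__ == "__main__":
    print(check_password("romeo123", "alice"))
    print(check_password("Rex2010x", "alice", personal_info=["Rex"]))
    strong = acronym_from_phrase("my cat eats purple beans")
    print(strong, check_password(strong, "alice"))
```

The checker reports every violated rule rather than stopping at the first one, which is what a registration form needs in order to tell the user what to change.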

Cookie Technology

- Cookie technology is the most innovative feature that made the web stateful.
- A number of the web applications built on top of the Hyper Text Transfer Protocol (HTTP) need to be stateful and require cookies to maintain the user's state.
- The web server creates a cookie that contains the state information of a client and stores it on the client computer from where the request originated.
- It helps the web server to keep track of the user's movement and his behavior on the visited web server.

Cookie Technology

- A cookie enabled server can maintain information related to the client that can be used by the server during subsequent login requests from the same client.
- The client's browser attaches the cookie to each subsequent request made by the client to the same web server. The web server retrieves the user's information from this cookie.
- The default parameters of an HTTP cookie are the cookie name, value, expiration date, URL path for which the cookie is valid, domain name and a flag to indicate whether the cookie is sent using the SSL protocol.
- Cookies strengthen the connection between a legitimate client and a genuine web server across the web.

Cookie Technology

- Cookies can persist for many years; for example, the Google search engine routinely sets an expiration date in the year 2038 for its cookies.
- Therefore, a web server can obtain significant information about the long term habits of its clients.
- Third party cookies can be used by online business organizations to create detailed records of the user's web browsing habits.
- There is no notification mechanism to alert the users when cookies are being placed on their computer. The users are not aware of what information about them is being stored in the cookies.
- Cookies can be used in conjunction with passwords to provide different levels of authentication to users.
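The two cookie slides above list the cookie parameters (name, value, expiration date, path, domain, SSL flag) and point out that cookies may persist for decades. As an added example that is not part of the original presentation, the Python below parses a Set-Cookie header value into those parameters and audits it from the defender's side: it flags a cookie that lacks the SSL-only (Secure) flag and one whose lifetime is far longer than a chosen limit. The sample headers are constructed; the 2038 expiry mirrors the slide's Google example but uses example.com.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header value into name, value and attributes.

    Attribute names are case-insensitive, so they are lower-cased; flags
    without a value (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")  # value may itself contain '='
    cookie = {"name": name.strip(), "value": value.strip(), "attrs": {}}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        cookie["attrs"][key.strip().lower()] = val.strip() if val else True
    return cookie


def cookie_lifetime_days(cookie: dict, now: datetime) -> Optional[float]:
    """Lifetime in days relative to `now`; None means a session cookie that
    the browser discards when it closes. Max-Age wins over Expires."""
    attrs = cookie["attrs"]
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return (expires - now).total_seconds() / 86400
    return None


def audit_cookie(header: str, now: datetime, max_days: int = 365) -> list:
    """Return human-readable findings for a single Set-Cookie header."""
    cookie = parse_set_cookie(header)
    findings = []
    if "secure" not in cookie["attrs"]:
        findings.append("no Secure flag: the cookie is also sent over plain HTTP")
    lifetime = cookie_lifetime_days(cookie, now)
    if lifetime is not None and lifetime > max_days:
        findings.append(
            f"persists about {lifetime / 365:.1f} years, longer than {max_days} days")
    return findings


if __name__ == "__main__":
    # Constructed header modelled on the slide's 2038 expiry (not a real capture).
    LONG_LIVED = ("PREF=ID=abc123; Expires=Sun, 17 Jan 2038 19:14:07 GMT; "
                  "Path=/; Domain=.example.com")
    SESSION = "sid=xyz; Path=/; Secure"
    talk_date = datetime(2010, 11, 17, tzinfo=timezone.utc)
    for hdr in (LONG_LIVED, SESSION):
        print(parse_set_cookie(hdr)["name"], audit_cookie(hdr, talk_date))
```

Evaluated at the presentation date, the long-lived cookie comes out at roughly 27 years of lifetime, which is the "long term habits" exposure the slide describes.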

Account Locking

- A different concept, account locking, prevents an attacker from trying many passwords for a particular user identity because accounts get locked after a certain number of unsuccessful login attempts.
- Here an attacker can mount a denial of service attack by choosing a valid user identity and trying several passwords until the account gets locked.
- That causes a lot of inconvenience to the owners of the locked accounts.
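The slide above explains why a hard lock after N failures hands an attacker a denial-of-service lever, and the earlier "Password based Authentication Protocols" slide names RTT/Captcha as the countermeasure to dictionary attacks. As an added example that is not from the presentation, the Python below combines the two on the server side: after a threshold of failures the account is not locked but instead requires a passed RTT for further attempts, and a per-source-address limit throttles bulk guessing. The class name LoginGuard, the thresholds and the timestamps are constructed for illustration.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Server-side login throttle that avoids the lockout denial of service.

    Failed attempts are remembered per account and per source address inside
    a sliding window. Once an account has `rtt_threshold` recent failures,
    further attempts on it must present a passed RTT (e.g. a Captcha); the
    legitimate owner can therefore still log in, while a guesser is slowed
    down. A source that fails `source_limit` times is refused outright.
    """

    def __init__(self, window_secs=600, rtt_threshold=3, source_limit=20):
        self.window = window_secs
        self.rtt_threshold = rtt_threshold
        self.source_limit = source_limit
        self.account_failures = defaultdict(deque)  # account -> timestamps
        self.source_failures = defaultdict(deque)   # source  -> timestamps

    def _prune(self, timestamps, now):
        # Drop failures older than the window so the penalty decays.
        while timestamps and now - timestamps[0] > self.window:
            timestamps.popleft()

    def needs_rtt(self, account, now) -> bool:
        dq = self.account_failures[account]
        self._prune(dq, now)
        return len(dq) >= self.rtt_threshold

    def source_blocked(self, source, now) -> bool:
        dq = self.source_failures[source]
        self._prune(dq, now)
        return len(dq) >= self.source_limit

    def attempt(self, account, source, password_ok, now, rtt_passed=False) -> str:
        """Return 'ok', 'wrong_password', 'rtt_required' or 'source_throttled'.

        `password_ok` is the result of the real credential check; `now` is an
        injected clock (seconds) so the behaviour is reproducible.
        """
        if self.source_blocked(source, now):
            return "source_throttled"
        if self.needs_rtt(account, now) and not rtt_passed:
            # The password is not even checked, so no oracle is leaked.
            return "rtt_required"
        if password_ok:
            self.account_failures[account].clear()
            return "ok"
        self.account_failures[account].append(now)
        self.source_failures[source].append(now)
        return "wrong_password"


if __name__ == "__main__":
    guard = LoginGuard(rtt_threshold=3)
    for t in range(3):  # constructed: a guesser fails three times on "bob"
        print(guard.attempt("bob", "10.0.0.5", False, now=t))
    print(guard.attempt("bob", "10.0.0.5", False, now=3))               # rtt_required
    print(guard.attempt("bob", "192.0.2.9", True, now=4))               # rtt_required
    print(guard.attempt("bob", "192.0.2.9", True, now=5, rtt_passed=True))  # ok
```

The key design choice is that the account state only escalates to "RTT required", never to "locked": the owner always has a path in, which removes the inconvenience the slide describes, while the guesser is forced through a human test on every try.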

Phishing Attacks

- Password based authentication is highly susceptible to phishing, which exploits visual similarities to allure victims (e.g. www.paypai.com instead of the actual www.paypal.com).
- Phishing is an online identity theft that combines social engineering and web site spoofing techniques to trick a user into revealing confidential information.
- A user may have disclosed sensitive data to an adversary during a visit to a bogus or unreliable server.
- The two most common browser indicators are https:// rather than http:// in the URL bar containing the target domain name, and a closed lock in the status bar to indicate the use of the SSL protocol (public key certificate).
- Users do not reliably notice the absence of a security indicator and do not know how to use them.

Phishing Attacks

- In a phishing attack, the attacker sends a large number of spoofed e-mails to random Internet users that appear to be coming from a legitimate business organization such as a bank.
- The e-mail requests the recipient to update his personal information and also warns that failure to reply to the request will result in closure of his online banking account.
- The victim follows the phishing link provided in the e-mail and is directed to a website that is under the control of the attacker.

Phishing Attacks

- The average user cannot distinguish a well designed phishing website from the legitimate site because the phishing site is prepared in a manner that imitates the visual characteristics of the target organization's website by using similar icons, logos and textual descriptions.
- Password based authentication is highly susceptible to phishing attacks that exploit the visual resemblance of domain names to allure the victims (e.g. www.… instead of the actual www.…).
- Phishing attacks are increasing despite the use of preventive measures like e-mail filters and content analysis.
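The phishing slides above make two detectable points: lookalike domain names such as paypai.com for paypal.com, and the https:// indicator that users fail to check. As an added example that is not part of the presentation, the Python below is the kind of check a mail filter or browser extension would run on a link before the user sees it: it reduces the URL to its registrable domain, compares that against a list of protected domains using a small confusable-character map and an edit distance, and records whether the link uses https. CONFUSABLES and the protected list are constructed, and the "last two labels" rule for the registrable domain is a simplification (it does not handle suffixes like co.uk).

```python
from urllib.parse import urlsplit

# Constructed map of character sequences that look alike in common fonts.
CONFUSABLES = {"1": "l", "i": "l", "0": "o", "5": "s", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Fold visually confusable characters so 'paypai' and 'paypa1' compare
    equal to 'paypal'."""
    label = label.lower()
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Assumption: the registrable domain is the last two host labels."""
    host = urlsplit(url).hostname or ""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify_url(url: str, protected_domains, max_distance: int = 1):
    """Return ('trusted' | 'lookalike' | 'unknown', matched protected domain)."""
    domain = registrable_domain(url)
    if domain in protected_domains:
        return "trusted", domain
    for real in sorted(protected_domains):
        if normalize(domain) == normalize(real) or edit_distance(domain, real) <= max_distance:
            return "lookalike", real
    return "unknown", None


def assess_url(url: str, protected_domains) -> dict:
    """Combine the domain verdict with the https indicator from the slide."""
    verdict, matched = classify_url(url, protected_domains)
    return {
        "domain": registrable_domain(url),
        "verdict": verdict,
        "matches": matched,
        "https": urlsplit(url).scheme == "https",
    }


if __name__ == "__main__":
    PROTECTED = {"paypal.com", "ebay.com"}  # constructed list of brands to defend
    for link in ("http://www.paypai.com/login", "https://www.paypal.com/",
                 "https://example.org/"):
        print(link, assess_url(link, PROTECTED))
```

A link that is both a lookalike and served over plain http fails both of the slide's indicators and is the one to block or warn on; a trusted domain over https is the baseline a user is supposed to recognise.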

[Figure: Organization based Phishing Sites; y-axis: Phishing Count. Chart not reproduced in the text.]

Conclusion

- Password theft is growing significantly and shaking the confidence of customers in e-commerce.
- Phishing is doing direct damage to the financial industry and is also affecting the expansion of e-commerce.
- It is important to detect phishing sites early because most of them are short-lived and cause their damage in the short time span between appearing online and vanishing.
- Therefore, corporate network and e-commerce applications require secure and practical remote user authentication solutions.
- The confidence of clients in e-commerce and other online transactions can be enhanced by negating phishing, dictionary and other possible attacks.
- The aim of this presentation is to make e-commerce transactions more reliable and secure.

Thanks. Q/A?