In January 2017, the Vietnamese Prime Minister approved a non-cash payment project for the 2016-2020 period, paving the way for online transaction development. Nowadays, information technology is widely used in all sectors of the economy. In particular, information security in online transactions plays an important role. The proportion of online transactions is increasing, which has been shown in e-commerce sales reaching over $4 billion and growth rate 37% in 2015 (according to an e-commerce report by the Ministry of Industry and Trade). The higher payment value, the more essential user data protection and transaction security assurance.
In China, according to the National Bureau of Statistics of China, e-commerce transactions were worth over US$589 billion (2015), doubling that of the United States. Of this, the e-commerce trading platforms of Taobao and Tmall owned by Alibaba took the lead of the Chinese market with over 80% market share. In early 2016, the market witnessed an extremely big cyber-attack at the Taobao platform to provide false information of stores using this C2C platform. Based on the evidence obtained, from October 2015 to February 2016, the group has attackers used more than 100 million user accounts (including email addresses and passwords) stolen from a variety of sources to try to log in on Taobao, and over 20 million accounts were logged in successfully (equivalent to one fifth of the population of Vietnam). These accounts then were used to create a huge volume of data on fake bidding prices, provide false reviews, etc. In this case, the cyber-attack for stealing accounts and the weak configuration of the Taobao platform created a series of false information, leading to buyersâ false evaluation and purchase of products of unsatisfactory quality.
The United States is a country with long-developed e-commerce compared with the worldâs average. E-commerce in the US has been a fat target to cyber-attackers for years. In 2014 and 2015, for two consecutive years, the two leading American online retailers Target and HomeDepot have been hacked. In the case of Target, hackers have taken advantage of Targetâs service providers (third parties) to spread malware and penetrate into critical systems behind, including the POS system. This attack was discovered when a large amount of card user data was on sale in the black market. According to damage statistics, more than 40 million card user data items (card number, expiration date, CVV, etc.) have been stolen. The incident led to a serious crisis at Target and caused the resignation of the CEO of this retail chain. Most recently, in December 2016, Yahoo, one of the oldest and world famous Internet technology companies, released a shocking announcement that over one billion electronic mail account holders at this company have lost data, including user name, email address, password (encrypted), etc. This event caused a serious chain impact since many people used the same accounts to log in e-commerce sites.
In Vietnam, the e-commerce market is still young but enjoys a rapid growth. According to the latest report, Vietnamâs e-commerce growth rate doubled that of Japan (37% versus 15%). Up to now, there has been no official statistics on the status of information security in the field of e-commerce in Vietnam. E-commerce-based businesses also fail to provide any official information on data loss, if any. However, that does not mean e-commerce businesses are safe in Vietnam.
Operative for many years in the field of information security, Vietnamese Network Security JSC (VSEC) has received numerous requests for help from e-commerce businesses. The most common requests for support are to curb DOS/DDOS attacks; this type of attacks does not cause data losses, but cause business damages due to system stagnation and disruption of customer service delivery. 24/7 online services providers like online ticket booking services, hotel booking services, etc. most frequently suffer these attacks.
More in-depth studies revealed that serious e-commerce risks have long persisted and been taken advantage of by bad guys. In 2016, a striking example of the danger of cyber-attacks was the attack at the networks of Vietnamese airports and Vietnam Airlines. The attackers have exploited vulnerabilities in many ways, and had inserted malware into the networks very long before the attack (according to official information, it was from 2014), changed the website interface, and stole customer data. Although this incident was not directly related to e-commerce, it shows the danger of cyber-attacks when bad guys silently take advantage of vulnerabilities for their benefits without business owners being aware of it. Another more recent incident took place in early November 2016, where a subsystem of VietnamWorks.com got hacked and thousands of user accounts exposed. Notably, many accounts here were shared with other services elsewhere, and some banks had to warn their customers of changing account passwords.
Under the framework of cooperation with the Vietnam e-Commerce Association (VECOM), VSEC conducted an initial survey and assessment of the current status of information security of e-commerce websites in Vietnam. Websites serve as important connection points in e-commerce, so they represent the level of information security of e-commerce in general in Vietnam.
Survey and assessment method
VECOM members operate in various sectors: retail, payment, technology, logistics, etc. The survey and assessment was carried out directly on 12 e-commerce websites owned by VECOM members operating in the two most important sectors: retail and payment. The sites selected were highly popular and had large traffic. They possessed full features retail e-commerce platforms: product listing, pricing, account management, payment, etc. However, with interconnectivity of the information systems, vulnerabilities may come from many different positions and websites are not the only place, so obtaining information security is a process that requires synergy.
Direct survey and assessment of websites means manual checks by engineers of websites against predefined information security risks. Checks were conducted totally externally, simulating attacks and exploits by hackers. Such assessment method ensured objective and true results, providing real data on the overall picture of information security in e-commerce.
Details of information security assessments
In e-commerce, the following technical issues on information security require attention:
- Confidentiality: e-commerce information is protected against unauthorized access.
- Integrity: transaction information is not to be changed on transmission
- Availability: necessary information should be available upon request, or upon access by users.
- Authentication: users are required authentication prior to access to their personal information or authorized information.
- Non-Repudiability: Transaction parties cannot refuse the information sent/received by themselves.
- Encryption: information should be encrypted so as to be accessed by only valid users
- Auditing: data shall be stored for cross-check in case of incidents, or as needed.
Due to limited time and the sites surveyed being big, the initial survey focused on the security tests that may lead to serious risks and impact on customers, transactions and servers. The first tests were those that led to user data being viewed illegally (A1), including the tests detecting breaches of confidentiality and authentication. The tests that led to user data being modified illegally (A2), including those that may lead to detection of breaches of authentication. The tests that led to transaction information being viewed illegally (A3), including those that may lead to detection of breaches of confidentiality and authentication. Finally, the tests that led to data on the server being viewed/modified illegally (A4), including those that may lead to detection of breaches of confidentiality and encryption.
E-commerce systems consisted of multiple components; the report focused on the two most important components: Account Management and Payment. Account management would include information authentication, processing and display of personal information, each customerâs order (name, age, card information, account balance, etc.) Online payment would include processing of purchases by customers, possibly directly or indirectly through electronic wallets or intermediate payment gateways.
Below is a chart showing the survey and assessment results of information security in e-commerce based on the above interpretation. The percentage of seriously risky websites is expressed in orange, while blue expresses that of websites without corresponding risks detected.
17% of surveyed sites suffer serious risks A1 i.e. customer data can be viewed illegally by other users. A customer using e-commerce services on these websites may be stolen his/her personal information: name, email, password (encrypted form) or banking information. Retail e-commerce websites normally have a large number of customers, so these data are a valuable asset for the bad guys. This information can be used for unauthorized access to information assets of the customers. Other serious risks A2, A3 and A4 accounted for 8%. This means when a customer provides information, data of transactions via such websites can be viewed illegally, especially serious risks A4 where an attacker can exploit the vulnerable server to control data. The survey even found out an e-commerce site with the top market share and a serious risk at the same time.
The survey and assessment showed that 33% of the e-commerce websites suffered from serious risks. This is a large percentage, which is corresponding to thousands of consumers at risk with their personal data. The blue part, 67%, represents the percentage of sites without serious risks in e-commerce. Due to the limitation of the survey, this part may include less serious risks, or such risks may be located elsewhere and need more comprehensive investigation and assessment.
Conclusions and solutions
According to a 2014 survey by the Korean Information Security Association (KISA), there were various reasons related to information security that made people afraid of e-commerce and online shopping: trust concerns, security concerns, privacy concerns (these reasons accounted for over 26%). This means information security assurance is a strong solution to e-commerce use motivation.
Some of the solutions that businesses can apply immediately. First, upon software development, companies need to design proper business processes, strictly control data access on the principle of âcustomersâ access to information with proper predefined authorization.â Second, strictly control and apply information security checks right from the stage of application development and after launch. Third, enterprises should conduct periodic review and reassessment of the security of their systems because the systems would often witness new vulnerabilities and risks over time.
The first survey on the status of information security of e-commerce websites showed serious risks and e-commerce businesses need to pay early attention to information security, raising awareness of information security in parallel with the business development process. With early awareness, businesses may make efficient investments and substantial savings upon occurrence of incidents, thus building consumersâ trust in their brand.
About the survey and assessment organization
This survey and assessment was conducted by the Vietnam e-Commerce Association in collaboration with Vietnamese Network Security Joint Stock Company (VSEC). VSEC started up with a team of engineers having a strong passion for information security (in 2005) and has had more than 7 years of operation to date, providing reputable information security products for the Vietnam market. VSEC operates with a strong belief that Vietnamese people can fully master information security technologies of the world. The survey and assessment work was performed fully by Vietnamese engineers, who were trained and work professionally on information security. The survey also ensured not to do any harm to the ongoing business activities of the companies surveyed. The results of the survey aimed to provide more information on the current status of e-commerce in Vietnam for sustainable development as well as ensure the interests of consumers and businesses. Feedback on this report shall be a catalyst for us and VECOM to conduct more detailed, better and deeper surveys for the benefits of the community.
Read more link