Potential Vulnerabilities of Automated Points Accumulating System and Countermeasures

Ⅰ. Introduction

In the early 2000s, electronic commerce became popular and the number of related companies increased significantly[1]-[3]. As the scale of electronic commerce grows, they have delegated their electronic payment tasks to specialized electronic payment service providers. On the other hand, electronic commerce companies issue and provide online properties called points, which can be used like cash. Points help to reduce commission for transactions on credit, advertise their company, and encourage people to use electronic commerce by stimulating to use points and simplifying steps needed to buy products on the Internet.

Furthermore, the remarkable features of electronic commerce are that companies easily construct a database of users’ information and the products they bought. Most companies analyze this database to find out suitable marketing strategies and provide some points to customers to attract them to revisit their mall, which leads to better sales.

Many offline shops also issue points or coupons to take advantage of electronic commerce. However, side effects are clearly shown: it is easy to lose coupons and takes a long time to add points manually in front of the cashier. Also, it is difficult to gather customers’ information manually. For these reasons, small offline shop owners had been looking for ways to overcome these shortcomings.

Fig. 1.

Process of a purchase and a refund with a cash

At that time, automated points accumulating system which satisfy all needs of offline shop owners is developed, and it is widely used these days. This system helps to attract consumers to be absorbed in accumulating points by removing inconvenient steps, gathering as much information about consumers and products they buy as possible, and finding out proper marketing strategies from the information it gathers.

Fig. 2.

Process of a purchase and a refund with points

We can consider the advantages that electronic commerce takes are transplanted into a small offline shop. In short, this automated points accumulating system which takes almost no time to accumulate points, gathers and manages customers’ information automatically, and helps for an owner to get proper promotion strategies to attract customers to visit their shop again satisfies them successfully.

Theoretically, this system sounds good, however, its vulnerabilities might cause severe financial loss. However, the security issues of this system are not regulated properly by current laws even though this system is concerned with online property, which is because current laws only deal with cash itself. To solve the problem mentioned above, we would like to explain this system in detail in chapter 2 and introduce all kinds of expected vulnerabilities and mitigation techniques of this system in chapter 3. We hope these mitigations are applied to further updates.

Ⅱ. Explanation of Points Accumulating System

As mentioned above, some small offline shop owners are getting interested in automated points accumulating systems operated in additional devices. Devices needed to operate this system are a tablet and a POS. The structure of this system is depicted in Fig. 3 above.

Fig. 3.

Structure of points accumulating system

The tablet is positioned in area 1, which can be accessed by all customers and is managed by the shop owner. The manager application is operated on the tablet which takes phone numbers from customers and then adds a certain amount of point automatically when POS allows. The shop owner has to sign-in on the application and synchronize it with a program running on a POS. Whether the connection between the POS and the tablet is direct or via the server is up to the company.

A POS device and the router are in area 2 which can be only accessed and managed by the shop owner. No customers are allowed to access and control these. In other words, area 1 is outside of checkout, area 2 is inside of checkout, and both areas represent inside of the store. The program operated on the POS monitors customers’ information and allows the tablet to add points. The shop owner also has to sign-in on the program and synchronize it with the application running on the tablet.

Information that the tablet takes is saved at a server, physically allocated in the company only for one shop, and the shop owner can use part of this information for certain purposes. The server is in area 3, which is in a remote place from the shop and only accessed by the company which provides and monitors all points system running. The shop owner cannot access the information on this server directly.

Ⅲ. Expected Vulnerabilities and Mitigations

This chapter explains the types of vulnerabilities that might exist or already exist in this system based on pre-inspections. First, this system depends on the telecommunication among nodes, the tablet, POS, and the server. So we deal with whether this system guarantee integrity, confidentiality when they exchange packets. Second, according to the static analysis of tablet applications, many companies load a light web browser in the application. It means each activity of an application is just a web page. So we thought inspections of the safety of the web are needed. Finally, non-technical security issues such as people looking down security riskiness are also addressed.

Each vulnerability has attack scenarios and expected damages. We would like to introduce them first, and then propose proper mitigation techniques that can protect against each vulnerability. The concept that classifies vulnerabilities is helpful to find out and analyze vulnerabilities, however, not all vulnerabilities can be classified into several types clearly.

3.1 Network

All communications over the Internet protocol are always threatened by the possibility of sniffing and man in the middle(MITM) attack. The sniffing attack can be conducted simply by gathering packets in the air or spoofing attack over a LAN might precede before sniffing packets. If the sniffing were successful, an attacker might be able to be a middleman and monitor all packets between them. It makes replay attack possible.

For instance, if an attacker analyzes packets and parameters of them such as a phone number and the amount of points to add, the attacker can send malformed packets to add points. On the contrary, if packets were perfectly hidden and manipulated packets were ignored by the server, the system would be secure almost absolutely. The aim of security techniques at the network level is hiding data to the third party and distinguishing fake packets perfectly.

3.1.1 Cryptographic protocol

When an user put personal information into the input fields of an webpage of the tablet to sign in, it is transmitted to the web server via a router. If this information were transmitted in plain text, it would be easily sniffed through capturing packets. This means a malicious user can easily take a random user's information and authority of a shop owner. It also leads to illegal spending and adding points by analyzing packets’ structure.

So, using cryptographic protocols such as HTTPS and SSL pinning are highly recommended because these are efficient[4] to make eavesdropping and analyzing packets difficult[5]. As a result, creating malicious malformed packets and sending it to the server get impossible. Also, the cutting-of-edge technique used to prevent bypassing SSL pinning pretty intensifies the security level. Applying three mitigations: HTTPS, SSL pinning, anti-bypassing SSL pinning simultaneously helps to construct the security level of commercial banks in the world such as Bank of America and National Australia Bank[6].

3.1.2 Dynamic Cookie Value

Updating cookie value for every communication, called set cookies dynamic, is recommended to defend replay attack. If the system is built for a client to accept new cookie values for each request and send back a request with it, a simple replay attack just sending a captured packet without manipulating parameters is impossible. Dynamic cookie forces an attacker to analyze the structure of packets and strong cryptographic protocols make packet analysis impossible. As a result, the combination of both mitigations above considerably reduces the risk of network related attack.

Fig. 4.

A request packet with cookie and parameters

Fig. 5.

A response packet renewing next cookie value

Fig. 6.

Packets captured at Korail reservation website reveal personal information without encryption[7]

Fig. 7.

Packets concealing data with TLS cryptographic method

These mitigation techniques must be applied because repeating the same attacks is not difficult and the expected damage is massive. This kind of vulnerability is discovered at Korail website for a ticket reservation and reported to the Korea Internet and Security Agency(KISA).

3.3 Social Engineering

There must be non-technical attacks that take ungiven information. There are several techniques to prevent this sort of attack, which might cause discomfort of users because it is ambiguous to distinguish normal users’ abnormal behaviors and abnormal users’ normal behaviors. For instance, a user who tries repeated wrong signing in is blocked by the system, however, the service provider doesn’t know whether this user is an attacker or the right user. If the user is the right user, the service provider just has caused inconvenience to the user. In the case of APT attacks using email, lowering the threshold of detecting suspicious email and blocking them also increase the discomfort of email service users. Finally, it leads to less frequency of blocking. Eventually, finding an appropriate point between convenience and safety comes the most significant issue.

Also, some vulnerabilities come from the ignorance for the security of the public[11]. For example, many people even don’t know they should change the admin password of a router when they introduce it to provide public AP. Similar problems might happen in this system. If a shop owner who introduces this system doesn’t change the admin password of the tablet application or the POS program, the admin authority might be easily seized by attacks such as a dictionary attack. In the worst case, an attacker might perform brute force attack for ID with fixing the password as default password. Even though changing passwords into a strong one is efficient[12], they just don’t do this. The developers should think the identification process with id and password might not be safe and devise a more secure extra identification processes. The aim of techniques at this layer is preventing possible social engineering attacks with minimizing inconvenience of users.

3.3.1 Additional Certification Process

A service provider can require an extra password when users try to use some sensitive works, which helps to mitigate damage even if account information is already leaked. For example, one of the telecommunication companies in Korea requires to set an extra password for online payment to prevent damage from SMS sniffing when using an online payment service. Also, the extra password can be replaced with one time password call OTP using SMS or Internet protocol.

3.3.2 Password Management

A service provider can force users to change password when they use the service first. As an survey, 61% of applications allow users to use default password and pretty weak password[13]. Forcing users to change default password into strong password helps to reduce damages from dictionary attacks[12].

3.3.3 Defending Brute Force Attack

Brute Force Attack is a primitive attack technique, but it is still a valid and frequent attack method on the network environment[14]. This attack might be tried if the server of the systems takes inputs and identifies using these inputs. It might not only harm confidentiality but give too much burden to the server, which is the same effect as DoS(Denial of Service) attack. There is a lot of research going on to defend this technique, however, the easiest way which a developer can apply is to use reCAPTCHA.

It is a function that presents the random text in the form of an image that cannot be read by a computer easily and allows us to keep doing works only when an input is the same text as an image. This image probabilistically distinguishes a human and a robot, which means it can delay or even cancel robots’ tasks.

We can somehow defeat damages of brute force attack if we set reCAPTCHA activated when repetitive tasks conducted by a web scrapper and a script code are detected. As an experiment, an webpage with no reCAPTCHA is easily hacked by the python macro, however, web pages with reCAPTCHA successfully defend.

Fig. 8.

An example of reCAPTCHA[15] from Google

Fig. 9.

Python code trying brute force attack

Fig. 10.

Activated reCAPTCHA when figure 9 is executed

3.3.4 Monitoring Sign-in State

We can prevent unauthorized sign-in using multiple sign-in prevention and additional authentication requests based on the location where a trial of sign-in happens. Multiple sign-in protection is a feature that prevents signing in with one account to more than one device at the same time. It considers sign-in on an extra device while already signed in as an abnormal situation and blocks, which can prevent an unauthorized extra sign-in.

If account information is leaked in a long-distance network, an attacker tries to sign in far away from the original user. Recognizing this happens, requiring additional verification and declining sign-in help to reduce the risk of account information leaks.

Ⅳ. Conclusion

This paper first explains the expansion of electronic commerce and its merits which offline shop owners covet: being easy to create a dataset of customers and products they bought, add points quickly, analyze them automatically and find out proper marketing strategies. After that, the details of the automated points accumulating system and the security issues are discussed. The potential security vulnerabilities mentioned above are mainly related to financial issues. For example, if the admin password of this system in the store were leaked, a malicious attacker could issue an unlimited amount of points. Also, a malicious attacker can spend points illegally if he or she takes user accounts information. Finally, the leak of users’ personal information causes lots of unforeseen additional damages. These kinds of security accidents have happened many times even in the system that conglomerate developed and managed[16].

There have been a lot of regulations and suggestions that emphasize secure online financial transactions. But the target of them has been just money itself, and online properties such as points were not in the spotlight. For this reason, the current point systems are pretty more vulnerable than other financial transactions on the Internet. So we emphasize the importance of managing points securely, offer potential vulnerabilities, and suggest a guideline for future development and further patches.

Acknowledgments

We thanks to anonymous reviewers and their constructive comments that help to improve this paper. This paper is improved and partially translated from the preliminary version[17], which was presented at CISC-W’19.

References

• Thompson S. H. Teo and Yuanyou Yu, "Online buying behavior: a transaction cost economics perspective", Omega, Vol. 33, No. 5, pp. 451-465, Oct. 2005. [https://doi.org/10.1016/j.omega.2004.06.002]
• How big is the global e-commerce market?, https://hackernoon.com/how-big-is-the-global-e-commerce-market-93920e61f687, [accessed : Oct. 28, 2019]
• Korea Online Shopping Association, 2015 Online Shopping Trends and Prospects, http://www.korcham.net/FileWebKorcham/OnlineSeminar/File/20151202_05.pdf, . [accessed: Oct. 28, 2019]
• Veelasha Moonsamy and Lynn Batten, "Mitigating man-in-the-middle attacks on smartphones-a discussion of SSL pinning and dnssec", Proceedings of the 12th Australian Information Security Management Conference, Edith Cowan University, Perth, Western Australia., pp. 5-13, Dec. 2014.
• Lucky Onwuzurike and Emiliano De Cristofaro, "Danger is my middle name: experimenting with SSL vulnerabilities in Android apps", Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks, ACM, Article No. 15, pp. 1-6, Jun. 2015. [https://doi.org/10.1145/2766498.2766522]
• Francisco José Ramírez-López and Ángel Jesús Varela-Vaca, et al., "A Framework to Secure the Development and Auditing of SSL Pinning in Mobile Applications: The Case of Android Devices", Entropy, Vol. 21, No. 12, pp. 1136-1136, Nov. 2019. [https://doi.org/10.3390/e21121136]
• A Vulnerability of a Website for Train Ticket Reservation on Lunar New Year’s Day, Using Plaintext Transfer Protocol, https://www.boannews.com/media/view.asp?idx=45037&kind=1, [accessed : Oct. 28, 2019]
• Marius Steffens and Christian Rossow, et al., "Don't Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild", Network and Distributed Systems Security (NDSS) Symposium 2019, San Diego, CA, USA, Feb. 2019. [https://doi.org/10.14722/ndss.2019.23009]
• Shellie Wedman, Annette Tetmeyer, and Hossein Saiedian, "An analytical study of web application session management mechanisms and HTTP session hijacking attacks", Information Security Journal: A Global Perspective, Vol. 22, No. 2, pp. 55-67, Mar. 2013. [https://doi.org/10.1080/19393555.2013.783952]
• Zhang, Jingchi, Jou, Yu-Tsern, and Li, Xiangyang, "Cross-Site Scripting (XSS) Detection Integrating Evidences in Multiple Stages", Proceedings of the 52nd Hawaii International Conference on System Sciences, pp. 1-10, Jan. 2019. [https://doi.org/10.24251/HICSS.2019.860]
• Jinsook Cho, "Likelihood to abort an online transaction: influences from cognitive evaluations, attitudes, and behavioral variables", Information & Management, Vol. 41, No. 7, pp. 827-838, Sep. 2004. [https://doi.org/10.1016/j.im.2003.08.013]
• Chun-Li LIN, Hung-Min SUN, and Tzonelih HWANG, "Attacks and solutions on strong-password authentication", IEICE transactions on communications, Vol. 84, No. 9, pp. 2622-2627, Sep. 2001.
• Brandon Knieriem and Philip Levine, et al., "An overview of the usage of default passwords", in International Conference on Digital Forensics and Cyber Crime", International Conference on Digital Forensics and Cyber Crime, Prague, Czech Republic, pp. 195-203, Oct. 2017. [https://doi.org/10.1007/978-3-319-73697-6_15]
• NAJAFABADI, Maryam M., et al., "Machine learning for detecting brute force attacks at the network level", 2014 IEEE International Conference on Bioinformatics and Bioengineering, IEEE, pp. 379-385, 2014. [https://doi.org/10.1109/BIBE.2014.73]
• Google reCaptcha Bypass Technique Uses Google’s Own Tools, https://threatpost.com/google-recaptcha-bypass-technique-uses-googles-own-tools/124006/, [accessed : Oct. 29, 2019]
• Sameer Saxena, Sonali Vyas, B. Suresh Kumar, and Shaurya Gupta, "Survey on Online Electronic Paymentss Security", 2019 Amity International Conference on Artificial Intelligence (AICAI), IEEE, Dubai, pp. 756-751, Feb. 2019. [https://doi.org/10.1109/AICAI.2019.8701353]
• Yonghyeon-Park, Minju-Jo, Namhyeong-Kim, Jaeyoung–Jeong, Kyeongmin-Lee, Junbeom-Lee, and Hongjin-Kim, "Security Methods for Secure E-Commerce: An Aspect of Online Property", CISC-W, Seoul, Korea, Nov. 2019.