Wednesday 10 June 2009

Electronic payments and security II



1. What are cookies and how are they used to improve security?

Ince (2004) notes that 'a cookie is a file which is placed on a client running a browser and which usually contains details of a particular transaction, for example the products which someone has bought from an e-tailing site.'

According to Wikipedia (2009), there are a few uses of cookies.

  • Cookies were introduced to provide a way to implement a shopping cart, a virtual device into which a user can store items they want to purchase as they navigate the site.
  • Cookies allow the server to know that the user is already authenticated, and therefore is allowed to access services or perform operations that are restricted to logged-in users.
  • Many websites also use cookies for personalization based on users' preferences.
  • Some websites use cookies to track internet users' web browsing habits for on-line advertising purposes (e.g. Google).

Users typically log in by entering their credentials into a login page; cookies then allow the server to know that the user is already authenticated, and therefore is allowed to access services or perform operations that are restricted to logged-in users. In this sense, the cookie becomes the authentication token for the user's login.

2. Can the use of cookies be a security risk?

In general, a cookie itself is not dangerous. Cookies may potentially infringe upon the host's privacy, but they are easily removed, and a tracking cookie cannot cause any system instability. However, the use of cookies might trigger the following security risks.

  • Inaccurate identification - this problem might arise when multiple users share the same user account on a computer.
  • Cookie hijacking - attackers can use packet sniffing to steal cookies that are sent back and forth over unencrypted HTTP connections, and so intercept the cookies of other users and impersonate them on the relevant websites.
  • Cookie theft - by design the cookie specifications constrain cookies to be sent back only to servers in the same domain as the server from which they originate. However, client-side scripts can redirect the values of cookies to a different server. Thus, attackers can collect the cookies of other users.
  • Cookie poisoning - while cookies are supposed to be stored and sent back to the server unchanged, an attacker may modify the value of cookies before sending them back to the server.
  • Cross-site cooking - this is similar to cookie poisoning, but the attacker exploits non-malicious users with vulnerable browsers, instead of attacking the actual site directly. The goal of such attacks may be to perform session fixation.
  • Inconsistent state on client and server - the use of cookies may generate an inconsistency between the state of the client and the state as stored in the cookie. If the user acquires a cookie and then clicks the "Back" button of the browser, the state on the browser is generally not the same as before that acquisition.
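As an added example (not part of the original post), the following Python shows the server-side countermeasures for three of the risks listed above: an HMAC tag over the session value so that cookie poisoning is detected on the way back, and the Secure, HttpOnly and SameSite attributes that keep the cookie off unencrypted connections (hijacking by sniffing) and out of reach of client-side scripts (cookie theft). The server key and cookie name are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed placeholder; a real deployment loads this from a key store.
SERVER_KEY = b"example-server-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Return 'session_id.tag' where tag = HMAC-SHA256(key, session_id)."""
    tag = hmac.new(key, session_id.encode(), hashlib.sha256).digest()
    return f"{session_id}.{_b64(tag)}"


def verify_session(cookie_value: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the session id if the tag is valid, else None (poisoned or forged)."""
    if "." not in cookie_value:
        return None
    session_id, tag_text = cookie_value.rsplit(".", 1)
    try:
        tag = _unb64(tag_text)
    except ValueError:
        return None
    expected = hmac.new(key, session_id.encode(), hashlib.sha256).digest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    return session_id if hmac.compare_digest(tag, expected) else None


def set_cookie_header(name: str, value: str) -> str:
    """Build a Set-Cookie header: Secure blocks plain-HTTP transmission,
    HttpOnly hides the cookie from client-side script, SameSite keeps it
    off cross-site requests."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Strict"


def new_session_cookie() -> str:
    """Issue a fresh, unguessable, signed session cookie for a logged-in user."""
    return set_cookie_header("SESSION", sign_session(secrets.token_urlsafe(16)))
```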

References

Ince, D 2004, Developing distributed and e-commerce applications, 2nd edn, Harlow, Essex, UK: Addison-Wesley, pp. 305-306.

Wikipedia 2009, HTTP cookie, Wikipedia, The free encyclopedia, last modified 3 June 2009, Wikimedia Foundation, Inc., US, viewed 7 June 2009, <http://en.wikipedia.org/wiki/Intrusion_detection_system>.
