Title :
Are e-commerce users defenceless?
Author :
M. Trampus;M. Ciglaric;M. Pancur;T. Vidmar
Author_Institution :
Fac. of Comput. & Inf. Sci., Ljubljana Univ., Slovenia
fDate :
6/25/1905 12:00:00 AM
Abstract :
We are interested in new kinds of threats to and attacks on e-commerce. The server side of an e-commerce platform is usually very well protected and secured. Unfortunately, this is not true for the client side. End users are usually undereducated in the field of computer security. They use Internet clients such as Web browsers and e-mail programs to do their e-commerce business. The platform used to run these programs can hardly be trusted. This paper focuses on attacks on the system and application infrastructure. The main idea of our approach is to take advantage of existing applications and attack them while they are executing. We analyze the steps that need to be taken in such attacks and point out the properties of the applications and execution environments that can be exploited. To demonstrate the findings, we present two case studies of such attacks. The first exploits a Web browser which uses SSL (Secure Sockets Layer) and the second an e-mail client which uses digital signatures. In both cases we are able to successfully perform the attack, which escapes the end user's notice. In the final part of the paper we present a possible defence against such attacks together with our work on a security enforcement system.
Keywords :
"Application software","Information science","Protection","Computer security","Internet","Computer crime","Web server","Electronic mail","Sockets","Digital signatures"
Conference_Title :
Parallel and Distributed Processing Symposium, 2003. Proceedings. International
Print_ISBN :
0-7695-1926-1
DOI :
10.1109/IPDPS.2003.1213442