This document discusses security issues related to e-commerce. It outlines various types of attacks that can target e-commerce sites, including denial of service attacks, botnets, distributed denial of service attacks, brute force attacks, and web server/page hijacking. It also discusses viruses, worms, and trojans as threats. The document then describes technologies that can help secure e-commerce, including network service layers (e.g. firewalls), encryption, secure authentication (e.g. digital signatures), and security protocols like SSL and SET.

Uploaded by Nic Tan
License: Attribution Non-Commercial (BY-NC)

Task 4 – Report of the Security Issues

1.0 Introduction

E-commerce was one of the significant end-products of the Internet. With E-commerce, customers have a broader choice of products and pricing; they are not limited to one region or country. They can order and pay online and track the goods throughout the delivery process (Smith, 2004). In addition to eliminating business intermediaries and providing service 24 hours a day, seven days a week, E-commerce has given customers a satisfying alternative to traditional physical shops (Turban et al, 2008).

However, ever since the emergence of the Internet, the battle between "angels and devils", Internet users and programmers versus con men and hackers, has never abated; it only escalates to a higher level by the minute. In spite of all the positives, E-commerce has downsides. Hackers can attack websites at will from anywhere in the world. They can deface web pages, knock a site down with a denial of service (DoS) attack, or penetrate the web servers (Smith, 2004). In many cases they can download credit card and other sensitive information to use in fraud or simply to embarrass an organisation. They can also plant viruses and Trojan programs on the machines, install back doors, and steal client passwords (Smith, 2004).

2.0 Security Issues

The following elements should be included in an E-commerce security model (Qingping et al, 2009):

1. Authenticity and validity: the identity used in the transaction must be real and applicable.
2. Integrity: preventing the information from being created, modified or deleted without authorisation, as well as avoiding the loss and repetition of the information during the
3. Confidentiality: suitable security solutions are indispensable to prevent the revelation of commercial secrets.
4. Reliability and non-repudiation: guaranteeing that validated users' access to the information and resources will not be rejected.

Before developing an E-commerce platform, Razvan and Eduard (2010) suggested that the company must take an overview of the server-side problems, transaction problems, client-side problems, and legal and regulatory problems which may appear in the transactions. Transaction issues are essential for building consumer confidence in an E-commerce site. They include the organisation's ability to ensure privacy, authenticity, integrity and availability, and to block unwanted intrusions (Marchany and Tront, 2002).

According to Turban et al (2008), the attacks in the E-commerce world can be divided into two types: nontechnical and technical. An example of a nontechnical attack is social engineering, a type of attack that uses tricks to get users to disclose private information or to perform an action that compromises a computer or network. For instance, phishing can rely on social engineering by posting links to fake websites on social networks.

Technical attacks make use of software and systems knowledge (Turban et al, 2008). These attacks can be classified into several types: denial of service, zombies, phishing, web server hijacking, viruses, worms, spyware, and so on. For example, malicious spyware may operate unnoticed on a user's computer for its own purposes.

2.1 Denial of Service Attacks

Denial of Service (DoS) attacks consist of overwhelming a server, a network or a website in order to paralyse its normal activity (Lejeune, 2002). A major difficulty in defending against these attacks is tracing the source of the attack, as they often use changing or spoofed IP source addresses to mask the origin of the attack (Kim and Kim, 2006).

A DoS attack can make a particular website run at a very low speed and compromise its availability. One attack style is the ICMP flood (Smurf attack), where perpetrators send large numbers of IP packets with the source address faked to appear to be the address of the victim. The network's bandwidth is quickly used up, preventing legitimate packets from getting through to their destination.

2.2 Botnets and Distributed Denial-of-Service Attacks

A botnet is a huge number of hijacked Internet computers that have been set up to forward traffic, including spam and viruses, as well as to carry out DoS attacks (Turban et al, 2008).

Distributed Denial of Service (DDoS) attacks are the greatest security fear for E-commerce owners. Within a few minutes, large numbers of zombie computers can flood the victim website, choking out legitimate traffic (Tariq et al., 2006). A DDoS attack occurs when multiple compromised systems flood the bandwidth or resources of a targeted system, usually one or more web servers. The most famous DDoS attacks occurred in February 2000, when websites including Yahoo, Buy.com, eBay, Amazon and CNN were attacked and left unreachable for several hours each (Todd, 2000).

2.3 Brute Force Attacks

A brute force attack is a method of bypassing a cryptographic scheme by trying a large number of possibilities; for example, trying a large number of the possible keys in a key space in order to decrypt a message. In 2007, the Internet infrastructure in Estonia was brought down by sustained brute force attacks against commercial institutions and the government in that country (Sausner, 2008).

These attacks use a server redirection technique. Unsuspecting users are taken over and redirected to a scam or phishing site. This exploit allows any webmaster, including a criminal, to have his or her "virtual page" rank in place of the pages belonging to the original site (Turban et al, 2008).

2.5 Viruses, Worms and Trojans

Unless a sound virus-protection strategy is used by the E-commerce solutions firm, these malicious agents can compromise the credibility of all E-commerce services (Razvan and Eduard, 2010). Viruses can breed within systems and multiply at extreme speed; at worst, they can cripple the entire system. A virus is a piece of software code that enters a host, including the operating system, and waits for events to trigger its execution (Turban et al). Unlike viruses, worms multiply by themselves and run independently, whereas Trojan horses allow a remote user to control, examine and monitor any information on the target PC. At first, a Trojan horse can appear to be a useful program.

3.0 E-commerce Security Technology

The technology that helps secure E-commerce can be divided into two major groups: that designed to secure the communication across the network, and that designed to protect the servers and clients on the network (Turban et al, 2008).

The network is the basis of E-commerce systems, so the network service layer is the first layer of an E-commerce security system. Secondly, encryption and authentication methods are essential to ensure E-commerce security. Thirdly, the security protocol layer is the comprehensive application of encryption technology and security control technology. The layers are interdependent and interrelated, and together they achieve the security of E-commerce systems (Qingping et al, 2009).

3.1 Network Service Layer

The technologies designed to protect the servers and clients on the network fall into the category of the network service layer, which is the most fundamental for E-commerce system security. Network security involves many aspects, such as firewall technology, network monitoring, network vulnerability scans and various anti-hacking technologies. Among these, firewall technology is the most essential: it builds a protective barrier between the internal network and the public network through a combination of hardware and software. It uses defined policies to filter, analyse and audit network data in order to restrict outside users' access to internal network data and to manage inside users' privileges on the external public network.

3.2 Encryption Technology Layer

The technologies designed to secure communication across the network keep the danger of a breach of confidentiality at bay; the most effective technique for masking a message is encryption. In E-commerce, encryption technology is the primary means of preventing unauthorised information leakage. Simply speaking, it is the use of cryptographic algorithms to reorganise data so that anyone other than the legitimate receiver finds it difficult to understand the real content of the information. Encryption consists of a cipher algorithm and a key. A cipher algorithm is a set of mathematical formulas, rules or procedures. Examples of encryption technology are symmetric and asymmetric encryption (Qingping et al, 2009).

3.3 Secure Authentication Layer

Secure authentication technology is a necessary means of ensuring that the identities of the two parties in E-commerce activities, and the documents they use, are authentic. Secure authentication technology includes digital digests, digital signatures, digital certificates, digital time-stamping, digital envelopes, and so on. For instance, the digital digest addresses the problem of information integrity: it uses a hash function to transform information of any length into a short value of fixed length.

3.4 Security Protocol Layer

In order to guarantee the security of E-commerce, besides all kinds of security control technology, a sound secure transaction protocol is needed; the typical ones are SSL and SET. SSL (Secure Socket Layer) is a network security protocol developed by Netscape. SSL uses public-key and private-key technology to guarantee that the Web server can carry on secret and complete correspondence with the client. SET (Secure Electronic Transaction) is an industry standard used in E-commerce, promoted by the two big American credit card companies Visa and MasterCard. SET was designed to address transaction agreement, information security, completeness of the material, and ID authentication of credit cards in E-commerce transactions.

4.0 Conclusion

To solve the security problems of E-commerce and develop a sound E-commerce security system, security technology alone is not enough. E-commerce regulation and law, social credibility, and the ethics and education standards throughout society all influence the business. Therefore, it is essential for E-commerce owners to regularly update their systems and expertise so that the system always keeps up with its opponents, the hackers and scammers.
