Unit IV

E-commerce businesses face many security threats that can result in fraud and loss of data. The top threats include financial fraud like credit card fraud, phishing scams, spamming malware, exploitation of vulnerabilities, and denial of service attacks. As mobile commerce (m-commerce) grows, these threats also affect purchases made on smartphones and tablets. While m-commerce offers increased convenience and a larger customer base, it also brings new security risks if user interfaces and payment options are not designed and secured properly.
Unit IV

Threats in E-commerce
E-commerce security threats are causing havoc in online trading. The industry experiences up to 32.4%
of all successful threats annually. Hackers usually target e-commerce store admins, users, and
employees using a myriad of malicious techniques. The major security threats/issues are as follows:
1. Financial frauds
Ever since the first online businesses entered the world of the internet, financial fraudsters have been
giving businesses a headache. There are various kinds of financial frauds prevalent in the e-commerce
industry, but we are going to discuss the two most common of them.
a. Credit Card Fraud
It happens when a cybercriminal uses stolen credit card data to buy products on your e-commerce
store. Usually, in such cases, the shipping and billing addresses differ. You can detect and curb such
activities on your store by installing an AVS (Address Verification System).
Another form of credit card fraud is when the fraudster steals your personal details and identity to
enable them to get a new credit card.
b. Fake Return & Refund Fraud
The bad players perform unauthorized transactions and clear the trail, causing businesses great losses.
Some hackers also engage in refund frauds, where they file fake requests for returns.
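The address-mismatch and AVS checks described above, worked through as an order-screening routine. This is an added example, not code from the notes; the AVS letter codes follow the common issuer convention (Y street and ZIP match, A street only, Z ZIP only, N no match), while the scoring weights and thresholds are assumptions chosen for illustration.

```python
"""Order screening for card-not-present fraud (added example, not from the notes).

Combines two signals: whether the shipping address differs from the billing
address, and the Address Verification System (AVS) result returned by the card
issuer. Risk weights and thresholds below are assumptions for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Address:
    street: str
    city: str
    postal_code: str
    country: str


def normalize(text: str) -> str:
    """Lower-case, strip punctuation and collapse whitespace so that
    '12 Main St.' and '12 main st' compare equal."""
    text = re.sub(r"[^\w\s]", "", text.lower())
    return " ".join(text.split())


def addresses_match(a: Address, b: Address) -> bool:
    return all(
        normalize(getattr(a, f)) == normalize(getattr(b, f))
        for f in ("street", "city", "postal_code", "country")
    )


# AVS result code -> (street matched, postal code matched); common issuer convention
AVS_CODES = {
    "Y": (True, True),
    "A": (True, False),
    "Z": (False, True),
    "N": (False, False),
}


def screen_order(billing: Address, shipping: Address, avs_code: str, amount: float) -> dict:
    """Return a risk score, a decision and the reasons for it.

    A failed AVS street check is the strongest signal, a billing/shipping
    mismatch adds risk, and large orders raise it further (weights assumed).
    """
    street_ok, zip_ok = AVS_CODES.get(avs_code.upper(), (False, False))
    score, reasons = 0, []
    if not street_ok:
        score += 40
        reasons.append("avs_street_mismatch")
    if not zip_ok:
        score += 30
        reasons.append("avs_zip_mismatch")
    if not addresses_match(billing, shipping):
        score += 20
        reasons.append("ship_to_differs_from_bill_to")
    if amount >= 500:
        score += 10
        reasons.append("high_value")
    decision = "approve" if score < 30 else "review" if score < 60 else "decline"
    return {"score": score, "decision": decision, "reasons": reasons}
```

Orders that land in "review" are the ones worth a manual check before shipping rather than an automatic decline.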
2. Phishing
Several e-commerce shops have received reports of their customers receiving messages or emails from
hackers masquerading as the legitimate store owners. Such fraudsters present fake copies of your
website pages or of another reputable website to trick users into trusting them. For example, see the
image below: a seemingly harmless, authentic-looking email from PayPal asking the recipient to provide details.
3. Spamming
Some bad players can send infected links via email or social media inboxes. They can also leave these
links in their comments or messages on blog posts and contact forms. Once you click on such links,
they will direct you to their spam websites, where you may end up being a victim. Apart from lowering
your website security, spamming also reduces its speed and severely affects performance.
4. DoS & DDoS Attacks
Many e-commerce websites have incurred losses due to disruptions in their website and overall sales
because of DDoS (Distributed Denial of Service) attacks. What happens is that your servers receive a
deluge of requests from many untraceable IP addresses, causing them to crash and making the store
unavailable to your visitors.
5. Malware
Hackers may design malicious software and install it on your IT and computer systems without your
knowledge. These malicious programs include spyware, viruses, Trojans, and ransomware.
The systems of your customers, admins, and other users might have Trojan horses downloaded on
them. These programs can easily swipe any sensitive data present on the infected systems
and may also infect your website.
6. Exploitation of Known Vulnerabilities
Attackers are on the lookout for certain vulnerabilities that might exist in your e-commerce store.
Often an e-commerce store is vulnerable to SQL injection (SQLi) and Cross-site Scripting (XSS). Let's
take a quick look at these vulnerabilities:
a. SQL Injection
It is a malicious technique where a hacker attacks your query submission forms to gain access to
your backend database. They corrupt your database with injected code, collect data, and later wipe
out the trail.
b. Cross-Site Scripting (XSS)
The attackers can plant a malicious JavaScript snippet on your e-commerce store to target your online
visitors and customers. Such scripts can access your customers' cookies and more. You can
implement a Content Security Policy (CSP) to prevent such attacks.
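The two vulnerabilities above, made concrete: a product-search query written the injectable way beside its parameterized form, and the Content Security Policy header the notes recommend against XSS. This is an added example, not code from the notes; the SQLite table, its rows and the payment-provider host in the CSP are constructed placeholders.

```python
"""SQL injection on a product search form, vulnerable and fixed, plus a CSP
header against XSS (added example, not from the notes). Uses an in-memory
SQLite database filled with constructed rows.
"""
import sqlite3

# Constructed sample inventory; the 'secret' row must never be exposed by search.
ROWS = [
    (1, "blue t-shirt", "public"),
    (2, "red hoodie", "public"),
    (3, "unreleased sneaker", "secret"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", ROWS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # BAD: user input is concatenated into the SQL text, so a quote in `term`
    # ends the string literal and the rest of the input rewrites the WHERE clause.
    sql = ("SELECT name FROM products WHERE visibility = 'public' "
           f"AND name LIKE '%{term}%'")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    # GOOD: the term is a bound parameter; the driver never lets it change the
    # query structure, so the same input simply matches no product name.
    sql = ("SELECT name FROM products WHERE visibility = 'public' "
           "AND name LIKE '%' || ? || '%'")
    return [row[0] for row in conn.execute(sql, (term,))]


def csp_header(script_hosts: tuple = ()) -> str:
    """Build a Content-Security-Policy value that blocks inline scripts (the
    usual XSS payload) and allows scripts only from the page's own origin plus
    explicitly listed hosts, e.g. a payment provider (placeholder in the test)."""
    script_src = " ".join(("'self'",) + tuple(script_hosts))
    return (f"default-src 'self'; script-src {script_src}; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")
```

Send the CSP value in the `Content-Security-Policy` response header of every page; the `script-src` list is also what limits which third-party scripts a checkout page will load.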
7. Bots
Some attackers develop special bots that can scrape your website to get information about inventory
and prices. Such hackers, usually your competitors, can then use the data to lower or modify the prices
in their websites in an attempt to lower your sales and revenue.
8. Brute force
The online environment also has players who can use brute force to attack your admin panel and crack
your password. These fraudulent programs connect to your website and try out thousands of
combinations in an attempt to obtain your site's passwords. Always use strong, complex
passwords that are hard to guess. Additionally, change your passwords frequently.
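A server-side defence against the password guessing described above, as an added example that is not part of the notes: failed logins are counted per account and per source address in a sliding window, and a locked key refuses further attempts even when a later guess is correct. The thresholds and window lengths are assumptions chosen for illustration.

```python
"""Failed-login throttling for an admin panel (added example, not from the notes).
Thresholds and window lengths are assumptions for illustration.
"""
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # failures allowed within the window before locking
WINDOW_SECONDS = 300    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # how long a locked key stays blocked


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self._clock = clock                    # injectable for testing
        self._failures = defaultdict(deque)    # key -> timestamps of failures
        self._locked_until = {}                # key -> time the lock expires

    def _prune(self, key: str, now: float) -> None:
        q = self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, key: str) -> bool:
        now = self._clock()
        until = self._locked_until.get(key)
        if until is not None and now < until:
            return True
        self._locked_until.pop(key, None)      # expired lock, forget it
        return False

    def record_failure(self, key: str) -> None:
        now = self._clock()
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT_SECONDS
            self._failures[key].clear()

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)


def attempt_login(throttle: LoginThrottle, username: str, client_ip: str,
                  password_ok: bool) -> str:
    """Return 'locked', 'ok' or 'denied'. Both the account and the source address
    are throttled: one address cannot spray many accounts, and many addresses
    cannot hammer one account, without hitting a lock."""
    keys = (f"user:{username}", f"ip:{client_ip}")
    if any(throttle.is_locked(k) for k in keys):
        return "locked"                        # refused even if password is right
    if password_ok:
        for k in keys:
            throttle.record_success(k)
        return "ok"
    for k in keys:
        throttle.record_failure(k)
    return "denied"
```

Log every "locked" result with the account and address; a burst of them is the detection signal for a brute-force campaign in progress.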
9. Man in The Middle (MITM)
A hacker may listen in on the communication taking place between your e-commerce store and a user.
Walgreens Pharmacy Store experienced such an incident. If the user is connected to a vulnerable Wi-
Fi or network, such attackers can take advantage of that.
10. e-Skimming
E-skimming involves infecting a website’s checkout pages with malicious software. The intention is
to steal the clients’ personal and payment details.
M-commerce
M-commerce (mobile commerce) is the buying and selling of goods and services through wireless
handheld devices such as smartphones and tablets. M-commerce is a form of e-commerce that enables
users to access online shopping platforms without the use of a desktop computer.
Examples of m-commerce are as follows:
• Financial services: Mobile banking and brokerage transactions are done from mobile devices.
• Telecommunications: Handheld devices are used to make service changes and bill payments,
and to do account reviews.
• Service and retail: Consumers place and pay for orders on-the-fly through online stores.
• Information services: Financial, sports, traffic, weather and many other news updates are
accessed through mobile devices.
Types of m-commerce
M-commerce is categorized based on the following three basic functions:
• Mobile shopping: enables customers to buy a product using a mobile device with an
application such as Amazon or a web app. A subcategory of mobile shopping is app commerce,
which is a transaction that takes place over a native app.
• Mobile banking: is online banking designed for handheld technology. It enables customers to
access accounts and brokerage services, conduct financial transactions, pay bills and make
stock trades. This is typically done through a secure, dedicated app provided by the banking
institution. Mobile banking services may use SMS or chatbots and other conversational app
platforms to send out alerts and track account activities. For example, the WhatsApp chatbot
lets customers view their account balance, transfer funds, review loans and conduct other
transactions in real time through WhatsApp.
• Mobile payments: are an alternative to traditional payment methods, such as cash, check,
credit and debit cards. They enable users to buy products in person using a mobile device.
Digital wallets, such as Apple Pay, let customers buy products without swiping a card or paying
with cash. Mobile payment apps, such as PayPal, Venmo and Xoom serve the same purpose
and are popular options. Mobile consumers also use QR codes to pay for things on their mobile
phones. With mobile payments, users send money directly to the recipient's cell phone number
or bank account.
Advantages and Disadvantages of m-commerce
The advantages of m-commerce include the following:
• Large customer base: M-commerce provides for a larger customer base and better retention
than e-commerce in general, because m-commerce capabilities are more widely and easily
accessible. Also, mobile analytics offers insights into customer shopping behavior, pattern and
history. To boost retention rates, businesses can use this data to target shoppers with
personalized offers and tailor-made discounts.
• Convenience: M-commerce makes it easier for customers to compare prices, read reviews and
make purchases when and where they want to do these things.
• Product variety: Customers can browse through a huge inventory of products while also
taking advantage of the competitive pricing.
• Automation: M-commerce automates a business's point of customer contact and sales with a
variety of mobile contactless payment options, such as Apple Pay, PayPal One Touch and Visa
Checkout. Many e-commerce sites also offer one-click checkout process functionality, which
enables users to add payment information only once and then use the one-click option for every
purchase made thereafter.
• Omnichannel experience: M-commerce creates an omnichannel experience where products
can be sold via multiple channels -- e-commerce websites, Amazon, eBay, Instagram. This
approach makes it easier for customers to buy whenever and wherever they want.
Disadvantages of m-commerce include the following:
• Poor execution: The smaller screens of mobile phones and tablets require specific navigation
functionality. Consequently, intuitive mobile user interfaces are complicated and expensive to
design. A poorly executed mobile customer experience can frustrate customers and deter them
from making purchases.
• Payment issues: Mobile payment options are not available in every geographic location and
may not support every type of digital wallet.
• Tax compliance: Businesses must know and comply with tax laws and regulations of all
countries they ship to. Some businesses will avoid this by only authorizing purchases from and
shipping to their country of origin.
• Security vulnerabilities: Many users are still hesitant to make purchases over a mobile device
because of security risks. Even with two-factor authentication, mobile fraud is on the rise and
many merchants have still not adopted fraud prevention practices for the smaller screen.
Attacks, such as SIM swaps and mobile malware, are becoming more common and can
discourage users from making payments through their mobile devices.
E-commerce vs M-commerce
M-computing
Mobile Computing is a technology that provides an environment that enables users to transmit data
from one device to another device without the use of any physical link or cables.
In other words, mobile computing allows transmission of data, voice and video via a
computer or any other wireless-enabled device without being connected to a fixed physical link. In
this technology, data transmission is done wirelessly with the help of wireless devices such as mobile
phones, laptops, etc.
It is only because of mobile computing technology that you can access and transmit data from
remote locations without being present there physically. Mobile computing technology provides a vast
coverage area for communication. It is one of the fastest and most reliable sectors of the computing
technology field.
The concept of Mobile Computing can be divided into three parts:
• Mobile Communication
• Mobile Hardware
• Mobile Software
Mobile Communication
Mobile Communication specifies a framework that is responsible for the working of mobile computing
technology. In this case, mobile communication refers to an infrastructure that ensures seamless and
reliable communication among wireless devices. This framework ensures the consistency and
reliability of communication between wireless devices. The mobile communication framework
consists of components such as protocols, services, bandwidth, and portals necessary to
facilitate and support the stated services. These components are responsible for delivering a smooth
communication process.
Mobile communication can be divided in the following four types:
• Fixed and Wired: In Fixed and Wired configuration, the devices are fixed at a position, and
they are connected through a physical link to communicate with other devices. For Example,
Desktop Computer.
• Fixed and Wireless: In Fixed and Wireless configuration, the devices are fixed at a position,
and they are connected through a wireless link to make communication with other devices. For
Example, Communication Towers, WiFi router.
• Mobile and Wired: In Mobile and Wired configuration, some devices are wired and some are
mobile, and they communicate with each other. For Example, Laptops.
• Mobile and Wireless: In Mobile and Wireless configuration, the devices can communicate
with each other irrespective of their position. They can also connect to any network without
the use of any wired device. For Example, WiFi Dongle.
Mobile Hardware
Mobile hardware consists of mobile devices or device components that can be used to receive or
access the service of mobility. Examples of mobile hardware can be smartphones, laptops, portable
PCs, tablet PCs, Personal Digital Assistants, etc.
Mobile Software
Mobile software is a program that runs on mobile hardware. It is designed to deal capably with the
characteristics and requirements of mobile applications. It is the operating system of the
mobile device; in other words, it is the heart of the mobile system. It is
an essential component that operates the mobile device.
Mobile Computing Applications
Following is a list of some significant fields in which mobile computing is generally applied:
• Web or Internet access.
• Global Position System (GPS).
• Emergency services.
• Entertainment services.
• Educational services.
Mobile Information Devices
Some of the most common forms of mobile computing devices are as follows.
• Portable computers: compact, lightweight units including a full character set keyboard and
primarily intended as hosts for software that may be parametrized, such as laptops, notebooks, notepads,
etc.
• Mobile phones: including a restricted key set, primarily intended for, but not restricted to, vocal
communications, such as cell phones, smartphones, etc.
• Wearable computers: mostly limited to functional keys and primarily intended as incorporation of
software agents, such as watches, wristbands, necklaces, keyless implants, etc.
• Carputer: a carputer or car PC is a category of mobile computer or tablet designed or modified
specifically to be installed and run in cars.
Wireless Application Protocol (WAP)
WAP stands for Wireless Application Protocol. It is a protocol designed for micro-browsers and it
enables internet access on mobile devices. It uses the mark-up language WML (Wireless
Markup Language, not HTML); WML is defined as an XML 1.0 application. It enables creating web
applications for mobile devices. In 1998, the WAP Forum was founded by Ericsson, Motorola, Nokia and
Unwired Planet, whose aim was to standardize the various wireless technologies via protocols.
The WAP protocol resulted from the joint efforts of the various members of the WAP Forum. In 2002, the WAP
Forum merged with various other industry forums, resulting in the formation of the Open Mobile
Alliance (OMA).
WAP Model:
The user opens the mini-browser on a mobile device and selects a website that they want to view. The
mobile device sends the URL-encoded request via the network to a WAP gateway using the WAP protocol.
The WAP gateway translates this WAP request into a conventional HTTP URL request and sends it
over the internet. The request reaches the specified web server, which processes it just as it
would process any other request and sends the response back to the mobile device through the
WAP gateway as a WML file, which is displayed in the micro-browser.
WAP Protocol Stack/Technology:

Application Layer:
This layer contains the Wireless Application Environment (WAE). It contains mobile device
specifications and content development programming languages like WML.
Session Layer:
This layer contains Wireless Session Protocol (WSP). It provides fast connection suspension and
reconnection.
Transaction Layer:
This layer contains Wireless Transaction Protocol (WTP). It runs on top of UDP (User Datagram
Protocol) and is a part of TCP/IP and offers transaction support.
Security Layer:
This layer contains Wireless Transaction Layer Security (WTLS). It offers data integrity, privacy and
authentication.
Transport Layer:
This layer contains Wireless Datagram Protocol. It presents consistent data format to higher layers of
WAP protocol stack.
Web Security
Web security refers to protecting networks and computer systems from damage to or the theft of
software, hardware, or data. It includes protecting computer systems from misdirecting or disrupting
the services they are designed to provide.
Web security is synonymous with cybersecurity and also covers website security, which involves
protecting websites from attacks. It includes cloud security and web application security, which defend
cloud services and web-based applications, respectively. Protection of a virtual private network (VPN)
also falls under the web security umbrella.
Web security is crucial to the smooth operation of any business that uses computers. If a website is
hacked or hackers are able to manipulate your systems or software, your website—and even your
entire network—can be brought down, halting business operations.
Firewall
A firewall is a security device — computer hardware or software — that can help protect your network
by filtering traffic and blocking outsiders from gaining unauthorized access to the private data on your
computer. Not only does a firewall block unwanted traffic, it can also help block malicious software
from infecting your computer.
What does a firewall do?
A firewall acts as a gatekeeper. It monitors attempts to gain access to your operating system and blocks
unwanted traffic or unrecognized sources.
How does it do this? A firewall acts as a barrier or filter between your computer and another network
such as the internet. You could think of a firewall as a traffic controller. It helps to protect your network
and information by managing your network traffic. This includes blocking unsolicited incoming
network traffic and validating access by assessing network traffic for anything malicious like hackers
and malware.
Your operating system and your security software usually come with a pre-installed firewall. It’s a
good idea to make sure those features are turned on. Also, check your security settings to be sure they
are configured to run updates automatically.
How does a firewall work?
To start, a firewalled system analyzes network traffic based on rules. A firewall only welcomes those
incoming connections that it has been configured to accept. It does this by allowing or blocking specific
data packets — units of communication you send over digital networks — based on pre-established
security rules.
A firewall works like a traffic guard at your computer’s entry point, or port. Only trusted sources, or
IP addresses, are allowed in. IP addresses are important because they identify a computer or source,
just like your postal address identifies where you live.
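The rule-based filtering described above, worked through as a first-match packet filter. This is an added example, not code from the notes; the rule set, networks and ports are constructed for a small web shop, and anything no rule covers falls through to a default deny.

```python
"""A packet-filtering firewall in miniature (added example, not from the notes).
Rules are evaluated top to bottom against a packet's protocol, source network
and destination port; the first matching rule decides, and packets no rule
covers are denied by default. Rules and addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str          # source IP address
    dst_port: int     # destination port


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str = "any"          # "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"      # CIDR of sources this rule applies to
    dst_ports: tuple = ()       # empty tuple = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        return not self.dst_ports or pkt.dst_port in self.dst_ports


# Constructed rule set: a known-bad range is dropped first, public web traffic is
# accepted from anywhere, SSH only from the office network, all else denied.
RULES = [
    Rule("deny", src="203.0.113.0/24"),
    Rule("allow", proto="tcp", dst_ports=(80, 443)),
    Rule("allow", proto="tcp", src="198.51.100.0/24", dst_ports=(22,)),
]
DEFAULT_ACTION = "deny"


def filter_packet(pkt: Packet, rules=RULES) -> tuple:
    """Return (action, index of the deciding rule); index is None for the
    default deny, which is what a log entry should record as 'unmatched'."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return DEFAULT_ACTION, None
```

Rule order matters: the deny for the bad range sits above the web allow, so a packet from that range to port 443 is still dropped.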
Types of firewalls
There are software and hardware firewalls. Each format serves a different but important purpose. A
hardware firewall is physical, like a broadband router — stored between your network and gateway.
A software firewall is internal — a program on your computer that works through port numbers and
applications.
There also are cloud-based firewalls, known as Firewall as a Service (FaaS). One benefit of cloud-
based firewalls is that they can grow with your organization and, similar to hardware firewalls, do well
with perimeter security.

There are several different types of firewalls based on their structure and functionality. Here are the
various firewalls you can implement, depending on the size of your network and the level of security
you need.
• Packet-filtering firewalls
• Proxy service firewalls
• Stateful multi-layer inspection (SMLI) firewalls
• Unified threat management (UTM) firewalls
• Next-generation firewalls (NGFW)
• Network address translation (NAT) firewalls
• Virtual firewalls
Client-server Network
A client-server network is the medium through which clients access resources and services from a
central computer via either a Local Area Network (LAN) or a Wide Area Network (WAN), such as
the internet. A dedicated server process called a daemon may be employed for the sole purpose of awaiting client
requests; when one arrives, a network connection is initiated and held until the client request has been fulfilled.
It is a computer network in which one centralized, powerful computer (called server) is a hub to which
many less powerful personal computers or workstations (called clients) are connected. The clients run
programs and access data that are stored on the server.

Firewall and Network Security


Client-server security uses various authentication methods to make sure that only valid users and
programs have access to information resources such as databases.
Access control mechanisms must be set up to ensure that properly authenticated users are allowed to
access only those resources that they are entitled to use. Such mechanisms include firewalls,
password protection, encryption, etc.
Emerging Client-server Security Threats
• Malware
• Ransomware
• Viruses
• Trojans
• Worms
• Spyware
• Adware
• IoT Device Attacks
• Phishing
• Distributed Denial of Services (DDoS)