Chapter 4

E-commerce faces security threats from criminals seeking to profit illegally. The internet allows anonymous theft and vulnerabilities exist for clients, servers, and communication pipelines. Common threats include malware, identity theft, hacking, fraud, and denial of service attacks undermining integrity, authenticity, privacy and availability. Strong security requires coordinated technologies, policies, standards, and laws to protect the e-commerce environment from these risks.


E-commerce Security

The E-commerce Security Environment

 For most law-abiding citizens, the Internet holds the promise of a huge, convenient, global marketplace, providing access to people, goods, services and businesses worldwide, at a bargain price
 For criminals, the Internet has created entirely new – and lucrative – ways to steal from the more than a billion customers worldwide
 It is less risky to steal online, where the thief can remain anonymous
 The Internet is an open network whose original design did not build in security
 The actions of cybercriminals are costly for both businesses and consumers
What Is Good E-commerce Security?

 To achieve the highest degree of security:
 New technologies that are available should be used
 Organizational policies and procedures are required to ensure the technologies are not subverted
 Industry standards and government laws are required to enforce payment mechanisms, and to investigate and prosecute violators of the law
 Other factors:
 Time value of money
 Cost of security vs. potential loss
 Security often breaks at the weakest link
The E-commerce Security Environment
Dimensions of E-commerce Security

 Six key dimensions: integrity, nonrepudiation, authenticity, confidentiality, privacy, and availability
 Integrity refers to the ability to ensure that information being displayed on a Web site, or transmitted or received over the Internet, has not been altered in any way by an unauthorized party
 Nonrepudiation refers to the ability to ensure that e-commerce participants cannot deny (repudiate) their online actions
 Authenticity refers to the ability to verify the identity of a person or entity with whom you are dealing on the Internet
Dimensions of E-commerce Security

 Confidentiality refers to the ability to ensure that messages and data are available only to those who are authorized to view them
 Privacy refers to the ability to control the use of information about oneself
 Availability refers to the ability to ensure that an e-commerce site continues to function as intended
 E-commerce security is designed to protect these six dimensions; when any one of them is compromised, it is a security issue
The Tension Between Security and Other Values

 Computer security adds overhead and expense to business operations, and the same technologies give criminals new opportunities to hide their intentions and their crimes
 Ease of use
 The more security measures added, the more difficult a site is to use, and the slower it becomes
 Public safety and criminal uses of the Internet
 The Internet is both anonymous and pervasive; criminals use the same technology to plan crimes or to threaten nation-states
Security Threats in the E-commerce Environment

 Three key points of vulnerability in the e-commerce environment:
1. Client
2. Server
3. Communications pipeline (Internet communications channels)
Security Threats in the E-commerce Environment

 Three key points of vulnerability: the client, the server, and the communications pipeline
 Some of the most common and most damaging forms of security threats to e-commerce consumers and site operators:
 Malicious code
 Unwanted programs
 Phishing and identity theft
 Hacking and cybervandalism
 Credit card fraud/theft
 Spoofing (pharming)
 Spam (junk) Web sites
 Denial of Service (DoS)
 Distributed Denial of Service (DDoS)
 Sniffing
 Insider attacks
 Poorly designed server and client software
A Typical E-commerce Transaction
Vulnerable Points in an E-commerce Transaction
Security Threats in the E-commerce Environment

 Malicious Code:
 Sometimes referred to as “malware”
 Includes a variety of threats such as viruses, worms, Trojan horses, ransomware and bots
 A virus is a computer program that has the ability to replicate, or make copies of itself, and spread to other files; in addition, most computer viruses deliver a “payload”; the payload may be relatively benign, such as the display of a message or image, or it may be highly destructive – destroying files, reformatting the computer’s hard drive, or causing programs to run improperly
Security Threats in the E-commerce Environment

 Computer viruses fall into several major categories: macro viruses, file-infecting viruses and script viruses
 Macro viruses are application specific, meaning that the virus affects only the application for which it was written
 File-infecting viruses infect executable files, such as .com, .exe, .drv, and .dll
 Script viruses are written in scripting languages; the virus is activated simply by double-clicking an infected script file; for example, the ILOVEYOU virus (also known as the Love Bug)
Security Threats in the E-commerce Environment

 Instead of just spreading from file to file, a worm is malware that is designed to spread from computer to computer; a worm does not necessarily need to be activated by a user or program in order to replicate itself
 A Trojan horse is a software program that appears to be benign, but then does something other than expected; the Trojan horse is not itself a virus because it does not replicate, but it is often a way for viruses or other malicious code such as bots or rootkits (programs whose aim is to subvert control of the computer’s operating system) to be introduced into a computer system
Security Threats in the E-commerce Environment

 Bots (short for robots) are a common kind of malicious code that can be covertly installed on your computer while it is attached to the Internet; once installed, the bot responds to external commands sent by the attacker
 Botnets are collections of captured computers used for malicious activities
 Ransomware (often grouped with scareware) locks the computer or its files to stop you from accessing them, and displays a notice demanding payment to unlock the computer
Security Threats in the E-commerce Environment

 Unwanted Programs:
 Unwanted programs such as adware, browser parasites,
spyware, and other applications install themselves on a
computer, typically without the user’s informed consent; once
installed, these applications are usually exceedingly difficult to
remove from the computer
 Adware is typically used to display pop-up ads when the user visits certain sites
 Browser parasite is a program that can monitor and change
the settings of a user’s browser
 Spyware is a program used to obtain information such as
user’s keystrokes, copies of e-mail and instant messages, and
even take screenshots
Security Threats in the E-commerce Environment

 Phishing and Identity Theft:
 Phishing is any deceptive, online attempt by a third party to obtain confidential information for financial gain; the most popular phishing attack is the e-mail scam letter
 Hacking and Cybervandalism:
 A hacker is an individual who intends to gain unauthorized access to a computer system
 Within the hacking community, the term cracker is typically used to denote a hacker with criminal intent, although in the public press the terms hacker and cracker are used interchangeably
Security Threats in the E-commerce Environment

 Cybervandalism is the intentional disruption, defacement, or even destruction of a Web site or corporate information system
 Types of hackers:
 White hats – good hackers who help organizations locate and fix security flaws
 Black hats – hackers who act with the intention of causing harm
 Grey hats – hackers somewhere in the middle who believe they are pursuing some greater good by breaking in and revealing system flaws
Security Threats in the E-commerce Environment

 Credit Card Fraud/Theft:
 Fear of stolen credit card information deters online purchases
 Hackers target merchant servers and use the stolen data to establish credit under a false identity
 Online companies are at higher risk than offline companies
 Spoofing (Pharming) and Spam (Junk) Web Sites:
 Spoofing is, generally, the act of one person pretending to be someone else
 Hackers attempt to hide their true identity by using a fake email address or masquerading as someone else
Security Threats in the E-commerce Environment

 Spoofing a Web site is also called “pharming”: a Web link (or a DNS lookup) is redirected to an address different from the intended one, with a site masquerading as the intended destination
 Spam Web sites promise to offer some product or service, but in fact are a collection of advertisements for other sites, some of which contain malicious code
 Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks:
 In a DoS attack, hackers flood a network server or Web server with many thousands of false communications or requests for service, exhausting its capacity so that legitimate users cannot be served or the server crashes
Security Threats in the E-commerce Environment

 A DDoS attack uses numerous computers to inundate and overwhelm the network from numerous launch points, so that no single source stands out
 Sniffing:
 A sniffer is a type of eavesdropping program that monitors information traveling over a network
 Sniffers enable hackers to steal proprietary information from anywhere on a network, including email messages, company files, and confidential reports; traffic that is not encrypted in transit is fully exposed to them
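An added example, not part of the original slides, of the detection logic a site operator would run over Web-server access logs to tell a single-source DoS flood from a DDoS. It is written in Go using only the standard library. The log format (epoch seconds, client IP, request), the thresholds, and the traffic produced by SampleLog are constructed for this example, not captured data. The point it makes is that a per-source threshold catches the DoS host but misses the botnet, whose members each stay under the limit; only the aggregate rate exposes the DDoS.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Event is one parsed access-log line: when the request arrived and who sent it.
type Event struct {
	TS float64 // seconds since the epoch, fractional
	IP string
}

// ParseLog parses lines of the assumed form "<epoch-seconds> <client-ip> <request...>"
// and returns the events sorted by time. Malformed lines are skipped rather than
// aborting the scan, since an attacker may deliberately write junk into a log.
func ParseLog(raw string) []Event {
	var out []Event
	for _, line := range strings.Split(raw, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 {
			continue
		}
		ts, err := strconv.ParseFloat(f[0], 64)
		if err != nil {
			continue
		}
		out = append(out, Event{TS: ts, IP: f[1]})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].TS < out[j].TS })
	return out
}

// MaxInWindow returns the largest number of timestamps (sorted ascending) that
// fall inside any half-open window [t, t+w) of w seconds (two-pointer sweep).
func MaxInWindow(ts []float64, w float64) int {
	best, lo := 0, 0
	for hi := range ts {
		for ts[hi]-ts[lo] >= w {
			lo++
		}
		if n := hi - lo + 1; n > best {
			best = n
		}
	}
	return best
}

// FloodSources returns, sorted, every source IP that exceeded perIPLimit
// requests inside some w-second window: the classic single-source DoS check.
func FloodSources(events []Event, w float64, perIPLimit int) []string {
	byIP := map[string][]float64{}
	for _, e := range events {
		byIP[e.IP] = append(byIP[e.IP], e.TS)
	}
	var hits []string
	for ip, ts := range byIP {
		if MaxInWindow(ts, w) > perIPLimit {
			hits = append(hits, ip)
		}
	}
	sort.Strings(hits)
	return hits
}

// PeakRate returns the highest request count across all sources in any
// w-second window. A DDoS spreads its load over many hosts so that each one
// stays under the per-IP limit; only the aggregate rate gives it away.
func PeakRate(events []Event, w float64) int {
	ts := make([]float64, len(events))
	for i, e := range events {
		ts[i] = e.TS
	}
	return MaxInWindow(ts, w)
}

// SampleLog builds a constructed log (not captured traffic): five ordinary
// shoppers, one host firing 60 requests in 0.6 s, and a 40-host botnet whose
// members each send only five requests spread over about a second.
func SampleLog() string {
	var b strings.Builder
	for i := 0; i < 5; i++ {
		fmt.Fprintf(&b, "%.3f 198.51.100.%d GET /product/%d\n", 1000+2*float64(i), i+1, i)
	}
	for i := 0; i < 60; i++ {
		fmt.Fprintf(&b, "%.3f 203.0.113.7 GET /checkout\n", 1005+0.01*float64(i))
	}
	for host := 0; host < 40; host++ {
		for i := 0; i < 5; i++ {
			fmt.Fprintf(&b, "%.3f 192.0.2.%d GET /search?q=%d\n",
				1020+0.2*float64(i)+0.001*float64(host), host+1, i)
		}
	}
	return b.String()
}

func main() {
	ev := ParseLog(SampleLog())
	fmt.Println("single-source floods (>20 req/s):", FloodSources(ev, 1.0, 20))
	fmt.Println("peak aggregate requests in any 1 s window:", PeakRate(ev, 1.0))
}
```

With the constructed log, FloodSources reports only 203.0.113.7, while PeakRate reports 200 requests in one second during the botnet burst, even though no botnet member sent more than five. A production detector therefore needs both a per-source and an aggregate threshold, and upstream capacity (or a scrubbing service) for the aggregate case, since blocking individual sources does not help against a DDoS.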
Security Threats in the E-commerce Environment

 Insider Attacks:
 The largest financial threats to business institutions come from
insiders
 Malicious intruders seeking system access sometimes trick
employees into revealing their passwords by pretending to be
legitimate members of the company in need of information
 Employees can introduce errors by entering faulty data or by not
following the proper instructions for processing data and using
computer equipment
 Information systems specialists can also create software errors as
they design and develop new software or maintain existing
programs
Security Threats in the E-commerce Environment

 Poorly Designed Server and Client Software:
 Many security threats prey on poorly designed server and client software, sometimes in the operating system and sometimes in the application software, including browsers
 The increase in complexity and size of software programs has contributed to an increase in software flaws or vulnerabilities that hackers can exploit
Technology Solutions

 The threats to e-commerce are very real, potentially devastating and likely to increase in intensity along with the growth in e-commerce
 There are two lines of defense: technology solutions and policy solutions
 Technology solutions
 Protecting Internet communications
 Cryptography
 Securing channels of communication
 SSL, TLS, VPNs, Wi-Fi
 Protecting networks
 Firewalls, proxy servers, IDS, IPS
 Protecting servers and clients
 OS security, anti-virus
Tools Available to Achieve Site Security
Encryption

 Encryption
 Transforms data (plain text) into cipher text that can be read only by those who hold the right key
 A cipher is the method for transforming plain text into cipher text; the key is the secret value the cipher uses, so the same cipher with a different key produces different cipher text
 Secures stored information and information in transmission
 Provides 4 of the 6 key dimensions of e-commerce security:
 Message integrity
 Nonrepudiation
 Authentication
 Confidentiality
Symmetric Key Cryptography

 Used extensively throughout World War II and still a core part of Internet encryption
 Sender and receiver use the same digital key to encrypt and decrypt the message
 Every pair of communicating parties needs its own shared key, and that key must be delivered securely before it can be used; key distribution is the central weakness
 Strength of encryption
 Depends on the cipher and on the length of the binary key used to encrypt the data
 Data Encryption Standard (DES): 56-bit encryption key, now too short to resist brute-force search
 Advanced Encryption Standard (AES)
 Most widely used symmetric key algorithm
 Uses 128-, 192-, and 256-bit encryption keys
 Key sizes of 2,048 bits and more belong to public key algorithms such as RSA; symmetric and public key lengths are not comparable, and 128- or 256-bit AES keys are considered adequate
Public Key Cryptography

 Uses two mathematically related digital keys
 Public key (widely disseminated)
 Private key (kept secret by owner)
 Either key can be used to encrypt; only the other key of the pair can decrypt
 Once a key is used to encrypt a message, the same key cannot be used to decrypt it
 For confidentiality, the sender uses the recipient’s public key to encrypt the message; the recipient uses the private key to decrypt it
Public Key Cryptography: A Simple Case
Public Key Cryptography using Digital Signatures and Hash Digests

 Hash function:
 Mathematical algorithm that produces a fixed-length number called a message digest or hash digest; any change to the message produces a different digest
 The hash digest of the message is sent to the recipient along with the message, so the recipient can recompute it and verify integrity
 The sender encrypts the hash digest with the sender’s own private key; this is the digital signature, and anyone holding the sender’s public key can check it, which provides authenticity and nonrepudiation
 For confidentiality, the signed message is then encrypted with the recipient’s public key (in practice under a symmetric key that is itself wrapped with the recipient’s public key, as in a digital envelope), so only the recipient can read it
Public Key Cryptography with Digital
Signatures
Digital Envelopes

 Address weaknesses of:
 Public key cryptography
 Computationally slow, decreased transmission speed, increased processing time
 Symmetric key cryptography
 Insecure transmission lines for exchanging the shared key
 Uses symmetric key cryptography to encrypt the document
 Uses public key cryptography to encrypt and send the symmetric key
Creating a Digital Envelope
Digital Certificates and Public Key Infrastructure (PKI)

 Ensures that people and institutions are who they claim to be
 A digital certificate binds a public key to an identity and includes:
 Name of subject/company
 Subject’s public key
 Digital certificate serial number
 Expiration date, issuance date
 Digital signature of the certification authority (CA) that issued it
 Public Key Infrastructure (PKI):
 CAs and the procedures for issuing, verifying and revoking digital certificates
 PGP: an alternative in which users sign one another’s keys (a “web of trust”) instead of relying on a CA
PGP
Digital Certificates and Certification
Authorities
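An added example, not part of the original slides, showing a CA issuing the certificate described above and a client performing the checks a browser makes before trusting a site. It uses Go's standard crypto/x509 package: NewCA builds a self-signed root, Issue fills in the subject, public key, serial number and validity dates and has the CA sign them, and Verify chains the certificate to the root, matches the hostname, and checks the validity period. The CA name, the hostname shop.example, the serial number and the validity periods are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a certification authority: its own certificate plus the private key
// it uses to sign the certificates it issues.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA creates a self-signed root certificate. The CA vouches for itself, so
// relying parties must obtain this certificate through a trusted channel.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// Issue signs a server certificate for host. The template carries the fields
// listed on the slide (subject, subject's public key, serial number, issuance
// and expiration dates); CreateCertificate adds the CA's signature.
func (ca *CA) Issue(host string, serial int64, validFor time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host, Organization: []string{"Example Shop Ltd"}},
		DNSNames:     []string{host}, // the name browsers actually match against
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// Verify performs the client-side check: chain cert to the trusted root, match
// the hostname, and confirm cert is within its validity period at time now.
// A nil trusted root models a client that has no root for this CA.
func Verify(cert, trusted *x509.Certificate, host string, now time.Time) error {
	roots := x509.NewCertPool()
	if trusted != nil {
		roots.AddCert(trusted)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	root, err := NewCA("Example Root CA")
	if err != nil {
		panic(err)
	}
	cert, _, err := root.Issue("shop.example", 1001, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("serial:", cert.SerialNumber, "issuer:", cert.Issuer.CommonName,
		"expires:", cert.NotAfter.Format(time.RFC3339))
	fmt.Println("right host, trusted CA:", Verify(cert, root.Cert, "shop.example", time.Now()))
	fmt.Println("wrong host:", Verify(cert, root.Cert, "evil.example", time.Now()))
	fmt.Println("after expiry:", Verify(cert, root.Cert, "shop.example", time.Now().Add(48*time.Hour)))
	fmt.Println("unknown CA:", Verify(cert, nil, "shop.example", time.Now()))
}
```

The three failing calls in main are the checks that matter in practice: a certificate signed by a CA the client does not trust, a valid certificate presented for a different hostname (the pharming case), and a certificate past its expiration date are all rejected, and a TLS client that skips any of them is open to impersonation.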
Securing Channels of Communication

 Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
 Establishes a secure, negotiated client–server session
 Provides data encryption, server authentication, optional client authentication, and message integrity for TCP/IP connections
 Virtual Private Network (VPN)
 Allows remote users to securely access an internal network via the Internet using point-to-point tunneling
 A primary use of VPNs is to establish secure communication among business partners, such as large suppliers and customers
Secure Negotiated Sessions Using SSL/TLS
Protecting Networks

 Firewall
 Firewalls and proxy servers are intended to build a wall around your network and the attached servers and clients
 Hardware or software that uses a security policy to filter packets
 Packet filters examine each packet’s attributes (source and destination address, port, protocol) and drop packets to prohibited ports or from prohibited IP addresses
 Application gateways filter based on the application being requested
 Proxy servers (proxies)
 Software servers that handle all communications from or sent to the Internet; the spokesperson or bodyguard for the organization
 Limit access of internal clients to external Internet servers by prohibiting users from communicating directly with the Internet
 Intrusion detection systems (IDS) monitor traffic and raise alerts on suspicious patterns
 Intrusion prevention systems (IPS) additionally block the traffic they flag
Firewalls and Proxy Servers
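An added example, not part of the original slides, of the packet-filter logic described above: a small first-match rule evaluator in Go (standard library only) with a default-deny catch-all, run over a constructed policy for a storefront Web server. The rule syntax, the StorefrontPolicy text, and the sample packets are assumptions made for the example, modelled loosely on iptables-style rules. The policy deliberately contains a common mistake, a block rule placed below a broad allow rule, so that the effect of rule ordering is visible in the output.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Packet holds the header attributes a packet filter looks at.
type Packet struct {
	Proto   string // "tcp" or "udp"
	SrcIP   net.IP
	DstPort int
}

// Rule is one line of the policy. A nil Src matches any source and a zero
// DstPort matches any port, so "deny any any any" is a catch-all.
type Rule struct {
	Action  string     // "allow" or "deny"
	Proto   string     // "tcp", "udp" or "any"
	Src     *net.IPNet // source network, nil for any
	DstPort int        // destination port, 0 for any
}

func (r Rule) matches(p Packet) bool {
	if r.Proto != "any" && r.Proto != p.Proto {
		return false
	}
	if r.Src != nil && !r.Src.Contains(p.SrcIP) {
		return false
	}
	return r.DstPort == 0 || r.DstPort == p.DstPort
}

// Decide walks the rules in order: the first matching rule wins, which is why
// order matters. A packet matching no rule is dropped (default deny) and the
// returned rule index is -1.
func Decide(rules []Rule, p Packet) (action string, ruleIndex int) {
	for i, r := range rules {
		if r.matches(p) {
			return r.Action, i
		}
	}
	return "deny", -1
}

// ParseRules reads the assumed text policy, one rule per line:
//   <allow|deny> <tcp|udp|any> <source CIDR|any> <destination port|any>
// Lines starting with # are comments. Malformed policy is an error, never
// silently skipped: a dropped rule could open a hole.
func ParseRules(text string) ([]Rule, error) {
	var rules []Rule
	for n, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue
		}
		if len(f) != 4 || (f[0] != "allow" && f[0] != "deny") {
			return nil, fmt.Errorf("line %d: expected '<allow|deny> <proto> <src> <port>'", n+1)
		}
		r := Rule{Action: f[0], Proto: f[1]}
		if f[2] != "any" {
			_, ipnet, err := net.ParseCIDR(f[2])
			if err != nil {
				return nil, fmt.Errorf("line %d: %v", n+1, err)
			}
			r.Src = ipnet
		}
		if f[3] != "any" {
			port, err := strconv.Atoi(f[3])
			if err != nil || port < 1 || port > 65535 {
				return nil, fmt.Errorf("line %d: bad port %q", n+1, f[3])
			}
			r.DstPort = port
		}
		rules = append(rules, r)
	}
	return rules, nil
}

// Pkt builds a packet from literal values.
func Pkt(proto, src string, dstPort int) Packet {
	return Packet{Proto: proto, SrcIP: net.ParseIP(src), DstPort: dstPort}
}

// StorefrontPolicy is a constructed policy: public HTTPS and HTTP, SSH only
// from the internal network, a blocked abusive network, everything else denied.
// The deny for 192.0.2.0/24 sits below the HTTPS rule, so that network still
// reaches port 443; to be effective it has to come first.
const StorefrontPolicy = `
allow tcp any 443
allow tcp any 80
deny  any 192.0.2.0/24 any
allow tcp 10.0.0.0/8 22
deny  any any any
`

func main() {
	rules, err := ParseRules(StorefrontPolicy)
	if err != nil {
		panic(err)
	}
	for _, p := range []Packet{
		Pkt("tcp", "198.51.100.4", 443),  // shopper
		Pkt("tcp", "198.51.100.4", 3306), // database probe from the Internet
		Pkt("tcp", "203.0.113.9", 22),    // SSH from the Internet
		Pkt("tcp", "192.0.2.10", 443),    // blocked network, let through by rule order
	} {
		action, i := Decide(rules, p)
		fmt.Printf("%-4s %-14s :%-5d -> %s (rule %d)\n", p.Proto, p.SrcIP, p.DstPort, action, i)
	}
}
```

Moving the deny line to the top of StorefrontPolicy makes the blocked network hit rule 0 and lose access to port 443 as intended; the test below checks both orderings. The other property worth keeping in any real rule set is the explicit catch-all at the end, so that an unlisted service such as the database port is denied even if someone later removes the default.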
Protecting Servers and Clients

 Operating system security enhancements
 Upgrades, patches
 Anti-virus software
 Easiest and least expensive way to prevent threats to system integrity
 Requires daily signature updates
Developing an E-commerce Security Plan
The Role of Laws and Public Policy

 Laws that give authorities tools for identifying, tracing and prosecuting cybercriminals:
 USA Patriot Act
 Homeland Security Act
 Private and private-public cooperation
 US-CERT
 CERT Coordination Center
 Government policies and controls on encryption software
 OECD, G7/G8, Council of Europe, Wassenaar Arrangement
