Chapter 4: Security Issues in E-Commerce
Summary
This document covers security issues in e-commerce, including common threats like malware, ransomware, and social engineering. It outlines the importance of cybersecurity in online trading and various security solutions such as encryption, firewalls, and anti-malware software. It also touches upon the concept of public key encryption.
Chapter 4: Security Issues in E-Commerce

Introduction

E-commerce security threats are causing destruction in online trading. The industry experiences up to 32.4% of all successful threats annually.

What are common E-commerce threats? Common E-commerce threats include malware and ransomware attacks, social engineering (phishing), cross-site scripting (XSS), brute force attacks, denial of service (DoS) and distributed denial of service (DDoS) attacks, malicious bots, SQL injection, and API attacks. Hackers usually target e-commerce store admins, users, and employees using a myriad of malicious techniques.

Are you experiencing credit card fraud, scamming, phishing, bad bots, DDoS attacks, or any other security threat? Cyber-security is very important if you are to succeed online. It is used to counter 21st-century cyberwar techniques such as deepfakes. Hackers are getting better at their game, which means you need a dedicated team that stays updated on security issues and provides around-the-clock protection for your websites.

What is security? Overview
- Types of hackers: criminal hackers, hacktivists
- Cyberattacks and cyberwarfare
- Brainstorming: cybersecurity at the individual level (white-hat, gray-hat, black-hat)

Computer Security: the generic name for the collection of tools designed to protect data and to prevent hackers.
Network Security: measures to protect data during its transmission.
Internet Security: measures to protect data during its transmission over a collection of interconnected networks. Internet security protects systems and the activities of employees and other users while they are connected to the internet, web browsers, web apps, websites, and networks.

Introduction

Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. It is used to counter 21st-century cyberwar techniques such as deepfakes.
Cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users via ransomware; or interrupting normal business processes.

Deepfake (also spelled deep fake) is a type of artificial intelligence used to create convincing image, audio and video hoaxes. The term, which describes both the technology and the resulting bogus content, is a portmanteau of deep learning and fake. Deepfake content is created using two competing AI algorithms: one is called the generator and the other the discriminator. The generator, which creates the phony multimedia content, asks the discriminator to determine whether the content is real or artificial.

Network Security: Example

Alice wants to send a confidential message m to Bob.

Alice:
- generates a random symmetric key, KS
- encrypts the message with KS (symmetric encryption is more efficient): E(KS, m)
- also encrypts KS with Bob's public key KB+: E(KB+, KS)
- sends both to Bob over the Internet

Bob:
- uses his private key KB- to decrypt and recover KS: D(E(KB+, KS), KB-) = KS
- uses KS to decrypt and recover m: D(E(KS, m), KS) = m

Introduction

The Internet is a huge place that hosts many millions of people. As not all people are honest, illegal activity is to be expected. There are two basic types of criminal activity:

1. The person who tries to understand and learn the various systems and capabilities of a private network. In this case the person has no intention to do any damage or steal any resources, but tries to observe the system's functionality; for example, teenagers who try to enter a network out of curiosity until they are caught.

2. The person who uses the Internet and the Web to benefit themselves through illegal activities such as stealing software and information and causing damage to resources. This type of criminal activity raises the concern for network security.

Categories of Active Attacks

1. Spoofing or Masquerading (also called fabrication): an attack on authenticity
2. Modification or Alteration: an attack on integrity
3. Delay: could be classified as an attack on availability
4. Denial of Service (DoS), degrading of service, or Interruption: an attack on availability

[Figure: the normal flow of information from source to destination, compared with interruption, modification and fabrication of that flow]

Types of Computer Criminals

Hacker: a person who has good knowledge about computers and tries to open data packets and steal the information transmitted through the Internet.
Cracker: someone who specifically breaks into computer systems by bypassing or guessing login passwords.
Freaks: persons who hack phone systems. The FREAK vulnerability allows hackers to gain access to a website's private key by intercepting HTTPS connections between clients and vulnerable servers.
Phracker: a combination of freak and cracker. A phracker breaks into phone systems and computer systems and specializes in total network destruction.

The most notable hackers:
1. Jonathan James: NASA, the Pentagon
2. Adrian Lamo (the homeless hacker): hacked Microsoft, the New York Times, Yahoo, NASA
3. Albert Gonzalez: credit card fraud, 170,000,000 credit cards stolen by SQL injection

There are six key issues in e-commerce security:
1. Integrity: prevention against unauthorized data modification
2. Nonrepudiation: prevention against any one party reneging on an agreement after the fact
3. Authenticity: authentication of the data source (identity verification)
4. Confidentiality: protection against unauthorized data disclosure
5. Privacy: provision of data control and disclosure
6. Availability: prevention against data delays or removal

In reality there are three places where data can be intercepted:
- in the browser
- between the browser and the server
- in the server

In the browser, users often type sensitive data into a form field and continue their Web session.
If the user leaves the computer turned on and unattended, anyone can access that computer and view the last user's personal data. When crucial information (a credit card number) is sent to a server, even by a secure method, it is often encrypted and then stored or sent as e-mail, and during this process it could be intercepted. During transactions and communications, for example, a hacker can gain access to the e-mail system and the crucial data sent by e-mail. There is currently a huge cry for secure commerce servers that will make credit card transactions fairly safe. Although such servers might protect consumers from having their credit card information

Measures to Ensure Security

The major security measures are the following:

Encryption: the process by which plaintext is converted into ciphertext. It is a very effective and practical way to safeguard data being transmitted over the network. The sender of the information encrypts the data using a secret code, and only the specified receiver can decrypt the data using the same or a different secret code.
- Symmetric key cryptography: the same key is used to encrypt and decrypt a message.
- Public key cryptography: a form of cryptosystem in which encryption and decryption are performed using different keys, one public key (KE) and one private key (KD), that form a unique pair.

Digital Signature: a digital signature ensures the authenticity of the information. A digital signature is an e-signature authenticated through encryption and a password.

Security Certificates: a security certificate is a unique digital ID used to verify the identity of an individual website or user.

Most common threats:

o Hacking and cyber vandalism: cyber-vandalism is damage or destruction that takes place in digital form. Cyber vandals operate by defacing a website (such as Wikipedia), creating malware that damages electronic files or elements that interrupt its normal utilization, or removing a disk drive to disable a computer system.
o Credit card fraud/theft: credit card fraud is a form of identity theft that involves the unauthorized taking of another's credit card information for the purpose of charging purchases to the account or removing funds from it.
o Spoofing: spoofing is a cyber attack that happens when an attacker pretends to be a trusted brand or contact in an attempt to trick a target into revealing sensitive information.
o Malicious code: malicious code is unwanted files or programs that can cause harm to a computer or compromise data stored on it. Classifications of malicious code include viruses, worms, and Trojan horses.
o Denial of service attacks: a Denial-of-Service (DoS) attack is an attack on a computer network that limits, restricts, or stops authorized users from accessing system resources. DoS attacks work by flooding the target with traffic or sending it data that causes it to crash.
o Sniffing: packet sniffing is listening in on other people's communications. Packet spoofing is the dynamic presentation of fake network traffic that impersonates someone else.
o Insider jobs: an insider attack is a malicious attack perpetrated on a network or computer system by a person with authorized system access.

Most common threats (continued):

Man in the Middle (MITM)
A hacker may listen in on the communication taking place between your e-commerce store and a user. Walgreens Pharmacy Store experienced such an incident. If the user is connected to a vulnerable Wi-Fi or network, such attackers can take advantage of that.

Brute force
The online environment also has players who can use brute force to attack your admin panel and crack your password. These fraudulent programs connect to your website and try out thousands of combinations in an attempt to obtain your site's passwords. Always ensure you use strong, complex passwords that are hard to guess. Additionally, change your passwords frequently.
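The brute-force paragraph above, and the later advice to have the admin panel notify you whenever a foreign IP tries to access it, both come down to watching the login log. The following is an added example, not material from the chapter: it parses a few constructed admin-panel login records and raises alerts for repeated failures from one address inside a short window and for any attempt from outside the addresses the staff are expected to use. The log line format, the trusted networks, the thresholds and the sample lines are all assumptions made for the example.

```python
"""Added example (not from the chapter): detecting brute-force logins and
foreign-IP access against an e-commerce admin panel from its access log.

Assumptions (hypothetical): the panel writes one line per login attempt as
"<ISO timestamp> <client ip> <username> <OK|FAIL>", and the shop's staff
connect only from TRUSTED_NETWORKS. The log lines below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Addresses the shop's admins are expected to use (assumed for the example).
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("10.0.0.0/8")]

FAIL_THRESHOLD = 5              # this many failures from one IP ...
WINDOW = timedelta(minutes=2)   # ... within this window counts as brute force

# Constructed sample log: one trusted login, a burst of failures from a
# foreign address, one mistyped-then-correct password from the office, and
# a successful login from an address outside the trusted networks.
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.7 admin OK
2024-03-01T09:05:10 198.51.100.23 admin FAIL
2024-03-01T09:05:11 198.51.100.23 admin FAIL
2024-03-01T09:05:12 198.51.100.23 admin FAIL
2024-03-01T09:05:13 198.51.100.23 admin FAIL
2024-03-01T09:05:14 198.51.100.23 admin FAIL
2024-03-01T09:05:15 198.51.100.23 admin FAIL
2024-03-01T09:20:00 10.0.0.5 editor FAIL
2024-03-01T09:20:30 10.0.0.5 editor OK
2024-03-01T09:40:00 192.0.2.99 admin OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip_address(ip), user, result == "OK"


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETWORKS)


def analyse(log_text):
    """Return alert strings for foreign-IP attempts and brute-force bursts."""
    alerts = []
    recent_failures = defaultdict(deque)  # ip -> timestamps of recent FAILs
    flagged = set()                       # ips already reported for brute force
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, user, ok = parse_line(raw)
        # Every attempt from outside the trusted networks is worth a
        # notification; a *successful* one is the urgent case.
        if not is_trusted(ip):
            verb = "logged in as" if ok else "tried"
            alerts.append(f"{'HIGH' if ok else 'INFO'} foreign ip {ip} {verb} {user} at {ts.isoformat()}")
        if ok:
            recent_failures[ip].clear()   # a success ends the failure streak
            continue
        window = recent_failures[ip]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()              # forget failures older than WINDOW
        if len(window) >= FAIL_THRESHOLD and ip not in flagged:
            flagged.add(ip)
            alerts.append(f"HIGH brute force: {len(window)} failures from {ip} within {WINDOW} (user {user})")
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the constructed log this produces one brute-force alert for 198.51.100.23 (reported once, when the fifth failure lands inside the window), an INFO line for each of that address's attempts, and a HIGH alert for the successful login from 192.0.2.99; the office user who mistyped a password once is not reported at all. A real deployment would feed these alerts to the notification channel the panel already uses and would combine them with the lockout or rate limit the chapter's "strong passwords" advice implies.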
Bots
Some attackers develop special bots that can scrape your website to get information about inventory and prices. Such hackers, usually your competitors, can then use the data to lower or modify the prices on their own websites in an attempt to lower your sales and revenue.

Most common threats (continued):

SQL Injection
A malicious technique where a hacker attacks your query submission forms in order to access your backend database. They corrupt your database with infectious code, collect data, and later wipe out the trail.

Malware
Hackers may design malicious software and install it on your IT and computer systems without your knowledge. These malicious programs include spyware, viruses, trojans, and ransomware. The systems of your customers, admins, and other users might have Trojan horses downloaded onto them. These programs can easily swipe any sensitive data present on the infected systems and may also infect your website.

Spamming
Some bad players send infected links via email or social media inboxes. They can also leave these links in their comments or messages on blog posts and contact forms. Once you click on such a link, it directs you to their spam website, where you may end up being a victim.

E-commerce security solutions that can ease your life

1. HTTPS and SSL certificates
HTTPS protocols not only keep your users' sensitive data secure but also boost your website's ranking on the Google search page. They do so by securing data transfer between the servers and the users' devices, and therefore prevent interception. Do you know that some browsers will block visitors' access to your website if such protocols are not in place? You should also have an up-to-date SSL certificate from your host.

2. Anti-malware and Anti-virus software
An anti-malware is a software program that detects, removes, and prevents infectious software (malware) from infecting the computer and IT systems.
Since malware is the umbrella term for all kinds of infections, including worms, viruses, Trojans, etc., getting an efficient anti-malware would do the trick. On the other hand, anti-virus is software that was meant to keep viruses at bay, although a lot of anti-virus software has evolved to prevent infection by other malware as well. Securing your PC and other complementary systems with an anti-virus keeps a check on these infections.

E-commerce security solutions that can ease your life (continued)

3. Securing the Admin Panel and Server
Always use complex passwords that are difficult to figure out, and make it a habit to change them frequently. It is also good to restrict user access and define user roles: every user should perform only what their role allows on the admin panel. Furthermore, make the panel send you notifications whenever a foreign IP tries to access it.

4. Securing the Payment Gateway
Avoid storing the credit card information of your clients in your database. Instead, let a third party such as PayPal or Stripe handle the payment transactions away from your website. This ensures better safety for your customers' personal and financial data. Did you know storing credit card data is also a requirement for getting PCI-DSS compliant?

5. Deploying a Firewall
Effective firewalls keep away fishy networks, XSS, SQL injection, and other cyber-attacks that keep hitting the headlines. They also help regulate traffic to and from your online store, ensuring passage of only trusted traffic.

E-commerce security solutions that can ease your life (continued)

6. Educating Your Staff and Clients
Ensure your employees and customers get the latest knowledge concerning the handling of user data and how to engage with your website securely. Expunge former employees' details and revoke all their access to your systems.

7. Additional security implementations
- Always scan your websites and other online resources for malware.
- Back up your data.
- Most e-commerce stores also use multi-layer security to boost their data protection.
- Update your systems frequently and employ effective e-commerce security plugins.
- Lastly, get a dedicated security platform that is secure from frequent cyber-attacks.
You can read more about the security steps you need to take for your e-commerce store.

E-commerce security solutions that can ease your life (continued)

8. Perform a risk assessment -> a list of information assets and their value to the firm
9. Develop a security policy -> a written statement on:
   * what assets to protect from whom?
   * why these assets are being protected?
   * who is responsible for what protection?
   * which behaviors are acceptable and unacceptable?
10. Develop an implementation plan -> a set of action steps to achieve the security goals
11. Create a security organization -> a unit to administer the security policy
12. Perform a security audit -> a routine review of access logs and evaluation of security procedures

Communication channel protection
- Encryption
  * Public-key encryption (asymmetric) vs private-key encryption (symmetric)
  * Encryption standards: Data Encryption Standard (DES), Advanced Encryption Standard (AES), RSA
- Protocols
  * Secure Sockets Layer (SSL)
  * Secure HyperText Transfer Protocol (S-HTTP)
- Digital signature: binds the message originator to the exact contents of the message
  - A hash function is used to transform the message into a 128-bit digest (message digest).
  - The sender's private key is used to encrypt the message digest; the result is the digital signature.
  - The message + signature are sent to the receiver.
  - The recipient uses the hash function to recalculate the message digest.
  - The sender's public key is used to decrypt the message digest.
  - Check whether the recalculated message digest = the decrypted message digest.

Server protection
- Access control and authentication
  * Digital signature from the user
  * Username and password
  * Access control list
- Firewalls (International Computer Security Association's classification):
  · Packet filter firewall: checks the IP address of each incoming packet and rejects anything that does not match the list of trusted addresses (prone to IP spoofing)
  · Application level proxy server: examines the application used for each individual IP packet (e.g., HTTP, FTP) to verify its authenticity
  · Stateful packet inspection: examines all parts of the IP packet to determine whether to accept or reject the requested communication

Technology Solutions for Security Threats
- Protecting Internet communications (encryption)
- Securing channels of communication (SSL, S-HTTP, VPNs)
- Protecting networks (firewalls)
- Protecting servers and clients

Tools Available to Achieve Site Security

Drawbacks of symmetric key encryption: In this digital age, computers are so powerful and fast that these ancient means of encryption can be broken quickly. Symmetric key encryption requires that both parties share the same key. In order to share the same key, they must send it over a presumably insecure medium where it could be stolen and used to decipher messages. In a population of millions of users, thousands of millions of keys would be needed to accommodate all e-commerce customers. Clearly this situation would be too unwieldy to work in practice.

Public Key Encryption
Public key cryptography solves the symmetric key encryption problem of having to exchange a secret key.
It uses two mathematically related digital keys: a public key (widely disseminated) and a private key (kept secret by the owner). Both keys are used to encrypt and decrypt messages. Once one key is used to encrypt a message, the same key cannot be used to decrypt it. For example, the sender uses the recipient's public key to encrypt a message; the recipient uses his/her private key to decrypt it.

Digital certificates are electronic credentials issued by a trusted party. Digital certificates not only verify the identity of the owner or sender, but also verify that the owner owns the public key.

Digital Certificates and Public Key Infrastructure (PKI)
PKI is an attempt to solve the problem of digital identity. A digital certificate is a digital document that includes:
- Name of the subject or company
- Subject's public key
- Digital certificate serial number
- Expiration date
- Issuance date
- Digital signature of the certification authority (the trusted third party (institution) that issues the certificate)
- Other identifying information
CAs (Certification Authorities): trusted third parties that issue digital certificates.

Review Questions:
1. What is security, and what is the advantage of security in e-commerce?
2. Discuss the different criminals that operate in e-commerce.
3. Discuss security issues in e-commerce.
4. Write about and discuss the different types of hackers.
5. What is encryption in computer security?
6. Discuss and write about the different keys in computer encryption.

The End of Chap 4
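The SQL injection threat described under "Most common threats" (a hacker attacking your query submission forms to reach the backend database) is easiest to understand with the vulnerable query next to its hardened form. The following is an added example, not code from the chapter: a product lookup written both ways against Python's built-in sqlite3, plus the input validation a shop would add in front of either. The products table, the function names, the SKU format and the sample rows are assumptions made for the example.

```python
"""Added example (not from the chapter): a "query submission form" lookup
that is vulnerable to SQL injection, beside the parameterized version that
is not. Everything here (schema, rows, SKU format) is constructed for the
demonstration and uses only the standard library.
"""
import re
import sqlite3


def build_db():
    """Constructed in-memory shop database with one sensitive column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT, name TEXT, price REAL, internal_cost REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [("A100", "Router", 89.0, 40.0),
         ("B200", "Laptop", 999.0, 610.0),
         ("C300", "Webcam", 35.0, 12.0)],
    )
    return conn


def lookup_vulnerable(conn, sku):
    """Builds the statement by string concatenation: whatever the form field
    contains becomes part of the SQL text, so a quote character in the input
    changes the query's meaning instead of being treated as data."""
    sql = "SELECT sku, name, price FROM products WHERE sku = '" + sku + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, sku):
    """Hardened form: the SQL text is fixed and the value is bound as a
    parameter, so the database engine never parses user input as SQL."""
    return conn.execute(
        "SELECT sku, name, price FROM products WHERE sku = ?", (sku,)
    ).fetchall()


def is_valid_sku(value):
    """Defence in depth: a SKU in this (assumed) shop is one capital letter
    followed by three digits, so anything else can be rejected before the
    database is asked at all."""
    return re.fullmatch(r"[A-Z]\d{3}", value) is not None


def safe_lookup(conn, sku):
    """What the form handler should do: validate, then query with parameters."""
    if not is_valid_sku(sku):
        return []
    return lookup_parameterized(conn, sku)


# A constructed form input that is not a SKU at all: it closes the string
# literal and appends a condition that is true for every row.
TAUTOLOGY_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    conn = build_db()
    print("normal input, vulnerable:    ", lookup_vulnerable(conn, "A100"))
    print("tautology, vulnerable:       ", lookup_vulnerable(conn, TAUTOLOGY_INPUT))
    print("tautology, parameterized:    ", lookup_parameterized(conn, TAUTOLOGY_INPUT))
    print("tautology, validated+params: ", safe_lookup(conn, TAUTOLOGY_INPUT))
```

With the constructed input the concatenated query returns every product row, which is the "collect data" step the chapter warns about; the parameterized query looks for a product whose SKU literally equals that string and finds nothing, and the validated handler rejects the input without touching the database. The parameter binding is the essential fix; the format check only narrows what reaches the query and is no substitute for it.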