mq6vwvjg528vwrxgl7n4d13gfhwbA48qbwmc5zg046dhzwkdc392vtvk6A8b7gx6Ah60960fgwctdwzg059wncrlvpA71vv7cq9dwdgv9k2246y4cf4jhtfz28nytb9dr7tjlmqph02476gy9p76fbxhpv5ghct63lljwkmm1rjArx9q5t8rqcs6303kj0xzAnwcs73gxm0c5.pdf

Full Transcript

Chapter 4: Security Issues in E-Commerce
Introduction
E-commerce security threats are causing destruction in online trading.
The industry experiences up to 32.4% of all successful threats annually.
What are common E-commerce threats?
Common E-commerce threats include malware and ransomware attacks, social engineering (phishing), cross-site
scripting (XSS), brute force attacks, denial of service (DoS) and distributed denial of service (DDoS) attacks,
malicious bots, SQL injection, and API attacks.
Hackers usually target e-commerce store admins, users, and employees using a myriad of malicious techniques.
Are you experiencing credit card frauds, scamming, phishing, bad bots, DDoS attacks, or any other security
threat?
Cyber-security is very important if you are to succeed online.
It is used to counter the 21st century cyberwar like Deep Fake.
Hackers are getting better at their games, which means you need a dedicated team that will
stay updated with security issues and provides around-the-clock protection to your websites.
 What is security?--Overview
Types of Hackers? Criminal Hackers, Hacktivists,
Cyberattacks? Cyberwarfare
Brainstorming?
Cybersecurity? Individual level (White-hat, Gray-hat, Black-hat)

Computer Security - generic name for the collection of tools
designed to protect data and to prevent hackers
Network Security - measures to protect data during their
transmission
Internet Security - measures to protect data during their
transmission over a collection of interconnected networks
Internet Security
protect systems and the activities of employees and other users
while connected to the internet, web browsers, web apps,
websites, and networks.

3
Introduction
Cybersecurity is the practice of protecting systems, networks, and programs from digital
attacks.
It is used to counter the 21st century cyberwar like Deep Fake.
Cyberattacks are usually aimed at accessing, changing, or destroying sensitive information;
extorting money from users via ransomware; or interrupting normal business processes.
Deepfake (also spelled deepfake) is a type of artificial intelligence used to create convincing
images, audio and video hoaxes. The term, which describes both the technology and the
resulting bogus content, is a portmanteau of deep learning and fake.
Deepfake content is created by using two competing AI algorithms -- one is called the
generator and the other is called the discriminator. The generator, which creates the phony
multimedia content, asks the discriminator to determine whether the content is real or
artificial.
 Network Security: Example
 Alice wants to send confidential message m to Bob
KS
E(KS, m)
m E(KS, m) D(E(KS, m), KS) m

+ Internet - KS

KS D(E(KB+,KS), KB-)
E(KB+,KS) E(KB+,KS)
+ -
KB
KB

Alice: Bob:
 Generates random symmetric key, KS  Uses his private key to
 Encrypts message with KS (symmetric decrypt and recover KS
encryption is more efficient)  Uses KS to decrypt and
 Also encrypts KS with Bob’s public key recover m
 Sends both to Bob
Introduction
The Internet is a huge place that hosts several millions of people.
As all the people are not honest, illegal activity’ is expected.
There are two basic types of criminal activities:
1. The person who tries to understand and learn the various systems and capabilities of any
private network. In this case the person has no intentions to do any damage or to steal any
resources but tries to observe the system functionality. For example teenagers who tries to
enter into a network out of curiosity till they are caught.

2. The persons who uses the Internet and the Web to benefit themselves by doing illegal
activities such as, stealing software’s, information and causing damage to resources. This type
of criminal activity raises the concern for network security.
 Categories of Active Attacks
1. Spoofing or Masquerading: also called fabrication: An attack on
authenticity
2. Modification or Alteration: An attack on integrity
3. Delay: Could be classified as an attack on availability
4. Denial of Service (DOS) or degrading of service or Interruption: An
attack on availability

Source Destination Attack

Normal flow of information
Modification

Fabrication
Interruption 10
Type of Computer Criminals
Hacker: is a person who has good knowledge about computers and tries to open the data
packets and steal the information transmitted through the Internet.

Cracker: is someone who specifically breaks into computer systems by
bypassing or by guessing login passwords.

Freaks: are persons who hack phone systems. FREAK vulnerability allows
hackers to gain access to a website's private key by intercepting HTTPS
connections between clients and vulnerable servers.

Phracker: is the combination of freak and cracker. A phracker breaks into phone
systems and computer systems and specializes in total network destruction.
 the most notable of hackers

1. Jonatan James-NASA, Department of Pentagon
2. Adrian Limo (the homeless hacker)- Hacked Microsoft, Nework times, Yahoo, NASA
3. Alberto Gonzalez---Credit card fraud, 170,0000,0000 credit cards stolen by SQL
injection
There are six key issues to e-commerce security
1. Integrity: prevention against unauthorized data modification
2. Nonrepudiation: prevention against any one party from reneging on an agreement after
the fact.
3. Authenticity: authentication of data source (Identity Verification)
4. Confidentiality: protection against unauthorized data disclosure
5. Privacy: provision of data control and disclosure
6. Availability: prevention against data delays or removal
In reality there are three places where data can be intercepted
In the browser
Between the browser and the server
In the server
 In the browser, the users often type sensitive data into a form field and continue their Web
session. If the user leaves the computer tuned on and unattended, anyone can access that
computer and view the last user’s personal data.

When the crucial information (credit card) is sent to a server even by using a secure method it
is often encrypted and stored or sent as e-mail. During this process it could be intercepted.
During transactions, communications……
For example, a hacker can access to the e-mail system and the crucial data sent by the e-mail.

There is currently huge cry for secure commerce server that will make credit card transactions
fairly safe. Although such servers might protect consumers from having their credit card
information
Measures to ensure Security
Major security measures are following
Encryption − The process by which plaintext is converted into ciphertext
It is a very effective and practical way to safeguard the data being transmitted
over the network. Sender of the information encrypts the data using a secret
code and only the specified receiver can decrypt the data using the same or a
different secret code.
 Symmetric key cryptography--The same key is used to encrypt and decrypt a message
Public key cryptography is a form of cryptosystem in which encryption and
decryption are performed using different keys - one public key (KE) and one
private key (KD) - that form a unique pair
Digital Signature − Digital signature ensures the authenticity of the information.
A digital signature is an e-signature authenticated through encryption and
password.
Security Certificates − Security certificate is a unique digital id used to verify
the identity of an individual website or user.
Most common threats:
oHacking and cyber vandalism- Cyber-vandalism is damage or destruction that takes place
in digital form. Cyber vandals operate by defacing a website (such as Wikipedia), creating
malware that damages electronic files or elements that interrupt its normal utilization, or
removing a disk drive to disable a computer system.
oCredit card fraud/theft- Credit card fraud is a form of identity theft that involves an
unauthorized taking of another's credit card information for the purpose of charging purchases
to the account or removing funds from it.
oSpoofing-Spoofing is a cyber attack that happens when an attacker pretends to be a trusted
brand or contact in an attempt to trick a target into revealing sensitive information.
oMalicious code-Malicious code is unwanted files or programs that can cause harm to a
computer or compromise data stored on a computer. Various classifications of malicious code
include viruses, worms, and Trojan horses.
oDenial of service attacks-A Denial-of-Service (DoS) attack is an attack on a computer network
that limits, restricts, or stops authorized users from accessing system resources. DoS attacks work
by flooding the target with traffic or sending it data that causes it to crash.
oSniffing-packet Sniffing is listening in on other people's communications. Packet Spoofing is
the dynamic presentation of fake network traffic that impersonates someone else.
oInsider jobs- An insider attack is a malicious attack perpetrated on a network or computer
system by a person with authorized system access.
Most common threats:
Man in The Middle (MITM)
A hacker may listen in on the communication taking place between your e-
commerce store and a user. Walgreens Pharmacy Store experienced such an
incident. If the user is connected to a vulnerable Wi-Fi or network, such attackers
can take advantage of that.
Brute force
The online environment also has players who can use brute force to attack your
admin panel and crack your password. These fraudulent programs connect to your
website and try out thousands of combinations in an attempt to obtain you site’s
passwords. Always ensure to use strong, complex passwords that are hard to guess.
Additionally, always change your passwords frequently.
Bots
Some attackers develop special bots that can scrape your website to get
information about inventory and prices. Such hackers, usually your competitors,
can then use the data to lower or modify the prices in their websites in an attempt
to lower your sales and revenue.
Most common threats:
SQL Injection
It is a malicious technique where a hacker attacks your query submission forms to
be able to access your backend database. They corrupt your database with an
infectious code, collect data, and later wipe out the trail.
Malware
Hackers may design a malicious software and install on your IT and computer
systems without your knowledge. These malicious programs include spyware,
viruses, trojan, and ransomware.
The systems of your customers, admins, and other users might have Trojan Horses
downloaded on them. These programs can easily swipe any sensitive data that
might be present on the infected systems and may also infect your website.
Spamming
Some bad players can send infected links via email or social media inboxes. They
can also leave these links in their comments or messages on blog posts and contact
forms. Once you click on such links, they will direct you to their spam websites,
where you may end up being a victim.
E-commerce security solutions that can ease your life
1. HTTPS and SSL certificates
HTTPS protocols not only keep your users’ sensitive data secure but also boost your
website rankings on Google search page. They do so by securing data transfer
between the servers and the users’ devices. Therefore, they prevent any
interception.
Do you know that some browsers will block visitors’ access to your website if such
protocols are not in place? You should also have an updated SSL certificate from
your host.
2. Anti-malware and Anti-virus software
An Anti-Malware is a software program that detects, removes, and prevents
infectious software (malware) from infecting the computer and IT systems. Since
malware is the umbrella term for all kinds of infections including worms, viruses,
Trojans, etc getting an efficient Anti-Malware would do the trick.
On the other hand, Anti-Virus is a software that was meant to keep viruses at bay.
Although a lot of Anti-virus software evolved to prevent infection from other
malware as well. Securing your PC and other complementary systems with an Anti-
Virus keeps a check on these infections.
E-commerce security solutions that can ease your life
3. Securing the Admin Panel and Server
Always use complex passwords that are difficult to figure out, and make it a
habit of changing them frequently. It is also good to restrict user access and
define user roles. Every user should perform only up to their roles on the
admin panel. Furthermore, make the panel to send you notifications
whenever a foreign IP tries to access it.
4. Securing Payment Gateway
Avoid storing the credit card information of your clients on your database.
Instead, let a third party such as PayPal and Stripe handle the payment
transactions away from your website. This ensures better safety for your
customers’ personal and financial data. Did you know storing credit card data
is also a requirement for getting PCI-DSS compliant?
5. Deploying Firewall
Effective firewalls keep away fishy networks, XSS, SQL injection, and other
cyber-attacks that are continuing to hit headlines. They also help in regulating
traffic to and from your online store, to ensure passage of only trusted traffic.
E-commerce security solutions that can ease your life
6. Educating Your Staff and Clients
Ensure your employees and customers get the latest knowledge concerning
handling user data and how to engage with your website securely. Expunge
former employees’ details and revoke all their access to your systems.
7. Additional security implementations
Always scan your websites and other online resources for malware
Back up your data. Most e-commerce stores also use multi-layer security to
boost their data protection.
Update your systems frequently and employ effective e-commerce security
plugins.
Lastly, get a dedicated security platform that is secure from frequent cyber-
attacks. You can read more about the security steps you need to take for your
e-commerce store.
E-commerce security solutions that can ease your life
8. Perform a risk assessment a list of information assets and their value to the
firm
9. Develop a security policy à a written statement on:
* what assets to protect from whom?
* why these assets are being protected?
* who is responsible for what protection?
* which behaviors are acceptable and unacceptable?
10. Develop an implementation plan à a set of action steps to achieve security
goals
11. Create a security organization à a unit to administer the security policy
12. Perform a security audit à a routine review of access logs and evaluation of
security procedures
Communication channel protection
– Encryption
* Public-key encryption (asymmetric) vs Private-key encryption (symmetric)
* Encryption standard: Data Encryption Standard (DES), Advanced Encryption
Standard (AES), RSA
– Protocol
* Secure Sockets Layer (SSL)
* Secure HyperText Transfer Protocol (S-HTTP)
 – Digital signature
Bind the message originator with the exact contents of the message
–A hash function is used to transform messages into a 128-bit digest
(message digest).
–The sender’s private key is used to encrypt the message digest (digital
signature)
–The message + signature are sent to the receiver
–The recipient uses the hash function to recalculate the message digest
–The sender’s public key is used to decrypt the message digest
–Check to see if the recalculated message digest = decrypted message digest
 Server protection
– Access control and authentication
* Digital signature from user
* Username and password
* Access control list
– Firewalls
International Computer Security Association's classification:
· Packet filter firewall: checks IP address of incoming packet and rejects
anything that does not match the list of trusted addresses (prone to IP
spoofing)
· Application level proxy server: examines the application used for each
individual IP packet (e.g., HTTP, FTP) to verify its authenticity.
· Stateful packet inspection: examines all parts of the IP packet to determine
whether or not to accept or reject the requested communication.
Technology Solutions for Security threats
 Protecting Internet communications (encryption).
 Securing channels of communication (SSL, S-HTTP, VPNs).
 Protecting networks (firewalls).
 Protecting servers and clients.
Tools Available to Achieve Site Security:
Drawbacks of Symmetric key encryption:
In this digital age, computers are so powerful and fast that these ancient means of
encryption can be broken quickly.
Symmetric key encryption requires that both parties share the same key. In order to share
the same key, they must send the key over a presumably insecure medium where it could be
stolen and used to decipher messages.
In a population of millions of users, thousands of millions of keys would be needed to
accommodate all e-commerce customers. Clearly this situation would be too unwieldy to
work in practice.

Public Key Encryption
Public key cryptography solves symmetric key encryption problem of having to exchange
secret key.
It uses two mathematically related digital keys – public key (widely disseminated) and
private key (kept secret by owner).
Both keys are used to encrypt and decrypt message.
Once key is used to encrypt message, same key cannot be used to decrypt message.
For example, sender uses recipient’s public key to encrypt message; recipient uses his/her
private key to decrypt it.
 Digital certificates are electronic credentials issued by a trusted party.
Digital certificates are not only verifies the identity of the owner or sender, but also verifies
that the owner owns’ the public key.

Digital Certificates and Public Key Infrastructure (PKI)
It is an attempt to solve the problem of digital identity.
Digital certificate is a digital document that includes:
Name of subject or company
Subject’s public key
Digital certificate serial number
Expiration date
Issuance date
Digital signature of certification authority (trusted third party (institution) that issues
certificate
Other identifying information
CAs (Certification Authorities): these are trusted third parties that issue digital certificates.
 Review Questions:-

1.What is security and the advantage of security in e-commerce
2.Discussed different criminal that applied on e-commerce
3.Discussed security issues in e-commerce
4.Write and discussed different types of hackers
5.What is encryption in computer security
6.Discussed and write different keys in computer encryption
 The End of Chap 4