
SECURITY IN E-COMMERCE

EMIS-528 (Information Security Management System)

Submitted To
Md. Rakibul Hoque
Assistant Professor
Department of Management Information Systems
University of Dhaka

Submitted By
MD. ABDULLAH AL AHAD | ID: 61323-16-029
MAHMUD PARVEJ | ID: 61325-18-052
SHUVAJYOTI ROY | ID: 61426-19-020

MBA (Evening) Program,


Department of Management Information Systems
University of Dhaka

Executive Summary
Electronic commerce may include any computer-mediated business process, but a
common usage is to describe commerce (the buying and selling of a product or
service) that takes place using the World Wide Web (WWW) as an enabling transport [1].
Since the invention of the WWW in 1989, Internet-based electronic commerce has been
transformed from a mere idea into reality. Consumers browse through catalogues,
search for the best offers, order goods, and pay for them electronically. Most financial
institutions have some sort of online presence, allowing their customers to access and
manage their accounts, make financial transactions, trade stocks, and so forth.
Electronic mail is exchanged within and between enterprises, and often already
replaces fax copies. Soon there will arguably be no enterprise left without an Internet
presence, if only for advertising reasons [2].

Thus, doing electronic business on the Internet is already an easy task. So are
cheating and snooping. Several reasons contribute to this insecurity: the Internet does
not offer much security per se. Eavesdropping and acting under a false identity are
simple. Stealing data is undetectable in most cases. Popular PC operating systems
offer little or no security against viruses or other malicious software, which means that
users cannot even trust the information displayed on their own screens. At the same
time, user awareness of security risks is threateningly low. In this paper, various
probable crimes committed through e-commerce, along with their potential causes and
plausible security measures, are outlined.


Security in E-Commerce

Table of Contents
Introduction ................................................................................................................ 3
Security Issues in E-commerce .................................................................................. 5
Dimensions of E-commerce Security .................................................................................................. 5
The Tension between Security and Other Values ............................................................................... 6
Security Threats in the E-commerce Environment ............................................................................. 6
A Typical e-commerce transaction ................................................................................................. 6
Vulnerable Points ............................................................................................................................ 7
Detailing of Security vulnerabilities in electronic commerce ............................................................. 7
Viable causes behind Security Threats ............................................................................................... 9

Probable Crimes in E-commerce Environment ........................................................ 10


Most Common Security Threats in the E-commerce Environment .................................................. 10
Unwanted Programs ......................................................................................................................... 10
Phishing and Identity Theft ............................................................................................................... 11
Hacking and Cyber vandalism ........................................................................................................... 11
Credit Card Fraud .............................................................................................................................. 11
Spoofing (Pharming) and Spam (Junk) Web Sites ............................................................................. 12
DoS and DDoS Attacks ...................................................................................................................... 12
Denial of Service ............................................................................................................................... 13
SMURF Attack ................................................................................................................................... 13
Other Security Threats ...................................................................................................................... 13

Security Steps to Protect E-Commerce .................................................................... 14


Technology Solutions ........................................................................................................................ 15
Protecting Internet Communications: Encryption ........................................................................ 15
Network Transport Security .......................................................................................................... 17

Conclusion ............................................................................................................... 21
References ............................................................................................................... 22


Introduction
The utilization of the Internet is increasing rapidly every year; the availability of low-cost
peripheral devices and wider Internet access options are key contributing
factors [3]. The progression of technology over recent years has given the
consumer a broader and much richer interactive experience [4]. The
availability of a wide variety of applications and simple point-and-click interfaces has
further contributed to this experience through its ease of use.

A wide variety of commerce is conducted via e-commerce, including electronic funds
transfer, supply chain management, Internet marketing, online transaction
processing, electronic data interchange (EDI), inventory management systems, and
automated data collection systems. US online retail sales reached $175 billion in 2007
and are projected to grow to $335 billion by 2012 [5].

Due to this, IT usage in present times has become a common practice.


Business-to-consumer (B2C) transactions and business-to-business (B2B) transactions are
commonly used in the market. The fusion and integration of these two types of
transactions has produced e-commerce [6] [7]. Chen and Dhillon have defined
e-commerce as the transaction of goods and services over the Internet [4]. It is also
described as the sharing, transferring and exchanging of information [8]. Over the
past few years e-commerce has maintained a rapid yet steady pace. It has been
a dynamic force, a catalyst in changing the nature of business transactions and
operations all around the world [9]. It should also be noted that, unlike traditional
commerce, EC does not allow physical interaction between consumers and
retailers or suppliers [4]. This fact raises a number of risks and issues,
including technological, security, privacy, trust, legal and other related issues [9]. The
following research focuses on two of these issues, security and privacy.
Factoring security and privacy into e-commerce models is of considerable
importance to consumers, businesses, and regulators [10]. The majority of
customers feel insecure about the existing policies and guidelines with respect
to privacy and security online. Such insecurities have a negative impact on any
economic model. Online security breaches can thus be considered a fast-spreading
menace in current economic settings around the world. E-commerce
providers must also protect against a number of different external security
threats, most notably denial of service (DoS). The financial services sector still bears
the brunt of e-crime, accounting for 72% of all attacks, but the sector that experienced
the greatest increase in the number of attacks was e-commerce: attacks in this sector
rose by 15% from 2006 to 2007 [11].


Security Issues in E-commerce


In e-commerce development, security is a critical factor to consider [12]. It is one of the
pivotal success factors of e-commerce. Security is defined as the protection of
data against accidental or intentional disclosure to unauthorized persons, or
unauthorized modification or destruction [13]. It usually refers to the provision of
access control, privacy, confidentiality, integrity, authentication, non-repudiation,
availability and effectiveness [9][14][15]. Surveys conducted and compiled recently
show increasing concern about security risks, which have become a global issue [6].
When customers lose confidence in a system's ability to protect confidential data
such as credit card information, its feasibility will be compromised, and the
system will thus be rendered helpless [16].

Electronic commerce has been weakened by the deterioration of confidence
held towards it by the consumer public. This in turn poses an immense threat to its
overall expansion and success [13]. In fact, Hoffman et al. stated that 63%
of online end-users intentionally delay providing personal information due
to diminished confidence and trust in sites [4]. If credibility is to be achieved,
improved security and privacy protocols should be incorporated. At present
security is pivotal, and concerns surrounding its efficiency are perhaps the key cause
of web users not making online purchases [13]. The US-based Better Business
Bureau confirmed that online security was a great concern in 2001 [4]. Types
of security threats include identity theft, i.e. the illegal use of personal information,
which is in fact the USA's leading form of fraud [17]. Other threats include
gaining physical access to premises, accessing wiretaps, unauthorized acquisition
of information, viruses, lack of integrity, financial fraud, vandalism, etc. [16][9].
Dimensions of E-commerce Security

Integrity: the ability to ensure that information being displayed on a Web site or
transmitted/received over the Internet has not been altered in any way by an
unauthorized party

Nonrepudiation: the ability to ensure that e-commerce participants do not deny
(repudiate) their online actions

Authenticity: the ability to identify the person or entity with whom you
are dealing on the Internet

Confidentiality: the ability to ensure that messages and data are available only to
those authorized to view them

Privacy: the ability to control the use of information a customer provides about
himself or herself to a merchant

Availability: the ability to ensure that an e-commerce site continues to function as
intended

The Tension between Security and Other Values

Security vs. ease of use: the more security measures are added, the more
difficult a site is to use, and the slower it becomes.

Too much security can harm profitability, while not enough security can put
you out of business.

There is a tension between the desire of individuals to act anonymously (to hide their
identity) and the need to maintain public safety, which can be threatened by
criminals or terrorists.

The Internet is both anonymous and pervasive, an ideal communication tool
for criminal and terrorist groups (Coll and Glasser 2005).

Security Threats in the E-commerce Environment


Three key points of vulnerability:

Client

Server

Communications channel

A Typical e-commerce transaction


Vulnerable Points

Detailing of Security vulnerabilities in electronic commerce

There are many points of failure, or vulnerabilities, in an e-commerce environment.
Even in a simplified e-commerce scenario, in which a single user contacts a single web site
and then gives his credit card and address information for shipping a purchase, many
potential security vulnerabilities exist. Indeed, even in this simple scenario, there are
a number of systems and networks involved. Each has security issues:

A user must use a web site and at some point identify, or authenticate, himself
to the site. Typically, authentication begins on the user's home computer and
its browser. Unfortunately, security problems in home computers offer hackers
other ways to steal e-commerce data and identification data from users. Some
current examples include a popular home-banking system that stores a user's
account number in a Web cookie which hostile web sites can crack [18];
ineffective encryption or lack of encryption for home wireless networks [19];
and mail-borne viruses that can steal the user's financial data from the local
disk [20] or even from the user's keystrokes [21]. While these specific security
problems will be fixed by some software developers and web-site
administrators, similar problems will continue to occur. Alternatives to the home
computer include Point-of-Sale (POS) terminals in brick-and-mortar stores, as
well as a variety of mobile and handheld devices.

The user's web browser connects to the merchant front-end. When a
consumer makes an online purchase, the merchant's web server usually
caches the order's personal information in an archive of recent orders. This
archive contains everything necessary for credit-card fraud. Further, such
archives often hold 90 days' worth of customers' orders. Naturally, hackers
break into insecure web servers to harvest these archives of credit card
numbers. Several recent thefts netted 100,000, 300,000, and 3.7 million credit-card
records, respectively. Accordingly, an e-commerce merchant's first security
priority should be to keep the web servers' archives of recent orders behind the
firewall, not on the front-end web servers [22]. Furthermore, sensitive servers
should be kept highly specialized, by turning off and removing all inessential
services and applications (e.g., ftp, email). Other practical suggestions for
securing web servers can be found in [23] and [24], among many others.

The merchant back-end and database. A site's servers can weaken the
company's internal network. This is not easily remedied, because the web
servers need administrative connections to the internal network, but web server
software tends to have buggy security. Here, the cost of failure is very high,
with potential theft of customers' identities or corporate data. Additionally, the
back-end may connect with third-party fulfillment centers and other processing
agents. Arguably, the risk of stolen product is the merchant's least important
security concern, because most merchants' traditional operations already have
careful controls to track payments and deliveries. However, these third parties
can release valuable data through their own vulnerabilities.

This is a simplified model of an e-commerce architecture; yet even in its simplicity,
there are a number of security problems. Note that encrypted e-commerce
connections do little to help solve any but network security problems. While other
problems might be ameliorated by encryption, there are still vulnerabilities in the
software clients and servers that must use the data. We will discuss the
implications of these vulnerabilities below: users who may themselves release
data or act in ways that place sites in jeopardy, the constant pressure of new
technologies and the resulting constant threat of new vulnerabilities, as well as the
requirements for critical organizational processes. However, before discussing
potential requirements for e-commerce sites and their consumers, it is important to
survey potential security technologies.
Viable causes behind Security Threats

Reasons for high security risks include the imperfection of e-commerce laws,
regulations, systems, technology and the Internet. Security is a key integral
issue for users, regardless of what the application may be, ranging from locking a
computer to conducting business via the Internet [17]. The rapid development of
e-business and e-commerce applications has resulted in an increase in the amount
of illegal infiltration into information systems which were initially deemed safe [6].
Since e-commerce is completely reliant on IT, it could be stated that future
developments in e-commerce will depend solely on IT security and risk management.
Garg et al. state that "a percentage between 36 and 90 percent of organizations
confirmed security breaches in the past year alone" [6]. These statistics help increase
or maintain customers' negative perception of the e-market and explain why a lot of
people are fearful or insecure about buying or performing sensitive transactions online.
It seems as if the only solution to remove the problem and increase e-sales is to provide
fully secured networks that guarantee confidentiality and safety. It is, however, not that
simple. Technologies that provide flawless security measures and guarantees
are very expensive and in most cases not easily acquired. Web-based e-commerce
is composed of hyperlinked web pages alongside applications and incompatible
technologies used to bring about business transactions among different companies
spanning the globe [7]. Therefore, even if a business tries to deploy error-free security
software, success is not guaranteed, as there are many factors influencing the
flow and security of information in cyberspace. Moreover, in order for e-commerce
to develop customer trust, the change has to be made collectively,
not just by a few companies. In the case of small to medium businesses it is
difficult and costly to incorporate complete IT security [6]. Leaving aside the
multifaceted technologies required, e-commerce systems are founded and based on
the World Wide Web, which coincidentally has a history of exposure to a variety of
security threats [7].


Probable Crimes in E-commerce Environment


Most Common Security Threats in the E-commerce Environment

Malicious code (viruses, worms, Trojans)

Unwanted programs (spyware, browser parasites)

Phishing/identity theft

Hacking and cyber vandalism

Credit card fraud/theft

Spoofing (pharming)/spam (junk) Web sites

DoS and DDoS attacks

Sniffing

Insider attacks

Poorly designed server and client software

Malicious code tries to impair computers and to steal email addresses, logon credentials,
personal data, and financial information.

Viruses: computer programs that have the ability to replicate and spread to other
files; most also deliver a payload of some sort (destructive or benign);
they include macro viruses, file-infecting viruses, and script viruses

Worms: designed to spread from computer to computer; can replicate without
being executed by a user or program, unlike a virus

Trojan horse: appears to be benign, but then does something other than
expected

Bots: can be covertly installed on a computer; respond to external commands
sent by the attacker to create a network of compromised computers for
sending spam, generating a DDoS attack, and stealing information from computers

Unwanted Programs

Installed without the user's informed consent

Browser parasites: can monitor and change the settings of a user's browser

Adware: calls for unwanted pop-up ads

Spyware: can be used to obtain information, such as a user's keystrokes, email, IMs, etc.

Phishing and Identity Theft

Any deceptive online attempt by a third party to obtain confidential
information for financial gain

Most popular type: e-mail scam letters, e.g., a rich former Nigerian oil minister
seeking a bank account in which to deposit millions of dollars, or fake account
verification emails from eBay or CitiBank asking the recipient to give up personal account
information, bank account numbers, and credit card numbers

One of the fastest growing forms of e-commerce crime

197,000 unique new phishing emails were sent within the first 6 months of 2007,
an 18% increase

Hacking and Cyber vandalism

Hacker: an individual who intends to gain unauthorized access to computer
systems

Cracker: a hacker with criminal intent (the two terms are often used interchangeably)

Cyber vandalism: intentionally disrupting, defacing or destroying a Web site

Types of hackers include:

White hats: hired by corporations to find weaknesses in the firm's computer
systems

Black hats: hackers with the intention of causing harm

Grey hats: hackers who break in and reveal system flaws without
disrupting the site or attempting to profit from their finds

Credit Card Fraud

Fear that credit card information will be stolen deters online purchases

The overall rate of credit card fraud is lower than users think: 1.6-1.8% of all
online card transactions.

US federal law limits the liability of individuals to $50 for a stolen credit card.

Hackers target credit card files and other customer information files on
merchant servers, and use the stolen data to establish credit under a false identity

One solution: new identity verification mechanisms

Spoofing (Pharming) and Spam (Junk) Web Sites

Spoofing (Pharming)

Misrepresenting oneself by using fake e-mail addresses or masquerading as
someone else

Threatens the integrity and authenticity of a site

Spoofing a Web site is called pharming, which involves redirecting a Web
link to an IP address different from the real one

Pharming is carried out by hacking local DNS servers.

Threatens the integrity of a site by stealing business from the true site, or by altering
orders and sending them to the true site for processing and delivery.

Threatens authenticity by making it hard to discern the true sender of a
message.

Spam (Junk) Web sites

Use domain names similar to a legitimate one and redirect traffic to spammer-redirection domains
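A merchant-side check for the "similar domain name" trick described above, added here as an example and not part of the paper: it folds common look-alike characters, strips the public suffix, and flags candidates that are within a small edit distance of a protected brand or that embed the brand inside a longer label. The brand list, the candidate domains, the homoglyph table and the distance threshold are all constructed for this example.

```python
"""Look-alike (typosquatting / homoglyph) domain check for spam and pharming sites.

Added example; the brand names, candidate domains, homoglyph table and
threshold below are constructed for illustration only.
"""

# Characters and digraphs that commonly stand in for one another in look-alike names.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s",
    "vv": "w", "rn": "m", "cl": "d",
}

# Constructed list of a merchant's legitimate domains.
LEGITIMATE = ["shopmart.com", "citybank.com"]


def registrable_label(domain: str) -> str:
    """Return the label left of the public suffix, e.g. 'shopmart' for
    'secure.shopmart.com'. Assumes a one-label suffix (.com, .net, ...)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Fold homoglyph substitutions so 'sh0pmart' compares as 'shopmart'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, legitimate=LEGITIMATE, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a candidate domain."""
    if domain.lower() in legitimate:
        return "legitimate"
    cand = normalize(registrable_label(domain))
    for good in legitimate:
        brand = normalize(registrable_label(good))
        # Brand embedded in a longer label, e.g. 'shopmart-secure-login'.
        if brand in cand and cand != brand:
            return "lookalike"
        # Brand spelled with a few edits or homoglyphs, or on another TLD.
        if levenshtein(cand, brand) <= max_distance:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for d in ["shopmart.com", "sh0pmart.com", "shopmart-secure-login.com",
              "citybanc.com", "example.org"]:
        print(f"{d:30} {classify(d)}")
```

Such a check belongs in a domain-monitoring feed or in mail filtering, where a hit triggers a takedown request or a warning to customers rather than any action against the site.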

DoS and DDoS Attacks

Denial of service (DoS) attack

Hackers flood a Web site with useless traffic to inundate and overwhelm the
network

Use of bot networks built from hundreds of compromised workstations.

The number of DoS attacks per day grew from 119 during the last 6 months of 2004 to
927 during the first 6 months of 2005, a 679% increase [11].

Distributed denial of service (DDoS) attack

Hackers use numerous computers to attack the target network from numerous
launch points

Microsoft and Yahoo have experienced such attacks

Denial of Service

Ping Flooding

The attacker sends a flood of pings to the intended victim

The ping packets saturate the victim's bandwidth

SMURF Attack

Uses a ping packet with two extra twists:

The attacker chooses an unwitting victim

Spoofs the source address

Sends the request to the network in broadcast mode
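From the defender's side, the two patterns just described leave distinct traces: a single source emitting echo requests far above any normal rate, an echo request addressed to a directed-broadcast address (the Smurf trigger, whose source is the real victim), and many distinct hosts replying to one destination at once. The following detection heuristics, added here as an example and not part of the paper, run over a constructed ICMP log; the log format, the /24 assumption that makes x.y.z.255 a broadcast address, and the thresholds are all invented for the example.

```python
"""Defender-side heuristics for ping floods and Smurf amplification.

Added example. Assumptions, all constructed: log lines are
'seconds src dst icmp_type'; subnets are /24 so an address ending in .255 is a
directed broadcast; the thresholds are illustrative.
"""

from collections import defaultdict

ECHO_REQUEST = "echo-request"
ECHO_REPLY = "echo-reply"

# Constructed sample: ~1.5 s of ICMP seen at the network edge. 10.0.0.5 floods
# 192.0.2.10; then a request forged with 192.0.2.10 as source hits a broadcast
# address and three hosts on that network reply to 192.0.2.10 (Smurf pattern).
SAMPLE_LOG = """\
0.10 10.0.0.5 192.0.2.10 echo-request
0.20 10.0.0.5 192.0.2.10 echo-request
0.30 10.0.0.5 192.0.2.10 echo-request
0.40 10.0.0.5 192.0.2.10 echo-request
0.50 10.0.0.5 192.0.2.10 echo-request
0.60 10.0.0.5 192.0.2.10 echo-request
0.70 10.0.0.7 192.0.2.10 echo-request
0.80 192.0.2.10 203.0.113.255 echo-request
0.81 203.0.113.1 192.0.2.10 echo-reply
0.82 203.0.113.2 192.0.2.10 echo-reply
0.83 203.0.113.3 192.0.2.10 echo-reply
1.50 10.0.0.9 192.0.2.20 echo-request
"""


def parse_log(text):
    """Turn log lines into (time, src, dst, icmp_type) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, src, dst, kind = fields
        events.append((float(ts), src, dst, kind))
    return events


def is_directed_broadcast(ip):
    """True for the /24 broadcast address (x.y.z.255), per this example's assumption."""
    return ip.split(".")[-1] == "255"


def detect(events, window=1.0, flood_threshold=5, reply_sources_threshold=3):
    """Return the three findings a defender would act on, per time bucket."""
    requests_per_src = defaultdict(int)   # (bucket, src) -> echo requests sent
    reply_sources = defaultdict(set)      # (bucket, dst) -> distinct repliers
    broadcast_requests = []
    for ts, src, dst, kind in events:
        bucket = int(ts // window)
        if kind == ECHO_REQUEST:
            requests_per_src[(bucket, src)] += 1
            if is_directed_broadcast(dst):
                # Smurf trigger: the source is almost certainly spoofed and is
                # the intended victim; border routers should drop this packet.
                broadcast_requests.append((src, dst))
        elif kind == ECHO_REPLY:
            reply_sources[(bucket, dst)].add(src)
    flood_sources = sorted({src for (_, src), n in requests_per_src.items()
                            if n > flood_threshold})
    victims = sorted({dst for (_, dst), s in reply_sources.items()
                      if len(s) >= reply_sources_threshold})
    return {
        "ping_flood_sources": flood_sources,
        "broadcast_echo_requests": broadcast_requests,
        "amplification_victims": victims,
    }


if __name__ == "__main__":
    for key, value in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The corresponding mitigations are rate-limiting ICMP at the edge and disabling directed-broadcast forwarding on routers, which removes the amplifier the Smurf pattern depends on.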

Other Security Threats

Sniffing: a type of eavesdropping program that monitors information traveling
over a network; enables hackers to steal proprietary information from
anywhere on a network

Insider jobs: the single largest financial threat

64% of business firms experienced an inside security breach in their
systems in 2006.

Poorly designed server and client software: the increase in complexity of
software programs (e.g., MS's Win32 API) has contributed to MS's increase in
vulnerabilities that hackers can exploit


Security Steps to Protect E-Commerce


There are many relevant technologies, including cryptographic technologies, that can
mitigate the previously mentioned vulnerabilities. However, none is comprehensive or
airtight by itself. Accordingly, we next present a brief overview of the major
technologies, also considering the advantages and disadvantages of each.

There are four components involved in e-commerce security: client software, server
software, the server operating system, and the network transport. Each component
has its own set of issues and challenges associated with securing it:

Client software is becoming increasingly security-focused; however,
single-user desktop operating systems historically have had no security
features implemented. E-commerce software that relies on the security of the
desktop operating system is easily compromised without the enforcement of
strict physical controls.

Server software is constantly under test and attack by the user community.
Although there have been cases of insecurity, a system administrator keeping
up with the latest patches and vendor information can provide a high degree of
confidence in the security of the server itself.

Operating systems used for hosting e-commerce servers are securable, but
rarely ship from the vendor in a default configuration that is secure.
E-commerce servers must protect the database of customer information
accumulating on the server as well as provide security while the server is
handling a transaction. If it is easier for a thief to compromise the server to
obtain credit card numbers, why bother sniffing the network for individual credit
card numbers?

Session transport between the client and server uses network protocols that
may have little or no built-in security. In addition, networking protocols such as
TCP/IP were not designed to have confidentiality or authentication capabilities.


Technology Solutions

Protecting Internet communications (encryption)

Securing channels of communication (SSL, S-HTTP, VPNs)

Protecting networks (firewalls)

Protecting servers and clients

Protecting Internet Communications: Encryption

In the mass media, the most visible security technologies are the encryption
algorithms. For a general introduction to these technologies see [25]; a popularization
can be found in [26]. Two classic textbooks are [27] and [28], and encyclopedic
compendia include [29] and [30].

Encryption: the process of transforming plain text or data into cipher text that cannot be
read by anyone other than the sender and receiver

Purpose: to secure stored information and information transmission

Provides: message integrity, nonrepudiation, authentication, and confidentiality

Symmetric Key Encryption:

Symmetric key encryption is also known as secret key encryption. Secret-key
cryptography is the more traditional form, and has been used for all kinds of
communications throughout the ages. In this method, one "key" is used to both
encrypt and decrypt the data. A key can be anything from a secret-decoder ring
found in a cereal box to a highly complex mathematical algorithm; keys really
only differ in the ease with which they can be broken by third parties. In secret-key
cryptography, the sender and receiver must have the same key in order for
the transmission to work correctly.


Both the sender and receiver use the same digital key to encrypt and decrypt the
message

Requires a different set of keys for each transaction

Advanced Encryption Standard (AES): the most widely used symmetric key
encryption today; offers 128-, 192-, and 256-bit encryption keys; other
standards use keys with up to 2,048 bits

Public Key Encryption:

The key management problem inherent to secret-key cryptography needed to be
addressed in order to allow large-scale, secure use of data encryption techniques. In 1976,
Whitfield Diffie, a cryptographer and privacy advocate, and Martin Hellman, an
electrical engineer, working together discovered the concept of public-key encryption.
Instead of having one key shared between both users of an encrypted transmission,
each user has his or her own public/private key pair. A user makes the public key open
and available to anyone (by publishing it on-line or registering it with a public key
server), and keeps the private key hidden away where (hopefully) no one can get at it.
The private key is mathematically derived from the public key, and thus the two are
linked together. In order to send someone a message, the sender encrypts the
transmission with the receiver's public key. This can then only be decrypted with the
receiver's private key. Thus, anyone can encrypt a message with someone else's
public key, but only that person would ever be able to read it.

Solves the symmetric key encryption problem of having to exchange a secret key

Uses two mathematically related digital keys: a public key (widely disseminated)
and a private key (kept secret by the owner)

Both keys are used to encrypt and decrypt messages

Once a key is used to encrypt a message, the same key cannot be used to decrypt
the message

For example, the sender uses the recipient's public key to encrypt a message; the recipient
uses his/her private key to decrypt it


Digital signatures

Public-key cryptography also provides a mechanism for authenticating messages that secret-key
techniques do not: digital signatures. The sender of a message completes a
calculation (performed by a hash function) involving the actual file to be
transmitted and his or her private key, and the result of this (the digital signature itself)
is appended to the end of the transmission. The receiver can then perform a
calculation involving the received message and the sender's public key, and if
everything is valid, the sender's identity will have been verified. A benefit of this
signature method is that it not only verifies the sender's identity; it also verifies that the
original contents of the transmission have not been altered in any way. Because the
signature is derived from both the key and the data itself, changing the data later on
will cause the receiver's verification to fail. This provides authentication that is even
better than a signature on a paper document: a signature can be forged, or the
contents of the document could somehow be secretly altered, but with public-key
authentication, this cannot be done.
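The two public-key operations described above (encrypting to a recipient's public key, and hashing a message then signing the digest with the sender's private key so that any later change makes verification fail) carried through with a textbook RSA key pair, as an added example that is not the paper's own code. The primes are constructed toy values so the whole computation is visible, and no padding scheme is applied; a production system uses a vetted library, keys of 2048 bits or more and a padding scheme such as PSS, and the order text is invented.

```python
"""Hash-then-sign, verify and encrypt with a textbook RSA key pair.

Added example. The primes are constructed toy values and there is no padding;
this shows the mechanism the text describes, not a production signature.
"""

import hashlib
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key) from two primes. Toy sizes only."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def digest(message: bytes, n: int) -> int:
    """The hash-function step: SHA-256 of the message, reduced below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Sender side: combine the digest with the private key."""
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver side: undo the signature with the public key and compare it
    with a fresh digest of what was actually received."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


def encrypt(m: int, public_key) -> int:
    """Confidentiality direction: anyone can encrypt to the key holder."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer below the modulus")
    return pow(m, e, n)


def decrypt(c: int, private_key) -> int:
    """Only the matching private key recovers the plaintext."""
    n, d = private_key
    return pow(c, d, n)


# Constructed toy primes: 2**31 - 1 and 1_000_000_007 are both prime.
PUBLIC_KEY, PRIVATE_KEY = make_keypair(2147483647, 1000000007)


def demo():
    """Sign a constructed order, then show that tampering breaks verification."""
    order = b"Order 1234: ship 2 units to the address on file"
    sig = sign(order, PRIVATE_KEY)
    tampered = b"Order 1234: ship 20 units to the address on file"
    return {
        "original_verifies": verify(order, sig, PUBLIC_KEY),
        "tampered_verifies": verify(tampered, sig, PUBLIC_KEY),
        "roundtrip_ok": decrypt(encrypt(424242, PUBLIC_KEY), PRIVATE_KEY) == 424242,
    }


if __name__ == "__main__":
    print(demo())
```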

Network Transport Security

Models such as SET, CAF, DigiCash, First Virtual, and Millicent provide a secure
payment method. However, the transaction still depends on the privacy and
authentication of the data stream. Basic TCP/IP networking protocols do not include
encryption and strong authentication. Higher level protocols such as HTTP, FTP, and
Telnet do little to provide advanced security measures beyond user id and password
authentication. All information sent using these protocols is unencrypted, so the data
stream lacks confidentiality.


Virtual Private Networking (VPN)

The Internet's lack of security may leave you leery. What can you do if you just want
to give company insiders and a few select business partners and customers easy and
relatively secure remote access to company data via the Internet? You can set up a
virtual private network.

Virtual Private Networking technology provides the medium to use the public Internet
backbone as an appropriate channel for private data communication. With encryption
and encapsulation technology, a VPN essentially carves out a private passageway
through the Internet. VPNs allow remote offices, company road warriors, and even
business partners or customers to use the Internet, rather than pricey private lines, to
reach company networks, so companies can save a lot of money.

You can also use VPNs to link remote LANs together or to give traveling staffers,
work-at-home employees, and business partners a simple way to reach past company
firewalls and tap into company resources. Virtual private networks are flexible. They
are point-to-multipoint connections, rather than point-to-point links. They can be set
up or closed down at the network administrator's will, making them ideal for short-term
projects.

A VPN has many advantages: it is much cheaper for connecting WANs than 800
numbers or dedicated T1 lines. It provides encryption and authentication services for
a fairly good measure of privacy. Maintenance of the WAN-to-WAN connection is left
to Internet Service Providers. It is highly flexible, and can be set up and taken down
very easily.


IPSec (IPv6)

IPSec is a framework of open standards developed by the Internet Engineering Task
Force (IETF). IPSec provides security for transmission of sensitive information over
unprotected networks such as the Internet. IPSec acts at the network layer, protecting
and authenticating IP packets between participating IPSec devices ("peers"), such as
Cisco routers.

Secure Socket Layer (SSL)

SSL is the Secure Sockets Layer protocol. Version 2.0 was originated by Netscape
Development Corporation, and version 3.0 was designed with public review and input
from industry. SSL is a communication system that ensures
privacy when communicating with other SSL-enabled products. Technically speaking,
SSL is a protocol that runs above TCP/IP and below HTTP or other top-level protocols.
It is symmetric encryption nested within public-key encryption, authenticated through
the use of certificates. An SSL connection can only occur between an SSL-enabled
client and an SSL-enabled server. In fact, when a server is running in SSL mode, it
can only communicate through SSL.

S-HTTP was designed by E. Rescorla and A. Schiffman of EIT to secure HTTP
connections. S-HTTP provides a wide variety of mechanisms for
confidentiality, authentication, and integrity. Separation of policy from mechanism was
an explicit goal. The system is not tied to any particular cryptographic system, key
infrastructure, or cryptographic format. The Internet draft is fairly clear in its
presentation of the protocol, although implementation details are sketchy.

S-HTTP is a superset of HTTP, which allows messages to be encapsulated in various
ways. Encapsulations can include encryption, signing, or MAC-based authentication.
This encapsulation can be recursive, and a message can have several security
transformations applied to it. S-HTTP also includes header definitions to provide key
transfer, certificate transfer, and similar administrative functions. S-HTTP appears to
be extremely flexible in what it will allow the programmer to do. S-HTTP also offers the
potential for substantial user involvement in, and oversight of, the authentication and
encryption activities.

How SSL relates to TCP/IP and application protocols.

An SSL connection is initiated by a network browser when it asks a server to send a
document through HTTPS, LDAPS, SNEWS, or other secure protocol.

Transport Layer Security (TLS)

TLS, still commonly referred to as SSL, is a popular mechanism for enhancing TCP
communications with privacy and authentication. TLS is in wide use with the HTTP
protocol, and is also being used for adding security to many other common protocols
that run over TCP.
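The layering the SSL and TLS sections describe (TCP underneath, the secure layer in the middle, HTTP on top, with the server authenticated by its certificate) as an added Python example, not code from the paper. The host name `shop.example` is a placeholder, and the client is written to refuse a session whose certificate does not verify rather than fall back to an unauthenticated one.

```python
import socket
import ssl


def build_client_context() -> ssl.SSLContext:
    """What an SSL-enabled client should insist on before trusting the tunnel:
    a server certificate that chains to a trusted CA and names the host it connects to."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 2.0/3.0 and early TLS
    return ctx


def http_request_bytes(host: str, path: str = "/") -> bytes:
    """The HTTP message. It is byte-for-byte the same with or without TLS: the
    application protocol sits above the secure layer and never sees the ciphertext."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")


def status_code(response: bytes) -> int:
    """Parse the status line ('HTTP/1.1 200 OK') of a raw HTTP response."""
    status_line = response.split(b"\r\n", 1)[0]
    return int(status_line.split()[1])


def https_get(host: str, path: str = "/", port: int = 443, timeout: float = 10.0) -> bytes:
    """Layering as the paper describes: TCP connection, then the TLS handshake
    (server authenticated by certificate, symmetric session keys agreed), then HTTP.
    A certificate that does not verify raises ssl.SSLCertVerificationError here."""
    ctx = build_client_context()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as tcp:   # TCP/IP
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:              # SSL/TLS
            tls.sendall(http_request_bytes(host, path))                     # HTTP
            while True:
                buf = tls.recv(4096)
                if not buf:
                    break
                chunks.append(buf)
    return b"".join(chunks)
```

Calling `https_get` against a real host needs network access; the other functions run offline.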


Conclusion

In summary, the e-commerce industry faces a challenging future in terms of the
security risks it must avert. With increasing technical knowledge, and its widespread
availability on the Internet, criminals are becoming more and more sophisticated
in the deceptions and attacks they can perform. Novel attack strategies and
vulnerabilities only really become known once a perpetrator has uncovered and
exploited them.

Both privacy and security are still ongoing research problems. Privacy is now
understood, by many, to be a social construction in which expectations are the largest
consideration. Yet privacy is also considered a public issue by regulators, who have
nonetheless largely allowed technology to unfold to date. Security is now understood
to be largely imperfect, the continual cat-and-mouse game of security expert and
hacker.

That said, there are multiple security strategies which any e-commerce provider
can implement to reduce the risk of attack and compromise significantly. Awareness of
the risks and the implementation of multi-layered security protocols, detailed and
open privacy policies, and strong authentication and encryption measures will go
a long way to reassure the consumer and ensure the risk of compromise is kept minimal.


References

[1] http://www.msen.com/~chad/ecomm_sec.html

[2] Peixian Li, Issues of Security and Privacy in Electronic Commerce.

[3] Mayor S. Desai, Thomas C. Richards and Kiran J. Desai, E-commerce policies and customer privacy. Information Management and Computer Security, 2003 (11/1).

[4] Bruce Chien-Ta Ho and Kok-Boon Oh, An empirical study of the use of e-security seals in e-commerce. E-security seals in e-commerce, 2008.

[5] Mulpuru, S. (2008) B2C eCommerce Expected To Top $300B In Five Years. Forrester Research, 17.

[6] Atul Gupta and Rex Hammond, Information systems security issues and decisions for small businesses. IS security issues and decisions, 2003.

[7] M. T. Chan and L. F. Kwok, Integrating security design into the software development process for e-commerce systems. Information Management and Computer Security, 2001 (9/3).

[8] Xiaoming Meng, Analyze and prevent the security risks of e-commerce privacy. International Conference on Management of e-Commerce and e-Government, 2008 (7/8).

[9] George S. Oreku, Jianzhong Li, Rethinking e-commerce security. CIMCA-IAWTIC, 2005 (0/05).

[10] Mauricio S. Featherman, Anthony D. Miyazaki and David E. Sprott, Reducing online privacy risk to facilitate e-service adoption: the influence of perceived ease of use and corporate credibility. Journal of Services Marketing, 2010 (24/3).

[11] Symantec (2007) Attacks rise as e-tailers lag finance sector on security. Computer Weekly, 44.

[12] Xin Tian, Wei Dai, Study on information management and security of e-commerce system. LEE, 2101 (9/10).

[13] Godwin J. Udo, Privacy and Security. Information Management and Computer Security, 2001 (9/4).

[14] Licun Wang, Changing Zou, Shubin Zhang, A study on the commerce security characteristics for electronic business. International Conference on e-Business and e-Government, 2010 (3/10).

[15] Ralph Holbein, Thomas Gaugler, IT security in electronic commerce: from cost to value driver. International Workshop on Database and Expert Systems Applications, 1999 (4/7).

[16] Someswar Kashe, Sam Ramanujan, Sridhar Nerur, A framework for analyzing e-commerce security. Information Management and Computer Security, 2001 (10/4).

[17] Norman Desmarais, Body language. Library Hi Tech, 2000 (18/1).

[18] Graves, P., and M. Curtin. 2000. Bank One Online Puts Customer Account Information At Risk. http://www.interhack.net/pubs/bankone-online.

[19] Borisov, N., I. Goldberg, and D. Wagner. 2001. Intercepting Mobile Communications: The Insecurity of 802.11. Proceedings of the Seventh Annual International Conference on Mobile Computing and Networking: 180-189.

[20] Roberts, P. 2002. Bugbear Virus Spreading Rapidly. PC World Online, October 2, 2002.

[21] Neyses, J. 2002. Higher Education Security Alert From the U.S. Secret Service: List of Keystroke Logging Programs. http://www.unh.edu/tcs/reports/sshesa.html.

[22] Winner, D. 2002. Making Your Network Safe for Databases. SANS Information Security Reading Room, July 21, 2002.

[23] Tipton, Harold, and Micki Krause. 2002. Information Security Management Handbook. New York: CRC Press.

[24] Garfinkel, Simson, Alan Schwartz, and Gene Spafford. 2003. Practical Unix & Internet Security. Cambridge, MA: O'Reilly.

[25] Treese, G. Winfield, and Lawrence C. Stewart. 1998. Designing Systems for Internet Commerce. New York: Addison-Wesley.

[26] Levy, Steven. 2001. Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital Age. New York: Viking.

[27] Denning, D. 1983. Cryptography and Data Security. New York: Addison-Wesley.

[28] Koblitz, N. 1994. A Course in Number Theory and Cryptography. Berlin: Springer-Verlag.

[29] Schneier, B. 1996. Applied Cryptography. New York: John Wiley & Sons.

[30] Menezes, Alfred J., Paul C. van Oorschot, and Scott A. Vanstone. 1996. Handbook of Applied Cryptography. New York: CRC Press.
