Submitted To
Md. Rakibul Hoque
Assistant Professor
Department of Management Information Systems
University of Dhaka
Submitted By
MD. ABDULLAH AL AHAD | ID: 61323-16-029
MAHMUD PARVEJ | ID: 61325-18-052
SHUVAJYOTI ROY | ID: 61426-19-020
Executive Summary
Electronic Commerce may include any computer-mediated business process, but a
common usage is to describe commerce (buying and selling of a product or
service) taking place using the World Wide Web (WWW) as an enabling transport [1].
Since the invention of the WWW in 1989, Internet-based electronic commerce has been
transformed from a mere idea into reality. Consumers browse through catalogues,
search for the best offers, order goods, and pay for them electronically. Most financial
institutions have some sort of online presence, allowing their customers to access and
manage their accounts, make financial transactions, trade stocks, and so forth.
Electronic mails are exchanged within and between enterprises, and often already
replace fax copies. Soon there will arguably be no enterprise left that has no Internet
presence, if only for advertising reasons [2].
Thus, doing some electronic business on the Internet is already an easy task. So are
cheating and snooping. Several reasons contribute to this insecurity: the Internet does
not offer much security per se. Eavesdropping and acting under a false identity are
simple. Stealing data is undetectable in most cases. Popular PC operating systems
offer little or no security against viruses or other malicious software, which means that
users cannot even trust the information displayed on their own screens. At the same
time, user awareness of security risks is threateningly low. In this paper, various
probable crimes committed through e-commerce, along with their potential reasons and
plausible security measures, are outlined.
1|Page
Security in E-Commerce
Table of Contents
Introduction .......................................................... 3
Security Issues in E-commerce ......................................... 5
    Dimensions of E-commerce Security ................................. 5
    The Tension between Security and Other Values ..................... 6
    Security Threats in the E-commerce Environment .................... 6
        A Typical e-commerce transaction .............................. 6
        Vulnerable Points ............................................. 7
    Detailing of Security vulnerabilities in electronic commerce ...... 7
    Viable causes behind Security Threats ............................. 9
Conclusion ........................................................... 21
References ........................................................... 22
Introduction
The utilization of the internet is increasing rapidly every year; the availability of
low-cost peripheral devices and wider internet accessibility options are key contributing
factors [3]. The progression of technology over recent years has enabled the
consumer a broader and much more enriched interactive experience [4]. The
availability of a wide variety of applications and simple point-and-click interfaces has
further contributed to this experience through its ease of use.
marketing, online transaction
spreading menace in current day economical settings around the world. E-Commerce
providers must also protect against a number of different external security
threats, most notably Denial of Service (DoS). The financial services sector still bears
the brunt of e-crime, accounting for 72% of all attacks. But the sector that experienced
the greatest increase in the number of attacks was e-Commerce. Attacks in this sector
have risen by 15% from 2006 to 2007 [11].
against accidental or data such as credit card information its sensitive feasibility and will be
Authenticity: ability to identify the identity of a person or entity with whom you
are dealing on the Internet
Confidentiality: ability to ensure that messages and data are available only to
those authorized to view them
Too much security can harm profitability, while not enough security can put
you out of business
Tension between the desire of individuals to act anonymously (to hide their
identity) and the needs to maintain public safety that can be threatened by
criminals or terrorists.
Figure: a typical e-commerce transaction, showing its three vulnerable points: the client, the server, and the communications channel.
Vulnerable Points
A user must use a web site and at some point identify, or authenticate, himself
to the site. Typically, authentication begins on the user's home computer and
its browser. Unfortunately, security problems in home computers offer hackers
other ways to steal e-commerce data and identification data from users. Some
current examples include a popular home-banking system that stores a user's
account number in a Web cookie which hostile web sites can crack [18];
ineffective encryption or lack of encryption for home wireless networks [19];
and mail-borne viruses that can steal the user's financial data from the local
disk [20] or even from the user's keystrokes [21]. While these specific security
problems will be fixed by some software developers and web-site
administrators, similar problems will continue to occur. Alternatives to the home
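The cookie problem cited above ([18], an account number stored in a Web cookie) illustrates why a browser-side token should carry nothing a hostile site could read or alter. The following Python is an added example, not code from the paper or from any of the systems it cites: it keeps the account number in a server-side session table (a constructed in-memory dict here) and hands the browser only a random session id bound to an HMAC tag under a server secret, so a forged or edited cookie is rejected before any lookup happens. SERVER_KEY, SESSION_STORE and the function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example; a real deployment loads it from
# a secrets store and never embeds it in source.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed session table: the sensitive account number stays here, on the server.
SESSION_STORE = {"s3ss10n-demo": {"account_number": "0000-CONSTRUCTED-0000"}}


def weak_cookie(account_number: str) -> str:
    """The pattern the paper warns about: the secret itself travels in the cookie.

    Anything that can read the cookie (a hostile site, a sniffer on an unencrypted
    link) learns the account number, and the value can be edited at will.
    """
    return f"account={account_number}"


def make_session_cookie(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Cookie value = opaque session id + HMAC-SHA256 tag computed under the server key."""
    tag = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def verify_session_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the session id if the tag is valid for it, otherwise None."""
    session_id, sep, tag = cookie.rpartition(".")
    if not sep or not session_id:
        return None  # malformed: not in "id.tag" shape
    expected = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so a forger cannot learn the tag
    # byte by byte from response timing
    if not hmac.compare_digest(expected, tag):
        return None
    return session_id


def new_session_id() -> str:
    """Unguessable identifier: 32 random bytes, URL-safe base64 encoded."""
    return secrets.token_urlsafe(32)


def account_for_cookie(cookie: str, store=SESSION_STORE):
    """Server-side lookup: the cookie only selects a row, it never carries the data."""
    session_id = verify_session_cookie(cookie)
    if session_id is None:
        return None
    return store.get(session_id, {}).get("account_number")


if __name__ == "__main__":
    good = make_session_cookie("s3ss10n-demo")
    forged = "other-user." + good.split(".")[1]   # valid tag copied onto a different id
    print("weak cookie exposes:", weak_cookie("0000-CONSTRUCTED-0000"))
    print("valid cookie  ->", account_for_cookie(good))
    print("forged cookie ->", account_for_cookie(forged))
```

The session id is the only thing the browser ever holds; the HMAC tag stops an attacker who can edit the cookie from swapping in someone else's id, and the random id stops guessing. In a real application the cookie would also be set with the Secure and HttpOnly attributes and the session row would expire.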
When a
The merchant back-end and database. A site's servers can weaken the
company's internal network. Servers need administrative connections to the
internal network, but web server software tends to have buggy security. Here,
the cost of failure is very high, with potential theft of customers' identities or
corporate data. Additionally, the back-end may connect with third-party
fulfillment centers and other processing agents. Arguably, the risk of stolen
product is the merchant's least important security concern, because most
merchants' traditional operations already have careful controls to track
payments and deliveries. However, these third parties can release valuable
data through their own vulnerabilities.
This is a simplified model of an e-commerce architecture; yet even in its simplicity,
there are a number of security problems.
connections do little to help solve any but network security problems. While other
problems might be ameliorated by encryption, there are still vulnerabilities in the
software clients and servers that must use the data.
Reasons for high security risks include the imperfection of e-commerce laws,
regulations, systems, technology and the internet.
issue for users, regardless of what the application may be, ranging from locking a
computer to conducting business via the internet [17]. The rapid development of
e-business and e-commerce applications has resulted in an increase in the amount
of illegal infiltration into information systems which were initially deemed safe [6].
Since e-commerce is completely reliant on IT, it could be stated that future
developments in e-commerce will depend solely on IT security and risk management.
Garg et al. state that "a percentage between 36 and 90 percent of organizations
confirmed security breaches in the past year alone" [6]. These statistics help increase
or maintain customers' negative perception of the e-market and explain why a lot of
people are fearful or insecure about buying or performing sensitive transactions online.
It seems as though the only solution to eliminate the problem and increase e-sales is to
provide fully secured networks that guarantee confidentiality and safety. It is, however,
not that simple.
are very expensive and in most cases not easily acquired. Web-based e-commerce
comprises hyperlinked web pages alongside applications and incompatible
technologies to bring about business transactions amongst different companies
spanning the globe [7]. Therefore, even if a business tries to deploy error-free security
software, success is not guaranteed, as there are many factors influencing the
flow and security of information in cyberspace. Moreover, in order for e-commerce
to develop customer trust, the change has to be made collectively, not just by a few
companies. In the case of small to medium businesses it is difficult and costly to
incorporate complete IT security [6]. Leaving aside the multifaceted technologies
required, e-commerce systems are founded and based on the World Wide Web, which
coincidentally has a history of exposure to a variety of security threats [7].
Phishing/identity theft
Sniffing
Insider attacks
Viruses: computer programs that have the ability to replicate and spread to other
files; most also deliver a payload of some sort (destructive or benign);
include macro viruses, file-infecting viruses, and script viruses
Trojan horse: appears to be benign, but then does something other than
expected
Unwanted Programs
Spyware: can be used to obtain information such as a user's keystrokes, email, IMs, etc.
Most popular type: e-mail scam letter, e.g., a rich former Nigerian oil minister
seeking a bank account in which to deposit millions of dollars, or fake account
verification emails from eBay or CitiBank asking the recipient to give up personal
account info, bank account number, and credit card number.
197,000 unique new phishing emails were sent within the first 6 months of 2007,
an 18% increase.
Cracker: Hacker with criminal intent (two terms often used interchangeably)
Fear that credit card information will be stolen deters online purchases
The overall rate of credit card fraud is lower than users think: 1.6-1.8% of all
online card transactions.
US federal law limits the liability of individuals to $50 for a stolen credit card.
Hackers target credit card files and other customer information files on
merchant servers and use the stolen data to establish credit under a false identity.
Spoofing (Pharming)
Threatens the integrity of a site by stealing business from the true site, or by altering
orders and sending them to the true site for processing and delivery.
Uses domain names similar to the legitimate one and redirects traffic to
spammer-redirection domains.
Hackers flood a Web site with useless traffic to inundate and overwhelm the
network.
No. of DoS attacks per day grew from 119 during last 6 months of 2004 to
927 during first 6 months of 2005, a 679% increase [11].
Denial of Service
Ping Flooding
SMURF Attack
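Flooding a site with useless requests, as described above, shows up in the server's own access log before anything else. The Python below is an added example (not from the paper or any product it cites): it builds a constructed log with two sources, one normal shopper and one address firing 60 requests in six seconds, and flags any address whose request count inside a sliding time window exceeds a per-source threshold. The addresses come from the reserved documentation range, the timestamps, window and threshold are assumptions of the example, and the detector stops at flagging, which is the point where a rate limiter or an upstream filter would take over.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log layout for this example: "<client ip> <ISO-8601 timestamp> <request>"
WINDOW_SECONDS = 10   # assumed sliding window length
THRESHOLD = 30        # assumed: more than this many requests per window per source


def build_sample_log():
    """Constructed access log: one normal shopper and one flooding source."""
    base = datetime(2007, 3, 1, 10, 0, 0)
    lines = []
    for i in range(60):   # flood: 60 requests in 6 seconds from one address
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"203.0.113.7 {ts.isoformat()} GET /")
    for i in range(5):    # normal shopper: 5 requests spread over 80 seconds
        ts = base + timedelta(seconds=20 * i)
        lines.append(f"198.51.100.20 {ts.isoformat()} GET /catalog")
    return lines


def parse_line(line: str):
    """Return (timestamp, client ip) for one log line in the constructed layout."""
    ip, stamp, _request = line.split(" ", 2)
    return datetime.fromisoformat(stamp), ip


def detect_floods(lines, window_seconds=WINDOW_SECONDS, threshold=THRESHOLD):
    """Map each flooding source to the time its request count first exceeded the threshold.

    A per-source deque holds only the timestamps inside the current window; older
    entries drop off the left as the window slides, so memory stays bounded per source.
    """
    events = sorted(parse_line(line) for line in lines)  # the log may be unordered
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip in events:
        window = recent[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in detect_floods(build_sample_log()).items():
        print(f"flood suspected from {ip} at {when.isoformat()}")
```

A single-source threshold like this catches the simple flood the text describes; a distributed flood spreads requests over many addresses, so the same window logic would then be applied to aggregate request rate per URL or per server rather than per client.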
Server software is constantly under test and attack by the user community.
Although there have been cases of insecurities, a system administrator keeping
up with the latest patches and vendor information can provide a high degree of
confidence in the security of the server itself.
Operating systems used for hosting E-Commerce servers are securable, but are
rarely shipped from the vendor in a default configuration that is secure.
E-Commerce servers must protect the database of customer information
accumulating on the server as well as provide security while the server is
handling a transaction. If it is easier for a thief to compromise the server to
obtain credit card numbers, why bother sniffing the network for individual credit
card numbers?
Session transport between the client and server uses network protocols that
may have little or no built-in security. In addition, networking protocols such as
TCP/IP were not designed to have confidentiality or authentication capabilities.
Technology Solutions
In the mass media, the most visible security technologies are the encryption
algorithms. For a general introduction to these technologies see [25]; a popularization
can be found in [26]. Two classic textbooks are [27] and [28], and encyclopedic
compendia include [29] and [30].
Encryption: Process of transforming plain text or data into cipher text that cannot be
read by anyone other than the sender and receiver
Purpose: Secure stored information and information transmission
Provides:
Message integrity
Nonrepudiation
Authentication
Confidentiality
Both the sender and receiver use the same digital key to encrypt and decrypt the
message.
Uses two mathematically related digital keys: a public key (widely disseminated)
and a private key (kept secret by the owner).
Once a key is used to encrypt a message, the same key cannot be used to decrypt
the message.
For example, the sender uses the recipient's public key to encrypt the message; the
recipient uses his/her private key to decrypt it.
Digital signatures
Models such as SET, CAF, DigiCash, First Virtual, and Millicent provide a secure
payment method. However, the transaction still depends on the privacy and
authentication of the data stream. Basic TCP/IP networking protocols do not include
encryption and strong authentication. Higher level protocols such as HTTP, FTP, and
Telnet do little to provide advanced security measures beyond user id and password
authentication. All information sent using these protocols is unencrypted, so the data
stream lacks confidentiality.
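The two key models described under the encryption section (one shared key for both directions versus a public/private pair, where the key that encrypts cannot decrypt) and the digital signatures heading above can be seen side by side in code. The Python below is an added example, not code from the paper: the symmetric half is a constructed keystream cipher built from HMAC-SHA256 in counter mode, and the asymmetric half is textbook RSA with the tiny constructed primes p=61 and q=53, sized so every step is visible. The same key pair is reused to show a signature: the owner applies the private key to the message digest and anyone holding the public key can check it, which is where non-repudiation comes from. Real deployments use a standard cipher and 2048-bit RSA (or an elliptic-curve scheme) with proper padding; the constructions and names here are assumptions of the example.

```python
import hashlib
import hmac

# ---- Symmetric model: sender and receiver share ONE secret key ----------------
# Constructed stream cipher: HMAC-SHA256 in counter mode generates a keystream that
# is XORed with the data. Illustrative only; use a standard cipher in practice.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return bytes(out[:length])


def sym_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR is its own inverse, so one key serves both directions."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


# ---- Asymmetric model: a public key and a mathematically related private key ----
# Textbook RSA with constructed toy primes p=61, q=53: n=3233, phi=3120, e=17, d=2753.
PUBLIC_KEY = (17, 3233)     # (e, n): widely disseminated
PRIVATE_KEY = (2753, 3233)  # (d, n): kept secret by the owner


def rsa_apply(values, key):
    """Raise each block to the key's exponent modulo n (used for all four operations)."""
    exponent, n = key
    return [pow(v, exponent, n) for v in values]


def rsa_encrypt(message: bytes, public_key=PUBLIC_KEY):
    # one byte per block: every byte value is below n, so it is a valid RSA block here
    return rsa_apply(message, public_key)


def rsa_decrypt(ciphertext, key=PRIVATE_KEY):
    # returns block values; bytes(...) recovers the message only with the right key
    return rsa_apply(ciphertext, key)


def rsa_sign(message: bytes, private_key=PRIVATE_KEY):
    """Signature = private-key operation over the SHA-256 digest of the message."""
    return rsa_apply(hashlib.sha256(message).digest(), private_key)


def rsa_verify(message: bytes, signature, public_key=PUBLIC_KEY) -> bool:
    """Public-key operation on the signature must reproduce the digest of the message."""
    return rsa_apply(signature, public_key) == list(hashlib.sha256(message).digest())


if __name__ == "__main__":
    order = b"PAY 100"                       # constructed sample message
    shared = b"constructed-shared-key"
    nonce = b"order-0001"
    sealed = sym_crypt(shared, nonce, order)
    print("symmetric round trip:", sym_crypt(shared, nonce, sealed) == order)

    cipher = rsa_encrypt(order)
    print("private key decrypts:", bytes(rsa_decrypt(cipher)) == order)
    print("public key decrypts :", rsa_decrypt(cipher, PUBLIC_KEY) == list(order))

    sig = rsa_sign(order)
    print("signature valid      :", rsa_verify(order, sig))
    print("tampered order valid :", rsa_verify(b"PAY 900", sig))
```

The symmetric half shows why the shared key must reach the receiver over some other secure path; the asymmetric half shows that publishing the encryption key costs nothing, since applying the public key a second time does not recover the message. Signing the digest rather than the message keeps the signature a fixed size and ties it to the exact bytes sent, so an altered order fails verification.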
The Internet's lack of security may leave you leery. What can you do if you just want
to give company insiders and a few select business partners and customers easy and
relatively secure remote access to company data via the Internet? You can set up a
virtual private network.
Virtual Private Networking technology provides the medium to use the public Internet
backbone as an appropriate channel for private data communication. With encryption
and encapsulation technology, a VPN essentially carves out a private passageway
through the Internet. VPNs allow remote offices, company road warriors, and even
business partners or customers to use the Internet, rather than pricey private lines, to
reach company networks, so companies can save a lot of money.
You can also use VPNs to link remote LANs together or to give traveling staffers,
work-at-home employees, and business partners a simple way to reach past company
firewalls and tap into company resources. Virtual private networks are flexible. They
are point-to-multipoint connections, rather than point-to-point links. They can be set
up or closed down at the network administrator's will, making them ideal for short-term
projects.
VPN has many advantages: It is much cheaper for connecting WANs than 800
numbers or dedicated T1 lines. It provides encryption and authentication services for
a fairly good measure of privacy. Maintenance of the WAN-to-WAN connection is left
to Internet Service Providers. It is highly flexible, and can be set up and taken down
very easily.
IPSec (Ipv6)
IPSec is a framework of open standards developed by the Internet Engineering Task
Force (IETF). IPSec provides security for transmission of sensitive information over
unprotected networks such as the Internet. IPSec acts at the network layer, protecting
and authenticating IP packets between participating IPSec devices ("peers"), such as
Cisco routers.
Conclusion
In summary, the e-commerce industry faces a challenging future in terms of the
security risks it must avert. With increasing technical knowledge, and its widespread
availability on the internet, criminals are becoming more and more sophisticated
in the deceptions and attacks they can perform. Novel attack strategies and
vulnerabilities only really become known once a perpetrator has uncovered and
exploited them.
Both privacy and security are still ongoing research problems.
Privacy is now
References
[1] http://www.msen.com/~chad/ecomm_sec.html
[2]
[3]
[4] Bruce Chien-Ta Ho and Kok-Boon Oh, An empirical study of the use of e-security seals in e-commerce. E-security seals in e-commerce, 2008.
[5]
[6] Atul Gupta and Rex Hammond, Information systems security issues and decisions for small businesses. IS security issues and decisions, 2003.
[7]
[8]
[9]
[10]
[11]
[12] Xin Tian, Wei Dai, Study on information management and security of e-commerce system. LEE, 2101. (9/10)
[13]
[14]
[15]
[16]
[17]
[18] Graves, P., and M. Curtin. 2000. Bank One Online Puts Customer Account Information At Risk. http://www.interhack.net/pubs/bankone-online.
[19]
[20]
[21] Neyses, J. 2002. Higher Education Security Alert From the U.S. Secret Service: List of Keystroke Logging Programs. http://www.unh.edu/tcs/reports/sshesa.html.
[22]
[23]
[24] Garfinkel, Simson, Alan Schwartz, and Gene Spafford. 2003. Practical Unix & Internet Security. Cambridge, MA: O'Reilly.
[25]
[26] Levy, Steven. 2001. Crypto: How the Code Rebels Beat the Government-Saving Privacy in the Digital Age. New York: Viking.
[27]
[28]
[29] Schneier, B. 1996. Applied Cryptography. New York: John Wiley & Sons.
[30] Menezes, Alfred J., Paul C. van Oorschot, and Scott A. Vanstone. 1996. Handbook of Applied Cryptography. New York: CRC Press.