
Lecture E-Commerce - Chapter 9: E-commerce security environment


In this chapter, the learning objectives are: Understand the scope of e-commerce crime and security problems, describe the key dimensions of e-commerce security, understand the tension between security and other values, identify the key security threats in the e-commerce environment.

Page 1

CSC 330 E-Commerce

Teacher

Ahmed Mumtaz Mustehsan

GM-IT CIIT Islamabad

Virtual Campus, CIIT

COMSATS Institute of Information Technology

T1-Lecture-9

Page 3

Understand the scope of e-commerce crime and security problems

Describe the key dimensions of e-commerce security

Understand the tension between security and other values

Identify the key security threats in the e-commerce environment

Page 4

Online Robbery - Introduction

Compared with robbing a bank in person, internet banking can be robbed remotely and more safely

Stealing a music/video CD from a shop is harder than downloading from illegal websites

If you take the internet as a global marketplace: many fake websites exist online to trap users with attractive content and extraordinary deals and offers, getting remote users to provide their credit card information, etc.

One cannot easily break into a physical home and breach its privacy, but if the password of a social networking account is hacked then privacy is compromised

Page 5

Cyber Attack - Introduction

Denial of Service Attack (DoS):

When one computer floods a targeted computer with a high number of data packets, choking its resources (communication path, processor, etc.)

Distributed Denial of Service Attack (DDoS):

When many computers attack a single website or online system from many locations at the same time, overwhelming the system, creating congestion and many other impairments, and making the system or website unavailable to legitimate users

Page 6

Cyber Attack - Introduction

Botnet:

Artificially intelligent or robot computers can work together. A group of such computers (even millions of them), capable of being managed remotely by a single person, attacks some online system or website

Example:

In 2007, 1 million computers were used in an organized attack on important servers of the government of Estonia

Page 7

http://www.cs3-inc.com/pk_whatisddos.html

Page 8

CYBER Warfare Reference for study

Russia – Estonia Cyber war

Page 9

Your PC may be part of a botnet

Botnets are responsible for over 80% of the spam sent to computer users

Some computer users download those spam files because they lack knowledge

Some computers become infected because antivirus software is unavailable

Some computers are compromised through the use of pirated software

10% of the world’s billion-plus computers on the internet are capable of being captured by stealth malware programs, which are installed by clicking malicious links and downloading hidden files

Page 10

The E-commerce Security Environment

Overall size and losses of cybercrime unclear

Reporting issues

2008 CSI survey:

49% of respondent firms detected a security breach in the last year

Of those that shared numbers, average loss $288,000

Underground economy marketplace

Stolen information stored on underground economy servers

Credit cards, bank information, personal identity, etc. are sold on these servers

Page 11

Rates of different stolen objects at the underground e-market

Page 12

Types of Attacks Against Computer Systems

Page 13

What Is Good E-commerce Security?

To achieve highest degree of security

Use of New technologies

Organizational policies and procedures

Industry standards and government laws

Other factors to look into:

Time value of Information

Cost of security vs potential loss

Security often breaks at weakest link

Page 14

The E-commerce Security Environment

Page 15

Ideal E-Commerce Environment

Capable of making secure commercial transaction

Achieving highest degree of security

Adopting new technologies

Giving awareness to users about online safety

Defining and understanding industrial standards

Implementing government laws

Prosecuting the violators of laws

Page 16

Dimensions of E-commerce Security

Page 17

Typical Transaction Facilitated by Technologies

Page 18

The Tension Between Security and Other Values

Security vs ease of use

◦ The more security measures added, the more difficult a site is to use, and the slower it becomes

Security vs desire of individuals to act anonymously

◦ Use of technology by criminals to plan crimes or threaten nation-state

Page 19

Security Threats in the E-commerce

Page 20

A Typical E-commerce Transaction

Page 21

Vulnerable Points in an E-commerce Environment

SOURCE: Boncella, 2000.

Page 22

Most Common Security Threats

Malicious code

Viruses

◦ A virus is a computer program that has the ability to replicate or make copies of itself, and spread to other files

Page 23

Most Common Security Threats in the

Page 25

◦ Monitors everything that you do and sends out reports to

▪ If you have ever loaded ICQ on your PC you have Spyware

▪ If you have ever loaded KAZAA on your PC you have Spyware

▪ If you have ever loaded Quicken or TurboTax you have Spyware

Page 26

Most Common Security Threats

◦ Use information to commit fraudulent acts (access checking accounts), steal identity

Hacking and cyber-vandalism

unauthorized access to a computer system

Page 27

Most Common Security Threats

community to denote a hacker with criminal intent

destroying Web site

Grey hats are hackers who believe they are pursuing some greater good by breaking in and revealing system flaws

Page 28

Most Common Security Threats

Credit card fraud/theft

▪ Fear of stolen credit card information deters online purchases

▪ Hackers target merchant servers; use data to establish credit under false identity

▪ Online companies at higher risk than offline

▪ Misrepresenting self by using fake e-mail address or other form of identification

Spoofing a Web site, also called pharming:

▪ Redirecting a Web link to a new, fake Web site

▪ Spam/junk Web sites

▪ Splogs

Page 29

Snoop and Sniff

Page 30

Most Common Security Threats

Denial of service (DoS) attack

Hackers flood site with useless traffic to overwhelm network

Distributed denial of service (DDoS) attack

Hackers use multiple computers to attack target network

Sniffing

Eavesdropping program that monitors information traveling over a network

Insider jobs

Single largest financial threat

Poorly designed server and client software

Page 31

The Virus: Computer Enemy Number One

The most serious attack on a client computer or a server in an Internet environment is the virus

A virus is malicious code that replicates itself and can be used to disrupt the information infrastructure

Viruses commonly compromise system integrity, circumvent security capabilities, and cause adverse operation by taking advantage of the information system of the network

Page 32

▪ Macro virus exploits the macro commands in software applications such as Microsoft Word

Page 33

Levels of Virus Damage

Page 34

Steps for Antivirus Strategy

Establish a set of simple enforceable rules for others to follow

Educate and train users on how to check for viruses on a disk

Inform users of the existing and potential threats to the company’s systems and the sensitivity of information they contain

Periodically update the latest antivirus software

Page 35

Getting Rid of Viruses

Get a good Virus Protection Software

Free (not Recommended)

Page 36

Do not give users administrator privileges

Configure an e-mail gateway to block all executable mail attachments

Ensure desktop antivirus software signatures are up to date - http://www.grisoft.com

Page 37

End of: T1-Lecture-9

E Commerce Security Environment

Chapter-04

Part-I Thank You

Date posted: 18/01/2020, 17:09
