CHAPTER 1: INTRODUCTION
E-commerce is buying and selling goods and services over the Internet. E-commerce is part of e-business, which is a broader structure that includes not only the transactions that center on buying and selling goods and services to generate revenue, but also the transactions that support revenue generation. These activities include generating demand for goods and services, offering sales support and customer service, and facilitating communications between business partners. One of the critical success factors of e-commerce is its security. Without the assurance of security, e-commerce may not work normally. Security is also a complex issue, because e-commerce security involves the confidence between sellers and buyers, credit card data and extremely sensitive personal information. The security of e-commerce therefore depends on a complex interrelationship among application platforms, database management systems, software, the network infrastructure and so on. Any single weakness can jeopardize e-commerce security.
1.1 Objectives
• To give an overview of e-commerce security.
• To describe the steps of placing an order when shopping online.
• To explain why security is needed in e-commerce.
1.2 Justification of the Study
The main justification for this research is the criminal incentive behind attacks on e-commerce. The paper also identifies the attacks that damage e-commerce sites today and how to secure e-commerce sites against them, and finds out the points that an attacker can target.
1.3 Scope of the Study
This is a technology-based era and e-commerce is growing. As a result, this study has a very wide scope. Some of that scope is given below:
• We can examine the different security issues in e-commerce.
• We can follow the secure online shopping guidelines.
• We can find out the points an attacker can target.
CHAPTER 2: LITERATURE REVIEW
Previously there have been few reports on “ANALYSIS THE ATTACK AND E-COMMERCE SECURITY”, but some scattered articles, web pages and blogs carry a few short notes on different topics related to it.
According to MA. Fedrick Hanson
A secure system accomplishes its task with no unintended side effects. Using the analogy of a
house to represent the system, you decide to carve out a piece of your front door to give your
pets easy access to the outdoors. However, the hole is too large, giving access to burglars. You
have created an unintended implication and therefore, an insecure system. In the software
industry, security has two different perspectives. In the software development community, it
describes the security features of a system. Common security features are ensuring passwords
that are at least six characters long and encryption of sensitive data. For software consumers,
it is protection against attacks rather than specific features of the system. Your house may have
the latest alarm system and windows with bars, but if you leave your doors unlocked, despite
the number of security features your system has, it is still insecure. Hence, security is not a
number of features, but a system process. The weakest link in the chain determines the security
of the system. In this article, we focus on possible attack scenarios in an e-Commerce system
and provide preventive strategies, including security features, that you can implement. Security
has three main concepts: confidentiality, integrity, and availability. Confidentiality allows only
authorized parties to read protected information. For example, if the postman reads your mail,
this is a breach of your privacy. Integrity ensures data remains as is from the sender to the
receiver. If someone added an extra bill to the envelope, which contained your credit card bill,
he has violated the integrity of the mail. Availability ensures you have access and are authorized
to resources. If the post office destroys your mail or the postman takes one year to deliver your
mail, he has impacted the availability of your mail.
CHAPTER 3: METHODOLOGY
Planning: To start working on this term paper, we first made a plan for how we would work on it.
Data collection: After planning we started work on this term paper and began collecting data. There is no primary data; we collected data only from secondary sources. We used the internet to gather information on the topic. As this is research on “ANALYSIS THE ATTACK AND E-COMMERCE SECURITY”, we took references from various websites. All the information in this term paper is from secondary sources, such as various links, web pages and some books.
Data analysis: After collecting the data we analyzed it, eliminating and processing the data for analysis.
Drawing a conclusion: After analyzing the data we tried to draw a proper conclusion for this term paper based on that analysis.
Providing recommendations and showing future work: We then provide some recommendations for applying e-commerce security and show the future of “ANALYSIS THE ATTACK AND E-COMMERCE SECURITY” in a changing world, based on our data analysis.
[Figure: methodology flow: Planning → Data collection from various external sources → Elimination and selection → Analysis → Selected data and their representation → Providing recommendations]
CHAPTER 4: PROJECT DESCRIPTION
4.1 E-commerce Security
E-commerce security is a part of the information security framework and is specifically applied to the components that affect e-commerce, which include computer security, data security and the other, wider realms of the information security framework. E-commerce security has its own particular nuances and is one of the most visible security components, because it affects the end user through their daily payment interactions with businesses. Today, privacy and security are a major concern for electronic technologies. M-commerce shares security concerns with other technologies in the field. Privacy concerns have been found in a variety of contexts, including commerce, electronic health records, e-recruitment technology and social networking, revealing a lack of trust that has directly influenced users.
Security is one of the principal and continuing concerns that restrict customers and organizations from engaging with e-commerce. Web e-commerce applications that handle payments (online banking, electronic transactions, or payments using debit cards, credit cards, PayPal or other tokens) have more compliance issues, are at greater risk of being targeted than other websites, and face greater consequences if data is lost or altered. Shopping websites follow certain steps so that a product can be bought safely and securely. The e-commerce industry is slowly addressing security issues on its internal networks. Guidelines for securing systems and networks are available for e-commerce systems personnel to read and implement. Educating the consumer on security issues is still in its infancy but will prove to be the most critical element of the e-commerce security architecture. Trojan horse programs launched against client systems pose the greatest threat to e-commerce because they can bypass or subvert most of the authentication and authorization mechanisms used in an e-commerce transaction. These programs can be installed on a remote computer by the simplest of means: email attachments. Privacy has become a major concern for consumers with the rise of identity theft and impersonation, and any concern for consumers must be treated as a major concern for e-commerce providers.
4.2 E-commerce Security Tools
• Public key infrastructure
• Encryption software
• Digital certificates
• Digital signatures
• Passwords
• Locks and bars – network operations center
4.3 Related Works
Security is one of the principal and continuing concerns that restrict customers and organizations from engaging with e-commerce. The aim of this paper is to explore the perception of security in e-commerce B2C and C2C websites from both the customer and the organizational perspective.
1. With the rapid development of e-commerce, security issues are attracting people's attention. The security of the transaction is the core and key issue in the development of e-commerce. This paper puts forward solution strategies for the security issues of e-commerce activities from two aspects, technology and system, so as to improve the environment for the development of e-commerce and promote its further development.
2. E-commerce website owners, on one side, are thinking of how to attract more customers and how to make visitors feel secure when working on the site; on the other side, end users need to know how to rate an e-commerce website and what they should do to protect themselves as members of the online community. Our objective in writing this research analysis is to give readers clarity about the technology that helps all of us to perform secure transactions, along with safety tips, and about how e-commerce site owners can make their online visitors comfortable and willing to trust an e-commerce site through trust marks and their security strategies.
3. Due to the increase in warnings by the media from security and privacy breaches like
identity theft and financial fraud, and the elevated awareness of online customers about
the threats of performing transactions online, e-commerce has not been able to achieve
its full potential. Many customers refuse to perform online transactions and relate that
to the lack of trust or fear for their personal information.
4. The traditional authentication mechanism is based on identity to provide security or access control; in addition, traditional encryption and authentication algorithms require high computing power from the computer equipment. Therefore, how to improve the authentication mechanism and optimize the traditional encryption and authentication algorithms may be the focus of P2P e-commerce.
5. Information security, therefore, is an essential management and technical requirement for any efficient and effective payment transaction activity over the internet. Still, its definition is a complex endeavor due to constant technological and business change, and it requires a coordinated match of algorithms and technical solutions.
4.4 Digital E-commerce Cycle
Security is very important in online shopping sites. Nowadays a huge amount is being purchased on the internet, because it is easier and more convenient. Almost anything can be bought, such as music, toys, clothing, cars, food and even porn. Even though some of these purchases are illegal, we will be focusing on the items you can buy legally on the internet. Some of the popular websites are eBay, iTunes, Amazon, HMV, Mercantila, Dell, Best Buy and many more.
4.4.1 Security Issues of E-commerce
The rapid development of the Internet has promoted an explosion of electronic commerce. At the same time, however, internet business has brought large security issues, and with the development of electronic commerce these issues have attracted more and more attention.
4.4.2 Mutual Trust in Business
In traditional commerce, participants can meet face to face, so there is little distrust. Electronic commerce is different: the location of the business and the goods is unknown, and, more importantly, there is no personal contact between the seller and the buyer. In addition, electronic commerce lacks a clear legal framework. Therefore, how to enhance mutual trust is an important issue.
4.4.3 Intellectual Property
Intellectual property threats are a larger problem than they were prior to the widespread use of the internet. It is relatively easy to use existing material found on the internet without the owner's permission. Actual monetary damage resulting from a copyright violation is more difficult to measure than damage from secrecy, integrity or necessity computer security violations.
4.5 A Model for Threat Classification & Control Measures of E-commerce
This part provides a model for analyzing the threat classification and control measures of e-commerce. First, we consider threats from two points of view: threat agents and threat techniques. Then we analyze the security control measures.
Threat agents fall into three groups: environmental factors, authorized users and unauthorized users.
4.5.1 Environmental Factors
Environmental factors are a matter of common sense: some areas are more prone to certain environmental influences and natural disasters than others. Fire, for example, is not geographically dependent, whereas tornadoes and floods can be predicted for specific areas.
In addition to natural disasters, the danger of mechanical and electrical equipment failure deserves more attention.
4.5.2 Authorized Users
There are potential threats when authorized users and personnel are engaged in supporting operations, especially when they exceed their privileges and authorities; this may affect the ability of the system to perform its mission. Personnel should be considered potential threats when they have access to a system or occupy positions of special trust, because they have the capability and opportunity to abuse their access authorities, privileges or trust, which may endanger the system.
4.5.3 Unauthorized Users
An unauthorized user can be anyone who is not engaged in the system. Such a user may attempt to interrupt the operation of the system overtly or covertly, may sabotage hardware and associated equipment, or may accomplish the same through the manipulation of software.
4.5.4 Security Control Measures
The ISO 7498-2 standard lists a number of detailed security control measures, including authentication, access control, data confidentiality, data integrity and non-repudiation. Computer security experts widely accept this classification, and these are also the control measures recommended by the authors. The threat agents, threat techniques and security measures are shown in Fig. 1, which we can use to classify threats and the security measures that confront them in e-commerce. For example, access control is one of the security measures; it faces the threats that may be caused by an unauthorized user through hardware. In total there are many combinations of agents, threat techniques and security measures, but not all of these combinations apply. We use this three-dimensional view for better security risk management.
4.6 Security Threats
Three types of security threats
1. Denial of service,
2. Unauthorized access, and
3. Theft and fraud
4.6.1 Denial of Service (DoS)
• Two primary types of DoS attacks: spamming and viruses.
• Spamming: sending unsolicited commercial emails to individuals.
• E-mail bombing: caused by a hacker targeting one computer or network and sending thousands of email messages to it.
• Surfing: hackers place software agents onto a third-party system and set it off to send requests to an intended target. DDoS (distributed denial of service attacks): hackers place software agents onto a number of third-party systems and set them off to simultaneously send requests to an intended target.
• Viruses: self-replicating computer programs designed to perform unwanted events.
4.6.2 A Conceptual Risk Management Framework for E-Commerce
To contain the complexity and maintain focus and relevance, this paper is restricted to issues related to the security of the database and information system of e-commerce, and we put forward a conceptual risk management framework for e-commerce. Following the five stages below, we can first identify the vulnerabilities of a company, then evaluate the existing security measures, and finally select the most appropriate and cost-effective countermeasures.
• Analyze value
• Analyze vulnerability and risk
• Calculate losses caused by threats and benefits of countermeasures
• Select countermeasures
• Implement countermeasures
4.6.3 Analyze Value
The resource and application value analysis can be done in two phases. First, determine the sensitivity of the information. This finds the sensitivity level of each application and helps to find the most sensitive types of data, such as privacy, asset/resource and proprietary data; its detail and accuracy are therefore important. Second, estimate the asset value. The assets involve resources such as the physical facility, equipment and supplies, software and so on.
4.6.4 Analyze Vulnerability and Risk
This analysis can be divided into three parts. First, identify vulnerabilities. Companies must identify the weaknesses or flaws in the design, implementation or operation of the security controls of a facility or system. This can be done through analysis of the security measures or the related factors. Second, weight the vulnerabilities, considering the seriousness and potential degree of exploitability of each. Third, assess threat probabilities. The probabilities should be documented.
4.6.5 Calculate Losses Caused by Threats & Benefits of Countermeasures
Enterprises can calculate the losses caused by threats and the benefits of countermeasures by defining each countermeasure at given levels. The cost of a countermeasure at a given level involves its effectiveness, the expected damage caused by the threat and so on. It also includes the probability that the threat occurs, the assessed change in threat probabilities, and the expected benefit and loss of the countermeasure.
4.6.6 Select Countermeasures
This stage can be done in two phases: an enumerative search program and a mathematical method. The aim is to choose the countermeasures that minimize the total cost.
4.6.7 Implement Countermeasures
This stage includes three phases. First, set up a plan. This is mainly done by senior management, who need to give staff much more encouragement. Second, implement the countermeasures. This is the key link of the framework, in which the specific actions are completed. Third, test the countermeasures. The aim is to ascertain that the proposed countermeasures produce the desired effect and do not cause bad side effects.
4.7 Security Features
• AUTHENTICATION: Verifies that you are who you say you are. It enforces that you are the only one allowed to log on to your Internet banking account.
• AUTHORIZATION: Allows only you to manipulate your resources in specific ways. This prevents you from increasing the balance of your account or deleting a bill.
• ENCRYPTION: Deals with information hiding. It ensures you cannot spy on others during Internet banking transactions.
• AUDITING: Keeps a record of operations. Merchants use auditing to prove that you bought specific merchandise.
• INTEGRITY: Prevention against unauthorized data modification.
• NON-REPUDIATION: Prevention against any one party reneging on an agreement after the fact.
• AVAILABILITY: Prevention against data delays or removal.
• DDOS (DISTRIBUTED DENIAL OF SERVICE ATTACKS): Involves hackers placing software agents onto a number of third-party systems and setting them off to simultaneously send requests to an intended target.
• SNIFFERS: Software that illegally accesses data traversing the network.
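The INTEGRITY feature above is the one most easily shown in code. The following is an added example, not code from the term paper or its sources: it attaches an HMAC-SHA256 tag to an order record shared between a shop's web tier and its order-processing service, and shows that changing the order total in transit makes verification fail. The shared secret, the order fields and the function names are assumptions made up for the example.

```python
import hashlib
import hmac
import json

# Constructed shared secret between the shop's web tier and its order-processing
# service (hypothetical value; a real deployment loads it from a secrets store).
SHARED_SECRET = b"example-shared-secret-do-not-reuse"


def canonical(order: dict) -> bytes:
    """Serialize the order deterministically so sender and receiver hash identical bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_order(order: dict, key: bytes = SHARED_SECRET) -> str:
    """Return a hex HMAC-SHA256 tag that travels alongside the order."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def verify_order(order: dict, tag: str, key: bytes = SHARED_SECRET) -> bool:
    """Recompute the tag on the received order and compare in constant time."""
    expected = sign_order(order, key)
    return hmac.compare_digest(expected, tag)


def tamper_demo() -> tuple:
    """Sign a constructed order, then alter the total in transit and re-verify.

    Returns (accepted_when_intact, accepted_after_tampering), i.e. (True, False).
    """
    order = {"order_id": 1001, "customer": "alice", "total": 49.90, "currency": "USD"}
    tag = sign_order(order)
    intact_ok = verify_order(order, tag)
    tampered = dict(order, total=0.01)          # the amount is rewritten in transit
    tampered_ok = verify_order(tampered, tag)   # the tag no longer matches
    return intact_ok, tampered_ok


if __name__ == "__main__":
    print(tamper_demo())
```

An HMAC gives integrity and origin authentication only between the two parties that hold the key; because either of them could have produced the tag, it does not give the NON-REPUDIATION feature in the same list. That needs the digital signatures named in 4.2, where only the signer holds the private key.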
4.8 The criminal incentive
Attacks against e-Commerce Web sites are so alarming, they follow right after violent crimes
in the news. Practically every month, there is an announcement of an attack on a major Web
site where sensitive information is obtained. Is e-Commerce software more insecure compared
to other software? Did the number of criminals in the world increase? The developers
producing e-Commerce software are pulled from the same pool of developers as those who
work on other software. In fact, this relatively new field is an attraction for top talent. Therefore,
the quality of software being produced is relatively the same compared to other products. The
criminal population did not undergo a sudden explosion, but the incentives of an e-Commerce
exploit are a bargain compared to other illegal opportunities.
4.9 Points the attacker can target
As mentioned, the vulnerability of a system exists at the entry and exit points within the system. Figure 3 shows an e-Commerce system with several points that the attacker can target:
• Shopper
• Shopper's computer
• Network connection between shopper and Web site's server
• Web site's server
• Software vendor
4.9.1 Attacks
This section describes potential security attack methods from an attacker or hacker.
Tricking the shopper. Some of the easiest and most profitable attacks are based on the shopper, and are also known as social engineering techniques. These attacks involve surveillance of the shopper's behavior, gathering information to use against the shopper. For example, a mother's maiden name is a common challenge question used by numerous sites. If one of these sites is tricked into giving away a password once the challenge question is answered, then not only has this site been compromised, but it is also likely that the shopper used the same ID and password on other sites. A common scenario is that the attacker calls the shopper, pretending to be a representative from a site visited, and extracts information. The attacker then calls a customer service representative at the site, posing as the shopper and providing personal information. The attacker then asks for the password to be reset to a specific value.
Another common form of social engineering attack is the phishing scheme. Typo pirates play on the names of famous sites to collect authentication and registration information. For example, http://www.ibm.com/shop is registered by the attacker as www.ibn.com/shop. A shopper mistypes, enters the illegitimate site and provides confidential information. Alternatively, the attacker sends emails spoofed to look like they came from legitimate sites. The link inside the email maps to a rogue site that collects the information.
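A defender can catch the www.ibn.com style of typo-pirate domain by measuring how close a link's host is to the shop's own hostnames. The block below is an added example written for this page, not code from the term paper or any product: it computes the Levenshtein edit distance between the host of a URL and a small allow-list of legitimate hosts and flags hosts within two edits as look-alikes. The allow-list, the distance threshold and the function names are assumptions chosen for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list of the shop's own hostnames (hypothetical).
LEGITIMATE_HOSTS = ["www.ibm.com", "ibm.com"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic row-by-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Extract the lower-cased hostname; tolerate links written without a scheme."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def classify_link(url: str, legit=LEGITIMATE_HOSTS, max_distance: int = 2) -> str:
    """'legitimate' if the host is on the allow-list, 'lookalike' if it is within
    max_distance edits of an allow-listed host, otherwise 'unrelated'."""
    host = host_of(url)
    if host in legit:
        return "legitimate"
    if any(edit_distance(host, h) <= max_distance for h in legit):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for link in ("http://www.ibm.com/shop", "www.ibn.com/shop", "https://example.org/"):
        print(link, "->", classify_link(link))
```

A check like this belongs in an outbound-link scanner or a mail gateway, where it can flag mail whose links point at look-alike hosts before a shopper clicks them; it says nothing about unrelated domains used in spoofed mail, which still need sender authentication.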
4.9.2 Snooping the shopper's computer
Millions of computers are added to the Internet every month. Most users' knowledge of security
vulnerabilities of their systems is vague at best. Additionally, software and hardware vendors,
in their quest to ensure that their products are easy to install, will ship products with security
features disabled. In most cases, enabling security features requires a non-technical user to read
manuals written for the technologist. The confused user does not attempt to enable the security
features. This creates a treasure trove for attackers.
A popular technique for gaining entry into the shopper's system is to use a tool, such as
SATAN, to perform port scans on a computer that detect entry points into the machine. Based
on the opened ports found, the attacker can use various techniques to gain entry into the user's
system. Upon entry, they scan your file system for personal information, such as passwords.
While software and hardware security solutions available protect the public's systems, they are
not silver bullets. A user that purchases firewall software to protect his computer may find there
are conflicts with other software on his system. To resolve the conflict, the user disables enough
capabilities to render the firewall software useless.
4.9.3 Sniffing the network
In this scheme, the attacker monitors the data between the shopper's computer and the server.
He collects data about the shopper or steals personal information, such as credit card numbers.
There are points in the network where this attack is more practical than others. If the attacker
sits in the middle of the network, then within the scope of the Internet, this attack becomes
impractical. A request from the client to the server computer is broken up into small pieces known as packets as it leaves the client's computer and is reconstructed at the server. The packets of a request are sent through different routes. The attacker cannot access all the packets of a request and so cannot decipher what message was sent.
Take the example of a shopper in Khulna purchasing goods from a store in Dhaka. Some
packets for a request are routed through Rajshahi, where others are routed through Chittagong.
A more practical location for this attack is near the shopper's computer or the server. Wireless
hubs make attacks on the shopper's computer network the better choice because most wireless
hubs are shipped with security features disabled. This allows an attacker to easily scan
unencrypted traffic from the user's computer.
4.9.4 Site development best practices
This section describes best practices you can implement to help secure your site.
Security policies and standards
There are many established policies and standards for avoiding security issues. However, they are not required by law. Some basic rules include:
• Never store a user's password in plain text or encrypted text on the system. Instead, use a one-way hashing algorithm to prevent password extraction.
• Employ external security consultants (ethical hackers) to analyze your system.
• Standards, such as the Federal Information Processing Standard (FIPS), describe guidelines for implementing features. For example, FIPS makes recommendations on password policies.
• Ensure that a sufficiently robust encryption algorithm, such as triple DES or AES, is used to encrypt all confidential information stored on the system.
• When developing third-party software for e-Commerce applications, use external auditors to verify that appropriate processes and techniques are being followed.
• Recently, there has been an effort to consolidate these best practices as the Common Criteria for IT Security Evaluation (CC). CC seems to be gaining traction. It is directly applicable to the development of specific e-Commerce sites and to the development of third-party software used as infrastructure for e-Commerce sites.
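The first rule above, one-way hashing instead of storing passwords, is shown below in an added example that is not part of the term paper or its sources. It places the weak form (an unsalted SHA-256, where two users with the same password get the same hash) beside a salted, deliberately slow PBKDF2-HMAC-SHA256 record that stores its own parameters, and verifies candidates in constant time. The iteration count, the record format and the function names are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # constructed default; raise it as hardware gets faster


def naive_hash(password: str) -> str:
    """The weak form: unsalted SHA-256. Every user with this password gets the same
    hash, so one cracked hash or a precomputed table exposes all of them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow, one-way: PBKDF2-HMAC-SHA256 with a random 16-byte salt.
    The record carries algorithm, iteration count, salt and digest so the
    parameters can be upgraded later without knowing the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False   # malformed record: wrong field count, bad hex or bad integer
    return hmac.compare_digest(candidate, expected)


def salting_matters(password: str = "winter2017", iterations: int = 10_000) -> tuple:
    """Two users choose the same password. Returns
    (naive_hashes_equal, salted_hashes_equal), i.e. (True, False)."""
    naive_equal = naive_hash(password) == naive_hash(password)
    salted_equal = hash_password(password, iterations) == hash_password(password, iterations)
    return naive_equal, salted_equal


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record),
          verify_password("wrong", record), salting_matters())
```

The slow derivation is the point: an attacker who steals the table must pay the same cost per guess that the site pays per login, and the per-user salt stops one computation from being reused across accounts.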
4.9.5 Guessing passwords
Another common attack is to guess a user's password. This style of attack is manual or automated. Manual attacks are laborious, and only successful if the attacker knows something about the shopper, for example if the shopper uses their child's name as the password. Automated attacks have a higher likelihood of success because the probability of guessing a user ID/password becomes more significant as the number of tries increases. Tools exist that use all the words in the dictionary to test user ID/password combinations, or that attack popular user ID/password combinations. The attacker can automate the attack to go against multiple sites at one time.
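Automated guessing leaves a signature in the site's authentication log, and the detection below is an added example for this page, not code from the term paper or any product. It parses a constructed log sample, then flags two shapes of the attack: many failures against one account (dictionary guessing) and one source trying a few wrong passwords across many accounts (the popular-combination attack spread over users). The log format, the thresholds and the sample lines are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample of web-tier authentication log lines (not real data).
SAMPLE_LOG = """\
2017-10-15T10:00:01 LOGIN_FAIL user=alice ip=203.0.113.7
2017-10-15T10:00:03 LOGIN_FAIL user=alice ip=203.0.113.7
2017-10-15T10:00:05 LOGIN_FAIL user=alice ip=203.0.113.7
2017-10-15T10:00:07 LOGIN_FAIL user=alice ip=203.0.113.7
2017-10-15T10:00:09 LOGIN_FAIL user=alice ip=203.0.113.7
2017-10-15T10:00:11 LOGIN_FAIL user=alice ip=203.0.113.7
2017-10-15T10:01:00 LOGIN_FAIL user=bob ip=198.51.100.9
2017-10-15T10:01:01 LOGIN_FAIL user=carol ip=198.51.100.9
2017-10-15T10:01:02 LOGIN_FAIL user=dave ip=198.51.100.9
2017-10-15T10:02:00 LOGIN_OK user=erin ip=192.0.2.5
"""

# Assumed line layout: "<timestamp> <LOGIN_OK|LOGIN_FAIL> user=<name> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_log(text: str) -> list:
    """Return one dict per well-formed line; silently skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_guessing(events: list, per_account_threshold: int = 5,
                    spray_threshold: int = 3) -> dict:
    """Flag accounts with many failures (dictionary guessing) and source addresses
    that failed against many distinct accounts (spraying popular passwords)."""
    fails_per_account = defaultdict(int)
    accounts_per_ip = defaultdict(set)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            fails_per_account[e["user"]] += 1
            accounts_per_ip[e["ip"]].add(e["user"])
    brute_forced = sorted(u for u, n in fails_per_account.items() if n >= per_account_threshold)
    spraying = sorted(ip for ip, users in accounts_per_ip.items() if len(users) >= spray_threshold)
    return {"brute_forced_accounts": brute_forced, "spraying_ips": spraying}


def run_detection() -> dict:
    """Run the detector over the constructed sample."""
    return detect_guessing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    print(run_detection())   # {'brute_forced_accounts': ['alice'], 'spraying_ips': ['198.51.100.9']}
```

The two counters answer different questions, which is why per-account lockout alone is not enough: the source at 198.51.100.9 never trips the per-account threshold, and only the per-source view of distinct accounts exposes it. In production the counts would be kept over a sliding time window rather than the whole file.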
4.9.6 Using denial of service attacks
The denial of service attack is one of the best examples of impacting site availability. It involves getting the server to perform a large number of mundane tasks, exceeding the capacity of the server to cope with any other task. For example, if everyone in a large meeting asks you your name all at once, and every time you answer they ask you again, you have experienced a personal denial of service attack. To ask a computer its name, you use ping. Ping can be used to build an effective DoS attack. The smart hacker gets the server to use more computational resources in processing the request than the adversary does in generating the request.
Distributed DoS is a type of attack used on popular sites, such as Yahoo!. In this type of attack, the hacker infects computers on the Internet via a virus or other means. The infected computers become slaves to the hacker, who controls them at a predetermined time to bombard the target server with useless but resource-intensive requests. This attack affects not only the target site but also the entire Internet, as the large number of packets is routed via many different paths to the target.
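The defender's counterpart to "more work for the server than for the attacker" is to reject excess requests before they reach the expensive part of the pipeline. The token-bucket limiter below is an added example for this page, not code from the term paper or any product: each client may burst a few requests and then proceeds at a steady refill rate, and a constructed timeline shows a flooding source being throttled while a normal shopper's requests all pass. The capacity, refill rate and sample traffic are assumptions made up for the example.

```python
from collections import defaultdict


class TokenBucket:
    """Each client may burst up to `capacity` requests, then proceed at `refill_per_second`."""

    def __init__(self, capacity: int, refill_per_second: float):
        self.capacity = capacity
        self.refill = refill_per_second
        self.tokens = float(capacity)
        self.last = None   # timestamp of the previous request from this client

    def allow(self, now: float) -> bool:
        elapsed = 0.0 if self.last is None else now - self.last
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False   # rejected cheaply, before any real work is done


def simulate(requests, capacity: int = 5, refill_per_second: float = 1.0) -> dict:
    """requests: iterable of (timestamp_seconds, client_ip).
    Returns {client_ip: (allowed_count, rejected_count)}."""
    buckets = {}
    counts = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(requests):
        bucket = buckets.setdefault(ip, TokenBucket(capacity, refill_per_second))
        counts[ip][0 if bucket.allow(ts) else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


# Constructed traffic sample: one source fires 20 requests in under a second,
# while a normal shopper sends 3 requests spread over the same second.
SAMPLE_REQUESTS = [(i * 0.05, "203.0.113.7") for i in range(20)] + [
    (0.1, "192.0.2.5"), (0.5, "192.0.2.5"), (0.9, "192.0.2.5")]


def run_demo() -> dict:
    """Flood source: 5 allowed (the burst) then 15 rejected; shopper: 3 allowed."""
    return simulate(SAMPLE_REQUESTS)


if __name__ == "__main__":
    print(run_demo())   # {'203.0.113.7': (5, 15), '192.0.2.5': (3, 0)}
```

Per-client limiting of this kind blunts a single noisy source; against the distributed form described above, where each slave stays under the per-client limit, the same idea has to be applied at the edge with aggregate limits and upstream filtering, since the target's own link is already saturated.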
4.9.7 Using known server bugs
The attacker analyzes the site to find what types of software are used on it. He then proceeds to find what patches were issued for the software. Additionally, he searches for how to exploit a system without the patch, and proceeds to try each of the exploits. The sophisticated attacker finds a weakness in a similar type of software and tries to use that to exploit the system. This is a simple but effective attack. With millions of servers online, what is the probability that a system administrator forgot to apply a patch?
4.9.8 Using server root exploits
Root exploits refer to techniques that gain access to the server. This is the most coveted type of exploit because the possibilities are limitless. When you attack a shopper or his computer, you can only affect one individual. With a root exploit, you gain control of the merchant's and all the shoppers' information on the site. There are two main types of root exploits: buffer overflow attacks and executing scripts against a server.
In a buffer overflow attack, the hacker takes advantage of a type of computer program bug that involves the allocation of storage during program execution. The technique involves tricking the server into executing code written by the attacker.
The other technique uses knowledge of scripts that are executed by the server. This is easily and freely found in the programming guides for the server. The attacker tries to construct scripts in the URL of his browser to retrieve information from the server. This technique is frequently used when the attacker is trying to retrieve data from the server's database.
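The "scripts in the URL to retrieve data from the server's database" technique is, in a web shop, most often SQL injection through a request parameter. The block below is an added example written for this page, not code from the term paper or its sources: a product search built by string concatenation sits beside the same search using a parameterized query, run against an in-memory SQLite table so the difference can be observed offline. The table, rows, search term and function names are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed catalogue: two public products and one that must not be listed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL, public INTEGER)")
    conn.executemany("INSERT INTO products (name, price, public) VALUES (?, ?, ?)",
                     [("Laptop", 999.0, 1), ("Phone", 499.0, 1), ("Unreleased gadget", 0.0, 0)])
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """The flawed 'before': the URL parameter is pasted into the SQL text, so a term
    containing a quote changes the query's structure instead of its data."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """The fix: the SQL text is fixed and the term is bound as a parameter, so the
    database treats it as a string value whatever characters it contains."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def compare(term: str) -> tuple:
    """Run both variants on one term and return (vulnerable_result, safe_result)."""
    conn = make_db()
    return sorted(search_vulnerable(conn, term)), sorted(search_safe(conn, term))


if __name__ == "__main__":
    print(compare("Lap"))              # both: ['Laptop']
    # Textbook injection string used only to show the defect: the quote closes the
    # literal, OR 1=1 matches every row, and -- comments out the rest of the query.
    print(compare("x' OR 1=1 --"))     # vulnerable lists the non-public row; safe finds nothing
```

Parameter binding is the fix for injection, but note that the safe variant still lets the term carry LIKE wildcards (`%` and `_`); if that matters for the catalogue, escape them with an ESCAPE clause as well.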
CHAPTER 5: CONCLUSION
E-commerce is widely considered to be the buying and selling of products over the internet, but any transaction that is completed solely through electronic means can be considered e-commerce. Day by day, e-commerce and m-commerce play a greater role in online retail marketing, and the number of people using this technology is increasing all over the world. E-commerce security is the protection of e-commerce assets from unauthorized access, use, alteration or destruction. The dimensions of e-commerce security are: Integrity: prevention against unauthorized data modification. Non-repudiation: prevention against any one party reneging on an agreement after the fact. Authenticity: authentication of the data source. Confidentiality: protection against unauthorized data disclosure. Privacy: provision of data control and disclosure. Availability: prevention against data delays or removal. The vulnerabilities discussed could easily be present in other types of web applications as well. However, in the case of e-commerce systems, the vulnerabilities acquire a graver dimension due to the financial nature of the transactions. What is at stake is not only a direct loss of revenue; companies may face a serious loss of reputation as well. In some cases, they may face legal penalties for violating customer privacy or trust. It is of paramount importance for designers and developers of web applications to consider security as a primary design goal and to follow secure coding guidelines in order to provide the highest possible degree of assurance to their customers.
Recommendations and findings
Some recommendations for how we can make our changing world better:
• Provide the necessary scope for secure e-commerce websites.
• Provide knowledge of attacks on e-commerce to those who really need it.
• Use security measures to protect e-commerce websites.
• Keep e-commerce sites verified.
Limitations
Even though the data and the research were done as well as possible, there were a few limitations while finalizing the report. Here are the few limitations:
Lack of reliable sources: Data were insufficient, and forged sources were available online.
Future Work
Current technology allows for secure site design. It is up to the development team to be both proactive and reactive in handling security threats, and up to the shopper to be vigilant when shopping online. E-commerce will be a great help to everyone in the coming days, so all e-commerce sites must be secured against attacks so that people can use them easily without any barriers.
More Related Content

PDF
E-Commerce Security Workable Attacks Againest E-Commerce
PDF
e commerce security and fraud protection
PDF
E commerce
PPTX
protection & security of e-commerce ...
PPT
Web Application Hacking 2004
PDF
IRJET - Data Privacy,Trust Issues and Solutions in Electronic Commerce
DOC
E-commerce Security and Threats
PPT
Ecommerce Security
E-Commerce Security Workable Attacks Againest E-Commerce
e commerce security and fraud protection
E commerce
protection & security of e-commerce ...
Web Application Hacking 2004
IRJET - Data Privacy,Trust Issues and Solutions in Electronic Commerce
E-commerce Security and Threats
Ecommerce Security

What's hot (20)

PDF
e-Commerce: Chapter 6
PDF
An Algorithm for Electronic Money Transaction Security (Three Layer Security)...
PPTX
Security issues in e commerce
PDF
Security consideration with e commerce
PPTX
DOC
Fitsum ristu lakew transaction security on e-commerce
PDF
Securité : Le rapport 2Q de la X-Force
PDF
Design and Development of an E-Commerce Security Using RSA Cryptosystem
PPT
6. Security Threats with E-Commerce
PDF
04-1 E-commerce Security slides
PDF
50120130406020
PDF
TWO-LAYER SECURE PREVENTION MECHANISM FOR REDUCING E-COMMERCE SECURITY RISKS
PPTX
Risks of E-commerce
PDF
Secure E-Commerce Protocol
PPTX
Internet threats and its effect on E-commerce
PPT
Threats of E-Commerce in Database
PDF
Dealing with Data Breaches Amidst Changes In Technology
PDF
PPTX
E commerce - Data Integrity and Security
e-Commerce: Chapter 6
An Algorithm for Electronic Money Transaction Security (Three Layer Security)...
Security issues in e commerce
Security consideration with e commerce
Fitsum ristu lakew transaction security on e-commerce
Securité : Le rapport 2Q de la X-Force
Design and Development of an E-Commerce Security Using RSA Cryptosystem
6. Security Threats with E-Commerce
04-1 E-commerce Security slides
50120130406020
TWO-LAYER SECURE PREVENTION MECHANISM FOR REDUCING E-COMMERCE SECURITY RISKS
Risks of E-commerce
Secure E-Commerce Protocol
Internet threats and its effect on E-commerce
Threats of E-Commerce in Database
Dealing with Data Breaches Amidst Changes In Technology
E commerce - Data Integrity and Security
Ad

Similar to Analysis the attack and E-commerce security (19)

PDF
Ijnsa050215
PDF
How to build a highly secure fin tech application
PDF
E-Commerce Privacy and Security System
PDF
E-Commerce Privacy and Security System
PDF
5 Reasons Why Your Business Should Consider Strong Authentication!
PDF
IBM X-Force.PDF
DOCX
1. Original Post by Catherine JohnsonCryptographic MethodsC
DOCX
1. Original Post by Catherine JohnsonCryptographic MethodsC
PPTX
unit-1-is1.pptx
PDF
Mobile Ad Hoc Networks ( Manets )
PDF
Internet Security Essay
PDF
What Strategies Are Crucial for Ensuring eCommerce Security in the Digital Era?
DOCX
Running head EFFECTS OF ARTIFICIAL INTELLIGENCE ON PRIVACY AND SE.docx
PDF
InformationSecurity_11141
PDF
Information security
PPT
Principles of Electronic Commerce_Unit_III.ppt
DOCX
ENMG 602 Homework Assignment 1 Problem 1 Observation.docx
DOC
E-commerce Security
Ijnsa050215
How to build a highly secure fin tech application
E-Commerce Privacy and Security System
E-Commerce Privacy and Security System
5 Reasons Why Your Business Should Consider Strong Authentication!
IBM X-Force.PDF
1. Original Post by Catherine JohnsonCryptographic MethodsC
1. Original Post by Catherine JohnsonCryptographic MethodsC
unit-1-is1.pptx
Mobile Ad Hoc Networks ( Manets )
Internet Security Essay
What Strategies Are Crucial for Ensuring eCommerce Security in the Digital Era?
Running head EFFECTS OF ARTIFICIAL INTELLIGENCE ON PRIVACY AND SE.docx
InformationSecurity_11141
Information security
Principles of Electronic Commerce_Unit_III.ppt
ENMG 602 Homework Assignment 1 Problem 1 Observation.docx
E-commerce Security
Ad

Recently uploaded (20)

PDF
How to Ensure Data Integrity During Shopify Migration_ Best Practices for Sec...
PPTX
SAP Ariba Sourcing PPT for learning material
PDF
Sims 4 Historia para lo sims 4 para jugar
PPTX
Module 1 - Cyber Law and Ethics 101.pptx
PPTX
international classification of diseases ICD-10 review PPT.pptx
PDF
The New Creative Director: How AI Tools for Social Media Content Creation Are...
PPT
Design_with_Watersergyerge45hrbgre4top (1).ppt
PPTX
Funds Management Learning Material for Beg
PPTX
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
PPTX
INTERNET------BASICS-------UPDATED PPT PRESENTATION
PDF
Slides PDF The World Game (s) Eco Economic Epochs.pdf
PPTX
Introduction to Information and Communication Technology
PDF
Paper PDF World Game (s) Great Redesign.pdf
PDF
Tenda Login Guide: Access Your Router in 5 Easy Steps
PDF
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
PPT
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
PDF
The Internet -By the Numbers, Sri Lanka Edition
DOCX
Unit-3 cyber security network security of internet system
PPTX
Digital Literacy And Online Safety on internet
PPTX
Introuction about ICD -10 and ICD-11 PPT.pptx
How to Ensure Data Integrity During Shopify Migration_ Best Practices for Sec...
SAP Ariba Sourcing PPT for learning material
Sims 4 Historia para lo sims 4 para jugar
Module 1 - Cyber Law and Ethics 101.pptx
international classification of diseases ICD-10 review PPT.pptx
The New Creative Director: How AI Tools for Social Media Content Creation Are...
Design_with_Watersergyerge45hrbgre4top (1).ppt
Funds Management Learning Material for Beg
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
INTERNET------BASICS-------UPDATED PPT PRESENTATION
Slides PDF The World Game (s) Eco Economic Epochs.pdf
Introduction to Information and Communication Technology
Paper PDF World Game (s) Great Redesign.pdf
Tenda Login Guide: Access Your Router in 5 Easy Steps
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
The Internet -By the Numbers, Sri Lanka Edition
Unit-3 cyber security network security of internet system
Digital Literacy And Online Safety on internet
Introuction about ICD -10 and ICD-11 PPT.pptx

Analysis the attack and E-commerce security

  • 1. 1 | P a g e CHAPTER 1: INTRODUCTION E-commerce is buying and selling goods and services over the Internet. Ecommerce is part of e-business as specified in E-business is a structure that includes not only those transactions that center on buying and selling goods and services to generate revenue, but also those transactions that support revenue generation. These activities include generating demand for goods and services, offering sales support and customer service, or facilitating communications between business partners. One of the critical success factors of e-commerce is its security. Without the assurance of security, e-commerce may not work normally. And it is a complexity issue, because ecommerce security relates to the confidence between sellers and buyers, credit card and extremely sensitive personal information. Therefore, the security of e-commerce depends on a complex interrelationship among applications platforms, database management systems and software and network infrastructure and so on. Any single weakness can jeopardize the ecommerce security. 1.1 Objectives  To know the overview of E-commerce security.  To know the online shopping - steps to place an order.  To know the reasons of security in E-commerce. 1.2 Justificationof The Study In this research main justification is incentive of criminal activities. As well as finding the attacks and how to secure the E- Commerce sites from the attacks that destroyed e- commerce in this days. Also find out the points of attacker’s target in this term paper. 1.3 Scope of The Study This is a technology base era and e-commerce increasing. As a result, this study has very large scope to work. Some scopes are given below:  We can use different security issues in E-commerce.  We can follow the secure online shopping guidelines.  We can find out the points attacker can target.
  • 2. 2 | P a g e CHAPTER 2: LITERATURE REVIEW Previously there has been few reports done on the ‘ANALYSIS THE ATTACK AND E- COMMERCE SECURITY” But in some scattered articles/webpage’s/blogs a few short notes on different topics about the ANALYSIS THE ATTACK AND E-COMMERCE SECURITY” According to MA. Fedrick Hanson A secure system accomplishes its task with no unintended side effects. Using the analogy of a house to represent the system, you decide to carve out a piece of your front door to give your pets' easy access to the outdoors. However, the hole is too large, giving access to burglars. You have created an unintended implication and therefore, an insecure system. In the software industry, security has two different perspectives. In the software development community, it describes the security features of a system. Common security features are ensuring passwords that are at least six characters long and encryption of sensitive data. For software consumers, it is protection against attacks rather than specific features of the system. Your house may have the latest alarm system and windows with bars, but if you leave your doors unlocked, despite the number of security features your system has, it is still insecure. Hence, security is not a number of features, but a system process. The weakest link in the chain determines the security of the system. In this article, we focus on possible attack scenarios in an e-Commerce system and provide preventive strategies, including security features, that you can implement. Security has three main concepts: confidentiality, integrity, and availability. Confidentiality allows only authorized parties to read protected information. For example, if the postman reads your mail, this is a breach of your privacy. Integrity ensures data remains as is from the sender to the receiver. If someone added an extra bill to the envelope, which contained your credit card bill, he has violated the integrity of the mail. 
Availability ensures you have access and are authorized to resources. If the post office destroys your mail or the postman takes one year to deliver your mail, he has impacted the availability of your mail.
  • 3. 3 | P a g e CHAPTER 3: METHODOLOGY Planning: To start working for this term paper at first, we make a plan about how we will work for it. Data collecting: After planning we start working for this term paper and start collecting data. There is no primary data. We only collect data from secondary sources. Here we used internet for gathering the information of the topic. As this is a research work on “ANALYSIS THE ATTACK AND E-COMMERCE SECURITY”, we took the references from various website. All the information provided on this term paper is from secondary sources, such as various links, web pages and some books. Data analyzing: After collecting data we start analyzing those data. We eliminate and process those data for analyzing. Make a conclusion: After analyzing data we try to make a proper conclusion of this term paper based on data analyzing. Providing recommendations and Show the future work: Then we provide some recommendations to use “E-COMMERCE SECURITY” and show the future of “ANALYSIS THE ATTACK AND E-COMMERCE SECURITY” in changing world based on my data analyzing. Planning Data collection from external various source Elimination And selection Analyze process Selected data and representing them Providing recommendation
  • 4. 4 | P a g e CHAPTER 4: PROJECT DESCRIPTION 4.1 E-commerce Security E-commerce Security is a part of the Information Security framework and is specifically applied to the components that affect e-commerce that include Computer Security, Data security and other wider realms of the information Security framework. E-commerce security has its own particular nuances and is one of the highest visible security components that affect the end user through their daily payment interaction with business. Today, privacy and security are a major concern for electronic technologies. M-commerce shares security concerns with other technologies in the field. Privacy concerns have been found, revealing a lack of trust in a variety of contexts, including commerce, electronic health records, e-recruitment technology and social networking, and this has directly influenced users. Security is one of the principal and continuing concerns that restrict customers and organizations engaging with ecommerce. Web e-commerce applications that handle payments (online banking, electronic transactions or using debit cards, credit cards, PayPal or other tokens) have more compliance issues, are at increased risk from being targeted than other websites and there are greater consequences if there is data loss or alteration. Online shopping through shopping websites having certain steps to buy a product with safe and secure. The e- commerce industry is slowly addressing security issues on their internal networks. There are guidelines for securing systems and networks available for the ecommerce systems personnel to read and implement. Educating the consumer on security issues is still in the infancy stage but will prove to be the most critical element of the e-commerce security architecture. 
Trojan horse programs launched against client systems pose the greatest threat to e-commerce because they can bypass or subvert most of the authentication and authorization mechanisms used in an ecommerce transaction. These programs can be installed on a remote computer by the simplest of means: email attachments. Privacy has become a major concern for consumers with the rise of identity theft and impersonation, and any concern for consumers must be treated as a major concern for e-commerce providers.
  • 5. 5 | P a g e 4.2 E-commerce SecurityTools  Public Key infrastructure  Encryption software  Digital certificates  Digital Signatures  Passwords  Locks and bars – network operations center 4.3 RelatedWorks Security is one of the principal and continuing concerns that restrict customers and organizations engaging with commerce. The aim of this paper is to explore the perception of security in e-commerce B2C and C2C websites from both customer and organizational perspectives. 1. With the rapid development of E-commerce, security issues are arising from people's attention. The security of the transaction is the core and key issues of the development of E-commerce. This paper about the security issues of e-commerce activities put forward solution strategy from two aspects that are technology and system, so as to improve the environment for the development of E-commerce and promote the further development of E-commerce. 2. Ecommerce web site owners on one side are thinking of how to attract more customers and how to make the visitors feel secured when working on the site, on the other side how the end users should rate an ecommerce website and what they should do to protect themselves as one among the online community. Our objective of writing this research analysis journal is to make the readers to have clarity of thoughts on the technology which helps all of us to do secure transactions along with safety tips. And how ecommerce site owners, have to make their online visitors to be of much comfort or Trust an ecommerce site via Trust marks, and by their security strategies. 3. Due to the increase in warnings by the media from security and privacy breaches like identity theft and financial fraud, and the elevated awareness of online customers about the threats of performing transactions online, e-commerce has not been able to achieve its full potential. 
Many customers refuse to perform online transactions and relate that to the lack of trust or fear for their personal information.
  • 6. 6 | P a g e 4. The traditional authentication mechanism is based on identity to provide security or access control methods; in addition, traditional encryption and authentication algorithm require high computing power of computer equipment. Therefore, how to improve the authentication mechanism and optimize the traditional encryption and authentication algorithm may be the focus of P2P e-commerce. 5. Information security, therefore, is an essential management and technical requirement for any efficient and effective payment transaction activities over the internet. Still, its definition is a complex endeavor due to the constant technological and business change and requires a coordinated match of algorithm and technical-solutions. 4.4 Digital E-commerce Cycle Security is very important in online shopping sites. Now days, a huge amount is being purchased on the internet, because it’s easier and more convenient. Almost anything can be bought such as music, toys clothing, cars, food and even porn. Even though some of these purchases are illegal we will be focusing on all the items you can buy legally on the internet. Some of the popular websites are eBay, iTunes, Amazon, HMV, Mercantila, dell, Best Buy and much more. 4.4.1 Securityissues of E-commerce The rapid development of Internet has promoted electronic commerce explosion. However, at the same time, the internet businesses have brought large security issues such as International Journal of Security and Its Applications and with the development of electronic commerce, these issues have obtained more and more attentions. 4.4.2 Mutual Trust in Business In the traditional commerce, participant can face to face, so there may be little distrust. However, there is difference in electronic commerce. For example, in electronic commerce, the location of the business and the goods are unknown. More important, there is not personal contact between the seller and the buyer. 
In addition, there is lack of a clear legal framework in electronic commerce. Therefore, how to enhance mutual trust is an important issue.
  • 7. 7 | P a g e 4.4.3. Intellectual Property Intellectual Property threats are a larger problem than they were prior to the wide spread use of the internet. It is relatively easy to use existing, material found on the internet without the owner’s Permission. Actual monetary damage resulting from a copyright violation is more difficult to measures than damage from secrecy, integrity, or necessity computer security violations. 4.5 A Model for Threat Classification& Control Measures of E-commerce This part will provide a model to analyze the threat classification and control measures of e- commerce. Firstly, we consider threats from two points of view: threat agents and threat techniques. Then we analyze the security control measures. There are some threat agents. Threat agents include 3 parts: environmental factors, authorized users and unauthorized users. 4.5.1 Environmental Factors Environmental factors are common sense. It is more prone to certain environmental influences and natural disasters than others in some areas. For example, fire is not geographically dependent. However, tornadoes and floods can be predicted in specific areas. In addition to the natural disasters, the danger of mechanical and electrical equipment failure should be paid to more attention. 4.5.2 Authorized Users There are some potential threats when authorized users and personnel are engaged in supporting operations. Especially they exceed their privileges and authorities. It may affect the ability of the system to perform its mission. Personnel should be considered as potential threats, when they have the access to a system or occupy positions of special trust. Because they have the capability or opportunity to abuse their access authorities, privileges or trusts. And it may bring danger to the system. 4.5.3 Unauthorized Users An unauthorized user can be anyone who is not engaged in the system. It can attempt to interrupt the operation of the system overtly or covertly. 
It may sabotage hardware and associated equipment. And it also could be accomplished through the manipulation of software.
  • 8. 8 | P a g e 4.5.4 SecurityControl Measures There are some detailed security control measures in the ISO 7498-2 Standard lists. For example, there are involving authentication, access Control, data confidentiality data integrity and non-repudiation. Computer security experts widely accept this classification. And they are also recommended by the authors good control measures. The threat agent, threat technique and security measures are shown in Fig.1. We can use Fig.1 to classify threats and security measures to confront these threats in ecommerce. For example, access control is one of the security measures. It can face the threats that may be caused by an unauthorized user through hardware. Totally, there are combinations with agents, threat techniques, and security measures. However, not all of these combinations are available. We just utilize this three- dimensional view for a better security risk management. 4.6 Security Threats Three types of security threats 1. Denial of service, 2. Unauthorized access, and 3. Theft and fraud 4.6.1 Security(DOS): Denialof Service (DOS)  Two primary types of DOS attacks: spamming and viruses  Spamming –Sending unsolicited commercial emails to individuals  E-mail bombing caused by a hacker targeting one computer or network, and sending thousands of email messages to it.  Surfing involves hackers placing software agents onto a third-party system and setting it off to send requests to an intended target. –DDOS (distributed denial of service attacks) involves hackers placing software agents into a number of third-party systems and setting them off to simultaneously send requests to an intended target  Viruses: self-replicating computer programs designed to perform unwanted events.
  • 9. 9 | P a g e 4.6.2 A Conceptual Risk Management Framework for E-Commerce To contain the complexity and maintain focus and relevance, this paper will restrict to issues related to the security of database and information system of e-commerce. And we put forward a conceptual risk management framework for e-commerce. According to the following five stages, we can firstly identify the vulnerabilities of a company, second evaluate the existing security measures, and then select the most appropriate and cost-effective countermeasures.  Analyze Value  Analyze Vulnerability and Risk  Calculate Losses caused by Threats and Benefits of Countermeasures  Select Countermeasures  Implement Countermeasures 4.6.3 Analyze Value The resource and application value analysis can be done in two phases. Firstly, determine the sensitivity of information. It can find the sensitivity level of each application and it is useful to find the most sensitive type of data, such as privacy, asset/resource and proprietary therefore, it is important for its detail and accuracy. Secondly, estimate the asset value. The asset involves the resources such as physical facility, equipment and supplies, software and so on 4.6.4 Analyze Vulnerability and Risk This analysis can be divided three parts. Firstly, identify vulnerabilities. Companies must identify the weakness or flaws in the design, implementation or operation of the security controls of a facility or system. It can be done through the analysis of the security measures or the related factors. Secondly, weight vulnerabilities. It should consider the seriousness and potential degree of exploitability to identify the vulnerabilities. Thirdly, assess threat probabilities. The probabilities should be documented. 
4.6.5 Calculate LossesCausedby Threats & Benefits of Countermeasures Enterprises can calculate losses caused by threats and benefits of countermeasures through defining countermeasure at given levels the cost of the countermeasure at a given level involves its effectiveness, expected damage caused by threat and so on. It also includes the probability that the threat occurs, assessing changes in threat probabilities, expected benefit and loss of countermeasure.
  • 10. 10 | P a g e 4.6.6 SelectCountermeasures This stage can be done in two phases: enumerate search program and mathematical method. The aim is to choose a countermeasure to minimize the total cost. 4.6.7 Implement Countermeasures This stage includes three phases. Firstly, set up a plan. It is mainly done by the senior management. And they need give the staffs much more encouragement. Secondly, implement countermeasures. It is the key link of the framework. Specific action can be completed in this phase. Thirdly, test the countermeasures. The aim is to ascertain that the proposed countermeasures produce the desired effect. And it does not result bad effects. 4.7 Security Features  AUTHENTICATION: Verifies who you say you are. It enforces that you are the only one allowed to logon to your  Internet banking account.  AUTHORIZATION: Allows only you to manipulate your resources in specific ways. This prevents you from increasing the balance of your account or deleting a bill.  ENCRYPTION: Deals with information hiding. It ensures you cannot spy on others during Internet banking transactions.  AUDITING: Keeps a record of operations. Merchants use auditing to prove that you bought a specific merchandise.  INTEGRITY: Prevention against unauthorized data modification  ONREPUDIATION: prevention against any one party from reneging on an agreement after the fact  AVAILABILITY: prevention against data delays or removal  DDOS (DISTRIBUTED DENIAL OF SERVICE ATTACKS): involves hackers placing software agents onto a number of third-party systems and setting them off to simultaneously send requests to an intended target  SNIFFERS: software that illegally access data traversing across the network.
  • 11. 11 | P a g e 4.8 The criminal incentive Attacks against e-Commerce Web sites are so alarming, they follow right after violent crimes in the news. Practically every month, there is an announcement of an attack on a major Web site where sensitive information is obtained. Is e-Commerce software more insecure compared to other software? Did the number of criminals in the world increase? The developers producing e-Commerce software are pulled from the same pool of developers as those who work on other software. In fact, this relatively new field is an attraction for top talent. Therefore, the quality of software being produced is relatively the same compared to other products. The criminal population did not undergo a sudden explosion, but the incentives of an e-Commerce exploit are a bargain compared to other illegal opportunities. 4.9 Points the attackercantarget As mentioned, the vulnerability of a system exists at the entry and exit points within the system. The 3 shows an e-Commerce system with several points that the attacker can target:  Shopper  Shopper computer  Network connection between shopper and Web site's server  Web site's server  Software vendor 4.9.1 Attacks This section describes potential security attack methods from an attacker or hacker. Tricking the shopper. Some of the easiest and most profitable attacks are based on the shopper, also known as social engineering techniques. These attacks involve surveillance of the shopper's behavior, gathering information to use against the shopper. For example, a mother's maiden name is a common challenge question used by numerous sites. If one of these sites is tricked into giving away a password once the challenge question is provided, then not only has this site been compromised, but it is also likely that the shopper used the same ID and password
  • 12. 12 | P a g e on other sites. A common scenario is that the attacker calls the, pretending to be a representative from a site visited, and extracts information. The attacker then calls a customer service representative at the site, posing as the shopper and providing personal information. The attacker then asks for the password to be reset to a specific value. Another common form of social engineering attacks phishing schemes. Typo pirates play on the names of famous sites to collect authentication and registration information. For example, http://www.ibm.com/shop is registered by the attacker as www.ibn.com/shop. A shopper mistypes and enters the illegitimate site and provides confidential information. Alternatively, the attacker sends emails spoofed to look like they came from legitimate sites. The link inside the email maps to a rogue site that collects the information. 4.9.2 Snooping the shopper's computer Millions of computers are added to the Internet every month. Most users' knowledge of security vulnerabilities of their systems is vague at best. Additionally, software and hardware vendors, in their quest to ensure that their products are easy to install, will ship products with security features disabled. In most cases, enabling security features requires a non-technical user to read manuals written for the technologist. The confused user does not attempt to enable the security features. This creates a treasure trove for attackers. A popular technique for gaining entry into the shopper's system is to use a tool, such as SATAN, to perform port scans on a computer that detect entry points into the machine. Based on the opened ports found, the attacker can use various techniques to gain entry into the user's system. Upon entry, they scan your file system for personal information, such as passwords. While software and hardware security solutions available protect the public's systems, they are not silver bullets. 
A user that purchases firewall software to protect his computer may find there are conflicts with other software on his system. To resolve the conflict, the user disables enough capabilities to render the firewall software useless.

4.9.3 Sniffing the network

In this scheme, the attacker monitors the data between the shopper's computer and the server. He collects data about the shopper or steals personal information, such as credit card numbers. There are points in the network where this attack is more practical than others. If the attacker sits in the middle of the network, then within the scope of the Internet, this attack becomes impractical. A request from the client to the server computer is broken up into small pieces known as packets as it leaves the client's computer and is reconstructed at the server. The packets of a request are sent through different routes. The attacker cannot access all the packets of a request and cannot decipher what message was sent. Take the example of a shopper in Khulna purchasing goods from a store in Dhaka. Some packets for a request are routed through Rajshahi, while others are routed through Chittagong. A more practical location for this attack is near the shopper's computer or the server. Wireless hubs make attacks on the shopper's computer network the better choice because most wireless hubs are shipped with security features disabled. This allows an attacker to easily scan unencrypted traffic from the user's computer.

4.9.4 Site development best practices

This section describes best practices you can implement to help secure your site.

Security policies and standards. There are many established policies and standards for avoiding security issues. However, they are not required by law. Some basic rules include:
 Never store a user's password in plain text or encrypted text on the system. Instead, use a one-way hashing algorithm to prevent password extraction.
 Employ external security consultants (ethical hackers) to analyze your system.
 Standards, such as the Federal Information Processing Standard (FIPS), describe guidelines for implementing features. For example, FIPS makes recommendations on password policies.
 Ensure that a sufficiently robust encryption algorithm, such as triple DES or AES, is used to encrypt all confidential information stored on the system.
 When developing third-party software for e-Commerce applications, use external auditors to verify that appropriate processes and techniques are being followed.
 Recently, there has been an effort to consolidate these best practices as the Common Criteria for IT Security Evaluation (CC). CC seems to be gaining traction. It is directly applicable to the development of specific e-Commerce sites and to the development of third-party software used as infrastructure for e-Commerce sites.
4.9.5 Guessing passwords

Another common attack is to guess a user's password. This style of attack is manual or automated. Manual attacks are laborious, and only successful if the attacker knows something about the shopper, for example, if the shopper uses their child's name as the password. Automated attacks have a higher likelihood of success because the probability of guessing a user ID/password combination becomes more significant as the number of tries increases. Tools exist that use all the words in the dictionary to test user ID/password combinations, or that attack popular user ID/password combinations. The attacker can automate the attack to go against multiple sites at one time.

4.9.6 Using denial of service attacks

The denial of service attack is one of the best examples of impacting site availability. It involves getting the server to perform a large number of mundane tasks, exceeding the capacity of the server to cope with any other task. For example, if everyone in a large meeting asks you your name all at once, and every time you answer, they ask you again, you have experienced a personal denial of service attack. To ask a computer its name, you use ping. You can use ping to build an effective DoS attack. The smart hacker gets the server to use more computational resources in processing the request than the adversary does in generating the request. Distributed DoS is a type of attack used on popular sites, such as Yahoo!. In this type of attack, the hacker infects computers on the Internet via a virus or other means. The infected computers become slaves to the hacker. The hacker controls them at a predetermined time to bombard the target server with useless but resource-intensive requests. This attack affects not only the target site but also the entire Internet, as the large number of packets is routed via many different paths to the target.
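The defender's counterpart to 4.9.5 is to notice automated guessing before the number of tries grows. As an added example (not from the paper), the Python below runs over a constructed authentication log and flags sources that either hammer one account or fail against many accounts within a time window; the log format and thresholds are assumptions.

```python
# Added example, not from the paper: flagging automated password guessing in a
# constructed authentication log. Log format and thresholds are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) LOGIN_(OK|FAIL) user=(\S+) src=(\S+)$")

# Constructed sample: 203.0.113.7 hammers one account, 198.51.100.9 tries many
# accounts once each, and 192.0.2.44 is a shopper who mistypes twice then succeeds.
SAMPLE_LOG = """\
2017-10-12T09:00:01 LOGIN_FAIL user=alice src=203.0.113.7
2017-10-12T09:00:02 LOGIN_FAIL user=alice src=203.0.113.7
2017-10-12T09:00:03 LOGIN_FAIL user=alice src=203.0.113.7
2017-10-12T09:00:04 LOGIN_FAIL user=alice src=203.0.113.7
2017-10-12T09:01:00 LOGIN_FAIL user=bob src=198.51.100.9
2017-10-12T09:01:01 LOGIN_FAIL user=carol src=198.51.100.9
2017-10-12T09:01:02 LOGIN_FAIL user=dave src=198.51.100.9
2017-10-12T09:02:00 LOGIN_FAIL user=erin src=192.0.2.44
2017-10-12T09:02:30 LOGIN_FAIL user=erin src=192.0.2.44
2017-10-12T09:03:00 LOGIN_OK user=erin src=192.0.2.44
"""

def parse(log_text):
    """Yield (timestamp, result, user, src) for every well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], m[4]

def flag_guessing(log_text, window=timedelta(minutes=5), max_failures=3, max_users=2):
    """Return {src: reason} for sources that, within any `window`, exceed `max_failures`
    failed logins (dictionary attack on one account) or fail against more than
    `max_users` distinct accounts (attack on popular user ID/password combinations)."""
    fails = defaultdict(list)  # src -> time-ordered [(ts, user), ...]
    for ts, result, user, src in sorted(parse(log_text)):
        if result == "FAIL":
            fails[src].append((ts, user))
    flagged = {}
    for src, attempts in fails.items():
        start = 0
        for end in range(len(attempts)):  # sliding window over this source's failures
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            recent = attempts[start:end + 1]
            users = {u for _, u in recent}
            if len(recent) > max_failures or len(users) > max_users:
                flagged[src] = "%d failures across %d account(s) in %s" % (len(recent), len(users), window)
                break
    return flagged
```

A flagged source is a candidate for throttling or a temporary lockout, while the shopper who mistypes twice is left alone.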
4.9.7 Using known server bugs

The attacker analyzes the site to find what types of software are used on the site. He then proceeds to find what patches were issued for the software. Additionally, he searches on how to exploit a system without the patch. He proceeds to try each of the exploits. The sophisticated attacker finds a weakness in a similar type of software and tries to use that to exploit the system. This is a simple, but effective attack. With millions of servers online, what is the probability that a system administrator forgot to apply a patch?
4.9.8 Using server root exploits

Root exploits refer to techniques that gain access to the server. This is the most coveted type of exploit because the possibilities are limitless. When you attack a shopper or his computer, you can only affect one individual. With a root exploit, you gain control of the merchant's and all the shoppers' information on the site. There are two main types of root exploits: buffer overflow attacks and executing scripts against a server. In a buffer overflow attack, the hacker takes advantage of a type of computer program bug that involves the allocation of storage during program execution. The technique involves tricking the server into executing code written by the attacker. The other technique uses knowledge of scripts that are executed by the server. This is easily and freely found in the programming guides for the server. The attacker tries to construct scripts in the URL of his browser to retrieve information from the server. This technique is frequently used when the attacker is trying to retrieve data from the server's database.
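As an added illustration (not code from the paper or any product), the Python below builds a constructed, in-memory SQLite store and shows the "scripts in the URL" technique as a SQL injection: the vulnerable lookup assembles its query by string formatting, so the shopper's input becomes part of the SQL, while the hardened lookup binds the input as a parameter.

```python
# Added example, not from the paper: the 4.9.8 "scripts in the URL" pattern as a SQL
# injection against a constructed, in-memory SQLite catalogue, vulnerable query beside the fix.
import sqlite3


def make_store():
    """Constructed sample catalogue; the unpublished row must never be shown to shoppers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL, published INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("laptop", 999.0, 1), ("headphones", 79.0, 1), ("unreleased-phone", 1299.0, 0)],
    )
    return conn


def search_vulnerable(conn, name):
    """Builds SQL by string formatting: the shopper's input becomes part of the query."""
    sql = "SELECT name FROM products WHERE published = 1 AND name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, name):
    """Parameterised query: the input is bound as data and cannot change the SQL."""
    sql = "SELECT name FROM products WHERE published = 1 AND name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    conn = make_store()
    honest = "laptop"
    crafted = "x' OR '1'='1"  # a URL parameter value that rewrites the WHERE clause
    print(search_vulnerable(conn, honest))   # ['laptop']
    print(search_vulnerable(conn, crafted))  # every row, including the unpublished one
    print(search_safe(conn, crafted))        # []
```

The same parameter binding is what the database driver of any e-commerce stack offers; the fix is to never build the query text from shopper input.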
CHAPTER 5: CONCLUSION

E-commerce is widely considered the buying and selling of products over the internet, but any transaction that is completed solely through electronic means can be considered e-commerce. Day by day, e-commerce and m-commerce play a larger role in online retail marketing, and the number of people using this technology is increasing all over the world. E-commerce security is the protection of e-commerce assets from unauthorized access, use, alteration or destruction. The dimensions of e-commerce security are:
 Integrity: prevention against unauthorized data modification.
 Non-repudiation: prevention against any one party from reneging on an agreement after the fact.
 Authenticity: authentication of data source.
 Confidentiality: protection against unauthorized data disclosure.
 Privacy: provision of data control and disclosure.
 Availability: prevention against data delays or removal.
The vulnerabilities discussed could easily be present in other types of web applications as well. However, in the case of e-commerce systems, the vulnerabilities acquire a graver dimension due to the financial nature of transactions. What is at stake is not only a direct loss of revenues; companies may face a serious loss to their reputations as well. In some cases, they may be faced with legal penalties for violating customer privacy or trust. It is of paramount importance for designers and developers of web applications to consider security as a primary design goal and to follow secure coding guidelines in order to provide the highest possible degree of assurance to their customers.
Recommendations and findings

There are some recommendations on how we can make our changing world a better one:
 Provide the necessary scope for secure e-commerce websites.
 Provide knowledge of e-commerce attacks to those who really need it.
 Use security measures to protect e-commerce websites.
 Keep e-commerce sites verified.

Limitations

Even though the data collection and the research were done as well as possible, a few limitations arose while finalizing the report. Here are the few limitations:
Lack of reliable sources: Data were insufficient, and forged sources were available online.

Future Work

Current technology allows for secure site design. It is up to the development team to be both proactive and reactive in handling security threats, and up to the shopper to be vigilant when shopping online. E-commerce will be a great helping hand for everyone in the coming days, so all e-commerce sites must be secured against attacks so that people can use them easily, without any barriers.