Security Threats in E-Commerce

UNIT - 2
Security threats to
e- business
Prepared by : II MBA Students, Class 2017-19, CBIT College - Proddatur

SECURITY IN E-COMMERCE
INTRODUCTION :-
eCommerce security refers to the principles which guide
safe electronic transactions, allowing the buying and selling of goods and
services through the Internet, but with protocols in place to provide safety for
those involved.
Definition :-
Ecommerce security is a set of protocols that safely guide ecommerce
transactions. Stringent security requirements must be in place to protect
companies from threats like credit card fraud, or they risk jeopardizing revenue
and customer trust, due to the inability to guarantee safe credit card
processing.

THREATS:-
 A threat is an object, person , or other entity that represents a constant danger to an
asset
 Management must be informed of the various kinds of threats facing the
organization.
 By examing each threat category managemenand t effectively protects information
through policy, education, training and technology.
THREATS TO INFORMATION SECURITY:-
1. Acts of human error or failure accidents, employee mistakes
2. Compromises to intellectual property piracy, copy right infringement
3. Deliberate acts of espionage or trespass unauthorized accesses and/or data
collection
4. Deliberate acts of information extortion block mail of information
disclosure
5. Deliberate acts of sabotage or vandalism destruction of systems or
information
6. Deliberate acts of theft illegal confiseation of equipment
or information

ACTS OF HUMAN ERROR OR FAILURE
• Includes acts done with no malicious intent
 Caused by ;
 In experience
 Improper training
 In correct assumption
 other circumstances
• Employees are greatest threats to information security- they are closest
to organization data
• Employee mistakes can easily lade to the following:
 Revealing classified data
 Entry to erroneous data
 Accidental delition or modification of data
 Storage of data in unprotected areas
 Failure to protect information
• Many of threats can be prevented with controls

ESPIONAGE/TRESPASS:
 Broad category of activities that breach confidentially
unauthorized accessing of information
shoulder surfing can occur any place a person is accessing confidential
information
competitive intelligence vs. espionage
 Controls implemented to mark the boundaries of an organization virtual
territory giving notice to tresassers that they are encroaching on the
organizations cyberspace
.
 Hackers uses skill, guile, or fraud to steal the property of someone else

NETWORK SECURITY GOALS:-
• Confidentiality:- only sender, intended receiver should understand message
contents
-sender encrypts the message
-receiver decrypts the message
-privacy
.
• Integrity:- sender and receiver want to make sure that the message are not
altered without detection.
• Availability:- service must be available to user (instead of non repudiation
in security service)
• Authentication:- sender and receiver want to confirm the identity of each
other
• Access control:- service must be accessible to users.

Some key factors for success in E-commerce
 providing value to customers
 Providing service and performance
 Look
 Advertising
 Personal attention
 Providing sense of community
 Providing reliability and security
 Providing a 360-degree view of the customer relationship

Security threats in the E-commerce environment
 Three key points of vulnerability:
-client
-server
-communications channel
 Most common threats:-
- malicious code
- hacking and cyber vandalism
- credit card fraud/theft
- spoiling
- denial of service attacks
- sniffing
- insider jobs

E-COMMERCE THREATS
What is an e-commerce
it means using the internet for unfair things . It may be intention of stealing, fraud and
security breach.
there are various types of e-commerce threats . Some are accident, some are purposeful and
some of then are due to human error . The most common threats are phishing attacks money thefts
, data miss use , hacking , credit card frauds and un protected service.
1. In accurate management:-
one of the main reason to e-commerce threats is poor management . When security is
not up to the mark it faces a very dangerous threat to the network and systems . Also security
threats occur when there are no proper budget are allocated for purchase of anti-virus software
licenses.
2 Price manipulation:-
modern e-commerce systems often face price manipulation problems . These systems
are fully automated right from the first visit to the find payment gate way stealing is the most
common intention of price manipulation . It allows an intruder to side or install a lower price into
the URL and get away with all the data.

3. Snoeshoe spam:-
Now spam is something which is very command . Almost each one of the us deals with spam
mails in our mail box . The spam messages problems has been actually solved but now it is turning out
to be a not so general issue. The reason for this is the very nature of a spam message.
4. malicious threats:-
these code threats typically involve viruses , worms , Trojan horses.
- viruses are normally external threats and can couupt the files on the website if they find their way
in the internal network . They can be very dangerous as they destroy the computer systems completely
and can damage the normal working of the computer . A virus always needs a host as they cannot
spread by themselves.
- worms are very much different and are more serious than viruses . It places itself directly through
the internet . It can infect millions of computers in a matter of just few hours.
- A Trojan horse is a programming code which can perform destructive functions . They normally
attacks your computer when you download something . So always check the source of the downloaded
file.
5. Hactivism:-
the full form of hactivism is hacking activism . At first it may seem like you should hardly be
aware of these cyber threat . After all it is a problem not directly related to you . Why you should be
bothered at all ?. How ever that’s not the case. Firstly hactivists do not target directly to those
associated only it politics. It can also be a socially motivated purpose. It is typically using social media
platforms to bring to light social issues . It can also include flooding an email address with so much
trafic that it temporarily shutrs down.

6. Wi-Fi eaves dropping:
It is also one of the easiest ways in e-commerce to steal personal data. It is like
a virtual listening of information which is shares over a Wi-Fi network which is not
encrypted . It can happen on public as well as on personal computers.
7. Other threats:-
Some other threats which include are data packet sniffing . If spoofing, and port
scanning. Data packet sniffing is also normally called as sniffers . An intruder can use
sniffer to attack a data packs. With if spoofing it is very difficult to track the attacker .
The purpose here is to change the source address and give it such a look that it should
look as through it originated from another computer.

ENCRYPTION
What is encryption?
The process of converting information or data into a code , especially to prevent
unauthorized access.
In computing encryption is the method by which
plaintext or any other type of data is converted from a readable from to an encoded
version that can only be decoded by another entity if they have access to a
decryption key.
Definition:-
Encryption is the process of using an algorithm to transform information to make
it unreadable for unauthorized users. This cryptographic method protects sensitive
data such as credit card numbers by encoding and transforming information into
unreadable cipher text.

How does encryption work:-
• The encryption/decryption key is comparable with a normal password - the one you
use for your email, for example. The key is an essential part of the process of
encoding and decoding data.
• Typically, a key is a random binary or an actual passphrase. The key “tells” the
algorithm what patterns it must follow in order to convert plaintext into ciphertext
(and the other way around).
• It almost goes without saying, but the key is a fundamental part of the protection of
the privacy of information, a message or a piece of data. The encryption and
decryption process can only be initiated by using the key.
• Due to the fact that algorithms are publicly available and can be accessed by
anyone, once a hacker gets a hold of the encryption key, the encrypted data can
easily be decrypted to plaintext.
Use of encryption:-
• Encryption is used to protect data in transit sent from all sorts of devices across all
sorts of networks, not just the internet; every time someone uses an ATM or buys
something online with a smartphone, makes a mobile phone call or presses a key
fob to unlock a car, encryption is used to protect the information being ...

Advantages
 Encrypted data can’t be easily read
 Strong encryption may require years of work to decrypt with
out the key
Disadvantages
 encrypted files draw attention to their value
 If you loose the key you loose the data
 For large files strong encryption may take significant time to
decrypt

CRYPTOGRAPHY
Definition:-
• It is an ancient art and science of writing in secret message
• Cryptography comes from Greek word crypto means hiding and GRAPHY
means writing
• It is the art of achieving security by encoding message to make them non
readable.
Technologies
 Encryption :-
It is the process of transforming so it unintelligible to anyone but the
intended recipient.
 Decryption:-
It is the process of transforming encrypted information so that it is
intelligible again
 Plaintext:-
The message to be transmitted or stored

 Cipher text:-
the disguised message or encrypted message
 Algorithm:-
the mathematical formula used for encryption and decryption
 Cipher:-
algorithm used for encryption and decryption
 Key:-
value used by algorithm to encrypt and decrypt
Types of cryptography:-
secret-key cryptography(systematic key cryptography):-
single key used for both encryption and decryption.
Public key cryptography(asymmetric key cryptography)
uses one key for encryption and another for decryption.
Hash function:-
it uses a mathematical transformation to irreversibly “encrypt”
information.

What are the three types of encryption
 Secret key symmetric encryption
- relatively simple first used by Julius Caesar
- both users have a password example:- DES
 Public key encryption
- two keys involved used on the internet
- example:- PGP – PRETTY GOOD PRIVACY
 One way function
- digital signature of certificate
- Unix login

Characteristics of cryptography:-
 The type of operations used for transforming plaintext to cipher text
 The number of keys used
 The way in which the plaintext is processed.
Applications of cryptography:-
 Key recovery:-
it is a technology that allows a key be revealed under certain circumstance
without the owner of the key revealing it.
 Remote access:-
passwords gives a level of security for secure access.
 Cell phone:-
prevent people from stealing cell phone nos, access code or eavesdropping.
 Access control:-
regulate access to satellite and cable TV.

Purpose of cryptography
 Authentication
 Privacy confidentiality
 Integrity
 Non-repudiation.
Advantages
 It is faster
 While transmission the chances of data being decrypted is null
 Uses password authentication to prove the receivers identity
Disadvantages
 Issue of key transportation
 It cannot provide digital signature that cannot be repudiated

Public key and private key
What is public and private key ?
a symmetric cryptography. Also known as public key
cryptography. uses public and private keys to encrypt and decrypt data . One
key is the pair can be shared with everyone ; it is called the public key the
other key in the pair is kept secret , it is called private key.
How does private key public key work ?
these distinguishing technique used in public key cryptography
is the uses of as symmetric key algorithms where a key used by one party to
performance encryption is not the same as the key used by another in
decryption , each user has a pair of cryptographic keys , a public encryption
key and a private decryption key .

Roles of private and public key
Private key
1. Private key faster compared to public key
2. Private key is symmetrical . Actually there
is only one key . The another is a copy of
it
3. Private key is a truly private should be
available with on only the communicating
parties
4. The two parties most have met before at
least share the key.
Public key
1. Relatively slow to encrypt /decrypt
2. Asymmetrical
3. Public key can be made public.
private key is truly secret.
4. That two parties need not have met.
The two may be strangers, half way
around the globe

Differences between public and private key
public key
• For symmetric encryption, the same key is used to
encrypt the message and to decrypt it. This key must be
random, or cryptographically generated in a way that
makes it look random.
For public-key encryption, instead the recipient
generates two keys together, a public encryption key and
a private decryption key. The message is encrypted with
the public key, and can only be decrypted with the
private key.
In practice, public-key encryption is almost always used
to exchange a secret key between the parties. That way
they only have to go through the complexity and
computation of the public-key system once, at least until
they forget the secret key (eg, until you close your
browser).
Public-key encryption is slower and more complicated
than symmetric encryption, but it's also much more
flexible. Consider connecting to your bank: you could
theoretically use symmetric cryptography if you shared a
key with your bank, for example by showing up to a
branch in person and exchanging secret random
numbers. Indeed, that's basically what a SecureID token
is: a shared secret between you and your bank. But it's
much easier exchange those secret random numbers over
the internet, encrypted with the bank's public key.
private key
• Private Key and Public Key is the unique pair,
which are normally indivisible. Both are
prerequisite to encrypt and decrypt the information
while transmitting to web browser to web server.
• There are two types of mechanism in Encryption
algorithm such as Symmetric Encryption and
Asymmetric Encryption.
• If you are using Symmetric encryption technology,
then you require only private key to encrypt and
decrpt functionality. If you are using Asymmetric
encryption technology then you need a unique pair
of private key and public key to encrypt and decrpt
the information.
• Private key used to store inside the server to decrpt
the information which comes from browser in the
mode of encryption. However, the information,
which is coming from browser require public key
to encrypt the data.
• Both of the key’s have different functionality,
which depends on the encryption technology. If
you are interested to learn more about Public and
Private Key, then here is our official blog post.

Digital signature
What is digital signature
A digital signature is an electronic signature that can be used to authenticate the identi of
the sender of a message
 It is a mathematical scheme for demonstrating the authenticity of a digital message or
document
 Each signatory has their own paired public and private key
 It consist three algorithms :-
1. A digital signature generation algorithm :-
 It consist of of a (mathematical) digital signature
 Randamly produces a key paire(public and private)
2. A signing algorithm:-
 Produces a signature
3. A digital signature verification algorithm:-
It consist of verification algorithm with a method for recovering data from the message.

ADVANTAGES OF DIGITAL SIGNATURE
• imposter prevention
• Message integrity
• Legal requirement
DISADVANTAGES OF DIGITAL SIGNATURE
• Digital signature involves the primary avenue for any business is month.
Requirements while you apply for a digital signature certificate
1. Submission of DSC Application form duly filled in by the applicant
Any individual applying for a Digital Signature Certificate is required to fill an Application Form
for online submission and verification of personal details by the certifying authority
2. Producing Photo ID proof
3. Producing Address proof
Steps to apply for a digital signature certificate
• STEP 1: Log on and select your type of entity. ...
• STEP 2: Fill the necessary details. ...
• STEP 3: Proof of identity and address. ...
• STEP 4: Payment for DSC. ...
• STEP 5: Post the documents required.

DIGITAL CERTIFICATES
WHAT IS DIGITAL CERTIFICATES:-
A digital certificate is an electronic” password “ that allows a person , organization to
exchange data securely over the internet using the public key infrastructure (PKI).digital
certificate is also know as a public key certificate or identity certificate
DEFINITION:-
A digital certificate authenticates the web credential of the sender and lets the recipients of an
encrypted message know that the data is from a trusted source or a sender who claims to be one
TYPES OF DIGITAL CERTIFICATES:-
they are three types
1.Secure socket layer certificate (SSL)
2.Software signing (CODE SIGNING CERTIFICATES)
3client certificates(DIGITAL ID)

• Secure Socket Layer
Secure Socket Layer [SSL] server Certificates are installed on a server. This can be a
server that hosts a website like www.digi-sign.com, a mail server, a directory or LDAP server, or any other type
of server that needs to be authenticated, or that wants to send and receive encrypted data. To automate the entire
life cycle of your SSL environment, see the Automated & Authenticated Certificate Delivery™ System.
• Code Signing Certificate
Code Signing Certificates are used to sign software or programmed code that is
downloaded over the Internet. It is the digital equivalent of the shrink-wrap or hologram seal used in the real
world to authenticate software and assure the user it is genuine and actually comes from the software publisher
that it claims.
• Client Certificate
Client Certificates or Digital IDs are used to identify one person to another, a person to a device
or gateway or one device to another device. Client Certificates are issued in their thousands and millions each
year and would be the principle reason for purchasing a CA.
Two people communicating by email will used a client certificate to authenticate or digitally
sign their respective communications. This Signature will assure each person that the email is genuine and
comes from the other person.
A person that is given access to a secure online service like a database, an extranet or
intranet will be authenticated to the gateway or entry point using a Client Certificate. This type of strong two
factor authentication replaces less secure usernames and passwords currently in use on many websites.
If two routers or a Virtual Private Network [VPN] connection needs to authenticate each
other, a Client Certificate can be used and exchanged to prove the connection is trusted. This type of client
authentication occurs deep within the application and is not usually visible to the end user. This type of device-
to-device authentication often uses a particular IPSec Client Certificate.
Also, bespoke applications and hardware seeking to utilize IP technology securely can use Digital Certificates
to authenticate the application and/or for device-to-device authentication.

Advantages of digital certificate:-
Online Banking Advantages
• Many businesses rely on digital certificates for banking procedures. For example, a human services
organization that distributes customer incentive checks uses a digital certificate to validate each instrument.
Each time a check is created, a designated user employs an identifiable computer to upload and manage
each check prior to distribution. This alerts the bank of the amount and number of each check. In addition,
the digital certificate protects against fraudulent activity by assuring the party receiving the information you
are not an impostor. Online banking would not be possible without the use of digital certificates. According
to Bank of America, transactions cannot take place until the digital certificate has been verified.
Legal Advantages
• Digital certificates and signatures provide protection in legally binding situations. When sending email to a
bank, for example, a digital signature will verify that the information came from you. When agreeing to
legally binding requirements, digital certificates prevent you from becoming a victim of an impostor. In
addition, digital certificates and signatures prevent the recipient from denying the receipt of information.
Disadvantages of digital certificate:-
Financial Disadvantages
• Businesses must purchase digital certificates from certification authorities. A certificate authority acts as a
third-party issuer that ensures the acceptance of the certificate. Certification authorities typically require a
subscription to their service, which requires monthly payments to continue the relationship. In addition,
multiple certificates for different sites or purposes can become a costly endeavor.
Technological Disadvantages
• When considering digital certificates, you need to factor in many areas of existing technology. According to
The Institute of Internal Auditors, “auditors should recommend that senior and IT managers consider the
tool’s ease of use, integration with the existing software platform, the company’s product architecture, the
security of the tool (e.g., the strength of the algorithm used), vendor support, cost, and future flexibility
before deciding which tool to implement.” In addition, creating a platform that accepts all digital
certificates is a difficult undertaking, and human carelessness may compromise the safety of login
credentials.

SECURITY PROTOCOL OVER PUBLIC NETWORK
INTRODUCTION:-
Network security protocols are a type network protocol that ensures
thesecurity and integrity of data in transit over a network connection. Network
security protocols define the processes and methodology to secure network data from
any illegitimate attempt to review or extract the contents of data.
DEFINITION:-
A VPN is a private data network that makes use of
the public telecommunication infrastructure, such as the Internet, by
adding security procedures over the unsecure communication channels.
The security procedures that involve encryption are achieved through the use of a
tunneling protocol.

Types
• Application Security: It is important to have an application security since no app is created
perfectly. It is possible for any application to comprise of vulnerabilities, or holes, that are
used by attackers to enter your network. Application security thus encompasses the software,
hardware, and processes you select for closing those holes.
• Behavioral Analytics: In order to detect abnormal network behaviour, you will have to know
what normal behavior looks like. Behavioral analytics tools are capable of automatically
discerning activities that deviate from the norm. Your security team will thus be able to
efficiently detect indicators of compromise that pose a potential problem and rapidly
remediate threats.
• Data Loss Prevention (DLP): Organizations should guarantee that their staff does not send
sensitive information outside the network. They should thus use DLP technologies, network
security measures, that prevent people from uploading, forwarding, or even printing vital
information in an unsafe manner.
• Email Security: Email gateways are considered to be the number one threat vector for a
security breach. Attackers use social engineering tactics and personal information in order to
build refined phishing campaigns to deceive recipients and then send them to sites serving up
malware. An email security application is capable of blocking incoming attacks and
controlling outbound messages in order to prevent the loss of sensitive data.
• Firewalls: Firewalls place a barrier between your trusted internal network and untrusted
outside networks, like the Internet. A set of defined rules are employed to block or allow
traffic. A firewall can be software, hardware, or both. The free firewall efficiently manages
traffic on your PC, monitors in/out connections, and secures all connections when you are
online.

• Mobile Device Security: Mobile devices and apps are increasingly being targeted by
cybercriminals. 90% of IT control which devices can access your network. It is also necessary to
configure their connections in order to keep networorganizations could very soon support
corporate applications on personal mobile devices. There is indeed the necessity for you to k
traffic private.
• Network Segmentation: Software-defined segmentation places network traffic into varied
classifications and makes enforcing security policies a lot easier. The classifications are ideally
based on endpoint identity, not just IP addresses. Rights can be accessed based on location, role,
and more so that the right people get the correct level of access and suspicious devices are thus
contained and remediated.
• Security Information and Event Management (SIEM): SIEM products bring together all the
information needed by your security staff in order to identify and respond to threats. These
products are available in different forms, including virtual and physical appliances and server
software.
• Virtual Private Network (VPN): A VPN is another type of network security capable of
encrypting the connection from an endpoint to a network, mostly over the Internet. A remote-
access VPN typically uses IPsec or Secure Sockets Layer in order to authenticate the
communication between network and device.
• Web Security: A perfect web security solution will help in controlling your staff’s web use,
denying access to malicious websites, and blocking
• Wireless Security: The mobile office movement is presently gaining momentum along with
wireless networks and access points. However, wireless networks are not as secure as wired ones
and this makes way for hackers to enter. It is thus essential for the wireless security to be strong.
It should be noted that without stringent security measures installing a wireless LAN could be
like placing Ethernet ports everywhere. Products specifically designed for protecting a wireless
network will have to be used in order to prevent an exploit from taking place.

Advantages of Network Security
• Protect data
As discussed, network security keeps a check on unauthorized access. A network contains a lot
of confidential data like the personal client data. Anybody who breaks into the network may hamper these
sensitive data. So, network security should be there in place to protect them.
• Prevents cyber attack
Most of the attack on the network comes from internet. There are hackers who are experts in
this and then there are virus attacks. If careless, they can play with a lot of information available in the
network. The network security can prevent these attacks from harming the computers.
• Levels of access
The security software gives different levels of access to different users. The authentication of
the user is followed by the authorization technique where it is checked whether the user is authorized to access
certain resource. You may have seen certain shared documents password protected for security. The software
clearly knows which resources are accessible by whom.
• Centrally controlled
Unlike the desktop security software, the network security software is controlled by a
central user called network administrator. While the former is prone to worms and virus attacks, the latter can
prevent the hackers before they damage anything. This is because the software is installed in a machine having
no internet.
• Centralized updates
It is very important that the anti-virus software is timely updated. An old version may not
offer you enough security against attackers. But it is not guaranteed that every user of the network follows it
religiously. A network security system which is centralized offers this advantage of timely updates without
even the knowledge of the individuals.

• Disadvantages of Network Security
Network security is a real boon to the users to ensure the security of their data.
While it has many advantages, it has lesser disadvantages. Let us discuss some of them.
• Costly set up
The set up of a network security system can be a bit expensive. Purchasing the
software, installing it etc can become costly especially for smaller networks. Here we are not
talking about a single computer, but a network of computers storing massive data. So, the security
being of prime importance will definitely cost more. It cannot be ignored at any cost!
• Time consuming
The software installed on some networks is difficult to work with. It needs
authentication using two passwords to ensure double security which has to be entered every time
you edit a document. It also requires the passwords to be unique with numbers, special characters
and alphabets. The user may have to type a number of sample passwords before one is finalized
which takes a lot of time.
• Requires skilled staff
To manage large networks is not an easy task. It requires highly skilled
technicians who can handle any security issue that arises. A network administrator needs to be
employed to ensure smooth working of the network. He must be trained adequately to meet the
requirement.
• Careless admin
When the best software is installed and everything required is done, it is natural
for the admin to be careless at times. It is his job to check the logs regularly to keep a check on the
malicious users. But sometimes, he just trusts the system and that is when the attack happens. So,
it is very important that the admin remains vigilant always.

HTPP
Protocol and HTPP:-
A Protocol is a standard procedure for defining and regulating communication. For example TCP, UDP,
HTTP etc.
Hypertext Transfer Protocol, better known to millions of Web surfers as
HTTP, was invented in 1990 by Tim Berners-Lee at the CERN Laboratories in Geneva, Switzerland.
Today, it is the foundation of the World Wide Web and the Hypertext Markup Language or HTML.
Three versions of HTTP were developed: 0.9, 1.0 and 1.1. Both 1.0 and 1.1 are in common usage toda
HYPER TEXT TRANSFOR PROTOCOL:-
• The HTTP provides a standard for web browsers & servers to communicate.
• HTTP is the foundation of data communication for the WWW.
• HTTP is an application layer network protocol built on top of TCP.
• HTTP clients & servers communicate via HTTP request & response message.
• Hypertext is structured text that uses logical links(hyper links) between nodes containing text.
• HTTP is the protocol to exchange or transfer hypertext.
• HTTP is called a “stateless protocol” because each command is executed independently, without
any knowledge of the commands that came before it.
• E.g.- when you enter a URL in your browser, this actually sends an HTTP command to the web
server directing it to fetch & transmit the requested web page.
• There are 2 major versions of HTTP:-
HTTP/1.0
HTTP/1.1

HTTP CHARACTERISTICS:-
• Request response mechanism
-transaction is initiated by a client sending a request to server.
-server generates a response.
• Resource identification
-each HTTP request includes a URI(Uniform Resource Identifier).
• Statelessness
- the server does not maintain any information about the transaction.
• Meta data support
-metadata about the information can be exchanged in the business
HOW HTTP WORKS:-
 HTTP is implemented in two programs: a client program and a server program, executing on
different end systems, talk to each other by exchanging HTTP messages.
 The HTTP client first initiates a TCP connection with the server. Once the connection is
established, the browser and the server processes access TCP through their socket interfaces

Security Threats in E-Commerce

HTTP REQUEST METODS
• The first line of an HTTP request message is called the request line; the subsequent
lines are called the header lines. The request line has three fields: the method field,
the URL field, and the HTTP version field. The method field can take on several
different values, including GET, POST, HEAD, PUT, and DELETE etc. The great
majority of HTTP request messages use the GET method. The GET method is used
when the browser requests an object, with the requested object identified in the
URL field.
• GET: Retrieve Document identified in URL.
• HEAD: Retrieve meta information about document identified in URL.
• DELETE: Delete specified URL.
• OPTIONS: Request information about available options.
• PUT: Store document under specified URL.
• POST: Give information to server.
• TRACE: Loopback request message.
• CONNECT: For use by Proxies

ADVANTAGES:-
• Platform independent - Allows straight cross platform porting.
• No Runtime support required to run properly.
• Usable over firewalls! Global applications possible.
• Not Connection Oriented – No network overhead to create and maintain session state and
information.
• Ease of programming. HTTP is coded in plain text and therefore is easier to follow and
implement than protocols that make use of codes that require lookups.
• Flexibility.
LIMITATIONS:-
• Privacy
Anyone can see content
• Integrity
someone might alter content. HTTP is insecure since no encryption methods are used.
Hence is subject to main in the middle and eavesdropping of sensitive information.
• Authentication
Not clear who you are talking with. Authentication is sent in the clear – Anyone who
intercepts the request can determine the username and password being used.
• Information sent via HTTP is not encrypted and can pose a threat to your privacy.
• Packet headers are larger than other protocols as they are needed for security and quality
assurance of the information being transferred.

SECURE SOCKETS LAYER
INTRODUCTION:-
SSL (Secure Sockets Layer) is a standard security protocol for establishing encrypted links between a
web server and a browser in an online communication. The usage of SSL technology ensures that all
data transmitted between the web server and browser remains encrypted.
DEFINITION:-
An SSL certificate is necessary to create SSL connection. You would need to give all details about
the identity of your website and your company as and when you choose to activate SSL on your web
server. Following this, two cryptographic keys are created - a Private Key and a Public Key.
What is SSL used for?
• The SSL protocol is used by millions of online business to protect their customers, ensuring their
online transactions remain confidential. A web page should use encryption when it expects users
to submit confidential data, including personal information, passwords, or credit card details. All
web browsers have the ability to interact with secured sites so long as the site's certificate is
issued by a trusted CA.

• Who issues SSL Certificates?
A certificate authority or certification authority (CA) issues SSL certificates.
On receiving an application, the CA verifies two factors: It confirms the legal
identity of the enterprise/company seeking the certificate and whether the
applicant controls the domain mentioned in the certificate. The issued SSL
certificates are chained to a 'trusted root' certificate owned by the CA. Most
popular internet browsers such as Firefox, Chrome, Internet Explorer,
Microsoft Edge, and others have these root certificates embedded in their
'certificate store'. Only if a website certificate chains to a root in its certificate
store will the browser allow a trusted and secure https connection. If a website
certificate does not chain to a root then the browser will display a warning that
the connection is not trusted.

Certificate Type
• Single Domain Certificates
• A single domain certificate allows a customer to secure one Fully Qualified Domain Name on a
single certificate. For example, a certificate purchased for www.domain.com will allow
customers to secure any and all pages on www.domain.com/. Single domain certificates are
available in DV, OV and EV variants at a variety of price points and warranty levels. The
straightforward nature of the single domain certificate makes it ideal for small to medium sized
businesses managing a limited number of websites. However, businesses that operate or
anticipate operating multiple websites may benefit from the added flexibility, convenience and
savings offered by wildcard or multi-domain certificates.
• Examples: Instant SSL, Instant SSL Pro, Instant SSL Premium
• Wildcard SSL Certificate
• A Wildcard certificates allows businesses to secure a single domain and unlimited sub-domains
of that domain. For example, a wildcard certificate for '*.domain.com' could also be used to
secure 'payments.domain.com', 'login.domain.com, 'anything-else.domain.com' etc. A wildcard
certificate will automatically secure any sub-domains that a business adds in the future. They
also help simplify management processes by reducing the number of certificates that need to be
tracked. For growing online businesses, Wildcard certificates provide a flexible, cost effective
alternative to multiple single certificate purchases
• Example: Comodo Premium SSL Wildcard

Multi Domain SSL Certificate
As the name suggests, a Multi-Domain certificate allows website owners to secure multiple, distinct
domains on a one certificate. For example, a single MDC can be used to secure domain-1.com,
domain-2.com, domain-3.co.uk, domain-4.net and so on. Indeed, an MDC will allow you to secure
up to 100 different domains (or wildcard domains) on a single certificate. Customers can easily add
or remove domains at any time. This simplifies SSL management because administrators need only
keep track of a single certificate with a unified expiry date for all domains instead of keeping tabs on
multiple certificates. In addition, MDCs usually represent a cost saving over the price of individual
certificates.
Example: Comodo Multi-Domain Certificate, Comodo EV Multi-Domain Certificate
Unified Communications Certificate (UCC):
Unified Communications Certificates are specifically designed to secure Microsoft® Exchange and
Office Communications environments. UC certificates use the Subject Alternative Name (SAN) field
to allow customers to include up to 100 domains on a single certificate - eliminating the need for
different IP addresses per website that would be required otherwise. UC Certificates also support the
Microsoft Exchange Autodiscover service, a powerful feature which greatly eases client
administration. As with MDCs, a single UCC can greatly reduce SSL management duties while
allowing customers to realize cost savings over individual purchases.
Examples: Comodo Unified Communications Certificates

The Benefits of SSL Certificates
SSL is a simple yet secure channel to transmit the data securely. It is valuable to both customers and businesses
considering the level of security it brings to their cloud-based transactions.
• Kick out the Hackers
You have to be extremely cautious about phishing sites. These are an almost perfect replica of an original,
authentic site and have many techniques to lure you into providing your sensitive information.
But SSL identifies what we humans will not be able to and ensures that these fake sites will never see the light
of day.
It is difficult and impossible for fake sites to acquire SSL certificates and when customers are warned of the
absence of SSLcertificate, they will avoid falling prey to these fake sites.
As well SSL certificate will help you to protect your website from eavesdropping, man-in-middle-attack and
sniffing attacks.
• Boost Ranking & Increase Brand Value
• A few months ago, Google updated its algorithm and added HTTPS as a ranking signal. If your website is
secured with SSL certificate and web URL starts with a secure HTTPS protocol, then you will get the
ranking advantage in search engines.
• Using SSL dramatically improves the perception that users have of your brand. When your site has signed
by a trusted third party certificate, your customers are ensured that they are indeed on a valid and trusted
site. They will be less worried about security issues and will engage with you more effectively.
• Secure Payments to Experience Safe Shopping
• No one will dare to send their credit card information over a simple HTTP website. It is also mandatory for
a business site to have an SSL certificate to meet the PCI security standards set forth by the payment card
industries.
• Without the use of SSL, business sites cannot even dream of having a single successful credit card
transaction. By implementing SSL, visitors will find your website more trustworthy and experience secure
shopping over the HTTPS site.

• Build Trust with Extended Authentication
• Customers are becoming more and more security aware. As a lot of sensitive information,
such as bank passwords and personal details, are exchanged in a cloud platform, a secure
authentication mechanism must be provided to ensure data protection.
• SSL achieves this feat by issuing a server certificate along with the SSL certificate. This
server certificate increases the trust factor of the service provided and helps the customer
verify whether you are really who you claim to be.
• CAs follows a different validation process to authenticate your business reliability. The
process depends on which certificate you choose – domain validation, organization validation,
and extended validation. Domain Validation certificate verifies only domain authentication
and organization validation certificate validates your business reliability when extended
validation (EV) SSL certificate confirms your business existence and trustworthiness by
affirming legal documents. It ensures that the site is highly authenticated and secured to carry
online transactions by displaying must security trust mark “Green Bar”.
• Strongest Encryption to Secure Information
• All the information transferred over an SSL connection is encrypted and there is no way an
interceptor could decipher your information.
• Encryption algorithms like RSA, DSA, and ECC are currently used by most certificate
authorities. When the credit card data and other private information will travel between the
web server and users’ browser, the site will be secured with robust encryption (for example,
SHA256-bit encryption) that left no place for hackers to sniff transmitting information. So
you can rest assured that the information will always only reach the intended parties.

The Pros - Assuring Reasons Why Your Website must have SSL
• The obvious benefit of SSL encryption is that your website data will be safe from third-party hacking or
interception. The connections to and fro from the web browser to the server will remain intact.
• There are also a number of other benefits that make it compelling to invest in SSL certificates.
Improves trust
• A study by Bizrate found that a majority of US customer distrust to conduct online transactions due to credit
card and privacy concerns.
• With HTTPS such hesitation from customers to shop and pay online can be removed. Studies have proved that
displaying trust seals in online shops helps improve conversion rates significantly.
• Customers find it easier to divulge their payment instructions and private details like name, location, address,
etc. when the website is encrypted and immune to security threats.
Ensures Data Integrity
• Ebay, Home Depot, Target and a host of other retailers have been victims of hacking in the past. They lost
valuable customer information and even payment records because their websites lacked HTTPS protection. SSL
certificates can facilitate data integrity for online retailers. It ensures that the data stored in online servers are
always intact and protected from external threats.
Boosts SEO ranking
• Like we said at the beginning of the article, Google is all set to introduce HTTPS as a search engine ranking
signal. The search engine believes that this is necessary to cultivate a web culture where the data security of
users is protected by all means. In the coming months, Google will flag websites without HTTPS as ‘not safe’.
• In other words, if your website is HTTPS enabled, then you will be given preference over websites which are
not secure.
Establishes identity
• Extended Validation (EV) SSL certificates establish the legal ownership of a website. They give visitors the
assurance that the website they are visiting is indeed owned by the said organization

The Cons - Reasons why you may not want SSL certificate
They cost money
• Let’s face the hard truth. Nothing good ever comes free of cost. SSL encryption
which can guard your website from data security threats obviously costs a bit of
money. However, considering the benefits like SEO ranking, security, and customer
trust it delivers, this cost should not be a cause for concern.
Technical complications
• Although the SSL configuration is fairly simple for a techie it can sometimes be
complex for others. Especially in the case of multi-domain SSL certificates, there is
a high chance of error which will potentially scare away visitors. Applying the
HTTPS tag across all web pages is not easy and requires expertise.
Mobile configuration is not easy
• SSL certificates were primarily intended for website security, mobile devices may
not have been considered. This has meant that in recent years as the widespread
usage of mobile devices has developed, so too have many complications. Website
owners have to use third-party applications or build in-house applications to keep
websites functioning the same way as mobile devices.

FIREWALLAS SECURITY CONTROL
INTRODUCTION
A firewall is a system designed to prevent unauthorized access to or from a
private network. You can implement a firewall in either hardware or software form, or a
combination of both. Firewalls prevent unauthorized internet users from accessing private
networks connected to the internet, especially intranets
A firewall is software used to maintain the security of a private
network. Firewalls block unauthorized access to or from private networks and are often
employed ..
How Firewalls Work. :-
A firewall is simply a program or hardware device that filters the information coming
through the Internet connection into your private network or computer system. If an incoming
packet of information is flagged by the filters, it is not allowed through.

TYPES
Packet filtering firewalls
• This, the original type of firewall, operates inline at junction points where devices such as routers and
switches do their work.
• However, this firewall doesn't route packets, but instead compares each packet received to a set of established
criteria -- such as the allowed IP addresses, packet type, port number, etc. Packets that are flagged as
troublesome are, generally speaking, unceremoniously dropped -- that is, they are not forwarded and, thus,
cease to exist.
Circuit-level gateways
• Using another relatively quick way to identify malicious content, these devices monitor the TCP
handshakes across the network as they are established between the local and remote hosts to determine
whether the session being initiated is legitimate -- whether the remote system is considered trusted. They don't
inspect the packets themselves, however.
Stateful inspection firewalls
• State-aware devices, on the other hand, not only examine each packet, but also keep track of whether or not
that packet is part of an established TCP session. This offers more security than either packet filtering or
circuit monitoring alone, but exacts a greater toll on network performance.
• A further variant of stateful inspection is the multilayer inspection firewall, which considers the flow of
transactions in process across multiple layers of the ISO Open Systems Interconnection seven-layer model.
Application-level gateways
• This kind of device, technically a proxy, and sometimes referred to as a proxy firewall, combines some of the
attributes of packet filtering firewalls with those of circuit-level gateways. They filter packets not only
according to the service for which they are intended -- as specified by the destination port -- but also by
certain other characteristics, such as the HTTP request string.
• While gateways that filter at the application layer provide considerable data security, they can dramatically
affect network performance.

Next-gen firewalls
• This looser category is the most recent -- and least-well delineated -- of the types of firewalls.
A typical next-gen product combines packet inspection with stateful inspection, but also
includes some variety of deep packet inspection.
Firewall rule actions
Firewall rules can take the following actions:
• Allow: Explicitly allows traffic that matches the rule to pass, and then implicitly denies
everything else.
• Bypass: Allows traffic to bypass both firewall and intrusion prevention analysis. Use this
setting for media-intensive protocols or for traffic originating from trusted sources. A bypass
rule can be based on IP, port, traffic direction, and protocol.
• Deny: Explicitly blocks traffic that matches the rule.
• Force Allow: Forcibly allows traffic that would otherwise be denied by other rules.Traffic
permitted by a Force Allow rule will still be subject to analysis by the intrusion prevention
module.
• Log only: Traffic will only be logged. No other action will be taken.
More about Allow rules
Allow rules have two functions:
• Permit traffic that is explicitly allowed.
• Implicitly deny all other traffic.

Advantages :-
• Makes Security Transparent to End-Users.
• Easy to install.
• Packet filters make use of current network routers. Therefore implementing a
packet filter security system is typically less complicated than other network
security solutions.
• High speed
Disadvantages :-
• Packet filtering routers are not very secure.
• Difficulty of setting up packet filtering rules to the router
• There isn’t any sort of user based Authentication.
• Packet filter cannot authenticate information coming from a specific user.

PUBLIC KEY INFRASTRUCTURE FOR SECURITY
INTRODUCTION :-
A Public key infrastructure (PKI) is a set of roles, policies, and procedures
needed to create, manage, distribute, use, store & revoke digital certificates and manage public-
key encryption. ... An RA is responsible for accepting requests for digital certificates and
authenticating the entity making the request.
• How Does PKI Work?
PKI (or Public Key Infrastructure) is the framework of encryption and cybersecurity that protects
communications between the server (your website) and the client (the users). It works by using two
different cryptographic keys, a public key and a private key. The public key is available to any user
that connects with the website. The private key is a unique key generated when a connection is made,
and kept secret. When communicating, the client uses the public key to encrypt and decrypt, and the
server uses the private key. This protects the user’s information from theft or tampering.
PKI security is used in many different ways. The following are a few ways that PKI security can be
used.
• Securing Emails
• Securing web communications (such as retail transactions)
• Digitally signing software
• Digitally signing applications
• Encrypting files
• Decrypting files
• Smart card authentication

Components of Public Key Infrastructure (PKI)
• It starts with trust. ...
• Certification Authorities. ...
• Private and public keys. ...
• Certificate enrollment. ...
• Digital certificates. ...
• Usage scenarios. ...
• Maintaining security in a PKI environment
Benefits :-
• Secure access control. With a unique verifiable identity you can determine what level of
access to grant to that device. In addition, you can now deny access to anyone who does not
have a proper certificate – no cert, no way. In addition, if you find out a certificate has been
somehow compromised, because it is unique and identifiable, you can revoke its access
privileges and that certificate will no longer be granted access.
• Mutual Authentication. In the days before IoT and autonomous networked devices, the
device didn’t need to be authenticated, just the servers. You wanted to make sure that the
website you were logging into was actually a bank and not some bogus phishing site. The
bank authenticated your identity through your login and password. With IoT, the device needs
to be authenticated and the device also needs to authenticate the server it is talking to. With
digital certificates and secure elements, this is now practical.

Secure Over-the-Air (OTA) Update. The problem with many devices today is that they will accept
software updates from anyone. Remember, you want a device to only accept software that is verified
and comes from a trusted server. The certificates allow the device to prove it should receive an update
and which one, and the cryptography in the secure element allows the device to verify the server as
well as the signed code.
Advantages :
• PKI is a standards-based technology.
• It allows the choice of trust provider.
• It is highly scalable. Users maintain their own certificates, and certificate authentication involves
exchange of data between client and server only. This means that no third party authentication
server needs to be online. There is thus no limit to the number of users who can be supported using
PKI.
• PKI allows delegated trust. That is, a user who has obtained a certificate from a recognized and
trusted certificate authority can authenticate himself to a server the very first time he connects to
that server, without having previously been registered with the system.
• Although PKI is not notably a single sign-on service, it can be implemented in such a way as to
enable single sign-on.

Problems with PKI :-
1. PKI has too many moving parts
• Complexity is the enemy of good computer security. The more moving parts you have, the
easier it is to find weaknesses, and the harder it is to implement And few computer security
defenses have more moving parts than a properly set-up PKI.
• You need to begin with an offline root CA (certificate authority). It must be truly offline, or it's
subject to compromise. Then you need two or more CAs that do the work of issuing certificates.
Your CAs need to be protected by an HSM (hardware security module), which is a piece of
hardware that guards the most important private cryptography keys of the PKI. Normally, you
need a few of these, and the total cost can easily reach $100,000.
• You also need two or more websites to store the CA's own certificate and CRLs (certificate
revocation lists). You usually need two of these internally, on the network, and perhaps two
more externally. These days, most PKI designers recommend two or more OCSP (online
certificate status protocol) servers, which are supposed to create less CRL traffic between
clients and CA servers.
2. Even when PKI works perfectly, it doesn't work
• Worse, even when you set up PKI perfectly and without error, and it works the way it’s intended
to work ... it doesn't work! Well, it works, but that's only because people and applications tend
to ignore PKI errors.
• Everyone knows that the little padlock on the browser bar means that a website connection is
supposedly secure thanks to PKI.
• But the complexity of PKI means that many websites and applications end up with PKI errors,
which cause the little padlock to disappear or to remain unlocked. Many times the browser will
warn you that a website's digital certificate is not valid and recommend not going to the
website.

3. PKI doesn't solve the biggest security problems
• Despite points No. 1 and 2, I love PKI. It's very good at what it does if people,
devices, and applications don't ignore its warnings. But the biggest problem with
PKI isn't PKI itself. It's that almost all of the problems that PKI solves aren't the
ones being exploited by today's attackers.
• Most exploits occur due to unpatched software, followed by socially engineered
Trojan horse programs. Together, these two vectors probably account for 99 percent
off all successful attacks in most environments, and PKI doesn't fix either problem.
4. Eventually, PKI will stop working forever
• Here’s this is the real kicker. One day, all secrets protected by PKI will be revealed.
Yep, that's not a misprint.
• One day, the incredibly hard math, involving large prime numbers, won't be so
difficult to solve anymore. Public key cryptography only works because of the math
involved. But computers are only going to get better over time at solving
cryptographic puzzles.
• For example, one of the biggest promises of Quantum computing, whenever it
finally gets perfected, is that it will be able to immediately break open PKI-
protected secrets. Sometime in the near- to mid-term future, useful Quantum
computers will become a reality. When they do, most public crypto will fall.

Security Threats in E-Commerce

More Related Content

What's hot (20)

Similar to Security Threats in E-Commerce (20)

More from Dattatreya Reddy Peram (19)

Recently uploaded (20)

Security Threats in E-Commerce