Abstract image of a woman sitting on books and studying on a laptop

Unit 3B.pdf

T
TuhinUtsabPaul

This document discusses e-commerce security. It begins by defining cyber security and its goals of reducing risk from cyber attacks and protecting systems from unauthorized access. It then discusses dimensions of e-commerce security including integrity, non-repudiation, authenticity, confidentiality, privacy, and availability. The document outlines the most common security threats such as malicious code, phishing, hacking, data breaches, and denial of service attacks. It provides details on specific threats and how they compromise systems. In closing, it briefly mentions additional threats like sniffing, insider attacks, and social media/mobile platform security issues.

Data & Analytics
1 of 46
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
E-commerce Security
Cyber Security • Cyber security is the application of technologies, processes, and controls to protect systems, networks, programs, devices and data from cyber attacks. • It aims to reduce the risk of cyber attacks and protect against the unauthorized exploitation of systems, networks, and technologies. • Security is an essential part of any transaction that takes place over the internet.
What Is Good E-commerce Security? • New technologies • Organizational policies and procedures • Industry standards and government laws To achieve highest degree of security • Time value of information • Cost of security vs. potential loss • Security often breaks at weakest link Other factors
What Is Good E-commerce Security? Good ecommerce security requires a set of laws, procedures, policies and technologies that to the extent feasible, protect individuals and organizations from the unexpected behaviour in the ecommerce marketplace.
Dimensions of e-commerce security ● Integrity ● Non-Repudiability ● Authenticity ● Confidentiality ● Privacy ● Availability
Integrity ● Integrity refers to the ability to ensure that information being displayed on a Web site, or transmitted or received over the Internet, has not been altered in any way by an unauthorized party. ● Example: If an unauthorized person intercepts and changes the contents of an online communication, such as by redirecting a bank wire transfer into a different account, the integrity of the message has been compromised because the communication no longer represents what the original sender intended.
Nonrepudiation ● Nonrepudiation refers to the ability to ensure that e-commerce participants do not deny (i.e., repudiate) their online actions. ● It is the protection against the denial of order or denial of payment. Once a sender sends a message, the sender should not be able to deny sending the message. Similarly, the recipient of message should not be able to deny the receipt. ● For instance, the availability of free e-mail accounts with alias names makes it easy for a person to post comments or send a message and perhaps later deny doing so. ● Even when a customer uses a real name and e-mail address, it is easy for that customer to order merchandise online and then later deny doing so. ● In most cases, because merchants typically do not obtain a physical copy of a signature, the credit card issuer will side with the customer because the merchant has no legally valid proof that the customer ordered the merchandise.
Authenticity ● Authenticity refers to the ability to identify the identity of a person or entity with whom you are dealing on the Internet. ● There should be a mechanism to authenticate a user before giving him/her an access to the required information.
Confidentiality ● Confidentiality refers to the ability to ensure that messages and data are available only to those who are authorized to view them. Privacy ● privacy, which refers to the ability to control the use of information a customer provides about himself or herself to an e-commerce merchant. ● E-commerce merchants have two concerns related to privacy. They must establish internal policies that govern their own use of customer information, and they must protect that information from illegitimate or unauthorized use. For example, if hackers break into an e-commerce site and gain access to credit card or other information, this violates not only the confidentiality of the data, but also the privacy of the individuals who supplied the information.
Availability ● Availability refers to the ability to ensure that an e-commerce site continues to function as intended. ● Data should be recorded in such a way that it can be audited for integrity requirements.
Security Threats in the E-commerce Environment • Three key points of vulnerability in e-commerce environment: 1. Client 2. Server 3. Communications pipeline (Internet communications channels)
A Typical E-commerce Transaction Figure 5.2, Page 256 Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-12
Vulnerable Points in an E-commerce Transaction Figure 5.3, Page 257 Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-13 There are three major vulnerable points in e-commerce transactions: Internet communications, servers, and clients.
Most Common Security Threats in the E-commerce Environment Types of Malicious Code • Malicious code (malware, exploits) – Drive-by downloads – Viruses – Worms – Ransomware – Trojan horses – Backdoors – Bots, botnets – Threats at both client and server levels
Malicious code • A drive-by download is malware that comes with a downloaded file that a user intentionally or unintentionally requests. • A virus is a computer program that has the ability to replicate or make copies of itself and spread to other files. • Viruses are often combined with a worm. Instead of just spreading from file to file, a worm is designed to spread from computer to computer. A worm does not necessarily need to be activated by a user or program in order for it to replicate itself. • Ransomware (scareware) is a type of malware (often a worm) that locks your computer or files to stop you from accessing them.
Malicious code (Trojan Horses) • The term Trojan horse refers to the huge wooden horse in Homer’s Iliad that the Greeks gave their opponents, the Trojans—a gift that actually contained hundreds of Greek soldiers. Once the people of Troy let the massive horse within their gates, the soldiers revealed themselves and captured the city. • In today’s world, a Trojan horse may masquerade as a game, but actually hide a program to steal your passwords and e-mail them to another person. • A Trojan horse appears to be benign, but then does something other than expected. The Trojan horse is not itself a virus because it does not replicate but is often a way for viruses or other malicious code such as bots or rootkits (a program whose aim is to subvert control of the computer’s operating system) to be introduced into a computer system.
Malicious code cont… • A backdoor is a feature of viruses, worms, and Trojans that allows an attacker to remotely access a compromised computer. • Bots (short for robots) are a type of malicious code that can be secretly installed on your computer when attached to the Internet. • Botnets are collections of captured computers used for malicious activities such as sending spam, participating in a DDoS attack, stealing information from computers, and storing network traffic for later analysis.
Most Common Security Threats (cont.) • Potentially Unwanted Programs (PUPs) (program that installs itself in a computer, typically without the user’s informed consent) – Browser parasites – Adware – Spyware • Phishing – Social engineering – E-mail scams – Spear-phishing – Identity fraud/theft
Potentially Unwanted Programs (PUPs) • PUPs install themselves on a computer, such as rogue security software, typically without the user’s informed consent. Ex. Adware, Browser parasites, Spyware etc. • Adware is typically used to call for pop-up ads to display when the user visits certain sites. • Browser parasite is a program that can monitor and change the settings of a user’s browser, for instance, changing the browser’s home page, or sending information about the sites visited to a remote computer. • Spyware can be used to obtain information such as a user’s keystrokes, copies of e-mail and instant messages, and even take screenshots (and thereby capture passwords or other confidential data).
Most Common Security Threats (cont.) • Social engineering relies on human curiosity, greed, and gullibility in order to trick people into taking an action that will result in the downloading of malware. • Phishing is any deceptive, online attempt by a third party to obtain confidential information for financial gain. Phishing attacks typically do not involve malicious code but instead rely on straightforward misrepresentation and fraud, so-called “social engineering” techniques. • One of the most popular phishing attacks is the e-mail scam letter. The scam begins with an e-mail: a rich former oil minister of Nigeria is seeking a bank account to stash millions of dollars for a short period of time, and requests your bank account number where the money can be deposited. In return, you will receive a million dollars. This type of e-mail scam is popularly known as a “Nigerian letter” scam. • Thousands of other phishing attacks use other scams, some pretending to be eBay, PayPal, or Citibank writing to you for “account verification” (known as “spear phishing,” or targeting a known customer of a specific bank or other type of business). Click on a link in the e-mail and you will be taken to a Web site controlled by the scammer, and prompted to enter confidential information about your accounts, such as your account number and PIN codes.
Most Common Security Threats (cont.) Hacking • Hackers and crackers • Types of hackers: White, black, grey hats • Hacktivism Cybervandalism: • Disrupting, defacing, destroying Web site Data breach • Losing control over corporate information to outsiders
Most Common Security Threats (cont.) • Hacker is an individual who intends to gain unauthorized access to a computer system. • Cracker is used to denote a hacker with criminal intent, although in the public press, the terms hacker and cracker tend to be used interchangeably. • In the past, hackers and crackers typically were computer experts excited by the challenge of breaking into corporate and government Web sites. Sometimes they were satisfied merely by breaking into the files of an e-commerce site. • Today, hackers have malicious intentions to disrupt, deface, or destroy sites (cybervandalism) or to steal personal or corporate information they can use for financial gain (data breach). • Hacktivism adds a political twist. Hacktivists typically attack governments, organizations, and even individuals for political purposes, employing the tactics of cyber vandalism, distributed denial of service attacks, data thefts, doxing (gathering and exposing personal information of public figures, originating from the term “documents” or “docx”), and more.
Most Common Security Threats (cont.) • Groups of hackers called tiger teams are sometimes used by corporate security departments to test their own security measures. By hiring hackers to break into the system from the outside, the company can identify weaknesses in the computer system’s armor. • These “good hackers” are known as white hats because of their role in helping organizations locate and fix security flaws. White hats do their work under contract, with agreement from clients. • Black hats are hackers who engage in the same kinds of activities but without pay or any buy-in from the targeted organization, and with the intention of causing harm. They break into Web sites and reveal the confidential or proprietary information. These hackers believe strongly that information should be free, so sharing secret information is part of their mission. • Grey hats are hackers who believe they are pursuing some greater good by breaking in and revealing system flaws. Grey hats discover weaknesses in a system’s security, and then publish the weakness without disrupting the site or attempting to profit from their finds. Their only reward is the prestige of discovering the weakness. • Grey hat actions are suspect, however, especially when the hackers reveal security flaws that make it easier for other criminals to gain access to a system.
Data Breach • Occurs whenever organizations lose control over corporate information to outsiders. • According to Symantec, data about more than 230 million people were exposed in 2011 as a result of data breaches. • Breaches caused by hacker attacks were responsible for exposing more than 187 million identities. • Significant breaches that did occur included a data breach at Zappos.com that affected 24 million customers, the compromise of a payment processor for Visa and Mastercard, and a breach at LinkedIn, exposing the data of 6.5 million members.
Most Common Security Threats (cont.) • Credit card fraud/theft • Spoofing and pharming • Spam (junk) Web sites (link farms) • Identity fraud/theft • Denial of service (DoS) attack – Hackers flood site with useless traffic to overwhelm network • Distributed denial of service (DDoS) attack Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-25
Credit card fraud/theft • Theft of credit card data is one of the most feared occurrences on the Internet. • Fear that credit card information will be stolen prevents users from making online purchases in many cases. • Incidences of stolen credit card information are much lower than users think, around 0.8% of all online card transactions (CyberSource, 2013) • Online credit card fraud is twice as common as offline card fraud. • In the past, the most common cause of credit card fraud was a lost or stolen card that was used by someone else, followed by employee theft of customer numbers and stolen identities (criminals applying for credit cards using false identities). • But today, the most frequent cause of stolen cards and card information is the systematic hacking and looting of a corporate server where the information on millions of credit card purchases is stored.
Spoofing and pharming • Spoofing involves attempting to hide a true identity by using someone else’s e-mail or IP address. For instance, a spoofed e-mail will have a forged sender e-mail address designed to mislead the receiver about who sent the e-mail. • IP spoofing involves the creation of TCP/IP packets that use someone else’s source IP address, indicating that the packets are coming from a trusted host. • Most current routers and firewalls can offer protection against IP spoofing. • Spoofing a Web site sometimes involves pharming, automatically redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination. • Links that are designed to lead to one site can be reset to send users to a totally unrelated site—one that benefits the hacker. • Although spoofing and pharming do not directly damage files or network servers, they threaten the integrity of a site. • For example, if hackers redirect customers to a fake Web site that looks almost exactly like the true site, they can then collect and process orders, effectively stealing business from the true site. • In addition to threatening integrity, spoofing also threatens authenticity by making it difficult to discern the true sender of a message.
Spam (junk) Web sites (link farms) • Spam (junk) Web sites (also sometimes referred to as link farms) are sites that promise to offer some product or service, but in fact are just a collection of advertisements for other sites, some of which contain malicious code. • For instance, you may search for “[name of town] weather,” and then click on a link that promises your local weather, but then discover that all the site does is display ads for weather-related products or other Web sites. • Junk or spam Web sites typically appear on search results, and do not involve e-mail. • These sites hides their identities by using domain names similar to legitimate firm names, and redirect traffic to known spammer-redirection domains.
Identity fraud/theft • Identity fraud involves the unauthorized use of another person’s personal data, such as social security, driver’s license, and/or credit card numbers, as well as user names and passwords, for illegal financial benefit • Criminals can use such data to obtain loans, purchase merchandise, or obtain other services, such as mobile phone or other utility services • Cybercriminals employ many of the techniques described previously, such as spyware, phishing, data breaches, and credit card theft, for the purpose of identity fraud.
Denial of service (DoS) attack • In a Denial of Service (DoS) attack, hackers flood a Web site with useless pings or page requests that inundate and overwhelm the site’s Web servers. • DoS attacks involve the use of bot networks and so-called “distributed attacks” built from thousands of compromised client computers. • DoS attacks typically cause a Web site to shut down, making it impossible for users to access the site. • For busy e-commerce sites, these attacks are costly; while the site is shut down, customers cannot make purchases.
Distributed denial of service (DDoS) attack • Distributed Denial of Service (DDoS) attack uses hundreds or even thousands of computers to attack the target network from numerous launch points. • DoS and DDoS attacks are threats to a system’s operation because they can shut it down indefinitely.
Most Common Security Threats (cont.) • Sniffing – Eavesdropping program that monitors information traveling over a network • Insider attacks • Poorly designed server and client software • Social network security issues • Mobile platform security issues – Vishing, smishing, madware • Cloud security issues
Sniffing • A sniffer is a type of eavesdropping program that monitors information traveling over a network. • When used legitimately, sniffers can help identify potential network trouble-spots, but when used for criminal purposes, they can be damaging and very difficult to detect. • Sniffers enable hackers to steal proprietary information from anywhere on a network, including passwords, e-mail messages, company files, and confidential reports. • E-mail wiretaps are a variation on the sniffing threat.
Insider attacks • The largest financial threats to business institutions come not from robberies but from embezzlement by insiders. • Bank employees steal far more money than bank robbers. • In e-commerce sites, some of the largest disruptions to service, destruction to sites, and diversion of customer credit data and personal information have come from insiders—once trusted employees. • Employees have access to privileged information, and, in the presence of sloppy internal security procedures, they are often able to roam throughout an organization’s systems without leaving a trace.
Poorly designed server and client software • Many security threats prey on poorly designed server and client software, sometimes in the operating system and sometimes in the application software, including browsers. • The increase in complexity and size of software programs, coupled with demands for timely delivery to markets, has contributed to an increase in software flaws or vulnerabilities that hackers can exploit. • For instance, SQL injection attacks take advantage of vulnerabilities in poorly coded Web application software that fails to properly validate or filter data entered by a user on a Web page to introduce malicious program code into a company’s systems and networks.
Technology Solutions • Protecting Internet communications – Encryption • Securing channels of communication – SSL, VPNs • Protecting networks – Firewalls • Protecting servers and clients
Tools Available to Achieve Site Security
Encryption • Encryption – Transforms Plain text or data into cipher text readable only by sender and receiver – Secures stored information and information transmission – Provides 4 of 6 key dimensions of e-commerce security: • Message integrity • Nonrepudiation • Authentication • Confidentiality ● The transformation of plain text to cipher text is accomplished by using a key or cipher. ● A key (or cipher) is any method for transforming plain text to cipher text.
Different Cipher • In a substitution cipher, every occurrence of a given letter is replaced systematically by another letter. • Example : Cipher : letter plus two (replace every letter in a word with a new letter two places forward) Plain Text : Hello Cipher text: JGNNQ • In a transposition cipher, the ordering of the letters in each word is changed in some systematic way. • Example, Leonardo Da Vinci recorded his shop notes in reverse order, making them readable only with a mirror. Plain Text: Hello Cipher Text : OLLEH
Symmetric Key Encryption Or secret key encryption ● In order to decipher the encrypted messages, the receiver would have to know the secret cipher that was used to encrypt the plain text. ● Both the sender and the receiver use the same key to encrypt and decrypt the message. They have to send it over some communication media or exchange the key in person. ● Symmetric key encryption was used extensively throughout World War II and is still a part of Internet encryption. ● Flaws of simple Substitution and Transposition ciphers : 1. In the digital age, computers are so powerful and fast that these ancient means of encryption can be broken quickly. 2. In order to share the same key, they must send the key over a presumably insecure medium where it could be stolen and used to decipher messages. 3. in commercial use, where we are not all part of the same team, a secret key is needed for each of the parties in transaction.
Symmetric Key Encryption Or secret key encryption • The strength of modern security protection is measured in terms of the length of the binary key used to encrypt the data. • Modern digital encryption systems use keys with 56, 128, 256, or 512 binary digits. • Algorithms for Symetric Key encryption: DES, AES Data Encryption Standard (DES) Advanced Encryption Standard (AES) ● Developed by the National Security Agency (NSA) and IBM in the 1950s. ● DES uses a 56-bit encryption key. ● To cope with much faster computers, it has been improved by Triple DES—essentially encrypting the message three times, each with a separate key. ● The most widely used symmetric key encryption algorithm nowadays. ● Offers key sizes of 128, 192, and 256 bits. ● There are also many other symmetric key systems that are currently less widely used, with keys up to 2,048 bits.
Public Key Encryption ● Public key cryptography solves the problem of exchanging keys. ● The mathematical algorithms used to produce the keys are one-way functions (Ex. one-way irreversible mathematical function). ● The keys are sufficiently long (128, 256, and 512 bits) Sender uses recipient’s public key to encrypt message; recipient uses private key to decrypt it Once key used to encrypt message, same key cannot be used to decrypt message Both keys used to encrypt and decrypt message Uses two mathematically related digital keys Public key (widely disseminated) Private key (kept secret by owner)
Insight on Business: Class Discussion Public Key Cryptography: A Simple Case
Public Key Encryption using Digital Signatures and Hash Digests • In public key encryption, although we can be quite sure the message was not understood or read by a third party, there is no guarantee the sender really is the sender; that is, there is no authentication of the sender. • The sender could deny ever sending the message(repudiation) • No assurance the message was not altered somehow in transit. • To check the integrity of a message and ensure it has not been altered in transit,a hash function is used first to create a digest of the message.
Public Key Encryption using Digital Signatures and Hash Digests • Hash function: – Mathematical algorithm that produces fixed-length number called message or hash digest • Hash digest of message sent to recipient along with message to verify integrity • Hash digest and message encrypted with recipient’s public key • Entire cipher text then encrypted with recipient’s private key—creating digital signature—for authenticity, nonrepudiation • Digital Signature: — It is a close parallel to a handwritten signature. • Like a handwritten signature, a digital signature is unique—only one person presumably possesses the private key. • When used with a hash function, the digital signature is even more unique than a handwritten signature. • When used to sign a hashed document, the digital signature is also unique to the document, and changes for every document.
Public Key Cryptography with Digital Signatures

More Related Content

PPT
Chapter 4 universal design
Pado Pado
 
PDF
Mobile Information Architecture
Lifna C.S
 
PPTX
07. datacenters
Muhammad Ahad
 
PPTX
Unit5 Cloud Federation,
Integral university, India
 
PPT
Windows Security in Operating System
Meghaj Mallick
 
PPTX
Systems development cycle
Samuel Igbanogu
 
PPTX
Object Oriented Testing
AMITJain879
 
PDF
Human computer interaction
National Institute of Technology Durgapur
 
Chapter 4 universal design
Pado Pado
 
Mobile Information Architecture
Lifna C.S
 
07. datacenters
Muhammad Ahad
 
Unit5 Cloud Federation,
Integral university, India
 
Windows Security in Operating System
Meghaj Mallick
 
Systems development cycle
Samuel Igbanogu
 
Object Oriented Testing
AMITJain879
 
Human computer interaction
National Institute of Technology Durgapur
 

What's hot (20)

PPTX
09. storage-part-1
Muhammad Ahad
 
PPTX
08. networking-part-2
Muhammad Ahad
 
PDF
User Interface Design-Module 4 Windows
brindaN
 
PPT
Firewall
nayakslideshare
 
PPTX
Web Server - Internet Applications
sandra sukarieh
 
PPTX
The internet
Catherine Matias
 
PPTX
ppt of web designing and development
47ishu
 
PPTX
Dos attack
Suraj Swarnakar
 
PDF
Lecture 3: Human-Computer Interaction: HCI Design (2014)
Lora Aroyo
 
PPTX
05. performance-concepts-26-slides
Muhammad Ahad
 
PPTX
12. End user devices.pptx
Sibghatullah585075
 
PPT
Ajax Ppt 1
JayaPrakash.m
 
PPT
Data Mining and Intrusion Detection
amiable_indian
 
PPTX
Basic concepts in computer security
Arzath Areeff
 
PPT
Computer security
Univ of Salamanca
 
PPT
Authentication Authorization-Lesson-2-Slides.ppt
MuhammadAbdullah311866
 
PPTX
System security
sommerville-videos
 
PPTX
Human Computer Interaction - Interaction Design
Vrushali Dhanokar
 
PPT
Google chrome
Melissa Brisbin
 
PPTX
Tunneling vpn security and implementation
Mohibullah Saail
 
09. storage-part-1
Muhammad Ahad
 
08. networking-part-2
Muhammad Ahad
 
User Interface Design-Module 4 Windows
brindaN
 
Firewall
nayakslideshare
 
Web Server - Internet Applications
sandra sukarieh
 
The internet
Catherine Matias
 
ppt of web designing and development
47ishu
 
Dos attack
Suraj Swarnakar
 
Lecture 3: Human-Computer Interaction: HCI Design (2014)
Lora Aroyo
 
05. performance-concepts-26-slides
Muhammad Ahad
 
12. End user devices.pptx
Sibghatullah585075
 
Ajax Ppt 1
JayaPrakash.m
 
Data Mining and Intrusion Detection
amiable_indian
 
Basic concepts in computer security
Arzath Areeff
 
Computer security
Univ of Salamanca
 
Authentication Authorization-Lesson-2-Slides.ppt
MuhammadAbdullah311866
 
System security
sommerville-videos
 
Human Computer Interaction - Interaction Design
Vrushali Dhanokar
 
Google chrome
Melissa Brisbin
 
Tunneling vpn security and implementation
Mohibullah Saail
 
Ad

Similar to Unit 3B.pdf (20)

PPTX
Security Threats which security threat is any potential danger that can explo...
gargyashika2023
 
PPTX
Important Notes
Usman Abdullah
 
PDF
Security issue in e commerce
Bosco Technical Training Society, Don Bosco Technical School (Aff. GGSIP University, New Delhi)
 
PPTX
Security Threats to Electronic Commerce
Darlene Enderez
 
PPTX
E commerce-securityy
JulianEvangelista1
 
PPTX
WK8.pptx
AlphaKoiSylvester
 
PPTX
Lesson 3 - Cybersecurity and its impact to e-commerce (32).pptx
Omar Fernandez
 
PPTX
Cyber security and its impact on E commerce
manigoyal112
 
PPTX
Ecommerce security
politegcuf
 
PDF
04-1 E-commerce Security slides
monchai sopitka
 
DOCX
E commerce security 4
Anne ndolo
 
PPS
Amazon & E Bay
Sabyasachi Dasgupta
 
PPTX
TheCyberThreatAndYou2_deck.pptx
KevinRiley83
 
PPT
DNR-Security-Awareness-Training expert.ppt
pdffree25
 
DOCX
THESIS-2(2)
Elsayed Muhammad
 
PDF
e commerce security and fraud protection
tumetr1
 
PPTX
Security Threats in E-Commerce
Dattatreya Reddy Peram
 
PDF
Information Security
Madushan Sandaruwan
 
PPT
Chapter three e-security
Marya Sholevar
 
PDF
E security and payment 2013-1
Abdelfatah hegazy
 
Security Threats which security threat is any potential danger that can explo...
gargyashika2023
 
Important Notes
Usman Abdullah
 
Security issue in e commerce
Bosco Technical Training Society, Don Bosco Technical School (Aff. GGSIP University, New Delhi)
 
Security Threats to Electronic Commerce
Darlene Enderez
 
E commerce-securityy
JulianEvangelista1
 
WK8.pptx
AlphaKoiSylvester
 
Lesson 3 - Cybersecurity and its impact to e-commerce (32).pptx
Omar Fernandez
 
Cyber security and its impact on E commerce
manigoyal112
 
Ecommerce security
politegcuf
 
04-1 E-commerce Security slides
monchai sopitka
 
E commerce security 4
Anne ndolo
 
Amazon & E Bay
Sabyasachi Dasgupta
 
TheCyberThreatAndYou2_deck.pptx
KevinRiley83
 
DNR-Security-Awareness-Training expert.ppt
pdffree25
 
THESIS-2(2)
Elsayed Muhammad
 
e commerce security and fraud protection
tumetr1
 
Security Threats in E-Commerce
Dattatreya Reddy Peram
 
Information Security
Madushan Sandaruwan
 
Chapter three e-security
Marya Sholevar
 
E security and payment 2013-1
Abdelfatah hegazy
 
Ad

Recently uploaded (20)

PPTX
CYBER SECURITY the Next Warefare Tactics
AbdullahAaliyan
 
PPT
statistic analysis for study - data collection
NguynNgcBchTrm8
 
PDF
Jean-Georges Perrin - Spark in Action, Second Edition (2020, Manning Publicat...
Pablo Jose Prieto Entenza
 
PPTX
SET 1 Compulsory MNH machine learning intro
RahikAhmed
 
PPT
Image processing and pattern recognition 2.ppt
anwarfadel430
 
PPTX
Steganography Project Steganography Project .pptx
ajoy54
 
PDF
Global Data and Analytics Market Outlook Report
ssuser11803e
 
PPTX
STERILIZATION AND DISINFECTION-1.ppthhhbx
DivuuJain
 
PDF
Data Engineering Interview Questions & Answers Data Modeling (3NF, Star, Vaul...
Mindbox Trainings
 
PDF
Introduction to Data Science and Data Analysis
Suraj Patil
 
PDF
Data Engineering Interview Questions & Answers Batch Processing (Spark, Hadoo...
Mindbox Trainings
 
PDF
Systems Analysis and Design, 12th Edition by Scott Tilley Test Bank.pdf
solutionsmanual3
 
PPT
DU, AIS, Big Data and Data Analytics.ppt
SadihaAfrose
 
PPTX
chrmotography.pptx food anaylysis techni
nawahassan45
 
PPTX
(Ali Hamza) Roll No: (F24-BSCS-1103).pptx
fb7654821
 
PDF
Introduction to the R Programming Language
Suraj Patil
 
PPTX
Introduction to Inferential Statistics.pptx
CollegeofTeacherEduc3
 
PDF
Microsoft 365 products and services descrption
KamelAbouSaleh1
 
PPT
Predictive modeling basics in data cleaning process
Amarjeet Jayanthi
 
PDF
[EN] Industrial Machine Downtime Prediction
Mônica N. de Resende
 
CYBER SECURITY the Next Warefare Tactics
AbdullahAaliyan
 
statistic analysis for study - data collection
NguynNgcBchTrm8
 
Jean-Georges Perrin - Spark in Action, Second Edition (2020, Manning Publicat...
Pablo Jose Prieto Entenza
 
SET 1 Compulsory MNH machine learning intro
RahikAhmed
 
Image processing and pattern recognition 2.ppt
anwarfadel430
 
Steganography Project Steganography Project .pptx
ajoy54
 
Global Data and Analytics Market Outlook Report
ssuser11803e
 
STERILIZATION AND DISINFECTION-1.ppthhhbx
DivuuJain
 
Data Engineering Interview Questions & Answers Data Modeling (3NF, Star, Vaul...
Mindbox Trainings
 
Introduction to Data Science and Data Analysis
Suraj Patil
 
Data Engineering Interview Questions & Answers Batch Processing (Spark, Hadoo...
Mindbox Trainings
 
Systems Analysis and Design, 12th Edition by Scott Tilley Test Bank.pdf
solutionsmanual3
 
DU, AIS, Big Data and Data Analytics.ppt
SadihaAfrose
 
chrmotography.pptx food anaylysis techni
nawahassan45
 
(Ali Hamza) Roll No: (F24-BSCS-1103).pptx
fb7654821
 
Introduction to the R Programming Language
Suraj Patil
 
Introduction to Inferential Statistics.pptx
CollegeofTeacherEduc3
 
Microsoft 365 products and services descrption
KamelAbouSaleh1
 
Predictive modeling basics in data cleaning process
Amarjeet Jayanthi
 
[EN] Industrial Machine Downtime Prediction
Mônica N. de Resende
 

Unit 3B.pdf

  • 2. Cyber Security • Cyber security is the application of technologies, processes, and controls to protect systems, networks, programs, devices and data from cyber attacks. • It aims to reduce the risk of cyber attacks and protect against the unauthorized exploitation of systems, networks, and technologies. • Security is an essential part of any transaction that takes place over the internet.
  • 3. What Is Good E-commerce Security? • New technologies • Organizational policies and procedures • Industry standards and government laws To achieve highest degree of security • Time value of information • Cost of security vs. potential loss • Security often breaks at weakest link Other factors
  • 4. What Is Good E-commerce Security? Good ecommerce security requires a set of laws, procedures, policies and technologies that to the extent feasible, protect individuals and organizations from the unexpected behaviour in the ecommerce marketplace.
  • 5. Dimensions of e-commerce security ● Integrity ● Non-Repudiability ● Authenticity ● Confidentiality ● Privacy ● Availability
  • 6. Integrity ● Integrity refers to the ability to ensure that information being displayed on a Web site, or transmitted or received over the Internet, has not been altered in any way by an unauthorized party. ● Example: If an unauthorized person intercepts and changes the contents of an online communication, such as by redirecting a bank wire transfer into a different account, the integrity of the message has been compromised because the communication no longer represents what the original sender intended.
  • 7. Nonrepudiation ● Nonrepudiation refers to the ability to ensure that e-commerce participants do not deny (i.e., repudiate) their online actions. ● It is the protection against the denial of order or denial of payment. Once a sender sends a message, the sender should not be able to deny sending the message. Similarly, the recipient of message should not be able to deny the receipt. ● For instance, the availability of free e-mail accounts with alias names makes it easy for a person to post comments or send a message and perhaps later deny doing so. ● Even when a customer uses a real name and e-mail address, it is easy for that customer to order merchandise online and then later deny doing so. ● In most cases, because merchants typically do not obtain a physical copy of a signature, the credit card issuer will side with the customer because the merchant has no legally valid proof that the customer ordered the merchandise.
  • 8. Authenticity ● Authenticity refers to the ability to identify the identity of a person or entity with whom you are dealing on the Internet. ● There should be a mechanism to authenticate a user before giving him/her an access to the required information.
  • 9. Confidentiality ● Confidentiality refers to the ability to ensure that messages and data are available only to those who are authorized to view them. Privacy ● privacy, which refers to the ability to control the use of information a customer provides about himself or herself to an e-commerce merchant. ● E-commerce merchants have two concerns related to privacy. They must establish internal policies that govern their own use of customer information, and they must protect that information from illegitimate or unauthorized use. For example, if hackers break into an e-commerce site and gain access to credit card or other information, this violates not only the confidentiality of the data, but also the privacy of the individuals who supplied the information.
  • 10. Availability ● Availability refers to the ability to ensure that an e-commerce site continues to function as intended. ● Data should be recorded in such a way that it can be audited for integrity requirements.
  • 11. Security Threats in the E-commerce Environment • Three key points of vulnerability in e-commerce environment: 1. Client 2. Server 3. Communications pipeline (Internet communications channels)
  • 12. A Typical E-commerce Transaction Figure 5.2, Page 256 Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-12
  • 13. Vulnerable Points in an E-commerce Transaction Figure 5.3, Page 257 Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-13 There are three major vulnerable points in e-commerce transactions: Internet communications, servers, and clients.
  • 14. Most Common Security Threats in the E-commerce Environment Types of Malicious Code • Malicious code (malware, exploits) – Drive-by downloads – Viruses – Worms – Ransomware – Trojan horses – Backdoors – Bots, botnets – Threats at both client and server levels
  • 15. Malicious code • A drive-by download is malware that comes with a downloaded file that a user intentionally or unintentionally requests. • A virus is a computer program that has the ability to replicate or make copies of itself and spread to other files. • Viruses are often combined with a worm. Instead of just spreading from file to file, a worm is designed to spread from computer to computer. A worm does not necessarily need to be activated by a user or program in order for it to replicate itself. • Ransomware (scareware) is a type of malware (often a worm) that locks your computer or files to stop you from accessing them.
  • 16. Malicious code (Trojan Horses) • The term Trojan horse refers to the huge wooden horse in Homer’s Iliad that the Greeks gave their opponents, the Trojans—a gift that actually contained hundreds of Greek soldiers. Once the people of Troy let the massive horse within their gates, the soldiers revealed themselves and captured the city. • In today’s world, a Trojan horse may masquerade as a game, but actually hide a program to steal your passwords and e-mail them to another person. • A Trojan horse appears to be benign, but then does something other than expected. The Trojan horse is not itself a virus because it does not replicate but is often a way for viruses or other malicious code such as bots or rootkits (a program whose aim is to subvert control of the computer’s operating system) to be introduced into a computer system.
  • 17. Malicious code cont… • A backdoor is a feature of viruses, worms, and Trojans that allows an attacker to remotely access a compromised computer. • Bots (short for robots) are a type of malicious code that can be secretly installed on your computer when attached to the Internet. • Botnets are collections of captured computers used for malicious activities such as sending spam, participating in a DDoS attack, stealing information from computers, and storing network traffic for later analysis.
  • 18. Most Common Security Threats (cont.) • Potentially Unwanted Programs (PUPs) (program that installs itself in a computer, typically without the user’s informed consent) – Browser parasites – Adware – Spyware • Phishing – Social engineering – E-mail scams – Spear-phishing – Identity fraud/theft
  • 19. Potentially Unwanted Programs (PUPs) • PUPs install themselves on a computer, such as rogue security software, typically without the user’s informed consent. Ex. Adware, Browser parasites, Spyware etc. • Adware is typically used to call for pop-up ads to display when the user visits certain sites. • Browser parasite is a program that can monitor and change the settings of a user’s browser, for instance, changing the browser’s home page, or sending information about the sites visited to a remote computer. • Spyware can be used to obtain information such as a user’s keystrokes, copies of e-mail and instant messages, and even take screenshots (and thereby capture passwords or other confidential data).
  • 20. Most Common Security Threats (cont.) • Social engineering relies on human curiosity, greed, and gullibility in order to trick people into taking an action that will result in the downloading of malware. • Phishing is any deceptive, online attempt by a third party to obtain confidential information for financial gain. Phishing attacks typically do not involve malicious code but instead rely on straightforward misrepresentation and fraud, so-called “social engineering” techniques. • One of the most popular phishing attacks is the e-mail scam letter. The scam begins with an e-mail: a rich former oil minister of Nigeria is seeking a bank account to stash millions of dollars for a short period of time, and requests your bank account number where the money can be deposited. In return, you will receive a million dollars. This type of e-mail scam is popularly known as a “Nigerian letter” scam. • Thousands of other phishing attacks use other scams, some pretending to be eBay, PayPal, or Citibank writing to you for “account verification” (known as “spear phishing,” or targeting a known customer of a specific bank or other type of business). Click on a link in the e-mail and you will be taken to a Web site controlled by the scammer, and prompted to enter confidential information about your accounts, such as your account number and PIN codes.
  • 21. Most Common Security Threats (cont.) Hacking • Hackers and crackers • Types of hackers: White, black, grey hats • Hacktivism Cybervandalism: • Disrupting, defacing, destroying Web site Data breach • Losing control over corporate information to outsiders
  • 22. Most Common Security Threats (cont.) • Hacker is an individual who intends to gain unauthorized access to a computer system. • Cracker is used to denote a hacker with criminal intent, although in the public press, the terms hacker and cracker tend to be used interchangeably. • In the past, hackers and crackers typically were computer experts excited by the challenge of breaking into corporate and government Web sites. Sometimes they were satisfied merely by breaking into the files of an e-commerce site. • Today, hackers have malicious intentions to disrupt, deface, or destroy sites (cybervandalism) or to steal personal or corporate information they can use for financial gain (data breach). • Hacktivism adds a political twist. Hacktivists typically attack governments, organizations, and even individuals for political purposes, employing the tactics of cyber vandalism, distributed denial of service attacks, data thefts, doxing (gathering and exposing personal information of public figures, originating from the term “documents” or “docx”), and more.
  • 23. Most Common Security Threats (cont.) • Groups of hackers called tiger teams are sometimes used by corporate security departments to test their own security measures. By hiring hackers to break into the system from the outside, the company can identify weaknesses in the computer system’s armor. • These “good hackers” are known as white hats because of their role in helping organizations locate and fix security flaws. White hats do their work under contract, with agreement from clients. • Black hats are hackers who engage in the same kinds of activities but without pay or any buy-in from the targeted organization, and with the intention of causing harm. They break into Web sites and reveal the confidential or proprietary information. These hackers believe strongly that information should be free, so sharing secret information is part of their mission. • Grey hats are hackers who believe they are pursuing some greater good by breaking in and revealing system flaws. Grey hats discover weaknesses in a system’s security, and then publish the weakness without disrupting the site or attempting to profit from their finds. Their only reward is the prestige of discovering the weakness. • Grey hat actions are suspect, however, especially when the hackers reveal security flaws that make it easier for other criminals to gain access to a system.
  • 24. Data Breach • Occurs whenever organizations lose control over corporate information to outsiders. • According to Symantec, data about more than 230 million people were exposed in 2011 as a result of data breaches. • Breaches caused by hacker attacks were responsible for exposing more than 187 million identities. • Significant breaches that did occur included a data breach at Zappos.com that affected 24 million customers, the compromise of a payment processor for Visa and Mastercard, and a breach at LinkedIn, exposing the data of 6.5 million members.
  • 25. Most Common Security Threats (cont.) • Credit card fraud/theft • Spoofing and pharming • Spam (junk) Web sites (link farms) • Identity fraud/theft • Denial of service (DoS) attack – Hackers flood site with useless traffic to overwhelm network • Distributed denial of service (DDoS) attack Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall Slide 5-25
  • 26. Credit card fraud/theft • Theft of credit card data is one of the most feared occurrences on the Internet. • Fear that credit card information will be stolen prevents users from making online purchases in many cases. • Incidences of stolen credit card information are much lower than users think, around 0.8% of all online card transactions (CyberSource, 2013) • Online credit card fraud is twice as common as offline card fraud. • In the past, the most common cause of credit card fraud was a lost or stolen card that was used by someone else, followed by employee theft of customer numbers and stolen identities (criminals applying for credit cards using false identities). • But today, the most frequent cause of stolen cards and card information is the systematic hacking and looting of a corporate server where the information on millions of credit card purchases is stored.
  • 27. Spoofing and pharming • Spoofing involves attempting to hide a true identity by using someone else’s e-mail or IP address. For instance, a spoofed e-mail will have a forged sender e-mail address designed to mislead the receiver about who sent the e-mail. • IP spoofing involves the creation of TCP/IP packets that use someone else’s source IP address, indicating that the packets are coming from a trusted host. • Most current routers and firewalls can offer protection against IP spoofing. • Spoofing a Web site sometimes involves pharming, automatically redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination. • Links that are designed to lead to one site can be reset to send users to a totally unrelated site—one that benefits the hacker. • Although spoofing and pharming do not directly damage files or network servers, they threaten the integrity of a site. • For example, if hackers redirect customers to a fake Web site that looks almost exactly like the true site, they can then collect and process orders, effectively stealing business from the true site. • In addition to threatening integrity, spoofing also threatens authenticity by making it difficult to discern the true sender of a message.
  • 28. Spam (junk) Web sites (link farms) • Spam (junk) Web sites (also sometimes referred to as link farms) are sites that promise to offer some product or service, but in fact are just a collection of advertisements for other sites, some of which contain malicious code. • For instance, you may search for “[name of town] weather,” and then click on a link that promises your local weather, but then discover that all the site does is display ads for weather-related products or other Web sites. • Junk or spam Web sites typically appear on search results, and do not involve e-mail. • These sites hides their identities by using domain names similar to legitimate firm names, and redirect traffic to known spammer-redirection domains.
  • 29. Identity fraud/theft • Identity fraud involves the unauthorized use of another person’s personal data, such as social security, driver’s license, and/or credit card numbers, as well as user names and passwords, for illegal financial benefit • Criminals can use such data to obtain loans, purchase merchandise, or obtain other services, such as mobile phone or other utility services • Cybercriminals employ many of the techniques described previously, such as spyware, phishing, data breaches, and credit card theft, for the purpose of identity fraud.
  • 30. Denial of service (DoS) attack • In a Denial of Service (DoS) attack, hackers flood a Web site with useless pings or page requests that inundate and overwhelm the site’s Web servers. • DoS attacks involve the use of bot networks and so-called “distributed attacks” built from thousands of compromised client computers. • DoS attacks typically cause a Web site to shut down, making it impossible for users to access the site. • For busy e-commerce sites, these attacks are costly; while the site is shut down, customers cannot make purchases.
  • 31. Distributed denial of service (DDoS) attack • Distributed Denial of Service (DDoS) attack uses hundreds or even thousands of computers to attack the target network from numerous launch points. • DoS and DDoS attacks are threats to a system’s operation because they can shut it down indefinitely.
  • 32. Most Common Security Threats (cont.) • Sniffing – Eavesdropping program that monitors information traveling over a network • Insider attacks • Poorly designed server and client software • Social network security issues • Mobile platform security issues – Vishing, smishing, madware • Cloud security issues
  • 33. Sniffing • A sniffer is a type of eavesdropping program that monitors information traveling over a network. • When used legitimately, sniffers can help identify potential network trouble-spots, but when used for criminal purposes, they can be damaging and very difficult to detect. • Sniffers enable hackers to steal proprietary information from anywhere on a network, including passwords, e-mail messages, company files, and confidential reports. • E-mail wiretaps are a variation on the sniffing threat.
  • 34. Insider attacks • The largest financial threats to business institutions come not from robberies but from embezzlement by insiders. • Bank employees steal far more money than bank robbers. • In e-commerce sites, some of the largest disruptions to service, destruction to sites, and diversion of customer credit data and personal information have come from insiders—once trusted employees. • Employees have access to privileged information, and, in the presence of sloppy internal security procedures, they are often able to roam throughout an organization’s systems without leaving a trace.
  • 35. Poorly designed server and client software • Many security threats prey on poorly designed server and client software, sometimes in the operating system and sometimes in the application software, including browsers. • The increase in complexity and size of software programs, coupled with demands for timely delivery to markets, has contributed to an increase in software flaws or vulnerabilities that hackers can exploit. • For instance, SQL injection attacks take advantage of vulnerabilities in poorly coded Web application software that fails to properly validate or filter data entered by a user on a Web page to introduce malicious program code into a company’s systems and networks.
  • 36. Technology Solutions • Protecting Internet communications – Encryption • Securing channels of communication – SSL, VPNs • Protecting networks – Firewalls • Protecting servers and clients
  • 37. Tools Available to Achieve Site Security
  • 38. Encryption • Encryption – Transforms Plain text or data into cipher text readable only by sender and receiver – Secures stored information and information transmission – Provides 4 of 6 key dimensions of e-commerce security: • Message integrity • Nonrepudiation • Authentication • Confidentiality ● The transformation of plain text to cipher text is accomplished by using a key or cipher. ● A key (or cipher) is any method for transforming plain text to cipher text.
  • 39. Different Cipher • In a substitution cipher, every occurrence of a given letter is replaced systematically by another letter. • Example : Cipher : letter plus two (replace every letter in a word with a new letter two places forward) Plain Text : Hello Cipher text: JGNNQ • In a transposition cipher, the ordering of the letters in each word is changed in some systematic way. • Example, Leonardo Da Vinci recorded his shop notes in reverse order, making them readable only with a mirror. Plain Text: Hello Cipher Text : OLLEH
  • 40. Symmetric Key Encryption Or secret key encryption ● In order to decipher the encrypted messages, the receiver would have to know the secret cipher that was used to encrypt the plain text. ● Both the sender and the receiver use the same key to encrypt and decrypt the message. They have to send it over some communication media or exchange the key in person. ● Symmetric key encryption was used extensively throughout World War II and is still a part of Internet encryption. ● Flaws of simple Substitution and Transposition ciphers : 1. In the digital age, computers are so powerful and fast that these ancient means of encryption can be broken quickly. 2. In order to share the same key, they must send the key over a presumably insecure medium where it could be stolen and used to decipher messages. 3. in commercial use, where we are not all part of the same team, a secret key is needed for each of the parties in transaction.
  • 41. Symmetric Key Encryption Or secret key encryption • The strength of modern security protection is measured in terms of the length of the binary key used to encrypt the data. • Modern digital encryption systems use keys with 56, 128, 256, or 512 binary digits. • Algorithms for Symetric Key encryption: DES, AES Data Encryption Standard (DES) Advanced Encryption Standard (AES) ● Developed by the National Security Agency (NSA) and IBM in the 1950s. ● DES uses a 56-bit encryption key. ● To cope with much faster computers, it has been improved by Triple DES—essentially encrypting the message three times, each with a separate key. ● The most widely used symmetric key encryption algorithm nowadays. ● Offers key sizes of 128, 192, and 256 bits. ● There are also many other symmetric key systems that are currently less widely used, with keys up to 2,048 bits.
  • 42. Public Key Encryption ● Public key cryptography solves the problem of exchanging keys. ● The mathematical algorithms used to produce the keys are one-way functions (Ex. one-way irreversible mathematical function). ● The keys are sufficiently long (128, 256, and 512 bits) Sender uses recipient’s public key to encrypt message; recipient uses private key to decrypt it Once key used to encrypt message, same key cannot be used to decrypt message Both keys used to encrypt and decrypt message Uses two mathematically related digital keys Public key (widely disseminated) Private key (kept secret by owner)
  • 43. Insight on Business: Class Discussion Public Key Cryptography: A Simple Case
  • 44. Public Key Encryption using Digital Signatures and Hash Digests • In public key encryption, although we can be quite sure the message was not understood or read by a third party, there is no guarantee the sender really is the sender; that is, there is no authentication of the sender. • The sender could deny ever sending the message(repudiation) • No assurance the message was not altered somehow in transit. • To check the integrity of a message and ensure it has not been altered in transit,a hash function is used first to create a digest of the message.
  • 45. Public Key Encryption using Digital Signatures and Hash Digests • Hash function: – Mathematical algorithm that produces fixed-length number called message or hash digest • Hash digest of message sent to recipient along with message to verify integrity • Hash digest and message encrypted with recipient’s public key • Entire cipher text then encrypted with recipient’s private key—creating digital signature—for authenticity, nonrepudiation • Digital Signature: — It is a close parallel to a handwritten signature. • Like a handwritten signature, a digital signature is unique—only one person presumably possesses the private key. • When used with a hash function, the digital signature is even more unique than a handwritten signature. • When used to sign a hashed document, the digital signature is also unique to the document, and changes for every document.
  • 46. Public Key Cryptography with Digital Signatures