This lecture is deliver by MAM Shafia the lecturer in GCUF on ecommerce security and modify by syed Mubashair Abid

1. E-Commerce Security

2. The E-Commerce Security
Environment
 For most law-abiding citizens, the Internet holds
the promise of a huge and convenient global
marketplace
 For criminals, the Internet has created entirely
new – and profitable – ways to steal from the
more than one billion Internet consumers
worldwide
 From products to services to cash to information,
it’s all there for the taking on the Internet
 It’s also less risky to steal online
 For example, rather than rob a bank in person,
the Internet makes it possible to rob people

3. The Scope of the Problem
 Cybercrime is becoming a more significant
problem for both organizations and consumers
 Bot networks, DDoS attacks, Trojans, phishing,
data theft, identify theft, credit card fraud, and
spyware are just some of the threats that are
making daily headlines
 Even social networking sites have had security
breaches
 For example, an individual hacked into Britney
Spears’ Twitter account and began sending
messages saying the singer had died

4. The Scope of the Problem (cont.)
 One source of cybercrime information is the
Internet Crime Complaint Center (IC3)
 In 2010, the IC3 processed more than 303,000
Internet crime complaints and it was estimated
that in 2009 the total dollar loss for all referred
crimes was $559 million
 In the past, auction fraud constituted over 70% of
complaints, but in 2010 it was only 10%,
displaced by non payment/delivery (21%) and
identity theft (16%)
 The Computer Security Institute’s annual
Computer Crime and Security Survey is another
source of information

5. Types of
Attacks
Against
Compute
r
Systems
(Figure)

6. The Underground Economy Marketplace:
The Value of Stolen Information
 Criminals who steal information on the Internet do
not always use this information themselves, but
instead derive value by selling the information to
others
 Some recently observed prices for stolen
information, which typically vary depending on the
quantity being purchased
 Not every cybercriminal is necessary after money
 In some cases, such criminals aim to deface,
vandalize, and/or disrupt a Web site, rather than
actually steal goods or services

7. What is Good E-Commerce
Security?
 What is a secure commercial transaction?
 Anytime you go into a marketplace you take risks,
including the loss of privacy
 E-commerce merchants and consumers face
many of the same risks as participants in
traditional commerce, although in a new digital
environment
 Reducing risks in e-commerce is a complex
process that involves new technologies,
organizational policies and procedures, and new
laws and industry standards that empower law
enforcement officials to investigate and prosecute
offenders

8. The E-Commerce Security
Environment

10. The Tension Between Security
and Other Values
 Can there be too much security? The answer is
yes.
 Computer security adds overhead and expense
to business operations
 Expanding computer security also has other
downsides:
 Makes systems more difficult to use
 Slows down processors
 Increases data storage demands
 May reduce individual’s abilities to remain
anonymous

11. Security Threats in the E-
Commerce Environment
 From a technological perspective, there are three
key points of vulnerability when dealing with e-
commerce: the client, the server, and the
communications pipeline
 Figure 5.4 illustrates some of the things that can
go wrong at each major vulnerability point in the
transaction

12. A Typical E-Commerce
Transaction

13. Vulnerable Points in an E-
Commerce Transaction

14. Common E-Commerce Security
Threats
 Some of the most common and most damaging forms
of security threats to e-commerce consumers and site
operators include:
 Malicious code (malware) – virus, worm, Trojan horse,
bots, etc.
 Unwanted programs (spyware)
 Phishing and identify theft – social engineering
 Hacking and cybervandalism
 Credit card fraud/theft
 Spoofing (pharming) and spam (junk) websites
 Denial of service (DoS) attacks
 Insider attacks
 Poorly designed server and client software
 Social networks and mobile devices greatly expand
the security threats to organizations and individuals

15. Technology Solutions
 It might seem like there is not much that can be
done about the onslaught of security breaches on
the Internet
 But in fact a great deal of progress has been
made by private security firms, corporate and
home users, network administrators, technology
firms, and government agencies
 Two lines of defense include:
 Technology solutions
 Policy solutions

16. Encryption
 Encryption is the process of transforming plain
text or data into cipher text that cannot be read by
anyone other than the sender and the receiver
 The purpose of encryption is to secure stored
information and to secure information
transmission
 One early encryption method was symmetric key
encryption where both the sender and the
receiver use the same key to encrypt and decrypt
the message
 They had to send the key to each other over
some communications media or in person

17. Public Key Cryptography

18. Limitations to Encryption
Solutions
 All forms of encryption have limitations
 It is not effective against insiders
 Protecting private keys may also be difficult
because they are stored on insecure desktop and
laptop computers
 Additional technology solutions exist for securing
channels of communications, networks, and
servers/clients

19. Communication Channel, Network,
and Server/Client Security
Technologies
 Communication channel security technologies:
 Secure Sockets Layer (SSL)
 Virtual Private Networks (VPNs)
 Network protection technologies:
 Firewalls
 Proxy servers
 Server/client protection technologies
 Operating system security enhancements
 Anti-virus software

20. Management Policies, Business
Procedures, and Public Laws
 US businesses and government agencies spend
about 14% of their information technology
budgets on security hardware, software, and
services (about $35 billion in 2010)
 However, most CEOs and CIOs of existing e-
commerce operations believe that technology is
not the sole answer to managing the risk of e-
commerce
 An e-commerce security plan would include a risk
assessment, development of a security policy,
implementation plan, creation of a security
organization, and a security audit
 Implementation may involve expanded forms of

21. The Roles of Laws and Public
Policy
 The public policy environment today is very
different fro the early days of e-commerce
 The net result is that the Internet is no longer an
ungoverned, unsupervised, self-controlled
technology juggernaut
 It is also apparent that legal and public policy
solutions also need to be enacted globally

22. Government Policies and Controls on
Encryption Software
 An interesting example of the difficulties involved
in enhancing security is the case of encryption
software distribution
 Governments have required to restrict availability
and export of encryption systems as a means of
detecting and preventing crime and terrorism
 On one hand, restricting global distribution of
advanced encryption systems may reduce the
likelihood that they may be cracked
 But it also reduces global Internet security if
different countries have different levels of
protection