E-commerce Security
Cyber Security
• Cyber security is the application of technologies, processes, and controls to protect systems, networks, programs, devices and data from cyber attacks.
• It aims to reduce the risk of cyber attacks and protect against the unauthorized exploitation of systems, networks, and technologies.
• Security is an essential part of any transaction that takes place over the internet.
What Is Good E-commerce Security?
To achieve highest degree of security
• New technologies
• Organizational policies and procedures
• Industry standards and government laws
Other factors
• Time value of information
• Cost of security vs. potential loss
• Security often breaks at weakest link
What Is Good E-commerce Security?
Good ecommerce security requires a set of laws, procedures, policies and technologies that, to the extent feasible, protect individuals and organizations from unexpected behaviour in the ecommerce marketplace.
Dimensions of e-commerce security
● Integrity
● Non-Repudiability
● Authenticity
● Confidentiality
● Privacy
● Availability
Integrity
● Integrity refers to the ability to ensure that information being displayed on a Web site, or transmitted or received over the Internet, has not been altered in any way by an unauthorized party.
● Example: If an unauthorized person intercepts and changes the contents of an online communication, such as by redirecting a bank wire transfer into a different account, the integrity of the message has been compromised because the communication no longer represents what the original sender intended.
Nonrepudiation
● Nonrepudiation refers to the ability to ensure that e-commerce participants do not deny (i.e., repudiate) their online actions.
● It is the protection against the denial of an order or the denial of a payment. Once a sender sends a message, the sender should not be able to deny sending the message. Similarly, the recipient of a message should not be able to deny the receipt.
● For instance, the availability of free e-mail accounts with alias names makes it easy for a person to post comments or send a message and perhaps later deny doing so.
● Even when a customer uses a real name and e-mail address, it is easy for that customer to order merchandise online and then later deny doing so.
● In most cases, because merchants typically do not obtain a physical copy of a signature, the credit card issuer will side with the customer because the merchant has no legally valid proof that the customer ordered the merchandise.
Authenticity
● Authenticity refers to the ability to verify the identity of a person or entity with whom you are dealing on the Internet.
● There should be a mechanism to authenticate a user before giving him/her access to the required information.
Confidentiality
● Confidentiality refers to the ability to ensure that messages and data are available only to those who are authorized to view them.
Privacy
● Privacy refers to the ability to control the use of information a customer provides about himself or herself to an e-commerce merchant.
● E-commerce merchants have two concerns related to privacy. They must establish internal policies that govern their own use of customer information, and they must protect that information from illegitimate or unauthorized use.
● For example, if hackers break into an e-commerce site and gain access to credit card or other information, this violates not only the confidentiality of the data, but also the privacy of the individuals who supplied the information.
Availability
● Availability refers to the ability to ensure that an e-commerce site continues to function as intended.
● Data should be recorded in such a way that it can be audited for integrity requirements.
Security Threats in the E-commerce Environment
• Three key points of vulnerability in the e-commerce environment:
1. Client
2. Server
3. Communications pipeline (Internet communications channels)
A Typical E-commerce Transaction
Figure 5.2, Page 256
Copyright © 2014 Pearson Education, Inc.
Publishing as Prentice Hall
Slide 5-12
Vulnerable Points in an E-commerce Transaction
Figure 5.3, Page 257
There are three major vulnerable points in e-commerce transactions: Internet communications, servers, and clients.
Most Common Security Threats in the E-commerce Environment
Types of Malicious Code
• Malicious code (malware, exploits)
– Drive-by downloads
– Viruses
– Worms
– Ransomware
– Trojan horses
– Backdoors
– Bots, botnets
– Threats at both client and server levels
Malicious code
• A drive-by download is malware that comes with a downloaded file that a user intentionally or unintentionally requests.
• A virus is a computer program that has the ability to replicate or make copies of itself and spread to other files.
• Viruses are often combined with a worm. Instead of just spreading from file to file, a worm is designed to spread from computer to computer. A worm does not necessarily need to be activated by a user or program in order for it to replicate itself.
• Ransomware (scareware) is a type of malware (often a worm) that locks your computer or files to stop you from accessing them.
Malicious code (Trojan Horses)
• The term Trojan horse refers to the huge wooden horse in Homer’s Iliad that the Greeks gave their opponents, the Trojans—a gift that actually contained hundreds of Greek soldiers. Once the people of Troy let the massive horse within their gates, the soldiers revealed themselves and captured the city.
• In today’s world, a Trojan horse may masquerade as a game, but actually hide a program to steal your passwords and e-mail them to another person.
• A Trojan horse appears to be benign, but then does something other than expected. The Trojan horse is not itself a virus because it does not replicate, but it is often a way for viruses or other malicious code such as bots or rootkits (a program whose aim is to subvert control of the computer’s operating system) to be introduced into a computer system.
Malicious code cont…
• A backdoor is a feature of viruses, worms, and Trojans that allows an attacker to remotely access a compromised computer.
• Bots (short for robots) are a type of malicious code that can be secretly installed on your computer when it is attached to the Internet.
• Botnets are collections of captured computers used for malicious activities such as sending spam, participating in a DDoS attack, stealing information from computers, and storing network traffic for later analysis.
Most Common Security Threats (cont.)
• Potentially Unwanted Programs (PUPs) (program that installs itself in a computer, typically without the user’s informed consent)
– Browser parasites
– Adware
– Spyware
• Phishing
– Social engineering
– E-mail scams
– Spear-phishing
– Identity fraud/theft
Potentially Unwanted Programs (PUPs)
• PUPs install themselves on a computer, such as rogue security software, typically without the user’s informed consent. Ex. Adware, Browser parasites, Spyware etc.
• Adware is typically used to call for pop-up ads to display when the user visits certain sites.
• A browser parasite is a program that can monitor and change the settings of a user’s browser, for instance, changing the browser’s home page, or sending information about the sites visited to a remote computer.
• Spyware can be used to obtain information such as a user’s keystrokes, copies of e-mail and instant messages, and even take screenshots (and thereby capture passwords or other confidential data).
Most Common Security Threats (cont.)
• Social engineering relies on human curiosity, greed, and gullibility in order to trick people into taking an action that will result in the downloading of malware.
• Phishing is any deceptive, online attempt by a third party to obtain confidential information for financial gain. Phishing attacks typically do not involve malicious code but instead rely on straightforward misrepresentation and fraud, so-called “social engineering” techniques.
• One of the most popular phishing attacks is the e-mail scam letter. The scam begins with an e-mail: a rich former oil minister of Nigeria is seeking a bank account to stash millions of dollars for a short period of time, and requests your bank account number where the money can be deposited. In return, you will receive a million dollars. This type of e-mail scam is popularly known as a “Nigerian letter” scam.
• Thousands of other phishing attacks use other scams, some pretending to be eBay, PayPal, or Citibank writing to you for “account verification” (known as “spear phishing,” or targeting a known customer of a specific bank or other type of business). Click on a link in the e-mail and you will be taken to a Web site controlled by the scammer, and prompted to enter confidential information about your accounts, such as your account number and PIN codes.
Most Common Security Threats (cont.)
Hacking
• Hackers and crackers
• Types of hackers: White, black, grey hats
• Hacktivism
Cybervandalism:
• Disrupting, defacing, or destroying Web sites
Data breach
• Losing control over corporate information to outsiders
Most Common Security Threats (cont.)
• A hacker is an individual who intends to gain unauthorized access to a computer system.
• Cracker is used to denote a hacker with criminal intent, although in the public press, the terms hacker and cracker tend to be used interchangeably.
• In the past, hackers and crackers typically were computer experts excited by the challenge of breaking into corporate and government Web sites. Sometimes they were satisfied merely by breaking into the files of an e-commerce site.
• Today, hackers have malicious intentions to disrupt, deface, or destroy sites (cybervandalism) or to steal personal or corporate information they can use for financial gain (data breach).
• Hacktivism adds a political twist. Hacktivists typically attack governments, organizations, and even individuals for political purposes, employing the tactics of cyber vandalism, distributed denial of service attacks, data thefts, doxing (gathering and exposing personal information of public figures, originating from the term “documents” or “docx”), and more.
Most Common Security Threats (cont.)
• Groups of hackers called tiger teams are sometimes used by corporate security departments to test their own security measures. By hiring hackers to break into the system from the outside, the company can identify weaknesses in the computer system’s armor.
• These “good hackers” are known as white hats because of their role in helping organizations locate and fix security flaws. White hats do their work under contract, with agreement from clients.
• Black hats are hackers who engage in the same kinds of activities but without pay or any buy-in from the targeted organization, and with the intention of causing harm. They break into Web sites and reveal the confidential or proprietary information. These hackers believe strongly that information should be free, so sharing secret information is part of their mission.
• Grey hats are hackers who believe they are pursuing some greater good by breaking in and revealing system flaws. Grey hats discover weaknesses in a system’s security, and then publish the weakness without disrupting the site or attempting to profit from their finds. Their only reward is the prestige of discovering the weakness.
• Grey hat actions are suspect, however, especially when the hackers reveal security flaws that make it easier for other criminals to gain access to a system.
Data Breach
• Occurs whenever organizations lose control over corporate information to outsiders.
• According to Symantec, data about more than 230 million people were exposed in 2011 as a result of data breaches.
• Breaches caused by hacker attacks were responsible for exposing more than 187 million identities.
• Significant breaches that did occur included a data breach at Zappos.com that affected 24 million customers, the compromise of a payment processor for Visa and Mastercard, and a breach at LinkedIn, exposing the data of 6.5 million members.
Most Common Security Threats (cont.)
• Credit card fraud/theft
• Spoofing and pharming
• Spam (junk) Web sites (link farms)
• Identity fraud/theft
• Denial of service (DoS) attack
– Hackers flood site with useless traffic to overwhelm network
• Distributed denial of service (DDoS) attack
Credit card fraud/theft
• Theft of credit card data is one of the most feared occurrences on the Internet.
• Fear that credit card information will be stolen prevents users from making online purchases in many cases.
• Incidences of stolen credit card information are much lower than users think, around 0.8% of all online card transactions (CyberSource, 2013).
• Online credit card fraud is twice as common as offline card fraud.
• In the past, the most common cause of credit card fraud was a lost or stolen card that was used by someone else, followed by employee theft of customer numbers and stolen identities (criminals applying for credit cards using false identities).
• But today, the most frequent cause of stolen cards and card information is the systematic hacking and looting of a corporate server where the information on millions of credit card purchases is stored.
Spoofing and pharming
• Spoofing involves attempting to hide a true identity by using someone else’s e-mail or IP address. For instance, a spoofed e-mail will have a forged sender e-mail address designed to mislead the receiver about who sent the e-mail.
• IP spoofing involves the creation of TCP/IP packets that use someone else’s source IP address, indicating that the packets are coming from a trusted host.
• Most current routers and firewalls can offer protection against IP spoofing.
• Spoofing a Web site sometimes involves pharming, automatically redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination.
• Links that are designed to lead to one site can be reset to send users to a totally unrelated site—one that benefits the hacker.
• Although spoofing and pharming do not directly damage files or network servers, they threaten the integrity of a site.
• For example, if hackers redirect customers to a fake Web site that looks almost exactly like the true site, they can then collect and process orders, effectively stealing business from the true site.
• In addition to threatening integrity, spoofing also threatens authenticity by making it difficult to discern the true sender of a message.
Spam (junk) Web sites (link farms)
• Spam (junk) Web sites (also sometimes referred to as link farms) are sites that promise to offer some product or service, but in fact are just a collection of advertisements for other sites, some of which contain malicious code.
• For instance, you may search for “[name of town] weather,” and then click on a link that promises your local weather, but then discover that all the site does is display ads for weather-related products or other Web sites.
• Junk or spam Web sites typically appear in search results, and do not involve e-mail.
• These sites hide their identities by using domain names similar to legitimate firm names, and redirect traffic to known spammer-redirection domains.
Identity fraud/theft
• Identity fraud involves the unauthorized use of another person’s personal data, such as social security, driver’s license, and/or credit card numbers, as well as user names and passwords, for illegal financial benefit.
• Criminals can use such data to obtain loans, purchase merchandise, or obtain other services, such as mobile phone or other utility services.
• Cybercriminals employ many of the techniques described previously, such as spyware, phishing, data breaches, and credit card theft, for the purpose of identity fraud.
Denial of service (DoS) attack
• In a Denial of Service (DoS) attack, hackers flood a Web site with useless pings or page requests that inundate and overwhelm the site’s Web servers.
• DoS attacks involve the use of bot networks and so-called “distributed attacks” built from thousands of compromised client computers.
• DoS attacks typically cause a Web site to shut down, making it impossible for users to access the site.
• For busy e-commerce sites, these attacks are costly; while the site is shut down, customers cannot make purchases.
Distributed denial of service (DDoS) attack
• A Distributed Denial of Service (DDoS) attack uses hundreds or even thousands of computers to attack the target network from numerous launch points.
• DoS and DDoS attacks are threats to a system’s operation because they can shut it down indefinitely.
Most Common Security Threats (cont.)
• Sniffing
– Eavesdropping program that monitors information traveling over a network
• Insider attacks
• Poorly designed server and client software
• Social network security issues
• Mobile platform security issues
– Vishing, smishing, madware
• Cloud security issues
Sniffing
• A sniffer is a type of eavesdropping program that monitors information traveling over a network.
• When used legitimately, sniffers can help identify potential network trouble-spots, but when used for criminal purposes, they can be damaging and very difficult to detect.
• Sniffers enable hackers to steal proprietary information from anywhere on a network, including passwords, e-mail messages, company files, and confidential reports.
• E-mail wiretaps are a variation on the sniffing threat.
Insider attacks
• The largest financial threats to business institutions come not from robberies but from embezzlement by insiders.
• Bank employees steal far more money than bank robbers.
• In e-commerce sites, some of the largest disruptions to service, destruction to sites, and diversion of customer credit data and personal information have come from insiders—once trusted employees.
• Employees have access to privileged information, and, in the presence of sloppy internal security procedures, they are often able to roam throughout an organization’s systems without leaving a trace.
Poorly designed server and client software
• Many security threats prey on poorly designed server and client software, sometimes in the operating system and sometimes in the application software, including browsers.
• The increase in complexity and size of software programs, coupled with demands for timely delivery to markets, has contributed to an increase in software flaws or vulnerabilities that hackers can exploit.
• For instance, SQL injection attacks take advantage of vulnerabilities in poorly coded Web application software that fails to properly validate or filter data entered by a user on a Web page to introduce malicious program code into a company’s systems and networks.
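The SQL injection flaw the slide describes is easiest to see with the two query styles side by side. The following is an added example, not code from the slides: a constructed in-memory SQLite catalogue with a product-search function that pastes user input into the SQL string (the "fails to validate or filter" case) and the same search written with a parameterised query. The assumed table and product names are invented for the demonstration.

```python
"""SQL injection: string-built query beside its parameterised replacement.
Added example; the products table and its rows are constructed here."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample catalogue: one published product and one that the
    storefront must never list (published = 0)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Blue mug", 1), (2, "Unreleased gadget", 0)],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list[str]:
    """Builds the SQL by concatenation. The user's text becomes part of the
    query's grammar, so a quote character in the input rewrites the WHERE
    clause instead of being matched as data."""
    sql = ("SELECT name FROM products WHERE published = 1 "
           "AND name LIKE '%" + term + "%'")
    return sorted(row[0] for row in conn.execute(sql))


def search_safe(conn: sqlite3.Connection, term: str) -> list[str]:
    """Parameterised query: the driver passes the input as a bound value,
    never as SQL text, so the same input can only match product names."""
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, ("%" + term + "%",)))


if __name__ == "__main__":
    db = make_db()
    # Ordinary search: both functions behave the same.
    print(search_vulnerable(db, "mug"), search_safe(db, "mug"))
    # Input that turns the concatenated WHERE clause into a tautology and
    # comments out the rest: the vulnerable query leaks the unpublished row,
    # the parameterised query treats the text as a literal and matches nothing.
    probe = "%' OR 1=1 --"
    print(search_vulnerable(db, probe))
    print(search_safe(db, probe))
```

The fix is not input filtering (which the slide mentions and which attackers routinely bypass) but keeping data and query structure separate: with `?` placeholders the database never parses user text as SQL, whatever characters it contains.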
Technology Solutions
• Protecting Internet communications
– Encryption
• Securing channels of communication
– SSL, VPNs
• Protecting networks
– Firewalls
• Protecting servers and clients
Tools Available to Achieve Site Security
Encryption
• Encryption
– Transforms plain text or data into cipher text readable only by sender and receiver
– Secures stored information and information transmission
– Provides 4 of 6 key dimensions of e-commerce security:
• Message integrity
• Nonrepudiation
• Authentication
• Confidentiality
● The transformation of plain text to cipher text is accomplished by using a key or cipher.
● A key (or cipher) is any method for transforming plain text to cipher text.
Different Ciphers
• In a substitution cipher, every occurrence of a given letter is replaced systematically by another letter.
• Example:
Cipher: letter plus two (replace every letter in a word with a new letter two places forward)
Plain Text: Hello; Cipher Text: JGNNQ
• In a transposition cipher, the ordering of the letters in each word is changed in some systematic way.
• Example: Leonardo Da Vinci recorded his shop notes in reverse order, making them readable only with a mirror.
Plain Text: Hello; Cipher Text: OLLEH
Symmetric Key Encryption (Secret Key Encryption)
● In order to decipher the encrypted messages, the receiver would have to know the secret cipher that was used to encrypt the plain text.
● Both the sender and the receiver use the same key to encrypt and decrypt the message. They have to send it over some communication media or exchange the key in person.
● Symmetric key encryption was used extensively throughout World War II and is still a part of Internet encryption.
● Flaws of simple substitution and transposition ciphers:
1. In the digital age, computers are so powerful and fast that these ancient means of encryption can be broken quickly.
2. In order to share the same key, the parties must send the key over a presumably insecure medium where it could be stolen and used to decipher messages.
3. In commercial use, where we are not all part of the same team, a secret key is needed for each of the parties in a transaction.
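To make the two cipher examples and the first flaw concrete, here is an added example (not code from the slides) implementing the "letter plus two" substitution and the mirror-writing transposition, plus a helper that shows why such a substitution offers no protection against a computer: it simply tries every possible shift and keeps the candidates containing an expected plaintext word. The helper names and the sample messages are constructed for this illustration.

```python
"""Substitution and transposition ciphers from the slides, with an
exhaustive key search that demonstrates flaw 1 (the whole key space of a
shift cipher is 25 keys). Added example; not part of the original deck."""
import string

ALPHABET = string.ascii_uppercase


def shift_cipher(text: str, shift: int) -> str:
    """Substitution cipher: replace every letter by the one `shift` places
    forward in the alphabet (the slides' 'letter plus two' is shift=2).
    Non-letters pass through unchanged."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decipher(cipher_text: str, shift: int) -> str:
    """Undo shift_cipher: shifting back by the same amount restores the text."""
    return shift_cipher(cipher_text, -shift)


def transposition_cipher(text: str) -> str:
    """Transposition cipher: the letters are kept, only their order changes.
    The slides' example (da Vinci's mirror writing) reverses each word."""
    return " ".join(word[::-1] for word in text.upper().split(" "))


def brute_force_shift(cipher_text: str, known_word: str) -> list[tuple[int, str]]:
    """Flaw 1 on the slide: with only 25 usable keys, every key is tried and
    any decryption containing an expected word (a 'crib') is reported.
    Returns (shift, plaintext) pairs; for real text only the right key matches."""
    hits = []
    for shift in range(1, 26):
        candidate = shift_decipher(cipher_text, shift)
        if known_word.upper() in candidate:
            hits.append((shift, candidate))
    return hits


if __name__ == "__main__":
    ct = shift_cipher("Hello", 2)
    print(ct)                                   # JGNNQ
    print(shift_decipher(ct, 2))                # HELLO
    print(transposition_cipher("Hello"))        # OLLEH
    # Constructed message encrypted with an unknown shift; recovered instantly.
    secret = shift_cipher("Order 42 confirmed", 7)
    print(brute_force_shift(secret, "order"))   # [(7, 'ORDER 42 CONFIRMED')]
```

The key search takes microseconds because the key space is 25; modern symmetric ciphers such as AES get their strength from key spaces of 2^128 and beyond, which is the point the next slide makes about measuring strength by key length.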
Symmetric Key Encryption (Secret Key Encryption)
• The strength of modern security protection is measured in terms of the length of the binary key used to encrypt the data.
• Modern digital encryption systems use keys with 56, 128, 256, or 512 binary digits.
• Algorithms for symmetric key encryption: DES, AES
Data Encryption Standard (DES)
● Developed by the National Security Agency (NSA) and IBM in the 1950s.
● DES uses a 56-bit encryption key.
● To cope with much faster computers, it has been improved by Triple DES—essentially encrypting the message three times, each with a separate key.
Advanced Encryption Standard (AES)
● The most widely used symmetric key encryption algorithm nowadays.
● Offers key sizes of 128, 192, and 256 bits.
● There are also many other symmetric key systems that are currently less widely used, with keys up to 2,048 bits.
Public Key Encryption
● Public key cryptography solves the problem of exchanging keys.
● Uses two mathematically related digital keys:
– Public key (widely disseminated)
– Private key (kept secret by owner)
● The mathematical algorithms used to produce the keys are one-way functions (i.e., a one-way, irreversible mathematical function).
● The keys are sufficiently long (128, 256, and 512 bits).
● Both keys are used to encrypt and decrypt a message: the sender uses the recipient’s public key to encrypt the message; the recipient uses the private key to decrypt it.
● Once a key has been used to encrypt a message, the same key cannot be used to decrypt the message.
Insight on Business: Class Discussion
Public Key Cryptography: A Simple Case
Public Key Encryption using Digital Signatures and Hash Digests
• In public key encryption, although we can be quite sure the message was not understood or read by a third party, there is no guarantee the sender really is the sender; that is, there is no authentication of the sender.
• The sender could deny ever sending the message (repudiation).
• There is no assurance the message was not altered somehow in transit.
• To check the integrity of a message and ensure it has not been altered in transit, a hash function is used first to create a digest of the message.
Public Key Encryption using Digital Signatures and Hash Digests
• Hash function:
– Mathematical algorithm that produces a fixed-length number called a message or hash digest
• Hash digest of message sent to recipient along with message to verify integrity
• Hash digest and message encrypted with recipient’s public key
• Entire cipher text then encrypted with recipient’s private key—creating digital signature—for authenticity, nonrepudiation
• Digital Signature:
— It is a close parallel to a handwritten signature.
• Like a handwritten signature, a digital signature is unique—only one person presumably possesses the private key.
• When used with a hash function, the digital signature is even more unique than a handwritten signature.
• When used to sign a hashed document, the digital signature is also unique to the document, and changes for every document.
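The public-key slides and the digital-signature slides above describe one exchange: encrypt for the recipient with the recipient's public key, and sign a hash digest of the message so the recipient can check integrity, authenticity and nonrepudiation. The following added example (not code from the slides or the textbook) runs that exchange end to end with textbook RSA. One detail worth being explicit about: the signature is produced with the sender's private key, because verification is done with the sender's public key, and that is what lets the recipient attribute the message to one party. The key pairs are constructed from Mersenne primes (2^31-1, 2^61-1, 2^89-1, 2^107-1) purely so the file runs without a key generator; unpadded RSA with keys this small is for teaching only, and the `KeyPair`, `send` and `receive` names are this example's own.

```python
"""Public-key encryption plus hash-and-sign, end to end. Added example,
not code from the slides. Textbook (unpadded) RSA keeps every step visible;
the constructed key pairs are far too small for real use."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyPair:
    n: int   # modulus (public)
    e: int   # public exponent, widely disseminated
    d: int   # private exponent, kept secret by the owner

    @staticmethod
    def from_primes(p: int, q: int, e: int = 65537) -> "KeyPair":
        """Build a key pair from two primes; e*d == 1 (mod (p-1)(q-1))."""
        phi = (p - 1) * (q - 1)
        return KeyPair(n=p * q, e=e, d=pow(e, -1, phi))


# Constructed toy key pairs from Mersenne primes (insecure by design).
RECIPIENT = KeyPair.from_primes((1 << 31) - 1, (1 << 61) - 1)
SENDER = KeyPair.from_primes((1 << 89) - 1, (1 << 107) - 1)


def encrypt(message: bytes, recipient_pub: KeyPair) -> list[int]:
    """Confidentiality: anyone may encrypt with the recipient's public key
    (only e and n are used here; each byte is a separate RSA block)..."""
    return [pow(b, recipient_pub.e, recipient_pub.n) for b in message]


def decrypt(cipher: list[int], recipient_priv: KeyPair) -> bytes:
    """...but only the holder of the private exponent d can decrypt."""
    return bytes(pow(c, recipient_priv.d, recipient_priv.n) for c in cipher)


def hash_digest(message: bytes) -> int:
    """Fixed-length message digest (SHA-256) as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, sender_priv: KeyPair) -> int:
    """Digital signature: the digest (reduced to the sender's modulus) is
    'encrypted' with the SENDER's private key, the key only the sender holds.
    This ties the signature to one identity (authenticity, nonrepudiation)
    and, through the digest, to this exact document (integrity)."""
    return pow(hash_digest(message) % sender_priv.n, sender_priv.d, sender_priv.n)


def verify(message: bytes, signature: int, sender_pub: KeyPair) -> bool:
    """Recipient recomputes the digest and compares it with the signature
    'decrypted' under the sender's public key; any alteration of the message
    changes the digest and the comparison fails."""
    recovered = pow(signature, sender_pub.e, sender_pub.n)
    return recovered == hash_digest(message) % sender_pub.n


def send(message: bytes) -> tuple[list[int], int]:
    """Sender side: sign with own private key, encrypt for the recipient."""
    return encrypt(message, RECIPIENT), sign(message, SENDER)


def receive(cipher: list[int], signature: int) -> tuple[bytes, bool]:
    """Recipient side: decrypt with own private key, then check the sender's
    signature with the sender's public key."""
    plaintext = decrypt(cipher, RECIPIENT)
    return plaintext, verify(plaintext, signature, SENDER)


if __name__ == "__main__":
    order = b"Ship order 1042 to warehouse B"          # constructed message
    cipher, sig = send(order)
    plaintext, ok = receive(cipher, sig)
    print(plaintext, ok)                                # ... True
    # An altered order fails verification even with the genuine signature.
    print(verify(b"Ship order 1042 to warehouse C", sig, SENDER))   # False
```

Two production differences are worth naming: real implementations sign and encrypt with padding schemes (RSA-PSS, RSA-OAEP) rather than raw modular exponentiation, and they encrypt the message with a symmetric key and use the public key only to protect that key, which is the role SSL/TLS plays in the next slides.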
Public Key Cryptography with Digital Signatures
Advanced Machine Learning for Business ProfessionalsAdvanced Machine Learning for Business Professionals
Advanced Machine Learning for Business Professionals
 
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
 
20240419 - Measurecamp Amsterdam - SAM.pdf
20240419 - Measurecamp Amsterdam - SAM.pdf20240419 - Measurecamp Amsterdam - SAM.pdf
20240419 - Measurecamp Amsterdam - SAM.pdf
 
Deep Generative Learning for All - The Gen AI Hype (Spring 2024)
Deep Generative Learning for All - The Gen AI Hype (Spring 2024)Deep Generative Learning for All - The Gen AI Hype (Spring 2024)
Deep Generative Learning for All - The Gen AI Hype (Spring 2024)
 
RABBIT: A CLI tool for identifying bots based on their GitHub events.
RABBIT: A CLI tool for identifying bots based on their GitHub events.RABBIT: A CLI tool for identifying bots based on their GitHub events.
RABBIT: A CLI tool for identifying bots based on their GitHub events.
 
Conf42-LLM_Adding Generative AI to Real-Time Streaming Pipelines
Conf42-LLM_Adding Generative AI to Real-Time Streaming PipelinesConf42-LLM_Adding Generative AI to Real-Time Streaming Pipelines
Conf42-LLM_Adding Generative AI to Real-Time Streaming Pipelines
 
ASML's Taxonomy Adventure by Daniel Canter
ASML's Taxonomy Adventure by Daniel CanterASML's Taxonomy Adventure by Daniel Canter
ASML's Taxonomy Adventure by Daniel Canter
 
Predictive Analysis for Loan Default Presentation : Data Analysis Project PPT
Predictive Analysis for Loan Default  Presentation : Data Analysis Project PPTPredictive Analysis for Loan Default  Presentation : Data Analysis Project PPT
Predictive Analysis for Loan Default Presentation : Data Analysis Project PPT
 
Identifying Appropriate Test Statistics Involving Population Mean
Identifying Appropriate Test Statistics Involving Population MeanIdentifying Appropriate Test Statistics Involving Population Mean
Identifying Appropriate Test Statistics Involving Population Mean
 
NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...
NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...
NO1 Certified Black Magic Specialist Expert Amil baba in Lahore Islamabad Raw...
 
Data Factory in Microsoft Fabric (MsBIP #82)
Data Factory in Microsoft Fabric (MsBIP #82)Data Factory in Microsoft Fabric (MsBIP #82)
Data Factory in Microsoft Fabric (MsBIP #82)
 
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
 
Student Profile Sample report on improving academic performance by uniting gr...
Student Profile Sample report on improving academic performance by uniting gr...Student Profile Sample report on improving academic performance by uniting gr...
Student Profile Sample report on improving academic performance by uniting gr...
 
Defining Constituents, Data Vizzes and Telling a Data Story
Defining Constituents, Data Vizzes and Telling a Data StoryDefining Constituents, Data Vizzes and Telling a Data Story
Defining Constituents, Data Vizzes and Telling a Data Story
 
LLMs, LMMs, their Improvement Suggestions and the Path towards AGI
LLMs, LMMs, their Improvement Suggestions and the Path towards AGILLMs, LMMs, their Improvement Suggestions and the Path towards AGI
LLMs, LMMs, their Improvement Suggestions and the Path towards AGI
 

E-commerce Security Dimensions and Threats

2. Cyber Security
• Cyber security is the application of technologies, processes, and controls to protect systems, networks, programs, devices and data from cyber attacks.
• It aims to reduce the risk of cyber attacks and protect against the unauthorized exploitation of systems, networks, and technologies.
• Security is an essential part of any transaction that takes place over the internet.

3. What Is Good E-commerce Security?
To achieve the highest degree of security:
• New technologies
• Organizational policies and procedures
• Industry standards and government laws
Other factors:
• Time value of information
• Cost of security vs. potential loss
• Security often breaks at the weakest link

4. What Is Good E-commerce Security?
Good e-commerce security requires a set of laws, procedures, policies and technologies that, to the extent feasible, protect individuals and organizations from unexpected behaviour in the e-commerce marketplace.

5. Dimensions of e-commerce security
● Integrity
● Non-Repudiability
● Authenticity
● Confidentiality
● Privacy
● Availability

6. Integrity
● Integrity refers to the ability to ensure that information being displayed on a Web site, or transmitted or received over the Internet, has not been altered in any way by an unauthorized party.
● Example: If an unauthorized person intercepts and changes the contents of an online communication, such as by redirecting a bank wire transfer into a different account, the integrity of the message has been compromised because the communication no longer represents what the original sender intended.

7. Nonrepudiation
● Nonrepudiation refers to the ability to ensure that e-commerce participants do not deny (i.e., repudiate) their online actions.
● It is the protection against the denial of an order or denial of payment. Once a sender sends a message, the sender should not be able to deny sending the message. Similarly, the recipient of a message should not be able to deny the receipt.
● For instance, the availability of free e-mail accounts with alias names makes it easy for a person to post comments or send a message and perhaps later deny doing so.
● Even when a customer uses a real name and e-mail address, it is easy for that customer to order merchandise online and then later deny doing so.
● In most cases, because merchants typically do not obtain a physical copy of a signature, the credit card issuer will side with the customer because the merchant has no legally valid proof that the customer ordered the merchandise.

8. Authenticity
● Authenticity refers to the ability to verify the identity of a person or entity with whom you are dealing on the Internet.
● There should be a mechanism to authenticate a user before giving him/her access to the required information.

9. Confidentiality
● Confidentiality refers to the ability to ensure that messages and data are available only to those who are authorized to view them.
Privacy
● Privacy refers to the ability to control the use of information a customer provides about himself or herself to an e-commerce merchant.
● E-commerce merchants have two concerns related to privacy. They must establish internal policies that govern their own use of customer information, and they must protect that information from illegitimate or unauthorized use. For example, if hackers break into an e-commerce site and gain access to credit card or other information, this violates not only the confidentiality of the data, but also the privacy of the individuals who supplied the information.

10. Availability
● Availability refers to the ability to ensure that an e-commerce site continues to function as intended.
● Data should be recorded in such a way that it can be audited for integrity requirements.

11. Security Threats in the E-commerce Environment
• Three key points of vulnerability in the e-commerce environment:
1. Client
2. Server
3. Communications pipeline (Internet communications channels)

12. A Typical E-commerce Transaction
Figure 5.2, Page 256. Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall. Slide 5-12

13. Vulnerable Points in an E-commerce Transaction
Figure 5.3, Page 257
There are three major vulnerable points in e-commerce transactions: Internet communications, servers, and clients.
14. Most Common Security Threats in the E-commerce Environment
Types of Malicious Code
• Malicious code (malware, exploits)
– Drive-by downloads
– Viruses
– Worms
– Ransomware
– Trojan horses
– Backdoors
– Bots, botnets
– Threats at both client and server levels

15. Malicious code
• A drive-by download is malware that comes with a downloaded file that a user intentionally or unintentionally requests.
• A virus is a computer program that has the ability to replicate or make copies of itself and spread to other files.
• Viruses are often combined with a worm. Instead of just spreading from file to file, a worm is designed to spread from computer to computer. A worm does not necessarily need to be activated by a user or program in order for it to replicate itself.
• Ransomware (scareware) is a type of malware (often a worm) that locks your computer or files to stop you from accessing them.

16. Malicious code (Trojan Horses)
• The term Trojan horse refers to the huge wooden horse in Homer’s Iliad that the Greeks gave their opponents, the Trojans—a gift that actually contained hundreds of Greek soldiers. Once the people of Troy let the massive horse within their gates, the soldiers revealed themselves and captured the city.
• In today’s world, a Trojan horse may masquerade as a game, but actually hide a program to steal your passwords and e-mail them to another person.
• A Trojan horse appears to be benign, but then does something other than expected. The Trojan horse is not itself a virus because it does not replicate, but it is often a way for viruses or other malicious code such as bots or rootkits (a program whose aim is to subvert control of the computer’s operating system) to be introduced into a computer system.

17. Malicious code cont…
• A backdoor is a feature of viruses, worms, and Trojans that allows an attacker to remotely access a compromised computer.
• Bots (short for robots) are a type of malicious code that can be secretly installed on your computer when attached to the Internet.
• Botnets are collections of captured computers used for malicious activities such as sending spam, participating in a DDoS attack, stealing information from computers, and storing network traffic for later analysis.

18. Most Common Security Threats (cont.)
• Potentially Unwanted Programs (PUPs) (a program that installs itself in a computer, typically without the user’s informed consent)
– Browser parasites
– Adware
– Spyware
• Phishing
– Social engineering
– E-mail scams
– Spear-phishing
– Identity fraud/theft

19. Potentially Unwanted Programs (PUPs)
• PUPs install themselves on a computer, such as rogue security software, typically without the user’s informed consent. Ex. Adware, Browser parasites, Spyware etc.
• Adware is typically used to call for pop-up ads to display when the user visits certain sites.
• A browser parasite is a program that can monitor and change the settings of a user’s browser, for instance, changing the browser’s home page, or sending information about the sites visited to a remote computer.
• Spyware can be used to obtain information such as a user’s keystrokes, copies of e-mail and instant messages, and even take screenshots (and thereby capture passwords or other confidential data).

20. Most Common Security Threats (cont.)
• Social engineering relies on human curiosity, greed, and gullibility in order to trick people into taking an action that will result in the downloading of malware.
• Phishing is any deceptive, online attempt by a third party to obtain confidential information for financial gain. Phishing attacks typically do not involve malicious code but instead rely on straightforward misrepresentation and fraud, so-called “social engineering” techniques.
• One of the most popular phishing attacks is the e-mail scam letter. The scam begins with an e-mail: a rich former oil minister of Nigeria is seeking a bank account to stash millions of dollars for a short period of time, and requests your bank account number where the money can be deposited. In return, you will receive a million dollars. This type of e-mail scam is popularly known as a “Nigerian letter” scam.
• Thousands of other phishing attacks use other scams, some pretending to be eBay, PayPal, or Citibank writing to you for “account verification” (known as “spear phishing,” or targeting a known customer of a specific bank or other type of business). Click on a link in the e-mail and you will be taken to a Web site controlled by the scammer, and prompted to enter confidential information about your accounts, such as your account number and PIN codes.

21. Most Common Security Threats (cont.)
Hacking
• Hackers and crackers
• Types of hackers: White, black, grey hats
• Hacktivism
Cybervandalism:
• Disrupting, defacing, destroying Web site
Data breach
• Losing control over corporate information to outsiders

22. Most Common Security Threats (cont.)
• A hacker is an individual who intends to gain unauthorized access to a computer system.
• Cracker is used to denote a hacker with criminal intent, although in the public press, the terms hacker and cracker tend to be used interchangeably.
• In the past, hackers and crackers typically were computer experts excited by the challenge of breaking into corporate and government Web sites. Sometimes they were satisfied merely by breaking into the files of an e-commerce site.
• Today, hackers have malicious intentions to disrupt, deface, or destroy sites (cybervandalism) or to steal personal or corporate information they can use for financial gain (data breach).
• Hacktivism adds a political twist. Hacktivists typically attack governments, organizations, and even individuals for political purposes, employing the tactics of cyber vandalism, distributed denial of service attacks, data thefts, doxing (gathering and exposing personal information of public figures, originating from the term “documents” or “docx”), and more.

23. Most Common Security Threats (cont.)
• Groups of hackers called tiger teams are sometimes used by corporate security departments to test their own security measures. By hiring hackers to break into the system from the outside, the company can identify weaknesses in the computer system’s armor.
• These “good hackers” are known as white hats because of their role in helping organizations locate and fix security flaws. White hats do their work under contract, with agreement from clients.
• Black hats are hackers who engage in the same kinds of activities but without pay or any buy-in from the targeted organization, and with the intention of causing harm. They break into Web sites and reveal the confidential or proprietary information. These hackers believe strongly that information should be free, so sharing secret information is part of their mission.
• Grey hats are hackers who believe they are pursuing some greater good by breaking in and revealing system flaws. Grey hats discover weaknesses in a system’s security, and then publish the weakness without disrupting the site or attempting to profit from their finds. Their only reward is the prestige of discovering the weakness.
• Grey hat actions are suspect, however, especially when the hackers reveal security flaws that make it easier for other criminals to gain access to a system.

24. Data Breach
• Occurs whenever organizations lose control over corporate information to outsiders.
• According to Symantec, data about more than 230 million people were exposed in 2011 as a result of data breaches.
• Breaches caused by hacker attacks were responsible for exposing more than 187 million identities.
• Significant breaches that did occur included a data breach at Zappos.com that affected 24 million customers, the compromise of a payment processor for Visa and Mastercard, and a breach at LinkedIn, exposing the data of 6.5 million members.
25. Most Common Security Threats (cont.)
• Credit card fraud/theft
• Spoofing and pharming
• Spam (junk) Web sites (link farms)
• Identity fraud/theft
• Denial of service (DoS) attack
– Hackers flood site with useless traffic to overwhelm network
• Distributed denial of service (DDoS) attack

26. Credit card fraud/theft
• Theft of credit card data is one of the most feared occurrences on the Internet.
• Fear that credit card information will be stolen prevents users from making online purchases in many cases.
• Incidences of stolen credit card information are much lower than users think, around 0.8% of all online card transactions (CyberSource, 2013).
• Online credit card fraud is twice as common as offline card fraud.
• In the past, the most common cause of credit card fraud was a lost or stolen card that was used by someone else, followed by employee theft of customer numbers and stolen identities (criminals applying for credit cards using false identities).
• But today, the most frequent cause of stolen cards and card information is the systematic hacking and looting of a corporate server where the information on millions of credit card purchases is stored.

27. Spoofing and pharming
• Spoofing involves attempting to hide a true identity by using someone else’s e-mail or IP address. For instance, a spoofed e-mail will have a forged sender e-mail address designed to mislead the receiver about who sent the e-mail.
• IP spoofing involves the creation of TCP/IP packets that use someone else’s source IP address, indicating that the packets are coming from a trusted host.
• Most current routers and firewalls can offer protection against IP spoofing.
• Spoofing a Web site sometimes involves pharming, automatically redirecting a Web link to an address different from the intended one, with the site masquerading as the intended destination.
• Links that are designed to lead to one site can be reset to send users to a totally unrelated site—one that benefits the hacker.
• Although spoofing and pharming do not directly damage files or network servers, they threaten the integrity of a site.
• For example, if hackers redirect customers to a fake Web site that looks almost exactly like the true site, they can then collect and process orders, effectively stealing business from the true site.
• In addition to threatening integrity, spoofing also threatens authenticity by making it difficult to discern the true sender of a message.

28. Spam (junk) Web sites (link farms)
• Spam (junk) Web sites (also sometimes referred to as link farms) are sites that promise to offer some product or service, but in fact are just a collection of advertisements for other sites, some of which contain malicious code.
• For instance, you may search for “[name of town] weather,” and then click on a link that promises your local weather, but then discover that all the site does is display ads for weather-related products or other Web sites.
• Junk or spam Web sites typically appear in search results, and do not involve e-mail.
• These sites hide their identities by using domain names similar to legitimate firm names, and redirect traffic to known spammer-redirection domains.

29. Identity fraud/theft
• Identity fraud involves the unauthorized use of another person’s personal data, such as social security, driver’s license, and/or credit card numbers, as well as user names and passwords, for illegal financial benefit.
• Criminals can use such data to obtain loans, purchase merchandise, or obtain other services, such as mobile phone or other utility services.
• Cybercriminals employ many of the techniques described previously, such as spyware, phishing, data breaches, and credit card theft, for the purpose of identity fraud.

30. Denial of service (DoS) attack
• In a Denial of Service (DoS) attack, hackers flood a Web site with useless pings or page requests that inundate and overwhelm the site’s Web servers.
• DoS attacks involve the use of bot networks and so-called “distributed attacks” built from thousands of compromised client computers.
• DoS attacks typically cause a Web site to shut down, making it impossible for users to access the site.
• For busy e-commerce sites, these attacks are costly; while the site is shut down, customers cannot make purchases.

31. Distributed denial of service (DDoS) attack
• A Distributed Denial of Service (DDoS) attack uses hundreds or even thousands of computers to attack the target network from numerous launch points.
• DoS and DDoS attacks are threats to a system’s operation because they can shut it down indefinitely.

32. Most Common Security Threats (cont.)
• Sniffing
– Eavesdropping program that monitors information traveling over a network
• Insider attacks
• Poorly designed server and client software
• Social network security issues
• Mobile platform security issues
– Vishing, smishing, madware
• Cloud security issues

33. Sniffing
• A sniffer is a type of eavesdropping program that monitors information traveling over a network.
• When used legitimately, sniffers can help identify potential network trouble spots, but when used for criminal purposes, they can be damaging and very difficult to detect.
• Sniffers enable hackers to steal proprietary information from anywhere on a network, including passwords, e-mail messages, company files, and confidential reports.
• E-mail wiretaps are a variation on the sniffing threat.

34. Insider attacks
• The largest financial threats to business institutions come not from robberies but from embezzlement by insiders.
• Bank employees steal far more money than bank robbers.
• In e-commerce sites, some of the largest disruptions to service, destruction to sites, and diversion of customer credit data and personal information have come from insiders—once trusted employees.
• Employees have access to privileged information, and, in the presence of sloppy internal security procedures, they are often able to roam throughout an organization’s systems without leaving a trace.

35. Poorly designed server and client software
• Many security threats prey on poorly designed server and client software, sometimes in the operating system and sometimes in the application software, including browsers.
• The increase in complexity and size of software programs, coupled with demands for timely delivery to markets, has contributed to an increase in software flaws or vulnerabilities that hackers can exploit.
• For instance, SQL injection attacks take advantage of vulnerabilities in poorly coded Web application software that fails to properly validate or filter data entered by a user on a Web page, to introduce malicious program code into a company’s systems and networks.
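The SQL injection case from slide 35 in working code, as an added example that is not part of the presentation: a customer lookup that pastes user input into the query text beside the parameterized form, both run against a constructed in-memory SQLite table. The function names, the sample rows and the validator are assumptions.

```python
import sqlite3


def demo_db():
    """Constructed in-memory customer table for the demonstration (not a real shop)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.com", "4242"), (2, "bob@example.com", "1881")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """The 'before' case from the slide: user input is concatenated into the SQL
    text, so a value containing a quote is parsed as part of the query itself."""
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Hardened form: the driver binds the value as data; it is never parsed as SQL."""
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def is_plausible_email(value):
    """Defence in depth: validate the shape of the input before it reaches the
    database layer. Parameterization is the actual fix; validation narrows the
    input surface and gives the application an early point to log and reject."""
    return "@" in value and "'" not in value and len(value) <= 254


if __name__ == "__main__":
    conn = demo_db()
    normal = "alice@example.com"
    # Constructed hostile value: a stray quote followed by an always-true condition.
    hostile = "x' OR '1'='1"
    print("vulnerable, normal input:    ", lookup_vulnerable(conn, normal))
    print("vulnerable, hostile input:   ", lookup_vulnerable(conn, hostile))     # every row
    print("parameterized, hostile input:", lookup_parameterized(conn, hostile))  # no rows
    print("validator accepts hostile?   ", is_plausible_email(hostile))          # False
```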
36. Technology Solutions
• Protecting Internet communications
– Encryption
• Securing channels of communication
– SSL, VPNs
• Protecting networks
– Firewalls
• Protecting servers and clients

37. Tools Available to Achieve Site Security

38. Encryption
• Encryption
– Transforms plain text or data into cipher text readable only by sender and receiver
– Secures stored information and information transmission
– Provides 4 of 6 key dimensions of e-commerce security:
• Message integrity
• Nonrepudiation
• Authentication
• Confidentiality
● The transformation of plain text to cipher text is accomplished by using a key or cipher.
● A key (or cipher) is any method for transforming plain text to cipher text.

39. Different Ciphers
• In a substitution cipher, every occurrence of a given letter is replaced systematically by another letter.
• Example: Cipher: letter plus two (replace every letter in a word with a new letter two places forward)
Plain text: Hello
Cipher text: JGNNQ
• In a transposition cipher, the ordering of the letters in each word is changed in some systematic way.
• Example: Leonardo Da Vinci recorded his shop notes in reverse order, making them readable only with a mirror.
Plain text: Hello
Cipher text: OLLEH

40. Symmetric Key Encryption (or secret key encryption)
● In order to decipher the encrypted messages, the receiver would have to know the secret cipher that was used to encrypt the plain text.
● Both the sender and the receiver use the same key to encrypt and decrypt the message. They have to send it over some communication media or exchange the key in person.
● Symmetric key encryption was used extensively throughout World War II and is still a part of Internet encryption.
● Flaws of simple substitution and transposition ciphers:
1. In the digital age, computers are so powerful and fast that these ancient means of encryption can be broken quickly.
2. In order to share the same key, the parties must send the key over a presumably insecure medium where it could be stolen and used to decipher messages.
3. In commercial use, where we are not all part of the same team, a secret key is needed for each of the parties in a transaction.
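Slides 39 and 40 in working code, as an added example that is not part of the presentation: the letter-plus-two substitution cipher and the mirror-writing transposition cipher, plus the brute-force key search that illustrates flaw 1 (a 25-key space is exhausted instantly). Function names are assumptions.

```python
import string

ALPHABET = string.ascii_uppercase


def substitution_encrypt(plain, shift):
    """Substitution cipher from slide 39: every letter is replaced by the letter
    `shift` places forward in the alphabet, wrapping Z back round to A.
    Output is upper case, as on the slide; non-letters pass through unchanged."""
    out = []
    for ch in plain.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def substitution_decrypt(cipher, shift):
    """The receiver must hold the same secret (the shift) to reverse the substitution."""
    return substitution_encrypt(cipher, -shift)


def transposition_encrypt(plain):
    """Transposition cipher from slide 39: the letter order is reversed (mirror writing)."""
    return plain.upper()[::-1]


def transposition_decrypt(cipher):
    return cipher[::-1]


def brute_force_shift(cipher, known_word):
    """Flaw 1 from slide 40: there are only 25 possible shifts, so an attacker who
    knows or guesses a single plaintext word tries them all and recovers the key.
    Returns the shift that reveals `known_word`, or None if no shift does."""
    for shift in range(1, 26):
        if known_word.upper() in substitution_decrypt(cipher, shift):
            return shift
    return None


if __name__ == "__main__":
    print(substitution_encrypt("Hello", 2))      # JGNNQ
    print(transposition_encrypt("Hello"))        # OLLEH
    print(brute_force_shift("JGNNQ", "hello"))   # 2
```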
41. Symmetric Key Encryption (or secret key encryption)
• The strength of modern security protection is measured in terms of the length of the binary key used to encrypt the data.
• Modern digital encryption systems use keys with 56, 128, 256, or 512 binary digits.
• Algorithms for symmetric key encryption: DES, AES
Data Encryption Standard (DES):
● Developed by the National Security Agency (NSA) and IBM in the 1950s.
● DES uses a 56-bit encryption key.
● To cope with much faster computers, it has been improved by Triple DES—essentially encrypting the message three times, each with a separate key.
Advanced Encryption Standard (AES):
● The most widely used symmetric key encryption algorithm nowadays.
● Offers key sizes of 128, 192, and 256 bits.
● There are also many other symmetric key systems that are currently less widely used, with keys up to 2,048 bits.

42. Public Key Encryption
● Public key cryptography solves the problem of exchanging keys.
● Uses two mathematically related digital keys: a public key (widely disseminated) and a private key (kept secret by owner).
● Both keys are used to encrypt and decrypt messages; once a key is used to encrypt a message, the same key cannot be used to decrypt it.
● The sender uses the recipient’s public key to encrypt a message; the recipient uses the private key to decrypt it.
● The mathematical algorithms used to produce the keys are one-way functions (i.e., one-way irreversible mathematical functions).
● The keys are sufficiently long (128, 256, and 512 bits).

43. Insight on Business: Class Discussion
Public Key Cryptography: A Simple Case

44. Public Key Encryption using Digital Signatures and Hash Digests
• In public key encryption, although we can be quite sure the message was not understood or read by a third party, there is no guarantee the sender really is the sender; that is, there is no authentication of the sender.
• The sender could deny ever sending the message (repudiation).
• There is no assurance the message was not altered somehow in transit.
• To check the integrity of a message and ensure it has not been altered in transit, a hash function is used first to create a digest of the message.

45. Public Key Encryption using Digital Signatures and Hash Digests
• Hash function:
– Mathematical algorithm that produces a fixed-length number called a message or hash digest
• Hash digest of message sent to recipient along with message to verify integrity
• Hash digest and message encrypted with recipient’s public key
• Entire cipher text then encrypted with recipient’s private key—creating digital signature—for authenticity, nonrepudiation
• Digital Signature:
– It is a close parallel to a handwritten signature.
• Like a handwritten signature, a digital signature is unique—only one person presumably possesses the private key.
• When used with a hash function, the digital signature is even more unique than a handwritten signature.
• When used to sign a hashed document, the digital signature is also unique to the document, and changes for every document.

46. Public Key Cryptography with Digital Signatures
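Slides 42, 44 and 45 worked through in code, as an added example that is not part of the presentation: each party gets a toy textbook RSA key pair, the merchant's public key provides confidentiality, and a SHA-256 digest transformed with the customer's own private key provides the signature that the merchant checks with the customer's public key (integrity, authentication, nonrepudiation). The Mersenne primes, helper names and sample order are assumptions; real systems use random 1024-bit-plus primes and a padding scheme, which this toy omits.

```python
import hashlib

# Constructed toy primes (Mersenne primes), chosen so the key pairs are easy to
# reproduce. They are guessable by inspection and give no real security.
MERCHANT_PRIMES = (2**127 - 1, 2**521 - 1)
CUSTOMER_PRIMES = (2**89 - 1, 2**607 - 1)


def mod_inverse(a, m):
    """Extended Euclid: return x with (a * x) % m == 1, or raise if none exists."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("not invertible")
    return old_s % m


def generate_keypair(primes, e=65537):
    """Return (public_key, private_key) as (e, n) and (d, n). The public key is
    disseminated widely; the private key never leaves its owner (slide 42)."""
    p, q = primes
    n = p * q
    phi = (p - 1) * (q - 1)
    return (e, n), (mod_inverse(e, phi), n)


def encrypt(message, public_key):
    """Confidentiality: anyone can encrypt with the recipient's PUBLIC key."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n or message[:1] == b"\x00":
        raise ValueError("message must be shorter than the modulus and not start with NUL")
    return pow(m, e, n)


def decrypt(ciphertext, private_key):
    """Only the holder of the matching PRIVATE key recovers the plaintext."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def message_digest(message):
    """Hash function step (slide 45): a fixed-length 256-bit digest, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, signer_private_key):
    """Digital signature: the digest is transformed with the signer's own PRIVATE
    key, which nobody else holds (authentication, nonrepudiation)."""
    d, n = signer_private_key
    return pow(message_digest(message), d, n)


def verify(message, signature, signer_public_key):
    """Integrity check: recompute the digest and compare it with the digest
    recovered from the signature using the signer's PUBLIC key."""
    e, n = signer_public_key
    return pow(signature, e, n) == message_digest(message)


def send_order(order, customer_private, merchant_public):
    """Customer side: sign with own private key, encrypt with the merchant's public key."""
    return encrypt(order, merchant_public), sign(order, customer_private)


def receive_order(ciphertext, signature, merchant_private, customer_public):
    """Merchant side: decrypt with own private key, then verify the customer's
    signature. Returns (order, verified)."""
    order = decrypt(ciphertext, merchant_private)
    return order, verify(order, signature, customer_public)


if __name__ == "__main__":
    merchant_pub, merchant_priv = generate_keypair(MERCHANT_PRIMES)
    customer_pub, customer_priv = generate_keypair(CUSTOMER_PRIMES)
    order = b"ORDER 1234: 2 x widget, ship to Alice"   # constructed sample order
    ct, sig = send_order(order, customer_priv, merchant_pub)
    got, ok = receive_order(ct, sig, merchant_priv, customer_pub)
    print(got, ok)                                                            # order, True
    # An altered order fails verification because its digest no longer matches.
    print(verify(b"ORDER 1234: 9 x widget, ship to Alice", sig, customer_pub))  # False
```

The customer cannot later repudiate the order because only the customer's private key could have produced a signature that the customer's public key verifies.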