2. The E-Commerce Security
Environment
For most law-abiding citizens, the Internet holds
the promise of a huge and convenient global
marketplace
For criminals, the Internet has created entirely
new – and profitable – ways to steal from the
more than one billion Internet consumers
worldwide
From products to services to cash to information,
it’s all there for the taking on the Internet
It’s also less risky to steal online
For example, rather than rob a bank in person,
the Internet makes it possible to rob people
3. The Scope of the Problem
Cybercrime is becoming a more significant
problem for both organizations and consumers
Bot networks, DDoS attacks, Trojans, phishing,
data theft, identify theft, credit card fraud, and
spyware are just some of the threats that are
making daily headlines
Even social networking sites have had security
breaches
For example, an individual hacked into Britney
Spears’ Twitter account and began sending
messages saying the singer had died
4. The Scope of the Problem (cont.)
One source of cybercrime information is the
Internet Crime Complaint Center (IC3)
In 2010, the IC3 processed more than 303,000
Internet crime complaints and it was estimated
that in 2009 the total dollar loss for all referred
crimes was $559 million
In the past, auction fraud constituted over 70% of
complaints, but in 2010 it was only 10%,
displaced by non payment/delivery (21%) and
identity theft (16%)
The Computer Security Institute’s annual
Computer Crime and Security Survey is another
source of information
6. The Underground Economy Marketplace:
The Value of Stolen Information
Criminals who steal information on the Internet do
not always use this information themselves, but
instead derive value by selling the information to
others
Some recently observed prices for stolen
information, which typically vary depending on the
quantity being purchased
Not every cybercriminal is necessary after money
In some cases, such criminals aim to deface,
vandalize, and/or disrupt a Web site, rather than
actually steal goods or services
7. What is Good E-Commerce
Security?
What is a secure commercial transaction?
Anytime you go into a marketplace you take risks,
including the loss of privacy
E-commerce merchants and consumers face
many of the same risks as participants in
traditional commerce, although in a new digital
environment
Reducing risks in e-commerce is a complex
process that involves new technologies,
organizational policies and procedures, and new
laws and industry standards that empower law
enforcement officials to investigate and prosecute
offenders
10. The Tension Between Security
and Other Values
Can there be too much security? The answer is
yes.
Computer security adds overhead and expense
to business operations
Expanding computer security also has other
downsides:
Makes systems more difficult to use
Slows down processors
Increases data storage demands
May reduce individual’s abilities to remain
anonymous
11. Security Threats in the E-
Commerce Environment
From a technological perspective, there are three
key points of vulnerability when dealing with e-
commerce: the client, the server, and the
communications pipeline
Figure 5.4 illustrates some of the things that can
go wrong at each major vulnerability point in the
transaction
14. Common E-Commerce Security
Threats
Some of the most common and most damaging forms
of security threats to e-commerce consumers and site
operators include:
Malicious code (malware) – virus, worm, Trojan horse,
bots, etc.
Unwanted programs (spyware)
Phishing and identify theft – social engineering
Hacking and cybervandalism
Credit card fraud/theft
Spoofing (pharming) and spam (junk) websites
Denial of service (DoS) attacks
Insider attacks
Poorly designed server and client software
Social networks and mobile devices greatly expand
the security threats to organizations and individuals
15. Technology Solutions
It might seem like there is not much that can be
done about the onslaught of security breaches on
the Internet
But in fact a great deal of progress has been
made by private security firms, corporate and
home users, network administrators, technology
firms, and government agencies
Two lines of defense include:
Technology solutions
Policy solutions
16. Encryption
Encryption is the process of transforming plain
text or data into cipher text that cannot be read by
anyone other than the sender and the receiver
The purpose of encryption is to secure stored
information and to secure information
transmission
One early encryption method was symmetric key
encryption where both the sender and the
receiver use the same key to encrypt and decrypt
the message
They had to send the key to each other over
some communications media or in person
18. Limitations to Encryption
Solutions
All forms of encryption have limitations
It is not effective against insiders
Protecting private keys may also be difficult
because they are stored on insecure desktop and
laptop computers
Additional technology solutions exist for securing
channels of communications, networks, and
servers/clients
20. Management Policies, Business
Procedures, and Public Laws
US businesses and government agencies spend
about 14% of their information technology
budgets on security hardware, software, and
services (about $35 billion in 2010)
However, most CEOs and CIOs of existing e-
commerce operations believe that technology is
not the sole answer to managing the risk of e-
commerce
An e-commerce security plan would include a risk
assessment, development of a security policy,
implementation plan, creation of a security
organization, and a security audit
Implementation may involve expanded forms of
21. The Roles of Laws and Public
Policy
The public policy environment today is very
different fro the early days of e-commerce
The net result is that the Internet is no longer an
ungoverned, unsupervised, self-controlled
technology juggernaut
It is also apparent that legal and public policy
solutions also need to be enacted globally
22. Government Policies and Controls on
Encryption Software
An interesting example of the difficulties involved
in enhancing security is the case of encryption
software distribution
Governments have required to restrict availability
and export of encryption systems as a means of
detecting and preventing crime and terrorism
On one hand, restricting global distribution of
advanced encryption systems may reduce the
likelihood that they may be cracked
But it also reduces global Internet security if
different countries have different levels of
protection
