ecommerce security

Upload: politegcuf

Post on 06-May-2015

Category:

Education


1 download

DESCRIPTION

This lecture was delivered by Mam Shafia, a lecturer at GCUF, on e-commerce security, and was modified by Syed Mubashair Abid.

TRANSCRIPT

1. E-Commerce Security

2. The E-Commerce Security Environment
• For most law-abiding citizens, the Internet holds the promise of a huge and convenient global marketplace
• For criminals, the Internet has created entirely new and profitable ways to steal from the more than one billion Internet consumers worldwide
• From products to services to cash to information, it's all there for the taking on the Internet
• It's also less risky to steal online
• For example, rather than rob a bank in person, the Internet makes it possible to rob people

3. The Scope of the Problem
• Cybercrime is becoming a more significant problem for both organizations and consumers
• Bot networks, DDoS attacks, Trojans, phishing, data theft, identity theft, credit card fraud, and spyware are just some of the threats that are making daily headlines
• Even social networking sites have had security breaches
• For example, an individual hacked into Britney Spears' Twitter account and began sending messages saying the singer had died

4. The Scope of the Problem (cont.)
• One source of cybercrime information is the Internet Crime Complaint Center (IC3)
• In 2010, the IC3 processed more than 303,000 Internet crime complaints, and it was estimated that in 2009 the total dollar loss for all referred crimes was $559 million
• In the past, auction fraud constituted over 70% of complaints, but in 2010 it was only 10%, displaced by non-payment/delivery (21%) and identity theft (16%)
• The Computer Security Institute's annual Computer Crime and Security Survey is another source of information

5. Types of Attacks Against Computer Systems (figure)

6. The Underground Economy Marketplace: The Value of Stolen Information
• Criminals who steal information on the Internet do not always use this information themselves, but instead derive value by selling the information to others
• Some recently observed prices for stolen information, which typically vary depending on the quantity being purchased (table)
• Not every cybercriminal is necessarily after money
• In some cases, such criminals aim to deface, vandalize, and/or disrupt a Web site, rather than actually steal goods or services

7. What is Good E-Commerce Security?
• What is a secure commercial transaction?
• Anytime you go into a marketplace you take risks, including the loss of privacy
• E-commerce merchants and consumers face many of the same risks as participants in traditional commerce, although in a new digital environment
• Reducing risks in e-commerce is a complex process that involves new technologies, organizational policies and procedures, and new laws and industry standards that empower law enforcement officials to investigate and prosecute offenders

8. The E-Commerce Security Environment (figure)

9. The Tension Between Security and Other Values
• Can there be too much security? The answer is yes.
• Computer security adds overhead and expense to business operations
• Expanding computer security also has other downsides:
  – Makes systems more difficult to use
  – Slows down processors
  – Increases data storage demands
  – May reduce individuals' abilities to remain anonymous

10. Security Threats in the E-Commerce Environment
• From a technological perspective, there are three key points of vulnerability when dealing with e-commerce: the client, the server, and the communications pipeline
• Figure 5.4 illustrates some of the things that can go wrong at each major vulnerability point in the transaction

11. A Typical E-Commerce Transaction (figure)

12. Vulnerable Points in an E-Commerce Transaction (figure)

13. Common E-Commerce Security Threats
• Some of the most common and most damaging forms of security threats to e-commerce consumers and site operators include:
  – Malicious code (malware): virus, worm, Trojan horse, bots, etc.
  – Unwanted programs (spyware)
  – Phishing and identity theft (social engineering)
  – Hacking and cybervandalism
  – Credit card fraud/theft
  – Spoofing (pharming) and spam (junk) websites
  – Denial of service (DoS) attacks
  – Insider attacks
  – Poorly designed server and client software
• Social networks and mobile devices greatly expand the security threats to organizations and individuals

14. Technology Solutions
• It might seem like there is not much that can be done about the onslaught of security breaches on the Internet
• But in fact a great deal of progress has been made by private security firms, corporate and home users, network administrators, technology firms, and government agencies
• Two lines of defense include:
  – Technology solutions
  – Policy solutions

15. Encryption
• Encryption is the process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the receiver
• The purpose of encryption is to secure stored information and to secure information transmission
• One early encryption method was symmetric key encryption, where both the sender and the receiver use the same key to encrypt and decrypt the message
• They had to send the key to each other over some communications media or in person

16. Public Key Cryptography (figure)

17. Limitations to Encryption Solutions
• All forms of encryption have limitations
• It is not effective against insiders
• Protecting private keys may also be difficult because they are stored on insecure desktop and laptop computers
• Additional technology solutions exist for securing channels of communications, networks, and servers/clients

18. Communication Channel, Network, and Server/Client Security Technologies
• Communication channel security technologies:
  – Secure Sockets Layer (SSL)
  – Virtual Private Networks (VPNs)
• Network protection technologies:
  – Firewalls
  – Proxy servers
• Server/client protection technologies:
  – Operating system security enhancements
  – Anti-virus software

19. Management Policies, Business Procedures, and Public Laws
• US businesses and government agencies spend about 14% of their information technology budgets on security hardware, software, and services (about $35 billion in 2010)
• However, most CEOs and CIOs of existing e-commerce operations believe that technology is not the sole answer to managing the risk of e-commerce
• An e-commerce security plan would include a risk assessment, development of a security policy, an implementation plan, creation of a security organization, and a security audit
• Implementation may involve expanded forms of

20. The Roles of Laws and Public Policy
• The public policy environment today is very different from the early days of e-commerce
• The net result is that the Internet is no longer an ungoverned, unsupervised, self-controlled technology juggernaut
• It is also apparent that legal and public policy solutions also need to be enacted globally

21. Government Policies and Controls on Encryption Software
• An interesting example of the difficulties involved in enhancing security is the case of encryption software distribution
• Governments have sought to restrict the availability and export of encryption systems as a means of detecting and preventing crime and terrorism
• On one hand, restricting global distribution of advanced encryption systems may reduce the likelihood that they may be cracked
• But it also reduces global Internet security if different countries have different levels of protection
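The encryption slides (15 and 16) describe two ideas in words: with a symmetric key, sender and receiver must already hold the same secret, and public key cryptography removes the need to carry that key "over some communications media or in person". The following Python program is an added example, not part of the lecture, that shows both ideas end to end using only the standard library. The cipher is a teaching toy (an HMAC-SHA256 keystream with an HMAC tag, standing in for a real cipher such as AES-GCM), the Diffie-Hellman group over 2**127 - 1 is deliberately tiny, and the order message is constructed; all function names are this example's own.

```python
# Added illustration (not from the lecture): symmetric encryption needs the
# same key at both ends, and public-key agreement solves the key-exchange
# problem the slides describe. Stdlib only; the cipher is a teaching toy
# (HMAC-SHA256 keystream + HMAC tag) standing in for AES-GCM, and the
# Diffie-Hellman group is deliberately tiny.
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into `length` bytes by running HMAC-SHA256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)        # fresh per message, never reused
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def symmetric_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or any tampering is rejected outright."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        raise ValueError("authentication failed: wrong key or tampered message")
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def decrypt_or_none(key: bytes, blob: bytes):
    """Convenience wrapper: None instead of an exception when decryption is refused."""
    try:
        return symmetric_decrypt(key, blob)
    except ValueError:
        return None


# Toy Diffie-Hellman parameters (constructed for illustration). 2**127 - 1 is a
# Mersenne prime; real deployments use 2048-bit+ MODP groups or elliptic curves.
P = 2**127 - 1
G = 3


def dh_keypair():
    """The private exponent stays local; only the public value crosses the wire."""
    private = 2 + secrets.randbelow(P - 3)        # in [2, P-2]
    return private, pow(G, private, P)


def dh_shared_key(private: int, peer_public: int) -> bytes:
    """Derive a 32-byte symmetric key from the shared secret; reject degenerate peers."""
    if not 1 < peer_public < P - 1:               # 0, 1 and P-1 give a trivial secret
        raise ValueError("invalid peer public value")
    shared = pow(peer_public, private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def demo() -> bool:
    """Walk through the two situations the slides describe; True if every check holds."""
    # 1. Symmetric key: merchant and customer must already share the same key.
    shared_key = secrets.token_bytes(32)
    order = b"order 4711: charge card ending 1234"             # constructed sample
    blob = symmetric_encrypt(shared_key, order)
    ok = symmetric_decrypt(shared_key, blob) == order
    # A third party holding a different key is refused, not handed garbage.
    ok &= decrypt_or_none(secrets.token_bytes(32), blob) is None
    # Flipping one ciphertext byte in transit is caught by the tag check.
    tampered = bytearray(blob)
    tampered[NONCE_LEN] ^= 0x01
    ok &= decrypt_or_none(shared_key, bytes(tampered)) is None
    # 2. Key distribution: agree on the key over the open channel instead of
    #    carrying it "over some communications media or in person".
    cust_priv, cust_pub = dh_keypair()
    merch_priv, merch_pub = dh_keypair()
    k_customer = dh_shared_key(cust_priv, merch_pub)
    k_merchant = dh_shared_key(merch_priv, cust_pub)
    ok &= k_customer == k_merchant
    ok &= symmetric_decrypt(k_merchant, symmetric_encrypt(k_customer, order)) == order
    return ok


if __name__ == "__main__":
    print("all checks passed" if demo() else "FAILED")
```

Two design points worth noticing: the receiver checks the authentication tag before touching the ciphertext, so a wrong key or a modified message produces a clean refusal rather than silently decrypted garbage, and the agreed Diffie-Hellman secret is hashed into a fixed-length key rather than used directly. Slide 17's caveat still applies: none of this helps if the private exponent or the shared key is lifted from an insecure desktop, which is why real systems pair the cipher with key storage and host protections.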