EMIS 528 Assignment (Security in E-Commerce)


Post on 25-Feb-2018


  • 7/25/2019 EMIS 528_Assignment(Security in E Commerce)

    1/24

    Submitted By

    MD. ABDULLAH AL AHAD | ID: 61323-16-029
    MAHMUD PARVEJ | ID: 61325-18-052
    SHUVAJYOTI ROY | ID: 61426-19-020

    SECURITY IN E-COMMERCE

    EMIS-528 (Information Security Management System)

    Submitted To

    Md. Rakibul Hoque

    Assistant Professor

    Department of Management Information Systems

    University of Dhaka

    MBA (Evening) Program, Department of Management Information Systems, University of Dhaka


    1 | P a g e Security in E-Commerce

    Executive Summary

    Electronic commerce may include any computer-mediated business process, but a common usage is to describe commerce (buying and selling of a product or service) taking place using the World Wide Web (WWW) as an enabling transport [1]. Since the invention of the WWW in 1989, Internet-based electronic commerce has been transformed from a mere idea into reality. Consumers browse through catalogues, search for the best offers, order goods, and pay for them electronically. Most financial institutions have some sort of online presence, allowing their customers to access and manage their accounts, make financial transactions, trade stocks, and so forth. Electronic mail is exchanged within and between enterprises and often already replaces fax copies. Soon there will arguably be no enterprise left without an Internet presence, if only for advertising reasons [2].

    Thus, doing electronic business on the Internet is already an easy task. So are cheating and snooping. Several reasons contribute to this insecurity: the Internet does not offer much security per se. Eavesdropping and acting under a false identity are simple. Stealing data is undetectable in most cases. Popular PC operating systems offer little or no security against viruses or other malicious software, which means that users cannot even trust the information displayed on their own screens. At the same time, user awareness of security risks is threateningly low. In this paper, various probable crimes in e-commerce, along with their potential causes and plausible security measures, are outlined.


    Table of Contents

    Introduction ........ 3
    Security Issues in E-commerce ........ 5
      Dimensions of E-commerce Security ........ 5
      The Tension between Security and Other Values ........ 6
      Security Threats in the E-commerce Environment ........ 6
        A Typical E-commerce Transaction ........ 6
        Vulnerable Points ........ 7
      Detailing of Security Vulnerabilities in Electronic Commerce ........ 7
      Viable Causes behind Security Threats ........ 9
    Probable Crimes in E-commerce Environment ........ 10
      Most Common Security Threats in the E-commerce Environment ........ 10
      Unwanted Programs ........ 10
      Phishing and Identity Theft ........ 11
      Hacking and Cyber Vandalism ........ 11
      Credit Card Fraud ........ 11
      Spoofing (Pharming) and Spam (Junk) Web Sites ........ 12
      DoS and DDoS Attacks ........ 12
      Denial of Service ........ 13
      SMURF Attack ........ 13
      Other Security Threats ........ 13
    Security Steps to Protect E-Commerce ........ 14
      Technology Solutions ........ 15
        Protecting Internet Communications: Encryption ........ 15
        Network Transport Security ........ 17
    Conclusion ........ 21
    References ........ 22


    Introduction

    The utilization of the Internet is increasing rapidly every year; the availability of low-cost peripheral devices and wider Internet accessibility options are key contributing factors [3]. The progression of technology over recent years has enabled the consumer a broader and much more enriched interactive experience [4]. The availability of a wide variety of applications and simple point-and-click interfaces has further contributed to this experience through its ease of use.

    A wide variety of commerce is conducted via e-commerce, including electronic funds transfer, supply chain management, Internet marketing, online transaction processing, electronic data interchange (EDI), inventory management systems, and automated data collection systems. US online retail sales reached $175 billion in 2007 and are projected to grow to $335 billion by 2012 [5]. As a result, IT usage has become common practice.

    Business-to-consumer (B2C) and business-to-business (B2B) transactions are commonly used in the market. The fusion and integration of these two types of transactions has produced e-commerce [6] [7]. Chen and Dhillon have defined e-commerce as the transaction of goods and services over the Internet [4]. It is also described as the sharing, transferring and exchanging of information [8]. Over the past few years e-commerce has maintained a rapid yet steady pace. It has been a dynamic force, a catalyst in changing the nature of business transactions and operations all around the world [9]. It should also be noted that, unlike traditional commerce, e-commerce does not allow physical interaction between consumers and retailers or suppliers [4]. This fact raises a number of risks and issues, including technological, security, privacy, trust, legal and other related issues [9]. The following research focuses on two of these issues, security and privacy. The factoring of security and privacy into e-commerce models is of considerable importance to consumers, businesses, and regulators [10]. The majority of customers feel insecure about the existing policies and guidelines with respect to privacy and security online. Such insecurities have a negative impact on any economic model. That said, online security breaches can be considered a fast-spreading menace in current-day economic settings around the world. E-commerce providers must also protect against a number of different external security threats, most notably denial of service (DoS). The financial services sector still bears the brunt of e-crime, accounting for 72% of all attacks, but the sector that experienced the greatest increase in the number of attacks was e-commerce. Attacks in this sector rose by 15% from 2006 to 2007 [11].


    Security Issues in E-commerce

    In e-commerce development, security is a critical factor to consider [12]. It is one of the pivotal success factors of e-commerce. Security is defined as the protection of data against accidental or intentional disclosure to unauthorized persons, or unauthorized modification or destruction [13]. It usually refers to the provision of access control, privacy, confidentiality, integrity, authentication, non-repudiation, availability and effectiveness [9][14][15]. Surveys conducted and compiled recently show increasing concern about security risks, which have become a global issue [6]. When customers lose confidence in a system's ability to protect sensitive and confidential data such as credit card information, its feasibility will be compromised and the system will be rendered helpless [16].

    Electronic commerce has been weakened by the deterioration of the confidence the consumer public holds towards it. This in turn poses an immense threat to its overall expansion and success [13]. In fact, Hoffman et al. stated that 63% of online end-users intentionally delay providing personal information due to diminished confidence and trust in sites [4]. If credibility is to be achieved, improved security and privacy protocols should be incorporated. At present security is pivotal, and concern about its effectiveness is perhaps the key reason why web users do not make online purchases [13]. The US-based Better Business Bureau confirmed that online security was a great concern in 2001 [4]. Types of security threats include identity theft, i.e. the illegal use of personal information, which is in fact the leading type of fraud in the USA [17]. Other threats include gaining physical access to premises, wiretaps, unauthorized acquisition of information, viruses, lack of integrity, financial fraud, vandalism, etc. [16][9].

    Dimensions of E-commerce Security

    Integrity: the ability to ensure that information being displayed on a Web site or transmitted/received over the Internet has not been altered in any way by an unauthorized party.

    Nonrepudiation: the ability to ensure that e-commerce participants do not deny (repudiate) their online actions.

    Authenticity: the ability to identify the person or entity with whom you are dealing on the Internet.

    Confidentiality: the ability to ensure that messages and data are available only to those authorized to view them.

    Privacy: the ability to control the use of information a customer provides about himself or herself to a merchant.

    Availability: the ability to ensure that an e-commerce site continues to function as intended.

    The Tension between Security and Other Values

    Security vs. ease of use: the more security measures are added, the more difficult a site is to use, and the slower it becomes.

    Too much security can harm profitability, while not enough security can put you out of business.

    There is tension between the desire of individuals to act anonymously (to hide their identity) and the need to maintain public safety, which can be threatened by criminals or terrorists.

    The Internet is both anonymous and pervasive, an ideal communication tool for criminal and terrorist groups (Coll and Glasser 2005).

    Security Threats in the E-commerce Environment

    Three key points of vulnerability:

    Client

    Server

    Communications channel

    A Typical e-commerce transaction


    Vulnerable Points

    Detailing of Security vulnerabilities in electronic commerce

    There are many points of failure, or vulnerabilities, in an e-commerce environment. Even in a simplified e-commerce scenario (a single user contacts a single web site and then gives his credit card and address information for shipping a purchase) many potential security vulnerabilities exist. Indeed, even in this simple scenario, a number of systems and networks are involved. Each has security issues:

    A user must use a web site and at some point identify, or authenticate, himself to the site. Typically, authentication begins on the user's home computer and its browser. Unfortunately, security problems in home computers offer hackers other ways to steal e-commerce data and identification data from users. Some current examples include a popular home-banking system that stores a user's account number in a Web cookie which hostile web sites can crack [18]; ineffective encryption or lack of encryption for home wireless networks [19]; and mail-borne viruses that can steal the user's financial data from the local disk [20] or even from the user's keystrokes [21]. While these specific security problems will be fixed by some software developers and web-site administrators, similar problems will continue to occur. Alternatives to the home computer include point-of-sale (POS) terminals in brick-and-mortar stores, as well as a variety of mobile and handheld devices.

    The user's web browser connects to the merchant front-end. When a consumer makes an online purchase, the merchant's web server usually caches the order's personal information in an archive of recent orders. This archive contains everything necessary for credit-card fraud. Further, such archives often hold 90 days' worth of customers' orders. Naturally, hackers break into insecure web servers to harvest these archives of credit card numbers. Several recent thefts netted 100,000, 300,000, and 3.7 million credit-card records, respectively. Accordingly, an e-commerce merchant's first security priority should be to keep the web servers' archives of recent orders behind the firewall, not on the front-end web servers [22]. Furthermore, sensitive servers should be kept highly specialized, by turning off and removing all inessential services and applications (e.g., ftp, email). Other practical suggestions for securing web servers can be found in [23] and [24], among many others.

    The merchant back-end and database. A site's servers can weaken the company's internal network. This is not easily remedied, because the web servers need administrative connections to the internal network, but web server software tends to have buggy security. Here, the cost of failure is very high, with potential theft of customers' identities or corporate data. Additionally, the back-end may connect with third-party fulfillment centers and other processing agents. Arguably, the risk of stolen product is the merchant's least important security concern, because most merchants' traditional operations already have careful controls to track payments and deliveries. However, these third parties can release valuable data through their own vulnerabilities.
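One way to apply the advice above (keep the archive of recent orders off the front-end web servers) is to make sure the front-end order record never holds a full card number in the first place. The following is an added example, not code from the paper: it validates the card number with the Luhn check, replaces it with a keyed token that only the back-end vault (the holder of the key) can relate back to the card, keeps only the last four digits for display, and drops the CVV entirely. The key value, the field names and the sample order are assumptions made for this illustration.

```python
"""Added example (not from the original paper): keep full card numbers off the
front-end order archive.  The paper notes that merchants' web servers often
cache ~90 days of orders containing everything needed for card fraud; the usual
mitigation is never to let the full PAN reach that archive."""
import hashlib
import hmac
import re

# Assumed: a per-merchant secret held only by the back-end vault, never on the
# web tier.  Hypothetical value for the example.
VAULT_TOKEN_KEY = b"example-vault-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test: weeds out typos before a PAN is ever stored."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize_pan(pan: str) -> str:
    """Keyed hash that stands in for the PAN on the web tier.  Only the vault
    (which holds the key) can relate token to card; an attacker who harvests
    the archive gets tokens that cannot be charged and cannot be brute-forced
    across the 16-digit space without the key."""
    normalized = re.sub(r"\D", "", pan)
    return hmac.new(VAULT_TOKEN_KEY, normalized.encode(), hashlib.sha256).hexdigest()


def sanitize_order_for_front_end(order: dict) -> dict:
    """Hardened form of the archive record: PAN replaced by token plus masked
    display string; CVV dropped entirely (it must never be stored)."""
    pan = re.sub(r"\D", "", order["card_number"])
    if not luhn_valid(pan):
        raise ValueError("card number fails Luhn check")
    safe = {k: v for k, v in order.items() if k not in ("card_number", "cvv")}
    safe["card_token"] = tokenize_pan(pan)
    safe["card_display"] = "*" * (len(pan) - 4) + pan[-4:]
    return safe


# Constructed sample order, the kind of record a merchant front-end would cache.
SAMPLE_ORDER = {
    "order_id": "A1001",
    "customer": "J. Doe",
    "ship_to": "12 Example St",
    "card_number": "4539 1488 0343 6467",   # passes Luhn; test number, not a real card
    "cvv": "123",
    "amount": "49.90",
}

if __name__ == "__main__":
    print(sanitize_order_for_front_end(SAMPLE_ORDER))
```

The token is an HMAC rather than a plain hash because the PAN space is small enough that an unkeyed SHA-256 of a 16-digit number can be brute-forced offline; with the key held only behind the firewall, the front-end archive is worthless to whoever harvests it.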

    This is a simplified model of an e-commerce architecture; yet even in its simplicity, there are a number of security problems. Note that encrypted e-commerce connections do little to help solve any but network security problems. While other problems might be ameliorated by encryption, there are still vulnerabilities in the software clients and servers that must use the data. We discuss the implications of these vulnerabilities below: users who may themselves release data or act in ways that place sites in jeopardy, the constant pressure of new technologies and the resulting constant threat of new vulnerabilities, as well as the requirements for critical organizational processes. However, before discussing potential requirements for e-commerce sites and their consumers, it is important to survey potential security technologies.

    Viable Causes behind Security Threats

    Reasons for high security risks include the imperfection of e-commerce laws, regulations, systems, technology and the Internet. Security is a key integral issue for users, regardless of what the application may be, ranging from locking a computer to conducting business via the Internet [17]. The rapid development of e-business and e-commerce applications has resulted in an increased amount of illegal infiltration into information systems which were initially deemed safe [6]. Since e-commerce is completely reliant on IT, it could be stated that future developments in e-commerce will depend solely on IT security and risk management. Garg et al. state that "a percentage between 36 and 90 percent of organizations confirmed security breaches in the past year alone" [6]. These statistics help increase or maintain customers' negative perception of the e-market and explain why a lot of people are fearful or insecure about buying or performing sensitive transactions online. It seems as if the only solution to the problem, and the way to increase e-sales, is to provide fully secured networks that guarantee confidentiality and safety. It is, however, not that simple. Technologies that provide flawless security measures and guarantees are very expensive and in most cases not easily acquired. Web-based e-commerce is comprised of hyperlinked web pages alongside applications and incompatible technologies that bring about business transactions among different companies spanning the globe [7]. Therefore, even if a business tries to deploy error-free security software, success is not guaranteed, as there are many factors influencing the flow and security of information in cyberspace. Moreover, in order for e-commerce to develop customer trust, the change has to be made collectively, not just by a few companies. In the case of small to medium businesses it is difficult and costly to incorporate complete IT security [6]. Leaving aside the multifaceted technologies required, e-commerce systems are founded on the World Wide Web, which coincidentally has a history of exposure to a variety of security threats [7].


    Probable Crimes in E-commerce Environment

    Most Common Security Threats in the E-commerce Environment

    Malicious code (viruses, worms, Trojans)

    Unwanted programs (spyware, browser parasites)

    Phishing/identity theft

    Hacking and cyber vandalism

    Credit card fraud/theft

    Spoofing (pharming)/spam (junk) Web sites

    DoS and DDoS attacks

    Sniffing

    Insider attacks

    Poorly designed server and client software

    Malicious code tries to impair computers and to steal email addresses, logon credentials, personal data, and financial information.

    Viruses: computer programs that have the ability to replicate and spread to other files; most also deliver a payload of some sort (destructive or benign). They include macro viruses, file-infecting viruses, and script viruses.

    Worms: designed to spread from computer to computer; unlike a virus, a worm can replicate without being executed by a user or program.

    Trojan horse: appears to be benign, but then does something other than expected.

    Bots: can be covertly installed on a computer; respond to external commands sent by the attacker to create a network of compromised computers for sending spam, generating a DDoS attack, and stealing information from computers.

    Unwanted Programs

    Installed without the user's informed consent.

    Browser parasites: can monitor and change the settings of a user's browser.

    Adware: calls up unwanted pop-up ads.

    Spyware: can be used to obtain information, such as a user's keystrokes, e-mail, IMs, etc.

    Phishing and Identity Theft

    Any deceptive online attempt by a third party to obtain confidential information for financial gain.

    Most popular type: the e-mail scam letter, e.g., a rich former Nigerian oil minister seeking a bank account in which to deposit millions of dollars, or fake account-verification e-mails from eBay or Citibank asking the recipient to give up personal account information, bank account numbers, and credit card numbers.

    One of the fastest growing forms of e-commerce crime: 197,000 unique new phishing e-mails were sent within the first 6 months of 2007, an 18% increase.

    Hacking and Cyber Vandalism

    Hacker: an individual who intends to gain unauthorized access to computer systems.

    Cracker: a hacker with criminal intent (the two terms are often used interchangeably).

    Cyber vandalism: intentionally disrupting, defacing or destroying a Web site.

    Types of hackers include:

    White hats: hired by a corporation to find weaknesses in the firm's computer system.

    Black hats: hackers with the intention of causing harm.

    Grey hats: hackers who break in and reveal system flaws without disrupting the site or attempting to profit from their finds.

    Credit Card Fraud

    Fear that credit card information will be stolen deters online purchases.

    The overall rate of credit card fraud is lower than users think: 1.6-1.8% of all online card transactions.

    US federal law limits the liability of individuals to $50 for a stolen credit card.

    Hackers target credit card files and other customer information files on merchant servers, and use the stolen data to establish credit under a false identity.

    One solution: new identity verification mechanisms.

    Spoofing (Pharming) and Spam (Junk) Web Sites

    Spoofing (pharming): misrepresenting oneself by using fake e-mail addresses or masquerading as someone else.

    Threatens the integrity and authenticity of a site.

    Spoofing a Web site is called pharming, which involves redirecting a Web link to an IP address different from the real one.

    Pharming is typically carried out by compromising or poisoning DNS servers and resolvers (or the victim's local hosts file) so that the legitimate name resolves to the attacker's address.

    Threatens the integrity of a site by stealing business from the true site, or by altering orders and sending them to the true site for processing and delivery.

    Threatens authenticity by making it hard to discern the true sender of a message.

    Spam (junk) Web sites

    Use domain names similar to a legitimate one and redirect traffic to spammer-redirection domains.
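Spam and pharming sites both trade on domain names that look like the real one. As an added example (not code from the paper), the check below flags host names that imitate a small set of protected merchant domains: it folds common visually confusable characters, looks for a brand name appearing anywhere in the host name outside the brand's real registrable domain, and catches typo-squats within two edits of the brand. The brand list, the confusable table and the sample domains are constructed for this illustration, and the two-label "registrable domain" rule is a simplification (a real deployment would use the public suffix list and an allowlist for false positives such as a brand word inside an ordinary word).

```python
"""Added example (not from the original paper): flag look-alike domains of the
kind used by spam and pharming sites."""

PROTECTED = {"paypal.com", "ebay.com", "citibank.com"}   # constructed brand list

# Small table of characters attackers swap for visually similar ones.
CONFUSABLES = {"0": "o", "1": "l", "|": "l", "5": "s", "3": "e", "vv": "w", "rn": "m"}


def skeleton(label: str) -> str:
    """Fold a label so that visually confusable spellings compare equal."""
    s = label.lower()
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # deletion
                           cur[j - 1] + 1,            # insertion
                           prev[j - 1] + (ca != cb)))  # substitution / match
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a host name (simplification: no public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:])


def classify(domain: str) -> str:
    """'legit' for a protected domain itself, 'lookalike' for an imitation of
    one, otherwise 'unrelated'."""
    host = domain.lower().rstrip(".")
    if registrable(host) in PROTECTED:
        return "legit"
    labels = host.split(".")
    name = labels[-2] if len(labels) >= 2 else labels[0]
    for brand in PROTECTED:
        bname = brand.split(".", 1)[0]
        # Brand word anywhere in the host name (paypal-login.net,
        # ebay.support-center.com, citibank.com.verify.ru) even though the
        # registrable domain is not the brand's own.
        if any(bname in skeleton(lbl) for lbl in labels):
            return "lookalike"
        # Typo-squat: within two edits of the brand after confusable folding.
        if edit_distance(skeleton(name), bname) <= 2:
            return "lookalike"
    return "unrelated"


SAMPLE_DOMAINS = [  # constructed
    "www.paypal.com", "paypa1.com", "paypal-secure-login.net",
    "secure.ebay.com", "ebay.support-center.com",
    "citibank.com.verify-account.ru", "example.org",
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:35} {classify(d)}")
```

Run this over newly registered domains or over the host names in inbound mail links; hits are candidates for blocking or for a takedown request, not proof of fraud on their own.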

    DoS and DDoS Attacks

    Denial of service (DoS) attack: hackers flood a Web site with useless traffic to inundate and overwhelm the network.

    Uses bot networks built from hundreds of compromised workstations.

    The number of DoS attacks per day grew from 119 during the last 6 months of 2004 to 927 during the first 6 months of 2005, a 679% increase [11].

    Distributed denial of service (DDoS) attack: hackers use numerous computers to attack the target network from numerous launch points.

    Microsoft and Yahoo have experienced such attacks.

    Denial of Service

    Ping flooding: the attacker sends a flood of pings (ICMP echo requests) to the intended victim. The ping packets saturate the victim's bandwidth.

    SMURF Attack

    Uses a ping packet with two extra twists: the attacker chooses an unwitting victim, spoofs the source address of the echo request to be the victim's address, and sends the request to a network in broadcast mode, so that every host on that network answers the victim at once.
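The two ICMP attacks just described leave distinct traces in flow data, and a detector can key on them. The following is an added example, not code from the paper: it runs over constructed flow records and raises a ping-flood alert when one destination receives a burst of echo requests within a one-second window, a smurf-trigger alert when an echo request is addressed to a monitored subnet's broadcast address (the claimed source is the intended victim), and a smurf-victim alert when echo replies from many distinct hosts converge on one address. The record format, the thresholds, the monitored subnet and the sample traffic are assumptions made for the example.

```python
"""Added example (not from the original paper): detection logic for ping floods
and smurf attacks over constructed ICMP flow records."""
import ipaddress
from collections import Counter, defaultdict

# Constructed records: (timestamp_s, src_ip, dst_ip, icmp_type); 8 = echo request, 0 = echo reply.
SAMPLE_FLOWS = (
    [(1.0 + i * 0.003, "203.0.113.7", "198.51.100.10", 8) for i in range(300)]      # ping flood
    + [(5.0, "198.51.100.10", "192.0.2.255", 8)]                                      # smurf trigger, spoofed src
    + [(5.1 + i * 0.001, f"192.0.2.{i}", "198.51.100.10", 0) for i in range(1, 60)]  # amplified replies
    + [(9.0, "192.0.2.5", "192.0.2.6", 8), (9.0, "192.0.2.6", "192.0.2.5", 0)]      # ordinary ping
)

FLOOD_THRESHOLD = 100   # echo requests per 1-second window at one destination (assumed)
REPLY_THRESHOLD = 20    # echo replies from distinct hosts to one destination (assumed)
MONITORED_SUBNETS = ("192.0.2.0/24",)   # assumed address plan


def is_broadcast(ip: str, subnets=MONITORED_SUBNETS) -> bool:
    """True if ip is the directed-broadcast address of a monitored subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr == ipaddress.ip_network(n).broadcast_address for n in subnets)


def detect_icmp_attacks(flows):
    """Return a sorted list of (kind, detail) alerts."""
    alerts = set()
    requests_per_window = Counter()      # (dst, second) -> echo requests seen
    reply_sources = defaultdict(set)     # dst -> set of hosts that sent echo replies
    for ts, src, dst, itype in flows:
        if itype == 8:
            if is_broadcast(dst):
                alerts.add(("smurf_trigger",
                            f"echo request to broadcast {dst}, claimed source {src}"))
            requests_per_window[(dst, int(ts))] += 1
        elif itype == 0:
            reply_sources[dst].add(src)
    for (dst, window), n in requests_per_window.items():
        if n >= FLOOD_THRESHOLD:
            alerts.add(("ping_flood", f"{n} echo requests to {dst} in second {window}"))
    for dst, srcs in reply_sources.items():
        if len(srcs) >= REPLY_THRESHOLD:
            alerts.add(("smurf_victim",
                        f"{dst} received echo replies from {len(srcs)} hosts"))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, detail in detect_icmp_attacks(SAMPLE_FLOWS):
        print(f"{kind:14} {detail}")
```

The smurf trigger is the only one of the three that can be caught before damage is done, which is why the standard mitigation is to drop directed-broadcast traffic at the router rather than to detect it afterwards.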

    Other Security Threats

    Sniffing: a type of eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information from anywhere on a network.

    Insider jobs: the single largest financial threat. 64% of business firms experienced an inside security breach in their systems in 2006.

    Poorly designed server and client software: the increase in the complexity of software programs (e.g., Microsoft's Win32 API) has contributed to an increase in vulnerabilities that hackers can exploit.


    Security Steps to Protect E-Commerce

    There are many relevant technologies, including cryptographic technologies, that can mitigate the previously mentioned vulnerabilities. However, none is comprehensive or airtight by itself. Accordingly, we next present a brief overview of the major technologies, also considering the advantages and disadvantages of each.

    There are four components involved in e-commerce security: client software, server software, the server operating system, and the network transport. Each component has its own set of issues and challenges associated with securing it:

    Client software is becoming increasingly security-focused; however, single-user desktop operating systems historically have had no security features implemented. E-commerce software that relies on the security of the desktop operating system is easily compromised without the enforcement of strict physical controls.

    Server software is constantly under test and attack by the user community. Although there have been cases of insecurity, a system administrator keeping up with the latest patches and vendor information can provide a high degree of confidence in the security of the server itself.

    Operating systems used for hosting e-commerce servers are securable, but are rarely shipped from the vendor in a default configuration that is secure. E-commerce servers must protect the database of customer information accumulating on the server as well as provide security while the server is handling a transaction. If it is easier for a thief to compromise the server to obtain credit card numbers, why bother sniffing the network for individual credit card numbers?

    Session transport between the client and server uses network protocols that may have little or no built-in security. In addition, networking protocols such as TCP/IP were not designed to have confidentiality or authentication capabilities.


    Technology Solutions

    Protecting Internet communications (encryption)

    Securing channels of communication (SSL, S-HTTP, VPNs)

    Protecting networks (firewalls)

    Protecting servers and clients

    Protecting Internet Communications: Encryption

    In the mass media, the most visible security technologies are the encryption algorithms. For a general introduction to these technologies see [25]; a popularization can be found in [26]. Two classic textbooks are [27] and [28], and encyclopedic compendia include [29] and [30].

    Encryption: the process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and receiver.

    Purpose: to secure stored information and information in transmission.

    Cryptography (encryption together with hashing and digital signatures) provides:

    Message integrity

    Nonrepudiation

    Authentication

    Confidentiality

    Symmetric Key Encryption:

    Symmetric key encryption is also known as secret key encryption. Secret-key cryptography is the more traditional form, and has been used for all kinds of communications throughout the ages. In this method, one "key" is used to both encrypt and decrypt the data. A key can be anything from a secret decoder ring found in a cereal box to a highly complex mathematical algorithm; keys really only differ in the ease with which they can be broken by third parties. In secret-key cryptography, the sender and receiver must have the same key in order for the transmission to work correctly.


    Both the sender and receiver use the same digital key to encrypt and decrypt the message.

    Requires a separate secret key for each pair of communicating parties (and, in practice, a fresh session key for each transaction).

    Advanced Encryption Standard (AES): the most widely used symmetric key encryption today; offers 128-, 192-, and 256-bit keys. (Key lengths such as 2,048 bits belong to public-key algorithms like RSA, not to symmetric ciphers; the two kinds of key size are not comparable.)

    Public Key Encryption:

    The key management problem inherent in secret-key cryptography needed to be addressed in order for large-scale, secure use of data encryption techniques. In 1976, Whitfield Diffie, a cryptographer and privacy advocate, and Martin Hellman, an electrical engineer, working together discovered the concept of public-key encryption. Instead of having one key shared among both users of an encrypted transmission, each user has his or her own public/private key pair. A user makes the public key open and available to anyone (by publishing it online or registering it with a public key server), and keeps the private key hidden away where (hopefully) no one can get at it. The two keys are mathematically linked: the public key is derived from the private key material, but recovering the private key from the public key is computationally infeasible. In order to send someone a message, the sender encrypts the transmission with the receiver's public key. This can then only be decrypted with the receiver's private key. Thus, anyone can encrypt a message with someone else's public key, but only that person would ever be able to read it.

    Solves the symmetric key encryption problem of having to exchange a secret key.

    Uses two mathematically related digital keys: a public key (widely disseminated) and a private key (kept secret by the owner).

    Either key can be used to encrypt; only the other key of the pair can decrypt.

    Once a key is used to encrypt a message, the same key cannot be used to decrypt it.

    For example, the sender uses the recipient's public key to encrypt a message; the recipient uses his/her private key to decrypt it.


Digital signatures

Public-key cryptography also provides a mechanism for authenticating messages that secret-key techniques do not: digital signatures. The sender of a message completes a calculation (performed by a hash function) involving the actual file structure to be transmitted and his or her private key, and the result of this (the digital signature itself) is appended to the end of the transmission. The receiver can then perform a calculation involving the received message and the sender's public key, and if everything is valid, the sender's identity will have been verified. A benefit of this signature method is that it not only verifies the sender's identity; it also verifies that the original contents of the transmission have not been altered in any way. Because the signature is derived from both the key and the data itself, changing the data later on will cause the receiver's verification to fail. This provides authentication that is even better than a signature on a paper document: a signature can be forged, or the contents of the document could somehow be secretly altered, but with public-key authentication, this cannot be done.
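The two flows described in the public-key and digital-signature sections above, as an added example that is not part of the assignment: toy textbook RSA built from two constructed small primes (unpadded and far too small for real use), first encrypting a symmetric session key under the recipient's public key, then hashing and signing a message so that verification fails as soon as the data is altered. The primes, exponent, key and message are all constructed for this illustration.

```python
import hashlib

# Constructed toy RSA key pair: two small, well-known primes (the 10,000th and
# 100,000th) and textbook RSA with no padding. It only illustrates the mechanics.
P, Q = 104729, 1299709
N = P * Q                  # public modulus
PHI = (P - 1) * (Q - 1)
E = 65537                  # public exponent
D = pow(E, -1, PHI)        # private exponent: inverse of E modulo PHI (Python 3.8+)

PUBLIC_KEY = (E, N)        # published openly
PRIVATE_KEY = (D, N)       # kept secret by the owner

def encrypt(m: int, pub: tuple) -> int:
    """Encrypt a small integer (e.g. a symmetric session key) under the recipient's public key."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def decrypt(c: int, priv: tuple) -> int:
    """Only the holder of the matching private key recovers the plaintext."""
    d, n = priv
    return pow(c, d, n)

def digest(data: bytes, n: int) -> int:
    """Hash the data and reduce it into the modulus range (real schemes pad instead)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, priv: tuple) -> int:
    """Signature = hash of the data raised to the private exponent, sent along with the data."""
    d, n = priv
    return pow(digest(data, n), d, n)

def verify(data: bytes, sig: int, pub: tuple) -> bool:
    """Receiver recomputes the hash and compares it with the signature under the public key."""
    e, n = pub
    return pow(sig, e, n) == digest(data, n)

if __name__ == "__main__":
    session_key = 0x5EC7E7A9                               # constructed 32-bit symmetric key
    print(decrypt(encrypt(session_key, PUBLIC_KEY), PRIVATE_KEY) == session_key)  # True
    order = b"order=1042;amount=199.00;currency=USD"       # constructed message
    sig = sign(order, PRIVATE_KEY)
    print(verify(order, sig, PUBLIC_KEY))                  # True: untouched data verifies
    print(verify(order.replace(b"199", b"1"), sig, PUBLIC_KEY))  # False: altered data fails
```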

Network Transport Security

Models such as SET, CAF, DigiCash, First Virtual, and Millicent provide a secure payment method. However, the transaction still depends on the privacy and authentication of the data stream. Basic TCP/IP networking protocols do not include encryption and strong authentication. Higher level protocols such as HTTP, FTP, and Telnet do little to provide advanced security measures beyond user id and password authentication. All information sent using these protocols is unencrypted, so the data stream lacks confidentiality.


IPSec (IPv6)

IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF). IPSec provides security for transmission of sensitive information over unprotected networks such as the Internet. IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices ("peers"), such as Cisco routers.

Secure Socket Layer (SSL)

SSL is the Secure Sockets Layer protocol. Version 2.0 was originated by Netscape Development Corporation, and version 3.0 was designed with public review and input from industry. SSL is a communication system that ensures privacy when communicating with other SSL-enabled products. Technically speaking, SSL is a protocol that runs above TCP/IP and below HTTP or other top-level protocols. It is symmetric encryption nested within public-key encryption, authenticated through the use of certificates. An SSL connection can only occur between an SSL-enabled client and an SSL-enabled server. In fact, when a server is running in SSL mode, it can only communicate through SSL.

S-HTTP was designed by E. Rescorla and A. Schiffman of EIT to secure HTTP connections. S-HTTP provides a wide variety of mechanisms to provide for confidentiality, authentication, and integrity. Separation of policy from mechanism was an explicit goal. The system is not tied to any particular cryptographic system, key infrastructure, or cryptographic format. The Internet draft is fairly clear in its presentation of the protocol, although implementation details are sketchy.

S-HTTP is a superset of HTTP, which allows messages to be encapsulated in various ways. Encapsulations can include encryption, signing, or MAC-based authentication. This encapsulation can be recursive, and a message can have several security transformations applied to it. S-HTTP also includes header definitions to provide key transfer, certificate transfer, and similar administrative functions. S-HTTP appears to be extremely flexible in what it will allow the programmer to do. S-HTTP also offers the potential for substantial user involvement in, and oversight of, the authentication and encryption activities.


Figure: How SSL relates to TCP/IP and application protocols.

An SSL connection is initiated by a network browser when it asks a server to send a document through HTTPS, LDAPS, SNEWS, or another secure protocol.

Transport Layer Security (TLS)

TLS, more commonly known as SSL, is a popular mechanism for enhancing TCP communications with privacy and authentication. TLS is in wide use with the HTTP protocol, and is also being used for adding security to many other common protocols that run over TCP.
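The SSL and TLS sections above say the protocol gives both privacy and authentication, with authentication coming from certificates. As an added example (not from the assignment), the Python ssl module is used below to build a client context that keeps that authentication and refuses legacy SSL/TLS versions, next to the kind of context that switches certificate checks off, with a small audit function that reports which property has been lost. The function names and finding texts are this example's own.

```python
import ssl

# Added example: the authentication half of SSL/TLS comes from certificate checking.
# A client context that skips it still encrypts, but no longer knows whom it talks to.

def hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate and hostname and
    refuses SSL 2.0/3.0 and TLS 1.0/1.1."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # stated explicitly rather than relying on defaults
    return ctx

def weak_client_context() -> ssl.SSLContext:
    """The common 'make the certificate error go away' context: privacy without authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return findings for a client context; an empty list means both privacy
    and authentication are provided."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched to the hostname (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy SSL/TLS versions are allowed (minimum_version below TLSv1_2)")
    return findings

if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        print(name, audit_context(ctx) or ["ok"])
```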


Conclusion

In summary, the e-commerce industry faces a challenging future in terms of the security risks it must avert. With increasing technical knowledge, and its widespread availability on the internet, criminals are becoming more and more sophisticated in the deceptions and attacks they can perform. Novel attack strategies and vulnerabilities only really become known once a perpetrator has uncovered and exploited them.

Both privacy and security are still ongoing research problems. Privacy is now understood by many to be a social construction, in which expectations are the largest consideration. Yet privacy is also considered a public issue by regulators, who have nonetheless largely allowed technology to unfold to date. Security is now understood to be largely imperfect, a continual cat-and-mouse game between security expert and hacker.

That said, there are multiple security strategies which any e-commerce provider can institute to reduce the risk of attack and compromise significantly. Awareness of the risks and the implementation of multi-layered security protocols, detailed and open privacy policies, and strong authentication and encryption measures will go a long way to assure the consumer and ensure that the risk of compromise is kept minimal.

