emis 528_assignment(security in e commerce)
7/25/2019 EMIS 528_Assignment(Security in E Commerce)
Submitted By
MD. ABDULLAH AL AHAD | ID: 61323-16-029
MAHMUD PARVEJ | ID: 61325-18-052
SHUVAJYOTI ROY | ID: 61426-19-020
SECURITY IN E-COMMERCE
EMIS-528 (Information Security Management System)
Submitted To
Md. Rakibul Hoque
Assistant Professor
Department of Management Information Systems
University of Dhaka
MBA (Evening) Program, Department of Management Information Systems, University of Dhaka
Executive Summary
Electronic Commerce may include any computer-mediated business process, but a common usage is to describe commerce (the buying and selling of a product or service) taking place using the World Wide Web (WWW) as an enabling transport [1].
Since the invention of WWW in 1989, Internet-based electronic commerce has been
transformed from a mere idea into reality. Consumers browse through catalogues,
searching for best offers, order goods, and pay them electronically. Most financial
institutions have some sort of online presence, allowing their customers to access and
manage their accounts, make financial transactions, trade stocks, and so forth.
Electronic mails are exchanged within and between enterprises, and often already replace fax copies. Soon there will arguably be no enterprise left that has no Internet presence, if only for advertising reasons [2].
Thus, doing some electronic business on the Internet is already an easy task. So are cheating and snooping. Several reasons contribute to this insecurity: the Internet does not offer much security per se; eavesdropping and acting under a false identity are simple; stealing data is undetectable in most cases; and popular PC operating systems offer little or no security against viruses or other malicious software, which means that users cannot even trust the information displayed on their own screens. At the same time, user awareness of security risks is threateningly low. In this paper, the various probable crimes committed through e-commerce, along with their potential causes and plausible security measures, are outlined.
Table of Contents
Introduction ................................................................................................................ 3
Security Issues in E-commerce .................................................................................. 5
Dimensions of E-commerce Security .................................................................................................. 5
The Tension between Security and Other Values ............................................................................... 6
Security Threats in the E-commerce Environment ............................................................................. 6
A Typical e-commerce transaction ................................................................................................. 6
Vulnerable Points ............................................................................................................................ 7
Detailing of Security vulnerabilities in electronic commerce ............................................................. 7
Viable causes behind Security Threats ............................................................................................... 9
Probable Crimes in E-commerce Environment ........................................................ 10
Most Common Security Threats in the E-commerce Environment .................................................. 10
Unwanted Programs ......................................................................................................................... 10
Phishing and Identity Theft ............................................................................................................... 11
Hacking and Cyber vandalism ........................................................................................................... 11
Credit Card Fraud .............................................................................................................................. 11
Spoofing (Pharming) and Spam (Junk) Web Sites ............................................................................. 12
DoS and DDoS Attacks ...................................................................................................................... 12
Denial of Service ............................................................................................................................... 13
SMURF Attack ................................................................................................................................... 13
Other Security Threats ...................................................................................................................... 13
Security Steps to Protect E-Commerce .................................................................... 14
Technology Solutions ........................................................................................................................ 15
Protecting Internet Communications: Encryption ........................................................................ 15
Network Transport Security .......................................................................................................... 17
Conclusion ............................................................................................................... 21
References ............................................................................................................... 22
Introduction
The utilization of the internet is increasing rapidly every year; the availability of low-cost peripheral devices and wider internet accessibility options are key contributing factors [3]. The progression of technology over recent years has enabled the consumer a broader and much more enriched interactive experience [4]. The availability of a wide variety of applications and simple point-and-click interfaces has further contributed to this experience through its ease of use.
A wide variety of commerce is conducted via e-commerce, including electronic funds transfer, supply chain management, Internet marketing, online transaction processing, electronic data interchange (EDI), inventory management systems, and automated data collection systems. US online retail sales reached $175 billion in 2007 and are projected to grow to $335 billion by 2012 [5].
Due to this, IT usage in present times has become a common practice.
Business-to-consumer (B2C) transactions and business-to-business (B2B) transactions are commonly used in the market. The fusion and integration of these two types of transactions has produced e-commerce [6] [7]. Chen and Dhillon have defined e-commerce as the transaction of goods and services over the internet [4]. It is also described as the sharing, transferring and exchanging of information [8]. Over the past few years e-commerce has maintained a rapid yet steady pace. It has been a dynamic force, a catalyst in changing the nature of business transactions and operations all around the world [9]. It should also be noted that, unlike traditional commerce, e-commerce does not allow physical interaction between consumers and retailers or suppliers [4]. This fact raises a number of risks and issues, including technological, security, privacy, trust, legal and other related issues [9]. The following research focuses on two of these issues, security and privacy. The factoring of security and privacy into e-commerce models is of considerable importance to consumers, businesses, and regulators [10]. The majority of customers feel insecure about the existing policies and guidelines with respect to privacy and security online. Such insecurities have a negative impact upon any economic model. That said, online security breaches can be considered a fast-spreading menace in current-day economic settings around the world. E-Commerce
providers must also protect against a number of different external security
threats, most notably Denial of Service (DoS). The financial services sector still bears
the brunt of e-crime, accounting for 72% of all attacks. But the sector that experienced
the greatest increase in the number of attacks was e-Commerce. Attacks in this sector
have risen by 15% from 2006 to 2007 [11].
Security Issues in E-commerce
In e-commerce development, security is a critical factor to consider [12]. It is one of the pivotal success factors of e-commerce. Security is defined as the protection of data against accidental or intentional disclosure to unauthorized persons, or unauthorized modification or destruction [13]. It usually refers to the provision of access control, privacy, confidentiality, integrity, authentication, non-repudiation, availability and effectiveness [9][14][15]. Surveys conducted and compiled recently show increasing concern about security risks, which have become a global issue [6]. When customers lose confidence in a system's ability to protect sensitive and confidential data such as credit card information, its feasibility will be compromised. The system will thus be rendered helpless [16].
Electronic commerce has been weakened by the deterioration of the confidence held towards it by the consumer public. This in turn poses an immense threat to its overall expansion and success [13]. In fact, Hoffman et al. stated that 63% of online end-users intentionally delay when providing personal information due to diminished confidence and trust in sites [4]. If credibility is to be achieved, improved security and privacy protocols should be incorporated. At present security is pivotal, and concerns surrounding its efficiency are perhaps the key cause for web users not making online purchases [13]. The US-based Better Business Bureau confirmed that online security was a great concern in 2001 [4]. Types of security threats include identity theft, i.e. the illegal use of personal information, which is in fact the USA's leading occurrence of fraud [17]. Other threats include gaining physical access to premises, accessing wiretaps, unauthorized acquiring of information, viruses, lack of integrity, financial fraud, vandalism, etc. [16][9].
Dimensions of E-commerce Security
Integrity: ability to ensure that information being displayed on a Web site or transmitted/received over the Internet has not been altered in any way by an unauthorized party
Nonrepudiation: ability to ensure that e-commerce participants do not deny (repudiate) online actions
Authenticity: ability to identify the identity of a person or entity with whom you are dealing on the Internet
Confidentiality: ability to ensure that messages and data are available only to those authorized to view them
Privacy: ability to control use of information a customer provides about himself or herself to a merchant
Availability: ability to ensure that an e-commerce site continues to function as intended
The Tension between Security and Other Values
Security vs. ease of use: the more security measures added, the more
difficult a site is to use, and the slower it becomes
Too much security can harm profitability, while not enough security can put
you out of business
Tension between the desire of individuals to act anonymously (to hide their identity) and the need to maintain public safety, which can be threatened by criminals or terrorists.
The Internet is both anonymous and pervasive, an ideal communication tool
for criminal and terrorist groups (Coll and Glasser 2005)
Security Threats in the E-commerce Environment
Three key points of vulnerability:
Client
Server
Communications channel
A Typical e-commerce transaction
Vulnerable Points
Detailing of Security vulnerabilities in electronic commerce
There are many points of failure, or vulnerabilities, in an e-commerce environment.
Even in a simplified e-commerce scenario (a single user contacts a single web site, and then gives his credit card and address information for shipping a purchase), many potential security vulnerabilities exist. Indeed, even in this simple scenario, there are a number of systems and networks involved. Each has security issues:
A user must use a web site and at some point identify, or authenticate, himself to the site. Typically, authentication begins on the user's home computer and its browser. Unfortunately, security problems in home computers offer hackers other ways to steal e-commerce data and identification data from users. Some current examples include a popular home-banking system that stores a user's account number in a Web cookie which hostile web sites can crack [18]; ineffective encryption or lack of encryption for home wireless networks [19]; and mail-borne viruses that can steal the user's financial data from the local disk [20] or even from the user's keystrokes [21]. While these specific security problems will be fixed by some software developers and web-site administrators, similar problems will continue to occur. Alternatives to the home computer include Point-of-Sale (POS) terminals in brick-and-mortar stores, as well as a variety of mobile and handheld devices.
The user's web browser connects to the merchant front-end. When a
consumer makes an online purchase, the merchant's web-server usually
caches the order's personal information in an archive of recent orders. This
archive contains everything necessary for credit-card fraud. Further, such
archives often hold 90 days' worth of customers' orders. Naturally, hackers
break into insecure web servers to harvest these archives of credit card
numbers. Several recent thefts netted 100,000, 300,000, and 3.7 million credit-
card data, respectively. Accordingly, an e-commerce merchant's first security
priority should be to keep the web servers' archives of recent orders behind the
firewall, not on the front-end web servers [22]. Furthermore, sensitive servers
should be kept highly specialized, by turning off and removing all inessential
services and applications (e.g., ftp, email). Other practical suggestions to
secure web servers can be found in [23] and [24], among many others.
The merchant back-end and database. A site's servers can weaken the company's internal network. This is not easily remedied, because the web servers need administrative connections to the internal network, but web server software tends to have buggy security. Here, the cost of failure is very high, with potential theft of customers' identities or corporate data. Additionally, the
back-end may connect with third party fulfillment centers and other processing
agents. Arguably, the risk of stolen product is the merchant's least-important
security concern, because most merchants' traditional operations already have
careful controls to track payments and deliveries. However, these third parties
can release valuable data through their own vulnerabilities.
This is a simplified model of an e-commerce architecture; yet even in its simplicity,
there are a number of security problems. Note that encrypted e-commerce
connections do little to help solve any but network security problems. While other
problems might be ameliorated by encryption, there are still vulnerabilities in the
software clients and servers that must use the data. We will discuss the implications of these vulnerabilities below: users who may themselves release data or act in ways that place sites in jeopardy, the constant pressure of new technologies and the resulting constant threat of new vulnerabilities, as well as the requirements for critical organizational processes. However, before discussing potential requirements for e-commerce sites and their consumers, it is important to survey potential security technologies.
Viable causes behind Security Threats
Reasons for high security risks include the imperfection of e-commerce laws, regulations, systems, technology and the internet. Security is a key integral issue for users, regardless of what the application may be, ranging from locking a computer to conducting business via the internet [17]. The rapid development of e-business and e-commerce applications has resulted in an increased amount of illegal infiltration into information systems which were initially deemed safe [6].
Since e-commerce is completely reliant on IT, it could be stated that future developments in e-commerce will depend solely on IT security and risk management. Garg et al. state that "a percentage between 36 and 90 percent of organizations confirmed security breaches in the past year alone" [6]. These statistics help increase or maintain customers' negative perception of the e-market and explain why a lot of people are fearful or insecure about buying or performing sensitive transactions online. It seems as if the only solution to eliminate the problem and increase e-sales is to provide fully secured networks that guarantee confidentiality and safety. It is, however, not that simple. Technologies that provide flawless security measures and guarantees are very expensive and in most cases not easily acquired. Web-based e-commerce is comprised of hyperlinked web pages alongside applications and incompatible technologies to bring about business transactions amongst different companies spanning the globe [7]. Therefore, even if a business tries to deploy error-free security software, success is not guaranteed, as there are many factors influencing the flow and security of information in cyberspace. Moreover, in order for e-commerce to develop customer trust, the change has to be made in a collective manner, not just by a few companies. In the case of small to medium businesses it is difficult and costly to incorporate complete IT security [6]. Leaving aside the multifaceted technologies required, e-commerce systems are founded and based on the World Wide Web, which coincidentally has a history of exposure to a variety of security threats [7].
Probable Crimes in E-commerce Environment
Most Common Security Threats in the E-commerce Environment
Malicious code (viruses, worms, Trojans)
Unwanted programs (spyware, browser parasites)
Phishing/identity theft
Hacking and cyber vandalism
Credit card fraud/theft
Spoofing (pharming)/spam (junk) Web sites
DoS and DDoS attacks
Sniffing
Insider attacks
Poorly designed server and client software
Malicious code (viruses, worms, Trojans) tries to impair computers and steal email addresses, logon credentials, personal data, and financial info.
Viruses: computer programs that have the ability to replicate and spread to other files; most also deliver a payload of some sort (destructive or benign); include macro viruses, file-infecting viruses, and script viruses
Worms: designed to spread from computer to computer; can replicate without being executed by a user or program, unlike a virus
Trojan horse: appears to be benign, but then does something other than expected
Bots: can be covertly installed on a computer; respond to external commands sent by the attacker to create a network of compromised computers for sending spam, generating a DDoS attack, and stealing info from computers
Unwanted Programs
Installed without the user's informed consent
Browser parasites: can monitor and change the settings of a user's browser
Adware: Calls for unwanted pop-up ads
Spyware: can be used to obtain information, such as a user's keystrokes, e-mail, IMs, etc.
Phishing and Identity Theft
Any deceptive online attempt by a third party to obtain confidential information for financial gain
Most popular type: e-mail scam letter, e.g., Nigeria's rich former oil minister seeking a bank account to deposit millions of dollars, or fake account-verification emails from eBay or CitiBank asking the recipient to give up personal account info, bank account no., and credit card no.
One of the fastest growing forms of e-commerce crime
197,000 unique new phishing emails were sent within the first 6 months of 2007, an 18% increase
Hacking and Cyber vandalism
Hacker: individual who intends to gain unauthorized access to computer systems
Cracker: hacker with criminal intent (the two terms are often used interchangeably)
Cyber vandalism: intentionally disrupting, defacing or destroying a Web site
Types of hackers include:
White hats: hired by corporations to find weaknesses in the firm's computer system
Black hats: hackers with the intention of causing harm
Grey hats: hackers breaking in and revealing system flaws without disrupting the site or attempting to profit from their finds
Credit Card Fraud
Fear that credit card information will be stolen deters online purchases
Overall rate of credit card fraud is lower than users think, 1.6-1.8% of all
online card transactions.
US federal law limits the liability of individuals to $50 for a stolen credit card.
Hackers target credit card files and other customer information files on merchant servers; they use stolen data to establish credit under a false identity
One solution: New identity verification Mechanisms
Spoofing (Pharming) and Spam (Junk) Web Sites
Spoofing (Pharming)
Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
Threatens integrity of site; authenticity
Spoofing a Web site is called pharming, which involves redirecting a Web link to an IP address different from the real one
Pharming is carried out by hacking local DNS servers.
Threatens integrity of the site by stealing business from the true site, or altering orders and sending them to the true site for processing and delivery.
Threatens authenticity by making it hard to discern the true sender of a message.
Spam (Junk) Web sites
Use domain names similar to legitimate ones, redirect traffic to spammer-redirection domains
DoS and DDoS Attacks
Denial of service (DoS) attack
Hackers flood Web site with useless traffic to inundate and overwhelm
network
Use of bot networks built from hundreds of compromised workstations.
No. of DoS attacks per day grew from 119 during last 6 months of 2004 to
927 during first 6 months of 2005, a 679% increase [11].
Distributed denial of service (DDoS) attack
Hackers use numerous computers to attack the target network from numerous launch points
Microsoft and Yahoo have experienced such attacks
Denial of Service
Ping Flooding
Attacker sends a flood of pings to the intended victim
The ping packets will saturate the victim's bandwidth
SMURF Attack
Uses a ping packet with two extra twists
Attacker chooses an unwitting victim
Spoofs the source address
Sends request to network in broadcast mode
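As an added example written for this section (not code from the original assignment), the following Go program applies the two signatures above to a constructed ICMP capture summary from the defender's side: a per-destination rate check for ping floods and a directed-broadcast check for the Smurf amplification pattern. The 192.0.2.0/24 local network, the threshold and the capture lines are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// Finding is one detected condition on a target address.
type Finding struct {
	Kind   string // "ping-flood" or "smurf-broadcast"
	Target string
	Count  int
}

// SampleCapture is constructed sample data (not a real trace), one record per
// line: "<second> <src> <dst> <icmp-type>", ICMP type 8 being an echo request.
// Four requests hit 192.0.2.10 in one second; a normal ping/reply pair follows;
// the last two carry the victim's address as a spoofed source and target the
// network broadcast address, which is the Smurf amplification pattern.
var SampleCapture = []string{
	"100 198.51.100.7 192.0.2.10 8",
	"100 198.51.100.8 192.0.2.10 8",
	"100 198.51.100.9 192.0.2.10 8",
	"100 198.51.100.7 192.0.2.10 8",
	"100 203.0.113.5 192.0.2.20 8",
	"100 192.0.2.20 203.0.113.5 0",
	"101 192.0.2.10 192.0.2.255 8",
	"101 192.0.2.10 192.0.2.255 8",
}

// LocalNet is the assumed local network (documentation range) whose
// directed-broadcast address every host would answer to.
var LocalNet = func() *net.IPNet {
	_, n, err := net.ParseCIDR("192.0.2.0/24")
	if err != nil {
		panic(err)
	}
	return n
}()

// IsDirectedBroadcast reports whether dst lies inside network with all host
// bits set, e.g. 192.0.2.255 for 192.0.2.0/24.
func IsDirectedBroadcast(dst string, network *net.IPNet) bool {
	ip := net.ParseIP(dst).To4()
	if ip == nil || !network.Contains(ip) {
		return false
	}
	for i := range ip {
		if ip[i]|network.Mask[i] != 0xff {
			return false
		}
	}
	return true
}

// Analyze flags destinations that receive more than threshold echo requests in
// any single second (ping flood) and echo requests aimed at the local
// directed-broadcast address (Smurf amplification; edge routers should drop these).
func Analyze(lines []string, network *net.IPNet, threshold int) ([]Finding, error) {
	perSecond := map[string]int{} // "second|dst" -> echo requests seen
	peak := map[string]int{}      // dst -> highest one-second count
	broadcast := map[string]int{} // broadcast dst -> echo requests seen
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("bad record: %q", line)
		}
		if f[3] != "8" { // only echo requests matter for these two checks
			continue
		}
		sec, dst := f[0], f[2]
		if IsDirectedBroadcast(dst, network) {
			broadcast[dst]++
			continue
		}
		key := sec + "|" + dst
		perSecond[key]++
		if perSecond[key] > peak[dst] {
			peak[dst] = perSecond[key]
		}
	}
	var out []Finding
	for dst, n := range peak {
		if n > threshold {
			out = append(out, Finding{"ping-flood", dst, n})
		}
	}
	for dst, n := range broadcast {
		out = append(out, Finding{"smurf-broadcast", dst, n})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Kind < out[j].Kind })
	return out, nil
}

func main() {
	findings, err := Analyze(SampleCapture, LocalNet, 3)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-16s %-12s %d echo requests\n", f.Kind, f.Target, f.Count)
	}
}
```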
Other Security Threats
Sniffing: Type of eavesdropping program that monitors information traveling
over a network; enables hackers to steal proprietary information from
anywhere on a network
Insider jobs: Single largest financial threat
64% of business firms experienced an inside security breach in their systems in 2006.
Poorly designed server and client software: the increase in complexity of software programs (e.g., MS's Win32 API) has contributed to an increase in vulnerabilities that hackers can exploit
Security Steps to Protect E-Commerce
There are many relevant technologies, including cryptographic technologies, that can mitigate the previously mentioned vulnerabilities. However, none is comprehensive or airtight by itself. Accordingly, we next present a brief overview of the major technologies, also considering the advantages and disadvantages of each.
There are four components involved in E-Commerce Security: client software, server
software, the server operating system, and the network transport. Each component
has its own set of issues and challenges associated with securing them:
Client software is becoming increasingly more security-focused, however
single-user desktop operating systems historically have had no security
features implemented. E-Commerce software that relies on the security of the
desktop operating system is easily compromised without the enforcement of
strict physical controls.
Server software is constantly under test and attack by the user community. Although there have been cases of insecurities, a system administrator keeping up with the latest patches and vendor information can provide a high degree of confidence in the security of the server itself.
Operating systems used for hosting E-Commerce servers are securable, but rarely shipped from the vendor in a default configuration that is secure. E-Commerce servers must protect the database of customer information accumulating on the server as well as provide security while the server is handling a transaction. If it is easier for a thief to compromise the server to obtain credit card numbers, why bother sniffing the network for individual credit card numbers?
Session transport between the client and server uses network protocols that may have little or no built-in security. In addition, networking protocols such as TCP/IP were not designed to have confidentiality or authentication capabilities.
Technology Solutions
Protecting Internet communications (encryption)
Securing channels of communication (SSL, S-HTTP, VPNs)
Protecting networks (firewalls)
Protecting servers and clients
Protecting Internet Communications: Encryption
In the mass media, the most visible security technologies are the encryption
algorithms. For a general introduction to these technologies see [25]; a popularization
can be found in [26]. Two classic textbooks are [27] and [28], and encyclopedic
compendia include [29] and [30].
Encryption: Process of transforming plain text or data into cipher text that cannot be
read by anyone other than the sender and receiver
Purpose: Secure stored information and information transmission
Provides:
Message integrity
Nonrepudiation
Authentication
Confidentiality
Symmetric Key Encryption:
Symmetric key encryption is also known as secret key encryption. Secret-key cryptography is the more traditional form, and has been used for all kinds of
communications throughout the ages. In this method, one "key" is used to both
encrypt and decrypt the data. A key can be anything from a secret-decoder ring
found in a cereal box to a highly complex mathematical algorithm; keys really
only differ in the ease with which they can be broken by third parties. In secret-
key cryptography, the sender and receiver must have the same key in order for
the transmission to work correctly.
Both the sender and receiver use the same digital key to encrypt and decrypt
message
Requires a different set of keys for each transaction
Advanced Encryption Standard (AES): most widely used symmetric key encryption today; offers 128-, 192-, and 256-bit encryption keys; other standards use keys with up to 2,048 bits
Public Key Encryption:
The key management problem inherent to secret-key cryptography needed to be
addressed in order for large-scale, secure use of data encryption techniques. In 1976, Whitfield Diffie, a cryptographer and privacy advocate, and Martin Hellman, an
electrical engineer, working together discovered the concept of public-key encryption.
Instead of having one key shared among both users of an encrypted transmission,
each user has his or her own public/private key pair. A user makes the public key open
and available to anyone (by publishing it on-line or registering it with a public key
server), and keeps the private key hidden away where (hopefully) no one can get at it.
The private key is mathematically derived from the public key, and thus the two are linked together. In order to send someone a message, the sender encrypts the
transmission with the receiver's public key. This can then only be decrypted by the
receiver's private key. Thus, anyone can encrypt a message with someone else's
public key, but only that person would ever be able to read it.
Solves symmetric key encryption problem of having to exchange secret key
Uses two mathematically related digital keys: a public key (widely disseminated) and a private key (kept secret by owner)
Both keys used to encrypt and decrypt message
Once key used to encrypt message, same key cannot be used to decrypt
message
For example, sender uses recipient's public key to encrypt message; recipient
uses his/her private key to decrypt it
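As an added illustration (not part of the original assignment), the following Go program shows secret-key and public-key encryption working together in the way the two sections above describe, and in the nested form SSL uses: a random AES-256 session key encrypts the order, and only that key is encrypted with the recipient's RSA public key, so only the holder of the matching private key can read the message. The merchant and intruder key pairs and the order text are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels over the network: the AES session key wrapped
// with the recipient's RSA public key, the GCM nonce, and the ciphertext.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Seal encrypts plaintext for the owner of recipientPub. A fresh random
// AES-256 key handles the bulk data (secret-key cryptography, fast), and only
// that key is encrypted with RSA-OAEP (public-key cryptography), which removes
// the need to agree on a secret key beforehand.
func Seal(recipientPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// GCM appends an authentication tag, so any later tampering is detected on Open.
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open recovers the plaintext. Only the private key matching the public key
// used in Seal can unwrap the session key; anyone else gets an error.
func Open(recipientPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: wrong private key")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed keys and order text for the demonstration.
	merchant, _ := rsa.GenerateKey(rand.Reader, 2048)
	intruder, _ := rsa.GenerateKey(rand.Reader, 2048)
	order := []byte("order 1042: card ending 4242, ship to 12 Example St")

	env, err := Seal(&merchant.PublicKey, order)
	if err != nil {
		panic(err)
	}
	if got, err := Open(merchant, env); err == nil {
		fmt.Printf("merchant reads: %s\n", got)
	}
	if _, err := Open(intruder, env); err != nil {
		fmt.Println("intruder with another private key:", err)
	}
}
```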
Digital signatures
Public-key also provides a mechanism for authenticating messages that secret-key
techniques do not: digital signatures. The sender of a message completes a calculation (performed by a hash function) involving the actual file structure to be
transmitted, and his or her private key, and the result of this (the digital signature itself)
is appended to the end of the transmission. The receiver can then perform a
calculation involving the received message and the sender's public key, and if
everything is valid, the sender's identity will have been verified. A benefit of this
signature method is that it not only verifies the sender's identity; it also verifies that the
original contents of the transmission have not been altered in anyway. Because the
signature is derived from both the key and the data itself, changing the data later on
will cause the receiver's verification to fail. This provides authentication that is even
better than a signature on a paper document: a signature can be forged, or the
contents of the document could somehow be secretly altered, but with public-key
authentication, this cannot be done.
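An added Go example (not from the original assignment) of the digital-signature procedure just described: the sender hashes the document with SHA-256 and signs the digest with the private key (RSA-PSS), and the receiver recomputes the digest over what arrived and checks it with the sender's public key, so either an altered document or a different signer makes verification fail. The key pairs and the invoice text are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign performs the sender's calculation: hash the document with SHA-256,
// then sign the digest with the sender's private key (RSA-PSS). The returned
// signature is what gets appended to the transmission.
func Sign(senderPriv *rsa.PrivateKey, document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
}

// Verify performs the receiver's calculation: recompute the digest over what
// was actually received and check it against the signature with the sender's
// public key. It reports true only if the signer holds the matching private
// key AND the document is byte-for-byte what was signed.
func Verify(senderPub *rsa.PublicKey, document, signature []byte) bool {
	digest := sha256.Sum256(document)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], signature, nil) == nil
}

func main() {
	// Constructed keys and document for the demonstration.
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)
	impostor, _ := rsa.GenerateKey(rand.Reader, 2048)
	invoice := []byte("invoice 77: total 120.00")

	sig, err := Sign(sender, invoice)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine document, genuine signer:", Verify(&sender.PublicKey, invoice, sig))
	fmt.Println("document altered in transit:     ", Verify(&sender.PublicKey, []byte("invoice 77: total 1200.00"), sig))
	fmt.Println("signature claimed by impostor:   ", Verify(&impostor.PublicKey, invoice, sig))
}
```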
Network Transport Security
Models such as SET, CAF, DigiCash, First Virtual, and Millicent provide a secure
payment method. However, the transaction still depends on the privacy and
authentication of the data stream. Basic TCP/IP networking protocols do not include
encryption and strong authentication. Higher level protocols such as HTTP, FTP, and
Telnet do little to provide advanced security measures beyond user id and password
authentication. All information sent using these protocols is unencrypted, so the data stream lacks confidentiality.
IPSec (IPv6)
IPSec is a framework of open standards developed by the Internet Engineering Task
Force (IETF). IPSec provides security for transmission of sensitive information over
unprotected networks such as the Internet. IPSec acts at the network layer, protecting
and authenticating IP packets between participating IPSec devices ("peers"), such as
Cisco routers.
Secure Socket Layer (SSL)
SSL is the Secure Sockets Layer protocol. Version 2.0 was originated by Netscape Development Corporation, and version 3.0 was designed with public review and input from industry. SSL (Secure Sockets Layer) is a communication system that ensures
privacy when communicating with other SSL-enabled products. Technically speaking,
SSL is a protocol that runs above TCP/IP and below HTTP or other top-level protocols.
It is symmetric encryption nested within public-key encryption, authenticated through
the use of certificates. An SSL connection can only occur between an SSL-enabled
client and an SSL-enabled server. In fact, when a server is running in SSL mode, it
can only communicate through SSL.S-HTTP was designed by E. Rescorla and A. Schiffman of EIT to secure HTTP
connections. S-HTTP provides a wide variety of mechanisms to provide for
confidentiality, authentication, and integrity. Separation of policy from mechanism was
an explicit goal. The system is not tied to any particular cryptographic system, key
infrastructure, or cryptographic format. The Internet draft is fairly clear in its
presentation of the protocol, although implementation details are sketchy.
S-HTTP is a superset of HTTP, which allows messages to be encapsulated in various
ways. Encapsulations can include encryption, signing, or MAC based authentication.
This encapsulation can be recursive, and a message can have several security
transformations applied to it. S-HTTP also includes header definitions to provide key
transfer, certificate transfer, and similar administrative functions. S-HTTP appears to
be extremely flexible in what it will allow the programmer to do. S-HTTP also offers the
potential for substantial user involvement in, and oversight of, the authentication &
encryption activities.
How SSL relates to TCP/IP and application protocols.
An SSL connection is initiated by a network browser when it asks a server to send a
document through HTTPS, LDAPS, SNEWS, or other secure protocol.
Transport Layer Security (TLS)
TLS, more commonly known as SSL, is a popular mechanism for enhancing TCP
communications with privacy and authentication. TLS is in wide use with the HTTP
protocol, and is also being used for adding security to many other common protocols
that run over TCP.
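An added example (not from the original assignment) showing, with Python's standard ssl module, the client-side settings that deliver the certificate-based authentication the text attributes to SSL/TLS, next to a deliberately weakened context and a small audit that flags it. The function names and the finding strings are my own.

```python
import socket
import ssl


def make_client_context(cafile=None):
    """Client context enforcing what the text attributes to SSL/TLS: the server
    must present a certificate chaining to a trusted CA, the certificate must
    match the host name, and only TLS 1.2 or newer is negotiated."""
    ctx = ssl.create_default_context(cafile=cafile)  # system CA store if cafile is None
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_context():
    """What 'make the certificate error go away' code typically produces: no
    certificate check and no version floor, so any peer can pose as the server
    and a downgraded handshake is accepted. Constructed here for contrast only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx):
    """Return the baseline violations of a context; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    if not ctx.check_hostname:
        findings.append("host name not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 accepted")
    return findings


def tls_peer_summary(host, port=443, ctx=None):
    """Open a verified connection (the browser-initiated HTTPS case in the text)
    and report the negotiated protocol version and cipher. Needs network access."""
    ctx = ctx or make_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        # server_hostname drives both SNI and the host-name check
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]
```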
Conclusion
In summary, the e-commerce industry faces a challenging future in terms of the
security risks it must avert. With increasing technical knowledge, and its widespread availability on the internet, criminals are becoming more and more sophisticated
in the deceptions and attacks they can perform. Novel attack strategies and
vulnerabilities only really become known once a perpetrator has uncovered and
exploited them.
Both privacy and security are still ongoing research problems. Privacy is now
understood, by many, to be a social construction with expectations the largest
consideration. Yet, privacy is also considered a public issue by regulators, who have nonetheless largely allowed technology to unfold to date. Security is now understood
to be largely imperfect, the continual cat-and-mouse game of security expert and
hacker.
In saying this, there are multiple security strategies which any e-commerce provider
can put in place to significantly reduce the risk of attack and compromise. Awareness of
the risks and the implementation of multi-layered security protocols, detailed and
open privacy policies, and strong authentication and encryption measures will go
a long way to reassure the consumer and ensure the risk of compromise is kept minimal.