Security and Trust in E-Commerce


Upload: gordon-mitchell

Post on 16-Dec-2015


TRANSCRIPT

Page 1: Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses

Security and Trust in E-Commerce

Page 2: The E-commerce Security Environment: The Scope of the Problem

Overall size of cybercrime unclear; amount of losses significant but stable; individuals face new risks of fraud that may involve substantial uninsured losses
– Symantec: Cybercrime on the rise from 2006
– 2007 CSI survey: 46% detected security breach; 91% suffered financial loss as a result
– Underground economy marketplace that offers sales of stolen information growing

Page 3: The Tension Between Security and Other Values

Security vs. ease of use: the more security measures added, the more difficult a site is to use, and the slower it becomes

Security vs. desire of individuals to act anonymously

Page 4: Security Threats in the E-commerce Environment

Three key points of vulnerability:
– Client
– Server
– Communications channel

Page 5: A Typical E-commerce Transaction

SOURCE: Boncella, 2000.

Page 6: Vulnerable Points in an E-commerce Environment

SOURCE: Boncella, 2000.

Page 7: Most Common Security Threats in the E-commerce Environment

Malicious code (viruses, Trojans)
Unwanted programs (spyware, browser parasites)
Phishing/identity theft
Credit card fraud/theft
DoS attacks
Phishing and Identity Theft
Insider attacks

Page 8: Malicious Code

Viruses: Have ability to replicate and spread to other files; most also deliver a “payload” of some sort (destructive or benign); include macro viruses, file-infecting viruses, and script viruses

Worms: Designed to spread from computer to computer

Trojan horse: Appears to be benign, but then does something other than expected

Bots: Can be covertly installed on computer; responds to external commands sent by the attacker

Page 9: Unwanted Programs

Installed without the user’s informed consent
– Browser parasites: Can monitor and change settings of a user’s browser
– Adware: Calls for unwanted pop-up ads
– Spyware: Can be used to obtain information, such as a user’s keystrokes, e-mail, IMs, etc.

Page 10: Phishing and Identity Theft

Any deceptive, online attempt by a third party to obtain confidential information for financial gain
– Most popular type: e-mail scam letter
– One of fastest growing forms of e-commerce crime

Page 11: Hacking and Cybervandalism

Hacker: Individual who intends to gain unauthorized access to computer systems

Cracker: Hacker with criminal intent (two terms often used interchangeably)

Cybervandalism: Intentionally disrupting, defacing or destroying a Web site

Page 12: Credit Card Fraud

Fear that credit card information will be stolen deters online purchases

Hackers target credit card files and other customer information files on merchant servers; use stolen data to establish credit under false identity

One solution: New identity verification mechanisms

Page 13: Spoofing (Pharming) and Spam (Junk) Web Sites

Spoofing (Pharming)
– Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
– Threatens integrity of site; authenticity

Spam (Junk) Web sites
– Use domain names similar to legitimate one, redirect traffic to spammer-redirection domains
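The "domain names similar to legitimate one" point above can be turned into a defensive check: compare an observed hostname against an allowlist of the merchant's real domains and flag near-misses or brand-embedding names. This is an added example, not code from the slides; the allowlist and sample hostnames are constructed, and it assumes a single-label top-level domain when picking the brand label.

```python
# Lookalike-domain detector (added example; LEGIT_DOMAINS and inputs are constructed).
import unicodedata
from urllib.parse import urlsplit

LEGIT_DOMAINS = ["examplebank.com", "example-shop.com"]  # constructed allowlist


def normalize(host: str) -> str:
    """Lowercase, NFKC-fold (collapses some homoglyphs), drop scheme/path and 'www.'."""
    if "://" in host:
        host = urlsplit(host).hostname or ""
    host = unicodedata.normalize("NFKC", host).lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def second_level(host: str) -> str:
    """Return the brand label, e.g. 'examplebank' from 'examplebank.com'.
    Assumption: single-label TLD (no '.co.uk'-style public suffixes)."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small distances mean a likely typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str, max_distance: int = 2):
    """Return (verdict, matched_legit_domain). Verdicts:
    'legit' exact allowlisted host; 'embeds-brand' brand label inside a longer
    label or under another TLD; 'near-miss' within edit distance; else 'unknown'."""
    norm = normalize(host)
    label = second_level(norm)
    for legit in LEGIT_DOMAINS:
        ref_host = normalize(legit)
        ref = second_level(ref_host)
        if norm == ref_host:
            return ("legit", legit)
        if ref in label:  # e.g. examplebank-login.com or examplebank.net
            return ("embeds-brand", legit)
        if levenshtein(label, ref) <= max_distance:  # e.g. exampelbank.com
            return ("near-miss", legit)
    return ("unknown", None)
```

A real deployment would replace the substring and edit-distance rules with a public-suffix-aware parser and run the check over proxy or DNS logs rather than single hostnames.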

Page 14: DoS and DDoS Attacks

Denial of service (DoS) attack
– Hackers flood Web site with useless traffic to inundate and overwhelm network

Distributed denial of service (DDoS) attack
– Hackers use numerous computers to attack target network from numerous launch points

Page 15: Other Security Threats

Sniffing: Type of eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information from anywhere on a network

Insider jobs: Single largest financial threat

Poorly designed server and client software: Increase in complexity of software programs has contributed to increase in vulnerabilities that hackers can exploit

Page 16: Technology Solutions

Protecting Internet communications (encryption)

Protecting networks (firewalls)

Protecting servers and clients