8/2/2019 Short Para Ecom

1/2

1.IntroductionE-commerceisdefinedasthebuyingandsellingofproductsorservicesoverelectronicsystemssuchastheInternetandtoalesserextent,othercomputernetworks.AwidevarietyofcommerceisconductedviaeCommerce,includingelectronicfundstransfer,supplychainmanagement,Internetmarketing,onlinetransactionprocessing,electronicdatainterchange(EDI),inventorymanagementsystems,andautomateddatacollectionsystems.USonlineretailsalesreached$175billionin2007andareprojectedtogrowto$335billionby2012(Mulpuru,2008).ThismassiveincreaseintheuptakeofeCommercehasledtoanewgenerationofassociatedsecuritythreats,butanyeCommercesystemmustmeetfourintegralrequirements:a)privacyinformationexchangedmustbekeptfromunauthorizedpartiesb)integritytheexchangedinformationmustnotbealteredortamperedwithc)authenticationbothsenderandrecipientmustprovetheiridentitiestoeachotherandd)non-repudiationproofisrequiredthattheexchangedinformationwasindeedreceived(Holcombe,2007).ThesebasicmaximsofeCommercearefundamentaltotheconductofsecurebusinessonline.Attacksinthissectorhaverisenby15%from2006to2007(Symantec,2007).2.PrivacyPrivacyhasbecomeamajorconcernforconsumerswiththeriseofidentitytheftandimpersonation,andanyconcernforconsumersmustbetreatedasamajorconcernforeCommerceproviders.AccordingtoConsumerReportsMoneyAdviser(Perro

tta,2008),theUSAttorneyGeneralhasannouncedmultipleindictmentsrelatingtoamassiveinternationalsecuritybreachinvolvingninemajorretailersandmorethan40millioncredit-anddebit-cardnumbers.USattorneysthinkthatthismaybethelargesthackingandidentity-theftcaseeverprosecutedbythejusticedepartment.BothEUandUSlegislationatboththefederalandstatelevelsmandatescertainorganizationstoinformcustomersaboutinformationusesanddisclosures.Suchdisclosuresaretypicallyaccomplishedthroughprivacypolicies,bothonlineandoffline(Vailetal.,2008).Privacynowformsanintegralpartofanye-commercestrategyandinvestmentinprivacyprotectionhasbeenshowntoincreaseconsumersspend,trustworthinessandloyalty.3.Integrity,Authentication&Non-RepudiationInanye-commencesystemthefactorsofdataintegrity,customer&clientauthen

ticationandnon-repudiationarecriticaltothesuccessofanyonlinebusiness.Dataintegrityistheassurancethatdatatransmittedisconsistentandcorrect,thatis,ithasnotbeentamperedoralteredinanywayduringtransmission.Authenticationisameansbywhichbothpartiesinanonlinetransactioncanbeconfidentthattheyarewhotheysaytheyareandnon-repudiationistheideathatnopartycandisputethatanactualeventonlinetookplace.Proofofdataintegrityistypicallytheeasiestofthesefactorstosuccessfullyaccomplish.Adatahashorchecksum,suchasMD5orCRC,isusuallysufficienttoestablishthatthelikelihoodofdatabeingundetectablychangedisextremelylow.Notwithstandingthesesecuritymeasures,itisstillpossibletocompromisedataintransitthroughtechniquessuchasphishingorman-in-the-middleattacks(Desmedt,2005)Oneofthekeydevelopmentsine-commercesecurityandonewhichhasledtothe

widespreadgrowthofe-commerceistheintroductionofdigitalsignaturesasameansofverificationofdataintegrityandauthentication.Anelectronicsignaturemaybedefinedasanyletters,characters,orsymbolsmanifestedbyelectronicorsimilarmeansandexecutedoradoptedbyapartywiththeintenttoauthenticateawriting(Blythe,2006).Inorderforadigitalsignaturetoattainthesamelegalstatusasanink-on-papersignature,asymmetrickeycryptologymusthavebeenemployedinitsproduction(Blythe,2006).DigitalSignaturesusingpublic-keycryptographyandhashfunctionsarethegenerallyacceptedmeansofprovidingnon-repudiationofcommunications4.TechnicalAttacks

8/2/2019 Short Para Ecom

2/2

Technicalattacksareoneofthemostchallengingtypesofsecuritycompromiseane-commerceprovidermustface.Perpetratorsoftechnicalattacks,andinparticularDenial-of-Serviceattacks,typicallytargetsitesorserviceshostedonhigh-profilewebserverssuchasbanks,creditcardpaymentgateways,largeonlineretailersandpopularsocialnetworkingsites.DenialofServiceAttacksDenialofService(DoS)attacksconsistofoverwhelmingaserver,anetworkorawebsiteinordertoparalyzeitsnormalactivity(Lejeune,2002).TheUnitedStatesComputerEmergencyReadinessTeamdefinessymptomsofdenial-of-serviceattackstoinclude(McDowell,2007):UnusuallyslownetworkperformanceUnavailabilityofaparticularwebsiteInabilitytoaccessanywebsiteDramaticincreaseinthenumberofspamemailsreceivedDoSattackscanbeexecutedinanumberofdifferentways:ICMPFlood(SmurfAttack)TeardropAttackPhlashingDistributedDenial-of-ServiceAttacksDistributedDenialofService(DDoS)attacksareoneofthegreatestsecurityfearforITmanagers.Inamatterofminutes,thousandsofvulnerablecomputerscanfloodthevictimwebsitebychokinglegitimatetraffic(Tariqetal.,2006).ThemostfamousDDoSattacksoccurredinFebruary2000wherewebsitesincludingYahoo,Buy.com,eBay,Amazon

BruteForceAttacksAbruteforceattackisamethodofdefeatingacryptographicschemebytryingalargenumberofpossibilities;forexample,alargenumberofthepossiblekeysinakeyspaceinordertodecryptamessage.5.Non-TechnicalAttacksPhishingAttacksPhishingisthecriminallyfraudulentprocessofattemptingtoacquiresensitiveinformationsuchasusernames,passwordsandcreditcarddetails,bymasqueradingasatrustworthyentityinanelectroniccommunication.Phishingscamsgenerallyarecarriedoutbyemailingthevictimwithafraudulentemailfromwhatpurportstobealegitimateorganizationrequestingsensitiveinformation.Whenthevictimfollowsthelinkembeddedwithintheemailtheyarebroughttoanelaborateandsophisticatedduplicateofthelegitimateorganizationswebsite.SocialEngineering

Socialengineeringistheartofmanipulatingpeopleintoperformingactionsordivulgingconfidentialinformation.Socialengineeringtechniquesincludepretexting(wherethefraudstercreatesaninventedscenariotogetthevictimtodivulgeinformation),Interactivevoicerecording(IVR)orphonephishing(wherethefraudstergetsthevictimtodivulgesensitiveinformationoverthephone)andbaitingwithTrojanshorses(wherethefraudsterbaitsthevictimtoloadmalwareuntoasystem).6.ConclusionsInconclusionthee-commerceindustryfacesachallengingfutureintermsofthesecurityrisksitmustavert.Withincreasingtechnicalknowledge,anditswidespreadavailabilityontheinternet,criminalsarebecomingmoreandmoresophisticatedinthedeceptionsandattackstheycanperform.Novelattackstrategiesandvulnerabilitiesonlyreallybecomeknownonceaperpetratorhasuncoveredan

dexploitedthem.Insayingthis,therearemultiplesecuritystrategieswhichanye-commerceprovidercaninstigatetoreducetheriskofattackandcompromisesignificantly.Awarenessoftherisksandtheimplementationofmulti-layeredsecurityprotocols,detailedandopenprivacypoliciesandstrongauthenticationandencryptionmeasureswillgoalongwaytoassuretheconsumerandinsuretheriskofcompromiseiskeptminimal.