8/2/2019 Short Para Ecom
1. Introduction

E-commerce is defined as the buying and selling of products or services over electronic systems such as the Internet and, to a lesser extent, other computer networks. A wide variety of commerce is conducted via eCommerce, including electronic funds transfer, supply chain management, Internet marketing, online transaction processing, electronic data interchange (EDI), inventory management systems, and automated data collection systems. US online retail sales reached $175 billion in 2007 and are projected to grow to $335 billion by 2012 (Mulpuru, 2008). This massive increase in the uptake of eCommerce has led to a new generation of associated security threats, and any eCommerce system must meet four integral requirements: a) privacy: information exchanged must be kept from unauthorized parties; b) integrity: the exchanged information must not be altered or tampered with; c) authentication: both sender and recipient must prove their identities to each other; and d) non-repudiation: proof is required that the exchanged information was indeed received (Holcombe, 2007). These basic maxims of eCommerce are fundamental to the conduct of secure business online. Attacks in this sector rose by 15% from 2006 to 2007 (Symantec, 2007).

2. Privacy

Privacy has become a major concern for consumers with the rise of identity theft and impersonation, and any concern for consumers must be treated as a major concern for eCommerce providers. According to Consumer Reports Money Adviser (Perrotta, 2008), the US Attorney General has announced multiple indictments relating to a massive international security breach involving nine major retailers and more than 40 million credit- and debit-card numbers. US attorneys think that this may be the largest hacking and identity-theft case ever prosecuted by the Justice Department. Both EU and US legislation, at both the federal and state levels, mandates that certain organizations inform customers about information uses and disclosures. Such disclosures are typically accomplished through privacy policies, both online and offline (Vail et al., 2008). Privacy now forms an integral part of any e-commerce strategy, and investment in privacy protection has been shown to increase consumer spend, perceived trustworthiness and loyalty.

3. Integrity, Authentication & Non-Repudiation

In any e-commerce system the factors of data integrity, customer and client authentication and non-repudiation are critical to the success of any online business. Data integrity is the assurance that data transmitted is consistent and correct, that is, it has not been tampered with or altered in any way during transmission. Authentication is a means by which both parties in an online transaction can be confident that they are who they say they are, and non-repudiation is the idea that no party can dispute that an actual event online took place. Proof of data integrity is typically the easiest of these factors to accomplish. A data hash or checksum, such as MD5 or CRC, is sufficient to make the likelihood of an accidental change going undetected extremely low; it is not sufficient against a deliberate one, because an attacker who can alter the data in transit can simply recompute the unkeyed hash or checksum to match the altered data, and MD5 in particular is no longer collision resistant. Integrity against an active adversary requires a value the attacker cannot recompute: a message authentication code (MAC) under a secret shared by the two parties, or a digital signature. Notwithstanding these security measures, it is still possible to compromise the endpoints through techniques such as phishing, and the channel through man-in-the-middle attacks (Desmedt, 2005). One of the key developments in e-commerce security, and one which has led to the widespread growth of e-commerce, is the introduction of digital signatures as a means of verifying data integrity and authentication. An electronic signature may be defined as any letters, characters, or symbols manifested by electronic or similar means and executed or adopted by a party with the intent to authenticate a writing (Blythe, 2006). In order for a digital signature to attain the same legal status as an ink-on-paper signature, asymmetric key cryptography must have been employed in its production (Blythe, 2006). Digital signatures using public-key cryptography and hash functions are the generally accepted means of providing non-repudiation of communications: a MAC cannot provide it, since either holder of the shared secret could have produced the tag, whereas a valid signature can only have been produced by the holder of the private key and can be checked by anyone holding the public key.
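The three mechanisms this section contrasts, worked through as an added example (not code from the original essay): an in-path attacker alters a constructed order message and recomputes the unkeyed CRC-32 and SHA-256, which the receiver still accepts; the same alteration fails HMAC-SHA256 verification because the attacker lacks the shared secret, and fails Ed25519 signature verification because only the customer's private key can produce a valid signature, which is the property non-repudiation rests on. The order string, the field names and the `RunScenario` helper are this example's own assumptions; SHA-256 stands in for MD5 because MD5 is collision-broken, and the point holds for any unkeyed hash.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"hash/crc32"
)

// Result records which checks still pass after a man-in-the-middle has altered the order.
type Result struct {
	CRCGenuine, HashGenuine, HMACGenuine, SigGenuine bool // untouched order verifies everywhere
	CRCPassesAfterTamper, HashPassesAfterTamper       bool // unkeyed: attacker recomputes the value
	HMACPassesAfterTamper, HMACForgedTagPasses        bool // keyed: attacker lacks the shared secret
	SigPassesAfterTamper, SigFromAttackerKeyPasses    bool // signature: only the signer's key works
}

// CRCVerify and HashVerify are the unkeyed integrity checks the text mentions (CRC, hash).
func CRCVerify(msg []byte, sum uint32) bool { return crc32.ChecksumIEEE(msg) == sum }
func HashVerify(msg, digest []byte) bool {
	d := sha256.Sum256(msg)
	return bytes.Equal(d[:], digest)
}

// TamperAndRehash models an in-path attacker who edits the order and simply
// recomputes the unkeyed CRC and hash; nothing stops them, because no secret is involved.
func TamperAndRehash(msg, from, to []byte) (newMsg []byte, newCRC uint32, newDigest []byte) {
	newMsg = bytes.Replace(msg, from, to, 1)
	d := sha256.Sum256(newMsg)
	return newMsg, crc32.ChecksumIEEE(newMsg), d[:]
}

// HMACTag / HMACVerify: a MAC under a secret shared by customer and merchant.
func HMACTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}
func HMACVerify(key, msg, tag []byte) bool { return hmac.Equal(HMACTag(key, msg), tag) } // constant-time compare

// Ed25519 signature over the order: verifiable by anyone with the public key,
// producible only with the private key, which is what gives non-repudiation.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte    { return ed25519.Sign(priv, msg) }
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool { return ed25519.Verify(pub, msg, sig) }

// RunScenario protects a constructed order with all four mechanisms, lets an
// attacker rewrite the amount, and reports which checks the verifier still passes.
func RunScenario() (Result, error) {
	var r Result
	order := []byte("order=1234&item=SKU-42&qty=1&amount=19.99") // constructed sample message

	// Sender side: attach CRC, hash, HMAC tag and signature.
	crc := crc32.ChecksumIEEE(order)
	digest := sha256.Sum256(order)
	macKey := make([]byte, 32) // shared out of band; the attacker never sees it
	if _, err := rand.Read(macKey); err != nil {
		return r, err
	}
	tag := HMACTag(macKey, order)
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // customer's long-term key pair
	if err != nil {
		return r, err
	}
	sig := Sign(priv, order)
	r.CRCGenuine, r.HashGenuine = CRCVerify(order, crc), HashVerify(order, digest[:])
	r.HMACGenuine, r.SigGenuine = HMACVerify(macKey, order, tag), Verify(pub, order, sig)

	// Attacker in the path rewrites the amount and recomputes what it can.
	evil, evilCRC, evilDigest := TamperAndRehash(order, []byte("amount=19.99"), []byte("amount=0.01"))
	r.CRCPassesAfterTamper = CRCVerify(evil, evilCRC)
	r.HashPassesAfterTamper = HashVerify(evil, evilDigest)
	r.HMACPassesAfterTamper = HMACVerify(macKey, evil, tag)                         // original tag no longer matches
	r.HMACForgedTagPasses = HMACVerify(macKey, evil, HMACTag([]byte("guess"), evil)) // wrong key gives wrong tag
	r.SigPassesAfterTamper = Verify(pub, evil, sig)
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	r.SigFromAttackerKeyPasses = Verify(pub, evil, Sign(attackerPriv, evil)) // signed, but not by the customer
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Running it shows the two unkeyed checks accepting the altered order while the HMAC and signature checks reject it; only the signature additionally lets a third party (for example a dispute handler) confirm who produced it, because the merchant, holding the HMAC secret, could have produced the tag itself.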
4. Technical Attacks

Technical attacks are one of the most challenging types of security compromise an e-commerce provider must face. Perpetrators of technical attacks, and in particular denial-of-service attacks, typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, large online retailers and popular social networking sites.

Denial of Service Attacks

Denial of Service (DoS) attacks consist of overwhelming a server, a network or a website in order to paralyze its normal activity (Lejeune, 2002). The United States Computer Emergency Readiness Team defines symptoms of denial-of-service attacks to include (McDowell, 2007):

- unusually slow network performance;
- unavailability of a particular website;
- inability to access any website;
- a dramatic increase in the number of spam emails received.

DoS attacks can be executed in a number of different ways, for example:

- ICMP flood (Smurf attack): echo requests sent to a broadcast address with the victim's address spoofed as the source, so that every host on that segment floods the victim with replies;
- Teardrop attack: IP fragments with overlapping offsets that crash vulnerable reassembly code;
- Phlashing: an attack that leaves the target's firmware or hardware permanently unusable.

Distributed Denial-of-Service Attacks

Distributed Denial of Service (DDoS) attacks are one of the greatest security fears for IT managers. In a matter of minutes, thousands of compromised computers can flood the victim website, choking out legitimate traffic (Tariq et al., 2006). The most famous DDoS attacks occurred in February 2000, when websites including Yahoo, Buy.com, eBay, Amazon
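Detection logic for two of the DoS techniques listed in this section, as an added example rather than anything from the original essay or from US-CERT: a Smurf amplification storm shows up as many ICMP echo replies converging on one destination from many distinct sources, and a Teardrop datagram as IP fragments whose byte ranges overlap. The `Packet` record, the thresholds and the sample traffic (RFC 5737 documentation addresses) are constructed for this example; a real detector would fill the same fields from pcap or flow data, and fragment offsets are given here in bytes rather than the 8-byte units of the IP header.

```go
package main

import (
	"fmt"
	"sort"
)

// Packet holds the handful of IP/ICMP fields the two detectors need. The field
// names are this example's own; a real detector would fill them from pcap or flow data.
type Packet struct {
	Src, Dst   string
	Proto      string // "icmp", "udp", "tcp"
	ICMPType   int    // 0 = echo reply, 8 = echo request (RFC 792); ignored for non-ICMP
	FragID     uint16 // IP identification field shared by all fragments of one datagram
	FragOffset int    // offset of this fragment's payload within the datagram, in bytes
	Length     int    // payload bytes carried by this fragment
	MoreFrags  bool   // IP "more fragments" flag
}

// DetectSmurf returns destinations that received at least minReplies ICMP echo
// replies from at least minSources distinct hosts. In a Smurf attack the victim
// never sent the matching requests: the attacker spoofed the victim's address in
// echo requests to a broadcast address, so every host on that segment answers the victim.
func DetectSmurf(pkts []Packet, minReplies, minSources int) []string {
	replies := map[string]int{}
	sources := map[string]map[string]bool{}
	for _, p := range pkts {
		if p.Proto != "icmp" || p.ICMPType != 0 {
			continue
		}
		replies[p.Dst]++
		if sources[p.Dst] == nil {
			sources[p.Dst] = map[string]bool{}
		}
		sources[p.Dst][p.Src] = true
	}
	var victims []string
	for dst, n := range replies {
		if n >= minReplies && len(sources[dst]) >= minSources {
			victims = append(victims, dst)
		}
	}
	sort.Strings(victims)
	return victims
}

// FragKey identifies one fragmented datagram.
type FragKey struct {
	Src, Dst string
	ID       uint16
}

// DetectTeardrop returns the datagrams whose fragments overlap. Legitimate
// fragmentation yields contiguous, non-overlapping byte ranges; a Teardrop
// datagram carries a later fragment whose offset falls inside an earlier one,
// which crashed reassembly code in a number of 1990s IP stacks.
func DetectTeardrop(pkts []Packet) []FragKey {
	groups := map[FragKey][]Packet{}
	for _, p := range pkts {
		if p.MoreFrags || p.FragOffset > 0 { // any packet that is part of a fragmented datagram
			k := FragKey{Src: p.Src, Dst: p.Dst, ID: p.FragID}
			groups[k] = append(groups[k], p)
		}
	}
	var bad []FragKey
	for k, frags := range groups {
		sort.Slice(frags, func(i, j int) bool { return frags[i].FragOffset < frags[j].FragOffset })
		end := 0 // first byte not yet covered by an earlier fragment
		for _, f := range frags {
			if f.FragOffset < end {
				bad = append(bad, k)
				break
			}
			end = f.FragOffset + f.Length
		}
	}
	sort.Slice(bad, func(i, j int) bool { return bad[i].ID < bad[j].ID })
	return bad
}

// SampleTraffic is constructed for this example (RFC 5737 documentation addresses):
// a Smurf reply storm from 50 hosts against 203.0.113.10, a normal ping exchange,
// a correctly fragmented datagram (ID 1) and a Teardrop datagram (ID 2).
func SampleTraffic() []Packet {
	var pkts []Packet
	for i := 1; i <= 50; i++ {
		pkts = append(pkts, Packet{Src: fmt.Sprintf("192.0.2.%d", i), Dst: "203.0.113.10", Proto: "icmp", ICMPType: 0})
	}
	return append(pkts,
		Packet{Src: "198.51.100.5", Dst: "198.51.100.9", Proto: "icmp", ICMPType: 8},
		Packet{Src: "198.51.100.9", Dst: "198.51.100.5", Proto: "icmp", ICMPType: 0},
		// ID 1: bytes 0-1479 then 1480-1999, contiguous.
		Packet{Src: "198.51.100.7", Dst: "203.0.113.20", Proto: "udp", FragID: 1, FragOffset: 0, Length: 1480, MoreFrags: true},
		Packet{Src: "198.51.100.7", Dst: "203.0.113.20", Proto: "udp", FragID: 1, FragOffset: 1480, Length: 520},
		// ID 2: the second fragment starts at byte 24, inside the first fragment's 0-35.
		Packet{Src: "192.0.2.99", Dst: "203.0.113.20", Proto: "udp", FragID: 2, FragOffset: 0, Length: 36, MoreFrags: true},
		Packet{Src: "192.0.2.99", Dst: "203.0.113.20", Proto: "udp", FragID: 2, FragOffset: 24, Length: 4},
	)
}

func main() {
	pkts := SampleTraffic()
	fmt.Println("smurf victims:", DetectSmurf(pkts, 20, 10))
	fmt.Println("teardrop datagrams:", DetectTeardrop(pkts))
}
```

The thresholds are the tuning knobs: a busy monitoring host legitimately receives many echo replies, so the distinct-source requirement matters more than the raw count, and in practice both would be evaluated per time window rather than over a whole capture.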
Brute Force Attacks

A brute force attack is a method of defeating a cryptographic scheme by trying a large number of possibilities, for example every key in a key space in turn until one decrypts a captured message into recognisable plaintext. Its feasibility is governed by the size of the key space that actually has to be searched, so short keys, keys derived from weak passwords and flawed key generation are the usual targets rather than the cipher itself.

5. Non-Technical Attacks

Phishing Attacks

Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing scams are generally carried out by sending the victim a fraudulent email from what purports to be a legitimate organization requesting sensitive information. When the victim follows the link embedded within the email they are brought to an elaborate and sophisticated duplicate of the legitimate organization's website.

Social Engineering
Social engineering is the art of manipulating people into performing actions or divulging confidential information. Social engineering techniques include pretexting (where the fraudster creates an invented scenario to get the victim to divulge information), interactive voice response (IVR) or phone phishing (where the fraudster gets the victim to divulge sensitive information over the phone) and baiting with Trojan horses (where the fraudster baits the victim into loading malware onto a system).

6. Conclusions

In conclusion, the e-commerce industry faces a challenging future in terms of the security risks it must avert. With increasing technical knowledge, and its widespread availability on the Internet, criminals are becoming more and more sophisticated in the deceptions and attacks they can perform. Novel attack strategies and vulnerabilities only really become known once a perpetrator has uncovered and exploited them. That said, there are multiple security strategies which any e-commerce provider can put in place to reduce the risk of attack and compromise significantly. Awareness of the risks and the implementation of multi-layered security controls, detailed and open privacy policies and strong authentication and encryption measures will go a long way to assure the consumer and ensure the risk of compromise is kept minimal.
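The exhaustive key search described under Brute Force Attacks in section 4, and the reason the "strong encryption measures" the conclusion calls for must include strong keys, as an added example that is not from the original essay: a constructed application derives its AES-128 key from a 16-bit value, so a known-plaintext search over the effective key space recovers the key in at most 65,536 trials even though the cipher itself is sound. `weakKey`, `EncryptBlock` and `BruteForce` are this example's own helpers; the two arithmetic helpers at the end show why the same search against a genuinely random 128-bit key is out of reach.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// keyBits is the effective key length of the constructed weak scheme: the
// application "derives" its AES-128 key from a 16-bit value, so AES's nominal
// 128-bit key space collapses to 65,536 candidates. AES itself is unchanged.
const keyBits = 16

// weakKey expands the 16-bit value into the 16-byte AES key the scheme uses.
func weakKey(k uint16) []byte {
	key := make([]byte, 16)
	binary.BigEndian.PutUint16(key[14:], k)
	return key
}

// EncryptBlock encrypts one 16-byte block under the weak scheme (the "message"
// the attacker later captures). A single raw block keeps the example short; it is not a real mode of operation.
func EncryptBlock(k uint16, plaintext []byte) ([]byte, error) {
	if len(plaintext) != aes.BlockSize {
		return nil, errors.New("plaintext must be exactly one AES block")
	}
	c, err := aes.NewCipher(weakKey(k))
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, plaintext)
	return out, nil
}

// BruteForce is a known-plaintext exhaustive search: walk the entire effective
// key space and stop at the first key that maps the known plaintext block to the
// captured ciphertext. It returns the key, the number of keys tried, and whether it succeeded.
func BruteForce(knownPlain, captured []byte) (key uint16, tried int, found bool) {
	buf := make([]byte, aes.BlockSize)
	for k := 0; k < 1<<keyBits; k++ {
		c, _ := aes.NewCipher(weakKey(uint16(k))) // key length is always valid here
		c.Encrypt(buf, knownPlain)
		tried++
		if bytes.Equal(buf, captured) {
			return uint16(k), tried, true
		}
	}
	return 0, tried, false
}

// ExpectedTrials is the average number of keys tested before a uniformly random
// key of the given length is found: half the key space.
func ExpectedTrials(bits int) float64 { return math.Pow(2, float64(bits-1)) }

// YearsAtRate converts that count into wall-clock years at a given trial rate.
func YearsAtRate(bits int, trialsPerSecond float64) float64 {
	return ExpectedTrials(bits) / trialsPerSecond / (365.25 * 24 * 3600)
}

func main() {
	plain := []byte("order=1234&qty=1") // constructed 16-byte known plaintext
	captured, err := EncryptBlock(0xBEEF, plain)
	if err != nil {
		panic(err)
	}
	k, tried, found := BruteForce(plain, captured)
	fmt.Printf("found=%v key=%#04x after %d trials\n", found, k, tried)
	fmt.Printf("average trials: 16-bit %.0f, 128-bit %.3g (%.3g years at 1e9 trials/s)\n",
		ExpectedTrials(16), ExpectedTrials(128), YearsAtRate(128, 1e9))
}
```

The attacker needs a known or recognisable plaintext to test candidates against; in an e-commerce setting that is rarely a problem, since message formats, headers and field names are predictable. The defence is not a different cipher but a key with the full entropy the cipher expects, drawn from a cryptographic random source rather than derived from a short secret.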