module 3 notes

Uploaded by vs5455181

Module 3

E-commerce security environment.


Introduction.
The history of security in commercial transactions teaches that any security system can be
broken if enough resources are put against it. Security is not absolute. In addition, perfect
security of every item is not needed forever, especially in the information age. There is a time
value to information—just as there is to money. Sometimes it is sufficient to protect a message
for a few hours or days. Also, because security is costly, we always have to weigh the cost
against the potential loss. Finally, we have also learned that security is a chain that breaks most
often at the weakest link. Our locks are often much stronger than our management of the keys.
We can conclude then that good e-commerce security requires a set of laws, procedures, policies, and technologies that, to the extent feasible, protect individuals and organizations from unexpected behaviour in the e-commerce marketplace.


E-commerce security.
E-commerce security is the protection of e-commerce assets from unauthorized access, use, alteration, or destruction.
Dimensions of e-commerce security.
• Integrity refers to the ability to ensure that information being displayed on a website or transmitted or received over the Internet has not been altered in any way by an unauthorized party.
• Nonrepudiation refers to the ability to ensure that e-commerce participants do not deny (i.e., repudiate) their online actions.
• Authenticity refers to the ability to verify the identity of a person or entity with whom you are dealing on the Internet. How does the customer know that the website operator is who it claims to be? How can the merchant be assured that the customer is really who she says she is? Someone who claims to be someone he is not is “spoofing” or misrepresenting himself.
• Confidentiality refers to the ability to ensure that messages and data are available only to those who are authorized to view them.
• Privacy refers to the ability to control the use of information a customer provides about himself or herself to an e-commerce merchant.
• Availability refers to the ability to ensure that an e-commerce site continues to function as intended.
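The integrity and authenticity dimensions above, as an added example that is not part of the original notes: the sender tags an order message with HMAC-SHA256 and the receiver recomputes the tag, so any alteration in transit is detected. The shared key, the order and the message layout are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed demo key shared by sender and receiver; a real deployment would load it
# from a secrets store, never from source code.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed sample order as a merchant site might send it to its payment processor.
ORDER = {"order_id": "A1001", "amount": "149.99", "currency": "USD", "ship_to": "12 Elm St"}


def canonical(order: dict) -> bytes:
    # Deterministic serialization so both sides tag exactly the same bytes.
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def sign_order(order: dict, key: bytes = SHARED_KEY) -> str:
    # HMAC-SHA256 tag: proves the bytes are unchanged (integrity) and were produced by
    # a holder of the key (authenticity). It does NOT give nonrepudiation, because both
    # parties hold the same key; that needs a digital signature made with a private key.
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def verify_order(order: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    # compare_digest runs in constant time, so response timing does not leak
    # how many leading tag bytes a forged tag got right.
    return hmac.compare_digest(sign_order(order, key), tag)


def demo() -> tuple:
    # Returns (original verifies, tampered copy verifies).
    tag = sign_order(ORDER)
    tampered = dict(ORDER, amount="1.99")  # the price was changed in transit
    return verify_order(ORDER, tag), verify_order(tampered, tag)


if __name__ == "__main__":
    print(demo())  # (True, False)
```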
E-commerce Security Threats

1. Financial frauds
• Ever since the first online businesses entered the world of the internet, financial fraudsters have been giving businesses a headache. There are various kinds of financial fraud prevalent in the e-commerce industry, but we are going to discuss the two most common of them.
a. Credit Card Fraud
• It happens when a cybercriminal uses stolen credit card data to buy products on your e-commerce store. Usually, in such cases, the shipping and billing addresses differ.
b. Fake Return & Refund Fraud
• The bad players perform unauthorized transactions and clear the trail, causing businesses great losses. Some hackers also engage in refund fraud, where they file fake requests for returns.
2. Phishing.
• Several e-commerce shops have received reports of their customers receiving messages or emails from hackers masquerading as the legitimate store owners. Such fraudsters present fake copies of your website pages or of another reputable website to trick the users into believing them.

3. Spamming.
• Some bad players can send infected links via email or social media inboxes. They can also leave these links in their comments or messages on blog posts and contact forms. Once you click on such links, they will direct you to their spam websites, where you may end up being a victim.
4. DoS and DDoS.
• A denial-of-service (DoS) attack is an attack on a network that is designed to disable the network by flooding it with useless traffic or activity.
• A DoS attack is meant to shut down a machine or network, making it inaccessible to its intended users.
• A distributed denial-of-service (DDoS) attack uses multiple computers to launch a DoS attack. A DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted server or network by overwhelming the target.
5. Malware attack.
• Hackers may design malicious software and install it on your IT and computer systems without your knowledge. These malicious programs include spyware, viruses, Trojans, and ransomware.
• The systems of your customers, admins, and other users might have Trojan horses downloaded on them. These programs can easily swipe any sensitive data that might be present on the infected systems and may also infect your website.
6. Bots.
• The attackers develop special bots that can scrape your website to get information about inventory and prices. Such hackers, usually your competitors, can then use the data to lower or modify the prices on their websites in an attempt to lower your sales and revenue.
7. Brute-force attack.
• The online environment also has players who can use brute force to attack your admin panel and crack your password. These fraudulent programs connect to your website and try out thousands of combinations in an attempt to obtain your site’s passwords.
8. E-skimming.
• E-skimming involves infecting a website’s checkout pages with malicious software. The intention is to steal the clients’ personal and payment details.

Technology Solutions in E-commerce.

• Encryption.
• Securing channels of communication.
• Protecting networks.
• Protecting servers and clients.


1. Encryption.

• Encryption is the process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the receiver.
• The purpose of encryption is
  (a) to secure stored information
  (b) to secure information transmission

2. Securing channels of communication.

• Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
• The most common form of securing channels is through the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. When you receive a message from a server on the Web with which you will be communicating through a secure channel, this means you will be using SSL/TLS to establish a secure negotiated session. (Notice that the URL changes from HTTP to HTTPS.)
• SSL provides security to the data that is transferred between the web browser and the server.
• A virtual private network (VPN) allows remote users to securely access a corporation’s local area network via the Internet, using a variety of VPN protocols. VPNs use both authentication and encryption to secure information from unauthorized persons (providing confidentiality and integrity).

3. Protecting networks

i) Firewall refers to either hardware or software that filters communication packets and prevents some packets from entering or exiting the network based on a security policy.
• The firewall controls traffic to and from servers and clients, forbidding communications from untrustworthy sources and allowing other communications from trusted sources to proceed.

ii) Proxy servers (proxies) are software servers (often a dedicated computer) that handle all communications originating from or being sent to the Internet by local clients, acting as a spokesperson or bodyguard for the organization. Proxies act primarily to limit the access of internal clients to external Internet servers, although some proxy servers act as firewalls as well.
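A first-match, default-deny packet filter of the kind the firewall point above describes, added here as an illustration and not taken from the original notes. The rule set, addresses and packets are constructed; real firewalls also track connection state, which this simplified filter omits.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str        # "in" (toward the network) or "out"
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # destination port, None means any port
    proto: str = "tcp"


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Constructed security policy: rules are ordered and the first match wins.
# 192.0.2.10 stands in for the shop's web server, 203.0.113.0/24 for a range the
# organization has decided to block, and 10.0.0.0/8 for the internal network.
POLICY = [
    Rule("deny", "in", "203.0.113.0/24", "0.0.0.0/0", None),   # blocked source range
    Rule("allow", "in", "0.0.0.0/0", "192.0.2.10/32", 443),    # public HTTPS to the shop
    Rule("allow", "in", "10.0.0.0/8", "192.0.2.10/32", 22),    # SSH only from inside
    Rule("allow", "out", "192.0.2.0/24", "0.0.0.0/0", 443),    # servers may call external HTTPS
]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto == pkt.proto
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def decide(pkt: Packet, policy=POLICY) -> str:
    # Walk the policy in order; anything no rule explicitly allows is dropped
    # (default deny), which is what keeps an unlisted service unreachable.
    for rule in policy:
        if matches(rule, pkt):
            return rule.action
    return "deny"
```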

4. Protecting servers and clients.

i) Operating system security enhancements
• The most obvious way to protect servers and clients is to take advantage of automatic computer security upgrades.
• Microsoft, Apple, and Linux/Unix operating systems are continuously updated to patch vulnerabilities discovered by hackers.
• The most common known worms and viruses can be prevented by simply keeping your server and client operating systems and applications up to date.

ii) Anti-virus software
• The easiest and least-expensive way to prevent threats to system integrity is to install anti-virus software.
• Anti-virus programs can be set up so that e-mail attachments are inspected before you click on them, and the attachments are eliminated if they contain a known virus or worm.

MANAGEMENT POLICIES IN E-COMMERCE.

• Management Policies, Business Procedures, and Public Laws

In 2013, companies worldwide are expected to spend over $65 billion on security hardware, software, and services. However, most CEOs and CIOs of existing e-commerce operations believe that technology is not the sole answer to managing the risk of e-commerce.

• An e-commerce security plan would include a risk assessment, development of a security policy, an implementation plan, creation of a security organization, and a security audit.
• Implementation may involve expanded forms of access controls – IDs, passwords, access codes, biometrics (fingerprints, retina scans, speech recognition), etc.
• A security plan begins with risk assessment—an assessment of the risks and points of vulnerability. The first step is to inventory the information and knowledge assets of the e-commerce site and company.
• A security policy—a set of statements prioritizing the information risks, identifying acceptable risk targets, and identifying the mechanisms for achieving these targets.
• An implementation plan—the steps you will take to achieve the security plan goals. Specifically, you must determine how you will translate the levels of acceptable risk into a set of tools, technologies, policies, and procedures. What new technologies will you deploy to achieve the goals, and what new employee procedures will be needed?
• Access controls determine which outsiders and insiders can gain legitimate access to your networks.
• Authentication procedures include the use of digital signatures and certificates issued by certificate authorities. Now that e-signatures have been given the same legal weight as an original pen-and-ink version, companies are in the process of devising ways to test and confirm a signer’s identity.
• A security audit involves the routine review of access logs (identifying how outsiders are using the site as well as how insiders are accessing the site’s assets).
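The security audit point above calls for routine review of access logs, and the brute-force threat described earlier in the notes is one thing such a review should surface. The following is an added example, not from the original notes, that scans constructed admin-panel login log lines and flags any source address that reaches a threshold of failed logins inside a sliding time window; the log format, addresses and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed admin-panel login log lines (format assumed for this example).
LOG_LINES = """\
2024-05-01T10:00:01Z ip=198.51.100.7 user=admin result=FAIL
2024-05-01T10:00:02Z ip=198.51.100.7 user=admin result=FAIL
2024-05-01T10:00:03Z ip=198.51.100.7 user=admin result=FAIL
2024-05-01T10:00:04Z ip=198.51.100.7 user=admin result=FAIL
2024-05-01T10:00:05Z ip=198.51.100.7 user=admin result=FAIL
2024-05-01T10:00:06Z ip=198.51.100.7 user=admin result=OK
2024-05-01T10:00:10Z ip=10.0.0.5 user=alice result=FAIL
2024-05-01T10:00:40Z ip=10.0.0.5 user=alice result=OK
2024-05-01T11:30:00Z ip=192.0.2.9 user=bob result=FAIL
2024-05-01T11:45:00Z ip=192.0.2.9 user=bob result=FAIL
2024-05-01T12:10:00Z ip=192.0.2.9 user=bob result=FAIL
2024-05-01T12:30:00Z ip=192.0.2.9 user=bob result=FAIL
2024-05-01T12:50:00Z ip=192.0.2.9 user=bob result=FAIL
""".splitlines()


def parse(line: str) -> dict:
    # "<timestamp> key=value key=value ..." -> dict with a datetime under "ts".
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_bruteforce(lines, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Flag IPs with `threshold` failed logins inside any `window_seconds` span.
    Returns {ip: {"first", "last", "success_after"}}; success_after marks a later
    successful login from a flagged IP, the case an auditor must treat as a
    possible compromised account rather than a mere nuisance."""
    recent_fails = defaultdict(deque)  # per-IP failure times still inside the window
    flagged = {}
    for rec in map(parse, lines):
        ip = rec["ip"]
        if rec["result"] == "FAIL":
            q = recent_fails[ip]
            q.append(rec["ts"])
            while (rec["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()  # drop failures that have aged out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {"first": q[0], "last": rec["ts"], "success_after": False}
        elif ip in flagged:
            flagged[ip]["success_after"] = True
    return flagged
```

Slow, spread-out guessing (the 192.0.2.9 lines) stays under the one-minute window, so an audit that only looks at short bursts needs a second pass with a wider window or a per-account view.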

Business procedures and public laws in E-commerce.

• Taxes
• Payment gateways
• Trademarks, patents and copyrights
• Shipping restrictions
• Age restrictions
• Business insurance
• Licenses and permits
• Customer privacy
1. Taxes
• Sales taxes vary by state and by separate locations within states. 45 states and Washington D.C. impose a state-wide sales tax. However, different cities, counties and “special taxing districts” may also add local sales tax rates on top of state-wide taxation.

2. Payment gateways.
• Payment gateways are the lifeline for securely processing customer payments.
• The keyword here is “security”, as a payment data breach can lead to a major regulatory fine, not to mention indirect losses associated with damage to your brand image.

3. Trademarks, patents and copyrights.
• Trademarks, patents and copyrights are considered business intellectual property and, thus, are protected by the respective laws.
• Trademark: A word, phrase, symbol and/or design that identifies and distinguishes the source of the goods of one party from those of others.
• Patent: A limited-duration property right relating to an invention, granted by the United States Patent and Trademark Office in exchange for public disclosure of the invention.
• Copyright: Protects works of authorship, such as writings, music and works of art that have been tangibly expressed.

4. Shipping restrictions.
• E-commerce shipping can be mind-boggling at times since logistics companies have different rates, rules and restrictions for shipping different types of products.

5. Age restrictions.
• This act includes quite a few regulations, but one that will likely apply to your site is the inability to collect any personal information from a child under the age of 13.

6. Business insurance.
• Business insurance isn’t always legally mandatory for e-commerce store owners. If you operate as a registered business entity such as a limited liability company (LLC), your personal assets may already be protected.

7. Licenses and permits.
• Depending on which products you decide to offer, you may need a business license to sell them.

8. Customer privacy.
• E-commerce websites can collect a ton of valuable insights to create a data-driven experience for shoppers. Data privacy laws around the world prohibit merchants from using customers’ personally identifiable information (PII) for analytics purposes. This includes full names, addresses, social security numbers, debit and credit card details, etc.

Payment systems in E-commerce.

1. Credit cards
• Credit cards are widely utilized for e-commerce transactions due to their secure features and ease of use. Enabling credit card payments on your website can help your customers shop without having to worry about paying upfront.

2. Debit cards
• Unlike credit cards, debit cards can be obtained easily without any prerequisites related to eligibility or documentation. Usually, everyone who opens a bank account is issued a free debit card, making it one of the important payment systems to include on your website.

3. E-wallets
• E-wallets act just like physical wallets except that all the cards and money are stored virtually. They help with instant payments and quick checkouts while purchasing on the internet.

4. Net banking
• Transactions done through net banking let users pay online directly from their bank account. Customers can access their bank account online through their user ID and password and proceed to make the transaction.

5. Buy Now Pay Later
• Buy Now Pay Later (BNPL) is a popular method of payment among young buyers who prefer easy access to credit that simplifies payments for them.
