Unit 5(Ecom.Notes) (2)

The document outlines the essential aspects of e-commerce security, including integrity, nonrepudiation, authenticity, confidentiality, privacy, and availability. It discusses various threats to e-commerce, such as fraud in electronic payment systems, e-cash vulnerabilities, and common security issues like phishing and hacking. Additionally, it highlights security mechanisms like encipherment, access control, and digital signatures to protect online transactions.

Uploaded by Ramesh Tharu

Unit 5: Security in E-Commerce (7 Hrs.)

eCommerce security is the set of guidelines that ensures safe transactions over the
internet. It consists of protocols that safeguard people who buy and sell goods and
services online. You need to gain your customers' trust by putting eCommerce
security basics in place. Such basics include:

Dimensions of E-commerce security

Integrity: the ability to ensure that information being displayed on a Web site or
transmitted/received over the Internet has not been altered in any way by an
unauthorized party.

Nonrepudiation: the ability to ensure that e-commerce participants do not deny
(repudiate) online actions.

Authenticity: the ability to verify the identity of a person or entity with whom you
are dealing on the Internet.

Confidentiality: the ability to ensure that messages and data are available only to
those authorized to view them.

Privacy: the ability to control the use of information a customer provides about
himself or herself to a merchant.

Availability: the ability to ensure that an e-commerce site continues to function as
intended.

Threat to E-Commerce

E-commerce threats arise from using the internet for unfair means, with the
intention of theft, fraud and security breaches. There are various types of
e-commerce threats. Some are accidental, some are purposeful, and some are due
to human error. The most common areas of security threat are electronic payment
systems, e-cash, data misuse, credit/debit card fraud, etc.

Electronic payments system:
Electronic payment systems have a very important role in e-commerce. E-commerce
organizations use electronic payment systems, which refer to paperless monetary transactions.

Some of the risks are:

The Risk of Fraud
An electronic payment system has a huge risk of fraud. The computing devices use a
person's identity for authorizing a payment, such as passwords and security
questions. These authentications are not foolproof in determining the identity of a
person.

The Risk of Tax Evasion
The Internal Revenue Service law requires that every business declare their financial
transactions and provide paper records so that tax compliance can be verified. The
problem with electronic systems is that they don't fit cleanly into this paradigm.

The Risk of Payment Conflicts
In electronic payment systems, the payments are handled by an automated electronic
system, not by humans. The system is prone to errors when it handles large amounts of
payments on a frequent basis with more than one recipient involved.

E-cash
E-cash is a paperless cash system which facilitates the transfer of funds anonymously.
E-cash is free to the user, while sellers pay a fee for it. The e-cash fund can be
either stored on a card itself or in an account which is associated with the card. The
most common examples of e-cash systems are transit cards, PayPal, GooglePay, Paytm,
etc.

E-cash has four major components:

1. Issuers - They can be banks or non-bank institutions.
2. Customers - They are the users who spend the e-cash.
3. Merchants or Traders - They are the vendors who receive e-cash.
4. Regulators - They are related to authorities or state tax agencies.

In e-cash, financial information is stored on a computer, an electronic device or on the
internet, where it is vulnerable to hackers. Some of the major threats related to e-cash
systems are:

Backdoor Attacks
A backdoor is a type of attack which gives an attacker unauthorized access to a system by
bypassing the normal authentication mechanisms. It works in the background and hides
itself from the user, which makes it difficult to detect and remove.

Denial of service attacks
A denial-of-service attack (DoS attack) is a security attack in which the attacker takes
action that prevents legitimate (correct) users from accessing the electronic devices.
It makes a network resource unavailable to its intended users by temporarily disrupting
services of a host connected to the Internet.

Direct Access Attacks
A direct access attack is an attack in which an intruder gains physical access to the
computer to perform unauthorized activity, installing various types of software to
compromise security. Such software may be loaded with worms and can download a huge
amount of sensitive data from the target victims.

Eavesdropping
This is an unauthorized way of listening to private communication over the network. It
does not interfere with the normal operations of the targeted system, so the sender
and the recipient of the messages are not aware that their conversation is being tracked.

Credit/Debit card fraud
A credit card allows us to borrow money from the issuing bank to make purchases. The
issuer of the credit card has the condition that the cardholder will pay back the
borrowed money with an additional agreed-upon charge.

Some of the important threats associated with debit/credit cards are:

ATM (Automated Teller Machine)-
It is the favourite place of fraudsters, since from there they can steal our card
details. Some of the important techniques criminals use to get hold of our card
information are:

Skimming- It is the process of attaching a data-skimming device to the card reader of
the ATM. When the customer swipes their card in the ATM card reader, the information
is copied from the magnetic stripe to the device. By doing this, the criminals get to know
the card number, name, CVV number, expiry date of the card and other details.

Unwanted Presence-
It is a rule that not more than one user should use the ATM at a time. If we find more
than one person lurking around together, the intention behind this may be to look over
our card details while we are making our transaction.

Vishing/Phishing
Phishing is an activity in which an intruder obtains sensitive information of a user,
such as passwords, usernames and credit card details, often for malicious reasons.

Vishing is an activity in which an intruder obtains sensitive information of a user by
sending SMS messages or making calls to mobile phones. These SMS messages and calls
appear to be from a reliable source, but in reality they are fake. The main objective of
vishing and phishing is to get the customer's PIN, account details, and passwords.

Online Transaction
Online transactions can be made by customers to shop and pay their bills over the
internet. As easy as this is for the customer, it is also easy for an attacker to break
into our system and steal our sensitive information. Some important ways our
confidential information is stolen during an online transaction are:

o By downloading software which scans our keystrokes and steals our passwords and
card details.
o By redirecting a customer to a fake website which looks like the original and steals
our sensitive information.
o By using public Wi-Fi.

POS Theft: It is commonly done at merchant stores at the time of a POS transaction. In
this, the salesperson takes the customer's card for processing payment and illegally
copies the card details for later use.

Common Security Vulnerabilities in E-commerce


Cyber attackers will try innumerable tricks and tactics to identify vulnerabilities
in your IT infrastructure, and devise more such tactics every day. That said,
compliance officers can start with the following list of common security
vulnerabilities that you may face:

Phishing and Malware

Phishing scams remain popular with hackers despite companies' educational
and awareness efforts. In this method, a hacker sends an email to an
employee, often posing as a colleague and trying to persuade the employee
to click on a malicious link or reveal sensitive information like passwords or
credit card numbers.

Phishing is a common technique for installing malware on a device; once an
employee has clicked the link, the malware can infect your system and begin
accessing your sensitive data.

Malicious code
Malicious code is unwanted files or programs that can cause harm to a computer
or compromise data stored on a computer. Various classifications of malicious code
include viruses, worms, and Trojan horses.

Adware

Adware is a form of malware that hides on your device and serves you
advertisements. Some adware also monitors your behavior online so it can target you
with specific ads.

Spyware:
Spyware is a type of malicious software -- or malware -- that is installed on a
computing device without the end user's knowledge. It invades the device, steals
sensitive information and internet usage data, and relays it to advertisers, data firms or
external users.

Social engineering

Social engineering is the term used for a broad range of malicious activities
accomplished through human interactions. It uses psychological manipulation to
trick users into making security mistakes or giving away sensitive information. Social
engineering attacks happen in one or more steps.

Hacking

Hacking refers to activities that seek to compromise digital devices, such as computers,
smartphones, tablets, and even entire networks. And while hacking might not always be
for malicious purposes, nowadays most references to hacking, and hackers,
characterize it/them as unlawful activity by cybercriminals—motivated by financial gain,
protest, information gathering (spying), and even just for the “fun” of the challenge.

Spoofing

What Is Spoofing?
Spoofing is a type of scam in which a criminal disguises an email address,
display name, phone number, text message, or website URL to convince a
target that they are interacting with a known, trusted source. Spoofing often
involves changing just one letter, number, or symbol of the communication so
that it looks valid at a quick glance. For example, you could receive an email
that appears to be from Netflix using the fake domain name “netffix.com.”
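The "one changed character" pattern described above (netffix.com standing in for netflix.com) can be screened for mechanically. The following Python is an added example, not code from these notes: it checks a sender's domain against a constructed list of trusted brand domains using edit distance plus a small homoglyph fold; the trusted list, threshold and sample addresses are assumptions for illustration.

```python
TRUSTED_DOMAINS = {"netflix.com", "paypal.com", "amazon.com"}  # constructed list

# Characters commonly swapped for look-alike digits/symbols in spoofed domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b", "|": "l"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike:<brand>' or 'unknown' for an e-mail address."""
    raw = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    # The exact brand domain or one of its subdomains is accepted as-is.
    if any(raw == t or raw.endswith("." + t) for t in trusted):
        return "trusted"
    # Fold homoglyphs first so 'paypa1.com' is compared as 'paypal.com'.
    folded = raw.translate(HOMOGLYPHS)
    best = min(trusted, key=lambda t: edit_distance(folded, t))
    if edit_distance(folded, best) <= max_edits:
        return "lookalike:" + best
    return "unknown"


if __name__ == "__main__":
    # Constructed sample addresses.
    for addr in ("billing@netflix.com", "billing@netffix.com",
                 "help@paypa1.com", "x@university.edu"):
        print(addr, "->", classify_sender(addr))
```

A "lookalike" verdict is a signal for quarantine or review, not proof of fraud; legitimate but unrelated short domains can also land within the threshold.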

Pharming

What is pharming?
Pharming is a scamming practice in which malicious code is installed on a
personal computer (PC) or server, misdirecting users to fraudulent websites
without their knowledge or consent. The aim is for users to input their personal
information. Once information, such as a credit card number, bank account
number or password, has been entered at a fraudulent website, criminals
have it, and identity theft can be the end result.

Client and Server Security

It is precisely the distribution of services between client and server that opens them up
to damage, fraud, and misuse. Security consideration must include the host systems,
personal computers (PCs), local area networks (LANs), global wide area networks
(WANs), and users. Because security investments don’t produce immediately visible
returns and client-server buyers sometimes don’t educate themselves about security,
this area of development is often overlooked until a problem occurs.
Transaction security

Transaction security ensures that users that attempt to run a transaction are entitled to
do so. You might come across the alternative terms of attach-time security or transaction-
attach security to describe transaction security. Transaction security is the most
fundamental form of security checking that is required to secure a CICS region and its
application; you should always enable transaction security. Without transaction security,
any user who has access to CICS can run any transaction without even needing to sign
on.

The security section of the documentation assumes that transaction security is enabled.

Security Mechanisms

Types of Security Mechanism are:

1. Encipherment:
This security mechanism deals with hiding and covering data, which helps the data
to become confidential. It is achieved by applying mathematical calculations or
algorithms that transform information into an unreadable form. It is achieved by
two well-known techniques, Cryptography and Encipherment. The level of data
encryption depends on the algorithm used for encipherment.
2. Access Control:
This mechanism is used to stop unauthorized access to the data you are sending.
It can be achieved by various techniques such as applying passwords, using a
firewall, or simply adding a PIN to the data.
3. Notarization:
This security mechanism involves the use of a trusted third party in communication.
It acts as a mediator between sender and receiver so that the chance of conflict is
reduced. This mediator keeps a record of requests made by the sender to the
receiver, in case either party later denies them.
4. Data Integrity:
This security mechanism works by appending to the data a value that is computed
from the data itself. It is similar to sending a packet of information known to both
sending and receiving parties, which is checked before sending and after the data
is received. When this appended packet or value is found to be the same at sending
and at receiving, data integrity is maintained.
5. Authentication exchange:
This security mechanism deals with making identities known in a communication.
It is achieved at the TCP/IP layer, where a two-way handshaking mechanism is used
to confirm whether data has been sent.
6. Bit stuffing:
This security mechanism adds some extra bits to the data being transmitted. It
allows the data to be checked at the receiving end and is achieved by even parity
or odd parity.
7. Digital Signature:
This security mechanism is achieved by adding digital data that is not visible to
the eye. It is a form of electronic signature which is added by the sender and
checked electronically by the receiver. This mechanism is used for data that is not
particularly confidential but where the sender's identity must be made known.
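The data-integrity mechanism in item 4 (append a value computed from the data, then recompute and compare on receipt) can be realised with an HMAC over a canonical encoding of the message. The following Python is an added example, not code from these notes; the shared key and the sample order are constructed for illustration.

```python
import hashlib
import hmac
import json

# Shared secret agreed out of band between merchant and payment gateway.
# Constructed for this example; a real deployment would provision it securely.
SHARED_KEY = b"example-shared-key-not-for-production"


def canonical(order: dict) -> bytes:
    """Serialize an order deterministically so both sides hash identical bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(order: dict, key: bytes = SHARED_KEY) -> dict:
    """Sender side: append an integrity tag (HMAC-SHA256) derived from the order."""
    tag = hmac.new(key, canonical(order), hashlib.sha256).hexdigest()
    return {"order": order, "tag": tag}


def verify(envelope: dict, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, canonical(envelope["order"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def demo():
    """Returns (untouched_ok, modified_ok); expected (True, False)."""
    # Constructed sample order.
    order = {"order_id": "A1001", "amount": "49.99", "currency": "USD", "payee": "merchant-42"}
    envelope = protect(order)
    untouched_ok = verify(envelope)
    # Simulate an in-transit change of the payee with the old tag left in place.
    modified = {"order": dict(order, payee="other-account"), "tag": envelope["tag"]}
    modified_ok = verify(modified)
    return untouched_ok, modified_ok


if __name__ == "__main__":
    print(demo())
```

Because both parties hold the same key, an HMAC proves integrity but not nonrepudiation: either side could have produced the tag, so a dispute needs the sender's private-key signature from item 7 instead.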

Prepared by: LBK