Chapter 4. Security in E-Commerce: What Is Ecommerce Security?

What is eCommerce Security?
eCommerce security refers to the principles which guide safe electronic
transactions, allowing the buying and selling of goods and services through the
Internet, but with protocols in place to provide safety for those involved.
Successful business online depends on the customers’ trust that a company
has eCommerce security basics in place.

PURPOSE OF SECURITY
1. Data Confidentiality – is provided by encryption/decryption.

2. Authentication and Identification – ensuring that someone is who he or she
claims to be; implemented with digital signatures.

3. Access Control – governs what resources a user may access on the system.
Uses valid IDs and passwords.

4. Data Integrity – ensures information has not been tampered with;
implemented by a message digest or hashing.

5. Non-repudiation – a party cannot deny a sale or purchase; implemented with
digital signatures.

Plaintext/clear text is a message humans can read. Cipher text is unreadable
to humans and is produced by encryption; the reverse process is called
decryption. A cryptographic algorithm is called a cipher; it is a mathematical
function. Most attacks are focused on finding the "key".
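As an added illustration of items 1, 4 and 5 above (not part of the original chapter), the following Python applies a SHA-256 message digest to a constructed order record to detect tampering, then a keyed digest (HMAC) to show what a plain hash cannot give: assurance of who produced it. The shared key is a made-up value; true non-repudiation needs an asymmetric digital signature, which is not shown here.

```python
import hashlib
import hmac
import json

# Constructed sample order record (not from the chapter).
ORDER = {"order_id": "A1001", "sku": "SKU-42", "qty": 1, "total": "149.00"}

# Hypothetical key shared between the shop front end and the order service.
SHARED_KEY = b"example-shared-key-do-not-reuse"


def canonical(record: dict) -> bytes:
    """Serialise deterministically so both sides hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def message_digest(record: dict) -> str:
    """Unkeyed SHA-256 digest: detects modification, but anyone can recompute it."""
    return hashlib.sha256(canonical(record)).hexdigest()


def keyed_digest(record: dict, key: bytes) -> str:
    """HMAC-SHA256: only a holder of `key` can produce a matching tag."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_digest(record: dict, expected: str) -> bool:
    # compare_digest avoids leaking timing information during the comparison.
    return hmac.compare_digest(message_digest(record), expected)


def verify_keyed(record: dict, key: bytes, expected: str) -> bool:
    return hmac.compare_digest(keyed_digest(record, key), expected)


def demo() -> dict:
    """Run the integrity and authenticity checks on the original and a tampered copy."""
    digest = message_digest(ORDER)
    tag = keyed_digest(ORDER, SHARED_KEY)
    tampered = dict(ORDER, total="1.00")  # price altered in transit
    return {
        "digest_accepts_original": verify_digest(ORDER, digest),
        "digest_rejects_tampered": not verify_digest(tampered, digest),
        # Whoever altered the record can simply attach a fresh plain digest...
        "digest_forgeable_without_key": verify_digest(tampered, message_digest(tampered)),
        "hmac_accepts_original": verify_keyed(ORDER, SHARED_KEY, tag),
        "hmac_rejects_tampered": not verify_keyed(tampered, SHARED_KEY, tag),
        # ...but cannot produce a valid keyed tag without SHARED_KEY.
        "hmac_forgeable_without_key": verify_keyed(
            tampered, SHARED_KEY, keyed_digest(tampered, b"attacker-guess")
        ),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The digest alone only proves integrity when it is stored or sent separately from the data; the keyed tag ties the record to a key holder.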

Privacy
One of the most obvious eCommerce security basics is privacy, which in this
situation means not sharing information with unauthorized parties. When you
shop online, your personal details or account information should not be
accessible to anyone except the seller you have chosen to share it with. Any
disclosure of that information by the merchant would be a breach of
confidentiality. The business is responsible for providing at least the minimum
in encryption, virus protection, and a firewall so that bank details and credit
card information remain private.
Integrity
A second concept which is crucial within secure eCommerce is the idea of
integrity—that none of the information shared online by the customer will be
altered in any way. This principle states that a secure transaction includes
unchanged data—that the business is only using exactly what was entered into
the Internet site by the buyer. Any tampering with information breaks the
confidence of the buyer in the security of the transaction and the integrity of
the company in general.
Authentication
For eCommerce to take place, both seller and buyer have to be who they say
they are. A business cannot sell unless it's real, the products are real, and the
sale will go through as described online. The buyer must also provide proof of
identification so that the merchant can feel secure about the sale. In
eCommerce, fraudulent identification and authentication are possible, and
many businesses hire an expert to make sure these kinds of eCommerce
security basics are in place. Common solutions include technological
solutions—customer logins and passwords or additional credit card PINs.
Non-repudiation
Repudiation is denial, and good business depends on both buyers and sellers
following through on the part of the transaction which originated with
them—not denying those actions. Since eCommerce happens in cyberspace,
usually without any live video, it can feel less safe and sure. The legal principle
of non-repudiation adds another level of security by confirming that the
information which was sent between parties was indeed received and that a
purchase or email or signature cannot be denied by the person who completed
the transaction.
Customers who don't feel transactions are secure won't buy. Hesitation on
the part of the buyer will destroy eCommerce potential. Any breach will cost a
business in lost revenues and consumer trust. These eCommerce security
basics can guide any business owner regarding safe online transaction
protocol.
In summary:
• Integrity: prevention against unauthorized data modification
• Non-repudiation: prevention of any one party reneging on an agreement after
the fact
• Authenticity: authentication of data source
• Confidentiality: protection against unauthorized data disclosure
• Privacy: provision of data control and disclosure
• Availability: prevention against data delays or removal

SECURITY THREATS

There are various types of e-commerce threats. Some are accidental, some are
purposeful, and some of them are due to human error. The most common
security threats are phishing attacks, money theft, data misuse, hacking,
credit card fraud and unprotected services.

There are 3 types of security threats in e-commerce:

a. Client threats
i. Active content
ii. Malicious content
iii. Server-side masquerading
iv. Password cracking

b. Communication channel threats
i. Confidentiality threats
ii. Integrity threats
iii. Availability threats

c. Server threats
i. Web-server threats
ii. Database threats
iii. Common gateway interface threats
iv. Password cracking

CAUSES OF E-COMMERCE THREATS

Inaccurate management – One of the main reasons for e-commerce threats is
poor management. When security is not up to the mark, it poses a very
dangerous threat to networks and systems. Security threats also occur when no
proper budget is allocated for the purchase of anti-virus software licenses.

Price Manipulation – Modern e-commerce systems often face price manipulation
problems. These systems are fully automated, right from the first visit to the
final payment gateway. Stealing is the most common intention of price
manipulation. It allows an intruder to slide or install a lower price into the
URL and get away with all the data.
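To make the mechanism concrete, here is an added Python example (not from the chapter) of a checkout handler that trusts a client-supplied price in the URL, beside one that looks the price up in a server-side catalogue and records an alert on mismatch. The catalogue, SKUs, URL and quantity limit are constructed values.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlparse

# Constructed server-side catalogue: the only authority on what an item costs.
CATALOG = {"SKU-42": Decimal("149.00"), "SKU-7": Decimal("19.99")}
MAX_QTY = 100  # assumed business limit per line item


def parse_checkout_url(url: str) -> dict:
    """Return the single-valued query parameters the client submitted."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def vulnerable_total(params: dict) -> Decimal:
    """The flaw the text describes: the price is taken from the URL as-is."""
    return Decimal(params["price"]) * int(params["qty"])


def hardened_total(params: dict) -> tuple:
    """Ignore any client price; charge the catalogue price and log mismatches.

    Returns (total, alerts). Raises ValueError on an unknown SKU or bad quantity.
    """
    alerts = []
    sku = params.get("sku")
    if sku not in CATALOG:
        raise ValueError(f"unknown sku {sku!r}")
    try:
        qty = int(params.get("qty", "1"))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise ValueError(f"quantity {qty} out of range")
    if "price" in params:
        # A client sending a price at all is suspicious; a different one is an attempt.
        try:
            claimed = Decimal(params["price"])
        except InvalidOperation:
            claimed = None
        if claimed != CATALOG[sku]:
            alerts.append(
                f"client price {params['price']!r} != catalogue {CATALOG[sku]} for {sku}"
            )
    return CATALOG[sku] * qty, alerts


if __name__ == "__main__":
    # Constructed request in which the buyer has edited the price down to 1.00.
    request = parse_checkout_url(
        "https://shop.example/checkout?sku=SKU-42&qty=1&price=1.00"
    )
    print("vulnerable charges:", vulnerable_total(request))
    total, alerts = hardened_total(request)
    print("hardened charges:", total, alerts)
```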

Snowshoe Spam – Spam is something which is very common; almost every one of
us deals with spam mails in our mail box. The spam problem has never actually
been solved, but it is turning out to be a not so general issue. The reason for
this is the very nature of a spam message: a spam is something which is sent by
one person. Unfortunately, a new development is taking place in the cyber
world, called snowshoe spam. Unlike regular spam it is not sent from one
computer but from many users. In such a case it becomes difficult for
anti-spam software to protect against the spam messages.

Malicious code threats – These code threats typically involve viruses, worms
and Trojan horses.

• Viruses are normally external threats and can corrupt the files on the
website if they find their way into the internal network. They can be very
dangerous as they destroy computer systems completely and can damage the
normal working of the computer. A virus always needs a host, as viruses
cannot spread by themselves.
• Worms are very different from, and more serious than, viruses. A worm
places itself directly through the internet. It can infect millions of
computers in a matter of just a few hours.
• A Trojan horse is programming code which can perform destructive
functions. Trojans normally attack your computer when you download
something, so always check the source of the downloaded file.

Hacktivism – The full form of hacktivism is hacking activism. At first it may
seem like you should hardly be aware of this cyber threat; after all, it is a
problem not directly related to you, so why should you be bothered at all?
However, that's not the case. Firstly, hacktivists do not only target those
directly associated with politics; the purpose can also be socially motivated.
Hacktivism typically uses social media platforms to bring social issues to
light. It can also include flooding an email address with so much traffic that
it temporarily shuts down.

Wi-Fi Eavesdropping – This is also one of the easiest ways in e-commerce to
steal personal data. It is like a "virtual listening" to information which is
shared over a Wi-Fi network which is not encrypted. It can happen on public as
well as on personal computers.

Other threats – Some other threats include data packet sniffing, IP spoofing,
and port scanning. Data packet sniffing tools are normally called sniffers. An
intruder can use a sniffer to attack a data packet flow and scan individual
data packets. With IP spoofing it is very difficult to track the attacker. The
purpose here is to change the source address so that the packet looks as
though it originated from another computer.

Security measures for online shopping / Ways to combat e-commerce threats

Developing a thorough implementation plan is the first step to minimize a cyber
threat. There are various security measures to be taken for online shopping,
like:

• Firewalls – software and hardware
• Public key infrastructure
• Encryption software
• Cryptography
• Security/digital certificates
• Digital signatures
• Passwords
• Biometrics – retinal scan, fingerprints, voice
• Locks and bars – network operations centers
• Secured protocols
• Security audits
Encryption – It is the process of converting a normal text into an encoded text
which cannot be read by anyone except the one who sends or receives the
message. Encryption is the process of converting information or data into a
code, especially to prevent unauthorized access. It is an important way you, as
a business owner, can secure your online data. It requires a password to
'unlock' a file in order to read its contents. For an eCommerce site, this
protection is vital. Below is a list of some encryption services out there for
you to choose from:

Folder Lock: While it's one of the priciest options, it shares the same
algorithm used by many government agencies. It offers relied-upon safety and
security, and extra features like file shredding, as well as its apparent
'stealth mode.'

Secure IT: Touted as the easiest encryption program to use, this data
encryption software is one anyone can access, as it doesn't require a tech wiz
to set it up. This is a great option for business owners new to eCommerce, no
matter what your level of encryption understanding is. One benefit of using
Secure IT is that it compresses your files, saving you space.

Kruptos 2 Pro: This is another great option to keep your files and data safe
from thieves and hackers. It offers extras like file name changing as well as file
shredding. It also has a great help guide that makes itself known right from the
beginning, so you never feel lost or like you are on your own.

While these are some of the industry leaders, there are many other choices for
encryption software available. How do you choose the one that is right for you?
Suggested criteria are performance, security, version compatibility and the
accessibility of the help and support desk.

• Having digital certificates – A digital certificate is issued by a reliable
third party company. A digital certificate contains the following things: the
name of the company (only in an EV SSL certificate), the most important digital
certificate serial number, the expiry date and the date of issue. An EV SSL
certificate is necessary, as it provides a high level of authentication to your
website. The very function of this kind of certificate is to exclusively protect
an e-commerce website from unwanted attacks such as the Man-in-the-Middle
attack. There are also different types of SSL certificates available (such as
Wildcard SSL, SAN, SGC, Exchange Server certificate, etc.) which you can choose
according to the needs of your website.
• Perform a security audit – a routine examination of the security
procedures of the firm.

SECURE ONLINE SHOPPING GUIDELINES / Guidelines for safe on-line shopping
When a customer is a regular online shopper, he/she must follow the following
guidelines.

a. Use Familiar Websites. Use a trusted site rather than shopping with a
search engine. Search results can be rigged to lead you astray, especially when
you drift past the first few pages of links. If you know the site, chances are
it's less likely to be a rip-off. Beware of misspellings or sites using a
different top-level domain (.net instead of .com, for example)—those are the
oldest tricks in the book. Yes, the sales on these sites might look enticing,
but that's how they trick you into giving up your info.

b. Look for the Lock. Never ever buy anything online using your credit card
from a site that doesn't have SSL (secure sockets layer) encryption installed—at
the very least. You'll know if the site has SSL because the URL for the site will
start with HTTPS:// (instead of just HTTP://). An icon of a locked padlock will
appear, typically in the status bar at the bottom of your web browser, or right
next to the URL in the address bar. It depends on your browser. Never give
anyone your credit card over email.

c. Don't Tell All. No online shopping store needs your social security number or
your birthday to do business. However, if crooks get them, combined with your
credit card number for purchases, they can do a lot of damage. The more they
know, the easier it is to steal your identity. When possible, default to giving up
the least amount of information.

d. Check Statements. Go online regularly, especially during the holiday season,
and look at electronic statements for your credit card, debit card, and
checking accounts. Make sure you don't see any fraudulent charges, even
originating from sites like PayPal. (After all, there's more than one way to get
to your money.) If you do see something wrong, pick up the phone to address the
matter quickly. In the case of credit cards, pay the bill only once you know all
your charges are accurate. You have 30 days to notify the bank or card issuer
of problems, however; after that, you might be liable for the charges anyway.

e. Use Strong Passwords. The best practice for online shopping is to change
your passwords periodically. Our tips for passwords can come in handy during
a time of year when shopping around probably means creating new accounts
on all sorts of e-commerce sites.

f. Think Mobile. Most of the young generation, when they are going to purchase
a product online, start by comparing the products from various sites. The
National Retail Federation says that 5.7 percent of adults will use their
mobile devices to do comparison shopping before making a purchase.

g. Avoid Public Terminals. Hopefully we don't have to tell you it's a bad idea to
use a public computer to make purchases, but we still will. If you do, just
remember to log out every time you use a public terminal, even if you were just
checking email.

h. Don't Fall for "Phishing" Messages. Identity thieves send massive numbers
of emails to Internet users that ask them to update the account information for
their banks, credit cards, online payment service, or popular shopping sites.
The email may state that your account information has expired, been
compromised or lost and that you need to immediately resend it to the
company. Some emails sent as part of such "phishing" expeditions often
contain links to official-looking Web pages. Other times the emails ask the
consumer to download and submit an electronic form.

i. Count the Cards. Gift cards are the most requested holiday gift every year.
Stick to the source when you buy one; scammers like to auction off gift cards
on sites like eBay with little or no funds on them.

j. Use Shopper's Intuition. Look at the site with a critical eye. And heed the old
adage, "If it looks too good to be true, it probably is." If any of these questions
trigger a warning bell in your head; it is wise to find another online merchant:

• Are there extraordinary claims that you question?
• Do the company's prices seem unusually low?
• Does it look like the merchant is an amateur?
• Are there a lot of spelling or grammar errors?
• Does the company's phone go unanswered?
• The use of a post office box might not send up a red flag, but a merchant
who does not also provide the company's physical address might be
cause for concern.

k. Before purchasing the goods on global sites make sure about the currency or
exchange rates.

l. Find the cost of delivery charges and whether the product is delivered to your
location or not.

m. If you are bidding on eBay, check out the buyers' and sellers' feedback. This
should become standard before you ever place a bid.

n. Find the FAQs on the online shopping sites for more information and their
rules, acts and regulations.

o. If someone demands cash for a payment, say no. Use your credit card to
make your payment; this will protect you against fraud. Credit card companies
refund accounts where fraudulent activity transpires.

p. Read the full terms and conditions before placing an order, and also the
privacy policy of the e-commerce web site.

q. If you are unsure about a site, try doing a search with Google or any of the
other search engines. You may find comments posted about the shopping site
from other customers.

Examples Of Security Threats For Ecommerce Websites:

Ecommerce security risks can be accidental, intentional or caused by human
error. The most prevalent cybersecurity threats include phishing attacks,
hacking, credit card fraud, data errors or unprotected online services. For an
ecommerce business, poor security management is the greatest cause of risk
for online retailers.
1.) Phishing attacks.
Phishing attacks target user data such as login credentials and credit card
numbers. Using social engineering, an attacker will pose as a trusted entity to
deceive a victim into opening an email, text message or instant message.
2.) Credit card fraud.
Within an ecommerce site, there are multiple vulnerable areas that can serve
as an intrusion point for a hacker to gain payment and user information. Using
malware, an attacker will extract the credit card information and sell the data,
sometimes on black markets. Fraud is then committed to extract the greatest
value possible through ecommerce transactions, ATM withdrawals, etc.
Ecommerce Security Best Practices:
What can online store owners do to strengthen their websites' security?
Most ecommerce platforms have an arsenal of built-in security features
dedicated to mitigating electronic commerce threats. Here are some of the ways
online merchants can bolster safer credit card processing and data security.
1.) Make sure your ecommerce platform has multi-layered security.
The best way to keep your ecommerce business safe from cybercriminal activity
is to layer your security. Make sure your platform host has protections in place
at the application level, such as contact forms, search tools and login fields.
2.) Monitor all transactions.
Ensure you and your hosting provider are monitoring all transactions for
suspicious activity. Set up an alert system to flag potential threats like a billing
address and shipping address not matching, or multiple orders being placed by
a single user with different credit cards.
3.) Deploy regular PCI scans and updates.
Your ecommerce platform should issue frequent updates and PCI scans to look
for any potential threats that may be targeting your online store. Automatic
updates should also be a standard practice in preventing new vulnerabilities to
viruses and malware.
4.) Utilize the Address Verification System.
To facilitate safer credit card processing, use an Address Verification System to
compare the billing address a customer has entered to what the credit card
issuer has on file. An AVS will automatically separate legitimate transactions
from fraudulent attempts.
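As an added example for points 2.) and 4.) above (not from the chapter), the Python below runs three rules over a constructed batch of orders: billing and shipping addresses that differ, an AVS-style comparison of the billing address with the address the issuer has on file, and one user placing orders with more than two different cards. The order records, the tokenised card identifiers and the issuer-on-file table are made-up stand-ins for what a real gateway's AVS response would provide.

```python
from collections import defaultdict

# Constructed sample orders. "card" is a hypothetical gateway token, never a PAN.
ORDERS = [
    {"id": 1, "user": "alice", "card": "tok_1111",
     "billing": "1 Main St, Springfield", "shipping": "1 Main St, Springfield"},
    {"id": 2, "user": "bob", "card": "tok_2222",
     "billing": "9 Elm Rd, Shelbyville", "shipping": "PO Box 77, Capital City"},
    {"id": 3, "user": "mallory", "card": "tok_3333",
     "billing": "5 Oak Ave, Ogdenville", "shipping": "5 Oak Ave, Ogdenville"},
    {"id": 4, "user": "mallory", "card": "tok_4444",
     "billing": "5 Oak Ave, Ogdenville", "shipping": "5 Oak Ave, Ogdenville"},
    {"id": 5, "user": "mallory", "card": "tok_5555",
     "billing": "5 Oak Ave, Ogdenville", "shipping": "5 Oak Ave, Ogdenville"},
]

# Hypothetical stand-in for what the card issuer has on file; in production the
# payment gateway performs this lookup and returns an AVS result code instead.
ISSUER_ADDRESS_ON_FILE = {
    "tok_1111": "1 Main St, Springfield",
    "tok_2222": "9 Elm Rd, Shelbyville",
    "tok_3333": "5 Oak Ave, Ogdenville",
    "tok_4444": "2 Pine Ct, North Haverbrook",  # card registered elsewhere
    "tok_5555": "5 Oak Ave, Ogdenville",
}

MAX_CARDS_PER_USER = 2  # assumed threshold; tune to the shop's own traffic


def normalise(address: str) -> str:
    """Case- and punctuation-insensitive form so trivial differences do not alert."""
    return " ".join(address.lower().replace(",", " ").replace(".", " ").split())


def avs_match(card: str, billing: str) -> bool:
    """Address Verification: does the billing address match the issuer's record?"""
    on_file = ISSUER_ADDRESS_ON_FILE.get(card)
    return on_file is not None and normalise(on_file) == normalise(billing)


def flag_orders(orders: list) -> list:
    """Return (order_id, reason) alerts for every rule an order trips."""
    cards_by_user = defaultdict(set)
    for order in orders:
        cards_by_user[order["user"]].add(order["card"])

    alerts = []
    for order in orders:
        if normalise(order["billing"]) != normalise(order["shipping"]):
            alerts.append((order["id"], "billing/shipping address mismatch"))
        if not avs_match(order["card"], order["billing"]):
            alerts.append((order["id"], "AVS mismatch"))
        if len(cards_by_user[order["user"]]) > MAX_CARDS_PER_USER:
            alerts.append((order["id"], "multiple cards used by one user"))
    return alerts


if __name__ == "__main__":
    for order_id, reason in flag_orders(ORDERS):
        print(f"order {order_id}: {reason}")
```

An alert is a signal for review, not an automatic decline; a gift shipped to another address trips the first rule legitimately.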
5.) Require a CVV.
Card Verification Value is the three- or four-digit code on the back of a credit
card. Under PCI standards, retailers are not allowed to store this number, even
if they record customers' names, addresses and credit card numbers for future
transactions. Additionally, many cybercriminals have a credit card number,
but not the physical card. A CVV requirement makes it much more difficult for
a fraudulent transaction to be processed.
6.) Require stronger passwords.
Hackers use algorithms that generate customers' passwords. These programs
run through all the possible combinations for a four-digit password, with the
ability to find the right alpha-numeric password quickly. Longer passwords
with at least one special character and a capital letter are more secure. If
implementing stricter password standards, let customers know it's for their
protection.
7.) Use SSL certificates to facilitate a secure connection.
SSL certificates authenticate the identity of your business and secure the data
in transit during checkout. This keeps your company and your customers
protected from having financial or important information compromised by
hackers.
8.) Choose a hosting provider that is PCI compliant.
In order to be PCI compliant, an ecommerce platform must adhere to a strict
set of policies and procedures that guarantee the security of payment via credit
or debit card. Some of those measures include encryption, anti-malware
software, extensive monitoring, risk analysis and more.
9.) Make sure your platform protects against DoS/DDoS attacks.
Most websites simply don't have the bandwidth to protect against a
DoS/DDoS attack; however, the ecommerce platform you choose should have
the security in place to counter this threat.

FAQs About Ecommerce Security:

Is ecommerce safe?
As more consumers adopt online shopping, security in ecommerce is a high
priority for both merchants and shoppers alike. Customers should always
research how secure a site is before entering financial information, while
merchants should have multiple layers of security in place to keep valuable
data protected.
What is cryptography in ecommerce?
Cryptography is the practice of encrypting data into an unreadable format,
known as cipher text. Typically used to protect data, payment information or
emails, only those who possess the secret key can decrypt the messages into
plain text.
What is SET protocol in ecommerce?
Secure Electronic Transaction Protocol (SET) is a three-way transaction
between the user, merchant and bank using specific protocols.
What is encryption in ecommerce?
Encryption is the practice of encoding data to ensure the data can be securely
relayed over the internet. It acts as one of the most effective methods in
mitigating ecommerce security risks to safeguard data integrity.
What is an SSL certificate?
SSL certificates use small data files to bind a cryptographic key to a
company's details. When an SSL certificate is installed on a web server, it uses
specific protocols to facilitate a secure connection from the server to a browser.
What is online credit card fraud?
Online credit card fraud uses phishing attacks, hacking or malware to steal
financial information for fraudulent transactions.
What is a payment gateway?
Merchants use payment gateways provided by an ecommerce platform or
ecommerce application to authorize credit card payments for online retailers or
traditional brick and mortar stores.
