
SECURITY THREATS

UNIT 3
E COMMERCE
BY: SWATI CHAWLA
SECURITY THREATS
• E-commerce systems are based upon internet
use, which provides open and easy
communications on a global basis. 
• However, because the internet is unregulated,
unmanaged and uncontrolled, it poses a wide
range of risks and threats to the systems
operating on it.
Threat of Accidents and Malfunctions
• Operator error
• Hardware malfunction
• Software bugs
• Data errors
• Accidental disclosure of information
• Damage to physical facilities
• Inadequate system performance
• Liability for system failure
Threat of Computer Crime:
Theft
• Theft of software and equipment
• Unauthorized use of access codes and
financial passwords
• Theft by entering fraudulent transaction data
• Theft by stealing or modifying data
• Internet hoaxes for illegal gain
• Theft by modifying software
Threat of Computer Crime: Sabotage
and Vandalism
• Trap door
– A set of instructions that permits a user to bypass
the computer system’s security measures
• Trojan horse
– A program that appears to be valid but contains
hidden instructions that can cause damage
Threat of Computer Crime: Sabotage
and Vandalism (cont.)
• Logic bomb
– A type of Trojan horse set to activate when a
particular condition occurs
• Virus
– A special type of Trojan horse that can replicate
itself and spread
• Denial of service attack
– Sabotaging a Web site by flooding it with incoming
messages
CONT….
• Malware
– Malware is short for “malicious software.” Wikipedia
describes malware as a term used to mean a “variety of forms
of hostile, intrusive, or annoying software or program code.”
Malware could be computer viruses, worms, Trojan horses,
dishonest spyware, and malicious rootkits.
• Computer Virus
– A computer virus is a small piece of software that can spread
from one infected computer to another. The virus could
corrupt, steal, or delete data on your computer—even erasing
everything on your hard drive. A virus could also use other
programs like your email program to spread itself to other
computers. In other words, a computer virus is a program written to
alter the way a computer operates, without the permission or
knowledge of the user. A virus replicates and executes itself,
usually doing damage to your computer in the process.
CONT….
• Phishing
– Phishing scams are fraudulent attempts by
cybercriminals to obtain private information. Phishing
scams often appear in the guise of email messages
designed to appear as though they are from
legitimate sources.
– For example, the message would try to lure you into
giving your personal information by pretending that
your bank or email service provider is updating its
website and that you must click on the link in the
email to verify your account information and
password details.
CONT…
• Spyware Threats
– A serious computer security threat, spyware is any
program that monitors your online activities or
installs programs without your consent for profit
or to capture personal information.

• Bluesnarfing
– The act of stealing personal data, specifically
calendar and contact information, from a
Bluetooth enabled device.
CONT….
• Social Engineering
– Tricking computer users into revealing computer
security or private information, e.g. passwords, email
addresses, etc., by exploiting the natural tendency of a
person to trust and/or by exploiting a person’s
emotional response.
• Adware
– A form of threat where your computer starts
popping up a lot of advertisements. It is not a really
harmful threat, but it can be pretty annoying and
ruin the customer’s experience.
CONT….
• Cookies
– Cookies are not really malware. They are just
something used by most websites to store
data on your computer. They are listed here because
they have the ability to store things on your
computer and track your activities within the site.
If you really don’t like the existence of cookies,
you can choose to reject cookies for some of
the sites which you do not know.
CONT….
• Keylogger
– Something that keeps a record of every keystroke
you make on your keyboard. A keylogger is a very
powerful threat for stealing people’s login credentials
such as username and password. It is also usually
a sub-function of a powerful Trojan.
Known Vulnerabilities to E-com
Platforms
• Cross Site Scripting (MALICIOUS JAVASCRIPT CODE)
– In this form of attack, an attacker inserts a JavaScript
snippet on a vulnerable webpage that, to a browser,
looks like a normal script and is therefore executed.
– This further performs a number of harmful actions, such as accessing a
user’s cookie information to impersonate them
– This form of attack targets the website’s users
– In 2016, over 6000 e-com websites were impacted as
customer credit cards were stolen despite HTTPS
encryption
CONT....
• SQL Injection
• It affects websites using SQL databases
• In this type of attack, the attacker executes malicious SQL
statements that control the web application’s database
server.
• It is used to add, modify and delete records in a database,
affecting data integrity (causing repudiation issues)
• Altering data can void transactions, changing balances and
other records
• Attackers get unauthorized access to sensitive data
including customer data, personal information, trade
secrets, intellectual property and other sensitive
information
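The injection described above side by side with its fix, as an added example that is not part of the original slides: a lookup that splices user input into the SQL text lets a single input widen the WHERE clause and return every customer row, while the parameter-bound version treats the same input as plain data. The customer table and both inputs are constructed for the demo.

```python
import sqlite3

def build_demo_db() -> sqlite3.Connection:
    # Constructed sample data standing in for an e-com customer table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "alice@example.com", "4242"),
                      (2, "bob@example.com", "1881")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # Vulnerable: the input becomes part of the SQL text, so it can change the
    # statement's structure instead of only supplying a value to compare.
    query = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()

def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # Hardened: the statement's structure is fixed first; the driver binds the
    # input as a value, so quotes or keywords inside it are never parsed as SQL.
    query = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()

def demo() -> dict:
    conn = build_demo_db()
    legit = "alice@example.com"
    hostile = "x' OR '1'='1"  # constructed tautology input for the comparison
    return {
        "vuln_legit": len(lookup_vulnerable(conn, legit)),
        "vuln_hostile": len(lookup_vulnerable(conn, hostile)),
        "safe_legit": len(lookup_safe(conn, legit)),
        "safe_hostile": len(lookup_safe(conn, hostile)),
    }
```

Running `demo()` shows the vulnerable lookup returning both customers for the hostile input, while the bound query returns none because no customer has that literal e-mail address.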
CONT....
• Distributed Denial of Service (DDoS) Attacks
• These attacks come from many sources which
look similar to legitimate traffic.
• This attack type overloads servers, slows down
sites, or takes a site temporarily
offline.
• This attack type prevents legitimate users from
accessing sites or completing orders
• In Oct 2016, DNS provider Dyn was targeted by a
DDoS attack, and thousands of websites were
taken offline as a result
CONT....
• Bad Bots
• Bots are prevalent on the internet and can be both good
and bad
• E-com companies make websites visible to these bots
so that when a user searches for keywords related to
their site, it shows up in the results. (Google)
• However, malicious bots, when run, gather
information from the websites or abuse them, such as
– Pricing Data
– Holding products in carts without an intent to buy them
– Taking over real accounts by guessing the passwords
– Stealing information of user logins
CONT....
• A recent survey found that 97% of sites are hit
with some sort of bad bots.
• For ecommerce sites, bad bots account for an
average of 15.6% of a website’s traffic.
• Bots perform a wide range of activities
• Price scraping:
– These bots collect price and product data and send it
back to the bot-maker (competitor), so they can lower
their prices and take sales away.
– These bots hurt SEO as scrapers create duplicate
content
CONT....
• Login Fraud
• Bots can attempt to log in using real users’ credentials
by guessing passwords through a brute-force approach.
• Bots steal users’ stored credit card information, which
results in loss of trust and money
• Bots steal large lists of account logins on the websites.
• Bots can also create new accounts in order to test
stolen credit card numbers
• Bots attempt to guess the expiration date and CVV number
of stored credit cards and make fraudulent purchases.
CONT...
• Limiting inventory for actual users
• Bots act more quickly than human browsers.
• Bots add and hold items in carts and might
purchase and resell products on a third-party
website
• If bots do not purchase, the site shows items as out of
stock and hence actual visitors may
abandon the website.
CONT....
• Incorrect Analytics
• Since bots imitate human behavior, they are
included in analytics
• Bots harm important metrics like page views,
bounce rate, and conversion rate.
• Bots impact final sales as they increase cart
abandonment rates.
• Bots make online ads falsely appear to be working
well when they are not, and convince you to spend
money on the wrong ads and keywords
Factors that Increase the Risks
• The nature of complex systems
• Human limitations
• Pressures in the business environment
Methods for Minimizing Risks
• Controlling system development and
modifications
– Software change control systems
• Providing security training
– Physical access controls
Controlling Access to Data, Computers,
and Networks
• Guidelines for manual data handling
• Access privileges
• Access control based on what you know
– Password schemes
• Access control based on what you have
• Access control based on where you are
• Access control based on who you are
• Controlling incoming data flowing through
networks and other media
– Commercially available virus protection products
– Firewall software that inspects each incoming
data packet and decides whether it is acceptable
based on its IP address
Firewall and the Internet
Making the Data Meaningless to
Unauthorized Users
• Public key encryption – encryption method
based on two related keys, a public key and a
private (secret) key
– Also used to transmit the secret key used by the
Data Encryption Standard (DES)
– Digital signatures – use public key encryption to
authenticate the sender of a message and the
message content
Encryption
Essential steps of the digital signature process

• STEP 1 The signatory is the authorized holder of a unique cryptographic key pair;
• STEP 2 The signatory prepares a data message (for example, in the form of an
electronic mail message) on a computer;
• STEP 3 The signatory prepares a “message digest”, using a secure hash algorithm.
Digital signature creation uses a hash result derived from and unique to the signed
message;
• STEP 4 The signatory encrypts the message digest with the private key. The
private key is applied to the message digest text using a mathematical algorithm.
The digital signature consists of the encrypted message digest;
• STEP 5 The signatory typically attaches or appends its digital signature to the
message;
• STEP 6 The signatory sends the digital signature and the (unencrypted or
encrypted) message to the relying party electronically;
Essential steps of the digital signature process

• STEP 7 The relying party uses the signatory’s public key to verify the signatory’s
digital signature. Verification using the signatory’s public key provides a level of
technical assurance that the message came exclusively from the signatory;
• STEP 8 The relying party also creates a “message digest” of the message, using the
same secure hash algorithm;
• STEP 9 The relying party compares the two message digests. If they are the same,
then the relying party knows that the message has not been altered after it was
signed. Even if one bit in the message has been altered after the message has been
digitally signed, the message digest created by the relying party will be different
from the message digest created by the signatory;
• STEP 10 Where the certification process is resorted to, the relying party obtains a
certificate from the certification service provider (including through the signatory
or otherwise), which confirms the digital signature on the signatory’s message. The
certificate contains the public key and name of the signatory (and possibly
additional information), digitally signed by the certification service provider.
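The ten steps above carried through in code, as an added example that is not part of the original slides: a toy textbook RSA key pair (no padding, built with a small Miller-Rabin test) stands in for the signatory’s key pair, SHA-256 produces the message digest, the private key “encrypts” the digest, and the relying party recomputes the digest and compares. It is for illustrating the procedure only; the key sizes and message are constructed and a real system would use a vetted signature library.

```python
import hashlib
import secrets

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    # Miller-Rabin test, used only to build the toy key pair below.
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if is_probable_prime(cand):
            return cand

def generate_key_pair(bits: int = 512):
    # STEP 1: the signatory holds a unique key pair, public (e, n) and private (d, n).
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e != 0:
            break
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)

def message_digest(message: bytes) -> int:
    # STEP 3 (signatory) and STEP 8 (relying party): the same secure hash algorithm.
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private_key) -> int:
    # STEP 4: digest "encrypted" with the private key (textbook RSA, no padding); STEPS 5-6 attach and send it.
    d, n = private_key
    return pow(message_digest(message), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    # STEPS 7 and 9: recover the signed digest with the public key and compare it with a fresh digest.
    e, n = public_key
    return pow(signature, e, n) == message_digest(message)
```

STEP 10 is not modelled: here the relying party is assumed to already hold the signatory’s genuine public key, which in practice is what the certificate from the certification service provider vouches for.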
How Digital Signatures Work
Controlling Traditional Transaction
Processing
• Data preparation and authorization
• Data validation
• Error correction
• Backup and recovery
Maintaining Security in Web-Based
Transactions
• Public key infrastructure (PKI)
– Certification authority (CA) – a company that
issues digital certificates
• Computer-based records that identify the CA, identify
the sender that is being verified, contain the sender’s
public key, and are digitally signed by the CA
Transaction Privacy, Authentication,
Integrity, and Nonrepudiation
• Web transactions are encrypted using the Secure
Sockets Layer (SSL) protocol
– Encrypts the transmission using a temporary key generated
automatically based on session information
• Transaction authentication – the process of verifying the
identity of the participants in a transaction
• Transaction integrity – ensuring that information is not changed
after the transaction is completed
• Nonrepudiation – ensuring that neither party can deny that the
transaction occurred
Difficulties With Security Methods for
Web Transactions
• Secure Electronic Transaction (SET)
method:
– Proposed by a consortium of credit card
companies
– More secure than SSL
– Costly, and very slow adoption rate
THANK YOU
