Learning Objectives Understand the importance and scope of security of information systems for EC. Describe the major concepts and terminology of EC security.

Presentation transcript:

Chapter 10: E-Commerce Security and Fraud Issues and Protections

Learning Objectives
- Understand the importance and scope of security of information systems for EC.
- Describe the major concepts and terminology of EC security.
- Understand the major EC security threats, vulnerabilities, and technical attacks.
- Understand Internet fraud, phishing, and spam.
- Describe the information assurance security principles.

Learning Objectives (continued)
- Describe the major technologies for protection of EC networks, including access control.
- Describe various types of controls and special defense mechanisms.
- Describe consumer and seller protection from fraud.
- Discuss enterprisewide implementation issues for EC security.
- Understand why it is so difficult to stop computer crimes.
- Discuss the future of EC.

HOW STATE UNIVERSITY OF NEW YORK COLLEGE AT OLD WESTBURY CONTROLS ITS INTERNET USE
The Problem
- The College does not regulate the types of devices people use on its network
- Students, faculty, and networks are vulnerable to a variety of security issues originating from social media websites
- The College encourages the use of social media as a collaborative, sharing, and learning environment

HOW STATE UNIVERSITY OF NEW YORK COLLEGE AT OLD WESTBURY CONTROLS ITS INTERNET USE
- Social media is also a leading target for malware writers, an ideal place for cybercriminals to insert viruses and hack into systems
- The attempt to use intelligent agents (which some students objected to having on their computers) as guards failed

HOW STATE UNIVERSITY OF NEW YORK COLLEGE AT OLD WESTBURY CONTROLS ITS INTERNET USE
- The university decided to rewrite its old usage policy to meet the needs of current technology
- Bandwidth usage was a problem
- The high level of usage for non-educational activities sometimes interfered with classroom or research needs

HOW STATE UNIVERSITY OF NEW YORK COLLEGE AT OLD WESTBURY CONTROLS ITS INTERNET USE
The Solution
- All students, faculty, and staff received a user ID for computer utilization
- Next, a new usage policy was implemented
- This policy was communicated to all users and was enforced by monitoring the usage for each ID, watching network traffic, and performing behavioral analysis

HOW STATE UNIVERSITY OF NEW YORK COLLEGE AT OLD WESTBURY CONTROLS ITS INTERNET USE
The Results
- The modified system monitors performance and automatically sends alerts to management when deviations from the policy occur
- The users are contacted and alerted to the problem via e-mail; the user can then go to the student computer lab for problem resolution
- Bandwidth is controlled only when classes are in session

LESSONS LEARNED FROM THE CASE
- This case demonstrates two problems: possible malware attacks and insufficient bandwidth
- The university's ability to monitor when users are on the university network, look for any unusual activity, and take appropriate action if needed demonstrates one of the defense mechanisms used by an organization
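The per-ID usage monitoring the case describes, as an added Go example that is not from the textbook or the College: it parses a constructed usage log (the line format, the class-hours window and the per-ID limit are all assumptions made here), sums each ID's traffic while classes are in session, and returns the IDs that deviate from the policy, which is the input an automatic alert to management would carry.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// UsageRecord is one parsed line of the constructed log: "<userID> <hour> <megabytes>".
type UsageRecord struct {
	UserID   string
	Hour, MB int
}

// Policy is the constructed usage policy: a per-ID limit that applies only
// while classes are in session, i.e. for hours in [ClassStart, ClassEnd).
type Policy struct {
	ClassStart, ClassEnd, LimitMB int
}

// ParseLog parses the log; a malformed line is an error rather than silently skipped.
func ParseLog(text string) ([]UsageRecord, error) {
	var recs []UsageRecord
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed log line: %q", line)
		}
		hour, err1 := strconv.Atoi(f[1])
		mb, err2 := strconv.Atoi(f[2])
		if err1 != nil || err2 != nil || hour < 0 || hour > 23 || mb < 0 {
			return nil, fmt.Errorf("bad field in log line: %q", line)
		}
		recs = append(recs, UsageRecord{UserID: f[0], Hour: hour, MB: mb})
	}
	return recs, nil
}

// Alerts returns the IDs, with totals, whose in-session usage exceeds the policy limit.
func Alerts(recs []UsageRecord, p Policy) map[string]int {
	total, over := make(map[string]int), make(map[string]int)
	for _, r := range recs {
		if r.Hour >= p.ClassStart && r.Hour < p.ClassEnd { // out-of-session usage is not counted
			total[r.UserID] += r.MB
		}
	}
	for id, mb := range total {
		if mb > p.LimitMB {
			over[id] = mb
		}
	}
	return over
}

// sampleLog is constructed sample data, not a real campus log.
const sampleLog = "u1001 9 120\nu1001 10 300\nu1002 10 50\nu1002 21 900\nu1003 11 500"

func main() {
	recs, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	policy := Policy{ClassStart: 9, ClassEnd: 17, LimitMB: 400}
	fmt.Println(Alerts(recs, policy)) // map[u1001:420 u1003:500]
}
```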

THE INFORMATION SECURITY PROBLEM
- What Is EC Security?
- The Status of Computer Security in the United States
  - Personal Security
  - National Security
- Security Risks for 2014 and 2015
  - Cyberespionage and cyberwars
  - Attacks are now also against mobile assets
  - Attacks on social networks and social software tools

Figure 10.1 Major EC Security Management Concerns
- Generic viruses and malware
- Protecting customer data and privacy
- Spam, DoS
- Clogged systems
- Fraud by buyers
- Fraud by sellers
- Attacking mobile devices, systems
- Business continuity (interrupting EC)
- Advanced defense systems
- Cross-border espionage and cyberwars
- Social engineering, phishing
- Attacks on social networks

THE INFORMATION SECURITY PROBLEM
- Security Risks in Mobile Devices
- Cyberwars and Cyberespionage Across Borders
  - Cyberwarfare
  - Cyberespionage
- Attacking Information Systems
- Types of Attacks
  - Corporate espionage
  - Political espionage and warfare

THE INFORMATION SECURITY PROBLEM
The Drivers of EC Security Problems
- The Internet's Vulnerable Design
- The Spread of Computerized Medical Data
- The Shift to Profit-Induced Crimes
- Computers Everywhere
- The Increased Volume of Wireless Activities and the Number of Mobile Devices
- The Globalization of the Attackers

THE INFORMATION SECURITY PROBLEM
- The Darknet and the Underground Economy
  - Darknet*
  - The Internet Underground Economy*
  - The Internet Silk Road
  - Keystroke Logging in the Underground Economy: keystroke logging (keylogging)
- The Explosion of Social Networking
- The Dynamic Nature of EC Systems and the Acts of Insiders
- The Sophistication of the Attacks
- The Cost of Cyber Crime

BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
Basic Security Terminology
- Business continuity plan*
- Cybercrime*
- Cybercriminal*
- Exposure*
- Fraud*
- Malware (malicious software)*
- Phishing*
- Risk*
- Spam*
- Vulnerability*
- Zombie*

BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
The EC Security Battleground
- The Threats, Attacks, and Attackers
- Unintentional Threats
  - Human Error
  - Environmental Hazards
  - Malfunctions in the Computer System
- Intentional Attacks and Crimes
- The Criminals and Methods
  - Hacker*
  - Cracker*

Figure 10.2 The EC Security Battleground

BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
The Targets of the Attacks in Vulnerable Areas
- Vulnerable Areas Are Being Attacked
- Vulnerability Information
- Attacking E-Mail
- Attacking Smartphones and Wireless Systems
- The Vulnerability of RFID Chips
- The Vulnerabilities in Business IT and EC Systems
- Pirated Videos, Music, and Other Copyrighted Material

BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
EC Security Requirements
- Authentication*
- Authorization*
- Auditing
- Availability
- Nonrepudiation*

BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
The Defense: Defenders, Strategy, and Methods
- EC Defense Programs and Strategy
- EC security strategy*
- Deterrent methods*
- Prevention measures*
- Detection measures*
- Information assurance (IA)*

BASIC E-COMMERCE SECURITY ISSUES AND LANDSCAPE
- Possible Punishment
- Defense Methods and Technologies
- Recovery

TECHNICAL MALWARE ATTACK METHODS: FROM VIRUSES TO DENIAL OF SERVICE
- Technical and Nontechnical Attacks: An Overview
- The Major Technical Attack Methods
- Malware (Malicious Code): Viruses, Worms, and Trojan Horses
  - Viruses*

Figure 10.3 The Major Technical Security Attack Methods (in descending order of importance)

Figure 10.4 How a Computer Virus Can Spread

TECHNICAL MALWARE ATTACK METHODS: FROM VIRUSES TO DENIAL OF SERVICE
- Worms*
- Macro Viruses and Microworms*
- Trojan horse*
- Some Security Bugs: Heartbleed and Cryptolocker
  - Heartbleed
  - Cryptolocker
- Denial-of-service (DoS) attack*
- Botnets*
- Home Appliance "Botnet"
- Malvertising

NONTECHNICAL METHODS: FROM PHISHING TO SPAM AND FRAUD
- Social Engineering and Fraud
- Social Phishing
- Example: The Target Security Breach
- Fraud and Scams on the Internet
- Examples of Typical Online Fraud Attacks
- Types of Scams: literary scams, jury duty scams, banking scams, e-mail scams, lottery scams, Nigerian scams (or "419" fraud), credit card scams, work-at/from-home scams, IRS e-mail scams, and free vacation scams
- E-Mail Scams

Figure 10.5 Social Engineering: From Phishing to Financial Fraud and Crime

Figure 10.6 How Phishing Is Accomplished

NONTECHNICAL METHODS: FROM PHISHING TO SPAM AND FRAUD
- Top 10 Attacks and Remedies
- Identity Theft and Identity Fraud
  - Identity theft*
  - Identity fraud*
- Cyber Bank Robberies

NONTECHNICAL METHODS: FROM PHISHING TO SPAM AND FRAUD
- Spam Attacks
  - E-mail spam*
  - Typical Examples of Spamming
- Spyware*

NONTECHNICAL METHODS: FROM PHISHING TO SPAM AND FRAUD
- Social Networking Makes Social Engineering Easy
- How Hackers Are Attacking Social Networks
- Spam in Social Networks and in the Web 2.0 Environment
  - Automated Blog Spam
  - Search Engine Spam and Splogs
  - Search engine spam*
  - Spam sites*
  - Splogs*
- Data Breach (Leak)*

THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY
- CIA security triad*: Confidentiality, Integrity, and Availability
  - Confidentiality*
  - Integrity*
  - Availability*
- Authentication, Authorization, and Nonrepudiation
- E-Commerce Security Strategy

Figure 10.7 E-Commerce Security Strategy Framework

THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY
The Defense Side of EC Systems
- Defending access to computing systems, data flow, and EC transactions
- Defending EC networks
- General, administrative, and application controls
- Protection against social engineering and fraud
- Disaster preparation, business continuity, and risk management
- Implementing enterprisewide security programs
- Conduct a vulnerability assessment and a penetration test
- Back up the data

THE INFORMATION ASSURANCE MODEL AND DEFENSE STRATEGY
Assessing Vulnerabilities and Security Needs
- Conduct a vulnerability assessment of your EC systems (Vulnerability assessment*)
- Conduct penetration (pen) tests (possibly implemented by hiring ex-hackers) to find the vulnerabilities and security weaknesses of a system (Penetration test (pen test)*)

DEFENDING INFORMATION SYSTEMS AND E-COMMERCE
The Defense I: Access Control, Encryption, and PKI
- Access Control*
- Authorization and Authentication
- Authentication
- Biometric Systems
  - Biometric authentication*
  - Biometric systems*
  - Thumbprint or fingerprint
  - Retinal scan

DEFENDING INFORMATION SYSTEMS AND E-COMMERCE
Encryption and the One-Key (Symmetric) System
- Encryption*
- Plaintext*
- Ciphertext*
- Encryption algorithm*
- Key (key value)*
- Symmetric (Private) Key Encryption*

Figure 10.8 Symmetric (Private) Key Encryption

DEFENDING INFORMATION SYSTEMS AND E-COMMERCE
- Public Key Infrastructure (PKI)*
- Public (Asymmetric) Key Encryption*
  - Public key*
  - Private key*
- The PKI Process: Digital Signatures and Certificate Authorities
  - Digital signatures*
  - Certificate authorities (CAs)*
  - Secure Socket Layer (SSL)
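The PKI process listed above (a public/private key pair, a certificate authority issuing a certificate, and digital signature verification for nonrepudiation), as an added Go example that is not from the textbook: the CA name, seller name and order text are constructed, and ECDSA P-256 with X.509 certificates is the concrete algorithm chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial counter; a real CA uses random serials
// issue creates a key pair for name and has the CA (parent, caKey) certify its public key; parent nil means a self-signed CA root.
func issue(name string, parent *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed root: the CA vouches for its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// Demo runs the PKI process and reports what the buyer can conclude about the seller.
func Demo(order []byte) (chainTrusted, signatureValid, tamperDetected bool, err error) {
	caCert, caKey, err := issue("Constructed Root CA", nil, nil)
	if err != nil {
		return
	}
	sellerCert, sellerKey, err := issue("shop.example (constructed)", caCert, caKey)
	if err != nil {
		return
	}
	roots := x509.NewCertPool() // the buyer trusts only this CA root
	roots.AddCert(caCert)
	_, verr := sellerCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	chainTrusted = verr == nil
	digest := sha256.Sum256(order) // the seller signs the order hash with its private key
	sig, err := ecdsa.SignASN1(rand.Reader, sellerKey, digest[:])
	pub := sellerCert.PublicKey.(*ecdsa.PublicKey) // the buyer verifies with the certified public key
	signatureValid = err == nil && ecdsa.VerifyASN1(pub, digest[:], sig)
	altered := sha256.Sum256(append(append([]byte{}, order...), '!')) // a modified order
	tamperDetected = err == nil && !ecdsa.VerifyASN1(pub, altered[:], sig)
	return
}

func main() { fmt.Println(Demo([]byte("order 1001: 2 units, pay 40 USD"))) }
```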

DEFENDING INFORMATION SYSTEMS AND E-COMMERCE
The Defense II: Securing E-Commerce Networks
- Firewalls*
- The Dual Firewall Architecture: The DMZ
- Virtual Private Networks (VPNs)*
- Intrusion Detection Systems (IDS)*
- Dealing with DoS Attacks

Figure 10.9 The Two Firewalls: DMZ Architecture

DEFENDING INFORMATION SYSTEMS AND E-COMMERCE
The Defense III: General Controls, Spam, Pop-Ups, and Social Engineering Controls
- General controls*
- Application controls*
- General, Administrative, and Other Controls
  - Physical Controls
  - Administrative Controls
- Protecting Against Spam

DEFENDING INFORMATION SYSTEMS AND E-COMMERCE
- Protecting Your Computer from Pop-Up Ads
- Protecting Against Other Social Engineering Attacks
  - Protecting Against Phishing
  - Protecting Against Malvertising
  - Protecting Against Spyware
  - Protecting Against Cyberwar
- Business Continuity and Disaster Recovery
  - Example: Hospital Paid Ransom after Malware Attack

CONSUMER AND SELLER PROTECTION FROM ONLINE FRAUD
Consumer (Buyer) Protection
- Representative Tips and Sources for Your Protection
  - Users should make sure that they enter the real website of well-known companies
  - Check any unfamiliar site for an address and telephone and fax numbers
  - Investigate sellers with the local chamber of commerce, Better Business Bureau, or TRUSTe

CONSUMER AND SELLER PROTECTION FROM ONLINE FRAUD
Third-Party Assurance Services
- Protection by a Third-Party Intermediary
  - TRUSTe's "Trustmark"
  - Better Business Bureau
  - Which?
  - WebTrust Seal
- Evaluation by Consumers
- The Computer Fraud and Abuse Act (CFAA)*

CONSUMER AND SELLER PROTECTION FROM ONLINE FRAUD
Seller Protection
- Customers who deny that they placed an order
- Customers who download copyrighted software and sell it to others
- Customers who give fraudulent payment information (false credit card or a bad check) for products and services that they buy
- Imposters: sellers using the name of another seller
- What Can Sellers Do?

CONSUMER AND SELLER PROTECTION FROM ONLINE FRAUD
- Protecting Marketplaces and Social Network Services
- Protecting Both Buyers and Sellers: Using Electronic Signatures and Other Security Features
  - Electronic signature*
  - Authentication
  - Fraud Detecting Systems

IMPLEMENTING ENTERPRISEWIDE E-COMMERCE SECURITY
The Drivers of EC Security Management
- The laws and regulations with which organizations must comply
- The conduct of global EC
- Information assets have become critical to the operation of many businesses
- New and faster information technologies are shared throughout organizations
- The complexity of both the attacks and the defense requires an organization-wide collaboration approach
- Senior Management Commitment and Support

Figure 10.10 Enterprisewide EC Security and Privacy Process

IMPLEMENTING ENTERPRISEWIDE E-COMMERCE SECURITY
EC Security Policies and Training
- Know that data is being collected, and when it is done
- Give their permission for the data to be collected
- Have knowledge and some control over how the data is controlled and used
- Be informed that the information collected is not to be shared with other organizations

IMPLEMENTING ENTERPRISEWIDE E-COMMERCE SECURITY
EC Risk Analysis and Ethical Issues
- Business impact analysis (BIA)*
- Ethical Issues

IMPLEMENTING ENTERPRISEWIDE E-COMMERCE SECURITY
Why Is It Difficult to Stop Internet Crime?
- Making Shopping Inconvenient
- Lack of Cooperation by Business Partners
- Shoppers' Negligence
- Ignoring EC Security Best Practices
- Design and Architecture Issues
- Lack of Due Care in Business Practices (Standard of due care*)

IMPLEMENTING ENTERPRISEWIDE E-COMMERCE SECURITY
Protecting Mobile Devices, Networks, and Applications
- Mobile Security Issues
- The Defense

MANAGERIAL ISSUES
- What steps should businesses follow in establishing a security plan?
- Should organizations be concerned with internal security threats?
- What is the key to establishing strong e-commerce security?

SUMMARY
- The importance and scope of EC information security
- Basic EC security issues
- Threats, vulnerabilities, and technical attacks
- Internet fraud, phishing, and spam
- Information assurance

SUMMARY (continued)
- Securing EC access control and communications
- The different controls and special defense mechanisms
- Fraud on the Internet and how to protect consumers and sellers against it
- Enterprisewide EC security
- Why it is so difficult to stop computer crimes
- The future of EC

HOW ONE BANK STOPPED SCAMS, SPAMS, AND CYBERCRIMINALS
- BankWest of South Dakota
- An increasing number of incidents of social engineering experienced by customers
  - Sweetheart schemes
  - Letters, postal service, or e-mail
  - Telephone scams
  - Cell phone scams
- The bank now provides information about social engineering schemes on its website

HOW ONE BANK STOPPED SCAMS, SPAMS, AND CYBERCRIMINALS
- It is critical to combat social engineering attempts in order to increase customer confidence in Internet security
- The bank's information security team regularly attends workshops and participates in forums related to social engineering and other fraud schemes
- Employee Rewards

HOW ONE BANK STOPPED SCAMS, SPAMS, AND CYBERCRIMINALS
The Results
- Although the number of schemes has not decreased, the number of employees reporting such schemes has increased significantly