E-commerce Security and Payment Systems
Source: Ecommerce (Chapter 5), Pearson Education
Cyberwar: MAD 2.0 (Mutually Assured Destruction)
- Cyber-offensive actions to destroy aggressors’ Internet and other critical infrastructure
- Cyberspace has become a new battlefield, with algorithms and computer code as weaponry
- The release of Stuxnet in 2010 by a US/Israeli task force, to disable the software and computers in the Iranian uranium enrichment process, reportedly delayed Iran’s ability to make nuclear arms by 5 years
Cyberwar: MAD 2.0 (contd.)
- In 2012, the Shamoon virus wiped out data on 75% of the computers on the main network of Saudi Arabia’s Aramco, a US ally
- In 2012, another DDoS (Distributed Denial of Service) attack on Websites of US financial banks
- As an example of the modern version of the Cold War era, US Cyber Command has stated publicly that it has 40 cyberteams, including 123 focusing on offensive operations
Types of Attacks Against Computer Systems (Cybercrime)
Copyright © 2010 Pearson Education, Inc.
Source: Based on data from Computer Security Institute, 2009.
The E-commerce Security Environment
- Overall size and losses of cybercrime unclear
- Reporting issues
- 2008 CSI survey: 49% of respondent firms detected a security breach
- Of those that shared numbers, average loss $288,000
- Underground economy marketplace
- Stolen information stored on underground economy servers
What Is Good E-commerce Security?
- To achieve highest degree of security
  - New technologies
  - Organizational policies and procedures
  - Industry standards and government laws
- Other factors
  - Time value of money
  - Cost of security vs. potential loss
  - Security often breaks at weakest link
The E-commerce Security Environment Figure 5.1, Page 252
Dimensions of E-commerce Security
- Integrity: ensures that information sent and received has not been altered by an unauthorized party
- Nonrepudiation: the ability to ensure that participants do not deny (repudiate) their online actions
- Authenticity: the ability to identify the person with whom you are dealing over the Internet
- Confidentiality: ensures that information is seen only by those who should view it
- Privacy: the ability to control who sees your information
- Availability: ensures that the e-commerce site functions as intended
Table 5.3, Page 254
The Tension Between Security and Other Values
- Ease of use
  - The more security measures added, the more difficult a site is to use, and the slower it becomes
  - Security costs money and too much of it can reduce profitability
- Public safety and criminal uses of the Internet
  - Use of technology by criminals to plan crimes or threaten nation-state
Security Threats in E-commerce Environment
Three key points of vulnerability in e-commerce environment:
- Client
- Server
- Communications pipeline (Internet communications channels)
A Typical E-commerce Transaction Figure 5.2, Page 256
Vulnerable Points in an E-commerce Transaction Figure 5.3, Page 257
Most Common Security Threats in the E-commerce Environment
Malicious code (malware, exploits)
- Exploits: designed to take advantage of software vulnerabilities in a computer’s operating system, Web browser, or other software components (e.g., as of 2012, the Blackhole exploit kit accounted for 91% of all Web threats detected by AVG)
- Drive-by downloads: malware that comes with a downloaded file that the user intentionally or unintentionally requests (e.g., ads on Websites that direct users to malicious sites)
- Viruses: computer programs that destroy files or reformat drives
Most Common Security Threats in the E-commerce Environment
Malicious code (malware, exploits)
- Worms: spread from computer to computer without human intervention (e.g., Slammer targeted Microsoft’s SQL Server, infecting more than 90% of vulnerable computers worldwide within 10 minutes of its release; it crashed Bank of America’s cash machines, took down Internet connectivity in South Korea, and caused a dip in the stock market)
- Ransomware (scareware): used to solicit money from users by locking up their browser or files and displaying fake notices from the FBI, IRS, etc.
Most Common Security Threats in the E-commerce Environment
Malicious code (malware, exploits)
- Trojan horses: appear benign but are a way to introduce viruses or other malicious code into a computer system
- Threats at both client and server levels
- Miscellaneous Trojan downloaders or droppers were found on 95% of computers worldwide at the end of 2012
- Backdoors: introduce viruses, worms, or Trojans that allow an attacker to remotely access a computer (e.g., Downadup is a worm with a backdoor; Virut is a virus that affects a file type and includes a backdoor to install additional threats)
Most Common Security Threats in the E-commerce Environment
Malicious code (malware, exploits)
- Bots (as in robots): malicious code that can be covertly installed on a computer when it is connected to the Internet. Once installed, bots respond to external commands from the attacker.
- Around 90% of the world’s spam and 80% of malware are delivered by botnets.
- Botnets: collections of captured bot computers (zombies) used to send spam, launch DDoS attacks, steal information from computers, and store network traffic for later analysis
Most Common Security Threats (cont.)
Potentially unwanted programs (PUPs)
- Example: Vista Antispyware 2013 infects computers running Vista, disables the user’s security software, and diverts the user to scam Websites for more malware
- Browser parasites: change the user’s browser settings and collect browsing histories
- Adware: calls for pop-up ads to display when you visit sites
- Spyware: may be used to obtain information such as keystrokes, copies of e-mail, instant messages, etc.
Most Common Security Threats (cont.)
Phishing
- Social engineering: relies on human curiosity, greed, and gullibility to trick users into taking action that results in downloading malware
- E-mail scams (e.g., Nigerian letter e-mail scam)
- Spear-phishing: messages targeting known customers of a trusted bank or business
- Identity fraud/theft
- As of 2012, 1 in every 400 e-mails contained a phishing attack
Most Common Security Threats (cont.)
Hacking
- Hackers: intend to gain unauthorized access
- White hats: their role is to help identify and fix vulnerabilities
- Black hats: intent on causing harm; break into Websites for confidential or proprietary information
- Grey hats: break in to expose flaws and report them without disrupting the company. They may even try to profit from the event
- Crackers: have criminal intent
- Hacktivists: politically motivated; typically attack governments, organizations, or individuals for political purposes
Most Common Security Threats (cont.)
- Cybervandalism: disrupting, defacing, or destroying a Web site, or stealing personal/corporate information for financial benefit
- Data breach: losing control over corporate information to outsiders
  - A significant data breach at Zappos.com affected 24 million customers
  - A breach at LinkedIn exposed the data of 6.5 million members