Lesson 03 E-commerce Security


1 Lesson 03 E-commerce Security
ISM 41113, Electronic Commerce. By: S. Sabraz Nawaz, Senior Lecturer in MIT, Department of MIT, Faculty of Management and Commerce, SEUSL

2 ANTHEM DATA BREACH Anthem Insurance Inc. was the victim of a massive cyber attack in February. Cyber attackers executed a very sophisticated attack to gain unauthorized access to the company's IT systems, which held a database of some 80 million people, and obtained personally identifiable information relating to its consumers and employees. The information accessed included: names, birthdays, Social Security numbers, addresses, and employment information, including income data. The hackers gained access to Anthem's data by stealing the network credentials of at least five of its employees with high-level IT access. The path may have been "phishing", in which a fraudulent e-mail could have been used to trick employees into revealing their network ID and password, or into unknowingly downloading software code that gives the hackers long-term access to Anthem's IT environment. The company informed millions of its affected customers of the massive data breach, which potentially exposed the personal information of its former as well as current customers. Anthem appointed Mandiant, a world-leading cyber security organization, to evaluate the scenario and provide the necessary solutions. ISM 41113: E-Commerce, By S. Sabraz Nawaz

3 INTERNET SECURITY No single "magic bullet" solution exists for Internet security, any more than for general societal security. With respect to payment systems, the key point is that the Web has not created completely new methods of payment, although it has changed how existing methods of payment are implemented. Web consumers predominantly use credit cards for purchases, and efforts to pry consumers away from their credit cards have generally failed. The primary exception is PayPal, which still relies on the stored value provided by credit cards or checking accounts.

4 INTERNET SECURITY For law-abiding citizens, the Internet holds the promise of a huge and convenient global marketplace, providing access to people, goods, services, and businesses worldwide, all at a bargain price. For criminals, the Internet has created entirely new and lucrative ways to steal from the more than 1 billion Internet consumers.

5 THE E-COMMERCE SECURITY ENVIRONMENT
To achieve the highest degree of security possible, new technologies are available and should be used. But these technologies by themselves do not solve the problem. Organizational policies and procedures are required to ensure the technologies are not undermined. Industry standards and government laws are required to enforce payment mechanisms, as well as to investigate and prosecute violators of laws.

6 DIFFERENT DIMENSIONS OF E-COMMERCE SECURITY
Integrity: the ability to ensure that information being displayed on a Web site, or transmitted or received over the Internet, has not been altered in any way by an unauthorized party.
Nonrepudiation: the ability to ensure that e-commerce participants do not deny their online actions.
Authenticity: the ability to verify the identity of a person or entity with whom you are dealing on the Internet.
Confidentiality: the ability to ensure that messages and data are available only to those who are authorized to view them.
Privacy: the ability to control the use of information a customer provides about himself or herself to an e-commerce merchant.
Availability: the ability to ensure that an e-commerce site continues to function as intended.

7 Dimensions of E-Commerce Security

8 Security Threats in the E-commerce Environment
From a technology perspective, there are three key points of vulnerability in the e-commerce environment: the client, the server, and the Internet communications channels.
(Figure: A Typical E-commerce Transaction)

9 Vulnerable Points in an E-commerce Transaction
ISM : E-Commerce, By S. Sabraz Nawaz 1/3/2019

10 MOST COMMON SECURITY THREATS IN THE E-COMMERCE ENVIRONMENT
MALICIOUS CODE (malware): the term used to describe any code in any part of a software system that is intended to cause undesired effects, security breaches or damage to a system.
Drive-by downloads: malware that comes with a downloaded file that a user requests.
Viruses: a computer virus is a malware program that, when executed, replicates by inserting copies of itself into other computer programs, data files, or the boot sector of the hard drive; when this replication succeeds, the affected areas are said to be "infected".
Worms: a computer worm is a standalone malware program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread, relying on security failures on the target computer to gain access to it.

11 MOST COMMON SECURITY THREATS IN THE E-COMMERCE ENVIRONMENT
Trojan horse: appears to be harmless, but then does something other than expected. It is not itself a virus because it does not replicate, but it is often a way for viruses to be introduced into a system.
Bots (short for robots): a type of malicious code that can be covertly installed on computers when they are attached to the Internet. Once installed, the bot responds to external commands sent by the attacker, so the computer can be controlled by a third party.

12 MOST COMMON SECURITY THREATS IN THE E-COMMERCE ENVIRONMENT
POTENTIALLY UNWANTED PROGRAMS: programs that install themselves on a computer, typically without the user's informed consent. These programs are increasingly found on social networking sites and user-generated content sites, where users are fooled into downloading them.
Adware: typically used to call up pop-up ads for display when the user visits certain sites; while annoying, adware is not typically used for criminal activities.
Browser parasite: a program that can monitor and change the settings of a user's browser, for example changing the browser's home page or sending information about the sites visited to a remote computer.
Spyware: a program used to obtain information such as a user's keystrokes, e-mail, instant messages, screenshots and so on.

13 MOST COMMON SECURITY THREATS IN THE E-COMMERCE ENVIRONMENT
PHISHING is the act of sending an e-mail to a user while falsely claiming to be a legitimate enterprise, in an attempt to trick the user into surrendering private information that will be used for identity theft. IDENTITY THEFT is the fraudulent practice of using another person's name and personal information in order to obtain credit, loans, etc. Social engineering: relies on human curiosity as well as greed in order to trick people into taking an action that results in the downloading of malware. Phishing attacks do not involve malicious code but instead rely on straightforward misrepresentation and fraud, so-called social engineering techniques. The most popular form is the e-mail scam letter (a fraudulent e-mail): some pretend to be eBay, PayPal or others writing to you for "account verification". Clicking a link in the e-mail takes you to a website controlled by the scammer, where you enter your confidential details such as account numbers and PIN codes.

14 MOST COMMON SECURITY THREATS IN THE E-COMMERCE ENVIRONMENT
HACKING is gaining unauthorized access to data in a system or computer, and CYBER-VANDALISM is intentionally disrupting, defacing or even destroying a site. Hacker: an individual who intends to gain unauthorized access to a computer system. White hats are good hackers who help organizations locate and fix security flaws; they do their work with the agreement of their clients. Black hats are hackers who act with the intention of causing harm. Grey hats discover weaknesses in a system's security and then publish the weakness without disrupting the site; their only reward is the prestige of discovering the weakness.

15 MOST COMMON SECURITY THREATS IN THE E-COMMERCE ENVIRONMENT
CREDIT CARD THEFT is one of the most feared occurrences on the Internet. Fear that credit card information will be stolen prevents users from making online purchases. SPOOFING (PHARMING) AND SPAM (JUNK) WEB SITES: Spoofing is misrepresenting oneself by using fake addresses or masquerading (pretending) as someone else. Spam web sites promise to offer some product or service but are in fact a collection of advertisements for other sites, some of which contain malicious code. These web sites appear in search results and cloak their identities by using domain names similar to legitimate firm names. DENIAL OF SERVICE (DoS) ATTACK: flooding a web site with useless traffic to drown and overwhelm the network. DoS attacks typically cause a web site to shut down, making it impossible for other users to access the site. Pharming: redirecting you to a hacker's site when you type in a company's Web address.

16 MOST COMMON SECURITY THREATS IN THE E-COMMERCE ENVIRONMENT
SNIFFING: a sniffer is a type of eavesdropping program that monitors information traveling over a network. INSIDER ATTACKS: the largest financial threats to business institutions come not from robberies but from the misappropriation of funds by insiders. POORLY DESIGNED SERVER AND CLIENT SOFTWARE: many security threats prey on poorly designed server and client software, sometimes in the operating system and sometimes in application software, including browsers. SOCIAL NETWORK SECURITY ISSUES: social network sites like Facebook, Twitter, and LinkedIn provide a rich and rewarding environment for hackers. Viruses, identity theft, phishing, etc. are all found on social networks. MOBILE PLATFORM SECURITY ISSUES: mobile users are filling their devices with personal and financial information, making them excellent targets for hackers. CLOUD SECURITY ISSUES: the move of so many Internet services into the cloud also raises security risks. Safeguarding data maintained in a cloud environment is a major concern.

17 TECHNOLOGY SOLUTIONS

18 TECHNOLOGY SOLUTIONS A great deal of progress has been made by private security firms, corporate and home users, network administrators, technology firms, and government agencies.

19 PROTECTING INTERNET COMMUNICATIONS
ENCRYPTION: the process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and the receiver. The purpose of encryption is (a) to secure stored information and (b) to secure information transmission. Encryption can provide four of the six key dimensions of e-commerce security:
Message integrity: provides assurance that the message has not been altered.
Nonrepudiation: prevents the user from denying that he or she sent the message.
Authentication: provides verification of the identity of the person (or computer) sending the message.
Confidentiality: gives assurance that the message was not read by others.

20 PROTECTING INTERNET COMMUNICATIONS
ENCRYPTION (continued): The transformation of plain text into cipher text is accomplished by using a key or cipher. A key or cipher is any method for transforming plain text into cipher text. Ancient Egyptian commercial records were encrypted using substitution and transposition ciphers. Substitution cipher: every occurrence of a given letter is replaced systematically by another letter. Transposition cipher: the ordering of the letters in each word is changed in some systematic way.
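The two classical cipher families on this slide, as a worked Python example added here for illustration (not part of the lecture). The substitution cipher is a Caesar-style shift of every letter; the transposition cipher is a columnar transposition that reorders the letters of the whole message rather than of each word, which generalizes the slide's per-word description. The `letter_frequencies` helper shows the weakness a defender should remember: substitution keeps the plaintext's letter-frequency profile and transposition keeps the exact multiset of letters, so neither hides much from an analyst. Key values and sample text are constructed.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase


def caesar_table(shift):
    """Substitution alphabet: each letter is replaced by the one `shift` places along."""
    shift %= 26
    return str.maketrans(ALPHABET, ALPHABET[shift:] + ALPHABET[:shift])


def substitution_encrypt(text, shift):
    # Non-letters pass through untouched; letters are mapped through the shifted alphabet.
    return text.upper().translate(caesar_table(shift))


def substitution_decrypt(cipher, shift):
    return cipher.translate(caesar_table(-shift))


def transposition_encrypt(text, key):
    """Columnar transposition: write the text in rows of len(key) letters and
    read the columns out in the order given by `key` (a permutation of 0..k-1).
    The last row is padded with 'X' so every column has the same height."""
    width = len(key)
    padded = text + "X" * (-len(text) % width)
    rows = [padded[i:i + width] for i in range(0, len(padded), width)]
    return "".join(row[col] for col in key for row in rows)


def transposition_decrypt(cipher, key):
    """Inverse: the i-th block of the ciphertext is column key[i]; rebuild the rows.
    Returns the padded plaintext (padding is left in place on purpose, since a
    trailing 'X' could be a real letter)."""
    width = len(key)
    nrows = len(cipher) // width
    columns = {col: cipher[i * nrows:(i + 1) * nrows] for i, col in enumerate(key)}
    return "".join(columns[col][r] for r in range(nrows) for col in range(width))


def letter_frequencies(text):
    """Count letters only; used to show what each cipher leaks."""
    return Counter(ch for ch in text.upper() if ch in ALPHABET)


if __name__ == "__main__":
    plaintext = "ATTACKATDAWN"          # constructed sample
    sub = substitution_encrypt(plaintext, 3)
    trans = transposition_encrypt(plaintext, [1, 3, 0, 2])
    print(sub, substitution_decrypt(sub, 3))
    print(trans, transposition_decrypt(trans, [1, 3, 0, 2]))
    # Same frequency profile before and after substitution: the weakness of the scheme.
    print(sorted(letter_frequencies(plaintext).values()),
          sorted(letter_frequencies(sub).values()))
```

Running the script shows the Caesar output alongside its decryption, the reordered transposition output, and two identical sorted frequency lists, which is exactly why such ciphers are history rather than current practice.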

21 PROTECTING INTERNET COMMUNICATIONS
SYMMETRIC KEY ENCRYPTION: In order to decipher the messages, the receiver has to know the secret cipher (key) that was used to encrypt the plain text. Both the sender and the receiver use the same key to encrypt and decrypt the message. This is also called secret key encryption. Since the sender and receiver must have the same key, they need to send the key over some communication medium or exchange it in person. Common flaws: computers today can break this encryption quickly; both parties have to share the same key, and the key may be sent via an insecure medium.

22 PROTECTING INTERNET COMMUNICATIONS
PUBLIC KEY ENCRYPTION solves the problem of exchanging keys. Two mathematically related digital keys are used: a public key and a private key. The private key is kept secret by the owner, and the public key is widely disseminated. E.g.: when Mr. A wants to send a secure message to Mr. B, he uses B's public key to encrypt the message. Mr. B then uses his private key to decrypt it. Once one key of the pair has been used to encrypt a message, that same key cannot be used to decrypt the message.

23 Public Key cryptography – a simple case

24 PROTECTING INTERNET COMMUNICATIONS
DIGITAL ENVELOPES: If one uses 128- or 256-bit keys to encode large documents, public key encryption becomes computationally slow and more time is needed to process the document. Symmetric key encryption is computationally faster but has a weakness: the key must be sent over an insecure medium. The solution is the digital envelope: a technique that uses symmetric encryption for large documents, but public key encryption to encrypt and send the symmetric key. So we have a key within a key (a digital envelope). E.g.: an encrypted report and its digital envelope are sent across the web. The recipient first uses his/her private key to decrypt the symmetric key, then uses that key to decrypt the report.

25 Public Key cryptography – Creating digital envelope

26 PROTECTING INTERNET COMMUNICATIONS
DIGITAL CERTIFICATES: a solution to address misrepresentation online. How do we know that people or institutions are who they claim to be? Before you place an order on Amazon, you want to be sure that it is really Amazon.com you have on your screen, and not a spoofer masquerading as Amazon. Digital certificates solve this problem of digital identity. A digital certificate is a digital document issued by a trusted third-party institution known as a certification authority (CA), such as VeriSign. Public key infrastructure (PKI) refers to the CAs and the digital certificate procedures accepted by all parties.
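Slides 24 and 26 describe the digital envelope and the CA-issued certificate; the Python below, added here as an illustration and not part of the lecture, puts the two together end to end. It builds a toy RSA from small Mersenne primes (constructed so the numbers stay readable; real deployments use 2048-bit keys with OAEP/PSS padding, never raw "textbook" RSA), a toy symmetric cipher (SHA-256 counter keystream plus an HMAC tag so a tampered body is detected), `seal`/`open_envelope` for the envelope, and `issue_certificate`/`verify_certificate` for the CA step. The subject name `shop.example`, the key sizes and the order text are invented for the example.

```python
import hashlib
import hmac
import secrets


def make_keypair(p, q, e=65537):
    """Toy RSA key pair from two primes. Constructed for illustration only."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # private exponent (needs Python 3.8+)
    return (e, n), (d, n)            # (public key, private key)


# Distinct prime pairs for the shop's key and the CA's key (sharing a prime would be a flaw).
SERVER_PUB, SERVER_PRIV = make_keypair((1 << 31) - 1, (1 << 61) - 1)    # n ~ 2^92
CA_PUB, CA_PRIV = make_keypair((1 << 89) - 1, (1 << 107) - 1)           # n ~ 2^196


def rsa_apply(m, key):
    """m^exp mod n. With the public key this encrypts or verifies; with the private
    key it decrypts or signs (the slide's point that one key cannot undo itself)."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message too large for this modulus")
    return pow(m, exp, n)


def keystream(key, length):
    """Toy stream cipher keystream: SHA-256 over key||counter, concatenated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor_cipher(key, data):
    # XOR is its own inverse, so this both encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def seal(document, recipient_pub):
    """Digital envelope: symmetric encryption of the document, public-key
    encryption of the one-time session key, plus an integrity tag on the body."""
    session_key = secrets.token_bytes(8)          # 64 bits: fits under the toy n ~ 2^92
    body = xor_cipher(session_key, document)
    tag = hmac.new(session_key, body, hashlib.sha256).digest()
    envelope = rsa_apply(int.from_bytes(session_key, "big"), recipient_pub)
    return envelope, body, tag


def open_envelope(envelope, body, tag, recipient_priv):
    """Recipient: recover the session key with the private key, check the tag, decrypt."""
    session_key = rsa_apply(envelope, recipient_priv).to_bytes(8, "big")
    expected = hmac.new(session_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("envelope body was altered in transit")
    return xor_cipher(session_key, body)


def _cert_digest(subject, pub):
    """Hash of (subject, public key), truncated to 128 bits so it is below the CA modulus."""
    e, n = pub
    data = subject.encode() + e.to_bytes(4, "big") + n.to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def issue_certificate(subject, subject_pub, ca_priv):
    """The CA binds a name to a public key by signing their digest with its private key."""
    return {"subject": subject, "pub": subject_pub,
            "sig": rsa_apply(_cert_digest(subject, subject_pub), ca_priv)}


def verify_certificate(cert, expected_subject, ca_pub):
    """A client trusting ca_pub checks the name and that the signature matches the digest.
    A spoofer who swaps in their own key or name cannot produce a valid signature."""
    if cert["subject"] != expected_subject:
        return False
    return rsa_apply(cert["sig"], ca_pub) == _cert_digest(cert["subject"], cert["pub"])


if __name__ == "__main__":
    cert = issue_certificate("shop.example", SERVER_PUB, CA_PRIV)     # constructed subject
    assert verify_certificate(cert, "shop.example", CA_PUB)
    env, body, tag = seal(b"order #1234: 2 x widget, card ending 4242", cert["pub"])
    print(open_envelope(env, body, tag, SERVER_PRIV))
```

The flow mirrors the slides: the client first verifies the shop's certificate against the CA key it already trusts, then seals the order with the public key taken from that certificate, and only the holder of the matching private key can open the envelope. Flipping a single bit of the sealed body makes `open_envelope` raise, which is the integrity dimension from slide 19 at work.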

27 SECURING CHANNELS OF COMMUNICATION
SECURE SOCKETS LAYER (SSL) AND TRANSPORT LAYER SECURITY (TLS): The most common form of securing channels is through the SSL and TLS protocols. When you communicate with a web server through a secure channel, you are using SSL/TLS to establish a secure session. A secure session is a client-server session in which the URL of the requested document and its contents are encrypted. You can notice that HTTP changes to HTTPS. SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. Transport Layer Security (TLS) is an improved version of SSL.

28 SECURING CHANNELS OF COMMUNICATION
VIRTUAL PRIVATE NETWORKS (VPN): A VPN is a network constructed by using public wires, usually the Internet, to connect to a private network such as a company's internal network. This allows remote users to securely access internal networks via the Internet, using the Point-to-Point Tunneling Protocol (PPTP). VPNs use both authentication and encryption to secure information from unauthorized persons. Authentication prevents spoofing and misrepresentation of identities.

29 PROTECTING NETWORKS
FIREWALLS: either hardware or software that filters communication packets and prevents some packets from entering the network, based on a security policy.
PROXY SERVERS: a software server that handles all communications originating from or being sent to the Internet, acting as a spokesperson or bodyguard for the organization.
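What "filters packets based on a security policy" looks like in code, as an added Python example that is not part of the lecture: a first-match rule list with default deny, evaluated over constructed packets. The policy, the addresses (documentation ranges such as 203.0.113.0/24 and 198.51.100.0/24) and the packet records are all invented for the example; a real firewall works on parsed headers rather than dictionaries, but the decision logic is the same.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # permitted source network in CIDR notation
    dst_port: Optional[int]  # None matches any destination port

    def matches(self, packet):
        return (self.proto in ("any", packet["proto"])
                and ipaddress.ip_address(packet["src"]) in ipaddress.ip_network(self.src)
                and self.dst_port in (None, packet["dst_port"]))


# Constructed policy for a web shop's perimeter. Order matters: the first matching
# rule decides, and anything no rule allows is dropped (default deny).
POLICY = [
    Rule("deny",  "any", "10.0.0.0/8",      None),  # internal addresses never arrive from outside
    Rule("allow", "tcp", "0.0.0.0/0",       443),   # HTTPS to the storefront
    Rule("allow", "tcp", "0.0.0.0/0",       80),    # HTTP, which the site redirects to HTTPS
    Rule("allow", "tcp", "203.0.113.0/24",  22),    # SSH only from the admin office range
]


def filter_packet(packet, policy=POLICY):
    """Return "allow" or "deny" for one packet under the policy."""
    for rule in policy:
        if rule.matches(packet):
            return rule.action
    return "deny"            # default deny: unlisted traffic is blocked


def apply_policy(packets, policy=POLICY):
    """Decide every packet and return the decisions in order (useful for audit logs)."""
    return [filter_packet(p, policy) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic hitting the perimeter.
    sample = [
        {"proto": "tcp", "src": "198.51.100.7", "dst_port": 443},   # shopper over HTTPS
        {"proto": "tcp", "src": "198.51.100.7", "dst_port": 22},    # SSH from the Internet
        {"proto": "tcp", "src": "203.0.113.10", "dst_port": 22},    # SSH from the admin range
        {"proto": "tcp", "src": "10.1.2.3",     "dst_port": 443},   # spoofed internal source
        {"proto": "udp", "src": "198.51.100.7", "dst_port": 443},   # UDP to 443, not allowed
    ]
    for packet, decision in zip(sample, apply_policy(sample)):
        print(f"{decision:5} {packet['proto']} {packet['src']} -> :{packet['dst_port']}")
```

The two checks worth keeping from this: the explicit deny for internal source addresses sits above the allows so a spoofed packet cannot match the broad HTTPS rule, and the function ends in `return "deny"` so forgetting a rule fails closed rather than open.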

30 Firewall & Proxy Server

31 PROTECTING SERVERS AND CLIENTS
OPERATING SYSTEM SECURITY ENHANCEMENTS: Windows/Apple computers' security upgrades, password protection, etc.
ANTI-VIRUS SOFTWARE

32 Thank you

