
E-commerce security
• Munazza Ayub
• Neelum Raffique
• Rida Irfan
• Uzma Noorin
E-COMMERCE SECURITY ISSUES
• Nowadays e-commerce services have become increasingly popular on the
Internet. Security is essential for any e-commerce service and is the key
factor that determines the success of electronic commerce.
Security issues related to e-commerce
• Client-side security issues
• Server-side security issues
• Transaction security issues
• The problem of uncertain identity
• The problem of altered transactions
Client-side security issues
Client-side security requires proper user authentication and authorization.
Server-side security issues
Server-side security requires proper client authentication, authorization and
accountability.
Transaction security issues
Transaction security requires various security services, such as data authentication,
access control, data confidentiality and data integrity.
Network security technologies typically address access control and communications
security.
Access control
Access control includes authentication and authorization.
Identification and authentication determine who can log on to a system.
Authorization determines what a subject can do.
Accountability identifies what a subject did.
Communications security (COMSEC) is the prevention of unauthorized access to any
information that is transmitted or transferred. COMSEC includes:
• Cryptographic security
This encrypts data, rendering it unreadable until it is decrypted.
• Physical security
This ensures the safety of, and prevents unauthorized access to, cryptographic
information.
• Transmission security
This protects transmissions from unauthorized access, thereby preventing
interruption and harm.
Complexity
A framework must be developed in which possible attacks against cryptographic
primitives (algorithms, protocols and applications) can be explored.
Availability
New security techniques must be developed to protect against denial-of-service
and degradation-of-service attacks.
Code autonomy
With regard to mobile code, solutions are needed for two problems:
• How to protect mobile code against malicious hosts?
• How to protect hosts against malicious mobile code?
Security features are categorized into tangible and intangible features.
• Tangible features
are the security features on the website that visiting users can check for
themselves, such as padlocks and security certificates.
• Intangible features
are not visible on the website; the user needs to understand and know about
them, such as whether the website is well known.
When considering website security, the intangible issues are given the highest
priority, and only after these are the tangible ones checked.
Security features in e-commerce websites and their categorization:

| Security feature                                                               | Category   |
| ------------------------------------------------------------------------------ | ---------- |
| Padlock                                                                        | Tangible   |
| Security certificate                                                           | Tangible   |
| Known identity (company has a physical building)                               | Intangible |
| Brief description of the issues the customer should be aware of on the website | Tangible   |
| Trusted                                                                        | Intangible |
| Respected company                                                              | Intangible |
| Well rated                                                                     | Intangible |
• Some respondents specified that the website should contain details about security
and website policies.
• Some participants specified that the reputation of the website is also very important.
• Some participants highlighted the significance of the website's existing known (and
typically physical) identity.
• Some respondents believe that customers generally have a negative attitude towards
online shopping.
• Some respondents specified that the customer's viewpoint should be considered.
• Some respondents specified that they provide the customer with a friendly website.
• Some respondents specified that there is no way to judge whether the website is
secure or not.
• Staff involved in developing the website did not consider checking tangible factors
when determining the security of the website.
Thus, from the organizational perspective, customers only consider the intangible
factors when judging whether a website is trustworthy.
Three types of security threats
• Denial of service
• Unauthorized access
• Theft and fraud
Two primary types of DoS attack:
• Spamming
• Viruses
Spamming: sending unsolicited commercial emails to individuals.
E-mail bombing: a hacker targets one computer or network and sends thousands of
email messages to it.
DDoS (distributed denial of service) attacks involve hackers placing software agents
onto a number of third-party systems and setting them off to simultaneously send
requests to an intended target.
Viruses: self-replicating computer programs designed to perform unwanted events.
Worms: special viruses that spread using direct Internet connections.
Trojan horses: programs disguised as legitimate software that trick users into running
them, giving illegal access to systems, applications or data.
• Passive unauthorized access
– listening to a communications channel to find secrets;
– the content may be used for damaging purposes.
• Active unauthorized access
– modifying the system or data;
– message stream modification.
• Masquerading or spoofing
– sending a message that appears to be from someone else;
– by changing the name (the From: field) or the IP address (the source and/or
destination IP address of packets in the network).
• Theft
software that illegally accesses data traversing the network.
• Fraud
occurs when the stolen data is used or modified.
• There are a number of techniques by which you can enjoy secure online shopping:
• Shop at Secure Web Sites
• Research the Web Site before You Order
• Be Aware of Cookies and Behavioural Marketing
• What's Safest: Credit Cards, Debit Cards, Cash, or Checks?
• Never Give Out Your Social Security Number
• Disclose Only the Bare Facts When You Order
• Keep Your Password Private
• Check the Web Site Address
• Don't Fall for "Phishing" Messages
• Always Save Copies of Your Orders
• Learn the Merchant's Cancellation, Return and Complaint-Handling Policies
• Use Shopper's Intuition
• Consider Using Single-use Card Numbers
• Know How Online Auctions Operate
• Understand Your Responsibility for Sales and Use Taxes Online
• Be Aware of Dynamic Pricing
• Network harms
• Transaction issues
• The problem of security conformity
At present, security agreements have no global principles and norms, which
results in problems of security conformity.
• Anti-virus problem
There are many viruses that spread rapidly across the web, often causing tens of
billions of dollars in economic losses.
• The safety of servers
Servers are the core of e-commerce. One way to attack servers: an unlawful user
sends a large number of invalid requests to the host computer to consume the
server's available resources, so that the server can no longer provide normal
service to clients and the web application collapses.
• The problem of uncertain identity
E-commerce is a virtual network platform that does not require the two parties
to meet, so a transaction carries the danger that the identity of either party is
uncertain.
• The validity of the information
Control and prevent possible threats, including system failure, application
program errors, hardware failure, software errors and computer viruses, to
guarantee that the transaction data is valid at a definite time and place.
• The authenticity of the trader's identity
Both traders indeed exist and are not fake.
• Data encryption technique
Firstly, use technical means to change the significant message into cipher text;
secondly, send the cipher text to the target; thirdly, restore the cipher text to the
message.
• Biometrics is the use of physical or behavioral characteristics to determine or
verify the identity of an individual.
• Biometric systems convert data derived from behavioral or physical
characteristics into templates, which are used for later matching.
The main elements of a biometric system:
• Enrollment
• Submission
• Acquisition device
• Biometric sample
• Feature extraction
• Template
• Matching
• Score
• Threshold
• Decision
The binding of the user's identity and biometric feature data to an entity is
provided by an authority through a digitally signed data structure called a
biometric certificate.
Figure: contents of the biometric certificate: cardholder's public key,
double-hashed fingerprint template, blind credit card info., expiry date,
double-hashed credit card info., serial #, issuer bank, CA's certificate.
• Authentication system of the schemes:
Both schemes have a biometric authentication system as shown in the biometric
certificate figure.
Two major factors are necessary for successful e-payment transactions:
• Create privacy protection (information privacy) in e-payment transactions, to
achieve the cardholder's trust and prevent misuse of sensitive information.
• Implement robust authentication, ideally real-time authentication, to prevent
fraud and theft in credit card and smart card transactions.
There are two schemes for e-payment transactions which meet the two factors
mentioned.
Scheme one is suitable for transactions of medium cost. Here the customer does not
need additional software, but needs to provide a sample of her/his fingerprint to
achieve the second factor.

Benefits of this scheme:

• The issuer does not need a biometric server; having a biometric server brings a
high security requirement.
• Ease of implementation and higher speed.
• Because a hash function is used, the merchant or acquirer is able to compare the
biometric sample with the template in the cardholder's certificate and recognize
the genuine cardholder.
The second scheme: sensitive dealings need real-time authentication with a more
precise biometric method than fingerprint, so iris scan is selected.
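The biometric certificate and the merchant-side check of scheme one, as an added example that is not from the slides: the field names follow the figure, but `CA_KEY`, the HMAC stand-in for the CA's digital signature, and the constructed fingerprint template are assumptions (exact hash comparison replaces the fuzzy matcher a real fingerprint system would use).

```python
# Added example: field names follow the slides' figure; the CA signature is
# simulated with HMAC under CA_KEY, and the fingerprint template is a
# constructed byte string (exact match stands in for a real fuzzy matcher).
import hashlib
import hmac
import json

CA_KEY = b"constructed-ca-key"  # stands in for the CA's private signing key


def double_hash(data):
    """H(H(x)): the certificate carries neither the raw template nor card data."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def _sign(body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(CA_KEY, payload, hashlib.sha256).hexdigest()


def issue_certificate(serial, issuer_bank, expiry, public_key, template, card):
    """CA builds the biometric certificate binding identity to hashed data."""
    body = {
        "serial": serial,
        "issuer_bank": issuer_bank,
        "expiry": expiry,                      # ISO date, compared as a string
        "cardholder_public_key": public_key,
        "fingerprint_template_hh": double_hash(template),
        "credit_card_hh": double_hash(card),
    }
    body["ca_signature"] = _sign(body)
    return body


def signature_valid(cert):
    """Recompute the signature over every field except the signature itself."""
    body = {k: v for k, v in cert.items() if k != "ca_signature"}
    return hmac.compare_digest(_sign(body), cert["ca_signature"])


def merchant_check(cert, sample, card, today):
    """Merchant/acquirer side of scheme one: signature, expiry, both hashes."""
    if not signature_valid(cert) or today > cert["expiry"]:
        return False
    bio_ok = hmac.compare_digest(cert["fingerprint_template_hh"], double_hash(sample))
    card_ok = hmac.compare_digest(cert["credit_card_hh"], double_hash(card))
    return bio_ok and card_ok
```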

Virtual password concept

A password is an accepted way of authenticating in e-commerce transactions and is
preferred by customers. The virtual password concept can be used to obtain a
one-time password for authentication. To build a one-time password we need two
items: a fixed alphanumeric password Ps and a function F.
We have F(Ps, R) = Pd, where R is a random number provided by the server
(challenge/response technique) and Pd is the dynamic password used for
authentication.
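The challenge/response exchange above, as an added example that is not from the slides: Ps, R and Pd keep the slides' names, while the choice of HMAC-SHA256 as F, the salted PBKDF2 stretching of Ps, and the `ServerSide`, `client_response` and `demo` helpers are assumptions.

```python
# Added example; ServerSide/client_response and PBKDF2 stretching are assumptions.
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value)

def derive_key(ps, salt):
    """Stretch the fixed password Ps; the server stores only this derived key."""
    return hashlib.pbkdf2_hmac("sha256", ps.encode(), salt, ITERATIONS)

def F(key, r):
    """Pd = F(Ps, R): keyed MAC of the challenge R, so Ps never crosses the wire."""
    return hmac.new(key, r, hashlib.sha256).hexdigest()

class ServerSide:
    """Keeps the stretched password and the set of unanswered challenges."""

    def __init__(self, ps):
        self.salt = secrets.token_bytes(16)   # sent to the client with R
        self.key = derive_key(ps, self.salt)
        self.pending = set()

    def challenge(self):
        r = secrets.token_bytes(16)  # fresh random R for every login attempt
        self.pending.add(r)
        return r

    def verify(self, r, pd):
        # Each R may be answered once, so a captured Pd cannot be replayed.
        if r not in self.pending:
            return False
        self.pending.discard(r)
        return hmac.compare_digest(F(self.key, r), pd)

def client_response(ps, salt, r):
    """Customer side: rebuild the derived key from Ps and answer the challenge."""
    return F(derive_key(ps, salt), r)

def demo():
    # Genuine login, replay of the same Pd, and a wrong password.
    server = ServerSide("correct horse")
    r = server.challenge()
    pd = client_response("correct horse", server.salt, r)
    first = server.verify(r, pd)
    replay = server.verify(r, pd)
    r2 = server.challenge()
    wrong = server.verify(r2, client_response("guess", server.salt, r2))
    return first, replay, wrong  # (True, False, False)
```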
E-commerce security can be divided into two sections:
• computer network security
• e-commerce transaction security.
• Computer network security includes network equipment security, network system
security, database security, etc.
• E-commerce transaction security focuses on the security problems that occur when
business is conducted on the Internet.
Computer network security can be divided into five levels:
The issue of confidence holds a prominent position in the e-commerce transaction
layer.
• For B2B, the main supporting technology is PKI.
• For B2C or C2C, the main supporting technology is the trust reputation system.
• Based on the theory and technology of public key cryptography, Public Key
Infrastructure (PKI) is able to provide a transport for various network security
services, and it provides different public key certificate services for different
services respectively. In PKI, each user has a certificate in which the user's
information is encrypted.
According to the grading method and the method of collecting feedback information,
reputation systems are classified into three types:
• the negative feedback reputation system
• the positive feedback reputation system
• the mixed reputation system.
• In a negative feedback reputation system, negative feedback about entities, such as
complaints, is gathered in order to punish dishonest behavior.
• A positive feedback system provides entities with a suggested list of believable
entities, in which the reputation information and the reasonably honest behavior of
the listed entities are stated.
• A mixed reputation system publishes both positive and negative feedback, obtained
by collecting and compiling entities' reputation information, which entities use to
identify possible trading partners and avoid trading risks.
