Munazza Ayub
Neelum Raffique
Rida Irfan
Uzma Noorin
E-COMMERCE SECURITY ISSUES
Nowadays e-commerce services have become more and more popular on the
Internet. Security is very important for e-commerce services and it is the
key factor that affects the success of electronic commerce.
Security Issues related to E-Commerce
Client-side Security Issues
Server-side Security Issues
Transaction Security Issues
The problem of the identity unsure
The problem of alter transactions
Client-side Security Issues
Client-side security requires proper user authentication and authorization.
Server-side Security Issues
Server-side security requires proper client authentication and authorization and
accountability.
Transaction security requires various security services, such as data authentication,
access control, data confidentiality and data integrity.
Network security technologies typically address access control and communication
security.
Access control
Access control includes authentication and authorization.
Identification and authentication determine who can log on to a system.
Authorization determines what a subject can do.
Accountability identifies what a subject did.
Communications security (COMSEC) is the prevention of unauthorized
access to any information that is transmitted or transferred. COMSEC
includes
Cryptographic Security
This encrypts data, rendering it unreadable until the data is decrypted.
Physical security
This ensures the safety of, and prevents unauthorized access to,
cryptographic information.
Transmission security
This protects transmissions from unauthorized access, thereby preventing
interruption and harm.
Complexity
A framework must be developed in which possible attacks against cryptographic
primitives (algorithms, protocols, and applications) can be explored.
Availability
New security techniques must be developed that can be used to protect against
denial-of-service or degradation-of-service attacks.
Code Autonomy
With regard to mobile code it is important to find solutions for the following problems:
How to protect mobile code against malicious hosts?
How to protect hosts against malicious mobile code?
Security features are categorized into tangible and intangible features.
Tangible features
are the security features on the website that can be checked by users visiting the website,
such as padlocks and security certificates.
Intangible features
are not visible on the website; the user needs to understand and have knowledge of
them, such as whether the website is well known.
When considering website security, the intangible issues are given the highest priority,
and after these the tangible ones may be checked.
Security features in e-commerce website            Categorizing of security features
Padlock                                            Tangible
Security certificate                               Tangible
Known identity (company has physical building)     Intangible
Brief description of the issues that the
customer should be aware of on the website         Tangible
Trusted                                            Intangible
Respected company                                  Intangible
Well Rated                                         Intangible
Some respondents specified that the website should contain details about security and website
policies.
Some of the participants specified that the reputation of the website is also very important.
Some participants highlighted the significance of a website's existing known (and typically physical)
identity.
Some respondents believe that customers generally have a negative attitude
towards online shopping.
Some respondents specified that the customer viewpoint should be considered.
Some respondents specified that they provide a customer with a friendly
website.
Some respondents specified that there is no way to judge that the website is
secure or not.
Staff involved in the development of the website did not consider the checking of
tangible factors in determining the security of the website.
Thus, from the organizational perspective, customers only considered the intangible
factors to judge whether the website is trustworthy or not.
Three types of security threats
denial of service
unauthorized access
theft and fraud
Two primary types of DoS attacks:
Spamming
Viruses
Sending unsolicited commercial emails to individuals
E-mail bombing caused by a hacker targeting one computer or network,
and sending thousands of email messages to it
DDoS (distributed denial of service) attacks involve hackers placing
software agents onto a number of third-party systems and setting them off
to simultaneously send requests to an intended target.
Viruses: self-replicating computer programs designed to perform
unwanted events.
Worms: special viruses that spread using direct Internet connections.
Trojan Horses: disguised as legitimate software; they trick users into
running the program to gain illegal access to systems, applications or data.
Passive unauthorized access
– Listening to a communications channel to find secrets.
– The content may be used for damaging purposes.
Active unauthorized access
– Modifying the system or data.
– Message stream modification.
Masquerading or spoofing
– Sending a message that appears to be from someone else.
– Done by changing the name (changing the From: field) or the IP address (changing the
source and/or destination IP address of packets in the network).
Theft
Software that illegally accesses data traversing the network.
Fraud
Occurs when the stolen data is used or modified.
There are a number of techniques with which you can enjoy secure online
shopping.
Shop at Secure Web Sites
Research the Web Site before You Order
Be Aware of Cookies and Behavioural Marketing
What's Safest: Credit Cards, Debit Cards, Cash, or Checks?
Never Give Out Your Social Security Number
Disclose Only the Bare Facts When You Order
Keep Your Password Private
Check the Web Site Address
Don't Fall for "Phishing" Messages
Always Save Copies of Your Orders
Learn the Merchant's Cancellation, Return and Complaint-Handling Policies
Use Shopper's Intuition
Consider Using Single-use Card Numbers
Know How Online Auctions Operate
Understand Your Responsibility for Sales and Use Taxes Online
Be Aware of Dynamic Pricing
Network harms
Issue of transaction
The problems of security conformity
At present, security agreements lack global principles and norms,
which in turn causes problems of security conformity.
Anti-virus problem
There are many viruses spreading at ever faster speeds on the web, which
often cause tens of billions of dollars in economic losses.
The safety issues of servers
Servers are the core of e-commerce. There are several ways to attack
servers: an unlawful user sends a large number of invalid requests to the host
computer to consume the available resources of the server, so that the server
can no longer provide normal services to clients, which causes the web
application to collapse.
The problem of the identity unsure
E-commerce is a virtual network platform which does not require the two
sides to meet; thereby the transaction carries the danger that the identity
of the two sides is uncertain.
The validity of the information
Control and prevent possible threats, including system failure,
application program errors, hardware failure, software errors and computer
viruses, to guarantee that the transaction data at a definite time and place
is valid.
The authenticity of the trader’s identity
The two traders are indeed existing, not fake.
Data encryption technique
Firstly, use technical means to change the significant message into cipher
text; secondly, send the cipher text to the target; thirdly, restore the cipher
text to the message.
Biometric is the use of physical or behavioral characteristics to determine
or verify the identity of an individual.
Biometric systems convert data derived from behavioral or physical
characteristics into templates, which are used for later matching.
Enrollment
Submission
Acquisition device
Biometric sample
Feature extraction
Template
Matching
Score
Threshold
Decision
The binding of the user's identity and biometric feature data to an entity
is provided by an authority through a digitally signed data structure
called a biometric certificate.
[Figure: structure of the biometric certificate. Fields shown: cardholder's public key;
double hashed fingerprint / fingerprint template; blind credit card info.; expiry date;
double hashed credit card info.; serial #; issuer bank; CA's certificate.]
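The pipeline listed above (enrollment, feature extraction, template, matching, score, threshold, decision) and the certificate binding described before the figure, as an added Python example that is not from the original slides: enrollment produces a template, matching yields a score that a threshold turns into a decision, and the certificate holds a double hash of the template rather than the template itself. Assumptions: the bit-quantisation features, the agreement-fraction score, the 0.9 threshold and the SHA-256-of-SHA-256 reading of "double hashed" are constructed for illustration; the CA's signature over the certificate is not modelled.

```python
import hashlib
TEMPLATE_BITS = 64
ENROLLED_PATTERN = 0xF0F0F0F0F0F0F0F0   # constructed "finger" A
IMPOSTOR_PATTERN = 0xFF00FF00FF00FF00   # constructed "finger" B

def sample_from_pattern(pattern, noisy_positions=()):
    """Acquisition stand-in: 64 measurements in [0, 1] from a bit pattern; the
    noisy_positions are pushed across the quantisation boundary (sensor noise)."""
    bits = [(pattern >> (TEMPLATE_BITS - 1 - i)) & 1 for i in range(TEMPLATE_BITS)]
    return [0.9 if (b ^ (i in noisy_positions)) else 0.1 for i, b in enumerate(bits)]

def extract_template(sample):
    """Feature extraction: quantise each measurement to one template bit."""
    return tuple(1 if v >= 0.5 else 0 for v in sample)

def match_score(template_a, template_b):
    """Matching: fraction of template bits that agree (1.0 = identical)."""
    agree = sum(a == b for a, b in zip(template_a, template_b))
    return agree / len(template_a)

def decide(score, threshold):
    """Threshold and decision: a lower threshold tolerates noisier genuine
    readings but also lets more impostor scores through."""
    return score >= threshold

def double_hash(template):
    """SHA-256 of SHA-256 over the template bytes (assumed meaning of the
    certificate's 'double hashed fingerprint': binds identity to the template
    without the certificate containing the template itself)."""
    return hashlib.sha256(hashlib.sha256(bytes(template)).digest()).hexdigest()

def authenticate(cert_hash, enrolled_template, presented_sample, threshold=0.9):
    """Verify the stored template against the certificate, then match the
    presented sample against it. Returns (accepted, score)."""
    if double_hash(enrolled_template) != cert_hash:
        return False, 0.0   # stored template is not the one the CA certified
    score = match_score(enrolled_template, extract_template(presented_sample))
    return decide(score, threshold), score

def demo():
    enrolled = extract_template(sample_from_pattern(ENROLLED_PATTERN))  # enrollment
    cert_hash = double_hash(enrolled)   # the value the CA signs into the certificate
    genuine = sample_from_pattern(ENROLLED_PATTERN, noisy_positions={3, 17, 40})
    impostor = sample_from_pattern(IMPOSTOR_PATTERN)
    return {
        "genuine": authenticate(cert_hash, enrolled, genuine),    # (True, 61/64)
        "impostor": authenticate(cert_hash, enrolled, impostor),  # (False, 0.5)
        "tampered": authenticate("00" * 32, enrolled, genuine),   # (False, 0.0)
    }
```

The impostor reading agrees on only half the bits and is rejected, while the genuine reading with three noisy bits is accepted; the tampered case shows that a stored template not matching the certificate's hash is refused before any matching happens.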
Authentication system of the schemes:
Both schemes have a biometric authentication system as shown in the figure
below.
Two major factors are necessary for successful e-payment transactions:
Create privacy protection or information privacy in e-payment
transactions, to achieve the cardholder's trust and prevent misuse of sensitive
information.
Implement robust authentication that ideally should be a real time
authentication, to prevent fraud and theft in credit card and smart card
transactions.
There are two schemes for e-payment transactions which meet the two
factors mentioned.
Scheme one is suitable for transactions with medium cost. Here the
customer does not need additional software; however, they need to provide a
sample of their fingerprint to achieve the second factor.