SECURITY IN E-COMMERCE EMIS-528 (Information Security Management System)
Submitted To Md. Rakibul Hoque
Assistant Professor Department of Management Information Systems University of Dhaka
Submitted By
MD. ABDULLAH AL AHAD | ID: 61323-16-029
MAHMUD PARVEJ | ID: 61325-18-052
SHUVAJYOTI ROY | ID: 61426-19-020
MBA (Evening) Program, Department of Management Information Systems University of Dhaka
Executive Summary
Electronic commerce may include any computer-mediated business process, but the term is commonly used to describe commerce (the buying and selling of a product or service) that takes place using the World Wide Web (WWW) as the enabling transport [1]. Since the invention of the WWW in 1989, Internet-based electronic commerce has been transformed from a mere idea into reality. Consumers browse through catalogues, search for the best offers, order goods, and pay for them electronically. Most financial institutions have some sort of online presence, allowing their customers to access and manage their accounts, make financial transactions, trade stocks, and so forth. Electronic mail is exchanged within and between enterprises, and often already replaces fax copies. Soon there will arguably be no enterprise left without an Internet presence, if only for advertising reasons [2]. Thus, doing some electronic business on the Internet is already an easy task. So are cheating and snooping. Several reasons contribute to this insecurity: the Internet does not offer much security per se; eavesdropping and acting under a false identity are simple; stealing data is undetectable in most cases; and popular PC operating systems offer little or no protection against viruses or other malicious software, which means that users cannot even trust the information displayed on their own screens. At the same time, user awareness of security risks is threateningly low. In this paper, various probable crimes in e-commerce, along with their potential causes and plausible security measures, are outlined.
Security in E-Commerce
Introduction
Security Issues in E-commerce
  Dimensions of E-commerce Security
  The Tension between Security and Other Values
  Security Threats in the E-commerce Environment
    A Typical e-commerce transaction
    Vulnerable Points
  Detailing of Security vulnerabilities in electronic commerce
  Viable causes behind Security Threats
Probable Crimes in E-commerce Environment
  Most Common Security Threats in the E-commerce Environment
  Unwanted Programs
  Phishing and Identity Theft
  Hacking and Cyber vandalism
  Credit Card Fraud
  Spoofing (Pharming) and Spam (Junk) Web Sites
  DoS and DDoS Attacks
  Denial of Service
  SMURF Attack
  Other Security Threats
Security Steps to Protect E-Commerce
  Technology Solutions
    Protecting Internet Communications: Encryption
    Network Transport Security
Conclusion
References
Introduction
The utilization of the internet is increasing rapidly every year; the availability of low-cost peripheral devices and wider internet accessibility options are key contributing factors [3]. The progression of technology over recent years has given the consumer a broader and much richer interactive experience [4]. The availability of a wide variety of applications and simple point-and-click interfaces has further contributed to this “experience” through its ease of use.
A wide variety of commerce is conducted via e-Commerce, including electronic funds transfer, supply chain management, Internet marketing, online transaction processing, electronic data interchange (EDI), inventory management systems, and automated data collection systems. US online retail sales reached $175 billion in 2007 and are projected to grow to $335 billion by 2012 [5]. As a result, IT usage has become common practice. Business-to-customer (B2C) and business-to-business (B2B) transactions are both common in the market, and the fusion and integration of these two types of transactions has produced e-commerce [6] [7]. Chen and Dhillon have defined e-commerce as “the transaction of goods and services over the internet” [4]. It is also described as the “sharing, transferring and exchanging of information” [8].
Over the past few years e-commerce has maintained a rapid yet steady pace. It has been a dynamic force, a catalyst in changing the nature of business transactions and operations all around the world [9]. It should also be noted that, unlike traditional commerce, EC does not allow physical interaction between consumers and retailers or suppliers [4]. This fact raises a number of risks and issues, including technological, security, privacy, trust, legal and other related issues [9]. The following research focuses on two of these issues, security and privacy. The factoring of security and privacy into e-commerce models is of considerable importance to consumers, businesses, and regulators [10]. The majority of customers feel insecure about the existing policies and guidelines with respect to privacy and security online. Such insecurities have a negative impact on any economic model.
That said, online security breaches can be considered a fast-spreading menace in current economic settings around the world. E-Commerce providers must also protect against a number of different external security threats, most notably Denial of Service (DoS). The financial services sector still bears the brunt of e-crime, accounting for 72% of all attacks. But the sector that experienced the greatest increase in the number of attacks was e-Commerce. Attacks in this sector rose by 15% from 2006 to 2007 [11].
Security Issues in E-commerce
In e-commerce development, security is a critical factor to consider [12]. It is one of the pivotal success factors of e-commerce. Security is defined as “the protection of data against accidental or intentional disclosure to unauthorized persons, or unauthorized modifications or destruction” [13]. It usually refers to the provision of access control, privacy, confidentiality, integrity, authentication, non-repudiation, availability and effectiveness [9][14][15]. Surveys conducted and compiled recently show increasing concern about security risks, which have become a global issue [6]. When customers lose confidence in a system's ability to protect sensitive and confidential data such as credit card information, its feasibility is compromised and the system is rendered helpless [16]. Electronic commerce has been weakened by the deterioration of the confidence the consumer public holds towards it, which in turn poses an immense threat to its overall expansion and success [13]. In fact, Hoffman et al. stated that 63% of online end-users intentionally delay providing personal information due to diminished confidence and trust in sites [4]. If credibility is to be achieved, improved security and privacy protocols should be incorporated. At present security is pivotal, and concerns surrounding its efficiency are perhaps the key reason web users do not make online purchases [13]. The US-based Better Business Bureau confirmed that online security was a great concern in 2001 [4]. Types of security threats include identity theft, i.e. the illegal use of personal information, which is in fact the USA's leading form of fraud [17]. Other threats include gaining physical access to premises, wiretapping, unauthorized acquisition of information, viruses, lack of integrity, financial fraud, vandalism, etc. [16][9].
Dimensions of E-commerce Security
Integrity: ability to ensure that information being displayed on a Web site or transmitted/received over the Internet has not been altered in any way by an unauthorized party
Nonrepudiation: ability to ensure that e-commerce participants do not deny (repudiate) online actions
Authenticity: ability to verify the identity of a person or entity with whom you are dealing on the Internet
Confidentiality: ability to ensure that messages and data are available only to those authorized to view them
Privacy: ability to control use of information a customer provides about himself or herself to merchant
Availability: ability to ensure that an e-commerce site continues to function as intended
The Tension between Security and Other Values
Security vs. ease of use: the more security measures added, the more difficult a site is to use, and the slower it becomes
Too much security can harm profitability, while not enough security can put you out of business
Tension between the desire of individuals to act anonymously (to hide their identity) and the need to maintain public safety, which can be threatened by criminals or terrorists.
The Internet is both anonymous and pervasive, an ideal communication tool for criminal and terrorist groups (Coll and Glasser 2005)
Security Threats in the E-commerce Environment
Three key points of vulnerability:
Client
Server
Communications channel
A Typical e-commerce transaction
Vulnerable Points
Detailing of Security vulnerabilities in electronic commerce
There are many points of failure, or vulnerabilities, in an e-commerce environment. Even in a simplified e-commerce scenario – a single user contacts a single web site, and then gives his credit card and address information for shipping a purchase – many potential security vulnerabilities exist. Indeed, even in this simple scenario, there are a number of systems and networks involved. Each has security issues:
A user must use a web site and at some point identify, or authenticate, himself to the site. Typically, authentication begins on the user's home computer and its browser. Unfortunately, security problems in home computers offer hackers other ways to steal e-commerce data and identification data from users. Some current examples include a popular home-banking system that stores a user's account number in a Web “cookie” which hostile web sites can crack [18]; ineffective encryption or lack of encryption for home wireless networks [19]; and mail-borne viruses that can steal the user's financial data from the local disk [20] or even from the user's keystrokes [21]. While these specific security problems will be fixed by some software developers and web-site administrators, similar problems will continue to occur. Alternatives to the home computer include Point-of-Sale (POS) terminals in brick-and-mortar stores, as well as a variety of mobile and handheld devices.
The user's web browser connects to the merchant front-end. When a consumer makes an online purchase, the merchant's web server usually caches the order's personal information in an archive of recent orders. This archive contains everything necessary for credit-card fraud. Further, such archives often hold 90 days' worth of customers' orders. Naturally, hackers break into insecure web servers to harvest these archives of credit card numbers. Several recent thefts netted 100,000, 300,000, and 3.7 million credit-card records, respectively. Accordingly, an e-commerce merchant's first security priority should be to keep the web servers' archives of recent orders behind the firewall, not on the front-end web servers [22]. Furthermore, sensitive servers should be kept highly specialized, by turning off and removing all inessential services and applications (e.g., ftp, email). Other practical suggestions for securing web servers can be found in [23] and [24], among many others.
The merchant back-end and database. A site's servers can weaken the company's internal network. This is not easily remedied, because the web servers need administrative connections to the internal network, but web server software tends to have buggy security. Here, the cost of failure is very high, with potential theft of customers' identities or corporate data.
Additionally, the back-end may connect with third-party fulfillment centers and other processing agents. Arguably, the risk of stolen product is the merchant's least important security concern, because most merchants' traditional operations already have careful controls to track payments and deliveries. However, these third parties can release valuable data through their own vulnerabilities. This is a simplified model of an e-commerce architecture; yet even in its simplicity, there are a number of security problems. Note that encrypted e-commerce connections do little to help solve any but network security problems. While other problems might be ameliorated by encryption, there are still vulnerabilities in the software clients and servers that must use the data.
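The recent-orders archive problem described above can be made concrete. The following Go program is an added example, not part of the paper: archiveInsecure is the practice the text warns about, while archiveHardened keeps only a masked card number and a processor token on the front-end server. The card number, the stubAuthorize stand-in for a payment processor, and the exposesCard check are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// CardInput is what the checkout form submits. All values are constructed test data.
type CardInput struct {
	PAN    string // full primary account number
	Expiry string
	CVV    string
}

// ArchivedOrder is one entry in the web server's recent-orders archive.
type ArchivedOrder struct {
	OrderID   string
	Customer  string
	AmountCts int
	CardRef   string // insecure form: the full PAN; hardened form: a masked PAN
	Expiry    string
	CVV       string // the hardened form never fills this in
	ProcToken string // opaque reference issued by the payment processor
}

// archiveInsecure caches everything the form submitted, which is the practice
// the text warns about: a stolen copy of this archive is directly usable for fraud.
func archiveInsecure(id, customer string, amount int, c CardInput) ArchivedOrder {
	return ArchivedOrder{OrderID: id, Customer: customer, AmountCts: amount,
		CardRef: c.PAN, Expiry: c.Expiry, CVV: c.CVV}
}

// maskPAN checks the number's shape and keeps only its last four digits.
func maskPAN(pan string) (string, error) {
	digits := strings.ReplaceAll(pan, " ", "")
	if len(digits) < 13 || len(digits) > 19 {
		return "", errors.New("PAN length out of range")
	}
	for _, r := range digits {
		if r < '0' || r > '9' {
			return "", errors.New("PAN contains a non-digit")
		}
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:], nil
}

// archiveHardened hands the card to the processor once, then records only the
// masked number and the processor's token. The CVV is discarded at this point.
func archiveHardened(id, customer string, amount int, c CardInput,
	authorize func(CardInput, int) (string, error)) (ArchivedOrder, error) {
	masked, err := maskPAN(c.PAN)
	if err != nil {
		return ArchivedOrder{}, err
	}
	token, err := authorize(c, amount)
	if err != nil {
		return ArchivedOrder{}, err
	}
	return ArchivedOrder{OrderID: id, Customer: customer, AmountCts: amount,
		CardRef: masked, Expiry: c.Expiry, ProcToken: token}, nil
}

// exposesCard reports whether a copy of this entry would hand a thief a usable
// card: the full number, or a stored CVV.
func exposesCard(o ArchivedOrder, pan string) bool {
	return strings.Contains(o.CardRef, pan) || o.CVV != ""
}

// stubAuthorize is a hypothetical stand-in for the payment processor's API.
// A real processor returns a token that only the processor can map back to the card.
func stubAuthorize(c CardInput, amount int) (string, error) {
	digits := strings.ReplaceAll(c.PAN, " ", "")
	if _, err := maskPAN(digits); err != nil {
		return "", err
	}
	return fmt.Sprintf("tok_%s_%d", digits[len(digits)-4:], amount), nil
}

func main() {
	card := CardInput{PAN: "4111111111111111", Expiry: "12/29", CVV: "123"} // constructed test number
	insecure := archiveInsecure("o-1001", "alice", 1999, card)
	hardened, err := archiveHardened("o-1001", "alice", 1999, card, stubAuthorize)
	if err != nil {
		panic(err)
	}
	fmt.Printf("insecure entry exposes card: %v\n", exposesCard(insecure, card.PAN))
	fmt.Printf("hardened entry exposes card: %v (stored %q, token %s)\n",
		exposesCard(hardened, card.PAN), hardened.CardRef, hardened.ProcToken)
}
```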
We will discuss the implications of these vulnerabilities below – users who may themselves release data or act in ways that place sites in jeopardy, the constant pressure of new technologies and the resulting constant threat of new vulnerabilities, as well as the requirements for critical organizational processes. However, before discussing potential requirements for e-commerce sites and their consumers, it is important to survey potential security technologies.
Viable causes behind Security Threats
Reasons for high security risks include the imperfection of e-commerce laws, regulations, systems, technology and the internet. Security is a key integral issue for users, regardless of what the application may be, ranging from locking a computer to conducting business via the internet [17]. The rapid development of e-business and e-commerce applications has resulted in an increase in the amount of illegal infiltration into information systems which were initially deemed safe [6]. Since e-commerce is completely reliant on IT, it could be stated that future developments in e-commerce will depend solely on IT security and risk management. Garg et al. state that “a percentage between 36 and 90 percent of organizations confirmed security breaches in the past year alone” [6]. These statistics help increase or maintain customers' negative perception of the e-market and explain why many people are fearful or insecure about buying or performing sensitive transactions online. It seems as if the only solution to remove the problem and increase e-sales is to provide fully secured networks that guarantee confidentiality and safety. It is, however, not that simple.
Technologies that provide flawless security measures and guarantees are very expensive and in most cases not easily acquired. Web-based e-commerce comprises hyperlinked web pages alongside applications and incompatible technologies that bring about business transactions amongst different companies spanning the globe [7]. Therefore, even if a business tries to deploy error-free security software, success is not guaranteed, as there are many factors influencing the flow and security of information in cyberspace. Moreover, in order for e-commerce to develop customer trust, the change has to be made collectively, not just by a few companies. For small to medium businesses it is difficult and costly to incorporate complete IT security [6]. Leaving aside the multifaceted technologies required, e-commerce systems are founded and based on the World Wide Web, which coincidentally has a history of exposure to a variety of security threats [7].
Probable Crimes in E-commerce Environment
Most Common Security Threats in the E-commerce Environment
Malicious code (viruses, worms, Trojans)
Unwanted programs (spyware, browser parasites)
Phishing/identity theft
Hacking and cyber vandalism
Credit card fraud/theft
Spoofing (pharming)/spam (junk) Web sites
DoS and dDoS attacks
Sniffing
Insider attacks
Poorly designed server and client software
Malicious code: tries to impair computers and steal email addresses, logon credentials, personal data, and financial information.
Viruses: computer programs that have ability to replicate and spread to other files; most also deliver a “payload” of some sort (destructive or benign); include macro viruses, file-infecting viruses, and script viruses
Worms: Designed to spread from computer to computer; unlike a virus, can replicate without being executed by a user or program
Trojan horse: Appears to be benign, but then does something other than expected
Bots: Can be covertly installed on computer; responds to external commands sent by the attacker to create a network of compromised computers for sending spam, generating a DDoS attack, and stealing info from computers
Unwanted Programs
Installed without the user’s informed consent
Browser parasites: Can monitor and change settings of a user’s browser
Adware: Calls for unwanted pop-up ads
Spyware: Can be used to obtain information, such as a user's keystrokes, email, IMs, etc.
Phishing and Identity Theft
Any deceptive, online attempt by a third party to obtain confidential information for financial gain
Most popular type: e-mail scam letter, e.g., a rich former Nigerian oil minister seeking a bank account in which to deposit millions of dollars, or fake “account verification” emails from eBay or CitiBank asking the recipient to give up personal account information, bank account number, and credit card number
One of fastest growing forms of e-commerce crime
197,000 unique new phishing emails were sent within the first 6 months of 2007, an 18% increase
Hacking and Cyber vandalism
Hacker: Individual who intends to gain unauthorized access to computer systems
Cracker: Hacker with criminal intent (two terms often used interchangeably)
Cyber vandalism: Intentionally disrupting, defacing or destroying a Web site
Types of hackers include:
White hats – hired by corporations to find weaknesses in the firm's computer system
Black hats – hackers with the intention of causing harm
Grey hats – hackers who break in and reveal system flaws without disrupting the site or attempting to profit from their findings
Credit Card Fraud
Fear that credit card information will be stolen deters online purchases
Overall rate of credit card fraud is lower than users think, 1.6-1.8% of all online card transactions.
US federal law limits the liability of individuals to $50 for a stolen credit card.
Hackers target credit card files and other customer information files on merchant servers; they use stolen data to establish credit under a false identity
One solution: new identity verification mechanisms
Spoofing (Pharming) and Spam (Junk) Web Sites
Spoofing (Pharming)
Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
Threatens integrity of site; authenticity
Spoofing a Web site is called “pharming,” which involves redirecting a Web link to another IP address different from the real one
Pharming is carried out by hacking local DNS servers.
Threatens integrity of site by stealing business from the true site, or altering orders and sending them to the true site for processing and delivery.
Threatens authenticity by making it hard to discern the true sender of a message.
Spam (Junk) Web sites
Use domain names similar to a legitimate one and redirect traffic to spammer-redirection domains
DoS and DDoS Attacks
Denial of service (DoS) attack
Hackers flood Web site with useless traffic to inundate and overwhelm network
Use of bot networks built from hundreds of compromised workstations.
No. of DoS attacks per day grew from 119 during last 6 months of 2004 to 927 during first 6 months of 2005, a 679% increase [11].
Distributed denial of service (DDoS) attack
Hackers use numerous computers to attack target network from numerous launch points
Microsoft and Yahoo have experienced such attacks
Denial of Service
Ping Flooding
Attacker sends a flood of pings to the intended victim
The ping packets will saturate the victim’s bandwidth
SMURF Attack
Uses a ping packet with two extra twists
Attacker chooses an unwitting victim
Spoofs the source address
Sends request to network in broadcast mode
Other Security Threats
Sniffing: Type of eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information from anywhere on a network
Insider jobs: Single largest financial threat
64% of business firms experienced an “inside security breach” in their systems in 2006.
Poorly designed server and client software: The increase in complexity of software programs (e.g., MS's Win32 API) has contributed to the increase in Microsoft vulnerabilities that hackers can exploit
Security Steps to Protect E-Commerce
There are many relevant technologies, including cryptographic technologies that can mitigate the previously mentioned vulnerabilities. However, none is comprehensive or airtight by itself.
Accordingly, we next present a brief overview of the major technologies, also considering the advantages and disadvantages of each. There are four components involved in E-Commerce security: client software, server software, the server operating system, and the network transport. Each component has its own set of issues and challenges associated with securing it:
Client software is becoming increasingly security-focused; however, single-user desktop operating systems historically have had no security features implemented. E-Commerce software that relies on the security of the desktop operating system is easily compromised without the enforcement of strict physical controls.
Server software is constantly under test and attack by the user community. Although there have been cases of insecurities, a system administrator keeping up with the latest patches and vendor information can provide a high degree of confidence in the security of the server itself.
Operating systems used for hosting E-Commerce servers are securable, but are rarely shipped from the vendor in a default configuration that is secure. E-Commerce servers must protect the database of customer information accumulating on the server as well as provide security while the server is handling a transaction. If it is easier for a thief to compromise the server to obtain credit card numbers, why bother sniffing the network for individual credit card numbers?
Session transport between the client and server uses network protocols that may have little or no built-in security. In addition, networking protocols such as TCP/IP were not designed to have confidentiality or authentication capabilities.
Technology Solutions
Protecting Internet communications (encryption)
Securing channels of communication (SSL, S-HTTP, VPNs)
Protecting networks (firewalls)
Protecting servers and clients
Protecting Internet Communications: Encryption
In the mass media, the most visible security technologies are the encryption algorithms. For a general introduction to these technologies see [25]; a popularization can be found in [26]. Two classic textbooks are [27] and [28], and encyclopedic compendia include [29] and [30].
Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and receiver
Purpose: Secure stored information and information transmission
Provides:
Message integrity
Nonrepudiation
Authentication
Confidentiality
Symmetric Key Encryption: Symmetric key encryption is also known as secret key encryption. Secret-key cryptography is the more traditional form, and has been used for all kinds of communications throughout the ages. In this method, one "key" is used to both encrypt and decrypt the data. A key can be anything from a secret-decoder ring found in a cereal box to a highly complex mathematical algorithm; keys really only differ in the ease with which they can be broken by third parties. In secret-key cryptography, the sender and receiver must have the same key in order for the transmission to work correctly.
Both the sender and receiver use the same digital key to encrypt and decrypt message
Requires a different set of keys for each transaction
Advanced Encryption Standard (AES): Most widely used symmetric key encryption today; offers 128-, 192-, and 256-bit encryption keys; other standards use keys with up to 2,048 bits
Public Key Encryption: The key management problem inherent to secret-key cryptography needed to be addressed in order for large-scale, secure use of data encryption techniques. In 1976, Whitfield Diffie, a cryptographer and privacy advocate, and Martin Hellman, an electrical engineer, working together discovered the concept of public-key encryption. Instead of having one key shared among both users of an encrypted transmission, each user has his or her own public/private key pair. A user makes the public key open and available to anyone (by publishing it on-line or registering it with a public key server), and keeps the private key hidden away where (hopefully) no one can get at it. The private key is mathematically derived from the public key, and thus the two are linked together. In order to send someone a message, the sender encrypts the transmission with the receiver's public key. This can then only be decrypted by the receiver's private key. Thus, anyone can encrypt a message with someone else's public key, but only that person would ever be able to read it.
Solves symmetric key encryption problem of having to exchange secret key
Uses two mathematically related digital keys – public key (widely disseminated) and private key (kept secret by owner)
Both keys used to encrypt and decrypt message
Once key used to encrypt message, same key cannot be used to decrypt message
For example, sender uses recipient's public key to encrypt message; recipient uses his/her private key to decrypt it
Digital signatures
Public-key cryptography also provides a mechanism for authenticating messages that secret-key techniques do not: digital signatures. The sender of a message completes a calculation (performed by a hash function) involving the actual file structure to be transmitted and his or her private key, and the result of this (the digital signature itself) is appended to the end of the transmission. The receiver can then perform a calculation involving the received message and the sender's public key, and if everything is valid, the sender's identity will have been verified. A benefit of this signature method is that it not only verifies the sender's identity; it also verifies that the original contents of the transmission have not been altered in any way. Because the signature is derived from both the key and the data itself, changing the data later on will cause the receiver's verification to fail. This provides authentication that is even better than a signature on a paper document: a signature can be forged, or the contents of the document could somehow be secretly altered, but with public-key authentication, this cannot be done.
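The sign-then-verify flow described above, as an added Go example that is not part of the paper: the body is hashed with SHA-256, the digest is signed with the sender's private key (RSA-PSS) and checked with the public key, and a changed body fails verification. For contrast, macTag shows why a shared-key MAC cannot give non-repudiation: the receiver holds the same key and can produce the same tag. The key size, function names and sample order text are my own constructions.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedMessage is the transmission with the signature appended to it.
type SignedMessage struct {
	Body      []byte
	Signature []byte
}

// newSigningKey generates the sender's public/private pair (2048-bit RSA).
func newSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// sign hashes the body with SHA-256 and applies the sender's private key to the
// digest (RSA-PSS). The result is the digital signature.
func sign(priv *rsa.PrivateKey, body []byte) (SignedMessage, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Body: body, Signature: sig}, nil
}

// verify recomputes the digest from the received body and checks it against the
// signature with the sender's public key. Any change to the body breaks the match,
// and so does a signature made with some other private key.
func verify(pub *rsa.PublicKey, m SignedMessage) bool {
	digest := sha256.Sum256(m.Body)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], m.Signature, nil) == nil
}

// macTag is the secret-key counterpart: an HMAC over the body under a shared key.
func macTag(sharedKey, body []byte) []byte {
	h := hmac.New(sha256.New, sharedKey)
	h.Write(body)
	return h.Sum(nil)
}

// receiverCanForgeMAC shows why a MAC gives no non-repudiation: the receiver holds
// the same key, so it can produce exactly the tag the sender would have produced.
func receiverCanForgeMAC(sharedKey, body []byte) bool {
	senderTag := macTag(sharedKey, body)
	receiverTag := macTag(sharedKey, body)
	return hmac.Equal(senderTag, receiverTag)
}

func main() {
	priv, err := newSigningKey()
	if err != nil {
		panic(err)
	}
	order := []byte("ship 1 laptop to alice, total 1999") // constructed sample order
	m, _ := sign(priv, order)
	fmt.Println("original verifies:", verify(&priv.PublicKey, m))
	altered := SignedMessage{Body: bytes.Replace(m.Body, []byte("1 laptop"), []byte("9 laptops"), 1), Signature: m.Signature}
	fmt.Println("altered body verifies:", verify(&priv.PublicKey, altered))
	fmt.Println("receiver can forge a MAC tag:", receiverCanForgeMAC([]byte("shared-secret"), order))
}
```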
Network Transport Security
Models such as SET, CAFÉ, DigiCash, First Virtual, and Millicent provide a secure payment method. However, the transaction still depends on the privacy and authentication of the data stream. Basic TCP/IP networking protocols do not include encryption and strong authentication. Higher level protocols such as HTTP, FTP, and Telnet do little to provide advanced security measures beyond user id and password authentication. All information sent using these protocols is unencrypted, so the data stream lacks confidentiality.
Virtual Private Networking (VPN)
The Internet's lack of security may leave you leery. What can you do if you just want to give company insiders and a few select business partners and customers easy and relatively secure remote access to company data via the Internet? You can set up a virtual private network. Virtual Private Networking technology provides the medium to use the public Internet backbone as an appropriate channel for private data communication. With encryption and encapsulation technology, a VPN essentially carves out a private passageway through the Internet. VPNs allow remote offices, company road warriors, and even business partners or customers to use the Internet, rather than pricey private lines, to reach company networks, so companies can save a lot of money. You can also use VPNs to link remote LANs together or give traveling staffers, work-at-home employees, and business partners a simple way to reach past company firewalls and tap into company resources. Virtual private networks are flexible. They are point-to-multipoint connections, rather than point-to-point links. They can be set up or closed down at the network administrator's will, making them ideal for short-term projects. VPNs have many advantages: they are much cheaper for connecting WANs than 800 numbers or dedicated T1 lines; they provide encryption and authentication services for a fairly good measure of privacy; maintenance of the WAN-to-WAN connection is left to Internet Service Providers; and they are highly flexible, and can be set up and taken down very easily.
IPSec (IPv6)
IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF). IPSec provides security for the transmission of sensitive information over unprotected networks such as the Internet. IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices ("peers"), such as Cisco routers.
Secure Socket Layer (SSL)
SSL is the Secure Sockets Layer protocol. Version 2.0 was originated by Netscape Development Corporation, and version 3.0 was designed with public review and input from industry. SSL is a communication system that ensures privacy when communicating with other SSL-enabled products. Technically speaking, SSL is a protocol that runs above TCP/IP and below HTTP or other top-level protocols. It is symmetric encryption nested within public-key encryption, authenticated through the use of certificates. An SSL connection can only occur between an SSL-enabled client and an SSL-enabled server. In fact, when a server is running in SSL mode, it can only communicate through SSL.
S-HTTP was designed by E. Rescorla and A. Schiffman of EIT to secure HTTP connections. S-HTTP provides a wide variety of mechanisms for confidentiality, authentication, and integrity. Separation of policy from mechanism was an explicit goal. The system is not tied to any particular cryptographic system, key infrastructure, or cryptographic format. The Internet draft is fairly clear in its presentation of the protocol, although implementation details are sketchy. S-HTTP is a superset of HTTP, which allows messages to be encapsulated in various ways. Encapsulations can include encryption, signing, or MAC-based authentication. This encapsulation can be recursive, and a message can have several security transformations applied to it. S-HTTP also includes header definitions to provide key transfer, certificate transfer, and similar administrative functions. S-HTTP appears to be extremely flexible in what it will allow the programmer to do. S-HTTP also offers the potential for substantial user involvement in, and oversight of, the authentication and encryption activities.
How SSL relates to TCP/IP and application protocols.
An SSL connection is initiated by a browser when it asks a server for a document through HTTPS, LDAPS, SNEWS, or another protocol layered on SSL.

Transport Layer Security (TLS)
TLS is the IETF standardisation of SSL: TLS 1.0 (RFC 2246, 1999) was derived from SSL 3.0, and the name "SSL" is still commonly used to mean TLS. TLS is a popular mechanism for enhancing TCP communications with confidentiality, integrity and authentication. It is in wide use with the HTTP protocol (as HTTPS) and is also used to add security to many other common protocols that run over TCP, such as SMTP, IMAP and LDAP. Two caveats matter for an e-commerce deployment. First, TLS 1.0 and 1.1 are now deprecated (RFC 8996), so servers should require TLS 1.2 or 1.3 and offer only modern cipher suites. Second, the authentication TLS promises only exists if the client actually validates the server's certificate against a trusted certificate authority and checks that it matches the requested host name; a client that skips either check can be silently redirected to an impostor.
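The layering described above (record layer over TCP, handshake messages inside records, application protocol on top) is easiest to see in the first message a client sends. The following is an added example written for this page, not code from the paper or from any TLS library: it builds a minimal TLS ClientHello record for a constructed host name and cipher-suite list, parses it back out of the raw bytes, and flags legacy versions and RC4/CBC suites that a modern e-commerce server should refuse. The byte layout follows the TLS 1.2 record and handshake formats (RFC 5246) and the server_name extension (RFC 6066); the host name "shop.example" and the chosen suites are assumptions for illustration.

```python
"""Build and parse a minimal TLS ClientHello to show the record/handshake layering.

Added example for this page; not code from the paper. Formats follow RFC 5246 and
RFC 6066. The host name and cipher suites used in the demo are constructed inputs.
"""
import os
import struct

CONTENT_HANDSHAKE = 0x16        # record-layer content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01   # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000        # server_name (SNI) extension type

# A few IANA cipher suite code points, used only to make the output readable
CIPHER_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def build_client_hello(host, cipher_suites, client_version=0x0303, random=None):
    """Return one TLS record carrying a ClientHello with an SNI extension."""
    random = random if random is not None else os.urandom(32)
    name = host.encode("ascii")
    # ServerNameList: list_len(2) | name_type(1)=host_name | name_len(2) | name
    server_name_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = (
        struct.pack("!H", client_version)           # highest version the client supports
        + random                                    # 32-byte client random
        + b"\x00"                                   # session_id length 0
        + struct.pack("!H", len(suites)) + suites   # cipher_suites vector
        + b"\x01\x00"                               # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    # Handshake layer: type(1) | length(3) | body
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record layer: content_type(1) | legacy record version(2) | length(2) | fragment
    # The record version is fixed at 0x0301 for compatibility; it is not the negotiated version.
    return struct.pack("!BHH", CONTENT_HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Walk the record and handshake layers and return the fields a server inspects."""
    content_type, record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != CONTENT_HANDSHAKE or record_len != len(record) - 5:
        raise ValueError("not a well-formed handshake record")
    hs = record[5:]
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    if hs_type != HANDSHAKE_CLIENT_HELLO or hs_len != len(hs) - 4:
        raise ValueError("not a ClientHello")
    body = hs[4:]
    pos = 0
    client_version = struct.unpack_from("!H", body, pos)[0]; pos += 2
    pos += 32                                        # skip client random
    pos += 1 + body[pos]                             # skip session_id
    suites_len = struct.unpack_from("!H", body, pos)[0]; pos += 2
    suites = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, suites_len, 2)]
    pos += suites_len
    pos += 1 + body[pos]                             # skip compression_methods
    sni = None
    if pos < len(body):
        ext_len = struct.unpack_from("!H", body, pos)[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            ext_type, elen = struct.unpack_from("!HH", body, pos); pos += 4
            if ext_type == EXT_SERVER_NAME:
                # skip list_len(2) and name_type(1); then name_len(2) and the name itself
                name_len = struct.unpack_from("!H", body, pos + 3)[0]
                sni = body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    return {
        "record_version": VERSION_NAMES.get(record_version, hex(record_version)),
        "client_version": VERSION_NAMES.get(client_version, hex(client_version)),
        "cipher_suites": [CIPHER_NAMES.get(cs, hex(cs)) for cs in suites],
        "server_name": sni,
    }


def weak_offers(parsed):
    """Flag legacy protocol versions and RC4/CBC (non-AEAD) suites a server should not accept."""
    findings = []
    if parsed["client_version"] in ("SSLv3", "TLS 1.0", "TLS 1.1"):
        findings.append("legacy version " + parsed["client_version"])
    for name in parsed["cipher_suites"]:
        if "RC4" in name or "CBC" in name:
            findings.append("legacy suite " + name)
    return findings


if __name__ == "__main__":
    rec = build_client_hello("shop.example", [0xC02F, 0xC030, 0x0005])   # constructed input
    info = parse_client_hello(rec)
    print(info)
    print(weak_offers(info))
```

The record and handshake headers are the two envelopes that sit between TCP and the application protocol; everything a server uses to pick a version and cipher suite, including the host name it must present a certificate for, is visible in clear text in this first message, which is also why a network monitor can alert on clients that still offer SSLv3 or RC4.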
Conclusion
In summary, the e-commerce industry faces a challenging future in terms of the security risks it must avert. With increasing technical knowledge, and its widespread availability on the Internet, criminals are becoming more and more sophisticated in the deceptions and attacks they can perform. Novel attack strategies and vulnerabilities often only become known once an attacker has uncovered and exploited them. Both privacy and security are still ongoing research problems. Privacy is now understood, by many, to be a social construction in which user expectations are the largest consideration. Yet privacy is also considered a public issue by regulators, who have nonetheless largely allowed technology to unfold to date. Security is now understood to be largely imperfect, a continual cat-and-mouse game between security experts and attackers. That said, there are multiple security strategies which any e-commerce provider can implement to reduce the risk of attack and compromise significantly. Awareness of the risks and the implementation of multi-layered security controls, detailed and open privacy policies, and strong authentication and encryption measures will go a long way towards assuring the consumer and ensuring that the risk of compromise is kept minimal.
References
[1] http://www.msen.com/~chad/ecomm_sec.html
[2] Peixian Li. Issues of Security and Privacy in Electronic Commerce.
[3] Mayur S. Desai, Thomas C. Richards and Kiran J. Desai. E-commerce policies and customer privacy. Information Management & Computer Security, 11(1), 2003.
[4] Bruce Chien-Ta Ho and Kok-Boon Oh. An empirical study of the use of e-security seals in e-commerce. 2008.
[5] S. Mulpuru. B2C eCommerce Expected To Top $300B In Five Years. Forrester Research, 2008, 1-7.
[6] Atul Gupta and Rex Hammond. Information systems security issues and decisions for small businesses. 2003.
[7] M. T. Chan and L. F. Kwok. Integrating security design into the software development process for e-commerce systems. Information Management & Computer Security, 9(3), 2001.
[8] Xiaoming Meng. Analyze and prevent the security risks of e-commerce privacy. International Conference on Management of e-Commerce and e-Government, 2008 (7/8).
[9] George S. Oreku and Jianzhong Li. Rethinking e-commerce security. CIMCA-IAWTIC, 2005 (0/05).
[10] Mauricio S. Featherman, Anthony D. Miyazaki and David E. Sprott. Reducing online privacy risk to facilitate e-service adoption: the influence of perceived ease of use and corporate credibility. Journal of Services Marketing, 24(3), 2010.
[11] Symantec. Attacks rise as e-tailers lag finance sector on security. Computer Weekly, 2007, 4.
[12] Xin Tian and Wei Dai. Study on information management and security of e-commerce system. LEE, 2101 (9/10).
[13] Godwin J. Udo. Privacy and security. Information Management & Computer Security, 9(4), 2001.
[14] Licun Wang, Changing Zou and Shubin Zhang. A study on the commerce security characteristics for electronic business. International Conference on E-Business and E-Government, 2010 (3/10).
[15] Ralph Holbein and Thomas Gaugler. IT security in electronic commerce: from cost to value driver. International Workshop on Database and Expert Systems Applications, 1999 (4/7).
[16] Someswar Kesh, Sam Ramanujan and Sridhar Nerur. A framework for analyzing e-commerce security. Information Management & Computer Security, 10(4), 2001.
[17] Norman Desmarais. Body language. Library Hi Tech, 18(1), 2000.
[18] P. Graves and M. Curtin. Bank One Online Puts Customer Account Information At Risk. 2000. http://www.interhack.net/pubs/bankone-online.
[19] N. Borisov, I. Goldberg and D. Wagner. Intercepting Mobile Communications: The Insecurity of 802.11. Proceedings of the Seventh Annual International Conference on Mobile Computing and Networking, 2001, 180-189.
[20] P. Roberts. Bugbear Virus Spreading Rapidly. PC World Online, October 2, 2002.
[21] J. Neyses. Higher Education Security Alert From the U.S. Secret Service: List of Keystroke Logging Programs. 2002. http://www.unh.edu/tcs/reports/sshesa.html.
[22] D. Winner. Making Your Network Safe for Databases. SANS Information Security Reading Room, July 21, 2002.
[23] Harold F. Tipton and Micki Krause. Information Security Management Handbook. New York: CRC Press, 2002.
[24] Simson Garfinkel, Alan Schwartz and Gene Spafford. Practical Unix & Internet Security. Cambridge, MA: O'Reilly, 2003.
[25] G. Winfield Treese and Lawrence C. Stewart. Designing Systems for Internet Commerce. New York: Addison-Wesley, 1998.
[26] Steven Levy. Crypto: How the Code Rebels Beat the Government, Saving Privacy in the Digital Age. New York: Viking, 2001.
[27] D. Denning. Cryptography and Data Security. New York: Addison-Wesley, 1983.
[28] N. Koblitz. A Course in Number Theory and Cryptography. Berlin: Springer-Verlag, 1994.
[29] B. Schneier. Applied Cryptography. New York: John Wiley & Sons, 1996.
[30] Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone. Handbook of Applied Cryptography. New York: CRC Press, 1996.