SECURITY ISSUES IN E-COMMERCE
OBJECTIVES
- To understand the need for and concept of security issues in E-Commerce.
- To understand the basic dimensions of E-Commerce security.
- To know about the threats.
- To understand authentication, etc.
- To understand security threats in E-Commerce.
- To understand encryption and decryption in E-Commerce.
- To understand the protection of E-Commerce security.
E-Commerce Security
1. E-Commerce security protects data from unauthorized access and viruses (malicious code and Trojan horses).
2. E-commerce security refers to the measures taken to protect your business and your customers against cyber threats.
3. E-commerce security refers to the principles which guide safe electronic transactions, allowing the buying and selling of goods and services through the Internet, but with protocols in place to provide safety for those involved. Successful business online depends on the customers' trust that a company has e-commerce security basics in place.
4. E-commerce security is the protection of e-commerce assets from unauthorized access, use, alteration, or destruction.
5. E-commerce security is a set of protocols that guards e-commerce transactions. Security requirements must be in place to protect customers and companies alike from threats such as credit card fraud, scamming and malware.
6. E-commerce security is a part of the information security framework and is specifically applied to the components that affect e-commerce, which include computer security, data security and other wider realms of the information security framework.
Need for E-Commerce Security
1. To protect data from unauthorized access and viruses.
2. To protect your business and customers against cyber threats.
3. To protect customers during online transactions such as fund transfers, buying goods and selling goods.
4. To protect data from unauthorized persons (hackers).
5. To monitor transactions online.
6. To protect your information against threats.
Basic Security Issues and Concepts of E-Commerce Security
E-commerce security is the protection of e-commerce assets from unauthorized access, use, alteration, or destruction. Security is an essential part of any transaction that takes place over the Internet. Customers will lose faith in an e-business if its security is compromised. The following are the essential requirements for safe e-payments/transactions:
- Confidentiality: Information should not be accessible to an unauthorized person. It should not be intercepted during transmission.
- Integrity: Information should not be altered during its transmission over the network.
- Authorization: The process that ensures that the person has the right to access certain resources.
- Authenticity: There should be a mechanism to authenticate a user before giving him/her access to the required information.
- Non-Repudiability: Protection against the denial of an order or denial of payment. Once a sender sends a message, the sender should not be able to deny having sent it. Similarly, the recipient of a message should not be able to deny its receipt. Non-repudiation is the assurance that someone cannot deny something.
- Privacy: Provision of data control and disclosure.
Authentication
There should be a mechanism to authenticate a user before giving him/her access to the required information. Authentication is the process by which one entity verifies that another entity is who it claims to be.
Authorization
The process that ensures that the person has the right to access certain resources.
Confidentiality
Keeping private or sensitive information from being disclosed to unauthorized individuals, entities or processes; protection against unauthorized data disclosure.
Integrity
The ability to protect data from being altered or destroyed by unauthorized access or in an accidental manner. Information should not be altered during its transmission over the network.
Non-Repudiation
The ability to limit parties from refusing that a legitimate transaction took place, usually by means of a signature. It is the protection against the denial of an order or denial of payment. Once a sender sends a message, the sender should not be able to deny having sent it. Similarly, the recipient of a message should not be able to deny its receipt.
A typical strong-authentication and signing flow:
1. You see a screen for accessing the application or system, asking for your username and password.
2. You enter the password or passphrase (something that only you know) to get into the system (technically, to access the private key used with the SSL certificate).
3. You select an operation that needs strong authentication (e.g. transfers, loans).
4. You see the exact information for the transaction that you need to sign.
5. You are asked to enter a second authentication factor (hardware or software token, cards, matrix cards, SMS).
6. Authentication is completed, and so is access to the private key for signing.
7. The document that you are viewing gets signed with your private key.
Privacy
Provision of data control and disclosure.
https://termly.io/resources/templates/ecommerce-privacy-policy/#privacy-policy-template-for-ecommerce-full-text-download
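The login-then-sign flow above, as an added example that is not part of the original slides: a small Python simulation of steps 2, 5 and 6 using only the standard library. The password check is salted PBKDF2, the second factor is a TOTP code (RFC 6238, the software-token case from step 5), and the user's signing key is released only when both factors pass. The user record, password and TOTP seed are constructed for the demo; the names `make_user`, `authenticate` and `verify_totp` are this example's own.

```python
import hashlib
import hmac
import secrets
import struct

# Added example: simulated two-factor login that gates access to a signing key.
# Every value here (user name, password, TOTP seed, key bytes) is constructed.

PBKDF2_ITERATIONS = 100_000  # work factor for the stored password hash (step 2)
TOTP_STEP_SECONDS = 30       # time step of the second factor (step 5)


def hash_password(password, salt=None):
    """Returns (salt, digest) for storing a password as a salted PBKDF2-HMAC-SHA256 hash."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Step 2: something the user knows. Constant-time comparison avoids a timing leak."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected_digest)


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // TOTP_STEP_SECONDS, digits)


def verify_totp(secret, code, at_time, window=1):
    """Step 5: something the user has. Accepts the current step plus/minus `window` steps of drift."""
    counter = int(at_time) // TOTP_STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + drift), code)
               for drift in range(-window, window + 1))


def make_user(username, password, totp_secret, signing_key):
    """Builds the constructed server-side record for one user."""
    salt, digest = hash_password(password)
    return {"username": username, "salt": salt, "pw_hash": digest,
            "totp_secret": totp_secret, "signing_key": signing_key}


def authenticate(user, password, otp_code, at_time):
    """Runs steps 2 and 5; returns (granted, reason, signing_key).
    The signing key is released only when both factors pass (step 6)."""
    if not verify_password(password, user["salt"], user["pw_hash"]):
        return False, "password rejected", None
    if not verify_totp(user["totp_secret"], otp_code, at_time):
        return False, "second factor rejected", None
    return True, "ok", user["signing_key"]


if __name__ == "__main__":
    demo_seed = b"12345678901234567890"   # constructed TOTP seed (the RFC 6238 test secret)
    alice = make_user("alice", "correct-horse-battery-staple", demo_seed, secrets.token_bytes(32))
    now = 1_700_000_000
    granted, reason, key = authenticate(alice, "correct-horse-battery-staple", totp(demo_seed, now), now)
    print(granted, reason, key is not None)
```

The `window` argument in `verify_totp` tolerates one time step of clock drift between the token and the server; widening it makes login more forgiving but extends how long an observed code stays usable, which is the trade-off a deployment has to pick deliberately.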
Types of Security Threats
A threat is anyone with the capability, technology, opportunity, and intent to do harm. Potential threats can be foreign or domestic, internal or external, state-sponsored or a single rogue element. Terrorists, insiders, disgruntled employees, and hackers are included in this profile. There are four types of security threats in e-Commerce:
1. Intellectual property threats: use of existing materials found on the Internet without the owner's permission, e.g., music downloading, domain names (cybersquatting), software piracy.
2. Client computer threats
a) Trojan horse: Trojan horse viruses and malicious code are used to attack mobile platforms as well as personal computers. For instance, your mobile phone can be infected by downloading a simple application from Google Play, Apple, or similar sources.
b) Active content: Active content is a type of interactive or dynamic website content that includes programs like Internet polls, JavaScript applications, stock tickers, animated images, ActiveX applications, action items, streaming video and audio, weather maps, embedded objects, and much more. Active content contains programs that trigger automatic actions on a Web page without the user's knowledge or consent.
c) Viruses: A virus is software designed specifically to damage a computer, spreading from program to program and software to software. If a virus has been planted on a website, this will cause problems and complaints from customers: whenever they enter the website, the virus hops onto their computer and damages it. Once this happens the customers will complain, refuse to use the website again and warn off other potential customers. The e-commerce business will then begin to lose customers and money; without money it can no longer advertise, and so will eventually be forgotten and go out of business. To prevent this, the e-commerce website should install an anti-virus program to protect its customers and its business.
https://sites.google.com/site/8ecommerce/risks/security
3. Communication channel threats
a) Sniffer program: A program, device or tool that monitors data traveling over a network. Sniffers can be used both for legitimate network management functions and for stealing information off a network. Unauthorized sniffers can be extremely dangerous to a network's security because they are virtually impossible to detect and can be inserted almost anywhere. This makes them a favorite weapon in the hacker's arsenal. On TCP/IP networks, where they sniff packets, they are often called packet sniffers.
b) Backdoor: A backdoor refers to any method by which authorized and unauthorized users are able to get around normal security measures and gain high-level user access (aka root access) on a computer system, network, or software application. It behaves like malware.
c) Spoofing: Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source. Spoofing can apply to emails, phone calls, and websites, or can be more technical, such as a computer spoofing an IP address, an Address Resolution Protocol (ARP) or Domain Name System (DNS) server, a MAC address, e-mail, a website, caller ID, a text message, facial spoofing, etc.
d) Denial-of-service: A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
4. Server threats
a) Privilege setting: A person using a privileged account might be able to change system configuration settings, read and modify sensitive data, or grant access to critical assets to other users.
b) Server Side Includes (SSI) and Common Gateway Interface (CGI): The biggest threat to server security is the code that you or your users write for the server to execute. Two sources of these problems are Common Gateway Interface (CGI) programs and Server Side Includes (SSI). One of the biggest threats to server security is badly written CGI programs. Intruders exploit poor code by forcing buffer overflows or by passing shell commands through the program to the system. The only way to avoid this and still have the benefit of CGI programs, which can be written in C, Perl, Python, and other programming languages, is to be very careful about the code that you make available on your system.
c) File transfer: An FTP server runs on a computer to provide basic, unencrypted file transfer capability for connecting users. It is most commonly used for anonymous FTP, basically providing public files to anyone. FTP uses clear-text passwords for authentication. Password-sniffing attacks collecting user names and passwords from the network were already common in the mid-1990s.
d) Spamming: Spamming is the use of messaging systems to send unsolicited messages (spam), especially advertising, as well as sending messages repeatedly on the same website. While the most widely recognized form of spam is email spam, the term is applied to similar abuses in other media: instant messaging spam, Usenet newsgroup spam, Web search engine spam, spam in blogs, wiki spam, online classified ads spam, mobile phone messaging spam, Internet forum spam, junk fax transmissions, social spam and spam mobile apps.
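To make the CGI warning in item b) concrete, here is an added example (not code from the slides or from any named project) in Python: a CGI-style host-lookup handler in the form that pastes user input into a shell string, next to a hardened form that allow-lists the parameter, bounds its length and hands an argument list to the program with the shell switched off. `build_command_unsafe`, `build_command_safe`, `has_shell_metacharacters` and `handle_request` are names chosen for this example and the query strings are constructed; neither builder executes anything, so the two can be compared safely.

```python
import re
import shlex
from urllib.parse import parse_qs

# Added example: a CGI "host lookup" script, unsafe and hardened side by side.
# Both functions only build the command; nothing here runs it.

# Allow-list for what a hostname may look like (RFC 1123 labels joined by dots).
HOSTNAME_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{HOSTNAME_LABEL}(?:\.{HOSTNAME_LABEL})*$")
MAX_HOSTNAME_LEN = 253

# Characters a POSIX shell gives special meaning to; used for detection only.
SHELL_METACHARACTERS = set(";|&$`<>(){}\n'\"\\*?")


def build_command_unsafe(query_string):
    """The vulnerable pattern the text warns about: the parameter is pasted into
    a single shell string, so anything the shell interprets in it is interpreted."""
    host = parse_qs(query_string).get("host", [""])[0]
    return f"nslookup {host}"          # would be handed to a shell as-is


def has_shell_metacharacters(value):
    """Detection helper: does the input contain anything a shell would act on?"""
    return any(ch in SHELL_METACHARACTERS for ch in value)


def build_command_safe(query_string):
    """Hardened form: validate against the allow-list, bound the length, and
    return an argv list meant for subprocess.run(argv) with shell=False."""
    host = parse_qs(query_string).get("host", [""])[0]
    if len(host) > MAX_HOSTNAME_LEN or not HOSTNAME_RE.fullmatch(host):
        raise ValueError("host parameter rejected: not a plain hostname")
    return ["nslookup", host]


def handle_request(query_string):
    """What the CGI script hands back: an argv to execute without a shell,
    or a 400-style error for input that failed validation."""
    try:
        argv = build_command_safe(query_string)
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    return {"status": 200, "argv": argv, "preview": shlex.join(argv)}


if __name__ == "__main__":
    # Constructed requests: a normal one and one carrying a URL-encoded ';'.
    for q in ("host=shop.example.com", "host=shop.example.com%3B%20extra-command"):
        print(repr(build_command_unsafe(q)), "->", handle_request(q))
```

The hardened path never tries to "clean" the input; it rejects anything outside the allow-list and keeps the program's argument separate from the program name, which is what removes the interpretation step the unsafe version depends on. The same pattern (validate, bound, no shell) applies to SSI directives and to any other server-side code that touches request data.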
How to Protect/Secure/Counter Threats in E-Commerce
A countermeasure is a procedure that recognizes, reduces, or eliminates a threat.
1. Intellectual property protection
a) Legislature: "Legislature" is a word that comes from Latin, meaning "those who write the laws." A legislature is therefore a group of people who vote for new laws, for example in a state or country. Each person in the legislature is usually either elected or appointed. The constitution of that state or country usually tells how a legislature is supposed to work. In many countries, the legislature is called a Parliament, Congress, or National Assembly. Sometimes there are two groups of members in the legislature; this is called a "bicameral" legislature. A unicameral legislature has only one group of members.
b) Authentication: There should be a mechanism to authenticate a user before giving him/her access to the required information. Authentication is the process by which one entity verifies that another entity is who it claims to be.
Step 1: Promote good password hygiene.
Step 2: Use HTTPS.
Step 3: Choose a secure e-commerce platform.
Step 4: Don't store sensitive user data.
Step 5: Employ your own website monitor.
Step 6: Maintain a security-focused mindset.
2. Client computer protection
a) Privacy: provision of data control and disclosure.
(i) Cookie blockers: Cookies are files created by websites you visit. They make your online experience easier by saving browsing information. With cookies, sites can keep you signed in, remember your site preferences, and give you locally relevant content. There are two types of cookies:
1. First-party cookies are created by the site you visit. The site is shown in the address bar.
2. Third-party cookies are created by other sites. These sites own some of the content, like ads or images, that you see on the webpage you visit.
(ii) Anonymizer: An anonymizer or anonymous proxy is a tool that attempts to make activity on the Internet untraceable. It is a proxy server computer that acts as an intermediary and privacy shield between a client computer and the rest of the Internet. It accesses the Internet on the user's behalf, protecting personal information by hiding the client computer's identifying information.
b) Digital Certificate: A digital certificate is an electronic "password" that allows a person or organization to exchange data securely over the Internet using the public key infrastructure (PKI). A digital certificate is also known as a public key certificate or identity certificate.
c) Browser Protection: Protect yourself against Potentially Unwanted Extensions (PUEs) that can unexpectedly change your browser settings, disrespect your privacy, or otherwise cause problems. Browser protection helps you keep your browser in top shape. Once added to your browser, it scans for PUEs and helps you remove them when found.
d) Anti-Virus Software: Antivirus software is a type of program designed and developed to protect computers from malware like viruses, computer worms, spyware, botnets, rootkits, keyloggers and such. Antivirus programs function to scan, detect and remove viruses from your computer.
e) Computer Forensics Experts: Also called computer forensics engineers, examiners, analysts, or investigators, computer forensics experts investigate cyber crimes, including data breaches and other security incidents. Often collaborating with other security professionals, these professionals gather and inspect evidence from information technology (IT) equipment, computer networks, and related contexts before submitting evidence to law enforcement and/or other authorities.
3. Communication channel protection
Encryption: Encryption is a process that encodes a message or file so that it can only be read by certain people. Encryption uses an algorithm to scramble, or encrypt, data and then uses a key for the receiving party to unscramble, or decrypt, the information. The original message is referred to as plaintext; in its encrypted, unreadable form it is referred to as ciphertext. Basic forms of encryption may be as simple as switching letters. Converting normal text into ciphertext is the technique called encryption. There are two types of encryption protection.
Decryption: Decryption is the process of converting encoded/encrypted data into a form that is readable and understood by a human or a computer. It is performed by decrypting the text manually or by using the keys that were used to encrypt the original data.
a) Private-key encryption (symmetric):
Symmetric encryption is the conventional method of encryption. It is also the simpler of the two techniques. Symmetric encryption is executed by means of only one secret key, known as the "symmetric key", that is possessed by both parties. This key is applied to encode and decode the information. The sender uses this key before sending the message and the receiver uses it to decipher the encoded message.
This is a pretty straightforward technique and, as a result, it doesn't take much time. When it comes to transferring huge amounts of data, symmetric keys are preferred. Caesar's cipher happens to be a good example of symmetric encryption. Modern approaches to symmetric encryption are executed using algorithms such as RC4, AES, DES, 3DES, QUAD, Blowfish, etc.
b) Public-key encryption (asymmetric):
Asymmetric encryption is a relatively new and complex mode of encryption. Complex because it incorporates two cryptographic keys to implement data security. These keys are called a public key and a private key. The public key, as the name suggests, is available to everyone who wishes to send a message. On the other hand, the private key is kept in a secure place by the owner of the public key. The public key encrypts the information to be sent, using a specific algorithm, whereas the private key, which is in the possession of the receiver, decrypts it. The same algorithm is behind both of these processes.
The involvement of two keys makes asymmetric encryption a complex technique. Thus, it proves to be massively beneficial in terms of data security. Diffie-Hellman and RSA are the most widely used algorithms for asymmetric encryption.
Comparison between Symmetric and Asymmetric Encryption

Comparison Factor            | Symmetric Encryption                                                                                   | Asymmetric Encryption
-----------------------------|--------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------
Number of cryptographic keys | Symmetric encryption incorporates only one key for encryption as well as decryption.                   | Asymmetric encryption consists of two cryptographic keys, regarded as the public key and the private key.
Complexity                   | A simple technique compared to asymmetric encryption, as only one key is employed for both operations. | The contribution of separate keys for encryption and decryption makes it a rather complex process.
Swiftness of execution       | Due to its simple nature, both operations can be carried out quickly.                                 | Encryption and decryption by two separate keys, and the process of comparing them, make it a somewhat slow procedure.
Algorithms employed          | RC4, AES, DES, 3DES, QUAD                                                                              | RSA, Diffie-Hellman, ECC, ElGamal, DSA
b) Data Encryption Standard (DES) and Advanced Encryption Standard (AES):
Data Encryption Standard (DES): DES has been found vulnerable to very powerful attacks and therefore its popularity has been slightly on the decline. DES is a block cipher and encrypts data in blocks of 64 bits each, meaning 64 bits of plaintext go in as the input to DES, which produces 64 bits of ciphertext. The same algorithm and key are used for encryption and decryption, with minor differences. The key length is 56 bits.
Advanced Encryption Standard (AES): AES has three fixed 128-bit block ciphers with cryptographic key sizes of 128, 192 and 256 bits. Key size is unlimited, whereas the block size maximum is 256 bits. The AES design is based on a substitution-permutation network (SPN) and does not use the DES Feistel network. AES replaced DES with new and updated features:
- block encryption implementation;
- 128-bit block encryption with 128-, 192- and 256-bit key lengths;
- a symmetric algorithm requiring only one encryption and decryption key;
- data security for 20-30 years;
- worldwide access;
- no royalties;
- easy overall implementation.
Protocol: A protocol is a standard set of rules that allows electronic devices to communicate with each other. These rules include what type of data may be transmitted, what commands are used to send and receive data, and how data transfers are confirmed. There are two types of protocol:
a) Secure Sockets Layer (SSL): provides security for the data that is transferred between a web browser and a server. SSL encrypts the link between a web server and a browser, which ensures that all data passed between them remains private and free from attack.
b) Secure Hypertext Transfer Protocol (S-HTTP): S-HTTP is an Internet protocol for the encryption of Hypertext Transfer Protocol (HTTP) traffic. It is an application-level protocol that extends HTTP by adding encryption to Web pages. It also provides mechanisms for authentication and signatures of messages.
Digital Signature: Digital signatures are like electronic "fingerprints." In the form of a coded message, the digital signature securely associates a signer with a document in a recorded transaction. Digital signatures use a standard, accepted format, called Public Key Infrastructure (PKI), to provide the highest levels of security and universal acceptance. They are a specific signature technology implementation of electronic signature (eSignature).
4. Server Protection
a) Username and Password: set a username and password on your files.
b) Access Control List: set permissions according to the user. For example, the administrator is given full permission while an ordinary user is given read-only permission on a file, so that the user cannot make any changes to the file and can only read it.
c) Firewall: A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Firewalls have been a first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet. A firewall can be hardware, software, or both.
1. Packet filter firewall: checks the IP address of each incoming packet and rejects anything that does not match the list of trusted addresses (prone to IP spoofing).
2. Application-level proxy server: examines the application used for each individual IP packet (e.g., HTTP, FTP) to verify its authenticity.
3. Stateful packet inspection: examines all parts of the IP packet to determine whether to accept or reject the requested communication.
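The three firewall types just listed, as an added example that is not part of the slides: each is written as a decision function over constructed packets in Python, so the difference in what each one can see is visible, including the IP-spoofing weakness noted for the packet filter. The `Packet` class, the trusted-address list, the published-port set and the scenario packets are all assumptions of this example; addresses come from the reserved documentation ranges.

```python
from dataclasses import dataclass

# Added example: the three firewall types as decision functions.
# 192.0.2.0/24 plays the internal network; 198.51.100.0/24 and 203.0.113.0/24 the Internet.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str      # "tcp" or "udp"
    app: str           # application protocol seen in the payload, e.g. "https"
    direction: str     # "in" (from the Internet) or "out" (from the internal network)
    syn: bool = False  # True for the first packet of a new TCP connection


# 1. Packet filter: decides on the claimed source address alone. It cannot tell a
#    genuine trusted host from a packet that merely carries that source address.
TRUSTED_SOURCES = {"203.0.113.10", "198.51.100.7"}   # constructed allow-list


def packet_filter(pkt):
    return pkt.direction == "out" or pkt.src_ip in TRUSTED_SOURCES


# 2. Application-level proxy: looks into the payload and passes only traffic whose
#    application protocol is the one the destination port is meant for.
PORT_TO_APP = {80: "http", 443: "https", 21: "ftp"}


def application_proxy(pkt):
    expected = PORT_TO_APP.get(pkt.dst_port)
    return expected is not None and pkt.app == expected


# 3. Stateful inspection: remembers connections opened from inside and admits an
#    inbound packet only if it belongs to one, or opens a new connection to a port
#    the shop deliberately publishes (its HTTPS port here).
PUBLISHED_PORTS = {443}


def _flow(pkt):
    """Normalized 5-tuple (inside_ip, inside_port, outside_ip, outside_port, proto)."""
    if pkt.direction == "out":
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.protocol)
    return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.protocol)


class StatefulFirewall:
    def __init__(self):
        self.connections = set()

    def inspect(self, pkt):
        flow = _flow(pkt)
        if pkt.direction == "out":
            self.connections.add(flow)          # inside opened it: remember, allow
            return True
        if flow in self.connections:            # reply to something we opened
            return True
        if pkt.syn and pkt.dst_port in PUBLISHED_PORTS:
            self.connections.add(flow)          # new customer connection to the shop
            return True
        return False                            # unsolicited inbound traffic


def run_scenario():
    """Returns each firewall's verdict on four constructed packets."""
    fw = StatefulFirewall()
    outbound = Packet("192.0.2.5", "198.51.100.7", 51000, 443, "tcp", "https", "out", syn=True)
    reply = Packet("198.51.100.7", "192.0.2.5", 443, 51000, "tcp", "https", "in")
    customer = Packet("203.0.113.10", "192.0.2.5", 50000, 443, "tcp", "https", "in", syn=True)
    # Inbound packet that carries a trusted source address but was never solicited.
    spoofed = Packet("203.0.113.10", "192.0.2.5", 4444, 22, "tcp", "ssh", "in", syn=True)
    # Traffic on the web port whose payload is not HTTP at all.
    mismatched = Packet("203.0.113.10", "192.0.2.5", 4000, 80, "tcp", "ftp", "in", syn=True)
    fw.inspect(outbound)
    return {
        "reply": {"stateful": fw.inspect(reply)},
        "customer": {"proxy": application_proxy(customer), "stateful": fw.inspect(customer)},
        "spoofed": {"filter": packet_filter(spoofed), "stateful": fw.inspect(spoofed)},
        "mismatched": {"proxy": application_proxy(mismatched)},
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(name, verdicts)
```

The spoofed packet is the case the slide flags: the packet filter accepts it on the strength of a source address it cannot verify, while the stateful firewall rejects it because no connection to that host and port was ever opened from inside. The proxy check catches the other class of problem, traffic whose payload does not match the service the port is for.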
How to make Secure E-Commerce
THANK YOU

BÀI TẬP BỔ TRỢ TIẾNG ANH 8 - I-LEARN SMART WORLD - CẢ NĂM - CÓ FILE NGHE (BẢN...Nguyen Thanh Tu Collection
 
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...Nguyen Thanh Tu Collection
 
4.9.24 Social Capital and Social Exclusion.pptx
4.9.24 Social Capital and Social Exclusion.pptx4.9.24 Social Capital and Social Exclusion.pptx
4.9.24 Social Capital and Social Exclusion.pptxmary850239
 
4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptxmary850239
 
DBMSArchitecture_QueryProcessingandOptimization.pdf
DBMSArchitecture_QueryProcessingandOptimization.pdfDBMSArchitecture_QueryProcessingandOptimization.pdf
DBMSArchitecture_QueryProcessingandOptimization.pdfChristalin Nelson
 
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...DhatriParmar
 
How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17Celine George
 
Objectives n learning outcoms - MD 20240404.pptx
Objectives n learning outcoms - MD 20240404.pptxObjectives n learning outcoms - MD 20240404.pptx
Objectives n learning outcoms - MD 20240404.pptxMadhavi Dharankar
 
Sulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their usesSulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their usesVijayaLaxmi84
 
The Emergence of Legislative Behavior in the Colombian Congress
The Emergence of Legislative Behavior in the Colombian CongressThe Emergence of Legislative Behavior in the Colombian Congress
The Emergence of Legislative Behavior in the Colombian CongressMaria Paula Aroca
 
Unit :1 Basics of Professional Intelligence
Unit :1 Basics of Professional IntelligenceUnit :1 Basics of Professional Intelligence
Unit :1 Basics of Professional IntelligenceDr Vijay Vishwakarma
 
CLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptxCLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptxAnupam32727
 

Recently uploaded (20)

31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
31 ĐỀ THI THỬ VÀO LỚP 10 - TIẾNG ANH - FORM MỚI 2025 - 40 CÂU HỎI - BÙI VĂN V...
 
Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...
Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...
Healthy Minds, Flourishing Lives: A Philosophical Approach to Mental Health a...
 
BÀI TẬP BỔ TRỢ 4 KĨ NĂNG TIẾNG ANH LỚP 8 - CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC ...
BÀI TẬP BỔ TRỢ 4 KĨ NĂNG TIẾNG ANH LỚP 8 - CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC ...BÀI TẬP BỔ TRỢ 4 KĨ NĂNG TIẾNG ANH LỚP 8 - CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC ...
BÀI TẬP BỔ TRỢ 4 KĨ NĂNG TIẾNG ANH LỚP 8 - CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC ...
 
prashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Professionprashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Profession
 
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxGrade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
 
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 - I-LEARN SMART WORLD - CẢ NĂM - CÓ FILE NGHE (BẢN...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 - I-LEARN SMART WORLD - CẢ NĂM - CÓ FILE NGHE (BẢN...BÀI TẬP BỔ TRỢ TIẾNG ANH 8 - I-LEARN SMART WORLD - CẢ NĂM - CÓ FILE NGHE (BẢN...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 - I-LEARN SMART WORLD - CẢ NĂM - CÓ FILE NGHE (BẢN...
 
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...
BÀI TẬP BỔ TRỢ TIẾNG ANH 11 THEO ĐƠN VỊ BÀI HỌC - CẢ NĂM - CÓ FILE NGHE (GLOB...
 
4.9.24 Social Capital and Social Exclusion.pptx
4.9.24 Social Capital and Social Exclusion.pptx4.9.24 Social Capital and Social Exclusion.pptx
4.9.24 Social Capital and Social Exclusion.pptx
 
4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx
 
Mattingly "AI & Prompt Design" - Introduction to Machine Learning"
Mattingly "AI & Prompt Design" - Introduction to Machine Learning"Mattingly "AI & Prompt Design" - Introduction to Machine Learning"
Mattingly "AI & Prompt Design" - Introduction to Machine Learning"
 
DBMSArchitecture_QueryProcessingandOptimization.pdf
DBMSArchitecture_QueryProcessingandOptimization.pdfDBMSArchitecture_QueryProcessingandOptimization.pdf
DBMSArchitecture_QueryProcessingandOptimization.pdf
 
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
 
How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17
 
Objectives n learning outcoms - MD 20240404.pptx
Objectives n learning outcoms - MD 20240404.pptxObjectives n learning outcoms - MD 20240404.pptx
Objectives n learning outcoms - MD 20240404.pptx
 
Sulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their usesSulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their uses
 
The Emergence of Legislative Behavior in the Colombian Congress
The Emergence of Legislative Behavior in the Colombian CongressThe Emergence of Legislative Behavior in the Colombian Congress
The Emergence of Legislative Behavior in the Colombian Congress
 
CARNAVAL COM MAGIA E EUFORIA _
CARNAVAL COM MAGIA E EUFORIA            _CARNAVAL COM MAGIA E EUFORIA            _
CARNAVAL COM MAGIA E EUFORIA _
 
Unit :1 Basics of Professional Intelligence
Unit :1 Basics of Professional IntelligenceUnit :1 Basics of Professional Intelligence
Unit :1 Basics of Professional Intelligence
 
CLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptxCLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptx
 
Introduction to Research ,Need for research, Need for design of Experiments, ...
Introduction to Research ,Need for research, Need for design of Experiments, ...Introduction to Research ,Need for research, Need for design of Experiments, ...
Introduction to Research ,Need for research, Need for design of Experiments, ...
 

E-Commerce Security Issues and Solutions

  • 1. SECURITY ISSUES IN E-COMMERCE
  • 2. OBJECTIVES - To understand the need for, and the concept of, security in E-Commerce. - To understand the basic dimensions of E-Commerce security. - To know the main threats. - To understand authentication and related controls. - To understand the security threats to E-Commerce. - To understand encryption and decryption in E-Commerce. - To understand how E-Commerce systems are protected.
  • 3. E-Commerce Security 1. E-Commerce security protects data from unauthorized access and from malicious code (viruses, Trojan horses). 2. E-Commerce security refers to the measures taken to protect your business and your customers against cyber threats. 3. E-Commerce security refers to the principles that guide safe electronic transactions: buying and selling goods and services over the Internet with protocols in place to protect those involved. A successful online business depends on the customers' trust that the company has the security basics in place. 4. E-Commerce security is the protection of e-commerce assets from unauthorized access, use, alteration, or destruction. 5. E-Commerce security is the set of controls that guard e-commerce transactions. Security requirements must be in place to protect customers and companies alike from threats such as credit card fraud, scams and malware. 6. E-Commerce security is part of the wider information security framework, applied specifically to the components that affect e-commerce: computer security, data security and network security.
  • 4. Need of E-Commerce Security 1. To protect data from unauthorized access and malware. 2. To protect your business and your customers against cyber threats. 3. To protect customers during online transactions such as fund transfers and buying or selling goods. 4. To protect data from unauthorized persons (attackers). 5. To monitor transactions online and detect fraud. 6. To protect your information against threats.
  • 5. Basic Security issues and concept of E-Commerce Security E-commerce security is the protection of e-commerce assets from unauthorized access, use, alteration, or destruction. Security is an essential part of any transaction that takes place over the Internet; customers will lose faith in an e-business if its security is compromised. The essential requirements for safe e-payments/transactions are: - Confidentiality: information should not be readable by an unauthorized person, and it should not be intercepted in the clear during transmission. - Integrity: information should not be altered, deliberately or accidentally, during its transmission over the network or while it is stored. - Authorization: the process that ensures that an (already authenticated) person has the right to access certain resources. - Authenticity: there must be a mechanism to authenticate a user before giving him/her access to the required information. - Non-repudiation: protection against the denial of an order or the denial of a payment. Once a sender sends a message, the sender should not be able to deny sending it; similarly, the recipient should not be able to deny receiving it. In practice this is provided by digital signatures, because a valid signature can only be produced by the holder of the private key. - Privacy: control over how personal data is collected, used and disclosed.
  • 6. Authentication: the process by which one entity verifies that another entity is who it claims to be. There must be a mechanism to authenticate a user before giving him/her access to the required information (for example a password, a hardware or software token, or a client certificate).
  • 7. Authorization: the process that ensures that an authenticated person has the right to access certain resources. Authentication establishes who the user is; authorization decides what that user is allowed to do.
  • 8. Confidentiality: keeping private or sensitive information from being disclosed to unauthorized individuals, entities or processes; protection against unauthorized data disclosure.
  • 9. Integrity: the ability to protect data from being altered or destroyed, whether through unauthorized access or by accident. Information should not be altered during its transmission over the network.
  • 10. Non-repudiation: the ability to prevent a party from denying that a legitimate transaction took place, usually by means of a digital signature. It is the protection against the denial of an order or the denial of a payment. Once a sender sends a message, the sender should not be able to deny sending it; similarly, the recipient should not be able to deny receiving it.
  • 11. A typical strong-authentication and transaction-signing flow: 1. You see a login screen for the application or system, asking for your username and password. 2. You enter the password or passphrase (something only you know) to get into the system; technically this unlocks the private key that belongs to your client certificate. 3. You select an operation that requires strong authentication (e.g. a transfer or a loan). 4. You are shown the exact details of the transaction you are about to sign (so that what you see is what you sign). 5. You are asked for a second authentication factor (hardware or software token, smart card, matrix card, SMS code). 6. Authentication is complete, and with it access to the private key for signing. 7. The transaction document you are viewing is signed with your private key.
  • 12. Privacy: control over the collection, use and disclosure of personal data. A template privacy policy for an e-commerce site: https://termly.io/resources/templates/ecommerce-privacy-policy/#privacy-policy-template-for- ecommerce-full-text-download
  • 13. Types of Security Threats A threat source is anyone with the capability, technology, opportunity, and intent to do harm. Potential threat sources can be foreign or domestic, internal or external, state-sponsored or a single rogue element; terrorists, insiders, disgruntled employees, and hackers all fit this profile. There are 4 categories of security threats in e-Commerce: 1. Intellectual property threats: use of existing material found on the Internet without the owner's permission, e.g. unauthorized music downloading, domain-name cybersquatting, software piracy.
  • 14. 2. Client computer threats a) Trojan horse: a program that appears useful but carries hidden malicious code. Trojan horses are used to attack mobile platforms as well as personal computers; for instance, a mobile phone can be infected by installing a seemingly harmless application from Google Play, Apple's App Store, or similar sources.
  • 15. b) Active content: active content is interactive or dynamic website content that includes programs such as Internet polls, JavaScript applications, stock tickers, animated images, ActiveX controls, streaming video and audio, weather maps, embedded objects, and much more. The risk is that active content runs on the client with the user's privileges and can trigger actions on a Web page without the user's knowledge or consent, so malicious active content can read or alter data on the client or act in the user's name.
  • 16. c) Viruses: viruses are software designed to damage a computer, spreading from program to program. If a virus is planted on a website, every customer who visits may have their computer infected; customers will complain, refuse to use the website again and warn off other potential customers, and the e-commerce business loses customers and then revenue. To prevent this, the e-commerce site must keep its own servers clean (patched, monitored and scanned for injected content), and customers should run an up-to-date anti-virus program. https://sites.google.com/site/8ecommerce/risks/security
  • 17. 3. Communication channel threats a) Sniffer program: a program, device or tool that monitors data travelling over a network. Sniffers can be used both for legitimate network management and for stealing information off a network. Unauthorized sniffers are dangerous because they are passive and therefore very hard to detect, and they can be inserted almost anywhere along the path. On TCP/IP networks, where they capture packets, they are often called packet sniffers. The countermeasure is encryption in transit (TLS), which makes captured traffic useless to the attacker.
  • 18. b) Backdoor: a backdoor is any method by which users, authorized or not, bypass normal security measures and gain high-level (e.g. root) access to a computer system, network, or software application. Backdoors are often installed by malware or left behind by an intruder after a first compromise.
  • 19. c) Spoofing: spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source. Spoofing can apply to emails, phone calls (caller ID), text messages and websites, or can be more technical, such as forging an IP address, MAC address, Address Resolution Protocol (ARP) reply or Domain Name System (DNS) response, or defeating facial recognition with a photo or mask.
  • 20. d) Denial-of-service: a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled; when the flood comes from many compromised machines at once it is called a distributed denial-of-service (DDoS) attack.
  • 21. 4. Server threats a) Privilege setting: a person using a privileged account might be able to change system configuration settings, read and modify sensitive data, or grant access to critical assets to other users. Privileged accounts should therefore be few, used only when needed (least privilege), and their activity logged.
  • 22. b) Server Side Include (SSI), Common Gateway Interface (CGI): the biggest threat to server security is the code that you or your users write for the server to execute. Two sources of these problems are Common Gateway Interface (CGI) programs and Server Side Includes (SSI). Badly written CGI programs are a classic example: intruders exploit poor code by forcing buffer overflows or by passing shell commands through the program to the operating system (command injection). CGI programs can be written in C, Perl, Python and other languages; to keep their benefit safely you must be very careful about the code you make available on your system: validate every input, never pass untrusted data to a shell, and run the programs with the least privilege they need.
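The "passing shell commands through the program" problem in the slide above is worth seeing concretely. The following added example (not from the slides) takes a hypothetical CGI-style "ping this host" feature: the vulnerable version builds a shell command string from the request parameter, so a value containing `;` runs a second command; the hardened version validates the parameter as a hostname or IP address and passes it to the operating system as an argument vector, never through a shell. The request values are constructed for the example.

```python
import ipaddress
import re
import subprocess

# Constructed request parameters, as a CGI script would receive them from the
# query string. The second one carries an injected shell command.
BENIGN_HOST = "shop.example.com"
HOSTILE_HOST = "shop.example.com; cat /etc/passwd"

# RFC 1123 hostname: 1-253 chars, labels of 1-63 letters/digits/hyphens that
# do not start or end with a hyphen. A leading hyphen would also let the value
# be parsed as an option by the target program, so rejecting it matters twice.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_ping_command_vulnerable(host: str) -> str:
    """The classic mistake: untrusted input concatenated into a string that /bin/sh
    will parse. Metacharacters such as ; | & $( ) in `host` become shell syntax."""
    return "ping -c 1 " + host


def is_valid_target(host: str) -> bool:
    """Accepts only a literal IPv4/IPv6 address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return HOSTNAME_RE.match(host) is not None


def build_ping_command_safe(host: str) -> list:
    """Hardened form: allow-list validation, then an argv list (no shell involved)."""
    if not is_valid_target(host):
        raise ValueError("invalid host")
    return ["ping", "-c", "1", host]


def is_rejected(host: str) -> bool:
    """True when the hardened builder refuses the value."""
    try:
        build_ping_command_safe(host)
    except ValueError:
        return True
    return False


def run_ping(host: str) -> int:
    """Runs the validated command with shell=False; returns the exit status.
    (Not exercised by the checks below, because it needs network access.)"""
    argv = build_ping_command_safe(host)
    return subprocess.run(argv, capture_output=True, timeout=10).returncode


if __name__ == "__main__":
    print("vulnerable builds:", build_ping_command_vulnerable(HOSTILE_HOST))
    print("hardened builds:  ", build_ping_command_safe(BENIGN_HOST))
    print("hostile rejected: ", is_rejected(HOSTILE_HOST))
```

Validation alone is not enough if the result is still handed to a shell; the two controls work together: the allow-list keeps the value small and boring, and the argv list guarantees that whatever slips through is treated as data, not as commands.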
  • 23. c) File transfer: an FTP server runs on a computer to provide basic, unencrypted file transfer to connecting users. It is most commonly used for anonymous FTP, i.e. providing public files to anyone. FTP sends user names and passwords in clear text, and password-sniffing attacks that collected them from the network were already common in the mid-1990s. Use SFTP or FTPS instead, and never expose an FTP login for the web server's document root.
  • 24. d) Spamming: spamming is the use of messaging systems to send unsolicited messages (spam), especially advertising, or to send the same message repeatedly on a website. While the most widely recognized form is email spam, the term is applied to similar abuses in other media: instant messaging spam, Usenet newsgroup spam, Web search engine spam, spam in blogs, wiki spam, online classified ads spam, mobile phone messaging spam, Internet forum spam, junk fax transmissions, social spam, and spam mobile apps.
  • 25. How to Protect/Secure/Counter Measure Threats in E-Commerce A countermeasure is a procedure that recognizes, reduces, or eliminates a threat. 1. Intellectual property protection a) Legislature: "legislature" comes from Latin and means "those who write the laws". A legislature is a group of people who vote on new laws, for example in a state or country; its members are usually either elected or appointed, and the constitution of that state or country usually says how the legislature is supposed to work. In many countries the legislature is called a Parliament, Congress, or National Assembly. Sometimes it has two chambers (a "bicameral" legislature); a unicameral legislature has only one. Copyright, trademark and anti-cybersquatting laws passed by legislatures are the main remedy against intellectual property threats.
  • 26. b) Authentication: there must be a mechanism to authenticate a user before giving him/her access to the required information; authentication is the process by which one entity verifies that another entity is who it claims to be. Step 1: Promote good password hygiene. Step 2: Use HTTPS. Step 3: Choose a secure e-commerce platform. Step 4: Don't store sensitive user data you do not need. Step 5: Employ your own website monitor. Step 6: Maintain a security-focused mindset.
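Step 1 ("good password hygiene") and Step 4 ("don't store sensitive user data") meet in one place: the server must be able to check a password without ever storing it. The following added example (not from the slides) shows how: a password policy check against a tiny constructed breach list, and salted PBKDF2-HMAC-SHA256 hashing with a constant-time verification. The record format `pbkdf2_sha256$iterations$salt$hash` and the helper names are assumptions of this example; the iteration count follows current OWASP guidance for PBKDF2-SHA256.

```python
import base64
import hashlib
import hmac
import os

# OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256. Stored in the record, so
# it can be raised later without invalidating existing hashes.
ITERATIONS = 600_000

# Constructed stand-in for a breached-password list; a real check uses a large
# list or the Have I Been Pwned k-anonymity range API.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "password123", "letmein"}


def check_password_policy(password: str) -> list:
    """Returns the list of violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in a common/breached password list")
    if password.strip() != password:
        problems.append("leading or trailing whitespace")
    return problems


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS, salt: bytes = None) -> str:
    """Produces a self-describing record: algorithm, iterations, random salt, derived key."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(dk))


def verify_password(password: str, record: str) -> bool:
    """Re-derives the key with the stored parameters and compares in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print(check_password_policy("password"))        # two violations
    rec = hash_password("correct horse battery staple")
    print(rec)                                      # nothing in here reveals the password
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("Correct horse battery staple", rec))   # False
```

Because the salt is random, two users with the same password get different records, so a leaked table cannot be attacked with one precomputed dictionary; because the comparison is constant-time, the server's response time does not leak how many bytes of the hash matched.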
  • 27. 2. Client computer threats a) Privacy: control over data collection and disclosure. (i) Cookie blockers: cookies are files created by websites you visit. They make your online experience easier by saving browsing information: with cookies, sites can keep you signed in, remember your site preferences, and give you locally relevant content. There are two types of cookies: 1. First-party cookies are created by the site you visit, the one shown in the address bar. 2. Third-party cookies are created by other sites that own some of the content on the page you visit, such as ads or images; they are what allow tracking across sites, so blocking them is the main privacy gain.
  • 28. (ii) Anonymizer: an anonymizer or anonymous proxy is a tool that attempts to make activity on the Internet untraceable. It is a proxy server that acts as an intermediary and privacy shield between a client computer and the rest of the Internet: it accesses the Internet on the user's behalf, protecting personal information by hiding the client computer's identifying information.
  • 29. b) Digital Certificate: a digital certificate is an electronic document that binds a public key to the identity of a person or organization and is signed by a certificate authority, allowing the parties to exchange data securely over the Internet using the public key infrastructure (PKI). A digital certificate is also known as a public key certificate or identity certificate.
  • 30. c) Browser Protection: protect yourself against Potentially Unwanted Extensions (PUEs) that can unexpectedly change your browser settings, disrespect your privacy, or otherwise cause problems. Browser protection helps you keep your browser in good shape: once added to your browser, it scans for PUEs and helps you remove them when found.
  • 31. d) Anti-virus Software: anti-virus software is a program designed to protect computers from malware such as viruses, computer worms, spyware, botnets, rootkits and keyloggers. Anti-virus programs scan for, detect and remove malware from your computer.
  • 32. e) Computer Forensics Experts: computer forensics engineers, examiners, analysts, or investigators investigate cyber crimes, including data breaches and other security incidents. Often collaborating with other security professionals, they gather and inspect evidence from information technology (IT) equipment, computer networks, and related contexts before submitting the evidence to law enforcement and/or other authorities.
  • 33. 3. Communication channel protection Encryption: encryption is a process that encodes a message or file so that it can only be read by the intended parties. An algorithm scrambles (encrypts) the data under a key, and the receiving party uses a key to unscramble (decrypt) it. The original readable message is called plaintext; in its encrypted, unreadable form it is called ciphertext. Basic forms of encryption may be as simple as substituting letters. There are two types of encryption, described below. Decryption: decryption is the process of converting encrypted data back into a form that is readable by a human or a computer, using the key that corresponds to the one used for encryption.
  • 35. a) Private-key encryption (symmetric): symmetric encryption is the conventional method of encryption and the simpler of the two techniques. It uses only one secret key, the symmetric key, possessed by both parties; this key is applied to both encode and decode the information. The sender uses it before sending the message and the receiver uses it to decipher the encoded message. Because the operations are cheap, symmetric encryption is fast and is preferred for bulk data. Caesar's cipher is a simple (and completely insecure) example of symmetric encryption. Modern symmetric algorithms include AES, ChaCha20, Blowfish, RC4, DES, 3DES and QUAD, of which only AES and ChaCha20 should be used today: RC4 and DES are broken and 3DES is deprecated. The hard part of symmetric encryption is getting the shared key to the other party securely, which is what asymmetric encryption solves.
  • 36. b) Public-key encryption (asymmetric): asymmetric encryption is a newer and more complex mode of encryption, complex because it uses two mathematically related cryptographic keys, a public key and a private key. The public key, as the name suggests, is made available to everyone who wishes to send a message, while the private key is kept secret by its owner. The sender encrypts the information with the recipient's public key and only the matching private key, in the possession of the recipient, can decrypt it; the same algorithm underlies both operations. The same key pair used the other way round (private key to sign, public key to verify) gives digital signatures. RSA (encryption and signatures) and Diffie-Hellman (key agreement) are the most widely used asymmetric algorithms; their elliptic-curve variants (ECDH, ECDSA) are now common because they use much shorter keys.
  • 37. Comparison between Symmetric and Asymmetric encryption
  Comparison factor | Symmetric encryption | Asymmetric encryption
  Number of cryptographic keys | One key, used for both encryption and decryption. | Two keys, a public key and a private key.
  Complexity | Simpler: a single key carries out both operations. | More complex: separate keys for encryption and decryption, plus key distribution and certificate management.
  Speed of execution | Fast; both operations can be carried out quickly, so it is used for bulk data. | Slow, because it relies on modular arithmetic on very large numbers; in practice used only to exchange a symmetric key or to sign a hash.
  Algorithms employed | RC4, AES, DES, 3DES, QUAD (only AES is still recommended) | RSA, Diffie-Hellman (key exchange), ECC, ElGamal, DSA (signatures)
  • 38. b) Data Encryption Standard (DES) and Advanced Encryption Standard (AES): Data Encryption Standard (DES): DES is vulnerable to practical attacks. Its key is 64 bits long, but only 56 bits are used by the algorithm (the other 8 are parity bits), and a 56-bit key can be recovered by exhaustive search in hours on modest hardware, so DES is no longer approved for protecting data. DES is a block cipher: it encrypts data in 64-bit blocks, meaning 64 bits of plaintext go in and 64 bits of ciphertext come out. The same algorithm and key are used for encryption and decryption, with minor differences in the order of the round keys.
  • 39. b) Data Encryption Standard (DES) and Advanced Encryption Standard (AES): Advanced Encryption Standard (AES): AES is a block cipher with a fixed 128-bit block and three key sizes, 128, 192 and 256 bits (the underlying Rijndael design also allows larger block sizes, but the standard fixes the block at 128 bits). The AES design is a substitution-permutation network (SPN) and does not use the Feistel structure of DES. AES replaced DES with new and updated features: block encryption with 128-bit blocks and 128-, 192- and 256-bit keys; a symmetric algorithm requiring only one key for encryption and decryption; a security margin expected to last for decades; worldwide availability with no royalties; and efficient implementation in software and hardware. Note that a block cipher on its own only protects confidentiality of single blocks; it must be used in a mode of operation such as GCM that also provides integrity.
  • 40. Protocol: a protocol is a standard set of rules that allow electronic devices to communicate with each other. These rules include what type of data may be transmitted, what commands are used to send and receive data, and how data transfers are confirmed. Two security protocols are relevant here: a) Secure Sockets Layer (SSL), now superseded by Transport Layer Security (TLS), provides security for the data transferred between a web browser and a server. TLS encrypts the link between the web server and the browser, which ensures that all data passed between them remains private and unaltered, and it authenticates the server by means of its certificate. All versions of SSL and TLS 1.0/1.1 are deprecated; servers should offer TLS 1.2 or 1.3 only.
  • 41. b) Secure Hypertext Transfer Protocol (S-HTTP): S-HTTP is an application-level protocol that extends HTTP by adding encryption of individual Web pages and messages. It also provides mechanisms for authentication and for signing messages. S-HTTP was never widely adopted; in practice HTTPS, i.e. HTTP carried over TLS, is what secures web traffic.
  • 42. Digital Signature: digital signatures are like electronic "fingerprints". In the form of a coded value attached to the document, a digital signature securely associates a signer with a document in a recorded transaction. Digital signatures rely on public key infrastructure (PKI): the signer's private key produces the signature over a hash of the document, and anyone holding the signer's certificate can verify it with the public key, which gives both integrity and non-repudiation. They are a specific technology implementation of electronic signature (eSignature).
  • 43. 4. Server Protection a) Username and Password: require an account with a user name and password before any server file or administrative interface can be accessed, and store the passwords only as salted hashes, never in clear text. b) Access Control List: set permissions per user or group; for example the administrator has full permission on a file while ordinary users have read permission only, so that a user cannot make any change to the file.
  • 44. c) Firewall: a firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Firewalls have been a first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet. A firewall can be hardware, software, or both. 1. Packet filter firewall: checks the header fields of each packet (source and destination IP address, protocol, ports) in isolation against a list of rules and rejects anything that does not match; it cannot tell whether a packet belongs to a real connection, so it is prone to IP spoofing. 2. Application level proxy server: terminates the connection and examines the application protocol used for each request (e.g. HTTP, FTP) to verify its legitimacy before forwarding it. 3. Stateful packet inspection: tracks the state of each connection and examines all parts of the IP packet in that context to determine whether to accept or reject the requested communication, so replies to connections opened from inside are allowed and unsolicited packets are dropped.
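The difference between firewall types 1 and 3 above is easiest to see on traffic. The following added example (not from the slides) simulates a packet filter and a stateful inspector over the same constructed packet sequence for a hypothetical shop server 10.0.0.5: a customer connects to HTTPS, the shop opens an outbound connection to a payment gateway, and an attacker sends a forged "established" packet. The packet filter must either block the gateway's reply or add a loose rule that also admits the forgery; the stateful inspector allows the reply because it remembers the outbound connection and drops the forgery because no such connection exists. Addresses, rules and the packet format are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: str = ""  # TCP flags as letters: "S" = SYN, "SA" = SYN/ACK, "A" = ACK


INSIDE_PREFIX = "10.0.0."  # hypothetical internal network


def direction(pkt: Packet) -> str:
    return "out" if pkt.src.startswith(INSIDE_PREFIX) else "in"


# Rule fields absent from a rule are wildcards; first match wins; default deny.
STRICT_RULES = [
    {"dir": "in", "proto": "tcp", "dst": "10.0.0.5", "dport": 443, "action": "allow"},
    {"dir": "out", "proto": "tcp", "action": "allow"},
]
# The "fix" an administrator reaches for when the strict rules block replies to
# outbound connections: admit anything coming from source port 443.
LOOSE_RULES = STRICT_RULES + [
    {"dir": "in", "proto": "tcp", "sport": 443, "action": "allow"},
]


def stateless_filter(pkt: Packet, rules: list) -> bool:
    """Packet filter: every packet is judged on its own headers against the rule list."""
    for rule in rules:
        if rule["dir"] != direction(pkt):
            continue
        if all(rule.get(f, getattr(pkt, f)) == getattr(pkt, f)
               for f in ("proto", "src", "dst", "sport", "dport")):
            return rule["action"] == "allow"
    return False


class StatefulFirewall:
    """Stateful inspection: only SYNs are matched against the rules; everything
    else must belong to a connection already recorded in the state table."""

    def __init__(self, rules: list):
        self.rules = rules
        self.table = set()  # 5-tuples of connections that were allowed to open

    def inspect(self, pkt: Packet) -> bool:
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.table or reverse in self.table:
            return True  # part of an established connection, in either direction
        if pkt.proto == "tcp" and pkt.flags != "S":
            return False  # claims to be mid-connection but we never saw it open
        if stateless_filter(pkt, self.rules):
            self.table.add(forward)
            return True
        return False


# Constructed traffic. 198.51.100.7 is a customer, 203.0.113.9 the payment
# gateway, 203.0.113.66 an attacker forging an "established" packet to SSH.
CUSTOMER_SYN = Packet("198.51.100.7", "10.0.0.5", "tcp", 40000, 443, "S")
CUSTOMER_REPLY = Packet("10.0.0.5", "198.51.100.7", "tcp", 443, 40000, "SA")
GATEWAY_SYN = Packet("10.0.0.5", "203.0.113.9", "tcp", 51000, 443, "S")
GATEWAY_REPLY = Packet("203.0.113.9", "10.0.0.5", "tcp", 443, 51000, "SA")
FORGED_ACK = Packet("203.0.113.66", "10.0.0.5", "tcp", 443, 22, "A")
TRAFFIC = [CUSTOMER_SYN, CUSTOMER_REPLY, GATEWAY_SYN, GATEWAY_REPLY, FORGED_ACK]


def run_stateful(traffic: list) -> list:
    """Verdicts of a fresh stateful firewall over a packet sequence."""
    fw = StatefulFirewall(STRICT_RULES)
    return [fw.inspect(p) for p in traffic]


if __name__ == "__main__":
    print("packet filter, strict:", [stateless_filter(p, STRICT_RULES) for p in TRAFFIC])
    print("packet filter, loose: ", [stateless_filter(p, LOOSE_RULES) for p in TRAFFIC])
    print("stateful:             ", run_stateful(TRAFFIC))
```

The strict packet filter blocks the gateway's reply (fourth verdict), the loose one lets the reply through but also the forged packet to port 22 (fifth verdict), and only the stateful firewall gets both right; that is exactly the spoofing weakness the slide attributes to type 1.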
  • 45. How to make Secure E-Commerce