The presentation discussed what e-commerce security is and its dimensions, threat concerns, and ways to protect an e-commerce site from hacking and fraud. It also covers the different e-commerce payment methods.
3. “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
– Bruce Schneier
5. TABLE OF CONTENTS
• E-commerce security and
its dimensions
• E-commerce Threat
Concerns
• E-commerce Threats
• Ways to Protect your
Ecommerce Site from
Hacking and Fraud
• E-Commerce Payment
Methods
6. WHAT IS E-COMMERCE SECURITY?
E-commerce security
is the protection of e-commerce assets from
unauthorized access, use, alteration, or destruction.
8. E-COMMERCE THREATS
Threats: anyone with the capability, technology,
opportunity, and intent to do harm.
Potential threats can be foreign or domestic, internal
or external, state-sponsored or a single rogue
element.
Terrorists, insiders, disgruntled employees, and
hackers are included in this profile.
13. Intellectual Property Threats
Using existing materials found on the Internet without
the owner's permission, e.g., unlicensed music downloading,
domain-name cybersquatting, software piracy
22. WAYS TO PROTECT E-COMMERCE SITE FROM HACKING AND FRAUD
Start by Going with an e-commerce
Platform You Know is Secure
• A secure online checkout
• Enterprise-level, layered security
• Encryption for all customer data, preferably with
checkout tools that never store card numbers on
your own systems
• Constant fraud monitoring
• PCI compliance and scans
• Card verification value
• Address verification system
23. WAYS TO PROTECT E-COMMERCE SITE FROM HACKING AND FRAUD
Some Words on the Address Verification
System (AVS) and the Card Verification
Value (CVV)
24. WAYS TO PROTECT E-COMMERCE SITE FROM HACKING AND FRAUD
Have a Backup Plan
25. WAYS TO PROTECT E-COMMERCE SITE FROM HACKING AND FRAUD
Prevent Chargebacks with Tracking
Numbers and a Human Monitoring All
Orders
26. WAYS TO PROTECT E-COMMERCE SITE FROM HACKING AND FRAUD
An Automated Fraud Detection System
Helps Too
27. WAYS TO PROTECT E-COMMERCE SITE FROM HACKING AND FRAUD
Configure System Alerts For When
Suspicious Activity Occurs
28. WAYS TO PROTECT E-COMMERCE SITE FROM HACKING AND FRAUD
Force Yourself and All Employees to
Have Strong Passwords
29. WAYS TO PROTECT E-COMMERCE SITE FROM HACKING AND FRAUD
Set Limits on Purchases from Accounts
on a Given Day
- Eavesdropping is secretly listening to the private conversation of others without their consent, as defined by Black's Law Dictionary. The practice is commonly believed to be unethical.
- A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) and often masks its existence or the existence of other software.
1. Sniffer program. A computer program that analyzes data on a communication network to gather intelligence, such as detecting passwords of interest that are transmitted over the Internet. Sniffers are used by crackers on compromised systems to spy on network traffic and steal access information for even more systems.
2. Backdoor. A backdoor is a method, often secret, of bypassing normal authentication or encryption in a computer system, a product, or an embedded device (e.g. a home router), or its embodiment, e.g. as part of a cryptosystem, an algorithm, a chipset, or a "homunculus computer" (such as that found in Intel's AMT technology). Backdoors are often used for securing remote access to a computer, or obtaining access to plaintext in cryptographic systems.
3. Spoofing. A spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data, thereby gaining an illegitimate advantage.
4. Denial of service. A denial-of-service attack is a security event that occurs when an attacker takes action that prevents legitimate users from accessing targeted computer systems, devices or other network resources.
Encryption
* Public-key encryption (asymmetric) vs Private-key encryption (symmetric) (Figure 5-6)
* Encryption standards: Data Encryption Standard (DES, now obsolete because of its 56-bit key), Advanced Encryption Standard (AES, the current standard)
Protocol
* Secure Sockets Layer (SSL), since superseded by Transport Layer Security (TLS) (Figure 5.10)
* Secure HyperText Transfer Protocol (S-HTTP), an early alternative that was abandoned in favour of HTTPS (HTTP over SSL/TLS)
Digital signature
* Binds the message originator to the exact contents of the message
* A hash function transforms the message into a fixed-length digest (message digest); the 128-bit figure in the original slides corresponds to MD5, which is now broken, and current practice is SHA-256 (256 bits)
* The sender’s private key is used to sign the message digest (in textbook RSA this is "encrypting" the digest with the private key)
* The message + signature are sent to the receiver
* The recipient uses the same hash function to recalculate the message digest
* The sender’s public key is used to recover the digest from the signature (in textbook RSA, "decrypting" it)
* Check to see if the recalculated message digest = recovered message digest; any change to the message or to the signature makes the check fail
Access control and authentication
* Digital signature from user
* Username and password
* Access control list
Firewalls (Figure 5.11)
* International Computer Security Association's classification:
Packet filter firewall: checks the source IP address of each incoming packet and rejects anything that does not match the list of trusted addresses; because the source address is set by the sender, it is prone to IP spoofing
Application level proxy server: terminates the connection and examines the application-layer protocol (e.g., HTTP, FTP) rather than only the addresses, verifying that the traffic really is what it claims to be.
Stateful packet inspection: tracks connections and examines all parts of the IP packet, accepting a packet only if it belongs to a legitimately established session (or opens one on a permitted port).
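To make the difference between the three classes concrete, here is an added example that is not from the original deck: a stateless packet filter, a minimal stateful inspector and an HTTP-only application-level check, run over constructed TCP packets. The addresses come from the RFC 5737 documentation ranges; the trusted list, the permitted ports and the packets are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Added example (not from the original slides). Constructed packets only;
# no sockets are opened. Trusted addresses and ports are assumptions.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str            # "SYN", "SYN-ACK" or "ACK"
    payload: bytes = b""


TRUSTED_SOURCES: Set[str] = {"203.0.113.10"}      # assumed allow-list


def packet_filter(pkt: Packet, trusted: Set[str] = TRUSTED_SOURCES) -> bool:
    """Slide's packet filter: decide on the source address alone. The source
    field is written by the sender, so a spoofed packet passes."""
    return pkt.src in trusted


class StatefulInspector:
    """Tracks TCP sessions: only a SYN to a permitted inbound port (or any
    outbound SYN) opens one; every other packet must match an open session."""

    def __init__(self, inbound_ports: Tuple[int, ...] = (443,)):
        self.inbound_ports = set(inbound_ports)
        self.sessions: Set[Tuple[str, int, str, int]] = set()

    def inspect(self, pkt: Packet, direction: str) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "SYN":
            if direction == "out" or pkt.dport in self.inbound_ports:
                self.sessions.add(key)
                return True
            return False
        return key in self.sessions or reverse in self.sessions


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def application_proxy_check(pkt: Packet) -> bool:
    """Slide's application-level proxy reduced to one rule: an HTTP-only proxy
    relays port-80 data only if it parses as an HTTP request, whatever the
    addresses say. Non-HTTP bytes on port 80 are refused."""
    return pkt.dport == 80 and pkt.payload.startswith(HTTP_METHODS)


def run_scenario() -> Dict[str, List[bool]]:
    """A trusted client completes a handshake to 443; an attacker then forges
    the trusted address on a bare ACK to port 22 without any handshake."""
    trusted, server, other = "203.0.113.10", "198.51.100.5", "192.0.2.44"
    handshake = [
        (Packet(trusted, server, 40000, 443, "SYN"), "in"),
        (Packet(server, trusted, 443, 40000, "SYN-ACK"), "out"),
        (Packet(trusted, server, 40000, 443, "ACK"), "in"),
    ]
    spoofed = (Packet(trusted, server, 51515, 22, "ACK"), "in")
    http = Packet(other, server, 33000, 80, "ACK", b"GET /checkout HTTP/1.1\r\n")
    disguised = Packet(other, server, 33001, 80, "ACK", b"\x16\x03\x01\x02\x00")

    insp = StatefulInspector()
    inbound = [p for p, d in handshake + [spoofed] if d == "in"]
    return {
        "packet_filter": [packet_filter(p) for p in inbound],
        "stateful": [insp.inspect(p, d) for p, d in handshake + [spoofed]],
        "application": [application_proxy_check(p) for p in (http, disguised)],
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:14s} {verdicts}")
```

The packet filter accepts all three inbound packets, including the spoofed one, because it only ever looks at the source address; the stateful inspector rejects the spoofed ACK because no session was ever opened for that 4-tuple; the application check rejects non-HTTP bytes on the web port even though address and port both look fine.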
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.
We've all encountered the CVV. It's the little three-digit code on the back of your credit card (four digits on the front of an American Express card). With reputable ecommerce platforms with solid checkouts you're going to have this system already configured. If not, you might have to go out and find an app or a service for that. However, it's a wonderful way to prevent fraud from people who have only stolen the credit card numbers and not the CVV. Note that PCI DSS forbids storing the CVV after authorization, so your site should pass it to the payment processor and keep only the match/no-match result.
The AVS is a little different. Customers don't see this on the frontend of the site, but once again, most reputable platforms provide this service. Basically, it checks to see if the address in the billing address field matches that of the address on file for the credit card. For instance, a fraudulent user might want to send a product to their address, but a stolen credit card would have another person's address on file, triggering a warning for you.
Fraud generally doesn't cause any problems with your content, but hacking does. Even with all of your security you might end up getting hacked. In that case, there's a possibility of having to relaunch your site or restore it from a backup, so keep tested, offline copies of the site and its database.
Tracking numbers give you a clear picture of how much inventory you have and what happens to a package after it's sent out from your warehouse. Most ecommerce platforms don't require tracking numbers and you can skip the whole UPS/USPS/FedEx tracking thing, but I recommend against that. It's the only evidence you have against someone who claims they never received their package.
Check with your ecommerce platform to see which types of fraud detection tools they use. Sometimes you have to pay a little extra for this.
Every time a suspicious user is on your site, you should know. Every time a person makes a purchase with a fishy address, you should know. This notification shouldn't be sent to a random folder you made in your email inbox, because it's big news that should be addressed instantly.
Don't write passwords down, and change them whenever you suspect they have been exposed; forced monthly rotation is no longer recommended (NIST SP 800-63B), whereas long, unique passwords and multi-factor authentication are. There's really no reason to remember passwords with tools like Dashlane and Roboform. These password managers make up complicated passwords to combat brute-force attacks, and you don't have to think of what you made your password last time.
Let's face it. Sometimes you're not going to be able to take a look at every single sale that goes through your site. Therefore, a random fraudulent purchase might slip through the cracks. However, many ecommerce platforms allow for setting limits on purchases in a given day or other time frame. For example, you might set a limit of $1,000 per day per customer.
This way, if someone comes to your site and tries to buy $5,000 worth of merchandise, your website stops the transaction and notifies you. You're given a little extra time to breathe and look at the transaction, and you might even scare away a criminal.
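The CVV check, the AVS check, the suspicious-activity alerts and the daily purchase limit described above combine naturally into one order-screening step. The following is an added example, not code from the original deck or from any platform: the merchant never holds the CVV itself, so the function consumes the match/no-match result codes a payment processor returns, and the $1,000 limit, the order data and the customer IDs are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple

# Added example, not from the original slides. Card data goes to the
# processor; only its AVS/CVV result codes ("match", "no_match",
# "unavailable") reach this code. All orders below are constructed.

DAILY_LIMIT = 1000.00        # per customer per day, the slide's example figure


@dataclass
class Order:
    order_id: str
    customer_id: str
    amount: float
    avs_result: str          # processor's address-verification outcome
    cvv_result: str          # processor's card-verification-value outcome
    day: date


@dataclass
class Decision:
    action: str                                  # "approve", "review", "decline"
    reasons: List[str] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)


Ledger = Dict[Tuple[str, date], float]           # approved spend per (customer, day)


def _escalate(current: str, proposed: str) -> str:
    """Never downgrade a decision: decline > review > approve."""
    rank = {"approve": 0, "review": 1, "decline": 2}
    return proposed if rank[proposed] > rank[current] else current


def screen_order(order: Order, ledger: Ledger) -> Decision:
    action, reasons = "approve", []

    # CVV: someone holding only a stolen card number cannot supply it.
    if order.cvv_result == "no_match":
        reasons.append("cvv_mismatch")
        action = _escalate(action, "decline")

    # AVS: billing address must match the issuer's record; a stolen card
    # carries the real cardholder's address, so a fraudster mismatches here.
    if order.avs_result == "no_match":
        reasons.append("avs_mismatch")
        action = _escalate(action, "review")

    # Daily cap: cumulative approved spend for this customer plus this order.
    key = (order.customer_id, order.day)
    projected = ledger.get(key, 0.0) + order.amount
    if projected > DAILY_LIMIT:
        reasons.append(f"daily_limit_exceeded:{projected:.2f}>{DAILY_LIMIT:.2f}")
        action = _escalate(action, "review")

    alerts = []
    if action == "approve":
        ledger[key] = projected                  # only approved spend counts
    else:
        # The slide's point: route this to a pager or chat channel, not a mail folder.
        alerts.append(f"ALERT {order.order_id} {action}: {', '.join(reasons)}")
    return Decision(action, reasons, alerts)


def run_demo() -> List[Decision]:
    """Constructed orders that exercise each rule once."""
    d = date(2024, 1, 15)
    orders = [
        Order("A1", "cust-7", 120.00, "match", "match", d),        # clean
        Order("A2", "cust-7", 5000.00, "match", "match", d),       # over the cap
        Order("A3", "cust-9", 80.00, "no_match", "no_match", d),   # stolen number
        Order("A4", "cust-8", 900.00, "match", "match", d),        # clean
        Order("A5", "cust-8", 200.00, "match", "match", d),        # cumulative cap
        Order("A6", "cust-3", 50.00, "no_match", "match", d),      # AVS only
    ]
    ledger: Ledger = {}
    return [screen_order(o, ledger) for o in orders]


if __name__ == "__main__":
    for dec in run_demo():
        print(dec.action, dec.reasons, *dec.alerts)
```

A CVV mismatch is treated as a hard decline, an AVS mismatch as a hold for human review (legitimate customers do mistype addresses), and the cap is applied to the running total for the day rather than to single orders, so that splitting a $5,000 purchase into several smaller ones does not evade it.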
Cash on delivery (COD), sometimes called collect on delivery, is the sale of goods by mail order where payment is made on delivery rather than in advance. If the goods are not paid for, they are returned to the retailer.
Electronic funds transfer (EFT) is the electronic transfer of money from one bank account to another, either within a single financial institution or across multiple institutions, via computer-based systems, without the direct intervention of bank staff. EFTs are known by a number of names. In the United States, they may be referred to as electronic checks or e-checks.
The term covers a number of different payment systems, for example:
cardholder-initiated transactions, using a payment card such as a credit or debit card
direct deposit payment initiated by the payer
direct debit payments for which a business debits the consumer's bank accounts for payment for goods or services
wire transfer via an international banking network such as SWIFT
electronic bill payment in online banking, which may be delivered by EFT or paper check
transactions involving stored value of electronic money, possibly in a private currency.
Credit cards such as Visa or MasterCard have a preset spending limit based on the user’s credit limit.
A debit card removes the amount of the charge from the cardholder’s account and transfers it to the seller’s bank.
A charge card is a card that provides a payment method enabling the cardholder to make purchases which are paid for by the card issuer, to whom the cardholder becomes indebted. The cardholder is obligated to repay the debt to the card issuer in full by the due date, usually on a monthly basis, or be subject to late fees and restrictions on further card use. It can also be a smart card.
Though the terms charge card and credit card are sometimes used interchangeably, they are distinct protocols of financial transactions. Credit cards are revolving credit instruments that do not need to be paid in full every month. There is no late fee payable so long as the minimum payment is made at specified intervals (usually every thirty days). The balance of the account accrues interest, which may be backdated to the date of initial purchase. Charge cards are typically issued without spending limits, whereas credit cards usually have a specified credit limit that the cardholder may not exceed.
A smart card resembles a credit card in size and shape, but inside it is completely different. First of all, it has an inside -- a normal credit card is a simple piece of plastic. The inside of a smart card usually contains an embedded microprocessor. The microprocessor is under a gold contact pad on one side of the card. Think of the microprocessor as replacing the usual magnetic stripe on a credit card or debit card.
Electronic cash is a general term that describes the attempts of several companies to create a value storage and exchange system that operates online in much the same way that government-issued currency operates in the physical world.
A system that allows a person to pay for goods or services by transmitting a number from one computer to another.
Like the serial numbers on real currency notes, the E-cash numbers are unique.
This is issued by a bank and represents a specified sum of real money.
It is anonymous and reusable.
E-Wallet allows you to store multiple credit card and bank account numbers in a secure environment, and eliminate the need to enter in account information when making your payment. Once you have registered and created E-Wallet profiles, you can make payments faster and with less typing.
Cryptocurrency: based on an algorithm that generates unique tokens that can be used in the “real” world
Example: Bitcoin
A type of digital currency in which cryptographic techniques (hashing and digital signatures rather than encryption) are used to regulate the generation of units of currency and verify the transfer of funds, operating independently of a central bank.
Virtual money can be defined as a digital representation of value that is issued and controlled by its developers, and used and accepted among the members of a specific (virtual) community. Unlike regular money, it relies on a system of trust and is not issued by a central bank or other banking authority.
Circulate within internal virtual world
Example: Linden Dollars in the virtual world called Second Life, Facebook Credits