E-COMMERCE SEC. 1


Running Head: E-COMMERCE SEC.




                            E-commerce Security

                                Lindsey Landolfi

                                Towson University




                                Network Security

                            Professor Charles Pak

                                    July 2011






       E-commerce, or commerce done via electronic means, has become an increasingly popular method of shopping; it will become mainstream for much of society as electronic forms of payment become preferred over physical cash or checks. The convenience and speed of e-commerce must be accompanied by adequate security and protection of the transactions and payments. Every new opportunity for a retailer also becomes a new opportunity for an attacker; as more money is exchanged electronically, it will attract more attackers hoping to reap a profit. This document provides an overview of the risks presented by e-commerce, explains how proper network security mitigates those risks, and gives real-world examples of how technology and policies failed to protect the consumer.


       As technology has progressed, so has the way consumers use that technology when making purchases. Stores have begun transitioning from traditional brick-and-mortar (physical) stores to having an online presence, and some companies have started without a brick-and-mortar store at all, offering a shopping experience available exclusively online. As retailers make these transitions, consumers have abandoned physical currency in favor of electronic payment. Several electronic payment systems are currently in widespread use. Credit and debit cards are the most prevalent form of electronic currency and have been in use for several years. Online wallets such as PayPal, which allow you to pay directly from an online account or charge a credit card, have also become popular. A newer payment technology still in its infancy is Near Field Communication (NFC) for mobile phones. NFC devices will allow a consumer to hold a mobile phone over a reader to process the payment, so the consumer can stop carrying cash or credit cards altogether.


       While these new payment methods allow unprecedented convenience for the consumer paying for goods and services, for a network security practitioner they present new challenges and threats. The industry has established standard security compliance requirements to protect networks, customer data, and brand reputation. The Payment Card Industry Data Security Standard (PCI DSS) requires annual compliance validation for organizations conducting e-commerce. See appendix, figure 1 for the PCI DSS control objectives and requirements. Many of the same security tools used to protect a computer network may also be employed to defend the networks that process payment transactions. Firewalls may be used to prevent systems holding or processing transactions from reaching any system other than those necessary to carry out their function; they should be configured so that each system can access only the other systems directly necessary to complete the transaction. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) may be used to detect or stop an attack in progress should an attacker get through the firewall, limiting the damage or compromise of data the attacker may attempt. IDS and IPS should be deployed behind the firewall and should monitor traffic in multiple locations, so that the IDS/IPS can report if any one part of the network becomes compromised. Encryption may be employed to render stored data indecipherable to an attacker, but care must be taken to use strong encryption algorithms and keys, and encryption keys should be carefully protected and accessible only to those who require access. Finally, policies must be in place that direct employees on how to maintain a secure environment. An employee training program that teaches employees to recognize an attack and common attack methodologies should be standard, and yearly refresher classes would prove beneficial. Employees should also have easy access to a technical security team to report any suspicious activity, files, or e-mails.
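The segmentation and monitoring described in this paragraph, as an added example that is not part of the original paper: a default-deny firewall policy that lets POS registers reach only the store server and the store server reach only the payment processing center, plus an IDS-style pass over constructed flow records that flags traffic the policy would not permit and large cumulative transfers to unapproved destinations. All hosts (RFC 5737 documentation addresses), ports, rules and log lines are constructed.

```python
"""Default-deny segmentation plus egress monitoring for a payment network.

Added illustration, not part of the original paper. Hosts, rules and the
flow log are constructed; the flow format is a simplified
"src dst dport bytes" record, not any vendor's log format.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Segment roles (constructed). Registers talk only to the store server;
# the store server talks only to the payment processing center.
POS_REGISTERS = ip_network("192.0.2.0/24")
STORE_SERVER = ip_address("198.51.100.10")
PAYMENT_CENTER = ip_address("203.0.113.5")

# Allow rules: (source network, destination network, destination port).
# Anything not matched here is denied.
ALLOW_RULES = [
    (POS_REGISTERS, ip_network(f"{STORE_SERVER}/32"), 8443),
    (ip_network(f"{STORE_SERVER}/32"), ip_network(f"{PAYMENT_CENTER}/32"), 443),
]


def firewall_permits(src, dst, dport):
    """Default-deny check: True only when some allow rule matches the flow."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in sn and d in dn and dport == p for sn, dn, p in ALLOW_RULES)


# Constructed flow log. The two flows to 203.0.113.99 model bulk data
# leaving the store server for a host it should never talk to.
FLOW_LOG = """\
192.0.2.17 198.51.100.10 8443 1200
198.51.100.10 203.0.113.5 443 900
192.0.2.17 198.51.100.10 8443 1100
198.51.100.10 203.0.113.99 22 734003200
192.0.2.44 203.0.113.5 443 500
198.51.100.10 203.0.113.99 22 536870912
"""


def parse_flows(text):
    """Parse 'src dst dport bytes' lines into tuples."""
    flows = []
    for line in text.splitlines():
        src, dst, dport, nbytes = line.split()
        flows.append((src, dst, int(dport), int(nbytes)))
    return flows


def analyze(flows, egress_threshold=1 << 30):
    """Return (denied flows, alerts).

    denied: flows the firewall policy would block (or, with no firewall in
            place as at TJ Maxx, flows that should never have happened).
    alerts: cumulative bytes from one host to one unapproved destination
            that reach egress_threshold (default 1 GiB), the kind of
            outbound transfer an IDS behind the firewall should report.
    """
    denied = []
    outbound = defaultdict(int)
    for src, dst, dport, nbytes in flows:
        if not firewall_permits(src, dst, dport):
            denied.append((src, dst, dport))
            outbound[(src, dst)] += nbytes
    alerts = [
        f"{src} -> {dst}: {total} bytes to unapproved destination"
        for (src, dst), total in outbound.items()
        if total >= egress_threshold
    ]
    return denied, alerts


if __name__ == "__main__":
    denied, alerts = analyze(parse_flows(FLOW_LOG))
    for flow in denied:
        print("DENY", *flow)
    for alert in alerts:
        print("ALERT", alert)
```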


       No one of these tools individually will be a "magic bullet" that prevents or mitigates an attack, but properly combined into a comprehensive security plan and defense they may divert an attacker toward an easier target. When not implemented properly, security tools may leave the company at risk of an information breach. Data breaches may lead to lawsuits, loss of consumer trust, loss of revenue, and may make the victim a target for future attacks. One example of how incorrectly implemented technology failed to provide sufficient security is the case of the TJ Maxx payment processing center in 2005.


        TJ Maxx, a discount store, utilized Wi-Fi networks in its stores to connect the Point of Sale (POS) systems to a central server for the retail location. This central server was responsible for forwarding requests for credit card authorizations to TJ Maxx's central payment processing center. The payment processing center would then contact the customer's bank, obtain authorization, and return the payment authorization to the POS server and register. While this system was successful at processing sales transactions, it lacked a number of important safeguards and contained several security vulnerabilities. While TJ Maxx never revealed the technical details of how the attack progressed, I was able to draw some conclusions based on news reports and the way the hackers were able to extract the confidential data.


        TJ Maxx's Wi-Fi "was using a security protocol known as Wired Equivalent Privacy (WEP)" (Berg, Freeman, Schneider, 2008) at some of its retail sites. Even a properly configured WEP network is relatively easy to crack; WEP's weakness is evident in the authentication sequence, owing to its lack of key management. WEP encryption is so insubstantial that "researchers at Darmstadt Technical University in Germany have demonstrated that a WEP key can be broken in less than a minute" (Berg, Freeman, Schneider, 2008). This use of weak encryption allowed the attacker to break the encryption cipher, join the retail location's wireless network, and access the machines processing payment transactions. There have been reports that some POS system passwords were "set to blank" (Goodin, 2008), or that employees "posted the password and username on a post-it note" (Goodin, 2008) attached to the computer for easy access. TJ Maxx's retail locations did not use firewalls between the POS server and the payment processing center, nor did they include IDS or IPS systems at either the POS server or the payment processing center. They did not conform to the PCI data retention standard, which requires that sensitive data be deleted shortly after the transaction is processed. See appendix, figure 2 for a comparison between data retained by TJ Maxx and the PCI retention standards. Finally, they did not have, or did not enforce, policies on secure network practices. This lack of comprehensive security allowed the attacker to war-drive to find the retail store's wireless network and gain entry to the retail location's local network. Wardriving software uses radio signals to locate and collect information on Wi-Fi networks using weak or no encryption. Once inside the retail location's wireless network, the attacker was able to gain entry to the payment processing center, where he installed a packet sniffing program that collected confidential data exchanged between the POS and central server. Stolen information included private data such as credit and debit card numbers, Personal Identification Numbers (PINs), social security numbers, and driver's license numbers. This information was then periodically uploaded to servers "leased in Latvia and Ukraine" (Zetter, 2010). This process continued for 18 months prior to detection, and the attacker was able to siphon off about 80 gigabytes of data. While any one of these issues alone may have allowed an attacker to gain entry to the network, combined they allowed the attacker unprecedented access to millions of credit and debit card numbers, social security numbers, and bank account numbers. These issues could have been avoided with the proper application of security technology and adherence to security policies.






       The retail Wi-Fi networks should have been configured with strong encryption such as Wi-Fi Protected Access 2 (WPA2), or replaced with physical connections such as Ethernet. Using directional antennas and reduced signal strength to limit how far the wireless signal leaves the building would have required the hacker to come into close physical proximity, making it more difficult to access the Wi-Fi network and possibly deterring an attacker who wishes to remain anonymous. Firewalls should have been deployed at both the POS server and the payment center, limiting communication to the cashier terminals and blocking any other systems from reaching one another. An IDS or IPS deployed at the POS server and the payment processing center could have alerted administrators to the attack in progress, or to confidential data leaving the facility for servers in other countries with which those systems should never communicate. While TJ Maxx claims that some transaction data was being deleted after a short time, some vital data was still being archived. Confidential data that had served its purpose and was no longer needed should have been deleted or, if stored, protected with strong encryption. Passwords for systems that process confidential data should have met higher complexity requirements, such as the criteria of Microsoft's passfilt.dll, to lower the risk of a security breach. Finally, TJ Maxx did not have, or did not enforce, a security policy with guidelines on protecting systems that processed confidential data, policies guiding proper password selection and protection, policies on performing log analysis, or policies specifying how machines that processed confidential data may communicate with the outside world. Much of the research I found concentrates on what technology TJ Maxx did not have deployed, but without policies stating how the technology should act, and enforcement to ensure humans are configuring the technology correctly, it will not provide proper protection.
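The password complexity requirement named in this paragraph, as an added example that is not part of the original paper: a checker modelled on the documented passfilt.dll criteria (at least six characters, characters from three of four classes, no user name or part of the full name) that also reports the blank POS passwords described above. Treating "part of the full name" as any name token of three or more characters is an assumption here, and the sample users are constructed.

```python
"""Password policy check modelled on the passfilt.dll criteria.

Added illustration, not part of the original paper. The rules follow the
documented passfilt.dll policy: minimum six characters, at least three of
the four character classes, and no user name or part of the full name in
the password. Treating a "part of the full name" as any whitespace-
separated token of three or more characters is an assumption made here.
"""
import string

MIN_LENGTH = 6
MIN_CLASSES = 3


def character_classes(password):
    """Count how many of the four passfilt.dll character classes appear."""
    classes = (
        any(c in string.ascii_uppercase for c in password),      # upper case
        any(c in string.ascii_lowercase for c in password),      # lower case
        any(c in string.digits for c in password),               # digits
        any(c not in string.ascii_letters + string.digits for c in password),  # special
    )
    return sum(classes)


def check_password(password, username, full_name=""):
    """Return a list of policy violations; an empty list means the password passes.

    A blank password (the TJ Maxx POS finding) fails every rule at once, so
    it is reported as a single explicit finding rather than as a length
    failure.
    """
    if password == "":
        return ["password is blank"]
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} of 4 character classes")
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    for token in full_name.split():
        # Assumption: name fragments shorter than three characters are ignored.
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains part of the full name ({token})")
    return problems


if __name__ == "__main__":
    # Constructed sample accounts for a store POS register.
    for pw, user, name in [("", "pos01", "Store Clerk"),
                           ("pos01Abc!", "pos01", "Store Clerk"),
                           ("Register#2011", "pos01", "Store Clerk")]:
        print(repr(pw), check_password(pw, user, name) or "OK")
```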





       A second case that illustrates the problems of lacking proper policies is that of RSA and its SecurID tokens. RSA SecurID tokens authenticate a user based on the 'something you have' principle, which requires a tangible object such as a hardware token or an ID card. The second aspect of RSA SecurID's two-factor authentication is the 'something you know' factor, such as a password. RSA is "the only solution that automatically changes your password every 60 seconds" (RSA SecurID, 2011). The tokens generate a random number based on the current time and a seed value set at the factory. So long as the seed value and the algorithm that generates the random number are kept secret, it is impossible for an attacker to calculate the current or next random number in the sequence. The security offered by SecurID led many large corporations and the US Government to use RSA technology to secure their own networks and Virtual Private Networks (VPNs). As a company specializing in security products, RSA was an industry leader in maintaining a secure local network, including defensive countermeasures such as firewalls, IDS/IPS, secure passwords, and encryption. RSA fell victim to an Advanced Persistent Threat (APT) in 2011; an APT typically progresses through distinct phases, each customized to achieve the maximum effect.


       RSA's network initially came under a social engineering attack when low-level employees received "two different phishing emails over a two day period" (Rivner, 2011) containing Excel spreadsheet attachments harboring malicious code. The employees had not received the security training that would have told them not to open the attachments but to forward them to a security department for examination. When the infected attachments were opened, a Trojan executed and began an escalation of privilege until the attacker was able to access the accounts of individuals with credentials for the database containing the seeds used to initialize the SecurID tokens. See appendix, figure 3 for a visual of the stages of the APT attack on RSA. The algorithm used to generate the random number from the seed was also compromised, rendering the SecurID tokens vulnerable. Shortly after the RSA attack, "several large defense contractors" (Diodati, 2011) were attacked and had confidential data removed from their systems.
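The token mechanism described two paragraphs above (a code derived from a factory seed and the current time, checked together with a PIN) and the consequence of the seed database being exposed, as an added example that is not part of the original paper and is not RSA's algorithm: a generic HMAC-SHA1 time-based code in the style of RFC 6238 stands in for the proprietary SecurID function, which the paper does not describe. With the algorithm public, as in this model, the secrecy of the second factor rests entirely on the seed record, and the remediation shown is to replace the seed so codes derived from the leaked value stop verifying. Seed, serial number, PIN and clock values are constructed.

```python
"""Time-synchronous token model with a seed-replacement remediation.

Added illustration, not the paper's content and not RSA's algorithm. A
generic HMAC-SHA1 time-based one-time code (RFC 6238 style) stands in
for the proprietary SecurID function. All seeds, serials, PINs and clock
values below are constructed.
"""
import hashlib
import hmac
import struct

TOKEN_PERIOD = 60     # the 60-second change interval quoted in the paper
TOKEN_DIGITS = 6


def token_code(seed: bytes, unix_time: int) -> str:
    """Code the token displays for the time step containing unix_time.

    The only inputs are the seed and the time step, so anyone holding a
    copy of the seed record computes exactly the code the token shows.
    """
    step = unix_time // TOKEN_PERIOD
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** TOKEN_DIGITS:0{TOKEN_DIGITS}d}"


class TokenServer:
    """Authentication server holding the seed records (the breach target)."""

    def __init__(self, seeds, pins, skew_steps=1):
        self.seeds = dict(seeds)      # token serial -> factory seed
        self.pins = dict(pins)        # user -> PIN, the 'something you know'
        self.skew = skew_steps        # tolerate +/- n periods of clock drift

    def verify(self, user, serial, pin, code, unix_time):
        """Both factors must match: the user's PIN and the current token code."""
        if not hmac.compare_digest(self.pins.get(user, ""), pin):
            return False
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        for drift in range(-self.skew, self.skew + 1):
            expected = token_code(seed, unix_time + drift * TOKEN_PERIOD)
            if hmac.compare_digest(expected, code):
                return True
        return False

    def reseed(self, serial, new_seed):
        """Remediation after a seed record is exposed: install a new seed so
        codes derived from the leaked value no longer verify."""
        self.seeds[serial] = new_seed


# Constructed records; a real seed would be random factory-generated bytes.
SEEDS = {"000123456": b"constructed-factory-seed-0001"}
PINS = {"alice": "4821"}


if __name__ == "__main__":
    now = 1_700_000_000
    server = TokenServer(SEEDS, PINS)
    code = token_code(SEEDS["000123456"], now)
    print("token shows", code)
    print("login ok:", server.verify("alice", "000123456", "4821", code, now))
    server.reseed("000123456", b"constructed-replacement-seed")
    print("old-seed code after reseed:", server.verify("alice", "000123456", "4821", code, now))
```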


       RSA utilized the latest security technology, enabling the company's Computer Incident Response Team to detect and stop the attack quickly, but not quickly enough to stop the attackers from obtaining confidential data. In RSA's case it was not a lack of technology but a lack of policy on training employees to recognize threats, and of procedures for non-technical employees to confirm or report those threats, that led to the data breach. A policy defining the amount of training employees receive, what types of threats they should be trained to watch for, and ways for non-technical employees to report suspicious e-mails could have prevented the initial attack.


       Companies must be prepared for the transition to cyberspace. New e-commerce opportunities for online retailers will also bring new opportunities for cybercrime and cybercriminals. Companies offering e-commerce should use these case examples to understand the risks of exposing networks to the internet. If companies are not properly prepared for the internet threats of tomorrow, they will lose money, reputation, and consumer confidence. For retailers that wish to thrive in this new environment, a proper network defense, strongly enforced security policies, and proper training will allow them to defend against the new attacks that are attracted when money changes hands on the internet. Security is not simply technology; it is the human implementation, enforcement, and management of that technology, supported by security policy, that enables a strong defense.






                                         References

Berg, G., Freeman, M., & Schneider, K. (2008, August). Analyzing the TJ Maxx data security fiasco. The CPA Journal, 34-39. Retrieved from http://www.nysscpa.org/cpajournal/2008/808/essentials/p34.htm

Diodati, M. (2011, June 2). The seed and the damage done: RSA SecurID [Web log post]. Retrieved from Gartner: http://blogs.gartner.com/mark-diodati/2011/06/02/the-seed-and-the-damage-done-rsa-securid/

Goodin, D. (2008, May 27). TJX employee fired for exposing shoddy security. The Register. Retrieved from http://www.securityfocus.com/news/11520

Rivner, U. (2011, April 1). Anatomy of an attack [Web log post]. Retrieved from RSA: http://blogs.rsa.com/rivner/anatomy-of-an-attack/

RSA SecurID. (2011). Securing your future with two-factor authentication. Retrieved from EMC Corporation website: http://www.rsa.com/node.aspx?id=1156

Zetter, K. (2010, March 25). TJX hacker gets 20 years in prison [Web log post]. Retrieved from WIRED Threat Level: privacy, crime and security online: http://www.wired.com/threatlevel/2010/03/tjx-sentencing/






                                          Appendix


Figure 1:

Payment Card Industry (PCI) Data Security Standard (DSS)
Control Objectives and Requirements

Build and Maintain a Secure Network
       Requirement 1: Install and maintain a firewall configuration to protect cardholder data
       Requirement 2: Do not use vendor-supplied defaults for system passwords and other
       security parameters
Protect Cardholder Data
       Requirement 3: Protect stored cardholder data
       Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
       Requirement 5: Use and regularly update anti-virus software
       Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
       Requirement 7: Restrict access to cardholder data by business need-to-know
       Requirement 8: Assign a unique ID to each person with computer access
       Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
       Requirement 10: Track and monitor all access to network resources and cardholder data
       Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
       Requirement 12: Maintain a policy that addresses information security

(PCI Security Standards Council)






Figure 2:

Suspected TJX Data Retention Practice Compared with PCI Standards

Category                    Data Item                       Retained by TJX   Retention permitted by PCI
Cardholder Data             Primary Account Number (PAN)    Yes               Yes
                            Cardholder Name *               Yes               Yes
                            Service Code *                  Yes               Yes
                            Expiration Date *               Yes               Yes
Sensitive Authentication    Full Magnetic Stripe            Yes               No
Data †                      CVC2/CVV2/CID                   Yes               No
                            PIN/PIN Block                   Yes               No

* Must be protected if stored in conjunction with PAN.
† Sensitive authentication data must not be stored after authorization (even if encrypted).

(Berg, Freeman, Schneider, 2008)
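The retention rule summarized in Figure 2, as an added example that is not part of the original paper: an audit of one stored post-authorization record that reports the sensitive authentication data Figure 2 says must never be retained and the cardholder data that is kept alongside an unprotected PAN, together with a purge step that produces the record as it should have been retained. The record layout, field names and values are constructed test data.

```python
"""Retention audit against the PCI rule summarized in Figure 2.

Added illustration, not part of the original paper. Sensitive
authentication data may never be retained after authorization (even
encrypted), and the starred cardholder data items must be protected when
stored with the PAN. Field names and the sample record are constructed.
"""

# Figure 2, lower block: never stored after authorization, even encrypted.
SENSITIVE_AUTH_FIELDS = {"full_magnetic_stripe", "cvc2_cvv2_cid", "pin_block"}
# Figure 2, starred items: must be protected when stored with the PAN.
PROTECTED_WITH_PAN = {"cardholder_name", "service_code", "expiration_date"}


def mask_pan(pan):
    """Truncate a PAN to its first six and last four digits."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def audit_record(record):
    """Return the Figure 2 violations found in one stored record.

    'pan_protected' marks a PAN that has been rendered unreadable (for
    instance truncated or strongly encrypted); the starred fields are only
    a finding when they sit next to a PAN that is not protected.
    """
    findings = []
    present = {k for k, v in record.items() if v not in (None, "")}
    for field in sorted(SENSITIVE_AUTH_FIELDS & present):
        findings.append(f"{field}: must not be retained after authorization")
    if "pan" in present and not record.get("pan_protected", False):
        findings.append("pan: retained without being rendered unreadable")
        for field in sorted(PROTECTED_WITH_PAN & present):
            findings.append(f"{field}: stored alongside an unprotected PAN")
    return findings


def purge(record):
    """Return the record as it should be kept: drop SAD, truncate the PAN."""
    kept = {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_FIELDS}
    if kept.get("pan"):
        kept["pan"] = mask_pan(kept["pan"])
        kept["pan_protected"] = True     # truncation renders the PAN unreadable
    return kept


# Constructed record mirroring the "Data Retained by TJX" column of Figure 2.
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "cardholder_name": "J SAMPLE",
    "service_code": "201",
    "expiration_date": "0513",
    "full_magnetic_stripe": "%B4111111111111111^SAMPLE/J^0513201000000?",
    "cvc2_cvv2_cid": "123",
    "pin_block": "A1B2C3D4E5F60718",
    "pan_protected": False,
}


if __name__ == "__main__":
    for finding in audit_record(SAMPLE_RECORD):
        print("FINDING", finding)
    cleaned = purge(SAMPLE_RECORD)
    print("after purge:", cleaned, "findings:", audit_record(cleaned))
```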

Figure 3:

The Various Stages of the APT Attack Strategy on RSA

(Rivner, 2011)

Department of Defense, U.S. Northern Command, National Guard,  and Defense Su...Department of Defense, U.S. Northern Command, National Guard,  and Defense Su...
Department of Defense, U.S. Northern Command, National Guard, and Defense Su...
 
Proactive vs. Reactive Approaches to Software Security Strategy
Proactive vs. Reactive Approaches to Software Security StrategyProactive vs. Reactive Approaches to Software Security Strategy
Proactive vs. Reactive Approaches to Software Security Strategy
 
US Government Software Assurance and Security Initiativesi
US Government Software Assurance and Security InitiativesiUS Government Software Assurance and Security Initiativesi
US Government Software Assurance and Security Initiativesi
 
The Risks and Security Standards of WLAN Technologies: Bluetooth and Wireles...
The Risks and Security Standards of WLAN Technologies:  Bluetooth and Wireles...The Risks and Security Standards of WLAN Technologies:  Bluetooth and Wireles...
The Risks and Security Standards of WLAN Technologies: Bluetooth and Wireles...
 
Insider Attacks: Theft of Intellectual and Proprietary Data
Insider Attacks: Theft of Intellectual and Proprietary DataInsider Attacks: Theft of Intellectual and Proprietary Data
Insider Attacks: Theft of Intellectual and Proprietary Data
 
The Integration of Geospatial Technologies: GIS and GPS
The Integration of Geospatial Technologies: GIS and GPS	The Integration of Geospatial Technologies: GIS and GPS
The Integration of Geospatial Technologies: GIS and GPS
 
Nuclear Reactors, Materials, and Waste CIKR Sector: Case Study of the Nuclea...
Nuclear Reactors, Materials, and Waste CIKR Sector:  Case Study of the Nuclea...Nuclear Reactors, Materials, and Waste CIKR Sector:  Case Study of the Nuclea...
Nuclear Reactors, Materials, and Waste CIKR Sector: Case Study of the Nuclea...
 
Nuclear Reactors, Materials, and Waste CIKR Sector: Case Study of the Nuclea...
Nuclear Reactors, Materials, and Waste CIKR Sector:  Case Study of the Nuclea...Nuclear Reactors, Materials, and Waste CIKR Sector:  Case Study of the Nuclea...
Nuclear Reactors, Materials, and Waste CIKR Sector: Case Study of the Nuclea...
 
Towson University: COOP: Conduct of Classes During Campus Closings
Towson University: COOP: Conduct of Classes During Campus ClosingsTowson University: COOP: Conduct of Classes During Campus Closings
Towson University: COOP: Conduct of Classes During Campus Closings
 
Generic College: Crisis Communication Plan
Generic College: Crisis Communication PlanGeneric College: Crisis Communication Plan
Generic College: Crisis Communication Plan
 

Último

VIP Independent Call Girls in Mira Bhayandar 🌹 9920725232 ( Call Me ) Mumbai ...
VIP Independent Call Girls in Mira Bhayandar 🌹 9920725232 ( Call Me ) Mumbai ...VIP Independent Call Girls in Mira Bhayandar 🌹 9920725232 ( Call Me ) Mumbai ...
VIP Independent Call Girls in Mira Bhayandar 🌹 9920725232 ( Call Me ) Mumbai ...
dipikadinghjn ( Why You Choose Us? ) Escorts
 
VIP Independent Call Girls in Mumbai 🌹 9920725232 ( Call Me ) Mumbai Escorts ...
VIP Independent Call Girls in Mumbai 🌹 9920725232 ( Call Me ) Mumbai Escorts ...VIP Independent Call Girls in Mumbai 🌹 9920725232 ( Call Me ) Mumbai Escorts ...
VIP Independent Call Girls in Mumbai 🌹 9920725232 ( Call Me ) Mumbai Escorts ...
dipikadinghjn ( Why You Choose Us? ) Escorts
 
Call Girls in New Ashok Nagar, (delhi) call me [9953056974] escort service 24X7
Call Girls in New Ashok Nagar, (delhi) call me [9953056974] escort service 24X7Call Girls in New Ashok Nagar, (delhi) call me [9953056974] escort service 24X7
Call Girls in New Ashok Nagar, (delhi) call me [9953056974] escort service 24X7
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
VIP Call Girl in Mumbai 💧 9920725232 ( Call Me ) Get A New Crush Everyday Wit...
VIP Call Girl in Mumbai 💧 9920725232 ( Call Me ) Get A New Crush Everyday Wit...VIP Call Girl in Mumbai 💧 9920725232 ( Call Me ) Get A New Crush Everyday Wit...
VIP Call Girl in Mumbai 💧 9920725232 ( Call Me ) Get A New Crush Everyday Wit...
dipikadinghjn ( Why You Choose Us? ) Escorts
 
VIP Independent Call Girls in Bandra West 🌹 9920725232 ( Call Me ) Mumbai Esc...
VIP Independent Call Girls in Bandra West 🌹 9920725232 ( Call Me ) Mumbai Esc...VIP Independent Call Girls in Bandra West 🌹 9920725232 ( Call Me ) Mumbai Esc...
VIP Independent Call Girls in Bandra West 🌹 9920725232 ( Call Me ) Mumbai Esc...
dipikadinghjn ( Why You Choose Us? ) Escorts
 
20240429 Calibre April 2024 Investor Presentation.pdf
20240429 Calibre April 2024 Investor Presentation.pdf20240429 Calibre April 2024 Investor Presentation.pdf
20240429 Calibre April 2024 Investor Presentation.pdf
Adnet Communications
 

Último (20)

Booking open Available Pune Call Girls Wadgaon Sheri 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Wadgaon Sheri  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Wadgaon Sheri  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Wadgaon Sheri 6297143586 Call Hot Ind...
 
06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdf
06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdf06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdf
06_Joeri Van Speybroek_Dell_MeetupDora&Cybersecurity.pdf
 
VIP Independent Call Girls in Mira Bhayandar 🌹 9920725232 ( Call Me ) Mumbai ...
VIP Independent Call Girls in Mira Bhayandar 🌹 9920725232 ( Call Me ) Mumbai ...VIP Independent Call Girls in Mira Bhayandar 🌹 9920725232 ( Call Me ) Mumbai ...
VIP Independent Call Girls in Mira Bhayandar 🌹 9920725232 ( Call Me ) Mumbai ...
 
VIP Independent Call Girls in Mumbai 🌹 9920725232 ( Call Me ) Mumbai Escorts ...
VIP Independent Call Girls in Mumbai 🌹 9920725232 ( Call Me ) Mumbai Escorts ...VIP Independent Call Girls in Mumbai 🌹 9920725232 ( Call Me ) Mumbai Escorts ...
VIP Independent Call Girls in Mumbai 🌹 9920725232 ( Call Me ) Mumbai Escorts ...
 
Top Rated Pune Call Girls Viman Nagar ⟟ 6297143586 ⟟ Call Me For Genuine Sex...
Top Rated  Pune Call Girls Viman Nagar ⟟ 6297143586 ⟟ Call Me For Genuine Sex...Top Rated  Pune Call Girls Viman Nagar ⟟ 6297143586 ⟟ Call Me For Genuine Sex...
Top Rated Pune Call Girls Viman Nagar ⟟ 6297143586 ⟟ Call Me For Genuine Sex...
 
Vasai-Virar Fantastic Call Girls-9833754194-Call Girls MUmbai
Vasai-Virar Fantastic Call Girls-9833754194-Call Girls MUmbaiVasai-Virar Fantastic Call Girls-9833754194-Call Girls MUmbai
Vasai-Virar Fantastic Call Girls-9833754194-Call Girls MUmbai
 
The Economic History of the U.S. Lecture 18.pdf
The Economic History of the U.S. Lecture 18.pdfThe Economic History of the U.S. Lecture 18.pdf
The Economic History of the U.S. Lecture 18.pdf
 
Call Girls in New Ashok Nagar, (delhi) call me [9953056974] escort service 24X7
Call Girls in New Ashok Nagar, (delhi) call me [9953056974] escort service 24X7Call Girls in New Ashok Nagar, (delhi) call me [9953056974] escort service 24X7
Call Girls in New Ashok Nagar, (delhi) call me [9953056974] escort service 24X7
 
VVIP Pune Call Girls Katraj (7001035870) Pune Escorts Nearby with Complete Sa...
VVIP Pune Call Girls Katraj (7001035870) Pune Escorts Nearby with Complete Sa...VVIP Pune Call Girls Katraj (7001035870) Pune Escorts Nearby with Complete Sa...
VVIP Pune Call Girls Katraj (7001035870) Pune Escorts Nearby with Complete Sa...
 
VIP Call Girl in Mumbai 💧 9920725232 ( Call Me ) Get A New Crush Everyday Wit...
VIP Call Girl in Mumbai 💧 9920725232 ( Call Me ) Get A New Crush Everyday Wit...VIP Call Girl in Mumbai 💧 9920725232 ( Call Me ) Get A New Crush Everyday Wit...
VIP Call Girl in Mumbai 💧 9920725232 ( Call Me ) Get A New Crush Everyday Wit...
 
VIP Independent Call Girls in Bandra West 🌹 9920725232 ( Call Me ) Mumbai Esc...
VIP Independent Call Girls in Bandra West 🌹 9920725232 ( Call Me ) Mumbai Esc...VIP Independent Call Girls in Bandra West 🌹 9920725232 ( Call Me ) Mumbai Esc...
VIP Independent Call Girls in Bandra West 🌹 9920725232 ( Call Me ) Mumbai Esc...
 
20240429 Calibre April 2024 Investor Presentation.pdf
20240429 Calibre April 2024 Investor Presentation.pdf20240429 Calibre April 2024 Investor Presentation.pdf
20240429 Calibre April 2024 Investor Presentation.pdf
 
05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptx
05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptx05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptx
05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptx
 
The Economic History of the U.S. Lecture 17.pdf
The Economic History of the U.S. Lecture 17.pdfThe Economic History of the U.S. Lecture 17.pdf
The Economic History of the U.S. Lecture 17.pdf
 
Solution Manual for Principles of Corporate Finance 14th Edition by Richard B...
Solution Manual for Principles of Corporate Finance 14th Edition by Richard B...Solution Manual for Principles of Corporate Finance 14th Edition by Richard B...
Solution Manual for Principles of Corporate Finance 14th Edition by Richard B...
 
Kharghar Blowjob Housewife Call Girls NUmber-9833754194-CBD Belapur Internati...
Kharghar Blowjob Housewife Call Girls NUmber-9833754194-CBD Belapur Internati...Kharghar Blowjob Housewife Call Girls NUmber-9833754194-CBD Belapur Internati...
Kharghar Blowjob Housewife Call Girls NUmber-9833754194-CBD Belapur Internati...
 
Vip Call US 📞 7738631006 ✅Call Girls In Sakinaka ( Mumbai )
Vip Call US 📞 7738631006 ✅Call Girls In Sakinaka ( Mumbai )Vip Call US 📞 7738631006 ✅Call Girls In Sakinaka ( Mumbai )
Vip Call US 📞 7738631006 ✅Call Girls In Sakinaka ( Mumbai )
 
The Economic History of the U.S. Lecture 21.pdf
The Economic History of the U.S. Lecture 21.pdfThe Economic History of the U.S. Lecture 21.pdf
The Economic History of the U.S. Lecture 21.pdf
 
Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...
Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...
Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...
 
The Economic History of the U.S. Lecture 25.pdf
The Economic History of the U.S. Lecture 25.pdfThe Economic History of the U.S. Lecture 25.pdf
The Economic History of the U.S. Lecture 25.pdf
 
