Security Issues In E-Commerce
Introduction
E-commerce is defined as the buying and selling of products or services over electronic systems such as the Internet and, to a lesser extent, other computer networks. It is generally regarded as the sales and commercial function of eBusiness. There has been a massive increase in the level of trade conducted electronically since the widespread penetration of the Internet. A wide variety of commerce is conducted via eCommerce, including electronic funds transfer, supply chain management, Internet marketing, online transaction processing, electronic data interchange (EDI), inventory management systems, and automated data collection systems.
This massive increase in the uptake of eCommerce has led to a new generation of associated security threats, but any eCommerce system must meet four integral requirements:
a) privacy – information exchanged must be kept from unauthorized parties
b) integrity – the exchanged information must not be altered or tampered with
c) authentication – both sender and recipient must prove their identities to each other and
d) non-repudiation – proof is required that the exchanged information was indeed received
Privacy
Privacy has become a major concern for consumers with the rise of identity theft and impersonation, and any concern for consumers must be treated as a major concern for eCommerce providers. According to Consumer Reports Money Adviser (Perrotta, 2008), the US Attorney General has announced multiple indictments relating to a massive international security breach involving nine major retailers and more than 40 million credit- and debit-card numbers. US attorneys think that this may be the largest hacking and identity-theft case ever prosecuted by the Justice Department. Legislation in both the EU and the US (at federal and state level) mandates that certain organizations inform customers about how their information is used and disclosed. Such disclosures are typically accomplished through privacy policies, both online and offline.
Integrity, Authentication & Non-Repudiation
In any e-commerce system the factors of data integrity, customer and client authentication, and non-repudiation are critical to the success of any online business. Data integrity is the assurance that transmitted data is consistent and correct, that is, it has not been tampered with or altered in any way during transmission. Authentication is a means by which both parties in an online transaction can be confident that they are who they say they are, and non-repudiation is the idea that no party can dispute that an online event actually took place. Proof of data integrity is typically the easiest of these factors to accomplish. A data hash or checksum, such as MD5 or CRC, is usually sufficient to establish that the likelihood of data being undetectably changed is extremely low (Schlaeger and Pernul, 2005). Notwithstanding these security measures, it is still possible to compromise data in transit through techniques such as phishing or man-in-the-middle attacks (Desmedt, 2005). These flaws have led to the need for the development of strong verification and security measures such as digital signatures and public key infrastructures.
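To make the integrity argument above concrete, the following is an added example (not code from the original essay) contrasting an unkeyed checksum, which catches accidental corruption but is simply recomputed by an active interposer, with a keyed HMAC, which cannot be forged without the shared key. The order message, the substitute message and the key are constructed values; a MAC still gives no non-repudiation, since either key holder could have produced the tag, which is the gap the digital signatures and PKI mentioned above close.

```python
import hashlib
import hmac
import zlib

# Constructed sample order message and an interposer's substitute
# (illustrative values, not from the page).
ORDER = b"order=1234;item=laptop;qty=1;ship_to=Alice"
SUBSTITUTE = b"order=1234;item=laptop;qty=1;ship_to=Mallory"
# Hypothetical key agreed out of band by the two legitimate parties.
SHARED_KEY = b"demo-shared-secret"


def checksum(msg: bytes) -> dict:
    """Unkeyed integrity tags of the kind the text names: CRC32 and MD5."""
    return {"crc32": zlib.crc32(msg) & 0xFFFFFFFF,
            "md5": hashlib.md5(msg).hexdigest()}


def checksum_ok(msg: bytes, tags: dict) -> bool:
    """Receiver recomputes both tags and compares with what arrived."""
    return checksum(msg) == tags


def mac(msg: bytes, key: bytes) -> str:
    """Keyed tag (HMAC-SHA256); only a holder of the key can produce it."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def mac_ok(msg: bytes, tag: str, key: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(mac(msg, key), tag)


def compare_mechanisms() -> dict:
    """Run both checks against accidental corruption and deliberate substitution."""
    tags = checksum(ORDER)
    tag = mac(ORDER, SHARED_KEY)
    # Accidental change: one bit flipped in transit, tags delivered unchanged.
    flipped = bytes([ORDER[0] ^ 0x01]) + ORDER[1:]
    # Deliberate change by an interposer who sees the whole message: the
    # unkeyed tags are recomputed over the substitute and pass, but the keyed
    # tag cannot be recomputed, so only the original tag can be forwarded.
    return {
        "checksum_detects_bit_flip": not checksum_ok(flipped, tags),
        "checksum_detects_substitution": not checksum_ok(SUBSTITUTE, checksum(SUBSTITUTE)),
        "hmac_detects_substitution": not mac_ok(SUBSTITUTE, tag, SHARED_KEY),
        "hmac_accepts_genuine": mac_ok(ORDER, tag, SHARED_KEY),
    }


if __name__ == "__main__":
    for name, result in compare_mechanisms().items():
        print(f"{name}: {result}")
```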
Technical Attacks
Technical attacks are one of the most challenging types of security compromise an e-commerce provider must face. Perpetrators of technical attacks, and in particular Denial-of-Service attacks, typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, large online retailers and popular social networking sites.
Non-Technical Attacks
Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing scams are generally carried out by sending the victim a ‘fraudulent’ email from what purports to be a legitimate organization requesting sensitive information. When the victim follows the link embedded within the email they are brought to an elaborate and sophisticated duplicate of the legitimate organization's website. Phishing attacks generally target bank customers, online auction sites (such as eBay), online retailers (such as Amazon) and service providers (such as PayPal). According to Community Banker (Swann, 2008), in more recent times cybercriminals have become more sophisticated in the timing of their attacks, posing as charities in times of natural disaster.
Social engineering is the art of manipulating people into performing actions or divulging confidential information. Social engineering techniques include pretexting (where the fraudster creates an invented scenario to get the victim to divulge information), interactive voice response (IVR) or phone phishing (where the fraudster gets the victim to divulge sensitive information over the phone) and baiting with Trojan horses (where the fraudster ‘baits’ the victim into loading malware onto a system). Social engineering has become a serious threat to e-commerce security since it is difficult to detect and to combat, as it involves ‘human’ factors which cannot be patched like hardware or software, although staff training and education can somewhat thwart the attack (Hasle et al., 2005).
Conclusion
In conclusion, the e-commerce industry faces a challenging future in terms of the security risks it must avert. With increasing technical knowledge, and its widespread availability on the Internet, criminals are becoming more and more sophisticated in the deceptions and attacks they can perform. Novel attack strategies and vulnerabilities often only become known once a perpetrator has uncovered and exploited them. That said, there are multiple security strategies which any e-commerce provider can put in place to reduce the risk of attack and compromise significantly. Awareness of the risks and the implementation of multi-layered security protocols, detailed and open privacy policies, and strong authentication and encryption measures will go a long way to reassure the consumer and ensure the risk of compromise is kept minimal.