
E-commerce 2017

business. technology. society. 13th edition



Copyright © 2018, 2017, 2016 Pearson Education, Inc. All Rights Reserved

Chapter 5
E-commerce Security and
Payment Systems

Learning Objectives
• 5.1 Understand the scope of e-commerce crime and security problems, the key
dimensions of e-commerce security, and the tension between security and other values.

• 5.2 Identify the key security threats in the e-commerce environment.

• 5.3 Describe how technology helps secure Internet communications channels and protect
networks, servers, and clients.

• 5.4 Appreciate the importance of policies, procedures, and laws in creating security.

• 5.5 Identify the major e-commerce payment systems in use today.

• 5.6 Describe the features and functionality of electronic billing presentment and payment
systems.

Cyberwar: MAD 2.0
• Cyberspace - new battlefield
• Targets
– defence installations, nuclear facilities, public infrastructure,
banks, manufacturing firms, and communications networks.

• Primary objectives
– obtaining intellectual property (a kind of economic warfare)
– attacking the ability of other nations to function

• Mutually Assured Destruction (MAD) doctrine

Cyberwar: MAD 2.0
• MAD 2.0
– An attack by a nation against its enemy’s cyberinfrastructure might
unleash a counterattack so powerful that critical infrastructure in both
nations would be heavily damaged and shut down.

• Why has cyberwar become potentially more devastating in the past decade?
• Stuxnet, Flame, Snake
• Is it possible to find a political solution to MAD 2.0?

The E-commerce Security Environment
• Overall size and losses of cybercrime unclear
– Reporting issues

• 2016 survey: average total cost of a data breach to U.S. corporations was $4 million
– Hard to estimate (companies are reluctant to report)
– $375–$575 billion worldwide

• Low-cost web attack kits
• Online credit card fraud
• Underground economy marketplace
What Is Good E-commerce Security?
• To achieve the highest degree of security
– New technologies
– Organizational policies and procedures
– Industry standards and government laws

• Other factors
– Time value of money
– Cost of security vs. potential loss
– Security often breaks at the weakest link

Figure 5.1: The E-commerce Security Environment

Dimensions of E-commerce Security
• Integrity
– ability to ensure that information being displayed on a website, or
transmitted or received over the Internet, has not been altered in
any way by an unauthorized party.

• Nonrepudiation
– ability to ensure that e-commerce participants do not deny their
online actions

• Authenticity
– ability to verify the identity of a person or entity with whom you
are dealing on the Internet

Dimensions of E-commerce Security
• Confidentiality
– ability to ensure that messages and data are available only to
those who are authorized to view them
– Privacy refers to the ability to control the use of information a
customer provides about himself or herself to an e-commerce
merchant

• Availability
– ability to ensure that an e-commerce site continues to function as
intended.

Table 5.3: Customer and Merchant Perspectives on the Different Dimensions of E-commerce Security
• Integrity
– Customer’s perspective: Has information I transmitted or received been altered?
– Merchant’s perspective: Has data on the site been altered without authorization? Is data being received from customers valid?

• Nonrepudiation
– Customer’s perspective: Can a party to an action with me later deny taking the action?
– Merchant’s perspective: Can a customer deny ordering products?

• Authenticity
– Customer’s perspective: Who am I dealing with? How can I be assured that the person or entity is who they claim to be?
– Merchant’s perspective: What is the real identity of the customer?

• Confidentiality
– Customer’s perspective: Can someone other than the intended recipient read my messages?
– Merchant’s perspective: Are messages or confidential data accessible to anyone other than those authorized to view them?

• Privacy
– Customer’s perspective: Can I control the use of information about myself transmitted to an e-commerce merchant?
– Merchant’s perspective: What use, if any, can be made of personal data collected as part of an e-commerce transaction? Is the personal information of customers being used in an unauthorized manner?

• Availability
– Customer’s perspective: Can I get access to the site?
– Merchant’s perspective: Is the site operational?
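The integrity, authenticity and nonrepudiation dimensions above can be made concrete in code. This is an added Python example, not from the textbook or its slides: a shared-key HMAC over a customer order gives integrity and authenticity, but because the merchant holds the same key it cannot settle the merchant's question "Can a customer deny ordering products?"; that needs a signature under a key only the customer holds. The key, order fields and values are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed sample data: a secret the customer and merchant share out of band,
# and one customer order (hypothetical values, not from the slides).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
ORDER = {"customer": "alice", "sku": "BOOK-13E", "qty": 1, "price_cents": 12999}


def canonical(order: dict) -> bytes:
    """Serialize deterministically so the same order always yields the same bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def tag_order(key: bytes, order: dict) -> str:
    """Integrity + authenticity: an HMAC-SHA256 tag that only a key holder can produce."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def verify_order(key: bytes, order: dict, tag: str) -> bool:
    """Constant-time comparison so timing does not leak how many tag characters match."""
    return hmac.compare_digest(tag_order(key, order), tag)


def integrity_demo() -> tuple:
    """The genuine order verifies; the same tag fails once one field is altered in transit."""
    tag = tag_order(SHARED_KEY, ORDER)
    tampered = dict(ORDER, qty=100)
    return verify_order(SHARED_KEY, ORDER, tag), verify_order(SHARED_KEY, tampered, tag)


def authenticity_demo() -> bool:
    """A tag computed under some other key is rejected: the sender did not hold the shared key."""
    return verify_order(SHARED_KEY, ORDER, tag_order(b"some-other-key", ORDER))


def nonrepudiation_gap() -> bool:
    """The merchant holds SHARED_KEY too, so it can produce a valid tag for an order the
    customer never placed. A valid tag therefore proves only 'a key holder made this',
    not 'the customer made this'. Nonrepudiation needs an asymmetric digital signature."""
    fabricated = dict(ORDER, qty=500)
    merchant_made_tag = tag_order(SHARED_KEY, fabricated)
    return verify_order(SHARED_KEY, fabricated, merchant_made_tag)
```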

The Tension Between Security and Other Values
• Ease of use
– The more security measures added, the more difficult a site is to
use, and the slower it becomes

• Public safety and criminal uses of the Internet
– Use of technology by criminals to plan crimes or threaten nation-states

Security Threats in the E-commerce Environment
• Three key points of vulnerability in the e-commerce environment:
– Client
– Server
– Communications pipeline (Internet communications channels)

Figure 5.2: A Typical E-commerce Transaction

Figure 5.3: Vulnerable Points in an E-commerce Transaction

Malicious Code
• Malware is a software program that, when spread,
is designed to infect, alter, damage, delete, or
replace data or an information system without the
owner’s knowledge or consent
• Computer systems infected by malware take
orders from the criminals and do things such as
send spam or steal the user’s stored passwords.
• Nearly one million new malware threats are
released worldwide every day

Malicious Code
• Exploits and exploit kits
– collections of exploits bundled together and rented or sold as a
commercial product

• Malvertising
– online advertising that contains malicious code

• Drive-by downloads
– malware that comes with a downloaded file that a user requests

• Viruses
– a computer program that has the ability to replicate or make
copies of itself, becoming part of another program, and to spread to
other files
– attached to an executable file (requires user action to activate)
Malicious Code
• Worms
– malware designed to spread from computer to computer exploiting a
vulnerability on the target system

• Ransomware (scareware)
– malware that prevents you from accessing your computer or files and
demands that you pay a fine

• Trojan horses
– appear to be benign, but then do something other than expected.

• Backdoors
– undocumented way of accessing a system, bypassing the normal
authentication mechanisms.
– a feature of viruses, worms, and Trojans that allows an attacker to
remotely access a compromised computer.
Malicious Code
• Bots
– automated process that interacts with other network services.
– the computer becomes a “zombie” and is able to be controlled by
an external third party
– exploit back doors opened by worms and viruses, which allows
them to access networks that have good perimeter control.

• Botnets
– collections of bot-compromised devices
– used for malicious activities such as sending spam, participating in
a DDoS attack, stealing information from computers, and storing
network traffic for later analysis

Potentially Unwanted Programs
• Applications that install themselves on a computer,
typically without the user’s informed consent
• Browser parasites
– Monitor and change user’s browser

• Adware
– Used to display pop-up ads

• Spyware
– Tracks user’s keystrokes, e-mails, IMs, etc.

Phishing
• Any deceptive online attempt by a third party to
obtain confidential information for financial gain
• Tactics
– Social engineering
– E-mail scams
– Spear phishing

• Social engineering relies on human curiosity, greed, and
gullibility in order to trick people into taking an action that
will result in the downloading of malware
• Used for identity fraud and theft

Hacking, Cybervandalism, and Hacktivism
• Hacking
– Hackers vs. crackers
– White hats, black hats, grey hats
– Tiger teams
– Goals: cybervandalism, data breaches

• Cybervandalism:
– Disrupting, defacing, destroying website

• Hacktivism
– Cybervandalism for political purposes

Data Breaches
• When organizations lose control over corporate
information to outsiders
• Nine mega-breaches in 2015
• Leading causes
– Hacking
– Employee error/negligence
– Accidental e-mail/Internet exposure
– Insider theft

Insight on Society: The Ashley Madison Data Breach
• Class Discussion
– What organizational and technological failures led to the data
breach at Ashley Madison?
– What technical solutions are available to combat data breaches?
– Have you or anyone you know experienced a data breach?

Credit Card Fraud/Theft
• Stolen credit card incidents are about 0.8% of all
online card transactions
• Hacking and looting of corporate servers is the
primary cause
• Central security issue: establishing customer
identity
– E-signatures
– Multi-factor authentication
– Fingerprint identification

Identity Fraud/Theft
• Unauthorized use of another person’s personal
data for illegal financial benefit
– Social security number
– Driver’s license
– Credit card numbers
– Usernames/passwords

• 2015: 13 million U.S. consumers suffered identity fraud

Spoofing, Pharming, and Spam (Junk) Websites
• Spoofing
– Attempting to hide true identity by using someone else’s e-mail or
IP address

• Pharming
– Automatically redirecting a web link to a different address, to
benefit the hacker

• Spam (junk) websites
– Offer a collection of advertisements for other sites, which may
contain malicious code

Sniffing and Man-in-the-Middle Attacks
• Sniffer
– Eavesdropping program monitoring networks
– Can identify network trouble spots
– Can be used by criminals to steal proprietary information

• E-mail wiretaps
– Recording e-mails at the mail server level

• Man-in-the-middle attack
– Attacker intercepts and changes communication between two
parties who believe they are communicating directly

Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks
• Denial of service (DoS) attack
– Flooding a website with pings and page requests
– Overwhelms, and can shut down, the site’s web servers
– Often accompanied by blackmail attempts
– Botnets

• Distributed Denial of Service (DDoS) attack
– Uses hundreds or thousands of computers to attack the target network
– Can use Internet of Things devices and mobile devices

Insider Attacks
• The largest threat to business institutions comes from
insider embezzlement
• Employee access to privileged information
• Poor security procedures
• Insiders more likely to be source of cyberattacks
than outsiders
• 1% of employees are responsible for 75% of cloud-related
enterprise security risk
– sending out plain-text passwords, sharing files, using risky
applications, accidentally downloading malware or clicking phishing
links
Poorly Designed Software
• Increase in complexity of and demand for software
has led to increase in flaws and vulnerabilities
• SQL injection attacks
• Zero-day vulnerability
• Heartbleed bug

Social Network Security Issues
• Social networks an environment for:
– Viruses, site takeovers, identity fraud, malware-loaded apps, click
hijacking, phishing, spam

• Manual sharing scams
– Sharing of files that link to malicious sites

• Fake offerings, fake Like buttons, and fake apps

Mobile Platform Security Issues
• Little public awareness of mobile device
vulnerabilities
• 2015 survey: 3 million of 10 million apps are malware
• Vishing
• Smishing
• SMS spoofing
• Madware
Insight on Technology: Think Your Smartphone Is Secure?
• Class Discussion
– Which mobile operating system do you think is more
secure – Apple’s iOS or Google’s Android?
– What steps, if any, do you take to make your
smartphone more secure?
– What qualities of apps make them a vulnerable security
point in smartphone use?

Cloud Security Issues
• DDoS attacks
• Infrastructure scanning
• Lower-tech phishing attacks yield passwords and
access
• Use of cloud storage to connect linked accounts
• Lack of encryption and strong security procedures

Internet of Things Security Issues
• Challenging environment to protect
• Vast quantity of interconnected links
• Near identical devices with long service lives
• Many devices have no upgrade features
• Little visibility into workings, data, or security
