
SECURING YOUR STORE FRONT

What is e-commerce security?

E-Commerce security refers to the principles which guide safe electronic transactions, allowing
the buying and selling of goods and services through the Internet, but with protocols in place to
provide safety for those involved. Successful business online depends on the customers’ trust
that a company has eCommerce security basics in place.

Security is an essential part of any transaction that takes place over the internet. Customers will
lose their faith in an e-business if its security is compromised.

E-commerce security protects your company's data and system from cyberattacks and from
access or use by cybercriminals and malicious bots. It keeps your online business secure and
protects your consumers' and business's private information.

The importance of security in e-commerce

• As an e-commerce business owner, you must ensure that all customer data is handled
safely and securely. E-commerce security can be a tricky subject, but it is your
responsibility to protect your website from being hacked and sensitive customer data
from being stolen.
• Consumers want to work with a business they can trust. When they enter their personal
information, like their credit card number or other banking details, in a form on your site,
they expect it to be well protected. If your business is compromised and customer
information is exposed, consumers are less likely to do business with you in the future.
• However, this isn't just about your customers. If your site is compromised by hackers,
you'll have to pay to fix the security breach. This can include paying for a forensic
investigation, data recovery services and credit monitoring for your customers.
• Your business must also maintain a certain level of security compliance to meet the
proper legal standards for an online business. If your company does not adhere to those
regulations – such as the Payment Card Industry Data Security Standard (PCI DSS),
which is the standard you must follow when accepting credit card payments – you may
be fined or subject to other penalties.

Potential e-commerce security threats

With the proper safeguards in place, you can shield your business and consumers from online
threats. Here are a few common threats you should be aware of.

Phishing

Using email, text and even phone calls, hackers try to trick store owners into providing personal
information like passwords, banking information and Social Security numbers. They usually
pretend to be an organization of authority that's just "checking" or "updating" information it
already has.

Malware and ransomware

Avoid clicking on links or downloading software you're not familiar with, as these are common
doorways to malware and other device- and network-infecting software. Once your system is
infected, hackers can restrict you from accessing data within your system and may demand
money to restore your access.

SQL injection

An SQL injection is a sneaky tool attackers use to manipulate the back end of your system. This
is essentially a data breach, which means they can view private data and operate part of your
system without your knowledge.

Cross-site scripting (XSS)

This is when a hacker injects harmful code into your company's webpage. This tactic is used to
steal directly from your consumers, as visitors to your website are exposed to malware, phishing,
malicious bots and other tactics to steal their information.

E-skimming

When hackers infiltrate your e-commerce store through phishing, XSS or other attacks, they wait
for customers at the checkout page so they can swipe their credit card and personal information.
When attackers e-skim, they're going after all the information on your payment card processing
pages.

Credit Card Fraud

Credit card fraud is the most common security threat that online retailers face. It occurs when a
hacker gains unauthorized access to customers’ personal and payment information. To access
this data, the hacker may penetrate the database of an e-commerce site using malicious software
programs. At times, a hacker’s intention when stealing customers’ data is to sell it on black
markets.

Distributed Denial of Service (DDoS) Attacks

This type of security threat aims at taking down an online retail store by sending overwhelming
requests to its servers. The attacks originate from thousands of untraceable IP addresses. When
this type of threat hits the servers, they slow down or completely shut down. An e-commerce site
can also go offline temporarily when a DDoS attack affects its servers.

Man-in-the-middle Attacks

As hackers are becoming smarter with technology, they are devising ways of listening to the
communications made by users of an e-commerce website. Through an approach known as a
man-in-the-middle attack, these hackers maliciously trick users into connecting to a public
wireless network. They gain access to people's devices once they are on public wireless
networks. Hackers get to see people's browsing history, credit card numbers, passwords and
usernames if the websites they are visiting lack strong encryption.

Bad Bots

Bots, either good or bad, are all over the worldwide web. Search engines such as Bing and
Google use good bots for indexing search results. On the other hand, there are hackers that use
malicious bots for gathering data such as product data, inventories and pricing data. These bots
are also capable of accessing the database of an e-commerce site and listing the logins of user
accounts.

Defining Security Principles

To understand how to manage an information security program, you must understand the basic
principles. These principles are the building blocks, or primitives, to being able to determine why
information assets need protection.

CIA: Information Security's Fundamental Principles

• The CIA Triad is actually a security model that has been developed to help people think
about various parts of IT security.
• The CIA triad has three goals: confidentiality, integrity and availability, which are basic
factors in information security. Information security protects valuable information from
unauthorized access, modification and distribution. The CIA triad guides information
security efforts to ensure success.
• The CIA triad comprises all the principles on which every security program is based.
Depending on the nature of the information assets, some of the principles might have
varying degrees of importance in your environment.

Remembering that information is the most important of your organization's assets (second to
human lives, of course), the first principles ask what is being protected, why, and how access
to it is controlled.

The fundamental goal of your information security program is to answer these questions by
determining the confidentiality of the information, how the data's integrity is maintained,
and how its availability is governed. These three principles make up the CIA triad.

Confidentiality

Confidentiality determines the secrecy of the information asset. Determining confidentiality is
not a matter of determining whether information is secret or not. When considering
confidentiality, managers determine the level of access in terms of how and where the data can
be accessed. For information to be useful to the organization, it can be classified by a degree of
confidentiality.

To prevent attackers from gaining access to critical data, a user who might be allowed access to
confidential data might not be allowed to access the service from an external access port. The
level of confidentiality determines the level of availability that is controlled through various
access control mechanisms.

Cryptography is the study of how to scramble, or encrypt, information to prevent everyone but
the intended recipient from being able to read it. Encryption implements cryptography by using
mathematical formulas to scramble and unscramble the data. These formulas use an external
piece of private data called a key to lock and unlock the data.

Integrity

With data being the primary information asset, integrity provides the assurance that the data is
accurate and reliable. Without integrity, the cost of collecting and maintaining the data cannot be
justified. Therefore, policies and procedures should support ensuring that data can be trusted.

Availability

Availability is the ability of the users to access an information asset. Information is of no use if it
cannot be accessed. Systems should have sufficient capacity to satisfy user requests for access,
and network architects should consider capacity as part of availability. Policies can be written to
enforce this by specifying that procedures be created to prevent denial-of-service (DoS) attacks.

Privacy

Privacy relates to all elements of the CIA triad. It considers which information can be shared
with others (confidentiality), how that information can be accessed safely (integrity), and how it
can be accessed (availability).

Identification and Authentication

• Information security is the process of managing the access to resources. To allow a user,
a program, or any other entity to gain access to the organization's information resources,
you must identify them and verify that the entity is who they claim to be. The most
common way to do this is through the process of identification and authentication.
• The process of identification and authentication is usually a two-step process, although it
can involve more than two steps. Identification provides the resource with some type of
identifier of who is trying to gain access. Identifiers can be any public or private
information that is tied directly to the entity. To identify users, the common practice is to
assign the user a username.

Understand the Principle of Authentication

Authentication is a matter of what the entity knows, what they might have, or who the entity is.
For strong authentication, use at least two of these principles.

The second part of the process is to authenticate the claimed identity. The following are the three
general types of authentication:

• What the entities know, such as a personal identification number (PIN) or password
• What the entities have, such as an access card, a smart card, or a token generator
• Who or what the entity is, which is usually identified through biometrics

Passwords

Of these methods, passwords and PINs are the most common forms of authentication. Although
passwords are the most important part of the process, they also represent the weakest link.
As a security manager, you must manage the process in such a way as to minimize the weakness
in the process.

Users typically create passwords that are easily guessed. Common words or the names of
spouses and children leave the password open to dictionary or social engineering attacks. To
prevent these attacks, some organizations use a password generator to create passwords that
cannot be cracked using typical attacks. The problem is that these passwords are usually not that
memorable, which causes the users to write them down, leaving them open to another type of
social engineering attack in which another user finds the documented password.

Password management involves trying to create a balance between creating passwords that
cannot be guessed and passwords users don't need to write down. Policies can mandate several
strategies that can be effective in mitigating some of these problems. Following are some of the
methods management should use when mitigating these problems:

• Password generators—These are usually third-party products that can be used to create
passwords out of random characters. Some products can be used to create memorable
passwords using permutations of random or chosen words or phrases.
• Password checkers—These are tools that check the passwords for their probability of
being guessed. They are designed to perform typical dictionary attacks, and they use
information on the system in an attempt to guess the password using social engineering.
These checkers also use common permutations of these attacks, anticipating what a user
might try. For example, users commonly use 0s in the place of the letter o. The strength
of the password is determined by how many attempts the tool makes to guess the
password.
• Limiting login attempts—These can prevent attackers from trying to log in to systems
or prevent networks from using exhaustive attacks. By setting a threshold for login
failures, the user account can be locked. Some systems can lock accounts for a period of
time, whereas others require administrator intervention.
• Challenge-Response—These are also called cognitive passwords. They use random
questions that the user would provide the answer to in advance or use a shared secret.
When the user logs in, the system picks a random question that must be answered
successfully to gain access. This is commonly used on voice response systems (for
example, social security number, account number, ZIP code, and so on) and requires the
answer to more than one challenge.
• Token devices—These are a form of one-time password authentication that satisfies the
"what you have" scenario. Token devices come in two forms: synchronous and
asynchronous. A synchronous token is time-based and generates a value that is used in
authentication. The token value is valid for a set period of time before it changes and is
based on a secret key held by both the token (usually a sealed device) and the server
providing authentication services.
• PKI—Using public key or asymmetric encryption technologies requires the use of a
public key infrastructure (PKI) to manage the process.
• Cryptographic keys—These combine the concepts of "something you have" and
"something you know." Using public key cryptography, the user has a private key (or
digital signature) that is used to sign a common hash value that is sent to the
authentication server. The server can then use the known public key for the user to
decrypt the hash. To strengthen the authentication process, the user is asked to enter a
PIN or passphrase that is also added to the hash.
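
The synchronous time-based token from the list above, as an added Go example that is not part of the original text: the shared secret and the current 30-second time step produce the code the token displays, and the server recomputes it, tolerating one step of clock drift. The secret is the published RFC 6238 test-vector secret, used only so the values can be checked; the function names are assumptions for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// timeStep is how many seconds one token value stays valid before the
// synchronous token moves on to the next value.
const timeStep = 30

// hotp derives a 6-digit one-time code from the shared secret and a counter
// using HMAC-SHA1 and the dynamic truncation of RFC 4226.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totpAt is the value the token device shows at the given Unix time: the
// counter is the number of whole time steps since the epoch (RFC 6238).
func totpAt(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime/timeStep))
}

// verifyTOTP is the server side. It accepts the code for the current step and
// up to skew steps either side, because the token's clock and the server's
// clock drift apart. Every candidate is compared in constant time and the
// loop never stops early, so response time does not reveal which step matched.
func verifyTOTP(secret []byte, code string, unixTime int64, skew int64) bool {
	step := unixTime / timeStep
	matched := false
	for s := step - skew; s <= step+skew; s++ {
		if s < 0 {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(hotp(secret, uint64(s))), []byte(code)) == 1 {
			matched = true
		}
	}
	return matched
}

func main() {
	// Constructed shared secret (the RFC 6238 test-vector secret), not a real one.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := totpAt(secret, now)
	fmt.Println("token shows:", code, "server accepts:", verifyTOTP(secret, code, now, 1))
}
```

A production verifier should also record the last step accepted for each user so the same code cannot be replayed within the drift window.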

Nonrepudiation

Nonrepudiation is the ability to ensure that the originator of a communication or message is the
true sender by guaranteeing authenticity of his digital signature. Digital signatures are used not
only to ensure that a message has been electronically signed by the person who purported to sign
the document, but also to ensure that a person cannot later deny that he furnished the signature.

Understanding Nonrepudiation

Nonrepudiation is the ability to ensure the authenticity of a message by verifying it using the
message's digital signature. Remember, digital signatures require a certificate to generate the
signature and a PKI to save the public key for when the message is verified.

Regardless of how your organization tries to implement nonrepudiation, there will be some risk
based on the trust of the information used for validation. Biometric verification can help in the
process, but that means you must trust the certification process.

Accountability and Auditing

With the user authenticated to the system and network, most administrators use the various audit
capabilities to track all system events. Systems and security administrators can use the audit
records to

• Produce usage reports
• Detect intrusions or attacks
• Keep a record of system activity for performance tuning
• Create evidence for disciplinary actions or law enforcement

Keystroke Monitoring

Keystroke monitoring is a type of audit that monitors what a user types. It watches how the user
types individual words, commands, or other common tasks and creates a profile of that user's
characteristics. The keystroke monitor can then detect whether someone other than the profiled
user tries to use the system.

Magic Lantern

The FBI has been looking at new ways of doing covert investigation of criminals on the Internet.
One tool they use is called Magic Lantern. As a follow-up to the Carnivore program, the FBI
covertly installs Magic Lantern on a targeted computer system to trap keystroke and mouse
information. Magic Lantern has been used to break the encryption of a suspected criminal. As
this is written, that case has yet to come to trial, but the constitutionality of the FBI using Magic
Lantern will be a central question.

Protecting Audit Data

There will come a time when your organization has to handle an incident. This incident can
come from within your organization's network or from the Internet. The only way you will be
able to figure out how the incident occurred is through log analysis. However, the analysis of the
logs can be only as successful as the integrity of the data.

Documentation

When I talk to organizations about the condition of their security documentation, most admit that
it is not up-to-date. Others say that it is too accessible because it details the controls and settings
of various devices. In either case, documentation can become a weak link in the security chain.
By not keeping up with documentation, there could be no explanation of how the controls are
configured to satisfy policies, which would make their replacement in an emergency situation
difficult.

Five security tips to help you protect your e-commerce site.

The e-commerce industry is one of the most lucrative targets for cybercriminals, which is why
it's critical for online retailers to be aware of the risks and take the right steps to secure their sites.
Check out these five best security practices to safeguard your online store, prevent e-commerce
fraud and retain the confidentiality of your customer data.

1. Choose a secure e-commerce platform.

As they say, get the basics right and the rest will fall into place. The first step to build a secure e-
commerce website is to use a secure platform. There are so many open-source and proprietary e-
commerce platforms available that choosing the best one for you can be difficult. No matter
which platform you decide to use, though, ensure that it has extensive security measures in place
and maintains PCI compliance. Run PCI scans on your server to validate whether you are
compliant or not.

2. Implement SSL certificates.

SSL stands for Secure Sockets Layer, a protocol for web browsers and servers that allows for the
authentication, encryption and decryption of data sent over the Internet.

SSL is the de facto standard for securing online transactions. The SSL certificate authenticates
the identity of users and encrypts data both on the store and in transit. SSL is essential to
establish secure connectivity between the end-user systems and your e-commerce website.

3. Consider two-factor authentication.

Stolen or compromised user credentials are a common cause of web security breaches. There are
multiple ways, phishing among them, to steal or guess valid user credentials and compromise the
security of your online store. That is where the need for a proven user authentication mechanism
arises; it is a foundation for securing your online store from hacking attempts.

4. Use a virtual private network.

When you are dealing with customer data, and financial transactions in particular, you need to be
extremely careful on public networks. Data transferred over public networks is vulnerable to
interception by malicious users. A VPN service is useful in such a situation. It gives you an
encrypted connection to a secure offsite server, which prevents a third party from inserting itself
between you and the server.

5. Educate your customers and employees.

Users need education on the laws and policies that affect customer data. Educate your clients as
well as your workforce on your information security practices. Let them know how you protect
customers' credit card information and what they should do on their end to keep the financial
information secure. Highlight your organization's best practices for data security, and tell them
not to disclose sensitive data over email, text or chat communication.

E-COMMERCE SECURITY TOOLS

Digital certificates: An attachment to an electronic message used for security purposes. The
most common use of a digital certificate is to verify that a user sending a message is who he or
she claims to be, and to provide the receiver with the means to encode a reply.

Encryption: Encryption is the most effective way to achieve data security. To read an encrypted
file, you must have access to a secret key or password that enables you to decrypt it.
Unencrypted data is called plain text; encrypted data is referred to as cipher text.

Firewall: Firewalls can be either hardware or software but the ideal firewall configuration will
consist of both. In addition to limiting access to your computer and network, a firewall is also
useful for allowing remote access to a private network through secure authentication certificates
and logins.

Digital signature: A digital certificate, an electronic document that contains the digital signature
of the certificate-issuing authority, binds together a public key with an identity and can be used
to verify a public key belongs to a particular person or entity.

Biometric scanner: In computer security, biometrics refers to authentication techniques that rely
on measurable physical characteristics that can be automatically checked. There are several types
of biometric identification schemes: face: the analysis of facial characteristics

Password: A password is a word or string of characters used for user authentication to prove
identity or access approval to gain access to a resource, which should be kept secret from those
not allowed access. The use of passwords is known to be ancient.

Purpose of Securities

It seems you cannot go a day without hearing about someone or some group hacking a website or
stealing credit card and other sensitive data from e-commerce sites. The electronic system that
supports e-commerce is susceptible to abuse and failure in many ways, which have to be dealt
with seriously:

• Disruption of device: it may result in major losses for the business or inconvenience to the
customer.
• Illegal intrusion into customer data: these acts lead to loss of customer confidence stemming
from illegal intrusions into customer files or company business dishonesty, human
mistakes or network failure.
• Fraud: the act results in direct financial loss; funds might be transferred from one account to
another, or records might simply be destroyed.
• Theft: theft of confidential, proprietary, technological or marketing information
belonging to the firm or customer. An intruder may disclose information to a third party,
resulting in damage.

Security Policies

Security policies are a formal set of rules issued by an organization to ensure that the
users who are authorized to access company technology and information assets comply with rules
and guidelines related to the security of information.

Need for security policies

• It increases efficiency.
• It upholds discipline and accountability.
• It can make or break a business deal.
• It helps to educate employees on security literacy.

We use security policies to manage our network security. Most types of security policies are
automatically created during the installation. We can also customize policies to suit our specific
environment. Some important cybersecurity policy recommendations are described below:

• Virus and Spyware Protection policy
• Firewall Policy
• Intrusion Prevention policy
• Live-Update policy
• Application and Device Control
• Exceptions policy
• Host Integrity policy

BASIC WAYS TO PROTECT YOURSELF

• Always use https while navigating through your admin area (if you have SSL installed
on your server).

• If you want (and have the option), consider deleting all the customer credit card details
after purchases.

• Sign up with a managed firewall service (www.able- commerce.com) – these services
usually come with an icon that you can put in your store and they have been known to
boost sales.

• Choose a shopping cart that can blacklist (block) IP addresses and users.

If you are new to the Internet or a regular shopper online, the following guidelines
should apply.

1. Find out the cost of delivery before placing your order and how long the delivery will
take. Most shopping sites use couriers to deliver the goods, and delivering overseas
can become quite expensive.

2. If you are bidding on eBay, check out the buyers' and sellers' feedback. This should
become standard before you ever place a bid.

3. Always read the FAQ section if you are new to the site.

4. If someone demands cash for a payment, say no. Use your credit card to make your
payment; this will protect you against fraud. Credit card companies refund accounts where
fraudulent activity transpires.

5. Don't be afraid to ask the seller lots of questions; some sites provide you the option to
contact the seller.

6. Check, and read in full, the terms and conditions and the privacy policy of the site.

7. If you are unsure about a site, try doing a search with Google or any of the other search
engines. You may find comments posted about the shopping site from other customers.

Security protocol

In today's e-business, many protocols are widely used, such as Secure Socket Layers
(SSL) and Secure Electronic Transactions (SET), so we would like to explore these
protocols. We will discuss the various methods that are used in e-commerce, such as digital
certificates, digital signatures, Secure Socket Layer (SSL) and Secure Electronic Transactions
(SET).

1. Digital Signatures and Certificates

Digital signatures meet the need for authentication and integrity. A plain text message is run
through a hash function and so given a value: the message digest. This digest, the hash function
and the plain text encrypted with the recipient's public key are sent to the recipient. The recipient
decodes the message with their private key, and runs the message through the supplied hash
function to verify that the message digest value remains unchanged (the message has not been
tampered with). Very often, the message is also time stamped by a third-party agency, which
provides non-repudiation.

In addition, digital certificates are also used for security purposes. The most common use of a
digital certificate is to verify that a user sending a message is who he or she claims to be, and to
provide the receiver with the means to encode a reply. An individual wishing to send an
encrypted message applies for a digital certificate from a Certificate Authority (CA). The CA
issues an encrypted digital certificate containing the applicant's public key and a variety of other
identification information. The CA makes its own public key readily available through print
publicity or perhaps on the Internet. The recipient of an encrypted message uses the CA's public
key to decode the digital certificate attached to the message, verifies it as issued by the CA and
then obtains the sender's public key and identification information held within the certificate.
With this information, the recipient can send an encrypted reply. The most widely used standard
for digital certificates is X.509.
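
The digest-then-sign exchange described above, as an added Go example that is not part of the original text: the sender hashes the message and signs the digest, and the recipient recomputes the digest and checks the signature against the sender's public key, so any change to the text is detected. Ed25519 is used for the signature; the key pair, function names and the sample order message are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedMessage is what the sender transmits: the plain text, its message
// digest and the signature over that digest.
type SignedMessage struct {
	Text      []byte
	Digest    [sha256.Size]byte
	Signature []byte
}

// newKeyPair generates the sender's signing key pair. The public key is what
// a certificate would carry; the private key never leaves the sender.
func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// sign runs the text through the hash function to get the digest, then signs
// the digest with the sender's private key.
func sign(priv ed25519.PrivateKey, text []byte) SignedMessage {
	digest := sha256.Sum256(text)
	return SignedMessage{Text: text, Digest: digest, Signature: ed25519.Sign(priv, digest[:])}
}

// verify is the recipient's check: recompute the digest from the received text
// and compare it with the transmitted one (integrity), then confirm the
// signature over the digest was made with the sender's key (authentication).
func verify(pub ed25519.PublicKey, m SignedMessage) bool {
	if sha256.Sum256(m.Text) != m.Digest {
		return false // text was altered after signing
	}
	return ed25519.Verify(pub, m.Digest[:], m.Signature)
}

func main() {
	pub, priv := newKeyPair()
	// Constructed sample order message, not real data.
	order := []byte("order 1001: 2 x widget, ship to customer 42")
	m := sign(priv, order)
	fmt.Println("genuine message verifies:", verify(pub, m))

	tampered := m
	tampered.Text = []byte("order 1001: 20 x widget, ship to customer 42")
	fmt.Println("tampered message verifies:", verify(pub, tampered))
}
```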

2. Secure Socket Layers (SSL)
The Secure Socket Layer (SSL) was developed by Netscape to provide secure communication
between Web servers and clients. Information sent over the Internet commonly uses the set of
rules called TCP/IP (Transmission Control Protocol / Internet Protocol). The information is
broken into packets, numbered sequentially, and an error control attached. Individual packets are
sent by different routes. TCP/IP reassembles them in order and resubmits any packet showing
errors. SSL uses PKI and digital certificates to ensure privacy and authentication. The procedure
is something like this: the client sends a message to the server, which replies with a digital
certificate. Using PKI, server and client negotiate to create session keys, which are symmetrical
secret keys specially created for that particular transmission. Once the session keys are agreed,
communication continues with these session keys and the digital certificates.
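
The certificate check a client performs when the server replies with its digital certificate in the SSL handshake above, as an added Go example (not from the original text): a constructed root CA issues a certificate for the store's hostname, and the client verifies that the certificate is signed by a CA it trusts, is currently valid, and names the host it connected to. The CA names, hostnames and function names are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustKey generates a fresh P-256 key pair; failures abort the demonstration.
func mustKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// mustCert turns the DER output of x509.CreateCertificate into a parsed certificate.
func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newCA creates a self-signed root: the CA's public key signed by its own
// private key. Clients must already hold and trust this certificate.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// issueServerCert is the CA issuing the store's certificate: it binds the
// store's hostname to the store's public key and signs with the CA's key.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)), key
}

// clientAccepts is the check a browser runs on the certificate the server
// sends in the handshake: signed by a CA the client trusts, valid now, and
// issued for the hostname the client actually connected to. A nil error
// means the certificate is accepted.
func clientAccepts(serverCert, trustedCA *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey := newCA("Example Store Root CA") // constructed CA, not a real one
	storeCert, _ := issueServerCert(ca, caKey, "shop.example.com")
	fmt.Println("right host:      ", clientAccepts(storeCert, ca, "shop.example.com"))
	fmt.Println("wrong host:      ", clientAccepts(storeCert, ca, "other.example.net"))
	rogueCA, _ := newCA("Untrusted CA")
	fmt.Println("untrusted issuer:", clientAccepts(storeCert, rogueCA, "shop.example.com"))
}
```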

3. Secure Electronic Transactions (SET)
The SET (Secure Electronic Transaction™) protocol is an open industry standard developed for
the secure transmission of payment information over the Internet and other electronic networks.
SET uses a system of locks and keys along with certified account IDs for both consumers and
merchants. Then, through a unique process of "encrypting" or scrambling the information
exchanged between the shopper and the online store, SET ensures a payment process that is
convenient, private and most of all secure.

Advantages of SET are:

• Establishes industry standards to keep your order and payment information confidential.
• Increases integrity for all transmitted data through encryption.
• Provides authentication that a cardholder is a legitimate user of a branded payment card
account.
• Provides authentication that a merchant can accept branded payment card transactions
through its relationship with an acquiring financial institution.

CONCLUSION

E-commerce has changed the relative importance of time, but as one of the pillars and
indicators of a country's economic state, the importance of time should not be
ignored.

E-commerce is not a new kind of industry, but it is creating a new economic model.
Most people agree that e-commerce is indeed important and significant for the
economic society of the future, yet there is a somewhat clueless feeling at the
beginning; this problem is exactly what proves that e-commerce is a sort of incorporeal
revolution.
