
Chapter (9) – E-Commerce Security and Fraud Protection

Information Security
 It refers to protecting information and information systems from unauthorized (1) access, (2) inspection, (3) use, (4) disruption, (5) modification, (6) destruction, (7) recording or (8) disclosure.

EC  It refers to the strategy that prevents and detects unauthorized use of the
Security organization’s brand, identity, website, e-mail, information, or other asset.
Strategy  It attempts to defraud the organization, its customers, and employees
 It refers to the protection of information systems against:
a) Unauthorized access to information.
Information b) Unauthorized modification of information.
Assurance c) Denial of service to authorized users.
(IA)
 It also includes the measures necessary to detect, document, and counter such
threats.

Deterring Measures
 It refers to actions that will make criminals abandon the idea of attacking a specific system, such as the possibility of losing a job for insiders.

Prevention Measures
 It refers to the ways to stop unauthorized users / intruders from accessing any part of the EC system.

Detection Measures
 It refers to ways to determine whether intruders attempted to break into the EC system, whether they were successful, and what they may have done.

Major EC Security Management Concerns:

1) Fraud in EC Transactions.
2) Prevention and Detection of Malware.
3) Security Strategy and Sufficient Budget.
4) Business Continuity and Recovery.
5) Data and Privacy Protection.
6) Employees' Negligence.
7) Intrusion Detection and Prevention.
8) Data Leaks.

EC Security Problem Drivers:

1) The internet’s vulnerable design.
2) The shift to profit-induced crimes.
3) Internet underground economy.
4) The dynamic nature of EC Systems.
5) The role of insiders.

Mr. Ahmed Galal – E-Commerce – Business - AMT – Intensive (1) – December 2019 1
Domain Name System (DNS)
 It translates / converts domain names to their numeric IP addresses.

IP Address
 It refers to an address that uniquely identifies each computer connected to a network or the Internet.

Internet Underground Economy
 It refers to e-markets for stolen information (credit card numbers, social security numbers, bank accounts, social network IDs, passwords).

Keystroke Logging (Key-Logging)
 It refers to the method of capturing and recording user keystrokes.

Business Continuity Plan
 It refers to the plan that keeps the business running after a disaster occurs, where each function in the business should have a valid recovery capability plan.

Disaster Avoidance
 It refers to the approach oriented toward prevention; the idea is to minimize the chance of avoidable disasters (fire or human-caused threats).

EC Security Requirements:

Authentication
 It refers to the process of verifying / assuring the real identity / ID of an individual, computer, computer program, or EC website through things known to / owned by the user.

Authorization
 It refers to the process of determining (1) what the authenticated entity is allowed to access and (2) what operations it is allowed to perform.

Non-Repudiation
 It refers to assuring that online customers or trading partners can't falsely deny / repudiate their purchase or transaction. (Message Digest)

Auditing
 It refers to assuring compliance with the system security levels.

Availability
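
Added example (not part of the handout): authentication through "something known" (a password checked against a salted, stretched record rather than a stored plaintext) followed by authorization that decides which operations the authenticated entity may perform on which resources, deny by default. The users, roles, order record and password strings are constructed for illustration; the role table and the ownership rule are assumptions of this example, not a standard.

```python
# Added example, not from the handout. Authentication = verifying identity through
# something the user knows; authorization = deciding what that verified entity may
# access and do. Every user, role, hash and record here is constructed.
import hashlib
import hmac
import os
from typing import Optional, Tuple

# --- Authentication: verify "something known" without storing the plain password ---

def make_password_record(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key) via PBKDF2-HMAC-SHA256 so a leaked user store
    does not directly reveal passwords."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, key

def authenticate(user_store: dict, username: str, password: str) -> Optional[str]:
    """Return the username when the password matches, else None.
    hmac.compare_digest keeps the comparison constant-time."""
    record = user_store.get(username)
    if record is None:
        # Run the KDF anyway so an unknown user costs as much as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, 100_000)
        return None
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return username if hmac.compare_digest(candidate, stored) else None

# --- Authorization: what the authenticated entity may access and which operations ---

# Constructed role table: role -> set of (resource type, operation) it may perform.
PERMISSIONS = {
    "customer": {("order", "read"), ("order", "create")},
    "support":  {("order", "read"), ("order", "refund")},
    "admin":    {("order", "read"), ("order", "create"), ("order", "refund"), ("order", "delete")},
}

def authorize(roles: dict, username: Optional[str], resource: dict, operation: str) -> bool:
    """Deny by default: no identity -> no access; no matching permission -> no access;
    a customer may only touch orders that they own (assumed ownership rule)."""
    if username is None:
        return False
    role = roles.get(username)
    if (resource["type"], operation) not in PERMISSIONS.get(role, set()):
        return False
    if role == "customer" and resource.get("owner") != username:
        return False
    return True

# Constructed sample users, roles and one order record.
USERS = {"alice": make_password_record("correct horse battery staple"),
         "bob": make_password_record("hunter2")}
ROLES = {"alice": "customer", "bob": "support"}
ORDER_OF_ALICE = {"type": "order", "id": 1001, "owner": "alice"}

def demo() -> dict:
    """Walk through a few authentication and authorization decisions."""
    alice = authenticate(USERS, "alice", "correct horse battery staple")
    bad = authenticate(USERS, "alice", "wrong password")
    bob = authenticate(USERS, "bob", "hunter2")
    return {
        "alice_login": alice == "alice",
        "bad_login": bad is None,
        "alice_reads_own_order": authorize(ROLES, alice, ORDER_OF_ALICE, "read"),
        "alice_refunds_own_order": authorize(ROLES, alice, ORDER_OF_ALICE, "refund"),
        "bob_refunds_alice_order": authorize(ROLES, bob, ORDER_OF_ALICE, "refund"),
        "anonymous_reads_order": authorize(ROLES, bad, ORDER_OF_ALICE, "read"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two steps are deliberately separate functions: authentication answers "who is this?", and authorization is evaluated afterwards for every single request, so a successful login never grants an operation by itself.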

Vulnerability
 It refers to a weakness in the software, design or other mechanism that threatens the (1) Confidentiality, (2) Integrity (No Unauthorized Modification), or (3) Availability [CIA Model] of an asset.

Risk / Threat
 It refers to the probability that a vulnerability will be known and used by people having bad intentions.

Cybercrime
 It refers to intentional crimes carried out on the internet.

Cybercriminal
 It refers to the person who intentionally carries out crimes over the internet.

Exposure
 It refers to the estimated cost, loss, or damage that can result if a vulnerability is exploited.

Fraud
 It refers to any intentional business activity that uses deceitful / dishonest practices or devices to deprive another of property or other rights.

Hacker
 It refers to someone (a skillful programmer) who gains legal or illegal unauthorized access to a computer system.

Cracker
 It refers to a malicious illegal hacker who may represent a serious problem for a company, with the purpose of destruction or personal gains. [Maxwell]

Technical Attack Methods:

Malware (Malicious Software)
 It refers to the generic term for malicious software.

Virus
 It refers to a piece of software code that inserts itself into a host in order to propagate / spread.
 It requires that its host program be run to activate it.

Worm
 It refers to a software program that runs independently, capable of propagating / spreading a complete working version of itself onto another function.
 It consumes the resources of its host in order to maintain itself.

Macro-Virus (Macro Worm)
 It refers to a macro virus or worm that is executed when the application object that contains the macro is opened or a particular procedure is executed.

Trojan Horse
 It refers to the program that appears to have a useful function but contains a hidden function that presents a security risk.

Banking Trojan
 It refers to a trojan that comes to life when computer owners visit an online banking or e-commerce site.

Denial-of-Service (DoS) Attack
 It refers to an attack on a website in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources.

Page Hijacking
 It refers to creating a rogue copy of a popular website that shows contents similar to the original. Once there, an unsuspecting user is redirected to malicious websites.

Bot-Net
 It refers to a huge number (hundreds of thousands) of hijacked internet computers that have been set up to forward traffic, spam and viruses to other computers on the Internet.

Malvertising
 It refers to the use of online advertising to spread malware.

Identity Theft
 It refers to the fraud that involves (1) stealing the identity of a person, then (2) using that identity by someone pretending to be someone else in order to steal money or get other benefits.

Phishing
 It refers to the crimeware technique to steal identities, which involves acquiring sensitive information (usernames, passwords, and credit-card details).

 It refers to small programs that install themselves on computers to monitor user Web surfing activity.

Zombies
 It refers to computers infected with malware that are under the control of a spammer, hacker, or other criminal.

Non-Technical Methods:

Spam
 It refers to the electronic equivalent of junk mail.

E-mail Spam
 It refers to a subset of spam that involves nearly identical messages sent to numerous recipients by e-mail.

Spyware
 It refers to the software that gathers user information over an Internet connection without the user’s knowledge.

Search Engine Spam
 It refers to the pages created deliberately to trick the search engine into offering inappropriate, redundant, or poor-quality search results.

Spam Site
 It refers to the page that uses techniques that deliberately subvert a search engine’s algorithms to artificially inflate the page’s rankings.

Splog (Spam Blog)
 It refers to the site created solely for marketing purposes.

Data Breach
 It refers to the security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so.

Social Engineering
 It refers to when an employee exploits his position, relations, and information about the company.
 It is a nontechnical attack that uses some ruse to trick users into revealing information or performing an action that compromises a computer or network.

Information Assurance Model and Defense Strategy

CIA Security Triad (CIA Triad)
 It refers to the three security concepts that are most important to information on the Internet:

Confidentiality
 It refers to the assurance of data privacy and accuracy.
 It involves keeping private or sensitive information from being disclosed to unauthorized individuals, entities, or processes.

Integrity
 It refers to the assurance that stored data has not been modified without authorization.
 It involves assuring that the message sent is the same message as that which was received.

Availability
 It refers to the assurance that access to data service is timely, available, reliable, and restricted to authorized users.

Vulnerability Assessment
 It refers to the process of (1) identifying, (2) quantifying, and (3) prioritizing the vulnerabilities in a system.

Penetration Test (Pen Test)
 It refers to the method of evaluating the security of a computer system or a network by simulating an attack from a malicious source.

EC Security Programs
 It refers to all the policies, procedures, documents, standards, hardware, software, training, and personnel that work together to protect e-commerce related information and other assets.

Computer Security Incident Management
 It refers to monitoring and detection of security events on a computer or computer network, and the execution of proper responses to those events.
 The primary purpose of incident management is the development of a well understood and predictable response to damaging events and computer intrusions.

EC Systems Defense Side:

 It involves the following levels:
1) Defending access to computing systems, data flow, and EC transactions.
2) Defending EC networks.
3) General, administrative, and application controls.
4) Protection against social engineering and fraud.
5) Disaster preparation, business continuity, and risk management.
6) Implementing enterprise-wide security programs.

Defense (1): Access Control, Encryption, and PKI:

Access Control
 It refers to the mechanisms that determine who can legitimately use a network resource.

Biometric Control
 It refers to an automated method for verifying the identity of a person based on physical or behavioral characteristics.

Biometric Systems
 It refers to the authentication systems that identify a person by measurement of a biological characteristic (fingerprints, iris (eye) patterns, facial features, or voice).

Encryption
 It refers to the process of scrambling (encrypting) a message in such a way that it is difficult, expensive, or time-consuming for an unauthorized person to unscramble (decrypt) it.

Plain-Text
 It refers to the unencrypted message in human-readable form.

Cipher-Text
 It refers to the plaintext message after it has been encrypted into a machine-readable form.

Encryption Algorithm
 It refers to the mathematical formula used to encrypt and decrypt messages.

Caesar Ciphering
 It refers to one of the easiest and most famous encryption systems, which uses the substitution of a letter by another one further along the alphabet.

Key (Key Value)
 It refers to the secret code used to encrypt and decrypt a message.

Public Key
 It refers to the encryption code that is publicly available to anyone.

Private Key
 It refers to the encryption code that is known only to its owner.

Key Space
 It refers to the large number of possible key values (keys) created by the algorithm to use when transforming the message.
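
Added example (not part of the handout) tying together the Caesar cipher, the key value and the key space: the shift is the shared secret, decryption is the inverse shift, and because the whole key space is only 25 shifts, every key can be tried in turn, which is exactly why a cipher is only as strong as the size of its key space. The message and the probe word are constructed.

```python
# Added example, not from the handout: Caesar substitution, its key, and its key space.
import string
from typing import Optional

ALPHABET = string.ascii_uppercase

def caesar_encrypt(plaintext: str, key: int) -> str:
    """Replace every letter with the one `key` places further along the alphabet
    (wrapping from Z back to A). The key value is the shared secret. Characters
    that are not letters pass through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)

def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Symmetric: the same key undoes the shift by applying it in the other direction."""
    return caesar_encrypt(ciphertext, -key)

def caesar_key_space() -> int:
    """Number of distinct useful keys: shifts 1..25 (a shift of 0 or 26 changes nothing)."""
    return 25

def exhaustive_search(ciphertext: str, expected_word: str) -> Optional[int]:
    """Try every key in the key space and return the one whose plaintext contains
    the expected word. With only 25 candidates this finishes instantly, which is
    the weakness a large key space is meant to remove."""
    for key in range(1, 26):
        if expected_word.upper() in caesar_decrypt(ciphertext, key):
            return key
    return None

if __name__ == "__main__":
    secret = caesar_encrypt("ATTACK AT DAWN", 3)   # constructed sample message
    print(secret)                                    # DWWDFN DW GDZQ
    print(caesar_decrypt(secret, 3))
    print("keys tried at most:", caesar_key_space())
    print("key recovered:", exhaustive_search(secret, "DAWN"))
```

Compare the 25 candidates here with a modern 128-bit key, which has 2**128 possible values; the algorithm is the same idea (a secret transformation), but the size of the key space is what makes exhaustive search impractical.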
Symmetric (Private) Key Encryption
 It refers to the encryption system that uses the same key to encrypt and decrypt the message.
N.B.: Data Encryption Standard (DES) refers to the standard symmetric encryption algorithm used by US government agencies until October 2000.

Asymmetric (Public) Key Encryption
 It refers to the encryption system that uses a pair of matched keys, including a public key to encrypt a message and a private key to decrypt it, or vice versa.

Public Key Infrastructure (PKI)
 It refers to the scheme for securing e-payments using public key encryption.

Hash Function
 It refers to the mathematical computation applied to a message, using a private key, to encrypt the message.

Message Digest (MD)
 It refers to the summary of a message converted into a string of digits after the hash has been applied.

Digital Envelope
 It refers to the combination of the encrypted original message and the digital signature, using the recipient’s public key.
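
Added example (not part of the handout) that walks through the asymmetric-key, message digest and digital envelope entries above in one piece of code: the digest is computed with SHA-256, the digest is signed with the sender's private key and checked with the sender's public key, and the envelope carries the message encrypted under a fresh symmetric session key that is itself encrypted with the recipient's public key. The RSA key pairs are deliberately tiny textbook ones built from small primes, the symmetric cipher is a toy XOR stream, and the message is constructed; real deployments use 2048-bit or larger keys with RSA-PSS/OAEP padding and a standard cipher such as AES.

```python
# Added example, not from the handout: digest, signature and digital envelope with
# toy-sized textbook RSA so every step is visible. Keys and message are constructed.
import hashlib
import os
from math import gcd
from typing import Tuple

def message_digest(message: bytes) -> bytes:
    """Hash function applied to the message: a fixed-length summary (SHA-256, 32 bytes)."""
    return hashlib.sha256(message).digest()

def _is_prime(n: int) -> bool:
    """Trial division; fine for the small toy primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def toy_rsa_keypair(start: int) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Build a textbook RSA pair from the first two primes above `start`.
    Returns ((e, n), (d, n)): public key, then private key. Toy sized on purpose."""
    primes = []
    candidate = start
    while len(primes) < 2:
        candidate += 1
        if _is_prime(candidate):
            primes.append(candidate)
    p, q = primes
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while gcd(e, phi) != 1:      # e must be coprime to phi(n)
        e += 2
    d = pow(e, -1, phi)          # private exponent: modular inverse of e (Python 3.8+)
    return (e, n), (d, n)

def sign(private_key: Tuple[int, int], message: bytes) -> int:
    """Sign the message digest with the private key. The digest is reduced mod n only
    because the toy modulus is far smaller than a 256-bit digest."""
    d, n = private_key
    h = int.from_bytes(message_digest(message), "big") % n
    return pow(h, d, n)

def verify(public_key: Tuple[int, int], message: bytes, signature: int) -> bool:
    """Anyone with the public key recomputes the digest and checks it against the signature."""
    e, n = public_key
    h = int.from_bytes(message_digest(message), "big") % n
    return pow(signature, e, n) == h

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR the data with a SHA-256 keystream derived from the key.
    Applying it again with the same key decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(b ^ k for b, k in zip(data, stream))

def seal_envelope(recipient_public, sender_private, message: bytes) -> dict:
    """Digital envelope: message encrypted under a fresh session key, the session key
    encrypted with the recipient's public key, plus the sender's signature."""
    e, n = recipient_public
    session_key = os.urandom(4)  # 4 bytes so its integer value stays below the toy modulus n
    return {
        "ciphertext": stream_xor(session_key, message),
        "wrapped_key": pow(int.from_bytes(session_key, "big"), e, n),
        "signature": sign(sender_private, message),
    }

def open_envelope(recipient_private, sender_public, envelope: dict) -> Tuple[bytes, bool]:
    """Only the recipient's private key unwraps the session key; the sender's public key
    then verifies the signature, which is what lets the recipient hold the sender to it."""
    d, n = recipient_private
    session_key = pow(envelope["wrapped_key"], d, n).to_bytes(4, "big")
    message = stream_xor(session_key, envelope["ciphertext"])
    return message, verify(sender_public, message, envelope["signature"])

if __name__ == "__main__":
    sender_pub, sender_priv = toy_rsa_keypair(1_000_000)
    rcpt_pub, rcpt_priv = toy_rsa_keypair(2_000_000)
    order = b"Order 1001: pay 250.00 EUR to merchant"   # constructed sample message
    env = seal_envelope(rcpt_pub, sender_priv, order)
    print(open_envelope(rcpt_priv, sender_pub, env))     # (b'Order 1001: ...', True)
```

Note which key does what: the recipient's public key seals the envelope and only the recipient's private key opens it (confidentiality), while the sender's private key produces the signature and the sender's public key checks it (integrity and non-repudiation). Changing a single byte of the ciphertext makes the verification fail.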

Defense (2): Securing E-Commerce Networks:

Packet
 It refers to the segment of data sent from one computer to another on a network.

Firewall (Choke Point)
 It refers to the single point between two or more networks where all traffic must pass, where a device authenticates, controls, and logs all traffic.

Personal Firewall
 It refers to the network node designed to protect an individual user’s desktop system from the public network by monitoring all the traffic that passes through the computer’s network interface card.

Virtual Private Network (VPN)
 It refers to the network that uses the public Internet to carry information but remains private by using:
a) Encryption to scramble the communications.
b) Authentication.
c) Access control.

Protocol Tunneling
 It refers to the method used to ensure confidentiality and integrity of data transmitted over the Internet by:
a) Encrypting data packets.
b) Sending them in packets across the Internet.
c) Decrypting them at the destination address.

Intrusion Detection System (IDS)
 It refers to a special software that can (1) monitor activity across a network, (2) watch for suspicious activity, and (3) take automated action based on what it sees.

Honey-Pot
 It refers to the production system (Firewalls, Routers, Web Servers, and Database Servers) that looks like it does real work, but that acts as a decoy / trap and is watched to study how network intrusions occur.

Honey-Net
 It refers to a network of honeypots.
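
Added example (not part of the handout) covering the Firewall and IDS entries above: a choke-point packet filter that evaluates every packet against an ordered rule list, denies anything no rule allows, and logs every verdict; then an IDS step that monitors that log, flags a source sending a flood of packets (the DoS pattern from the attack-methods section), and takes automated action by inserting a block rule ahead of the others. The packets, addresses, ports and the flood threshold are constructed for illustration, and the rule format is this example's own, not any product's syntax.

```python
# Added example, not from the handout: default-deny packet filter with logging,
# plus a flood detector that acts on the log. All traffic below is constructed.
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    src: Optional[str] = None    # None matches any source
    dport: Optional[int] = None  # None matches any destination port
    proto: Optional[str] = None  # None matches any protocol

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or self.src == p.src)
                and (self.dport is None or self.dport == p.dport)
                and (self.proto is None or self.proto == p.proto))

@dataclass
class Firewall:
    rules: List[Rule] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def filter(self, p: Packet) -> str:
        """Choke point: first matching rule wins; a packet matching no rule is denied
        (default deny). Every verdict is logged, allowed or not."""
        verdict = "deny"
        for r in self.rules:
            if r.matches(p):
                verdict = r.action
                break
        self.log.append(f"{verdict} {p.proto} {p.src} -> {p.dst}:{p.dport}")
        return verdict

def detect_flood(fw: Firewall, threshold: int) -> List[str]:
    """IDS step over the firewall log: any source with more than `threshold` packets
    in this window is flagged, and a deny rule for it is inserted at the top so the
    automated action takes effect on the very next packet."""
    sources = Counter(line.split()[2] for line in fw.log)
    flagged = [src for src, count in sources.items() if count > threshold]
    for src in flagged:
        fw.rules.insert(0, Rule("deny", src=src))
    return flagged

def demo():
    """Constructed traffic: normal shop visits, one probe at a database port, one flood."""
    fw = Firewall(rules=[
        Rule("allow", dport=443, proto="tcp"),   # HTTPS to the shop
        Rule("allow", dport=80, proto="tcp"),    # HTTP to the shop
        # anything else (for example the database port) falls through to default deny
    ])
    traffic = [Packet("203.0.113.5", "198.51.100.10", 443)] * 3
    traffic += [Packet("203.0.113.7", "198.51.100.10", 3306)]       # database port from outside
    traffic += [Packet("203.0.113.9", "198.51.100.10", 443)] * 50   # flood on an allowed port
    verdicts = [fw.filter(p) for p in traffic]
    flagged = detect_flood(fw, threshold=20)
    after = fw.filter(Packet("203.0.113.9", "198.51.100.10", 443))
    return verdicts, flagged, after

if __name__ == "__main__":
    verdicts, flagged, after = demo()
    print(Counter(verdicts), flagged, after)
```

The point worth noticing is that the flood uses a port the firewall allows, so the filter alone passes it; only the detection step, watching the log the filter produces, catches the pattern and feeds a new rule back into the choke point.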

Defense (3): General, Application and Internal Controls:

General Control
 It refers to the controls established to protect the system regardless of the specific application.
 It involves protecting hardware and controlling access to the data center.

Application Controls
 It refers to the controls that are intended to protect specific applications.

Intelligent Agents
 It refers to the software applications that have some degree of reactivity, autonomy, and adaptability based on changes occurring in their environment.
 They are needed in unpredictable attack situations.

CAN-SPAM
 Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM).
 It refers to the law that makes it a crime to send commercial e-mail messages with false or misleading message headers or misleading subject lines.

Certificate Authorities (CAs)
 It refers to third parties that issue digital certificates.

Digital Signature (Digital Certificate)
 It refers to validating the sender and time stamping of a transaction so it can't be later claimed that the transaction was unauthorized or invalid.

N.B.: Cloud Computing Prevents DoS Attacks.

N.B.: SSL refers to Secure Socket Layer.

CSI Computer Crime & Security Survey
 It refers to the annual security survey of US corporations and government agencies conducted by the Computer Security Institute (CSI).

Enterprise-Wide Security Programs:

Acceptable Use Policy (AUP)
 It refers to the policy that informs users of their responsibilities when using company networks, wireless devices, and consumer data.

Business Impact Analysis (BIA)
 It refers to an exercise that determines the following:
a) Impact of losing the support of an EC resource.
b) Escalation of that loss over time.
c) Minimum resources needed to recover.
d) Priorities of the recovery of processes and supporting systems.

Standard of Due Care
 It refers to the care that a company is reasonably expected to take based on the risks affecting its EC business and online transactions.

Computing Technology Industry Association (CompTIA)
 It refers to the non-profit trade group providing information security research and best practices.
