
Chapter Five

Lecture Notes
Dr. Rana Nour El-Deen
The E-commerce Security Environment

Firstly: Scope of the problem

- Cybercrime is becoming a more significant problem for both organizations and consumers. But despite the increasing attention being paid to cybercrimes, it is difficult to accurately estimate the actual amount of such crime, in part because many companies are hesitant to report it due to the fear of losing the trust of their customers, and because even if crime is reported, it may be difficult to quantify the actual dollar amount of the loss.

- McAfee/Center for Strategic and International Studies study: the global economic impact of cybercrime and cyberespionage is between $455 billion and $600 billion.

- Reports by security product providers indicate increasing cybercrime.

- Online credit card fraud is one of the most high-profile forms.

- Criminals who steal information on the Internet do not always use this information themselves, but instead derive value by selling the information to others on the so-called underground or shadow economy market.

Secondly: Dimensions of E-commerce security

There are six key dimensions to E-commerce security: integrity, nonrepudiation, authenticity, confidentiality, privacy, and availability.

Integrity: the ability to ensure that information being displayed on a website, or transmitted or received over the internet, has not been altered in any way by an unauthorized party.

Nonrepudiation: the ability to ensure that e-commerce participants do not deny (repudiate) their online actions.

Authenticity: the ability to verify the identity of a person or entity with whom you are dealing on the internet.

Confidentiality: the ability to ensure that messages and data are available only to those who are authorized to view them.

Privacy: the ability to control the use of information a customer provides about himself or herself to an e-commerce merchant.

Availability: the ability to ensure that an e-commerce site continues to function as intended.

The six dimensions from the customer's and the merchant's perspective:

Dimension: Integrity
Customer's perspective: Has information I transmitted or received been altered?
Merchant's perspective: Has data on the site been altered without authorization? Is data being received from customers valid?

Dimension: Nonrepudiation
Customer's perspective: Can a party to an action with me later deny taking the action?
Merchant's perspective: Can a customer deny ordering products?

Dimension: Authenticity
Customer's perspective: Who am I dealing with? How can I be assured that the person or entity is who they claim to be?
Merchant's perspective: What is the real identity of the customer?

Dimension: Confidentiality
Customer's perspective: Can someone other than the intended recipient read my messages?
Merchant's perspective: Are messages or confidential data accessible to anyone other than those authorized to view them?

Dimension: Privacy
Customer's perspective: Can I control the use of information about myself transmitted to an e-commerce merchant?
Merchant's perspective: What use, if any, can be made of personal data collected as part of an e-commerce transaction? Is the personal information of customers being used in an unauthorized manner?

Dimension: Availability
Customer's perspective: Can I get access to the site?
Merchant's perspective: Is the site operational?

Thirdly: Malicious Code

Malicious code is designed to take advantage of software vulnerabilities in a computer's operating system, web browser, applications, or other software components.

Examples:

- Virus: a computer program that has the ability to replicate or make copies of itself, and spread to other files.

- Worms: malicious code that is designed to spread from computer to computer.

- Malvertising: online advertising that contains malicious code.

- Drive-by download: malicious code that comes with a downloaded file that a user requests.

- Ransomware: malicious code that prevents you from accessing your computer or files and demands that you pay a fine.

- Trojan Horse: malicious code that looks legitimate but can take control of your computer. A Trojan is designed to damage, disrupt, steal, or in general inflict some other harmful action on your data or network.

- Bot: a type of malicious code that can be covertly installed on a computer when it is connected to the internet. Once installed, the bot responds to external commands sent by the attacker.

In addition to malicious code, the e-commerce security environment is further challenged by:

- Credit Card Fraud/Theft: theft of credit card data is one of the most feared occurrences on the internet. Fear that credit card information will be stolen prevents users from making online purchases in many cases.

- Spyware: a program used to obtain information such as a user's keystrokes, e-mail, instant messages and so on.

- Phishing: an online attempt by a third party to obtain confidential information for financial gain.

This is in addition to adware, browser parasites, phishing, spoofing, pharming, spam (junk) websites, and sniffers.

Fourthly: Developing an E-commerce security plan

The following figure illustrates the key steps in developing a solid security plan:

Step 1: Risk assessment
An assessment of the risks and points of vulnerability.

Step 2: Security Plan
Prioritizing the information risks, identifying acceptable risk targets, and identifying the mechanisms for achieving these targets.

Step 3: Implementation Plan
The action steps you will take to achieve the security plan goals.

Step 4: Security Organization
Educates and trains users, keeps management aware of security threats and breakdowns, and maintains the tools chosen to implement security.

Step 5: Security Audit
Involves the routine review of access logs (identifying how outsiders are using the site as well as how insiders are accessing the site's assets).
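As an added example (not from the lecture notes), a small Python script for the audit step in Step 5: it parses constructed access-log lines, separates insiders from outsiders by an assumed internal address range (10.0.0.0/8) and business-hours window (08:00-17:59), tallies which assets each group accessed, and flags items for the reviewer. All addresses, users and paths are invented.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample access log (common log format); addresses and users are invented.
SAMPLE_LOG = """\
10.0.0.5 - mona [10/Mar/2024:09:01:12 +0200] "GET /admin/orders HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:09:02:40 +0200] "GET /products/42 HTTP/1.1" 200 2048
203.0.113.7 - - [10/Mar/2024:09:02:41 +0200] "POST /checkout HTTP/1.1" 302 0
198.51.100.9 - - [10/Mar/2024:09:03:05 +0200] "GET /admin/orders HTTP/1.1" 403 0
10.0.0.8 - ahmed [10/Mar/2024:23:55:10 +0200] "GET /admin/customers/export HTTP/1.1" 200 90000
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate address range
BUSINESS_HOURS = range(8, 18)                          # assumed 08:00-17:59 local time
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$')


def parse_log(text: str) -> list:
    """Parse log lines into dicts, tagging each request as insider or outsider."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the audit
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["hour"] = int(e["ts"].split(":")[1])
        e["insider"] = any(ipaddress.ip_address(e["ip"]) in net for net in INTERNAL_NETS)
        entries.append(e)
    return entries


def audit_summary(entries: list) -> dict:
    """Tally assets per group; flag outsiders touching admin paths and insiders
    using admin paths outside business hours."""
    summary = {"insider_assets": defaultdict(int), "outsider_assets": defaultdict(int),
               "findings": []}
    for e in entries:
        group = "insider_assets" if e["insider"] else "outsider_assets"
        summary[group][e["path"]] += 1
        if e["path"].startswith("/admin/"):
            if not e["insider"]:
                summary["findings"].append(
                    f"outsider {e['ip']} requested {e['path']} (status {e['status']})")
            elif e["hour"] not in BUSINESS_HOURS:
                summary["findings"].append(
                    f"insider {e['user']} used {e['path']} at {e['ts']}")
    return summary
```

Running audit_summary(parse_log(SAMPLE_LOG)) on the sample yields two findings: an outsider refused at an admin path, and an insider exporting customer data late at night.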

Fifthly: E-commerce payment systems

A) Online credit card payment

- Credit and debit cards are the primary online payment methods.

- Credit cards expand the user's purchasing power and raise standards of living; in addition, credit cards provide a convenient payment method for purchases.

- Limitations of online credit card payment:

- Security: online credit card payment systems offer poor security. Neither the merchant nor the consumer can be fully authenticated. The merchant could be a criminal organization designed to collect credit card numbers, and the consumer could be a thief using stolen or fraudulent cards. Moreover, the risk facing the merchant is high, as consumers may repudiate charges or transactions even though the goods have been shipped.

- Administrative and transaction costs: the administrative costs of setting up an online credit card system and becoming authorized to accept credit cards are high. Moreover, the transaction costs for merchants are also significant (roughly 3% of the purchase plus transaction fees).

- Social equity: credit cards are not very democratic, as many people are banned from getting credit cards due to their jobs or their low incomes.

B) Alternative payment systems:

The limitations of the online credit card system have opened the way for the development of a number of alternative online payment systems.

* Online stored value system: permits consumers to make instant, online payments to merchants and other individuals based on value stored in an online account.

Example: PayPal enables individuals and businesses to make and receive payments up to a specified limit.

Another example is Pay with Amazon, which targets consumers who have concerns about entrusting their credit card information to unfamiliar online retailers. Consumers can purchase goods and services at non-Amazon accounts without having to re-enter their payment information at the merchant's sites.

* Mobile payment systems: mobile payments involve any type of payment using a mobile device, including bill pay, online purchases, in-store purchases, and P2P payments. Mobile wallets are smartphone apps that store debit cards, reward coupons, invoices, and vouchers that might be found in a traditional wallet.

Example: Apple Pay, Samsung Pay, Al Ahli Phone Cash

* Electronic Billing Presentment and Payment (EBPP): a form of online payment system for monthly bills. EBPP services allow consumers to view bills electronically using either their desktop PC or mobile device and pay them through electronic funds transfers from bank or credit card accounts.

* Blockchain:

- A blockchain is essentially a massive digital ledger that records financial transactions. It can also be used to securely keep important and valuable records, protecting them from alteration, theft or abuse.

- A blockchain is a system in which a record of transactions made in bitcoin or another cryptocurrency is maintained across several computers that are linked in a peer-to-peer network.

- Blockchain enables organizations to create and verify transactions nearly instantaneously using a distributed P2P database (distributed ledger).

The following figure illustrates how a blockchain works:
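As an added illustration (not from the lecture notes or any real blockchain implementation), the following Python sketch builds a small hash-linked ledger over constructed sample transactions and shows the property behind the "cannot be altered retroactively" benefit: changing a recorded transaction breaks the hash stored in that block, and recomputing only that block's hash still breaks the link held by every later block. Party names and amounts are invented.

```python
import copy
import hashlib
import json
from dataclasses import dataclass


@dataclass
class Block:
    index: int
    transactions: list
    prev_hash: str
    hash: str = ""

    def compute_hash(self) -> str:
        # The hash covers this block's transactions AND the previous block's hash,
        # so each block commits to the whole history before it.
        payload = json.dumps({"index": self.index, "transactions": self.transactions,
                              "prev_hash": self.prev_hash}, sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


def build_chain(tx_batches: list) -> list:
    """Link each batch of transactions to the block before it by hash."""
    chain, prev_hash = [], "0" * 64  # the genesis block has no predecessor
    for i, txs in enumerate(tx_batches):
        block = Block(i, txs, prev_hash)
        block.hash = block.compute_hash()
        chain.append(block)
        prev_hash = block.hash
    return chain


def verify_chain(chain: list) -> int:
    """Return the first invalid block's index (bad hash or broken link), or -1 if intact."""
    prev_hash = "0" * 64
    for block in chain:
        if block.hash != block.compute_hash() or block.prev_hash != prev_hash:
            return block.index
        prev_hash = block.hash
    return -1


# Constructed sample ledger: three batches of payments between hypothetical parties.
SAMPLE_CHAIN = build_chain([[{"from": "alice", "to": "bob", "amount": 10}],
                            [{"from": "bob", "to": "carol", "amount": 4}],
                            [{"from": "carol", "to": "alice", "amount": 1}]])


def tamper_demo(rehash_altered_block: bool = False) -> int:
    """Alter block 1's payment on a copy; return the failing block: 1, or 2 if rehashed."""
    tampered = copy.deepcopy(SAMPLE_CHAIN)
    tampered[1].transactions[0]["amount"] = 400
    if rehash_altered_block:
        tampered[1].hash = tampered[1].compute_hash()  # block 2 still holds the old hash
    return verify_chain(tampered)
```

In a real network the altered copy would also have to win acceptance from the other peers holding the ledger, which is why the peer-to-peer replication described above matters as much as the hash linking.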


Benefits of Blockchain:

- Reduces the costs of verifying users, validating transactions, and the risks of storing and processing transaction information.

- Transactions cannot be altered retroactively and therefore are more secure.

- Regarding supply chain management, where supply chain participants are not known or trusted, blockchain technology can add trust, transparency, and traceability.

- Blockchain is the technology that enables the existence of cryptocurrency, aiming to create a purely digital medium of exchange.

Bitcoin is the name of the best-known cryptocurrency, and it is worth mentioning that there are some limitations directed at Bitcoin, such as:

- The value of Bitcoins has widely fluctuated.

- Major issues with theft and fraud.

- Some governments have banned Bitcoin, although it is gaining acceptance in the U.S.
