Security Issues in ECommerce
E-commerce is defined as the buying and selling of products or services over electronic systems such as the Internet.
A wide variety of commerce is conducted via E-Commerce, including electronic funds transfer, supply chain management, Internet marketing, online transaction processing, electronic data interchange (EDI), inventory management systems, and automated data collection systems.
Introduction (Cont.)
Massive increase in the uptake of eCommerce has led to a new generation of associated security threats, but any eCommerce system must meet four integral requirements:
Privacy: information exchanged must be kept from unauthorized parties
Integrity: the exchanged information must not be altered or tampered with
Authentication: both sender and recipient must prove their identities to each other
Non-repudiation: proof is required that the exchanged information was indeed received
Privacy
The rise of identity theft and impersonation means that any concern for consumers must be treated as a major concern for eCommerce providers. Privacy now forms an integral part of any e-commerce strategy, and investment in privacy protection has been shown to increase consumer spend, trustworthiness and loyalty.
maintain data integrity. A key development for the widespread growth of E-Commerce is the introduction of the Digital Signature. An electronic signature may be defined as:
any letters, characters, or symbols manifested by electronic or similar means and executed or adopted by a party with the intent to authenticate a writing
on-paper signature, asymmetric key cryptology must have been employed in its production. Digital Signatures using public-key cryptography and hash functions are the generally accepted means of providing
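As an added example (not from these slides), the signature mechanism described above in Go: the order message is hashed with SHA-256 and the digest is signed with the buyer's RSA private key (RSA-PSS), so a copy altered after signing, or a signature produced with someone else's key, fails verification under the buyer's public key. The order format, field names and key sizes are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// orderBytes builds a constructed (illustrative) order message; real systems use a canonical serialisation.
func orderBytes(orderID string, amountCents int, payee string) []byte {
	return []byte(fmt.Sprintf("order=%s;amount=%d;payee=%s", orderID, amountCents, payee))
}

// SignOrder hashes the order with SHA-256 and signs the digest with the signer's RSA private key (RSA-PSS).
func SignOrder(priv *rsa.PrivateKey, order []byte) ([]byte, error) {
	digest := sha256.Sum256(order)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifyOrder recomputes the digest and checks the signature under the claimed signer's public key.
func VerifyOrder(pub *rsa.PublicKey, order, sig []byte) bool {
	digest := sha256.Sum256(order)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Demo returns whether the genuine order verifies, whether a tampered copy still verifies (integrity),
// and whether a signature made with another party's key passes under the buyer's key (authentication).
func Demo() (genuine, tampered, forged bool, err error) {
	buyer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	impostor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	order := orderBytes("A1001", 4999, "shop")
	sig, err := SignOrder(buyer, order)
	forgedSig, err2 := SignOrder(impostor, order)
	if err != nil || err2 != nil {
		return false, false, false, fmt.Errorf("signing failed: %v %v", err, err2)
	}
	genuine = VerifyOrder(&buyer.PublicKey, order, sig)                                // true
	tampered = VerifyOrder(&buyer.PublicKey, orderBytes("A1001", 499900, "shop"), sig) // false
	forged = VerifyOrder(&buyer.PublicKey, order, forgedSig)                           // false
	return genuine, tampered, forged, nil
}
```

Because anyone holding the buyer's public key can run VerifyOrder, a valid signature also serves as the non-repudiation evidence the slides call for.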
Technical Attacks
Denial of Service (DoS) attacks consist of overwhelming a server, a network or a website in order to paralyze its normal activity. A major difficulty in thwarting these attacks is tracing the source of the attack, as they often use incorrect or spoofed IP source addresses to disguise the true origin of the attack.
Unusually slow network performance
Unavailability of a particular web site
Inability to access any web site
Dramatic increase in the number of spam emails received
Teardrop Attack
A Teardrop attack involves sending mangled IP fragments with overlapping, over-sized payloads to the target machine. A bug in the TCP/IP fragmentation re-assembly code of various operating systems causes the fragments to be improperly handled, crashing the machine as a result.
Social Engineering
Social engineering is the art of manipulating people into performing actions or divulging confidential information. Social engineering techniques include pretexting, interactive voice response (IVR) or phone phishing, and baiting with Trojan horses.