Security in E-Commerce
Security in E-Commerce
Security in E-Commerce
INTRODUCTION
The information technology has proved to be boon for the people and the society. It has made
deep inroads into every walk of our life. It has radically changed the way we think, we work, we
manage and we communicate with each other. The developments in the computer and
communication technology have made our lives easy and comfortable. However there are
always two sides of everything. These systems will remain vulnerable to threats from various
sources in a variety of forms. These threats need to be taken care of so as to safeguard the IT
systems in order to reap the benefits offered by this technology. In this chapter, we shall
discuss the various security threats faced by the IT systems and the means of securing these
systems from such threats.
OBJECTIVES
SECURITY ISSUES
The information technology is affected by a number of factors, which make it ineffective and
inefficient. The IT systems may be harmed by a variety of factors which can also be referred to
as threats. These threats may either be against the IT systems or using these systems. The
threats to Information technology systems can broadly be classified into the following:
The natural calamities such as Earthquake, tornadoes, hurricanes, fire, floods, etc. are
disastrous as they can damage the entire IT systems as has happened in Earthquake in
Gujarat and Floods in Andhra Pradesh. These calamities generally affect wider areas thereby
1
disabling all the electronic based systems. The equipments like ATM’s, Insurance Networks,
etc. are rendered useless without power and communication capabilities.
Apart from these the other factors responsible for affecting the working of IT systems include:
Civil Strife, Terrorism, etc. An example of this is the September 11, 2001 terrorist attack on
World Trade Twin Towers and Pentagon, when organisations had to move their equipments to
new offices and places and re-establish their communication capabilities. This has forced
Pentagon to rework its strategy to protect its equipments from the intruders both from land and
the skies.
The errors and accidents in IT systems can be attributed to a number of factors such as
People, Procedures, Software, electro-mechanical and data. The People use, run and manage
the IT systems. The errors committed (or indifference) by them in using or operating these
systems can affect the functioning of the systems. Similarly lack in following procedures
properly may also render the IT equipments useless. For example, processes of back-ups if
not completed routinely or not following up the mandatory change in user password
periodically (say a fortnight), etc. are some of the procedural errors.
Likewise software bugs may also render the systems in operational. The software bugs also
sometimes referred, as “Software Glitches” are the errors in a program(s) that causes it not to
work properly and produce the desired result. For example, in banking system, if the
transaction of withdrawal of money is updated twice due to programming error may result in
chaos. Similarly if booking data in train/air reservations are not processed or processed more
than once, for a particular city/agent code may result in under-or-over bookings. Another
example is that the letters sent to the candidates admitted in MBA programme indicting the
date of beginning of the session as 05/04/2002 while the actual date was 4 th May 2002. The
fault was the wrong date format chosen for the letters. The complex software generally face lot
of bugs and therefore needs to be tested and debugged thoroughly using multiple tools before
their actual adoption in live situations.
The IT systems are composed of a number of electro-mechanical devices. These devices are
composed of thousands of parts and a fault in any one of them may cause disruption of the
system. The Printers, Circuit Boards, SMPS, etc. are some of the equipments/components
that may cause such type of faults. The overheating, poor power quality (spikes and surges),
blackouts and brownouts, jamming of paper pickup assembly or head rod, etc. are some of the
electro-mechanical faults. These errors can be classified as ‘normal accidents’ and can
happen anytime and nothing can be done to pre-empt them.
Another source of system disruption could be ‘data’ itself. The quality of data can ruin the
performance of a system. The poor quality data generally referred to as ‘dirty data’ or ‘bad
data’ is the data that is incomplete, inaccurate, outdated, unreliable or inconsistent. The data
to be used in the system must have these characteristics for effective and efficient working of
the IT systems.
Viruses
Viruses and worms are forms of high-tech threats. Vital Information Resources Under Siege
(VIRUS) is the acronym for Computer Viruses. A virus is a ‘deviant’ program that attaches
2
itself to computer systems and destroys or corrupts data or systems or both. It is a computer
program written by an ill-intentioned Programmer. A worm is a program that copies itself
repeatedly into memory or onto floppy or hard disk until no more space remains. A list of
commonly found viruses is given in the box below.
Jerusalem – It was first seen in 1987 and now has over 250 variations or stains.
Monkey – It is a stealth boot virus that hides the hard disk from the computer when it is booted
from a floppy disk.
Michaelangelo – This virus wipes out data on March 6, the birthday of the artist.
SirCam, Red Code and Nimda are some of the commonly found internet viruses
Perverse Software: The virus programs are classified as Perverse Software. A perverse
software is a class of software that is designed to seriously affect the working of a computer.
They have the ability to clone themselves and can do unpredictable damage to information. It
is the intellectual destructive creation of a human computer programmer. There are two major
sources of Viruses:
Through Diskettes – Infected diskette from friends, service engineers, or demo kits
Through Network – E-mail, Freeware Software, Freebie games, etc. It is therefore advised
to scan these before opening or downloading them.
• The biological virus has specific coded strains while each computer virus has specific
signatures.
• Both invade and replicate only in host. The biological virus replicates in human beings
while computer virus replicates in computer programs.
• The patient or host computer both shows effects of virus through symptoms or effects.
This helps in preparation of vaccine.
3
• Take control of your computer without your knowledge i.e. alter the way the computer
operates
• Cause your computer to behave strangely, for example beep or display annoying
messages
• Hide in macros that infect and spread throughout Word and Excel documents.
• Cause serious destruction to your files. They can damage data, delete files and can
even erase or format your hard disk.
• Remain inactive until a pre-determined trigger date (for example 13th) to wreak havoc.
a. Bombs: A bomb gets triggered by an event, which is logical or time based. They are set to
go off at a certain date and time. The bomb explodes when the conditions of explosion are
fulfilled causing the damage immediately. These programs cannot infect other programs i.e.
they do not propagate. These are of two types:
Logic Bomb - These are activated by certain combination of events. e.g. a code, like if
myfile is deleted then destroy all the files, etc.
b. Trojans or Trojan Horse: Trojan horse is an illicit coding contained in a legitimate program
and causes an illegitimate action. The Trojan horse covertly places illegal, destructive
instructions in the middle of a program. A trojan may change or steal the password or may
modify records in protected files. Trojans cannot copy themselves to other software in the
same or other systems.
c. Worms: The worms are standalone programs and therefore can be detected easily. A worm
can relocate itself and does not require a host program unlike trojans. Thus a WORM program
copies itself to another machine on the network. Worms can help to sabotage systems but can
also be used for useful purpose such as testing of a network.
d. Viruses: The computer virus, a chronological successor of worm programs, is the most
dangerous perverse software, which can reproduce itself within a computer system. Computer
4
viruses can get the better of the Operating System thereby taking control of the system, which
may lead to destruction of the data and programs. A virus acts like a parasite thereby evade
early detection.
Types of Viruses
There are various ways in which the viruses can be categorized. The prominently referred
categories of viruses are:
Program viruses infect programs that we run. They attach themselves to executable files (such
as .EXE or .COM) i.e. those that actually begin a program. When the program is run, the virus
gets activated and tries to get into main memory.
Boot viruses infect boot sector and master boot records on disks. The boot sector is that part
of the system software containing instructions for starting or powering up the system. The boot
sector virus replaces the boot instructions with its own instruction code and when the system is
switched on, the virus gets loaded into main memory before the operating system or boot
instructions. Once available in memory, it can spread virus to other files used on the system.
Some viruses fall into both categories called multipartite viruses. They have ability to infect
program files, boot records and master boot records. In addition some viruses are called
stealth or polymorphic viruses. They have unique way of making detection more difficult. This
type of viruses can change form and profile just as human viruses thereby avoiding detection
even by the anti-virus software.
Symptoms of Viruses
5
A large number of software is available to fight the virus-menace. These are available on
various platforms and in various versions such as for DOS, Windows 98, Windows-NT and
Professional or Enterprise edition. These are referred to as ‘Anti-Virus Software’. Anti-virus
software safeguards the computer by scanning the computer’s hard disk, diskettes, and main
memory to detect viruses. This software gets loaded in the computer memory at the time of
booting of the system and keeps a vigil on information coming from diskettes or through the
network. Whenever the user accesses any infected diskette or file, the software issues a
warning. These software need to be updated regularly so as to protect the systems from new
viruses. This is possible through the Live Updates from the Internet for the anti-virus software,
which updates the virus definitions. Some of the popular anti-virus software is: Norton Anti-
Virus, McAfee, Protector Plus, Panda Security, etc. A detailed and up-to-date material is
available on the World Wide Web at http://www.symantec.com and http://www.mcafee.com.
Computer Criminals
According to studies, the people who perpetrate the computer crime, about 80% of them are
employees and the rest are outsiders. The outsiders may comprise of hackers, crackers and
professional computer criminals. The number of such people is increasing steadily due to the
increasing penetration of networks (Internet in particular), which enables a person to access
the organizational network.
Employees Employees by virtue of having the knowledge and access to the organizational
systems pose a greater threat to the computers and communication systems.
Dishonest and disgruntled employees can play havoc with the system. According to
criminal justice Professor David Carter, of Michigan State University, who conducted a
survey on computer crime in a number of companies, found that “Seventy five to 80%
of everything happens from inside”. According to him, most common frauds involved
credit cards, telecommunications, unauthorized access to confidential files and
unlawful copying of copyrighted or licensed software.
Employees may also use information technology for personal gains by stealing and selling
hardware or information to outside persons. For example, an employee sells the
students’ database in the college from the computer department to private coaching
institutes. Similarly, a Computer Operator in the computer lab of a college physically
damaged Software CDs by scratching them, damaged the ports in the network hub so
that the students do not disturb him frequently.
Hackers and Crackers Hackers are people who gain unauthorized access to the IT systems
for the challenge. They are the people involved in healthy exploration According to
computer security experts, the hackers .are serving a very useful public purpose as by
hacking the corporate or organizations IT systems they are exposing the weaknesses of
the systems. The hackers thus enable an organization to plug the loopholes in their
systems. Some organizations even encourage and sponsor hackers so as to use their
feedback to continuously protect their IT systems from unauthorized access. For example
in late 1995, Netscape launched its Bugs-Bounty program offering a cash reward to the
first hacker to identify a significant security flaw in its latest web browser software.
Crackers are the people who also gain unauthorized access to the IT systems but for the sole
purpose of carrying out malicious activity. The distinction between a cracker and a hacker is
waning fast as the hackers these days also show malicious intent. Crackers break into
information technology systems (either computer systems or communication systems)
6
deliberately to perform malafide actions such as destroy data, obtain financial data, pirate
software or cause any other damage.
The IT systems are thus faced with threat to their security both from hackers and crackers.
The hacking has become more commonplace with the spread of Internet and its use by the
corporate by having websites. This has assumed serious ramifications for the sites conducting
e-commerce through the Internet. For example in India, in March 2002, a 16 year school
dropout from Pondicherry was booked for bombarding a UK based web hosting company with
thousands of junk e-mails as a result of which the company was unable to conduct any
business. Thanks to the IT Act, under which the boy was booked by the Cyber crime cell.1
Spamming is the junk or unsolicited e-mail. Unlike postal mail where the entire cost is borne by
the marketer, in case of junk e-mail or spam, people have to pay money for this privilege of
receiving this spam. According to an informal survey of several major ISPs, most said that
over 30% of the e-mail reaching their users was spam. This forces the ISPs to invest heavily in
more powerful hardware and extra bandwidth and keep more staff to handle spam complaints.
According to one of the surveys in 2000, 30.2% of the spam on the net today is sent by
ChooseYourMail.com. A mail is considered not a spam if it includes option to unsubscribe it.
Professional Computer Criminals This is another category of people who pose threat to the
IT Systems. They use the IT Systems for illegal purposes. The IT equipments have been used
by these professional criminals for activities such as: hawala racket (money laundering system
for illegal activities in other countries), drug trafficking rackets, transfer funds, forge
documents, and for terrorism acts. For example, several cases have been registered for
printing of forged currency, educational degrees, drafts, immigration papers, driving licenses,
etc.
The IT crimes are becoming more and more sophisticated, as are the people responsible for
preventing them. It is due to this reason that an exclusive Cyber Crime Cell has been setup by
the Central Bureau of Investigation (CBI), agency that is responsible for controlling such
crimes in India. They are regularly training their personnel to handle
Like a gun, a knife or a car is used by intruders/thieves for committing a crime, the IT
equipments may also be used by certain people to commit an illegal act. Crimes such as using
a computer to siphon off money from bank accounts, or manipulating electricity bills, etc. are
some of the examples where IT systems assists in committing a crime.
This threat covers the crimes committed against the information technology equipments such
as Computers, Communication, etc. The crimes may include theft of:
• hardware
• software
• data and information
• services
7
The theft of hardware can range from shoplifting an accessory in a computer store to stealing
a laptop or a notebook computer from a car or cables in a communication system. Theft of
computers and communication cables has become a serious issue especially in educational
institutions. In such cases the thieves (generally computer knowledgeable) do not take away
peripheral devices, which are difficult to carry but take away the easy to carry items such as
CPU, Memory, Hard Disks, etc. For example in Delhi University alone several cases have
been reported on theft of Hard Disks and Memory. Theft of communication cables is quite
commonplace in India.
The theft of software can also range from physically stealing the floppy diskettes or CD’s of
software to copying the software for illegal purposes. In India, the copying of expensive and
commonly used software is very high. The non-affordable copyrighted software such as MS-
Office, Windows 98/NT, AutoCAD, SPSS, MS PhotoShop are available in the grey (unofficial)
market for as low as Rs. 200 for a CD. In this activity that is normally referred to as “Software
Piracy”, the companies acquire a legal copy of the software and the make multiple copies of it
for selling them to users at a very low price. In some countries especially the Asia and Latin
America, 90% of the micro-computer software is illegal or pirated. NASSCOM is a body, which
is responsible for curbing the Software Piracy in India.
The theft of data and information may include stealing or accessing confidential corporate
data, credit card numbers, stealing of personal records data, etc. For example, the increasing
use of Smart Cards or other forms of Cybercash will lead to easy money laundering which is a
financial crime. Smart Card is a memory chip that can be stored/filled with equivalent amount
of cash (currency data) that can be carried in pocket without being noticed. The
stealing/copying the business data/information from systems of competitors is a crime.
Similarly financial transactions over the Internet are not considered safe due to the chances of
credit card numbers being stolen over the net, which can later be used for illicit purposes.
The theft of computer time and services is another crime against IT systems. The theft of
computer time is quite common. The employees using the computer of their employer for
playing games, taking printouts, Internet access for personal gains, etc. are common instances
of such theft. The theft of Internet Login name and password of someone else is another
category of crime in this category. The piracy of cable connection for multiple usages is also a
crime against the IT systems.
Security is a system of protecting information technology against various threats such as:
natural disasters, system failure, unauthorized access and its misuse. Since security involves
cost and cost is a major component of any system therefore higher security requires higher
cost. The organizations or individuals therefore will have to decide how much security is
required for their IT system and correspondingly allocate funds for the same. Although no
system is fully secure but certain safeguard mechanism has to be built so as to ensure an
acceptable level of security. Some of the prominent and commonly used security methods are:
8
Identification and Access
The first step to achieve security is to ensure that only legitimate persons are allowed access
to the system. The computer rooms are generally locked, sealed and guarded by security
personnel. These security personnel need to verify the identity of each user before letting them
in. Reliable user authentication is becoming an increasingly important task in the web-enabled
world. The consequences of an insecure authentication system in an enterprise can be
catastrophic. For this purpose security systems generally make use of three techniques. The
authentication is achieved by finding out:
• What the user have – Some of the identification tools are Employee Identity cards,
Credit cards, Election ID cards, Passport, Badges, Keys, etc. However these tools
have a drawback that they can be duplicated, forged, lost, stolen or counterfeited.
Therefore security personnel not always depend on these identification tools.
• What the user know - This method of identification makes use of certain codes such
as Password, User ID, Personal Identification number or any other code word, and
digital signatures. A password is a special code or set of characters that is required to
access a system. For example to enter into high security zones, passwords or code
words are used, to log onto the Internet what we need to provide is the user password.
Similarly PIN (Personal Identification Number) is the security code number to establish
the identity of a person to be allowed access to the system for example while using an
ATM, a user is required to enter his PIN to gain access to the account. The limitation
of these is that User ID are shared, there are many passwords and they can be easily
guessed or stolen or forgotten. To minimize this weakness, experts recommend that
passwords should at least be of eight characters and mix the letters, numbers and
punctuation marks. It should not be somebody’s name, birthday or address. Another
problem is that today a user has to remember a number of such passwords thereby
overloading the memory of users.
• What you know and what you have – This method makes use of a combination of
the above two identifications. Examples of this mechanism are ATM Cards, PIN, etc. But the
cards are shared while PIN is a weak link due to writing of PIN on the card.
• Who the user is – One of the emerging and efficient techniques for user
authentication is biometrics. This relies on the physical traits of the person and has the
advantage that they can’t be forged or faked easily. The examples are Fingerprints,
Face, Voice Print, Iris, the lips and the face etc. Biometrics is the science of measuring
individual body characteristics. It authenticates the identity of a living person based on
a biological key. For example, while applying for a driving license the person has to
give his thumb impression, which is recorded with other personal details. A biometric
system is a pattern recognition system that established the authenticity of a specific
9
physiological or behavioural characteristic possessed by a user. The Biometrics is
used in security devices especially in high security systems.
Encryption of Data
The cryptography has been used since ancient times to scramble messages to maintain their
confidentiality. The message or data is scrambled at the sending station and it is de-scrambled
at the destination station in accordance with pre-specified logic.
Encryption or enciphering is the process of modifying data so that it is not usable until the
changes are undone. PGP (Pretty Good Privacy) is a computer program for encryption of
computer messages. There are four elements in an encryption system:
• Secret Key encryption - uses same key for encryption and decryption and the recipient
should have a copy of the key. It was created by IBM and uses a key length of 56 bits
• Public Key encryption – it uses two keys that are related namely the Public Key that is
freely circulated and the Private key that is kept a closely guarded secret by the owner.
It is comparatively slow.
Encryption is highly useful for organizations those are concerned with trade secrets, military
information or other sensitive data. However, the other side of the coin is that it also creates a
bottleneck for controlling agencies to decipher these messages that are used for carrying out
illegal activities such as terrorism, pornography material, money laundering, etc.
For confidential communication over public networks it was found that cryptography alone is
not adequate. Concealing the very fact that a communication has taken place provides an
additional layer of security. Steganography is a technique, which perform this process of
concealing the existence of a secret communication. These techniques are normally referred
as Information hiding methodologies.
The software and the data are one of the most important resources of an organization and
therefore needs to be protected from illegal or unauthorized access or against accidental
destruction or loss. This requires following security procedures to be adopted by the
organizations to safeguard the above resources:
Access Control – There should be restricted access to critical files. Sometimes the
organizations even keep a system log that records all the access and attempted accesses to
important data files or software.
10
Audit Control – The system should have an audit trail facility. This will help trace any operation
to its origin i.e. input to processing and to output.
Human Control – Since human beings involved in a system pose the greatest risk, numerous
precautions are taken to minimize this risk such as: screening of employees before selection,
frequent redistribution of functions and working shifts, restricted access to employees in areas
where critical functions are being performed, setting up automated input, output and
processing controls, etc.
Ethics is a branch of philosophy that deals with what is considered to be right and wrong.
There are many ways in which ethics can be defined such as Moral Codes or Standard code
of conduct of a Particular Profession or agreement among people to do the right and to avoid
wrong. In today’s complex environment, a clear definition of ‘right’ and ‘wrong’ is not always
possible and similarly what is illegal and what is unethical is not always clear. A code of ethics
is a collection of principles intended as a guide for members of an organization. The
Computer Ethics Institute in Washington, DC, has proposed the following ten commandments
of computer ethics:
11
• Privacy Issues – Collection, Storage and dissemination of information about
individuals.
• Accuracy Issues – Authenticity, Fidelity and Accuracy of information collected and
processed.
• Property Issues – Ownership and value of information (Intellectual Property)
• Accessibility Issues – Right to access information and payment of fees to access it.
In most countries around the world, the writers, artists, sculptors, designers, programmers
have a right to their own work. Intellectual property consists of the products of the human mind
and copyright laws generally protect such work or property.
When we find things in places like a book, journal, or on the web, that are of interest to us, we
have a tendency to either get a photocopy of the same, or print them or save them on our disk.
In most cases this is legal and ethical. But when we decide to use a part of it in our report or
presentation. This raises two dangerous situations: Copyright violation and Plagiarism.
A copyright is the exclusive legal right that prohibits copying of intellectual property without the
permission of the copyright holder. Almost any material in print or electronic form is
copyrighted such as: books, articles, art, music, drawing, movies, and computer software, etc.
Unlike patent (which needs to be registered), a copyright is automatic and lasts a minimum of
50 years. The problem of copyright has been compounded with digitization, as copying has
been made easier.
Other copyright related matters are: Software Piracy and Plagiarism. Piracy is theft or
unauthorized distribution or use. Software piracy is the unauthorized copying of copyrighted
software. Network piracy is the use of electronic networks for the unauthorized distribution of
copyrighted materials in digitized form. Plagiarism is the representation of someone else’s
work as our own. An author can avoid the charge of plagiarism by citing the source of the text
or graphics and does not claim it to be his own.
E-SECURITY
The increasing use of Internet has also increased the cyber crime considerably. Hacking of the
accounts, decoding of password, selling of secret database, breaking the firewalls, etc. restrict
the e-business activities. The e-business customers are not fully aware about the actions that
can be taken in case of deceit through e-business. The next section provides you a detailed
coverage of the IT Act 2000 enacted by the Govt. of India to simplify such situations. Some of
the important concepts introduced in the IT Act 2000 are:
• Electronic Record
• Secure electronic record
• Digital Signatures
• Digital Certifications
12
References
1. What do you understand by ‘Ethics’? What does code of ethics generally contain?
2. What are firewalls? How can they protect IT systems.
3. What is software piracy?
4. List the major sources of threats to the IT systems.
5. What is perverse software? Name some important types of perverse software.
6. What is a computer virus? What is the source of viruses? How do they spread?
7. How can we detect (symptoms) that there is a virus in a computer system?
8. Distinguish between ‘hackers’ and ‘crackers’.
9. What is ‘spamming’?
10. List and explain the commonly used methods for securing the IT systems.
11. What is data encryption? How is it useful to ensure security of data?
12. List the elements of data encryption.
13. Distinguish between ‘Copyright violation’ and ‘Plagiarism’.
14. What is ‘Steganography’?
1. Software piracy is one of the major problems being faced by the software industry
worldwide. NASSCOM is the body that is actively working in this area to protect the
interests of the software organizations. Prepare a report on:
• Software Piracy in India vis-à-vis other countries
• Role of govt. in curbing piracy and Policies in this regard
• Mechanisms to protect a software (built into software)
• Steps initiated to control software piracy.
3. Visit some sites on the Internet for computer security. Identify them
and find the various solutions offered by them. Find what are the different means of
network security offered by them.
13