Cyber Unit 2
your doubts in class just understand as much as possible)
BE SAFE EVERYONE
eCommerce security refers to the principles which guide safe electronic transactions, allowing the buying
and selling of goods and services through the Internet, but with protocols in place to provide safety for
those involved.
Ecommerce security is a set of protocols that safely guide ecommerce transactions. Stringent security
requirements must be in place to protect companies from threats like credit card fraud, or they risk
jeopardizing revenue and customer trust, due to the inability to guarantee safe credit card processing.
· Client
· Server
· Communications channel
· malicious code
· spoofing
· sniffing
· insider jobs
Setting up an ecommerce website is now easier than ever, thanks to the many open source
solutions available online today. The ecommerce boom has taken the world by storm, but at the same
time it has become a lucrative target for hackers, spammers and other malicious actors, bringing
many ecommerce security threats with it.
Security issues in ecommerce are a greater challenge than ever: there has been a continuing stream
of massive data breaches, attacker sophistication is growing, and a more connected world is
expanding the attack surface.
Have your sales seen a sudden downward spiral? It could be due to ecommerce security threats. Do
your customers complain of poor site performance? That again hints at the possibility of
ecommerce security threats on your website. Often, cyber crooks are highly stealthy and manage to
evade detection for long periods. In some cases, however, hackers break something (like a
plugin that stops working) while compromising a site, which gives the attack away.
· High load on the server due to repeated requests from the same IPs
· Products that you did not list on the store appear on the site
· Multiple users availing free shipping or products which were not intended for them
· For dynamic websites, new unknown database tables appear, or new database users spring up suddenly
· Admin accounts which you did not create appear on the dashboard
· System logs show a connection to the dashboard or cPanel from unknown IPs
· Users complain about malicious redirects which are causing a high bounce rate
· A simple packet analysis with tools like Wireshark shows data going out to suspicious domains
· Customers complain about stolen credit card info despite your site being PCI compliant
· Users complain about paying for an order but you did not receive the payment
· Server logs also show other attacks like brute force attempts
· Your ecommerce store is now blacklisted by Google or banned by your hosting provider.
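Three of the signs above (repeated requests from one IP, brute force against the admin login, and dashboard access from unknown IPs) can be pulled straight out of the web server access log. The script below is an added example, not part of the original notes; the log lines are constructed in common log format, and the admin allowlist address is an assumed value.

```python
import re
from collections import Counter

# Constructed sample access-log lines (common log format); not from any real server.
SAMPLE_LOG = """\
203.0.113.9 - - [12/Nov/2023:10:01:01 +0000] "GET /product/123 HTTP/1.1" 200 5120
203.0.113.9 - - [12/Nov/2023:10:01:02 +0000] "GET /product/123 HTTP/1.1" 200 5120
203.0.113.9 - - [12/Nov/2023:10:01:02 +0000] "GET /product/123 HTTP/1.1" 200 5120
203.0.113.9 - - [12/Nov/2023:10:01:03 +0000] "GET /product/123 HTTP/1.1" 200 5120
198.51.100.7 - - [12/Nov/2023:10:02:10 +0000] "POST /admin/login HTTP/1.1" 401 310
198.51.100.7 - - [12/Nov/2023:10:02:11 +0000] "POST /admin/login HTTP/1.1" 401 310
198.51.100.7 - - [12/Nov/2023:10:02:12 +0000] "POST /admin/login HTTP/1.1" 401 310
198.51.100.7 - - [12/Nov/2023:10:02:13 +0000] "POST /admin/login HTTP/1.1" 200 2048
192.0.2.44 - - [12/Nov/2023:10:05:00 +0000] "GET /admin/dashboard HTTP/1.1" 200 9000
10.0.0.5 - - [12/Nov/2023:10:06:00 +0000] "GET /admin/dashboard HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed: the only address that should ever reach the admin area.
ADMIN_ALLOWLIST = {"10.0.0.5"}

def parse(log_text):
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append({"ip": m["ip"], "method": m["method"],
                            "path": m["path"], "status": int(m["status"])})
    return entries

def find_indicators(log_text, flood_threshold=4, bruteforce_threshold=3):
    """Return (indicator, ip) pairs for the three log-visible signs of compromise."""
    entries = parse(log_text)
    alerts = []
    # 1. repeated requests from the same IP
    for ip, n in Counter(e["ip"] for e in entries).items():
        if n >= flood_threshold:
            alerts.append(("repeated-requests", ip))
    # 2. brute force: repeated failed logins against the admin panel
    failed = Counter(e["ip"] for e in entries
                     if e["path"].startswith("/admin/login") and e["status"] == 401)
    for ip, n in failed.items():
        if n >= bruteforce_threshold:
            alerts.append(("brute-force", ip))
    # 3. successful admin access from an address outside the allowlist
    for e in entries:
        if e["path"].startswith("/admin/") and e["status"] == 200 and e["ip"] not in ADMIN_ALLOWLIST:
            alerts.append(("admin-from-unknown-ip", e["ip"]))
    return alerts
```

In production the same three checks would run over the live log and feed an alerting system rather than return a list.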
Common Vulnerabilities
1. SQL Injection
Do you know what the most common issue among all the popular ecommerce platforms like
Prestashop, OpenCart, Magento etc. is? They have all been vulnerable to SQL injection at
some point in time. This vulnerability is so widespread that many plugins and
extensions are still vulnerable to it. SQLi attacks are the result of accepting unsanitized input on
ecommerce sites. As security threats to ecommerce grow, SQLi attacks are now aimed
at compromising the database. By conducting this type of attack, an attacker can:
· Steal the complete database of the site, containing sensitive details like transaction history or
credit card information. With large databases now sold on the black market, the majority of
security threats to ecommerce websites are linked to this type of attack.
· Delete or edit the content of the database to obtain free products, etc. This flaw essentially makes
the attacker the owner of your ecommerce site's database.
· In some cases, the attackers can even obtain reverse shells, which are then used to conduct
phishing attacks to steal users' credit card details or deface the site.
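The root cause named above, unsanitized input reaching the query, is easiest to see side by side with the fix. This is an added example (not code from the notes or from any of the platforms named): a constructed in-memory product catalogue with an unpublished row, searched once by string concatenation and once by a parameterised query.

```python
import sqlite3

def make_catalogue():
    """Constructed sample data: two public products and one that is not yet published."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, published INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "red shoe", 1), (2, "blue shoe", 1), (3, "unreleased shoe", 0)])
    return conn

def search_vulnerable(conn, term):
    # Concatenation: the user's text becomes part of the SQL statement itself,
    # so a quote or comment marker in the input rewrites the WHERE clause.
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, term):
    # Parameterised query: the driver sends the text as a bound value, never as SQL,
    # so the 'published = 1' restriction cannot be bypassed by any input.
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]
```

Run both functions with an ordinary term and with input containing a quote and an SQL comment marker: only the concatenated version leaks the unpublished row.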
2. Cross-Site Scripting
XSS is another of the many security issues found on ecommerce sites. It is so
common and critical that internet giants like Google have paid $10,000 for a single XSS discovery.
Lack of user input sanitization and filtering causes XSS, so sites using forms, a search
bar or even a backend admin account can be compromised through it. By successfully
exploiting this flaw, an attacker can compromise the admin account of your ecommerce store
and create havoc. Popular ecommerce solutions like OpenCart, Prestashop etc. are found
vulnerable to XSS from time to time.
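The search bar case mentioned above is the classic reflected XSS: the term typed by the user is echoed back into the results page. The added example below (not from the notes or from any named platform) renders the term into both an attribute value and a text node, first verbatim and then escaped, and parses the result to show which version would make the browser execute a script element.

```python
import html
from html.parser import HTMLParser

class TagCollector(HTMLParser):
    """Records the start tags a browser would see, plus a marker for inline event handlers."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        # on* attributes (onerror, onload, ...) are a second script-execution path
        self.tags.extend("on*" for name, _ in attrs if name.startswith("on"))

def tags_in(markup):
    parser = TagCollector()
    parser.feed(markup)
    return parser.tags

def render_vulnerable(term):
    # Reflects the search term verbatim into an attribute and into the page body.
    return ('<input name="q" value="' + term + '">'
            '<h1>Results for ' + term + '</h1>')

def render_safe(term):
    # html.escape with quote=True encodes < > & " ', which is the right treatment
    # for both HTML text and double-quoted attribute values.
    safe = html.escape(term, quote=True)
    return ('<input name="q" value="' + safe + '">'
            '<h1>Results for ' + safe + '</h1>')
```

A test term that closes the attribute and opens a script tag yields a script element in the vulnerable rendering and only the intended input and h1 elements in the escaped one.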
3. Zero-Day Flaws
A zero-day vulnerability is a software security flaw that is known to the software vendor but
doesn’t have a patch in place to fix the flaw. It has the potential to be exploited by
cybercriminals.
The term “zero-day” refers to a newly discovered software vulnerability. Because the
developer has just learned of the flaw, it also means an official patch or update to fix the
issue hasn’t been released.
So, “zero-day” refers to the fact that the developers have “zero days” to fix the problem that
has just been exposed — and perhaps already exploited by hackers.
Once the vulnerability becomes publicly known, the vendor has to work quickly to fix the
issue to protect its users.
But the software vendor may fail to release a patch before hackers manage to exploit the
security hole. That’s known as a zero-day attack.
4. Bad Bots
Malicious bots are defined as self-propagating malware that infects its host and connects back to
a central server(s). The server functions as a “command and control center” for a botnet, or a
network of compromised computers and similar devices. Malicious bots have the “worm-like
ability to self-propagate,” and can also:
· Gather passwords
· Log keystrokes
· Relay spam
· Bandwidth Choking
Bandwidth is a crucial resource for any ecommerce site, especially during peak sale hours. These
bots, in large numbers, create a spike in user traffic. This spike can slow things down and is
also considered one of the many ecommerce security threats of modern times. Slow
performance of the site can ward off potential buyers, creating a loss in revenue.
· Blocking Cart
The checkout cart is one of the key elements of any ecommerce store. Malicious bots target carts by
adding multiple units of a product to carts from multiple IPs. Because the stock that can be held in
carts is limited, buyers then see the product as 'Out of Stock'. The prime aim of these bots is to
exhaust the web resources for a particular product, and so they successfully
prevent potential customers from buying it. This situation is even more
frustrating for end users during flash sales, etc., and frustrated users may never
return to the site. Bad bots can also mess up the analytics
of the website, pointing site owners in the wrong direction when trying to increase sales, which
is why they count as one of many ecommerce security threats.
· Ecommerce Scalping
This is another type of ecommerce security threat posed by bad bots. Malicious bots buy
products in bulk from a particular store so that they can later be resold at a higher price; movie
tickets and limited edition merchandise are typical examples. At times, bad bots may also conduct
fraudulent transactions on your site with stolen credit cards. The legitimate owners of the cards may
then ask for a refund. This can create a poor merchant reputation and, in some scenarios, the
merchant is then barred from accepting cards.
· Content Scraping
As security threats to ecommerce websites persist, these bad bots can also steal product data
from your ecommerce store. This data can then be used to give competitors an edge: they
can use it to price their products below yours, thereby affecting your sales.
Moreover, the bots also slow the site down while scraping the data.
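The cart-blocking threat above is usually mitigated on the inventory side: a cart hold only reserves stock for a limited time and each client may hold only a few units, so stock hoarded by bots returns to sale instead of staying 'Out of Stock'. The class below is an added example of that design (not from the notes or from any store platform); the hold lifetime and per-client cap are assumed values, and the clock is passed in explicitly so the expiry can be tested.

```python
import time

class Inventory:
    """Stock with time-limited cart holds (assumed design: hold_ttl seconds per hold,
    at most max_per_client units of a product held by any one client)."""

    def __init__(self, stock, hold_ttl=600, max_per_client=2):
        self.stock = dict(stock)            # product -> units on hand
        self.holds = []                     # (client, product, qty, expires_at)
        self.hold_ttl = hold_ttl
        self.max_per_client = max_per_client

    def _expire(self, now):
        # Drop holds whose time is up; their units become available again.
        self.holds = [h for h in self.holds if h[3] > now]

    def held(self, product, client=None, now=None):
        """Units of a product currently held in carts (optionally by one client)."""
        self._expire(time.time() if now is None else now)
        return sum(qty for c, p, qty, _ in self.holds
                   if p == product and (client is None or c == client))

    def available(self, product, now=None):
        return self.stock[product] - self.held(product, now=now)

    def add_to_cart(self, client, product, qty, now=None):
        """Reserve qty units for client; False means the cap or the stock blocks it."""
        now = time.time() if now is None else now
        if self.held(product, client, now) + qty > self.max_per_client:
            return False                    # per-client cap blunts hoarding from one client
        if self.available(product, now) < qty:
            return False                    # what the shopper sees as 'Out of Stock'
        self.holds.append((client, product, qty, now + self.hold_ttl))
        return True
```

Bots spread over many IPs can still drain the stock for one hold lifetime, which is why the expiry has to be short and combined with the bot-detection measures the rest of this section describes.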
5. Malware
Malware is malicious software and one of the more common security threats to ecommerce
websites. It is designed to infect and spread across ecommerce sites. Most of it aims
to skim credit card data, while some encrypts drives and asks for ransom. Malware infections
on ecommerce sites are on the rise. Researchers recently uncovered a malware strain that had
infected around 7,339 online stores within six months. This malware, dubbed MagentoCore,
was specifically designed to target Magento stores.
Moreover, attackers can uncover such vulnerable sites in bulk using tools like Shodan,
which are designed to crawl the internet for sites exposed to such attacks.
Similarly, the Magecart malware campaign is compromising a large number of ecommerce sites.
Magecart is an umbrella term for card-skimming malware campaigns run by multiple hacker
groups. Multiple malware signatures are present on the internet, specifically customized to
target your particular ecommerce software solution. Moreover, these ecommerce security
threats are evolving every day as cybercriminals find new methods to hide their malware from
detection.
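Skimmers of the Magecart kind work by getting a script into the checkout page that is not supposed to be there, so one routine defence is to audit the rendered checkout page against the list of script origins the store actually uses. The auditor below is an added example, not part of the notes or of any product; the allowed hosts and the sample page are constructed, and the unknown host uses the reserved .invalid domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the only origins whose scripts this store intentionally loads.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "static.shop.example"}

# Constructed checkout page: two expected scripts, one relative script,
# one script from an origin nobody approved, and one inline script.
SAMPLE_CHECKOUT = """<html><body>
<script src="https://static.shop.example/checkout.js"></script>
<script src="/js/cart.js"></script>
<script src="https://cdn-stat1stics.invalid/loader.js"></script>
<script>document.addEventListener("submit", function () {});</script>
</body></html>"""

class ScriptCollector(HTMLParser):
    """Collects external script sources and counts inline scripts in a page."""
    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True          # body of an inline script follows

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline += 1

def audit_checkout_page(markup, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return the script sources that are not from an approved host, plus the inline count."""
    collector = ScriptCollector()
    collector.feed(markup)
    unknown = []
    for src in collector.external:
        host = urlparse(src).hostname    # relative paths give None, i.e. same origin
        if host is not None and host not in allowed:
            unknown.append(src)
    return {"unknown_sources": unknown, "inline_scripts": collector.inline}
```

Inline scripts are reported as a count rather than blocked, since whether each one is expected has to be decided against the store's own templates; a Content Security Policy enforces the same allowlist in the browser.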
6. DDoS Attacks
It is a rule of thumb that the longer an ecommerce store stays online, the more potential customers
it can attract. However, competitors at times hire cyber crooks to take the site offline. As a
result, end users can no longer access the site and revenues are hit hard. These
types of ecommerce security threats, where the attackers flood the site with traffic and thereby block
out legitimate users, are DDoS attacks.
These security threats to ecommerce websites are on the rise during peak hours or days like
Black Friday, with some studies showing a whopping increase of around 70% in DDoS attacks
compared with other days in November. Also, an increase of around 109% in DDoS attacks was
witnessed on Cyber Monday. Therefore, it is the need of the hour for ecommerce sites to
build and manage their defence mechanisms to protect themselves from large scale DDoS attacks
in the future.
VIRTUAL ORGANIZATION
Definition:
In a virtual organisation it is ICT that coordinates the activities and combines the workers' skills and
resources to achieve the common goal set by the organisation. Managers in these organisations
coordinate and control external relations with the help of computer network links. The virtual form
of organisation is increasing in India also. Nike, Reebok, Puma, Dell
Computers, HLL, etc., are the prominent companies working virtually.
While considering the issue of flexibility, organisations may have several
options like flexi-time, part-time work, job-sharing, and home-based
working. One of the most important issues involved in attaining the
flexibility to respond to changes, both internal and external, is
determining the extent of control or the amount of autonomy the virtual
organisation will impose on its members.
Characteristics:
1. Flat organisation
2. Dynamic
3. Informal communication
4. Power flexibility
5. Goal orientation
6. Customer orientation
7. Home-work
Depending on the degree or spectrum of virtuality, virtual organisations can be classified into
three broad types as follows:
1. Telecommuters
2. Outsourcing employees/competencies
3. Completely virtual
Telecommuters:
These companies have employees who work from their homes. They interact with the workplace
via personal computers connected with a modem to the phone lines. Examples of companies
using some form of telecommuting are Dow Chemicals, Xerox, Coherent Technologies Inc., etc.
Outsourcing Employees/Competencies:
These companies are characterised by the outsourcing of all or most core competencies. Areas for
outsourcing include marketing and sales, human resources, finance, research and development,
engineering, manufacturing, information systems, etc. In such cases, the virtual organisation
concentrates on one or two core areas of competence but excels at them. For example, Nike performs
product design and marketing very well and relies on outsourcing for information technology as a
means of maintaining inter-organisational coordination.
Completely Virtual:
These companies are metaphorically described as companies without walls that are tightly linked to a large
network of suppliers, distributors, retailers and customers as well as to strategic and joint venture
partners. The Atlanta Committee for the Olympic Games (ACOG) in 1996 and IBM's development effort for the
PC are examples of completely virtual organisations.
https://securionpay.com/blog/e-payment-system/
https://www.tutorialspoint.com/e_commerce/e_commerce_payment_systems.htm
https://www.tutorialspoint.com/e_commerce/e_commerce_security.htm
Physical Security
https://searchsecurity.techtarget.com/definition/physical-security
https://www.w3schools.in/ethical-hacking/physical-security/
BIO-METRICS
Biometrics is the technical term for body measurements and calculations. It refers to metrics related to
human characteristics. Biometric authentication (or realistic authentication) is used in computer science
as a form of identification and access control. It is also used to identify individuals in groups that are
under surveillance.
Biometric identifiers are the distinctive, measurable characteristics used to label and describe individuals.
Biometric identifiers are often categorized as physiological versus behavioral characteristics.
Physiological characteristics are related to the shape of the body. Examples include, but are not limited to
fingerprint, palm veins, face recognition, DNA, palm print, hand geometry, iris recognition, retina and
odour/scent. Behavioral characteristics are related to the pattern of behavior of a person, including but not
limited to typing rhythm, gait, and voice. Some researchers have coined the term behaviometrics to
describe the latter class of biometrics.
More traditional means of access control include token-based identification systems, such as a driver's
license or passport, and knowledge-based identification systems, such as a password or personal
identification number. Since biometric identifiers are unique to individuals, they are more reliable in
verifying identity than token and knowledge-based methods; however, the collection of biometric
identifiers raises privacy concerns about the ultimate use of this information.
Biometric Access Control is a system that stops intruders at the door and prevents them from accessing
the resources by identifying them as unauthorized persons on the basis of biometric authentication. In
a Biometric Access Control system, biometric authentication refers to the recognition of human beings by
their physical uniqueness.
A Biometric Access Control system works by verification. It scans the
person and matches his/her biometric data against the information previously stored in the database before
he/she can access the secured zone or resources. If the compared information matches, the Biometric
Access Control system allows the person to access the resources. Today, Biometric Access Control
is considered to be the best and one of the most secure authentication systems among the other access
control devices.
https://www.tutorialspoint.com/biometrics/biometrics_quick_guide.htm
http://www.m2sys.com/blog/biometric-hardware/5-factors-consider-choosing-best-biometric-modality/
Design Issues in Biometric Systems
1. The Effect of Biometrics on System Performance: The signature biometric system is extensively
used in every verification area, but it is not usable for users with highly inconsistent signatures.
Besides, there are often people whose signatures are very simple and can be forged easily. This degrades
the performance of the biometric system. Similarly, a facial recognition system may be confused when
distinguishing identical twins.
2. Biometrics is not private: Biometrics seems secure on the surface, but that doesn't necessarily
make it more secure than passwords. A password is inherently a secret because only you have the
authority to know it. Although hackers can acquire it by brute force attacks or phishing, in general
other people can't access it. On the other hand, biometrics is innately public. You reveal your eyes and ears
whenever you look at things. With fingerprint recognition, you leave your fingerprints everywhere you
go. With the invention of so many gadgets, someone can record your voice at any time without your
knowledge. Fundamentally, there's easy access to all these identifiers. A hacker can also
breach any of the databases holding them to leak and steal your biometric identification.
3. The Need for 'Liveness' Detection in Capturing Devices: With the growing number of signature
forgery cases, several researchers have developed signature databases for testing and reporting skilled forgery
detection. There are also research efforts to automatically synthesize forged handwritten specimens to
overcome the limited ability of naive forgers to produce convincing forgery samples.
4. Biometrics can be hacked: If a hacker has managed to capture or obtain a picture of an individual's
finger, ear or eye, they could gain access to that person's accounts. While Apple's Touch ID was broadly
recognized as a biometric advancement, the famous hacker Jan Krissler was able to defeat the
technology just a day after the iPhone was released. Likewise, researchers from the Chaos Computer Club
generated fake fingers to unlock iPhones.
5. Biometric hacks may have greater consequences: Biometrics reveal part of an individual's
identity; if it gets stolen, it can be used to falsify legal documents, passports, or criminal records,
which can do more damage than a stolen credit card PIN or number. Unlike passwords, credit cards, or
other documents, you can't replace physical identifiers. If someone has managed to get photos of your
iris, you can't get another eye.
Interoperability Issues
https://www.aware.com/blog-biometric-data-interoperability-challenges/
https://www.bayometric.com/interoperability-guidelines-in-biometric-fingerprinting/