Lesson 7 E-Commerce Security and Fraud Protection
Learning Objectives
iv. Explain the different types of threats and attacks, both technical and nontechnical
Information Security: Information security refers to the activities and methods that protect
information systems, data, and procedures from any action designed to destroy, modify, or degrade the
systems and their operations; in other words, protecting information and information systems from
unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, or
destruction.
Fraud: Any business activity that uses deceitful practices or devices to deprive another of property
or other rights.
Phishing: A crimeware technique in which the attacker impersonates a target company (for example
with spoofed e-mail or a cloned Web site) in order to steal the identities and credentials of its
customers.
Social engineering: A type of nontechnical attack that uses some ruse to trick users into revealing
information or performing an action that compromises a computer or network (e.g., talking a user into
disclosing his or her Facebook login).
Cracker: A malicious hacker, who may represent a serious problem for a corporation.
One reason EC security is hard to achieve is that strong EC security can make online shopping
inconvenient and demanding for customers, and the EC industry does not want to enforce safeguards
that would discourage online commerce.
A second reason is the lack of cooperation from credit card issuers and foreign ISPs. There are
insufficient incentives for credit card issuers to share leads on criminal activity with each other or
law enforcement. It is much cheaper to block a stolen card and move on than to invest time and
money in a prosecution with an uncertain outcome.
A fourth reason arises from IS design and security architecture issues. It is well known that
preventing vulnerabilities during the EC design and pre-implementation stage is far less expensive
than mitigating problems later. The IS staff needs to plan security from the design stage because
simple mistakes, such as not ensuring that all traffic into and out of the network passes through a
firewall, are often to blame for letting in hackers.
The success and security of EC depend on the confidentiality, integrity, and availability of information
and of the business Web site.
Confidentiality is the assurance of data privacy: the data or transmitted message is encrypted so that
it is readable only by the person for whom it is intended. Depending on the strength of the
encryption method, intruders or eavesdroppers might not be able to break the encryption to read the
data or text. The confidentiality function prevents disclosure of information to unauthorized
individuals, entities, or processes.
Integrity is the assurance that data is accurate or that a message has not been altered. It means that
stored data has not been modified without authorization; a message that was sent is the same
message that was received. The integrity function detects and prevents the unauthorized creation,
modification, or deletion of data or messages.
Availability is the assurance that access to data, the Web site, or other EC data services is timely,
available, reliable, and restricted to authorized users.
Although the basic security concepts important to information on the Internet are confidentiality,
integrity, and availability, the concepts relating to the people (users) are authentication, authorization,
and nonrepudiation.
Confidentiality, integrity, availability, authentication, authorization, and nonrepudiation are all
assurance processes.
Authentication is a process to verify (assure) the real identity of an entity which could be an
individual, computer, computer program, or EC Web site. For transmissions, authentication
verifies that the sender of the message is who the person or organization claims to be.
Authorization is the process of determining what the authenticated entity is allowed to access and
what operations it is allowed to perform. Authorization of an entity occurs after authentication.
Nonrepudiation is closely associated with authentication; it is the assurance that online customers or
trading partners cannot falsely deny (repudiate) their purchase, transaction, and so on. Technically it
is usually provided by a digital signature over the transaction, made with a key that only the signer
holds. For EC and other electronic transactions, including those at cash machines or ATMs, all parties
in a transaction must be confident that the transaction is secure and that the parties are who they say
they are.
Generally there are two types of attacks, nontechnical and technical, although most attacks involve a
combination of the two types:
Nontechnical attacks are those in which a perpetrator uses some form of deception or persuasion to
trick people into revealing information or performing actions that can compromise the security of a
network.
Technical attacks are attacks perpetrated using software and systems knowledge or expertise. The
time-to-exploitation of today's most sophisticated spyware and worms has shrunk from months to
days. Time-to-exploitation is the elapsed time between when a vulnerability is discovered and when
it is first exploited.
Denial of service (DoS) attack: An attack on a Web site in which an attacker uses specialized
software to send a flood of data packets or requests to the target computer with the aim of overloading
its resources so that legitimate users cannot be served. When the flood comes from many hijacked
machines at once (see botnets below), it is called a distributed denial of service (DDoS) attack.
Server and Web Page Hijacking: Web servers and Web pages can be hijacked and configured to
control or redirect unsuspecting users to scam or phishing sites. This technique uses server redirects.
The exploit allows any Web master (including a criminal) to have his or her own virtual pages rank in
place of pages belonging to another Web master. It involves creating a rogue copy of a popular Web
site that shows content similar to the original to a Web crawler; a user who arrives there is then
redirected to malicious Web sites. When effectively employed, this technique allows the offending
Web master (the hijacker) to displace the pages of the target or victim Web site in the search engine
results pages (SERPs). This causes search engine traffic to the target Web site to vanish or redirects
the traffic to any other page of the hijacker's choice.
Botnets: A huge number of hijacked Internet computers (bots or zombies) that have been set up, under
the remote control of an attacker, to forward traffic, including spam and viruses, to other computers on
the Internet.
Malicious Code: Viruses, Worms, and Trojan Horses: Sometimes referred to as malware (for
malicious software), malicious code is classified by how it propagates (spreads). A virus is a piece of
• E-mail spam: A subset of spam that involves nearly identical messages sent to numerous
recipients by e-mail.
• Spyware: Software that gathers user information over an Internet connection without the
user’s knowledge.
Data breach: A security incident in which sensitive, protected, or confidential data is copied,
transmitted, viewed, stolen, or used by an individual unauthorized to do so.
Search engine spam: Pages created deliberately to trick the search engine into offering
inappropriate, redundant, or poor-quality search results.
Spam site: Page that uses techniques that deliberately subvert a search engine’s algorithms to
artificially inflate the page’s rankings.
Splog: Short for spam blog, a site created solely for marketing purposes.
Most organizations rely on multiple technologies to secure their networks. These technologies can be
divided into two major groups: those designed to secure communications across the network and those
designed to protect the servers and clients on the network.
Three security concepts important to information on the Internet: confidentiality, integrity, and
availability
• Confidentiality: Assurance of data privacy; keeping private or sensitive information from being
disclosed to unauthorized individuals, entities, or processes.
• Integrity: Assurance that stored data has not been modified without authorization; a message that was
sent is the same message as that which was received.
• Availability: Assurance that access to data, the website, or other EC data service is timely, available,
reliable, and restricted to authorized users.
• Penetration test (pen test): A method of evaluating the security of a computer system or a network
by simulating an attack from a malicious source, (e.g., a cracker).
• Authentication: A process to verify (assure) the real identity of an entity which could be an
individual, computer, computer program, or EC Web site. For transmissions, authentication
verifies that the sender of the message is who the person or organization claims to be.
• Authorization: The process of determining what the authenticated entity is allowed to access and
what operations it is allowed to perform. Authorization of an entity occurs after authentication.
• Computer security incident management: The monitoring and detection of security events on a
computer or computer network, and the execution of proper responses to those events. The primary
purpose of incident management is the development of a well understood and predictable response
to damaging events and computer intrusions.
Access control: A mechanism that determines who can legitimately use a network resource.
Virtual private network (VPN): A network that uses the public Internet to carry
information but remains private by using encryption to scramble the communications,
integrity checks (message authentication) to ensure that the information has not been
tampered with, and access control to verify the identity of anyone using the network.
Honeypot: A decoy system (e.g., a firewall, router, Web server, or database server) that
looks as if it does real production work but holds nothing of value; it is watched closely to
study how network intrusions occur and to detect attackers who reach it.
General controls: Controls established to protect the system regardless of the specific application;
for example, protecting hardware and controlling access to the data center are independent of the
specific application.
Physical Controls
Administrative Controls
Intelligent agents: Software applications that have some degree of reactivity, autonomy, and
adaptability—as is needed in unpredictable attack situations; an agent is able to adapt itself based on
changes occurring in its environment.
2. What sorts of precautions should online shoppers use to secure their transactions?
3. What are digital signatures and how can they be used to secure E-commerce transactions?
SSL/TLS Protocols: These protocols encrypt data transmitted between the user's browser and
the e-commerce server, ensuring that sensitive information such as credit card details and
personal data is protected from interception. SSL and the early TLS versions (1.0 and 1.1) are
deprecated; servers should offer TLS 1.2 or 1.3 only.
HTTPS: Web sites should use HTTPS instead of HTTP. The 'S' stands for secure, indicating
that TLS encryption is in place, which a visitor can confirm by the padlock icon in the
browser's address bar. The padlock only means that the connection to the server named in the
address bar is encrypted and its certificate matches that name; a phishing site can obtain a
certificate too, so the domain name itself must still be checked.
2. Payment Card Industry Data Security Standard (PCI DSS) Compliance
Standards for Payment Security
PCI DSS Compliance: Businesses that handle credit card information must comply with PCI
DSS, a set of security standards designed to ensure that all companies that accept, process, store,
or transmit credit card information maintain a secure environment.
Secure Storage: PCI DSS mandates that stored cardholder data be protected: the primary account
number (PAN) must be rendered unreadable wherever it is stored (strong encryption, truncation,
hashing, or tokenization), masked when displayed (at most the first six and last four digits),
kept no longer than the business needs it, and securely deleted afterwards. Sensitive
authentication data (the full magnetic stripe, the CVV/CVC code, and PINs) may never be stored
after authorization.
3. Multi-Factor Authentication (MFA)
Additional Verification
MFA Implementation: MFA adds an extra layer of security by requiring users to provide two
or more verification factors to authenticate their identity. The factors must come from different
categories: something they know (password), something they have (smartphone or hardware
security key), or something they are (biometric verification). A password plus a security question
is two factors of the same category and is not MFA.
Preventing Unauthorized Access: MFA helps prevent unauthorized access even if the user's
password is compromised. One-time codes delivered by SMS are the weakest second factor,
because the phone number itself can be taken over (SIM swapping); authenticator apps or
hardware keys are preferred.
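The time-based one-time code that an authenticator app shows is specified in RFC 6238 (TOTP, built on the HOTP construction of RFC 4226). The following Python is an added example written for this lesson, not code from the lesson or from any vendor. It uses the RFC's published test key (a fixed constant, not a real secret) and shows the server side of the "something you have" factor: deriving the code from the shared secret and the current 30-second step, accepting codes from the neighbouring steps to tolerate clock skew, comparing in constant time, and refusing a code whose step was already accepted, so a code captured by a phisher cannot be replayed.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 reference key (ASCII "12345678901234567890"); a published test constant,
# not a credential. Real secrets are random and stored only on the server and device.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 8


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' picks 4 bytes at the offset given by the last nibble."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check. Tolerates +/- skew_steps of clock drift and never
    accepts a counter value at or below the highest one already used."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_counter = -1  # highest counter accepted so far (persist per user)

    def verify(self, submitted: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // STEP_SECONDS
        for counter in range(current - self.skew_steps, current + self.skew_steps + 1):
            if counter <= self.last_counter:
                continue  # one-time means one time: a replayed code is rejected
            expected = hotp(self.secret, counter)
            # constant-time comparison so response timing does not leak digits
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, 59)  # RFC 6238 test vector for T=59: 94287082
    print("code:", code)
    print("first use accepted:", verifier.verify(code, now=59))
    print("replay accepted:", verifier.verify(code, now=59))
```

A real deployment also rate-limits verification attempts per account (an 8-digit space is small enough to brute-force without a limit) and stores `last_counter` per user so the replay check survives a restart.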
Payment Gateways: Use reputable payment gateways (e.g., PayPal, Stripe, Square) that
provide secure and encrypted transaction processing.
Tokenization: Some payment gateways use tokenization, which replaces sensitive payment
information with a unique identifier or token. The token is meaningless outside the gateway's
own vault and the merchant context it was issued for, so a stolen token cannot be used to charge
the card elsewhere, and the merchant's own systems never hold the real card number.
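To make the PCI DSS storage rules and the tokenization idea concrete, here is an added Python example written for this lesson (not the lesson's own code and not any gateway's API). It covers the PAN handling a merchant is allowed to do itself (Luhn check on input, masking to first six and last four for display) and a toy token vault standing in for the gateway's PCI-scoped store: the vault hands back a random token bound to the requesting merchant, the merchant keeps only the token and the masked PAN, and the same token presented under another merchant context is refused. The card number used is the well-known test number 4111111111111111, and the `merchant-a`/`merchant-b` identifiers are constructed for the example.

```python
import re
import secrets
from dataclasses import dataclass, field

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(pan: str) -> bool:
    """Luhn check digit (ISO/IEC 7812). Catches mistyped numbers; it is not a fraud check."""
    if not PAN_RE.match(pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: show at most the first six and the last four digits."""
    if not PAN_RE.match(pan):
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TokenVault:
    """Toy vault standing in for the payment gateway's PCI-scoped store (constructed
    for this example). Only the vault ever sees the PAN in clear."""

    _pan_by_token: dict = field(default_factory=dict)  # (merchant_id, token) -> PAN
    _token_by_pan: dict = field(default_factory=dict)  # (merchant_id, PAN) -> token

    def tokenize(self, pan: str, merchant_id: str) -> tuple:
        """Return (token, masked PAN); both are safe for the merchant to store."""
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        key = (merchant_id, pan)
        if key not in self._token_by_pan:
            # Random token: carries no information about the PAN, so it cannot be
            # reversed, and it is recorded against the merchant that requested it,
            # so the same card gets a different token at a different merchant.
            token = "tok_" + secrets.token_urlsafe(16)
            self._token_by_pan[key] = token
            self._pan_by_token[(merchant_id, token)] = pan
        return self._token_by_pan[key], mask_pan(pan)

    def detokenize(self, token: str, merchant_id: str) -> str:
        """Only the gateway, and only for the issuing merchant context, maps a token
        back to the PAN; a token leaked from merchant A is useless to merchant B."""
        try:
            return self._pan_by_token[(merchant_id, token)]
        except KeyError:
            raise PermissionError("token not valid in this merchant context") from None


if __name__ == "__main__":
    vault = TokenVault()
    token, shown = vault.tokenize("4111111111111111", "merchant-a")
    print("merchant stores:", token, shown)
    print("gateway charges:", vault.detokenize(token, "merchant-a"))
```

Note what the merchant never does here: it does not store the PAN, the CVV, or an encrypted copy it could decrypt itself; anything it keeps (token plus masked digits) is worthless to a thief who dumps its database.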
5. Data Encryption
Protecting Sensitive Data
Encryption at Rest: Encrypt sensitive data stored on servers (databases, backups, file systems)
so that a stolen disk or database dump is unreadable without the keys, and keep the keys separate
from the data they protect, for example in a key management service or hardware security module.
End-to-End Encryption: Ensure that data stays encrypted from the point where it is entered (for
example the customer's browser or payment form) until it reaches the system that legitimately
needs it, so that intermediaries, including the merchant's own Web servers where possible, never
see the plaintext.
6. Secure Authentication and Authorization
User Access Control
Role-Based Access Control (RBAC): Implement RBAC so that users only have access to the resources
and information necessary for their role (least privilege), with every request denied unless a role
explicitly grants it.
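The following Python is an added example for this lesson (not the lesson's code) of how an RBAC check sits behind an e-commerce API: authorization runs only for an already-authenticated principal, the answer is "deny" unless some role grants the action, and a permission such as order:read_own is honoured only when the order belongs to the caller. The roles, permission names, users and order are all constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed role-to-permission map for a hypothetical shop (not from the page).
# A permission ending in "_own" applies only to resources the caller owns.
ROLE_PERMISSIONS = {
    "customer": frozenset({"order:create", "order:read_own", "profile:edit_own"}),
    "support": frozenset({"order:read", "order:refund"}),
    "admin": frozenset({"order:read", "order:refund", "user:manage", "catalog:edit"}),
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: FrozenSet[str]
    authenticated: bool = True  # set by the authentication step, never by the caller


@dataclass(frozen=True)
class Order:
    order_id: str
    owner_id: str


def permissions_for(principal: Principal) -> FrozenSet[str]:
    """Union of the permissions granted by each of the principal's roles.
    A role that is not in the map grants nothing."""
    perms = set()
    for role in principal.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def authorize(principal: Principal, action: str, resource: Optional[Order] = None) -> bool:
    """Deny by default. Authorization happens only after authentication succeeded,
    and an '_own' permission requires that the resource belong to the caller."""
    if not principal.authenticated:
        return False
    perms = permissions_for(principal)
    if action in perms:
        return True
    if (action + "_own") in perms and resource is not None:
        return resource.owner_id == principal.user_id
    return False


def guarded_read_order(principal: Principal, order: Order) -> Order:
    """How an API handler uses the check: fail closed instead of returning data."""
    if not authorize(principal, "order:read", order):
        raise PermissionError(f"{principal.user_id} may not read {order.order_id}")
    return order


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"customer"}))
    bob = Principal("bob", frozenset({"customer"}))
    order = Order("o-1", owner_id="alice")
    print("alice reads own order:", authorize(alice, "order:read", order))
    print("bob reads alice's order:", authorize(bob, "order:read", order))
```

The ownership test is what stops the classic e-commerce bug of a customer changing the order number in a URL and reading someone else's order: the role says "read your own", so the object itself must be checked, not just the role.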
7. Regular Security Audits and Vulnerability Assessments
Proactive Security Management
Security Audits: Conduct regular security audits to identify and address vulnerabilities in the
e-commerce platform.
Penetration Testing: Perform penetration testing to simulate attacks and evaluate the security
of the system.
8. Secure Coding Practices
Developing Secure Applications
Input Validation: Validate input against an allow-list of expected formats, but do not rely on
validation alone: use parameterized queries (prepared statements) to prevent SQL injection and
context-appropriate output encoding to prevent cross-site scripting (XSS).
Code Review: Regularly review and update code to fix security vulnerabilities and follow
best practices for secure coding.
9. Firewalls and Intrusion Detection Systems
Firewalls: Use firewalls to protect the e-commerce infrastructure from unauthorized access
and malicious traffic, and an intrusion detection system (IDS) to alert on attack patterns in the
traffic the firewall does let through.
Regular Backups: Perform regular backups of critical data to ensure it can be restored in case
of data loss or a security incident.
Disaster Recovery Plan: Develop and test a disaster recovery plan to ensure the business can
quickly resume operations after a security breach.
11. Privacy Policies and User Education
Building Trust and Awareness
Clear Privacy Policies: Provide clear and comprehensive privacy policies that inform users
how their data is collected, used, and protected.
User Education: Educate customers about safe online practices, such as recognizing phishing
attempts, creating strong passwords, and safeguarding their personal information.
12. Monitoring and Logging
Activity Tracking
Logging: Maintain detailed, tamper-resistant logs of transactions, authentication events, and
access to sensitive data (without writing card numbers, passwords, or other secrets into the logs
themselves), and review them to detect and investigate security incidents.
13. Anti-Malware and Anti-Fraud Measures
Protecting Against Threats
Anti-Malware Software: Install and regularly update anti-malware software to protect against
viruses, spyware, and other malicious software.
Fraud Detection Systems: Implement systems that combine rules, analytics, and machine learning
(velocity checks, device and IP reputation, address verification, anomaly scoring) to detect and
block fraudulent transactions in real time.
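One detection rule of the kind the logging and fraud-detection items describe, run over a constructed payment-authorization log, as an added Python example written for this lesson (not the lesson's code and not any fraud product). The pattern it looks for is card testing: a fraudster with a batch of stolen card numbers makes many small authorizations from one address to learn which cards are still live. The rule keeps a sliding five-minute window of declined authorizations per source IP and raises one alert when at least five declines spread over at least three distinct cards appear; a follow-up function pulls out the approvals from a flagged IP, which are the cards the attacker has just validated and the orders worth holding. The log format, IP addresses (documentation ranges), accounts and card digits are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authorization log (sample data, not from the page). 203.0.113.7 runs
# six $1.00 attempts across five cards in under a minute; alice is a real customer
# whose first attempt declined and retry succeeded; bob is a one-off decline.
SAMPLE_LOG = """
2024-05-01T10:00:01Z ip=203.0.113.7 acct=guest card=1111 amount=1.00 result=DECLINED
2024-05-01T10:00:09Z ip=203.0.113.7 acct=guest card=2222 amount=1.00 result=DECLINED
2024-05-01T10:00:15Z ip=203.0.113.7 acct=guest card=3333 amount=1.00 result=DECLINED
2024-05-01T10:00:22Z ip=203.0.113.7 acct=guest card=4444 amount=1.00 result=DECLINED
2024-05-01T10:00:30Z ip=203.0.113.7 acct=guest card=1111 amount=1.00 result=DECLINED
2024-05-01T10:00:41Z ip=203.0.113.7 acct=guest card=5555 amount=1.00 result=DECLINED
2024-05-01T10:00:52Z ip=203.0.113.7 acct=guest card=6666 amount=1.00 result=APPROVED
2024-05-01T10:01:10Z ip=198.51.100.9 acct=alice card=7777 amount=89.99 result=DECLINED
2024-05-01T10:02:45Z ip=198.51.100.9 acct=alice card=7777 amount=89.99 result=APPROVED
2024-05-01T10:20:00Z ip=192.0.2.44 acct=bob card=8888 amount=15.00 result=DECLINED
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) acct=(?P<acct>\S+) card=(?P<card>\d{4}) "
    r"amount=(?P<amount>[\d.]+) result=(?P<result>[A-Z]+)$"
)


def parse_line(line: str):
    """Dict for a well-formed line, None otherwise (bad input must not stop the detector)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["amount"] = float(ev["amount"])
    return ev


def detect_card_testing(lines, window=timedelta(minutes=5), min_declines=5, min_cards=3):
    """Velocity rule: within `window`, one source IP accumulates at least
    `min_declines` declined authorizations over at least `min_cards` distinct
    cards. One alert per IP, raised the moment the threshold is crossed."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # ip -> declined events still inside the window
    alerts, alerted = [], set()
    for ev in events:
        if ev["result"] != "DECLINED":
            continue
        q = recent[ev["ip"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()  # slide the window forward
        cards = {e["card"] for e in q}
        if len(q) >= min_declines and len(cards) >= min_cards and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({
                "rule": "card_testing",
                "ip": ev["ip"],
                "declines": len(q),
                "distinct_cards": len(cards),
                "window_start": q[0]["ts"],
                "window_end": ev["ts"],
            })
    return alerts


def approved_after_testing(lines, alerts):
    """Approvals from a flagged IP are the cards the attacker just validated:
    hold those orders for manual review instead of shipping."""
    flagged = {a["ip"] for a in alerts}
    return [ev for ev in map(parse_line, lines)
            if ev is not None and ev["result"] == "APPROVED" and ev["ip"] in flagged]


if __name__ == "__main__":
    found = detect_card_testing(SAMPLE_LOG)
    for a in found:
        print(a)
    for ev in approved_after_testing(SAMPLE_LOG, found):
        print("hold for review:", ev["acct"], ev["card"], ev["amount"])
```

Thresholds are the tuning knob: alice's decline-then-retry pattern stays under them, and a real deployment would key the window on more than the IP (device fingerprint, account, BIN) because attackers rotate addresses.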
By adhering to these security requirements, e-commerce businesses can significantly reduce the
risks associated with online transactions, protect sensitive data, and build trust with their
Online shopping has become an integral part of modern consumer behavior, but it also
presents various security risks. To safeguard their transactions, online shoppers should take
several precautions. Here are some key measures to enhance security:
1. Use Secure Websites
HTTPS Protocol
Look for HTTPS: Ensure that the website uses HTTPS instead of HTTP. The 'S' stands
for secure and indicates that the site uses encryption to protect data in transit.
Check the Padlock Icon: Verify the presence of a padlock icon in the address bar, which
signifies an encrypted connection to the site named there. The padlock does not vouch for
the site's honesty; phishing sites also use HTTPS, so check that the domain name is the
merchant's real one.
Complex Passwords: Use strong passwords: long ones (a passphrase works well) that combine
letters, numbers, and special characters and are not built from dictionary words or personal
information.
Unique Passwords: Avoid using the same password across multiple sites. Each account
should have a unique password.
Password Managers: Utilize password managers to securely store and manage
passwords.
2FA: Enable two-factor authentication on online shopping accounts. This adds an extra
layer of security by requiring a second form of verification, such as a code sent to your
phone.
Authentication Apps: Use authentication apps like Google Authenticator or Authy for
generating verification codes.
Credit Cards: Prefer credit cards over debit cards, as they offer better fraud protection: a
disputed charge is the issuer's money, not money already taken from your bank account.
Secure Payment Services: Use reputable payment services like PayPal, Apple Pay, or
Google Wallet, which provide an additional layer of security.
Virtual Credit Cards: Consider using virtual credit cards, which generate a temporary
card number for each transaction.