Chapter 5 Security
• Pandemic Challenges: Security issues from remote work, increased phishing, and handling higher e-commerce traffic volumes.
• Data Breaches: Persistent large-scale breaches expose sensitive user information.
• Mobile Threats: Rise in mobile malware targeting smartphones and mobile payment users.
• Ransomware Surge: Malware creation and ransomware attacks skyrocket.
• DDoS Attacks: Capable of disrupting entire countries’ internet services.
• Cyberwarfare: Nations intensify cyberespionage and warfare efforts.
• Social Network Exploits: Hackers use social engineering to target victims.
• Hacktivist Threats: Politically motivated attacks merge with financial crimes.
• Software Vulnerabilities: Ongoing risks from bugs like EternalBlue and Heartbleed.
• Supply Chain Attacks: Target development environments, e.g., the Asus malware attack.
The E-Commerce Security Environment
• Promise vs. Threats: The internet offers a global marketplace for over 2.3 billion consumers but has also created lucrative opportunities for cybercriminals.
• Key Vulnerabilities:
• Lack of built-in security features in the internet's design.
• Anonymity enables crimes like fraud, data theft, and site attacks.
• Cybercriminals exploit vulnerabilities at lower risks compared to physical crimes.
• Cybercrime Costs:
• Global losses from cybercrime range from $445 billion to $600 billion annually (McAfee, 2018).
• The average cost of a data breach was $3.86 million in 2020 (Ponemon Institute).
• Businesses bear direct losses, increased security costs, reputational damage, and reduced trust.
• Trends in Cyber Threats:
• Increasing DDoS attacks, phishing, malware, and ransomware.
• Rise in form hijacking and polymorphic malware, making detection harder.
• Growth in online credit card fraud and identity theft.
• Sector Impact:
• Banking reports the highest cybercrime costs (> $18 million annually).
• U.S. organizations face the highest average annual losses ($27.4 million).
The Underground Economy Marketplace: The Value of Stolen Information
• The shadow economy monetizes stolen data through sales on the Dark Web/Darknet. Data has a "street value" determined by demand, supply, and freshness.
• Examples of Stolen Data Prices:
• Credit Card Information:
• CVV data: $5–$8; Full details (Fullz): $20–$60; Magnetic strip data (Dumps): $60–$100
• Bank Account Credentials: 0.5%–10% of value; Online Accounts (e.g., Facebook, PayPal): $10–$15
• Driver’s License: $20; Medical Info: $10–$20
• Social Security Numbers, Passports, Emails: Vary widely.
• Marketplace Structure:
• Low-level criminals: Frequent carder forums.
• Resellers: Intermediaries in transactions.
• Masterminds: Develop malicious tools and exploits.
• Marketplace Access: Requires vetting via Twitter, Tor, VPNs, and cryptocurrency exchanges (e.g., Bitcoin).
• Conclusion:
• Cybercrime against e-commerce is dynamic and evolving.
• E-commerce managers must stay proactive with security techniques to combat rising threats.
What is Good E-Commerce Security?
• Secure Transactions:
• In both traditional and digital commerce, the main risks include:
• Consumers: Risk of not receiving the purchased goods.
• Merchants: Risk of not getting paid (fraudulent payments, stolen credit cards).
• Common Risks in E-Commerce:
• E-commerce faces the same risks as traditional commerce:
• Theft, fraud, burglary, vandalism, etc.
• The digital environment adds complexity but doesn't eliminate these risks.
• Approach to Reducing Risks:
• Multi-layered security: Combining technologies, organizational policies, and laws.
• Technologies: Help protect transactions but are not enough on their own.
• Policies and Procedures: Ensure technologies are properly managed.
• Laws and Standards: Enforce payment mechanisms and protect property.
• Key Insights from Commercial Security History:
• Security is not absolute: Can be breached with enough resources.
• Security cost-benefit: Security should be balanced with potential losses.
• Weakest Link: Security often fails at the weakest point in the system (e.g., poor management).
• Conclusion:
• Good e-commerce security requires a combination of laws, procedures, policies, and technologies to protect
Dimensions of E-Commerce Security
• E-commerce security focuses on six key dimensions, ensuring the integrity, privacy, and overall functionality of online transactions:
1. Integrity:
• Ensures that information has not been altered by unauthorized parties during transmission.
• Example: If a bank transfer is intercepted and redirected, the integrity of the message is compromised.
2. Nonrepudiation:
• Ensures that participants cannot deny their actions (e.g., making a purchase).
• Example: A customer cannot deny having ordered items, and a merchant cannot deny a valid transaction.
3. Authenticity:
• Ensures that the identity of a person or entity is verified.
• Example: Confirming that a website operator is who they claim to be, and that customers are genuine.
4. Confidentiality:
• Ensures that data and messages are accessible only to authorized individuals.
• Example: Preventing unauthorized access to customer credit card details.
5. Privacy:
• Controls the use of personal information provided by customers to merchants.
• Example: Protecting customer data from unauthorized use, ensuring secure transactions and protection against breaches.
6. Availability:
• Ensures that e-commerce sites are accessible and functioning as intended.
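The integrity example above (a transfer message intercepted and redirected) can be made concrete with a message authentication code. The following is an added illustration, not code from the slides or the textbook; it uses only the Python standard library, and the shared key and transfer fields are constructed values. The receiver recomputes an HMAC-SHA256 tag over the canonical message bytes and rejects any message whose tag no longer matches, which is exactly what happens when the destination account is changed in transit.

```python
import hmac
import hashlib
import json

# Constructed shared secret for the demonstration (hypothetical value; a real
# deployment provisions the key out of band and never hard-codes it).
SHARED_KEY = b"example-shared-key-not-for-production"


def canonical(message: dict) -> bytes:
    """Serialise deterministically so sender and receiver MAC identical bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def sign(message: dict, key: bytes = SHARED_KEY) -> str:
    """Produce an HMAC-SHA256 tag covering every field of the message."""
    return hmac.new(key, canonical(message), hashlib.sha256).hexdigest()


def verify(message: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(sign(message, key), tag)


def transfer_example() -> tuple:
    """Return (original_verifies, tampered_verifies) for a constructed transfer."""
    original = {"from": "ACC-1001", "to": "ACC-2002",
                "amount": "250.00", "currency": "USD", "nonce": 17}
    tag = sign(original)                      # attached by the sender
    tampered = dict(original, to="ACC-9999")  # intermediary redirects the funds
    return verify(original, tag), verify(tampered, tag)


if __name__ == "__main__":
    ok, redirected_ok = transfer_example()
    print("original message accepted:", ok)                # True
    print("redirected message accepted:", redirected_ok)   # False
```

Note the limit of this construction: an HMAC proves integrity and, between the two key holders, authenticity, but not nonrepudiation, because either party could have produced the tag. Nonrepudiation requires an asymmetric signature (RSA, ECDSA or similar) made with a private key that only the signer holds.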
The Tension Between Security and Other Values
• Can There Be Too Much Security?
• Yes, security is not always an unmitigated good.
• Security creates overhead and expense, affecting business operations.
• It can also provide criminals new opportunities to hide their intentions.
• Security vs. Ease of Use
• More security measures often result in lower ease of use and slower website performance.
• Example: Physical shops behind locked gates discourage customers from entering, similar to e-commerce sites becoming harder to use with added security.
• Trade-off:
• Too much security may harm profitability.
• Too little security can lead to business risks.
• Balancing Security with User Preferences
• McKinsey Report: Consumers purchased 10-20% more when authentication was easy.
• IBM Study: Over 50% of users prefer enhanced security, even at the cost of additional steps to access accounts (IBM Security, 2018).
Public Safety and the Criminal Uses of the Internet
• The Tension Between Privacy and Public Safety
• Anonymity vs. Safety: The need for individuals to act anonymously vs. the government’s need to maintain public safety.
• Historical Context:
• U.S. began tapping telegraph wires during the Civil War to catch conspirators.
• Early telephone wiretaps in the 1890s for criminal investigations.
• Criminal and Terrorist Uses of the Internet
• Criminal Activities:
• Drug cartels and organized crime groups use voice, fax, and encrypted email to facilitate illegal activities.
• Cybercrime forums (e.g., Shadowcrew, Carderplanet) facilitate the sale of stolen information like credit card data.
• Terrorist Activities:
• The Internet and mobile platforms are convenient for terrorist communication.
• Government Surveillance and Controversy
• Increased Surveillance:
• U.S. government enhanced surveillance to combat terrorism through the Internet.
• NSA's access to major Internet company servers raised concerns about privacy.
• Edward Snowden: Revealed classified NSA documents showing surveillance on emails, chats, and browsing histories without court approval.
• Shift in Strategy:
• From mass surveillance to targeted surveillance using predictive algorithms to focus efforts.
• Balancing Privacy and Public Safety
• Ongoing Debate: The struggle to maintain a balance between public safety and privacy rights remains a thorny issue.
Security Threats in the E-Commerce Environment
• Key Points of Vulnerability:
• Client: The device used by the consumer (e.g., computer, smartphone).
• Server: The e-commerce platform hosting the website.
• Communications Pipeline: The network or Internet through which data is transmitted.
Common and Damaging Security Threats
1. Malicious Code (Malware): Includes viruses, worms, ransomware, Trojan horses, and bots. Designed to damage or exploit systems, steal information, or disrupt operations.
2. Potentially Unwanted Programs (PUPs): Programs that may cause harm or annoy users, often bundled with other software.
3. Phishing: Fraudulent attempts to obtain sensitive information (e.g., passwords, credit card numbers) by disguising as a trustworthy entity.
4. Hacking and Cybervandalism: Unauthorized access to systems and networks to steal data or cause damage.
5. Data Breaches: Unauthorized access to sensitive customer or business data.
6. Credit Card Fraud/Theft: Stealing credit card details for unauthorized purchases.
7. Spoofing: Pretending to be someone else, such as using a fake email or website.
8. Pharming: Redirecting users to fake websites that look legitimate to steal information.
9. Spam (Junk Websites/Link Farms): Unsolicited and often harmful email or website links used to promote unrelated content or phishing attempts.
10. Identity Fraud: Stealing someone’s identity to access financial resources or commit crimes.
11. Denial of Service (DoS) and Distributed DoS (DDoS) Attacks: Overloading a website or server with excessive traffic to render it unavailable.
12. Sniffing: Intercepting network traffic to capture sensitive information, such as passwords or credit card numbers.
13. Insider Attacks: Employees or trusted individuals exploiting their access to systems or data for malicious purposes.
14. Poorly Designed Server and Client Software: Vulnerabilities in software that can be exploited by attackers.
15. Social Network Security Issues: Weaknesses in social media platforms that can lead to identity theft, scams, or data breaches.
16. Mobile Platform Security Issues: Vulnerabilities in mobile apps or devices that can be exploited to steal personal information.
Security Threats in E-Commerce
• malicious code (malware): includes a variety of threats such as viruses, worms, Trojan horses, and bots.
• exploit kit: a collection of exploits bundled together and rented or sold as a commercial product.
• malvertising: online advertising that contains malicious code.
• drive-by download: malware that comes with a downloaded file that a user requests.
• virus: a computer program that has the ability to replicate or make copies of itself and spread to other files.
• worm: malware that is designed to spread from computer to computer.
• ransomware: malware that prevents you from accessing your computer or files and demands that you pay a fine.
• Trojan horse: appears to be benign, but then does something other than expected. Often a way for viruses or other malicious code to be introduced into a computer system.
Security Threats in E-Commerce
• backdoor: a feature of viruses, worms, and Trojans that allows an attacker to remotely access a compromised computer.
• bot: a type of malicious code that can be covertly installed on a computer when it is connected to the Internet. Once installed, the bot responds to external commands sent by the attacker.
• botnet: a collection of captured bot computers.
Security Threats in E-Commerce
• potentially unwanted program (PUP): a program that installs itself on a computer, typically without the user’s informed consent.
• adware: a PUP that serves pop-up ads to your computer.
• browser parasite: a program that can monitor and change the settings of a user’s browser.
• cryptojacking: installs a browser parasite that sucks up a computer’s processing power to mine cryptocurrency without the user’s knowledge or consent.
• spyware: a program used to obtain information such as a user’s keystrokes, e-mail, instant messages, and so on.
Security Threats in E-Commerce
• social engineering: exploitation of human fallibility and gullibility to distribute malware.
• phishing: any deceptive, online attempt by a third party to obtain confidential information for financial gain.
• BEC (business e-mail compromise) phishing: a variation of the Nigerian letter scam in which an attacker poses as a high-level employee of a company and requests that another employee transfer funds to a fraudulent account.
Security Threats in E-Commerce
• hacker: an individual who intends to gain unauthorized access to a computer system.
• cracker: within the hacking community, a term typically used to denote a hacker with criminal intent.
• cybervandalism: intentionally disrupting, defacing, or even destroying a site.
• hacktivism: cybervandalism and data theft for political purposes.
Security Threats in E-Commerce
• data breach: occurs when an organization loses control over corporate information, including the personal information of customers and employees, to outsiders.
• credential stuffing: a brute-force attack that hackers launch via botnets and automated tools, using known user name and password combinations obtained from data breaches.
• CREDIT CARD FRAUD/THEFT
• identity fraud: involves the unauthorized use of another person’s personal data for illegal financial benefit.
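Credential stuffing leaves a recognisable trace in authentication logs: one source address failing logins against many different accounts in a short window, rather than one user mistyping one password. The detector below is an added example, not code from the slides or from any product; the log format and all addresses (documentation ranges) are constructed sample data. It parses the lines, slides a time window over each source's failed attempts, flags sources that hit many distinct accounts, and then lists the accounts that nevertheless logged in successfully from a flagged source, since those are the candidates for a forced password reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log sample (hypothetical format, not real traffic).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice result=fail
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob result=fail
2024-05-01T10:00:02Z ip=203.0.113.5 user=carol result=fail
2024-05-01T10:00:03Z ip=203.0.113.5 user=dave result=fail
2024-05-01T10:00:03Z ip=203.0.113.5 user=erin result=success
2024-05-01T10:00:04Z ip=203.0.113.5 user=frank result=fail
2024-05-01T10:00:10Z ip=198.51.100.7 user=alice result=fail
2024-05-01T10:00:15Z ip=198.51.100.7 user=alice result=fail
2024-05-01T10:00:20Z ip=198.51.100.7 user=alice result=success
2024-05-01T10:05:00Z ip=192.0.2.9 user=grace result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(log_text: str) -> list:
    """Turn log lines into (timestamp, ip, user, result) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=1),
                               min_distinct_users=5) -> dict:
    """Return {ip: set(users)} for sources whose failed logins span many accounts
    within `window`. A single account failing repeatedly is not flagged: that is
    the profile of a forgotten password, not of a stuffing run."""
    failed = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "fail":
            failed[ip].append((ts, user))
    flagged = {}
    for ip, attempts in failed.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until all attempts fit inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_distinct_users:
                flagged[ip] = users
                break
    return flagged


def successes_from_flagged(events, flagged: dict) -> list:
    """Accounts that logged in successfully from a flagged source: likely
    compromised credentials that should be reset and the sessions revoked."""
    return sorted({user for _, ip, user, result in events
                   if ip in flagged and result == "success"})


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    hits = detect_credential_stuffing(evts)
    print("stuffing sources:", {ip: sorted(u) for ip, u in hits.items()})
    print("accounts to reset:", successes_from_flagged(evts, hits))
```

The thresholds (one-minute window, five distinct accounts) are assumptions for the sample; in production they are tuned against the site's normal traffic, and a real attacker spreads the run across a botnet, so the same logic is usually applied per user-agent fingerprint or per ASN as well as per IP address.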
Security Threats in E-Commerce
• spoofing: involves attempting to hide a true identity by using someone else’s e-mail or IP address.
• pharming: automatically redirecting a web link to an address different from the intended one, with the site masquerading as the intended destination.
• spam (junk) websites: also referred to as link farms; promise to offer products or services, but in fact are just collections of advertisements.
• sniffer: a type of eavesdropping program that monitors information traveling over a network.
• man-in-the-middle (MitM) attack: an attack in which the attacker is able to intercept communications between two parties who believe they are directly communicating with one another, when in fact the attacker is controlling the communications.
Security Threats in E-Commerce
• Denial of Service (DoS) attack: flooding a website with useless traffic to inundate and overwhelm the network.
• Distributed Denial of Service (DDoS) attack: using numerous computers to attack the target network from numerous launch points.
• INSIDER ATTACKS
• SQL injection attack: takes advantage of poorly coded web application software that fails to properly validate or filter data entered by a user on a web page.
• zero-day vulnerability: a software vulnerability that has been previously unreported and for which no patch yet exists.
• Heartbleed bug: a flaw in the OpenSSL encryption system that allowed hackers to decrypt an SSL session and discover user names, passwords, and other user data.
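The SQL injection definition above describes the root cause (user input that is not validated or filtered) without showing what the poorly coded software looks like next to its fixed form. The following is an added example written for this chapter, not code from the slides or the textbook; the customer table, its two rows and the function names are constructed. The unsafe lookup splices the username into the SQL text, so a value containing quote characters changes the query's meaning; the safe lookup hands the value to the driver as a bound parameter, so it can only ever be compared as data; the validated lookup adds an allow-list check in front as a second layer.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory customer table with sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, username: str) -> list:
    """Poorly coded lookup: user input becomes part of the SQL statement itself."""
    sql = f"SELECT username, email FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username: str) -> list:
    """Hardened lookup: the driver binds the value, so it is never parsed as SQL."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list for usernames (an assumption about this site's account policy).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def lookup_validated(conn, username: str) -> list:
    """Defence in depth: reject input outside the allow-list, then bind it."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return lookup_safe(conn, username)


def demo() -> tuple:
    """Run one crafted input through all three lookups.
    Returns (rows_from_unsafe, rows_from_safe, validated_rejected)."""
    conn = make_db()
    crafted = "' OR '1'='1"   # the classic tautology a scanner would send
    unsafe_rows = len(lookup_unsafe(conn, crafted))   # every row leaks
    safe_rows = len(lookup_safe(conn, crafted))       # no such username: 0
    try:
        lookup_validated(conn, crafted)
        rejected = False
    except ValueError:
        rejected = True
    return unsafe_rows, safe_rows, rejected


if __name__ == "__main__":
    print(demo())   # (2, 0, True)
```

Parameter binding is the actual fix; the allow-list is a second layer, useful because it also blocks inputs that are merely malformed, but it must never be the only defence, since a field that legitimately needs quotes or spaces (a street address, a product review) cannot be protected that way.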
Security Issues (Cybersecurity Challenges)
• Social Networking Issues
• Threats: Viruses, identity fraud, phishing, malware, spam.
• Scams: Fake apps, fake events, malicious links, manual sharing scams.
• Example: 2020 Twitter hack targeting prominent accounts for Bitcoin scams.
• Mobile Platform Issues
• Threats: Rogue apps, Wi-Fi vulnerabilities, malware, ransomware.
• Attacks: Vishing, smishing, SMS spoofing, adware (Madware).
• Example: Banking malware in apps like Currency Converter on Google Play.
• Cloud Security Issues
• Threats: DDoS attacks, data breaches, hybrid network vulnerabilities.
• Challenges: Safeguarding sensitive data in public cloud environments.
• Example: Dyn DDoS attack disrupting cloud services in the U.S.
• Key Takeaway:
• Vigilance and robust security measures are critical to mitigating risks in social networks, mobile
Internet of Things (IoT) Security Issues
• Key Challenges
• Scale of Devices: Vast interconnected networks increase vulnerability.
• Uniform Devices: Identical characteristics magnify the impact of security flaws.
• Longevity: Devices often outlive their manufacturers, leaving them unsupported.
• Upgrade Limitations: Many devices lack upgrade options, creating persistent risks.
• User Visibility: Limited insight into device operations and security alerts.
• Embedded Devices: Unnoticed devices can sustain undetected breaches.
• Notable Incidents
• Hacked Jeep Cherokee: Remote control over brakes and steering.
• Medical Devices: Vulnerable hospital systems and equipment.
• Mirai Botnet Attack: 500,000 IoT devices used in a massive DDoS attack.
• IoTroop Botnet: Rapid recruitment of IoT devices with destructive potential.
• Takeaway:
• IoT security demands innovative tools and proactive strategies to address unprecedented vulnerabilities across diverse, interconnected devices.