Online security and payment system

Ayesha Khalil

Upload: works-in-gcuf

Post on 20-Aug-2015



TRANSCRIPT

Ayesha Khalil

Online security and payment system


What is E-Commerce?

Transacting or facilitating business on the Internet is called e-commerce; it revolves around buying and selling.

Another definition: the use of the Internet and the Web to transact business, i.e. digitally enabled commercial transactions between and among organizations and individuals.

The E-commerce Security Environment

• Most serious losses involved theft of proprietary information or financial fraud
• 40% reported attacks from outside the organization
• 38% experienced denial of service attacks
• 94% detected virus attacks

What is Cyber Crime?

Cybercrime: any illegal act committed using a computer network, especially the Internet. Cybercrime is a subset of computer crime.

Computer crime: stealing and using or selling data, such as company data or personal information held in company files.

The E-commerce Security Environment

Dimensions of E-commerce Security

Integrity: ability to ensure that information being displayed on a Web site or transmitted/received over the Internet has not been altered in any way by an unauthorized party

Nonrepudiation: ability to ensure that e-commerce participants do not deny (repudiate) online actions

Authenticity: ability to verify the identity of a person or entity with whom you are dealing on the Internet

Confidentiality: ability to ensure that messages and data are available only to those authorized to view them

Privacy: ability to control use of information a customer provides about himself or herself to merchant

Availability: ability to ensure that an e-commerce site continues to function as intended

Most Common Security Threats in the E-commerce Environment

• Malicious code: designed to breach system security and threaten digital information
  Viruses, worms, Trojan horses, bots and botnets
• Unwanted programs: browser parasites, adware, spyware

Malicious Code (Malware)

Viruses: a computer program that has the ability to replicate and spread to other files; most also deliver a "payload" of some sort (may be destructive or benign).

Worms: designed to spread from computer to computer rather than from file to file; a program that actively reproduces itself across a network without needing a host file.

Trojan horse: appears to be benign, but then does something other than expected (e.g., a game that steals sign-ons and passwords).

Bot: malware that an unauthorized person uses to turn a computer into a "zombie" under remote control; many such machines together form a botnet.

Unwanted Programs: adware, browser parasites, spyware or any other application installed on a computer through Internet traffic without the informed consent of the user.

Adware: installed on a computer from sources such as social networking sites; its purpose is simply to annoy you with advertising; it does not itself perform criminal activity.

Browser parasite: installed when you click on a link; captures your activities and transmits them to an unauthorized person; may change your home page.

Spyware: small programs that install themselves surreptitiously on computers to monitor user Web surfing activity and serve up advertising; may also capture keystrokes and steal confidential or financial information such as logins and passwords.

Most Common Security Threats (cont.)

• Phishing: deceptive online attempt to obtain confidential information
  Social engineering, e-mail scams, spoofing legitimate Web sites
  The stolen information is then used to commit fraudulent acts (e.g., accessing checking accounts) or to steal identities
• Hacking and cyber vandalism: hackers vs. crackers
  Cyber vandalism: intentionally disrupting, defacing or destroying a Web site
  Types of hackers: white hats, black hats, grey hats

Hackers vs. Crackers

Hackers:
• in this usage, a hacker is not a cyber criminal
• knows the operating system thoroughly
• does constructive work

Crackers:
• a person who breaks security: system intrusion, system damage, cyber vandalism
• a cracker is a cyber criminal
• crackers create nothing and destroy much

Hacking and Cyber Vandalism

Hacker: individual who intends to gain unauthorized access to computer systems. Types of hackers include white hats, black hats and grey hats.

White hats: professional security experts who do not perform criminal activity (they test security with the system owner's permission).

Black hats: black hat hackers break into secure networks to destroy data or make the network unusable for those who are authorized to use it.

Grey hats: a grey hat hacker is a combination of a black hat and a white hat hacker. A grey hat hacker may surf the Internet and hack into a computer system for the sole purpose of notifying the administrator that their system has a security defect, for example. Then they may offer to correct the defect for a fee.

Cracker: used to denote a hacker with criminal intent (the two terms are often used interchangeably).

Cyber vandalism: intentionally disrupting, defacing or destroying a Web site.

Credit Card Fraud

Fear that credit card information will be stolen deters online purchases. Hackers target credit card files and other customer information files on merchant servers and use the stolen data to establish credit under a false identity.

One solution: new identity verification mechanisms.

Spoofing and Pharming

Spoofing: misrepresenting oneself by using fake e-mail addresses or masquerading as someone else. Pharming: redirecting users to a fake copy of a Web site (for example by tampering with name resolution) so that they disclose their credentials there. Both threaten the integrity and authenticity of a site.

DoS and DDoS Attacks

• Denial of service (DoS) attack: hackers flood a Web site with useless traffic to inundate and overwhelm the network
• Distributed denial of service (DDoS) attack: hackers use numerous computers to attack the target network from numerous launch points

Using Zombies in a Distributed Denial-of-Service Attack

Malware: a generic term for malicious software

• A number of factors have contributed to the overall increase in malicious code. Among these factors, the following are paramount:
  Mixing data and executable instructions
  Increasingly homogeneous computing environments
  Unprecedented connectivity
  Larger clueless user base

Other Security Threats

Sniffing: a type of eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information from anywhere on the network (anything sent in plain text, such as a password over an unencrypted connection, is readable to the sniffer).

Insider jobs: single largest financial threat.

Poorly designed server and client software: the increase in the complexity of software programs has contributed to an increase in vulnerabilities that hackers can exploit.

Technology Solutions

• Protecting Internet communications (encryption)
• Securing channels of communication (SSL, S-HTTP, VPNs)
• Protecting networks (firewalls)

Protecting Internet Communications: Encryption

• Encryption: the process of transforming plain text or data into cipher text that cannot be read by anyone other than the sender and receiver
• Purpose: secure stored information and information transmission
• Provides (together with the related tools of hashing and digital signatures): message integrity, nonrepudiation, authentication, confidentiality

Symmetric Key Encryption

Also known as secret key encryption. Both the sender and receiver use the same digital key to encrypt and decrypt the message. Drawback: the key must be shared secretly in advance, and a different set of keys is required for each transaction (or each pair of communicating parties).

Symmetric (Private) Key Encryption

Public Key Encryption

Public key cryptography solves the symmetric key encryption problem of having to exchange a secret key. It uses two mathematically related digital keys: a public key (widely disseminated) and a private key (kept secret by its owner). Either key can be used to encrypt, but a message encrypted with one key can only be decrypted with the other. For example, the sender uses the recipient's public key to encrypt a message; the recipient uses his or her private key to decrypt it.

A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and unlock the data when they are received. The sender locates the recipient's public key in a directory and uses it to encrypt a message. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the recipient uses his or her private key to decrypt the data and read the message.

Digital Envelopes

• Addresses the weaknesses of public key encryption (computationally slow, decreases transmission speed, increases processing time) and of symmetric key encryption (fast, but the secret key must be shared in advance)
• Uses symmetric key encryption to encrypt the document, but public key encryption to encrypt and send the symmetric key

Securing Channels of Communication

• Secure Sockets Layer (SSL): most common form of securing channels of communication; used to establish a secure negotiated session (a client-server session in which the URL of the requested document, along with its contents, is encrypted). SSL has since been superseded by its successor, Transport Layer Security (TLS); the old SSL protocol versions are deprecated and should be disabled on servers.
• S-HTTP: alternative method; provides a secure message-oriented communications protocol designed for use in conjunction with HTTP (it was never widely adopted)

Protecting Networks: Firewalls and Proxy Servers

• Firewall: hardware or software that filters communication packets and prevents some packets from entering the network, based on a security policy
• Proxy servers: software servers that handle all communications originating from or being sent to the Internet (act as "spokesperson" or "bodyguard" for the organization)

Protecting Servers and Clients

• Operating system controls: authentication and access control mechanisms
• Anti-virus software: easiest and least expensive way to prevent threats to system integrity, though it only catches malware it already has a signature or heuristic for and must be kept up to date

References

Kenneth C. Laudon