
Topic 7 Security of E-Commerce

E-Commerce
Security and Fraud
Prepared by:
Dr.Resala AlAdraj
What Is EC Security?
Computer security
• In general, computer security refers to the protection of data, networks, computer programs, computer power, and other elements of computerized information systems.
• It is a very broad field due to the many methods of attack as well as the many modes of defense.
• The attacks on and defenses for computers can affect individuals, organizations, countries, or the entire Web. Computer security aims to prevent, or at least minimize, the attacks.
We classify computer security into two categories:
• generic topics, relating to any information system (e.g., encryption), and
• EC-related issues, such as buyers’ protection. Attacks on EC websites, identity theft of both individuals and organizations, and a large variety of fraud schemes, such as phishing, are described in this chapter.
Basic E-commerce Security Issues and Landscape
• The Threats, Attacks, and Attackers: Information systems, including EC, are vulnerable to both unintentional and intentional threats.
Unintentional Threats
Unintentional threats fall into three major categories: human error, environmental hazards, and malfunctions in the computer system:
1. Human Error
• Human errors can occur in the design of the hardware, software, or information systems.
• They can also occur in programming (e.g., forgetting to factor in leap year), testing, data collection, data entry, authorization, and instructions.
• Errors can occur because of negligence, outdated security procedures or inadequate employee training, or because passwords are not changed or are shared with others.
2. Environmental Hazards
o These include natural disasters and other environmental conditions outside of human control (e.g., Acts of God, large-scale acts of nature and accidents such as earthquakes, severe storms, hurricanes, blizzards, or sand storms), floods, power failures or strong fluctuations, fires (the most common hazard), explosions, radioactive fallout, and water-cooling system failures.
o Computer resources also can be damaged by side effects such as smoke and water. Damage during wars or property vandalism is a special kind of environmental hazard.
3. Malfunctions in the Computer System
• Defects can be the result of poor manufacturing, defective materials, memory leaks, and outdated or poorly maintained networks.
• Unintentional malfunctions can also happen for other causes, ranging from lack of user experience to inadequate testing.
• For example, in March 2012, a computer glitch (related to United Airlines switching over to the computer system used by Continental Airlines after their merger) overloaded United Airlines’ phone lines and caused flight delays, causing frustration for customers, and the problem continues.
Intentional Attacks and Crimes
Intentional attacks are committed by cybercriminals. Types of intentional attacks include theft of data; inappropriate use of data (e.g., changing it or presenting it for fraudulent purposes); theft of laptops and other devices and equipment and/or computer programs to steal data; vandalism or sabotage directed toward the computer or its information system; damaging computer resources; losses from malware attacks; creating and distributing viruses; and causing monetary losses due to Internet fraud.
• The Criminals and Methods
Intentional crimes carried out using computers and the Internet are called cybercrimes. They are committed by cybercriminals (criminals for short), a group that includes hackers and crackers.
• Hackers and crackers.
The term hacker describes someone who gains unauthorized access to a computer system.
A cracker (also known as a “black hat” hacker) is a malicious hacker with extensive computer experience who may be more damaging.
The Targets of the Attacks in Vulnerable Areas
• Any part of an information system can be attacked.
• PCs, tablets, and smartphones can easily be stolen or attacked by viruses and/or malware.
• Users can become victims of a variety of fraudulent actions. Databases can be attacked by unauthorized intruders, and data are very vulnerable in many places in a computerized system.
• Vulnerability creates opportunities for attackers to damage information systems.
EC Security Requirements
1- Authentication.
Authentication is a process used to verify (assure) the real identity of an EC entity, which could be an individual, software agent, computer program, or EC website.
2- Authorization.
Authorization is the provision of permission to an authenticated person to access systems and perform certain operations in those specific systems.
3- Auditing.
When a person or program accesses a website or queries a database, various pieces of information are recorded or logged into a file.
4- Availability.
Assuring that systems and information are available to the user when needed and that the site continues to function. Appropriate hardware, software, and procedures ensure availability.
5- Nonrepudiation.
Closely associated with authentication, nonrepudiation is the assurance that online customers or trading partners will not be able to falsely deny (repudiate) their purchase, transaction, sale, or other obligation. Nonrepudiation involves several assurances, including providing proof of delivery from the sender and proof of sender and recipient identities and the identity of the delivery company.
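Three of the requirements above (authentication, authorization, and auditing) in working form, as an added example that is not from the slides or from Turban et al.: a small Python order service with salted-hash password checks, owner-only access to orders, and a hash-chained audit log whose integrity can be verified. The class and method names (EcSite, view_order, audit_intact) are invented for this example; nonrepudiation is deliberately not implemented, because it needs a customer-held signing key rather than anything the server can do on its own.

```python
import hashlib, hmac, json, os, time

class EcSite:
    def __init__(self):
        self.users = {}        # username -> (salt, PBKDF2 password hash)
        self.orders = {}       # order_id -> {"owner": username, "amount": float}
        self.audit = []        # hash-chained audit records (auditing requirement)
        self._prev = "0" * 64  # hash of the previous audit record

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def register(self, user, password):
        salt = os.urandom(16)  # per-user salt, so equal passwords hash differently
        self.users[user] = (salt, self._kdf(password, salt))
    def authenticate(self, user, password):
        # Authentication: verify the claimed identity; log both success and failure.
        rec = self.users.get(user)
        ok = rec is not None and hmac.compare_digest(self._kdf(password, rec[0]), rec[1])
        self._log("login", user, ok)
        return ok
    def place_order(self, user, order_id, amount):
        self.orders[order_id] = {"owner": user, "amount": amount}
        self._log("order", user, True, order_id=order_id, amount=amount)
    def view_order(self, user, order_id):
        # Authorization: an authenticated user may read only their own orders.
        order = self.orders.get(order_id)
        allowed = order is not None and order["owner"] == user
        self._log("view", user, allowed, order_id=order_id)
        return order if allowed else None
    def _log(self, action, user, ok, **extra):
        entry = {"ts": time.time(), "action": action, "user": user, "ok": ok,
                 "prev": self._prev, **extra}
        entry["hash"] = self._digest(entry)  # links this record to the previous one
        self._prev = entry["hash"]
        self.audit.append(entry)
    def audit_intact(self):
        # Re-walk the chain: an edited, deleted or reordered record breaks a link.
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```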
EC Defense Programs and Strategy
• An EC security strategy consists of multiple layers of defense that include several methods.
• This defense aims to deter, prevent, and detect unauthorized entry into an organization’s computer and information systems.
• Deterrent methods are countermeasures that make criminals abandon their idea of attacking a specific system (e.g., a possible deterrent is a realistic expectation of being caught and punished).
Security defense methods
1- Prevention measures
Help stop unauthorized people from accessing the EC system (e.g., by using authentication devices and firewalls, or by using intrusion prevention).
a. Intrusion prevention
According to TechTarget, intrusion prevention is “a preemptive approach to network security used to identify potential threats and respond to them swiftly”.
b. Detection measures
• Help find security breaches in computer systems.
• Usually this means finding out whether intruders are attempting (or have attempted) to break into the EC system, whether they were successful, whether they are still damaging the system, and what damage they may have done.
Security defense strategy
1- Information Assurance
Making sure that a customer is safe and secure while shopping online is a crucial part of improving the online buyer’s experience.
Information assurance consists of the measures taken to protect information systems and their processes against all risks; in other words, it assures the systems’ availability when needed. The assurance includes all tools and defense methods.
2- Possible Punishment
• A part of the defense is to deter criminals by punishing them heavily if they are caught.
• Judges now are giving more and harsher punishments than a decade ago.
Defense Methods and Technologies
3- Recovery is especially critical in cases of a disaster or a major attack, and it must be speedy.
• Organizations need to continue their business until the information systems are fully restored, and they need to restore them fast.
• This is accomplished by activating business continuity and disaster recovery plans.
E-commerce Security Strategy
Reference
Turban, E., King, D., Lee, J.K., Liang, T.-P., & Turban, D.C. (2015). Electronic Commerce: A Managerial Perspective (8th ed.). Springer International Publishing, Switzerland.