Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Ecommerce Security

advertisement 
Assignment (internet and computer security)
Birja Regmi (09290446)
Online Application Security: Ecommerce Security
Introduction:
Online Application providers in the Business-to-Consumer and Business-to Business
segments represent an extremely large emerging market. Within these markets there
are several numbers rising number of fraud attacks, combined with an increase in
regulation and the emergence of mobile platforms, have driven the need for strong
authentication. In order to remain competitive and to provide customers with ample
protection strong authentication is proving to be an important component to the
application providers.
The e-commerce business is all about making money and then finding ways to make
more money. It is a well know fact that it's hard to make more money, when
consumers don't feel safe executing a transaction on the Web site. That's where SSL
(Secure Socket Layer) comes into play. Understanding how SSL affects e-commerce
business can also potentially help the companies to unlock more money from the
customer.
Ecommerce Security Issues:
E-commerce systems are based upon internet use, which provides open and easy
communications on a global basis. However, because the internet is unregulated,
unmanaged and uncontrolled, it poses a wide range of risks and threats to the systems
operating on it.
The use of the internet means that your internal IT and e-commerce systems are
potentially accessible by anyone, irrespective of their location.
Threats from hackers and the risks to business
Some of the more common threats that hackers poses to e-commerce systems are
mentioned below.

Carrying out denial-of-service (DoS) attacks that stop access to authorised users of a
website, so that the site is forced to offer a reduced level of service or, in some cases,
ceases operation completely
1
Assignment (internet and computer security)

Birja Regmi (09290446)
Gaining access to sensitive data such as price lists, catalogues and valuable
intellectual property, and altering, destroying or copying it

Altering the website, and damaging image of the particular sites or directing
customers to another site

Gaining access to financial information about
business companies or and their
customers, with a view to perpetrating fraud

Using viruses to corrupt our business data
SECURITY ASSESSMENT and ASCERTAINMENT
It is truly a great thing that the world of corporate undertakings or business as we say it can
be done online. It is an enormous benefit which the platform of Internet has made this
possible. However, as the convenience of shopping online increases so does the risk of doing
the business increases along with it. There are few things that are really important in this
regard. So, for any e-commerce site there are three specific things that the concerned ecommercial site needs to address. The first issue is with authentication; since for e-com site
transactions are going to take place online and for that there are many critical information
that are necessary to be disclosed. It is necessary to know that the interaction is taking place
with the intended one. The fact of confidentiality is also important as information that is
going to flow through the internet must be reliable of its integrity. Last but by no means on
the list is non-repudiation. This is perhaps the most specific to the needs of e-commercial
site as trading is going to take place online. It is important for the fact that the customer of the
good cannot deny from the fact of placing the order of the good. It is even important in
different case as there are going to be some transactions that are going to take place without
credit card or “payment first fact”.
Hence, in order to ascertain the above mentioned rules for e-commerce site several measures
should be undertaken. The need can be addressed by defining the various level of security.
Separate locations have to be secured by implementing various security functions in various
levels. This fact will ultimately provide the feel of security to the customer involved in etransactions and the entire e-business architecture of the e-commerce site.
2
Assignment (internet and computer security)
Birja Regmi (09290446)
Security Solutions to make ecommerce site secure:
There are various security undertakings that take place in e-commerce site. They are as
follows:
Encryption
This is something that the e-commerce site can never do without. This is basically for hiding
of the information from the customer to the server and from server to the user. 128 bit
encryption has been used to ascertain that the information being transmitted form the server
to the user or vice versa is not known to the other parties other then the two of involved
parties.
Digital Signatures
The e-mail that the e-com site sends shall contain digital signature signifying that the mail is
form the trusted source. The online receipts, the new arrivals information and the e-newsletter
that will be sent to the customers by the e-commerce site should be digitally signed as this
would ensure the customer of the e-com site’s authenticity.
Digital Certificates
It is the means by which the e-commerce site presents itself to its customer in a reliable way.
That is the server where the e-commercial site is hosted, shall need to authenticate to the
client and it would do this by presenting to the client with the certificate that is digitally
signed by the Certificate Authority. VeriSign has been trusted with and is be used on the
hosting web server of the e-commerce site. This is necessary as customers would feel reliable
disclosing their critical information to the e-commerce site.
Use of Cryptography
The use of cryptography is critical for e-commerce site to ascertain security as the
architecture of the site would need to make use of it. This would involve use of various
servers like Web Server, Database Server. Also, while authenticating between server client
and server this could be make use of to access data without the need of password.
Asymmetric cryptography should be used, which uses two keys namely public key to encrypt
and private key to decrypt. This would be used when servers authenticate themselves to each
other while accessing resources. So, Web Server accessing the Database Server shall make
use of asymmetric encryption to authenticate itself.
3
Assignment (internet and computer security)
Birja Regmi (09290446)
Anti-Virus Implementation
The antivirus programs are something that perhaps none of the host system can do without.
The antivirus program installed in each and every server system would ensure that it is secure
and free of malicious programs. This fact would mean that server is working normally at all
times and definitely reduces the probability of disclosure of information.
IDS integrated Firewall Implementation
Firewalls are definitely the major security need a network. But there are few things that the
firewalls are unable to do which can probably be done by IDS integrated to it. So, the firewall
should be placed just in the internal network after the Cisco router. The Firewall integrated
with proper IDS and updated signature database would mean that the servers are much more
secured.
Use of Cisco Router
Cisco router has been preferred over to other routers due to its vast coverage area in terms of
applicability. This would be placed in the De-Militarized Zone (DMZ) in the internal network
connecting it to the external network. This has been done so that there is no unauthorised
access to the internal network and the attacks like Denial of Service (DoS) are checked.
Being a router, it would manage the routing and importantly interlink the various mirror
servers at geographically different locations. Rules for access control shall be configured on
the router that shall regulate the flow of data.
Proper Log Reporting
Despite the adoption all the different types of security measures, it is inevitable that there
would be few breaches or holes in security that is present. So, such holes can be reviewed
with the help of logs that are generated by the various servers and services running in the
network. The information as number of attacks attempted or unauthorised access attempts
would be kept track of with the help of logs. Even the use of software in this case shall be
useful to generate reports out of logs that the servers like web, database or application create.
Default Ports Changing
One of the ways of keeping the track of the security assessment would be to change the
default ports that are assigned for specific services. This can be done according to our
specific necessity. In this way, intruders trying to break web access to the specific link or
4
Assignment (internet and computer security)
Birja Regmi (09290446)
page can be minimized. This can be achieved changing of ports adds that extra bit of security
to it.
Proper Monitoring and Analysis
It is no substitute to any other security measures that we might adopt for an e-com site. It is
essential to determine who and what is making the attempt to gain access to our system and
get to the critical servers. Proper monitoring would help to analyse us who is interacting with
servers and what for is he/she interacting. The implementation of simple analysis software
has been preferred which shall monitor the system logs and the network wrong happenings.
This shall be installed at all critical servers to know about the possible security breach
attempts and track the associated hackers.
Updating the Software Patches
It is essential that the programs that are involved in the e-commerce site are kept updated
once in a while. Especially, those portions of the e-commerce site that are related to its
building are more crucial. The software as Apache with TomCat, mysql and other
applications along with some protocols shall be updated in an attempt to keep the system free
of holes in security and bugs. This would definitely mean a better performance for the entire
e-com architecture.
Host Monitoring
For an e-commerce site it is necessary to know about the functions that are accessed on the ecom site and the frequency with which they are accessed. It is the duty of the
network/security administrator to keep information relating to login attempts (especially the
failure ones) and origin of the user (remote location). This would be helpful in determining
the security of the e-com site as well.
Implementing Authentication Protocols
These categories of protocols are mostly beneficial in defining the level of access for
different layer of resources. This would mean that the chances of disclosing or leaking the
information to the unauthorised third party are reduced. Authentication Protocols like TLS
(Transport Layer Security) and SSL (Secure Socket Layer) are the authentication protocols
that have been used.
5
Assignment (internet and computer security)
Birja Regmi (09290446)
VeriSign: The Major Role in Defining Security
It is inevitable that the e-com site features SSL as said above and in order for its
implementation we shall depend on VeriSign for the SSL certificate. This has been used at
the web server as discussed previously. This is so as it is necessary for the transactions to be
secured that take place through the public network of Internet. So, the VeriSign has been
relied on due to its below mentioned features:
 It is a well known name in the industry and has a good reputation as the digital
security agency.
 It provides the SSL certificate that even the site users would be able to see.
 The sort of dual layer of security is ascertained for the e-com site as through the
SSL certificate and VeriSign seal of security.
 It acquires one of the strongest encryption.
 The mark that is trusted by lot in the internet.
 It facilitates with the Digital Signatures.
 Protection of the identity from the theft by the use of PKI (Public Key
Infrastructure) and Digitized IDs for mail security.
 It makes the user feel more secured while disclosing their critical information as it
shares long history in this field.
Hence, the above mentioned features means that the use of VeriSign as the digital security
partner would mean that there are more visitors to the site and more registered user making
purchase; as a result the revenue generated by the e-commerce site is significantly increased.
6
Assignment (internet and computer security)
Birja Regmi (09290446)
How secure transaction is done on ecommerce sites:
Sensitive information has to be protected through at least three transactions:

Credit card details supplied by the customer, either to the merchant or payment
gateway should be handled by the server's SSL and the merchant/server's digital
certificates.

Credit card details passed to the bank for processing this should be handled by the
complex security measures of the payment gateway.

Lastly, order and customer details supplied to the merchant, either directly or from
the payment gateway/credit card processing company should also be handled by SSL,
server security, digital certificates (and payment gateway sometimes).
Practical Consequences
1. The merchant is always responsible for security of the Internet-connected PC where
customer details are handled. Virus protection and a firewall are the minimum
requirement. To be absolutely safe, store sensitive information and customer details
on zip-disks, a physically separate PC or with a commercial file storage service.
Always keep multiple back-ups of essential information, and ensure they are stored
safely off-site.
2. Where customers order by email, information should be encrypted with PGP or
similar software. Or payment should be made by specially encrypted checks and
ordering software’s.
3. Where credit cards are taken online and processed later, it's the merchant's
responsibility to check the security of the hosting company's web server. Use a
reputable company and demand detailed replies to your queries.
4. Where credit cards are taken online and processed in real time, four situations may
arise that are described below
7
Assignment (internet and computer security)

Birja Regmi (09290446)
Use of service bureau Sensitive information is handled entirely by the service bureau,
which is responsible for its security. Other customer and order details are main
responsibility as described above.

Possessing an ecommerce merchant account but use the digital certificate supplied by the
hosting company. A cheap option acceptable for smallish transactions with SMEs.
Checking out the hosting and company terms and conditions applying to the digital
certificate.

Possessing an ecommerce merchant account and obtain your own digital certificates
(costing some hundreds of dollars). Check out the hosting company, and enter into a
dialogue with the certification authority: they will certainly probe your credentials.

Possessing a merchant account, and run the business from your own server. You need
trained IT staff to maintain all aspects of security — firewalls, Kerberos, SSL, and a
digital certificate for the server (costing thousands or tens of thousands of dollars).
How practically security measures are applied in Ecommerce sites??
Security is a challenging concern for every IT based organizations today when it comes to an
e-business based organization; the security factor becomes even more important. Since the ebusiness based companies fully rely on the internet as all of its transactions and workings are
internet-based, there are always great chances of threats and intrusions from third party
hackers and unauthorized people spread wide in the internet. As example amazon.co.uk is
taken and studies for this report. In this site security has been a major concern and the site
puts the best effort to maintain the overall security of its network and system. One of the most
effective security measures that amazon.co.uk has adopted is the use of SSL (Secure Socket
Layer) which is provided by the third party VeriSign. Since all the transactions take place in
the open internet, the SSL has been implemented at web servers for secure transaction
between the customer and the site. The reason why VeriSign has been chosen for this is
because of a wide range of features and advantages it offers.
1. When a customer purchases any goods from amazon.co.uk the third party
authentication and payment services VeriSign and PayPal provides an interface for
providing credit card details which validates the authentication of the details provided.
The third party service VeriSign guarantees the security of the information that
8
Assignment (internet and computer security)
Birja Regmi (09290446)
customer enters in credit card details. Since this session is in SSL (HTTPS), such
information is encrypted and not disclosed to any unauthorized person. By using
digital certificates in web server, SSL encryption, Implementation of double
signatures, public key cryptography between services, access control list(ACL)
Amazon.co.uk has securely implemented online transaction system.
Fig: Secure Login Using https
Secured Payment Service (PayPal)
All ecommerce sites require the involvement of transaction processing between the site
and the customer. This processing of transaction needs to be secure by all means in the
open internet. The customer and the site cannot be directly connected for payment
purposes because of the trust factor. A third party payment gateway becomes essential
for processing the payment transaction. In the ecommerce site, PayPal is used as the
payment gateway for processing payment transaction. This payment gateway provides a
secure and reliable channel for processing payment transaction between the ecommerce
9
Assignment (internet and computer security)
Birja Regmi (09290446)
site amazon.co.uk and the customer’s account. Some of its best features are listed
below:
 PayPal can easily be integrated with PAY FLOW which is already integrated
with many shopping carts.
 It accepts both credit and debit cards along with the customer’s account in the
ecommerce site.
 It has the provision of their famous Fraud Protection System and Chargeback
Protection System into the transaction it processes.
 It provides 128-bit SSL encryption for better security such that customers can
rely on it and do not hesitate to disclose their credit card details.
Fig: Secure PayPal Login
 It is completely free with no merchant account fee, annual fees or registration
fees.
 It can be used with multiple customers at once such that customers do not have
to wait for transaction to be completed.
 The use of https also makes the site more secure.
10
Assignment (internet and computer security)
Birja Regmi (09290446)
Fig:
Pay Flow Diagram
Following are the steps involved in the working of Pay Flow Pro:
 First of all, the user makes the purchase in the ecommerce site by clicking “Buy
Now”.
 The buy function directs the transaction data to the Pay Flow Pro Gateway
Client.
 The Pay Flow processing cycle starts when the gateway client sends the
transaction data through SSL encrypted channel. Then PayPal redirects the
transactional data to concerned bank or financial institution where the
transactional data receives a token for processing.
11
Assignment (internet and computer security)
Birja Regmi (09290446)
 The concerned bank or institution either authorizes or declines the transaction
request depending upon customer’s balance in the credit card or authenticity of
credit card details and thus notifies to the PayPal Pay Flow.
 Finally, PayPal sends a confirmation whether or not to process the transaction
and once the user confirms, the transaction is carried out where the
corresponding balance is transferred from customer’s account to the ecommerce
site’s account.
 This whole process takes no more than three seconds.
Fig: Steps involved in Online Payment Processing
12
Assignment (internet and computer security)
Birja Regmi (09290446)
Conclusion:
By looking at the overall report, different measures should be taken for making a secure
online system in ecommerce sites. Although there are many issues that pose a threat to Ecommerce businesses, by enforcing a strong security policy, security can be ascertained.
Security issues such as Identity theft, Credit-card fraud, DoS attacks, viruses, etc that pose a
threat to E-Commerce business, must be adequately minimized so as to ascertain a secure
environment for customers as well as online business sites as a whole. To achieve this goal,
use of security measures such as digital certificates, digital signatures, higher-bit encryption
systems and services that provide these facilities such as Verisign, C.A., Paypal, etc must be
implemented. Also, secure authentication and logon policies should be implemented for
client’s security. Hence, by securing online transactions, maintaining confidentiality and
privacy and securing the overall E-commerce business site, merchants as well as consumers
can trade in a secure platform.
13
Assignment (internet and computer security)
Birja Regmi (09290446)
REFRENCES:

Reynolds, J. (2009). The complete E-Commerce Book Design, Build & Maintain a
Successful Web-Based Business. 2nd edition; CMP Books

Upu
(2010)
ecommerce
security
[online]
Available
http://www.upu.int/security/en/e-commerce_security_en.pdf
[Accessed
from
11th
Feb
2010]

Garci, A. Horowitz, B. (2006) The Potential of Underinvestment in Internet Security
Implications
for
Regulator
Policy
[online]
Available
from
http://weis2006.econinfosec.org/docs/24.pdf [Accessed 10th Feb 2010]

Ecommerce (2010) Security Issue s [online] Available from http://www.ecommercedigest.com/ecommerce-security-issues.html [Accessed 11th Feb 2010]

Amazon (2010) [online] Available from https://www.amazon.co.uk/gp/sign-in.html
[Accessed 11th Feb 2010]

Verisign (2010) Information on Security Services [Online] Available from
http://www.verisign.com [Accessed 01th Feb 2010]

Paypal(2010)Information
on
Payment
Services
[Online]
Available
from
https://www.paypal.com/np/cgi-bin/webscr?cmd=p/gen/about-outside[Accessed 01th
Feb 2010]

Card-Media (2008) WorldPay E-Commerce Security Information [Online] Available
from http://www.card-media.co.uk/security.htm [Accessed 09th Feb 2010]

Vark, J.V. (1997) E-Commerce and the Security Myth
[Online] Available from
http://www.mactech.com/articles/mactech/Vol.13/13.11/eCommerceandSecurity/inde
x.html [Accessed 29th Jan 2010]
14
Related documents
INTERNET AND E-COMMERCE
INTERNET AND E-COMMERCE
Questions from lecture 5-12.. 1- Define the following: Responsibility
Questions from lecture 5-12.. 1- Define the following: Responsibility
e- Commerce - Background
e- Commerce - Background
Charles Schwab The Major Drivers of the New Economy
Charles Schwab The Major Drivers of the New Economy
Lecture Two
Lecture Two
2 - E-Business
2 - E-Business
Social Media Marketing, Ecommerce and the Opportunities for Africa
Social Media Marketing, Ecommerce and the Opportunities for Africa
Tutorial 3
Tutorial 3
COMMISSION ON HIGHER EDUCATION
COMMISSION ON HIGHER EDUCATION
Download
advertisement