Chapter2 Security and Encryption

(1)

1 | P a g e B H A G W A N M A H A V I R U N I V E R S I T Y

2.1 The E-Commerce Security Environment

Security is an essential part of any transaction that takes place over the internet. Customers will lose his/her faith in e-business if its security is compromised.

Following are the essential requirements for safe e-payments/transactions −

• Confidentiality − Information should not be accessible to an unauthorized person. It should not be intercepted during the transmission.

• Integrity − Information should not be altered during its transmission over the network.

• Availability − Information should be available wherever and whenever required within a time limit specified.

• Authenticity − There should be a mechanism to authenticate a user before giving him/her an access to the required information.

• Non-Reputability − It is the protection against the denial of order or denial of payment.

Once a sender sends a message, the sender should not be able to deny sending the message. Similarly, the recipient of message should not be able to deny the receipt.

• Encryption − Information should be encrypted and decrypted only by an authorized user.

• Auditability − Data should be recorded in such a way that it can be audited for integrity requirements.

❖ Security on the Web

• No e-commerce system can guarantee 100-percent protection for your credit card, but you're less likely to get your pocket picked online than in a real store.

• Although Internet security breaches have received a lot of press attention, most vendors and analysts argue that transactions are actually less dangerous in cyberspace than in the physical world.

• For merchants, E-commerce is actually safer than opening a store that could be looted, burned, or flooded.

• The difficulty is in getting customers to believe that E-commerce is safe for them.

Consumers don't really believe it yet, but experts say E-commerce transactions are safer than ordinary credit card purchases.

• Ever since the 1.0 versions of Netscape Navigator and Microsoft Internet Explorer, transactions can be encrypted using Secure Sockets Layer(SSL), a protocol that creates a secure connection to the server, protecting the information as it travels over the Internet.

• SSL uses public key encryption, one of the strongest encryption methods around. A way to tell that a Web site is secured by SSL is when the URL begins with https instead of http.

• Browser makers and credit card companies are promoting an additional security standard called Secure Electronic Transactions (SET). SET encodes the credit card numbers that sit on vendors' servers so that only banks and credit card companies can read the numbers.

(2)

❖ Measures to ensure Security Major security measures are following −

• Encryption − It is a very effective and practical way to safeguard the data being transmitted over the network. Sender of the information encrypts the data using a secret code and only the specified receiver can decrypt the data using the same or a different secret code.

• Cryptography − Cryptography is a means of transforming data in a way that renders it unreadable by anyone except the intended recipient.

Every modern computer system uses modern cryptographic methods to secure passwords stored and provides the trusted backbone for ecommerce.

Encryption algorithm also called a cipher

• Digital Signature − A digital signature is the electronic signature (Certificate) duly issued by the Certifying Authority that shows the authenticity of the person signing the same.

Digital signature ensures the authenticity of the information. A digital signature is an e- signature authenticated through encryption and password.

• Security Certificates − Security certificate is a unique digital id used to verify the identity of an individual website or user.

❖ Security Protocols in Internet

We will discuss here some of the popular protocols used over the internet to ensure secured online transactions.

Secure Socket Layer (SSL)

It is the most commonly used protocol and is widely used across the industry. It meets following security requirements −

• Authentication

• Encryption

• Integrity

• Non-reputability

"https://" is to be used for HTTP urls with SSL

Where as "http:/" is to be used for HTTP urls without SSL.

(3)

3 | P a g e B H A G W A N M A H A V I R U N I V E R S I T Y Secure Hypertext Transfer Protocol (SHTTP)

SHTTP extends the HTTP internet protocol with public key encryption, authentication, and digital signature over the internet. Secure HTTP supports multiple security mechanism, providing security to the end-users. SHTTP works by negotiating encryption scheme types used between the client and the server.

Secure Electronic Transaction (SET)

It is a secure protocol developed by MasterCard and Visa in collaboration. Theoretically, it is the best security protocol. It has the following components −

• Card Holder's Digital Wallet Software − Digital Wallet allows the card holder to make secure purchases online via point and click interface.

• Merchant Software − This software helps merchants to communicate with potential customers and financial institutions in a secure manner.

• Payment Gateway Server Software − Payment gateway provides automatic and standard payment process. It supports the process for merchant's certificate request.

• Certificate Authority Software − This software is used by financial institutions to issue digital certificates to card holders and merchants, and to enable them to register their account agreements for secure electronic commerce.

2.2 Security Threats in E-Commerce Environment

❖ Threat to E-Commerce

E-Commerce refers to the activity of buying and selling things over the internet. Simply, it refers to the commercial transactions which are conducted online. E-commerce can be drawn on many technologies such as mobile commerce, Internet marketing, online transaction processing, electronic funds transfer, supply chain management, electronic data interchange (EDI), inventory management systems, and automated data collection systems.

E-commerce threat is occurring by using the internet for unfair means with the intention of stealing, fraud and security breach. There are various types of e-commerce threats. Some are accidental, some are purposeful, and some of them are due to human error. The most common security threats are:

1. Electronic payments system 2. E-cash

3. Credit/Debit card frauds etc.

1. Electronic payments system

With the rapid development of the computer, mobile, and network technology, e-commerce has become a routine part of human life. In e-commerce, the customer can order products at home and save time for doing other things. There is no need of visiting a store or a shop. The customer

(4)

4 | P a g e B H A G W A N M A H A V I R U N I V E R S I T Y can select different stores on the Internet in a very short time and compare the products with different characteristics such as price, color, and quality.

The electronic payment systems have a very important role in e-commerce. E-commerce organizations use electronic payment systems that refer to paperless monetary transactions. It revolutionized the business processing by reducing paperwork, transaction costs, and labour cost. E-commerce processing is user-friendly and less time consuming than manual processing.

Electronic commerce helps a business organization expand its market reach expansion. There is a certain risk with the electronic payments system.

Some of them are:

i. Risk of Fraud ii. Risk of Tax Evasion iii. Risk of Payment Conflicts

• The Risk of Fraud

An electronic payment system has a huge risk of fraud. The computing devices use an identity of the person for authorizing a payment such as passwords and security questions. These authentications are not full proof in determining the identity of a person. If the password and the answers to the security questions are matched, the system doesn't care who is on the other side. If someone has access to our password or the answers to our security question, he will gain access to our money and can steal it from us.

• The Risk of Tax Evasion

The Internal Revenue Service law requires that every business declare their financial transactions and provide paper records so that tax compliance can be verified. The problem with electronic systems is that they don't provide cleanly into this paradigm. It makes the process of tax collection very frustrating for the Internal Revenue Service. It is at the business's choice to disclose payments received or made via electronic payment systems. The IRS has no way to know that it is telling the truth or not that makes it easy to evade taxation.

• The Risk of Payment Conflicts

In electronic payment systems, the payments are handled by an automated electronic system, not by humans. The system is prone to errors when it handles large amounts of payments on a frequent basis with more than one recipients involved. It is essential to continually check our pay slip after every pay period ends in order to ensure everything makes sense. If it is a failure to do this, may result in conflicts of payment caused by technical glitches and anomalies.

2. E-cash

E-cash is a paperless cash system which facilitates the transfer of funds anonymously. E-cash is free to the user while the sellers have paid a fee for this. The e-cash fund can be either stored

(5)

5 | P a g e B H A G W A N M A H A V I R U N I V E R S I T Y on a card itself or in an account which is associated with the card. The most common examples of e-cash system are transit card, PayPal, GooglePay, Paytm, etc.

E-cash has four major components-

1. Issuers - They can be banks or a non-bank institution.

2. Customers - They are the users who spend the e-cash.

3. Merchants or Traders - They are the vendors who receive e-cash.

4. Regulators - They are related to authorities or state tax agencies.

In e-cash, we stored financial information on the computer, electronic device or on the internet which is vulnerable to the hackers. Some of the major threats related to e-cash system are-

Backdoors Attacks

It is a type of attacks which gives an attacker to unauthorized access to a system by bypasses the normal authentication mechanisms. It works in the background and hides itself from the user that makes it difficult to detect and remove.

Denial of service attacks

A denial-of-service attack (DoS attack) is a security attack in which the attacker takes action that prevents the legitimate (correct) users from accessing the electronic devices. It makes a network resource unavailable to its intended users by temporarily disrupting services of a host connected to the Internet.

(6)

6 | P a g e B H A G W A N M A H A V I R U N I V E R S I T Y Direct Access Attacks

Direct access attack is an attack in which an intruder gains physical access to the computer to perform an unauthorized activity and installing various types of software to compromise security. These types of software loaded with worms and download a huge amount of sensitive data from the target victims.

Eavesdropping

This is an unauthorized way of listening to private communication over the network. It does not interfere with the normal operations of the targeting system so that the sender and the recipient of the messages are not aware that their conversation is tracking.

3. Credit/Debit card fraud (Financial frauds )

A credit card allows us to borrow money from a recipient bank to make purchases. The issuer of the credit card has the condition that the cardholder will pay back the borrowed money with an additional agreed-upon charge.

A debit card is of a plastic card which issued by the financial organization to account holder who has a savings deposit account that can be used instead of cash to make purchases. The debit card can be used only when the fund is available in the account.

Ever since the first online businesses entered the world of the internet, financial fraudsters have been giving businesses a headache. There are various kinds of financial frauds prevalent in the e-commerce industry .

a. Credit Card Fraud

It happens when a cybercriminal uses stolen credit card data to buy products on your e- commerce store. Usually, in such cases, the shipping and billing addresses vary. You can detect and curb such activities on your store by installing an AVS – Address Verification System.

Another form of credit card fraud is when the fraudster steals your personal details and identity to enable them to get a new credit card.

b. Fake Return & Refund Fraud

The bad players perform unauthorized transactions and clear the trail, causing businesses great losses. Some hackers also engage in refund frauds, where they file fake requests for returns. Some of the important threats associated with the debit/credit card are-

(7)

• ATM (Automated Teller Machine)-

It is the favorites place of the fraudster from there they can steal our card details. Some of the important techniques which the criminals opt for getting hold of our card information is:

Skimming-

It is the process of attaching a data-skimming device in the card reader of the ATM. When the customer swipes their card in the ATM card reader, the information is copied from the magnetic strip to the device. By doing this, the criminals get to know the details of the Card number, name, CVV number, expiry date of the card and other details.

Unwanted Presence-

It is a rule that not more than one user should use the ATM at a time. If we find more than one people lurking around together, the intention behind this is to overlook our card details while we were making our transaction.

Online Transaction

Online transaction can be made by the customer to do shopping and pay their bills over the internet. It is as easy as for the customer, also easy for the customer to hack into our system and steal our sensitive information. Some important ways to steal our confidential information during an online transaction are-

o By downloading software which scans our keystroke and steals our password and card details.

o By redirecting a customer to a fake website which looks like original and steals our sensitive information.

o By using public Wi-Fi 4. Phishing

Phishing is an activity in which an intruder obtained the sensitive information of a user such as password, usernames, and credit card details, often for malicious reasons, etc.

Vishing is an activity in which an intruder obtained the sensitive information of a user via sending SMS on mobiles. These SMS and Call appears to be from a reliable source, but in real they are fake. The main objective of vishing and phishing is to get the customer's PIN, account details, and passwords.

Several e-commerce shops have received reports of their customers receiving messages or emails from hackers masquerading to be the legitimate store owners. Such fraudsters present

(8)

8 | P a g e B H A G W A N M A H A V I R U N I V E R S I T Y fake copies of your website pages or another reputable website to trick the users into believing them. For example, see this image below. A seemingly harmless and authentic email from PayPal asking to provide details.

Phishing Example; Source: infosecinstitute.com

The EITest of 2017 is another good example of such malicious campaigns. If the clients fall into the trap and give them their sensitive personal information like login credentials, the hackers swiftly go ahead and con them.

5. Spamming

Some bad players can send infected links via email or social media inboxes. They can also leave these links in their comments or messages on blog posts and contact forms. Once you click on such links, they will direct you to their spam websites, where you may end up being a victim.

Mass-mailed malware infection can quickly morph into a much more serious problem says Bri an Krebs, data security expert.

Apart from lowering your website security, spamming also reduces its speed and severely affects performance.

6. DoS & DDoS Attacks

Many e-commerce websites have incurred losses due to disruptions in their website and overall sales because of DDoS (Distributed Denial of Service) attacks. Actually it happens that servers

(9)

9 | P a g e B H A G W A N M A H A V I R U N I V E R S I T Y receive a deluge of requests from many untraceable IP addresses causing it to crash and making unavailable to your store visitors .

Source: Slideshare.net

7. Malware

Hackers may design a malicious software and install on your IT and computer systems without your knowledge. These malicious programs include spyware, viruses, trojan, and ransomware.

The systems of your customers, admins, and other users might have Trojan Horses downloaded on them. These programs can easily swipe any sensitive data that might be present on the infected systems and may also infect your website.

Malware is classified into different types, such as:

• Adware (advertising-supported software) – unwanted advertisements that may harm the user’s device. Adware can affect the overall performance of your device as it consumes a lot of RAM.

• Trojan horse – unusual behavior, such as unexpected changes to computer settings, may indicate that a Trojan has been downloaded into the system. Typically, it is disguised as an email attachment or a free-to-download file.

• Fileless malware – uses legitimate programs to infect a computer. It does not rely on files and leaves no footprint, making it challenging to detect and remove.

• Ransomware – prevents users from accessing their system or personal files. To regain access, they must fulfill the demands and pay a ransom.

• Rootkits – designed to remain undetected from antivirus software or other eCommerce security tools so that it can watch and access a victim’s computer.

(10)

10 | P a g e B H A G W A N M A H A V I R U N I V E R S I T Y 8. Exploitation of Known Vulnerabilities

Attackers are on the lookout for certain vulnerabilities that might be existing in your e- commerce store.

Often an e-commerce store is vulnerable to SQL injection (SQLi) and Cross-site Scripting (XSS). Let’s take a quick look at these vulnerabilities:

a. SQL Injection

It is a malicious technique where a hacker attacks your query submission forms to be able to access your backend database. They corrupt your database with an infectious code, collect data, and later wipe out the trail.

b. Cross-Site Scripting (XSS)

The attackers can plant a malicious JavaScript snippet on your e-commerce store to target your online visitors and customers. Such codes can access your customers’ cookies and compute. You can implement the Content Security Policy (CSP) to prevent such attacks.

9. Bots

Some attackers develop special bots that can scrape your website to get information about inventory and prices. Such hackers, usually your competitors, can then use the data to lower or modify the prices in their websites in an attempt to lower your sales and revenue.

1 Bad bots classification;

Source: bizreport.com

10. Brute force

The online environment also has players who can use brute force to attack your admin panel and crack your password. These fraudulent programs connect to your website and try out

(11)

11 | P a g e B H A G W A N M A H A V I R U N I V E R S I T Y thousands of combinations in an attempt to obtain you site’s passwords. Always ensure to use strong, complex passwords that are hard to guess. Additionally, always change your passwords frequently.

11. Man in The Middle (MITM)

A hacker may listen in on the communication taking place between your e-commerce store and a user. Walgreens Pharmacy Store experienced such an incident. If the user is connected to a vulnerable Wi-Fi or network, such attackers can take advantage of that.

Source: Netsparker

12. e-Skimming

E-skimming involves infecting a website’s checkout pages with malicious software. The intention is to steal the clients’ personal and payment details.

(12)

2.3 E-commerce security solutions that can ease your life

1. HTTPS and SSL certificates

HTTPS protocols not only keep your users’ sensitive data secure but also boost your website rankings on Google search page. They do so by securing data transfer between the servers and the users’ devices. Therefore, they prevent any interception.

Do you know that some browsers will block visitors’ access to your website if such protocols are not in place? You should also have an updated SSL certificate from your host.

2. Anti-malware and Anti-virus software

An Anti-Malware is a software program that detects, removes, and prevents infectious software (malware) from infecting the computer and IT systems. Since malware is the umbrella term for all kinds of infections including worms, viruses, Trojans, etc getting an efficient Anti-Malware would do the trick.

On the other hand, Anti-Virus is a software that was meant to keep viruses at bay. Although a lot of Anti-virus software evolved to prevent infection from other malware as well. Securing your PC and other complementary systems with an Anti-Virus keeps a check on these infections.

3. Securing the Admin Panel and Server

Always use complex passwords that are difficult to figure out, and make it a habit of changing them frequently. It is also good to restrict user access and define user roles. Every user should perform only up to their roles on the admin panel. Furthermore, make the panel to send you notifications whenever a foreign IP tries to access it.

4. Securing Payment Gateway

Avoid storing the credit card information of your clients on your database. Instead, let a third party such as PayPal and Stripe handle the payment transactions away from your website. This ensures better safety for your customers’ personal and financial data.

5. Deploying Firewall

Effective firewalls keep away fishy networks, XSS, SQL injection, and other cyber-attacks that are continuing to hit headlines. They also help in regulating traffic to and from your online store, to ensure passage of only trusted traffic.

(13)

13 | P a g e B H A G W A N M A H A V I R U N I V E R S I T Y 6. Educating Your Staff and Clients

Ensure your employees and customers get the latest knowledge concerning handling user data and how to engage with your website securely. Expunge former employees’ details and revoke all their access to your systems.

7. Additional security implementations

• Always scan your websites and other online resources for malware .

• Back up your data. Most e-commerce stores also use multi-layer security to boost their data protection.

• Update your systems frequently and employ effective e-commerce security plugins.

• Lastly, get a dedicated security platform that is secure from frequent cyber-attacks.

You can read more about the security steps you need to take for your e-commerce store.

Astra Solutions to E-commerce Security Threats

Astra is among the leading providers of security solutions that enable e-commerce to enjoy uninterrupted business.

Our tested and proven web application firewall keeps away Bad Bots, Spam, SQL injections, XSS, and many other cyber threats. It works in real-time, ensuring your website is secure 24 hours per day, seven days every week. The firewall is intelligent enough to detect any unusual and malicious intent. It does so by monitoring the traffic patterns of everything that gets out and into your e-commerce store.

(14)

How does the Astra Firewall work?

We can also help you get rid of malware, malicious redirects, pharma attacks, and other similar threats with a record turnaround time. You can employ our intelligent malware scanner to detect any malware yourself and track changes in your files daily. We log any change in your codes for you to review and stay updated. Our machine learning intelligence powers all the scanning to ensure we don’t miss anything.

We understand that a bug in your code can cause your e-commerce to experience security threats. Therefore, we provide high-quality website security audits to uncover every possible vulnerability in your online resources.

Related Blog – Astra’s Sample Penetration Testing Report

2.4 Policies

Security policy for E-commerce:

The security policy may cover issues like:

• What service types (e.g., web, FTP, SMTP) users may have access to?

• What classes of information exist within the organization and which should be encrypted before being transmitted?

• What client data does the organization hold.

• How sensitive is it? How is it to be protected?

• What class of employees may have remote access to the corporate network?

• Roles and responsibilities of managers and employees in implementing the security policy. How security breaches are to be responded to?

The security policy should also consider physical aspects of network security. For example,

• Who has access to the corporate server?

(15)

• Is it in a locked environment or kept in an open office?

• What is the procedure for determining who should be given access? The security policy regulates the activities of employees just as much as it defines how IT infrastructure will be configured. The policy should include details on how it is to be enforced

• How individual responsibilities are determined?

For it to be effective, the policy needs regular testing and review to judge the security measures.

The review process needs to take into account any changes in technology or business practices which may have an influence upon security.

Lastly, the policy itself needs to be regarded as a living document which will be updated at set intervals to reflect the evolving ways in which the business, customers and technology interact.

➢ Security Standards:

There are various standards pertaining to the security aspects of enterprises. Some of them are

• ISO 17799 (Information technology – Code of practice for information security management).

• (ISO/IEC 2000).

• SSE-CMM (Systems security engineering – Capability maturity model).

• (SSE-CMM 2003).

• COBIT (Control objectives for information and related technology).

• (COBIT 2000).

• ISO 17799 provides detailed guidelines on how a management framework for enterprise security should be implemented. It conceives ten security domains. Under each domain there are certain security objectives to be fulfilled.

• Each objective can be attained by a number of controls. The controls may prescribe management measures like guidelines and procedures, or some security infrastructure in the form of tools and techniques. It details various methods that can be followed by enterprises to meet security needs for e-commerce. It talks about the need for security policies, security infrastructure, and continuous testing in the same manner as has been detailed above .

• The main objective of the COBIT is the development of clear policies and good practices for security and control in IT for worldwide endorsement by commercial, governmental and professional organizations. The SSE-CMM is a process reference model. It is focused upon the requirements for implementing security in a system or series of related systems that are in the Information Technology Security domain.

• A list of 15 must-have information security policies that you can check your own list of policies against to ensure you’re on the path towards security .

1. Acceptable Encryption and Key Management Policy 2. Acceptable Use Policy

3. Clean Desk Policy

4. Data Breach Response Policy 5. Disaster Recovery Plan Policy 6. Personnel Security Policy

(16)

16 | P a g e B H A G W A N M A H A V I R U N I V E R S I T Y 7. Data Backup Policy

8. User Identification, Authentication, and Authorization Policy 9. Incident Response Policy

10. End User Encryption Key Protection Policy 11. Risk Assessment Standards and Procedures 12. Remote Access Policy

13. Secure Systems Management Policy 14. Monitoring and Logging Policy 15. Change Management Policy

2.5 Procedures and Laws

Procedures related to E-Commerce Security Step 1: Promote Good Password Hygene

While passwords are experiencing competition from technologies such as facial recognition and multifactor authentication (MFA), they're still the standard access keys to most software.

We need passwords for every service or website we log onto , so, for many users, it just seems easier to use the same password for multiple services. The problem with this approach is that, once the reused usernames and passwords have been taken by hackers, they can be applied to various services, leading to fraud.

Step 2: Use HTTPS

HyperText Transfer Protocol Secure (HTTPS) is the online protocol for secure communications over the internet and one of the easiest ways to help secure your e-commerce website from fraud. Designated by a closed green lock icon on the browser address bar, HTTPS websites are deemed authentic and secure because they're certified.

Step 3: Choose a Secure E-Commerce Platform

E-commerce platforms are usually picked for their storefront-building convenience, range of design, and functionality, but security features need to be top of mind .One Should look for e- commerce solutions that provide encrypted payment gateways, SSL certificates, and solid authentication protocols for sellers and buyers.

Step 4: Don't Store Sensitive User Data

Customer's personal data and privacy are of paramount importance and we're seeing major technology companies such as Apple and Google rally around their focus on keeping users' data private and safe. Consumer privacy is even more critical in e-commerce. Businesses need customer data to improve their communications and product offerings as well as make it easy to return purchases. The danger is that website hacking, phishing, and other cyberattacks target this user data. The first rule is to only collect data that's useful for the purposes of fulfilling the transaction. Businesses should avoid the tempation of collecting more customer data than is absolutely necessary. This avoids inconveniencing your customers and the possibility of losing that data in a breach or a hack.

The above rule applies specifically to customer credit card information. There's no need to store them on online servers, which can be a violation of the Payment Card Industry Data Security Standard(Opens in a new window) (PCI DSS), which serves to enforce consumer data protection in the payment card industry.

Cybercriminals and hackers can't steal what isn't there, so keeping the valuable personal and financial information of your users should be kept secure and off of online servers. If you have

(17)

17 | P a g e B H A G W A N M A H A V I R U N I V E R S I T Y to store certain data, then make sure it's protected in a safe, online storage repository that observes best practices when it comes to keeping information safe.

Step 5: Employ Your Own Website Monitor

While most e-commerce website hosting services will have some kind of monitoring tool set available to their customers as part of the basic package, that's no reason to ignore more robust third-party website monitoring tools. You want to look into these options because tools like those offered by LogicMonitor and New Relic have much deeper management features that'll not only help keep your website running more reliably, but also more securely.

Step 6: Maintain a Security-Focused Mindset

E-commerce security is never a one-and-done deal. Threats and hacking methodologies evolve at an alarming rate, and maintaining an awareness and a security-focused mindset is the necessary preventive method.

E-Business Laws

Following are the laws and regulations you need to familiarize yourself.

• Forming a Business Entity

• Paying Taxes

• Choosing a Payment Gateway

• Using Trademarks, Patents, and Copyrights

• Understanding Shipping Restrictions

• Determining Inventory Size

• Understanding Age Restrictions

• Obtaining Business Insurance

• Licenses and Permits

• Following PCI Compliance

• Following FTC Compliance References :

• https://www.tutorialspoint.com/e_commerce/e_commerce_security.htm

• Top 10 E-commerce Security Threats & Their Detailed Solution

• E-commerce policies - Authorised Apple Reseller in India - iSense Apple Store

• Developing An E-commerce Security Plan - Digital Conqueror

• 11 Ecommerce Laws You Need to Know to Grow Your Online Business

• How to Secure Your E-Commerce Website: 6 Basic Steps | PCMag