As the number of customers purchasing products through ecommerce increases rapidly, all information sent over the network must be secured so that private data cannot be accessed by hackers at any cost. It is a well known fact that information on the network should only be accessed by authorized users, so that customers can place blind faith in ecommerce sites. In this paper, some common attacks related to ecommerce, along with some security issues, are discussed.
INTRODUCTION
Electronic commerce consists of the buying and selling of products or services over electronic systems such as the Internet. E-commerce also applies to business-to-business transactions, for example between manufacturers and distributors. It is a well known fact that purchasing products through ecommerce is continuously rising, so it is essential to exchange information securely over the web. Customers purchase products through ecommerce because of its many characteristics. The technique which ensures that data stored in a computer, or transmitted from one computer to another, cannot be accessed by an unauthorized user is known as security.
Originally, electronic commerce meant only the facilitation of commercial transactions electronically, using technology like Electronic Funds Transfer (EFT) and Electronic Data Interchange (EDI), which were invented in the late 1970s and allow enterprises, organizations etc. to send commercial documents like purchase orders or invoices electronically. The faster growth and acceptance of credit cards, automated teller machines (ATM) and telephone banking in the 1980s were also important forms of electronic commerce. One of the most important components of electronic commerce, online shopping, was invented by Michael Aldrich in the UK in 1979. The first recorded B2C was Gateshead SIS/Tesco in 1984. The world's first online shopper was Mrs Jane Snowball of Gateshead. Online shopping was also used extensively in the UK by auto manufacturers such as Peugeot-Talbot, General Motors, Ford and Nissan in 1980, which used the Aldrich systems; these systems used the switched public telephone network in dial-up and leased line modes, with no broadband capability. After 1990 electronic commerce additionally included enterprise resource planning (ERP) systems, data mining and data warehousing. The World Wide Web was invented by Tim Berners-Lee in 1990, but commercial enterprise on the Internet was strictly prohibited until 1991. It is a well known fact that the Internet became popular worldwide around 1994, and online shopping started during that year. After the end of 2000, most European and American business enterprises offered their services through the World Wide Web, and people started purchasing various goods through the Internet using secure protocols and electronic payment services. Security is therefore needed for any online transaction so that hackers cannot obtain passwords, and researchers continuously work hard to design new security algorithms. In this paper, security issues related to ecommerce are discussed.
Attacks in Ecommerce security
Attacks like script attacks, input validation attacks, DNS attacks, eavesdropping etc. threaten the security of ecommerce. Some security defenses like encryption, authorization, confidentiality, integrity, firewalls etc. are already part of ecommerce and secure the data being transmitted from one computer system to another.
In a passive attack, the attacker can only monitor the network traffic. It is a very simple attack and can be performed without difficulty in many networking environments, e.g. broadcast type networks (Ethernet and wireless networks). Traffic analysis and passive eavesdropping are examples of passive attacks.
In a traffic analysis attack, wireless footprinting is done by carrying out traffic analysis. Through traffic analysis, the attacker gets a lot of information, such as the protocols being used by the network and the active points of the network. The attacker can use the active points as the starting points to mount his attack.
A passive eavesdropping attack is similar to a traffic analysis attack but not exactly the same. In a passive eavesdropping attack, the attacker can access and easily read the contents of the data being transmitted from sender to receiver. If the information is in encrypted form, the attacker breaks the encryption and reads the message. In this way, an attacker can easily access the message being transmitted from sender to receiver.
Some important active attacks on wireless networks are unauthorized access, denial of service, replay, session hijacking, man in the middle attacks, rogue access points etc.
In an unauthorized access attack, the attacker gains unauthorized access to the whole network. This attack in turn gives rise to more attacks like man in the middle attacks and ARP poisoning. In this attack, the attacker accesses the wireless network.
In a denial of service attack, the attacker simply introduces interference in the form of noise; it is one of the best known attacks for bringing down a system.
A replay attack happens offline (not in real time). In this attack, the attacker captures the data of a session and can easily reuse the captured message that was sent by the sender to the receiver.
In a session hijacking attack, an attacker takes control over a session. Session hijacking is done by obtaining the MAC of the active points. This attack occurs in real time.
A man in the middle attack compromises the integrity of messages because they can be read and modified by the attacker. In a rogue access point attack, an attacker can set up a rogue AP to gain future access to the network. In this attack, an attacker can easily set up fraudulent rogue APs so that the attacker can easily obtain the username and password of the user.
Security issues in Ecommerce
Security has three major concepts: confidentiality, integrity, and availability. Confidentiality means that only authorized persons can access protected information and that protected information is not accessible to unauthorized persons. For example, if a postman reads a person's private mail, this is a breach of that person's privacy. Integrity means that data or information remains exactly the same as sent by the sender to the receiver. Availability ensures that authorized users have access to resources.
Security features do not guarantee a secure system, because hackers can design new techniques to hack the system, so it is very necessary to build a secure system. There are four categories for a secure system: authentication, authorization, encryption, and auditing. As hackers try their best to hack messages on the network, the security of messages over the network is required so that they cannot be accessed by hackers. Companies pursue every legal route to protect the information of their customers. Some precautions must be taken so that messages over the network cannot be accessed by hackers. Personal firewalls must be installed on clients' computer systems. All confidential information must be stored in encrypted form; information can be converted into its encrypted form using encryption algorithms. Encryption of streams can be done using the Secure Socket Layer (SSL) protocol to protect information flowing between the client and the Web site. Appropriate password policies, firewalls, routine external security audits etc. must be used for the purpose of security. Threat model analysis, strict development policies, and external security audits can be used to protect ISV software running the Web site. There are many techniques to secure the system from the attacks of hackers.
Secure Socket Layer (SSL): Secure Socket Layer (SSL) is a very important protocol which encrypts data between the shopper's computer and the site's server. The information flowing back and forth between the shopper's computer and the site's server is encrypted so that a hacker sniffing the network cannot read the contents of the messages transmitted between client and server. The SSL certificate is issued to the server by a certificate authority authorized by the government.
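The protection described above only holds if the client actually verifies the server's certificate. The following is an added example (not code from the paper) using Python's ssl module, which today negotiates TLS, the successor to SSL; it builds the correct client configuration beside the weak one in which certificate and hostname verification are switched off, so the two can be compared. The function names are assumptions for illustration.

```python
import socket
import ssl


def client_context(verify_server=True):
    """Build the TLS client context a shopper's software should use.

    verify_server=True is the correct setting: the server certificate is
    checked against the system's trusted certificate authorities and the
    hostname must match the certificate. verify_server=False reproduces a
    common misconfiguration that silently removes exactly the protection
    the text relies on; it is built here only for comparison.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    # Refuse the obsolete SSL and early TLS versions.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify_server:
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_summary(ctx):
    """Report the settings that decide whether a sniffing or impersonating attacker is stopped."""
    return {
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def verified_peer_subject(host, port=443, timeout=5):
    """Complete a verified handshake with a real server and return its certificate subject
    and the negotiated protocol version (needs network access; not run by the test)."""
    ctx = client_context(verify_server=True)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"], tls.version()
```

With the weak context a handshake still succeeds against any certificate, including one presented by a man in the middle, which is why such settings must never reach a production shopping client.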
Personal firewalls: When a computer system is connected to a network, the possibility of attack increases to a large extent. A personal firewall helps protect the computer by limiting the types of traffic initiated by and directed to the computer connected to the network. Apart from that, an intruder can also scan the hard drive to detect any previously stored passwords.
Server firewall: A server firewall ensures that a request made by a client can only enter the system through specified ports, and in some cases ensures that all accesses come only from certain physical machines. A common technique is to set up a demilitarized zone (DMZ) which uses two firewalls. The outer firewall has open ports that allow incoming and outgoing Hypertext Transfer Protocol requests; it allows the client browser to communicate with the server. A second firewall is heavily fortified and only accepts requests from trusted servers. Both firewalls use intrusion detection software to detect any unauthorized access attempts. A second technique is a honeypot server. It is a well known fact that a honeypot is a resource placed in the DMZ to confuse the hacker into thinking that he has penetrated the inner wall of the demilitarized zone (DMZ). These servers are closely monitored, and any access by an attacker is detected in the minimum possible time. An example of a honeypot is a fake payment server.
Education: People must be educated and must have knowledge about possible phishing schemes as well as other social engineering attacks.
Password policies: A sample password policy, defined as part of the Federal Information Processing Standard (FIPS), is shown in the following table.
| Policy | Value |
|---|---|
| Maximum lifetime of passwords | 180 days |
| Consecutive unsuccessful login delay | 10 seconds |
| Matching user ID and password | No, both are different |
| Maximum occurrence of consecutive characters | 3 characters |
| Maximum instances of any character | 4 instances |
| Account lockout threshold | 6 attempts |
| Minimum number of alphabetic characters | 1 alphabetic character |
| Minimum number of numeric characters | 1 numeric character |
| Minimum length of password | 6 characters |
| Reuse user's previous password | No, both are different |
These policies ensure that passwords are sufficiently strong that they cannot be easily guessed by hackers.
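As an added example (not code from the paper), the checker below enforces every row of the sample policy table: each threshold is taken from the table, and the function names, the ISO date inputs and the assumption that "3 consecutive characters" means a run of four identical characters is rejected are mine.

```python
import re
from datetime import date, timedelta

# Thresholds taken from the policy table in the text.
MAX_PASSWORD_AGE = timedelta(days=180)
MAX_CONSECUTIVE_SAME = 3      # assumed: "aaa" allowed, "aaaa" rejected
MAX_INSTANCES_ANY_CHAR = 4
MIN_LENGTH = 6
LOCKOUT_THRESHOLD = 6
LOGIN_DELAY_SECONDS = 10


def check_password(password, user_id, history=()):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in password):
        problems.append("needs at least 1 alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least 1 numeric character")
    if password.lower() == user_id.lower():
        problems.append("matches the user ID")
    # A run of identical characters longer than the allowed maximum, e.g. "aaaa".
    if re.search(r"(.)\1{%d,}" % MAX_CONSECUTIVE_SAME, password):
        problems.append("more than %d consecutive identical characters" % MAX_CONSECUTIVE_SAME)
    # Total occurrences of any one character anywhere in the password.
    if password and max(password.count(c) for c in set(password)) > MAX_INSTANCES_ANY_CHAR:
        problems.append("a character appears more than %d times" % MAX_INSTANCES_ANY_CHAR)
    if password in history:
        problems.append("reuses a previous password")
    return problems


def password_expired(last_changed_iso, today_iso):
    """True once the password is older than the 180-day maximum lifetime (ISO dates)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age > MAX_PASSWORD_AGE


def failed_login_response(consecutive_failures):
    """Lock the account at the threshold, otherwise delay the next attempt."""
    if consecutive_failures >= LOCKOUT_THRESHOLD:
        return "locked"
    return "delay %d seconds" % LOGIN_DELAY_SECONDS
```

The history check compares plaintext here for clarity; a real deployment would compare salted hashes of previous passwords rather than store them.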
CONCLUSION
Security is very necessary for all sites because without it, hackers can easily attack confidential information on the network, and customers will never transfer any confidential data from one computer to another. Nowadays, new encryption and decryption algorithms are being designed by researchers so that confidential information on the network can be secured to a large extent, and researchers are continuously doing their best to design more secure and powerful tools so that messages over the network cannot be accessed by unauthorized users. In this paper, some common attacks related to ecommerce, along with some security issues, have been discussed.