Security issues in E-Commerce

As the number of customers purchasing products through e-commerce increases rapidly, all information sent over the network must be secured so that private data cannot be accessed by hackers. Information on the network should be accessible only to authorized users, so that customers can place their trust in e-commerce sites. In this paper, some common attacks related to e-commerce are discussed, along with some security issues.

INTRODUCTION

Electronic commerce consists of buying and selling products or services over electronic systems such as the Internet. E-commerce also covers business-to-business transactions, for example between manufacturers and distributors. Purchasing of products through e-commerce is rising continuously, so it is essential that information exchanged over the web is secured. Customers buy products through e-commerce because of its many convenient characteristics. Security is the set of techniques that ensure data stored on a computer, or transmitted from one computer to another, cannot be accessed by an unauthorized user.

Originally, electronic commerce meant only the facilitation of commercial transactions electronically, using technologies such as Electronic Funds Transfer (EFT) and Electronic Data Interchange (EDI). These were introduced in the late 1970s and allowed enterprises and organizations to send commercial documents such as purchase orders or invoices electronically. The growth and acceptance of credit cards, automated teller machines (ATMs) and telephone banking in the 1980s were also important forms of electronic commerce. One of the most important components of electronic commerce, online shopping, was invented by Michael Aldrich in the UK in 1979. The first recorded B2C system was Gateshead SIS/Tesco in 1984, and the world's first online shopper was Mrs Jane Snowball of Gateshead. Online shopping was also used extensively in the UK by auto manufacturers such as Peugeot-Talbot, General Motors, Ford and Nissan in 1980; they used the Aldrich systems, which ran over the switched public telephone network in dial-up and leased-line modes, with no broadband capability. After 1990, electronic commerce additionally included enterprise resource planning (ERP) systems, data mining and data warehousing. The World Wide Web was invented by Tim Berners-Lee in 1990, but commercial enterprise on the Internet was strictly prohibited until 1991. The Internet became popular worldwide around 1994, and online shopping started during that year. After the year 2000, most European and American business enterprises offered their services through the World Wide Web, and people began purchasing goods through the Internet using secure protocols and electronic payment services. Security is therefore needed for any online transaction so that hackers cannot obtain passwords, and researchers continuously work hard on designing new security algorithms. In this paper, security issues related to e-commerce are discussed.

Attacks on e-commerce security
Attacks such as script attacks, input validation attacks, DNS attacks and eavesdropping threaten the security of e-commerce. Security defenses such as encryption, authorization, confidentiality, integrity and firewalls are already part of e-commerce and secure the data transmitted from one computer system to another.
In a passive attack, the attacker can only monitor the network traffic. It is a very simple attack and can be performed without difficulty in many networking environments, e.g. broadcast-type networks (Ethernet and wireless networks). Traffic analysis and passive eavesdropping are examples of passive attacks.
In a traffic analysis attack, wireless footprinting is done by carrying out traffic analysis. Through traffic analysis the attacker obtains a lot of information, such as the protocols used by the network and its active points, and can use the active points as the starting points for an attack.
A passive eavesdropping attack is similar to a traffic analysis attack but not exactly the same. In passive eavesdropping, the attacker can access and easily read the contents of the data being transmitted from sender to receiver. If the information is in encrypted form, the attacker breaks the encryption and reads the message. In this way, an attacker can access the message being transmitted from sender to receiver.
Some important active attacks on wireless networks are unauthorized access, denial of service, replay, session hijacking, man-in-the-middle attacks and rogue access points.
In an unauthorized access attack, the attacker gains unauthorized access to the whole network. This attack in turn gives rise to further attacks such as man-in-the-middle attacks and ARP poisoning. In this attack, the attacker gains access to the wireless network.
In a denial of service attack, the attacker simply introduces interference in the form of noise; it is one of the best-known attacks for bringing down a system.
A replay attack happens offline (not in real time). In this attack, the attacker captures the data of a session and can later reuse the captured message that was sent by the sender to the receiver.
In a session hijacking attack, an attacker takes control of the session. Session hijacking is done by obtaining the MAC address of the active points. This attack occurs in real time.
A man-in-the-middle attack compromises the integrity of the message, because the message can be read and modified by the attacker. In a rogue access point attack, an attacker sets up a rogue AP to gain future access to the network; by setting up such a fraudulent AP, the attacker can easily obtain the username and password of the user.

Security issues in e-commerce
Security has three major concepts: confidentiality, integrity and availability. Confidentiality means that only authorized persons can access the protected information and that it is not accessible to unauthorized persons. For example, if a postman reads a person's private mail, this is a breach of that person's privacy. Integrity means that data or information remains exactly the same as sent by the sender to the receiver. Availability ensures that resources are accessible to the users authorized to use them.
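The integrity property described above can be checked mechanically rather than assumed. The following example is added here and is not code from the paper: it shows a message authentication code (HMAC-SHA256) detecting the modification that a man-in-the-middle attacker makes in transit. Sender and receiver share a key; the receiver rejects any message whose tag does not verify. The order message, its field names and the key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample: an order as the shop's server might receive it from the shopper's browser.
ORDER = b"order_id=1001;item=headphones;amount=49.99;ship_to=alice"


def sign_message(key: bytes, message: bytes) -> bytes:
    """Compute an HMAC-SHA256 tag over the message with a key shared by sender and receiver."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time, so timing does not leak how many bytes matched."""
    return hmac.compare_digest(sign_message(key, message), tag)


def receive_order(key: bytes, message: bytes, tag: bytes):
    """Receiver side: parse the order only if its tag verifies; otherwise reject it (return None)."""
    if not verify_message(key, message, tag):
        return None
    return dict(field.split("=", 1) for field in message.decode().split(";"))


def demo():
    """Deliver the same signed order once intact and once altered in transit."""
    key = secrets.token_bytes(32)  # shared secret; the attacker does not have it
    tag = sign_message(key, ORDER)
    intact = receive_order(key, ORDER, tag)
    # A man in the middle changes the amount but cannot compute a fresh tag without the key,
    # so the old tag no longer matches and the receiver rejects the altered order.
    tampered = ORDER.replace(b"amount=49.99", b"amount=4999.99")
    modified = receive_order(key, tampered, tag)
    return intact, modified


if __name__ == "__main__":
    accepted, rejected = demo()
    print("intact order accepted, amount =", accepted["amount"])
    print("tampered order rejected:", rejected is None)
```

A MAC gives integrity and authenticity but not confidentiality: a passive eavesdropper can still read the order. That is why SSL/TLS, discussed below, combines encryption with a per-record integrity check rather than relying on either alone.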
Security features alone do not guarantee a secure system, because hackers can design new techniques to break it, so it is very necessary to build the system securely. A secure system has four categories of controls: authentication, authorization, encryption and auditing. As hackers try their best to obtain messages on the network, the messages must be protected so that they cannot be accessed by hackers. Companies pursue every legal route to protect the information of their customers. Some precautions must be taken so that messages over the network cannot be accessed by hackers. Personal firewalls must be installed on clients' computer systems. All confidential information must be stored in encrypted form; information is converted to its encrypted form using encryption algorithms. Streams can be encrypted using the Secure Socket Layer (SSL) protocol to protect information flowing between the client and the web site. Appropriate password policies, firewalls, routine external security audits, etc. must be used for the purpose of security. Threat model analysis, strict development policies and external security audits can be used to protect ISV software running the web site. There are many techniques to secure the system from the attacks of hackers.

Secure Socket Layer (SSL): Secure Socket Layer (SSL) is a very important protocol which encrypts data between the shopper's computer and the site's server. The information flowing back and forth between the shopper's computer and the site's server is encrypted, so that a hacker sniffing the network cannot read the contents of the messages transmitted between client and server. The SSL certificate is issued to the server by a certificate authority authorized by the government.
Personal firewalls: When a computer system is connected to a network, the possibility of attack increases to a large extent. A personal firewall helps protect the computer by limiting the types of traffic initiated by and directed to the computer connected to the network. Otherwise, an intruder can also scan the hard drive to detect any previously stored passwords.
Server firewall: A server firewall ensures that a client request can only enter the system from specified ports and, in some cases, that all accesses come only from certain physical machines. A common technique is to set up a demilitarized zone (DMZ) using two firewalls. The outer firewall has open ports that allow incoming and outgoing Hypertext Transfer Protocol (HTTP) requests, which lets the client browser communicate with the server. The second firewall is heavily fortified and accepts only requests from trusted servers. Both firewalls use intrusion detection software to detect any unauthorized access attempts. A second technique is a honeypot server. A honeypot is a resource placed in the DMZ to fool the hacker into thinking that he has penetrated the inner wall of the demilitarized zone (DMZ). These servers are closely monitored, and any access by an attacker is detected in the minimum possible time. An example of a honeypot is a fake payment server.
Education: People must be educated about possible phishing schemes and other social engineering attacks.
Password policies: A sample password policy, defined as part of the Federal Information Processing Standard (FIPS), is shown in the following table.

Policy                                         Value
Maximum lifetime of passwords                  180 days
Consecutive unsuccessful login delay           10 seconds
Matching user ID and password                  No, both are different
Maximum occurrence of consecutive characters   3 characters
Maximum instances of any character             4 instances
Account lockout threshold                      6 attempts
Minimum number of alphabetic characters        1 alphabetic character
Minimum number of numeric characters           1 numeric character
Minimum length of password                     6 characters
Reuse of user's previous password              No, both are different

These policies ensure that passwords are sufficiently strong that they cannot be easily guessed by hackers.
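The rules in the table can be enforced in code at password-change and login time. The example below is added here; it is not from the paper or from any FIPS publication. It checks a candidate password against each row of the table, keeps previous passwords only as salted PBKDF2-HMAC-SHA256 hashes so the reuse rule can be enforced without retaining old passwords in clear (the hashing scheme and its work factor are an assumption, not a table value), and tracks failed logins to apply the 10-second delay and the 6-attempt lockout. The clock is passed in explicitly so the behaviour can be tested offline; user names and passwords in the usage are constructed.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from itertools import groupby
from typing import Dict, List, Optional

# Values copied from the password policy table above.
POLICY = {
    "max_lifetime_days": 180,
    "failed_login_delay_seconds": 10,
    "max_consecutive_repeats": 3,
    "max_instances_of_char": 4,
    "lockout_threshold": 6,
    "min_alphabetic": 1,
    "min_numeric": 1,
    "min_length": 6,
}

PBKDF2_ROUNDS = 200_000  # assumed work factor; not a value from the paper


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password). Only this is stored, never the password itself."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def password_matches(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def check_password(user_id: str, password: str, previous_hashes: List[bytes]) -> List[str]:
    """Return the table rows a candidate password violates; an empty list means it is accepted."""
    problems = []
    if len(password) < POLICY["min_length"]:
        problems.append("shorter than minimum length")
    if sum(c.isalpha() for c in password) < POLICY["min_alphabetic"]:
        problems.append("needs an alphabetic character")
    if sum(c.isdigit() for c in password) < POLICY["min_numeric"]:
        problems.append("needs a numeric character")
    if password.lower() == user_id.lower():
        problems.append("matches the user ID")
    # Longest run of the same character, e.g. "aaaa" in "aaaa1b" has length 4.
    longest_run = max((len(list(group)) for _, group in groupby(password)), default=0)
    if longest_run > POLICY["max_consecutive_repeats"]:
        problems.append("too many consecutive identical characters")
    # Total occurrences of any single character anywhere in the password.
    if password and max(Counter(password).values()) > POLICY["max_instances_of_char"]:
        problems.append("a character occurs too many times")
    if any(password_matches(password, h) for h in previous_hashes):
        problems.append("reuses a previous password")
    return problems


class LoginGuard:
    """Applies the failed-login delay and the account lockout threshold from the table."""

    def __init__(self) -> None:
        self.failures: Dict[str, int] = {}      # user -> consecutive failed attempts
        self.last_failure: Dict[str, float] = {}  # user -> time of last failure (seconds)

    def is_locked(self, user: str) -> bool:
        return self.failures.get(user, 0) >= POLICY["lockout_threshold"]

    def may_attempt(self, user: str, now: float) -> bool:
        """False while locked out or within the delay window after a failed attempt."""
        if self.is_locked(user):
            return False
        last = self.last_failure.get(user)
        return last is None or now - last >= POLICY["failed_login_delay_seconds"]

    def record_failure(self, user: str, now: float) -> bool:
        """Count a failed attempt; returns True once the account has just become locked."""
        self.failures[user] = self.failures.get(user, 0) + 1
        self.last_failure[user] = now
        return self.is_locked(user)

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)
        self.last_failure.pop(user, None)


if __name__ == "__main__":
    history = [hash_password("Tr0ub4dor")]  # constructed: the user's previous password, hashed
    print(check_password("alice", "Tr0ub4dor", history))   # ['reuses a previous password']
    print(check_password("alice", "aaaa1b", history))      # ['too many consecutive identical characters']
    guard = LoginGuard()
    guard.record_failure("alice", now=0.0)
    print(guard.may_attempt("alice", now=5.0), guard.may_attempt("alice", now=10.0))  # False True
```

The maximum lifetime row is carried in POLICY but not enforced here; it belongs to the account record (date of last change), not to the password string or the login path.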
CONCLUSION
Security is very necessary for all sites, because without it hackers will easily attack confidential information on the network and customers will never transfer confidential data from one computer to another. Nowadays, new encryption and decryption algorithms are being designed by researchers so that confidential information on the network can be secured to a large extent, and researchers are continuously doing their best to design more secure and powerful tools so that messages over the network cannot be accessed by unauthorized users. In this paper, some common attacks related to e-commerce, along with some security issues, have been discussed.