KWAME NKRUMAH UNIVERSITY OF SCIENCE AND TECHNOLOGY, KUMASI

COLLEGE OF SCIENCE

E-COMMERCE AND I.T. SECURITY

TOPIC

SECURITY ISSUES IN E-COMMERCE APPLICATION

BY

EBENEZER AMANKWAA

PG NUMBER 4723815

APRIL 2016
Abstract

E-commerce applications are becoming popular day by day as they are working like a virtual

shop. Writing good E-commerce application is tedious task and complex also. The applications if

made complex are very difficult to maintain. Usability is a very basic concept in the E-commerce

application. User has to get the information at one click and with proper feedback. As these are

web based applications efficiency matters a lot for this application. As transaction in e-commerce

faces the problems such as database exploits, log data mining and sniffing attacks which can be

resolved by using different security measure. Hence security is important in e-commerce

application
 CHAPTER ONE
INTRODUCTION AND BACKGROUND

Electronic commerce lets companies integrate internal and external business processes through

information and communication technologies. Companies conduct these business processes over

intranets, extranets, and the Internet. E-commerce lets businesses reduce costs, attain greater

market reach, and develop closer partner relationships. However, using the Internet as the

underlying backbone network has led to new risks and concerns.

Often, industry analysts cite trust and security as the main hurdles in growing e-commerce. A

number of factors have hampered the growth of e-commerce in developing countries. Yet, the

main perceived obstacle to increased

Internet usage is very similar in companies from both developed and developing countries. Firms
already using the Internet consider the lack of network security to be the primary problem,
followed by slow and unstable connections. This litany of evolutionary phases masks a number
of growing technical challenges, including the following according to Vijay (2000).
 security and authentication;
 content management and publication;
 reliable systems, messaging, and data;
 complex interactions and transactions;
 business model implementation and business process enactment; and
 distributed processing and distributed data.
E-commerce applications are categories into different types
 B2B – Business to Business E-commerce
 B2C – Business to Consumer
 C2C-Consumer to Consumer
 B2E – Business to Employee
 C2B-Consumer to Business
 G2G- Government to Government
Clearly, the online transaction requires consumers to disclose a large amount of sensitive
personal information to the vendor, placing themselves at significant risk. Understanding
(indeed, even precisely defining) consumer trust is essential for the continuing development of e-
commerce.
Problem statement
E-commerce is used for a variety of products and services ranging from basic applications such as
electronic marketing to high security electronic payment applications. Electronic payments are now
becoming a widely used medium for carrying out financial transactions. E-commerce application
must provide means for carrying out secure authentication and financial transactions.
Authentication and secure payment is a major security issue when it comes to carrying out E-
commerce transactions remotely. Developers of such applications are always faced with questions
such as; how do we ensure that the person requesting to carry out a financial transaction is who he
claims to be? How to integrate security technologies into trust infrastructure e-commerce
applications?
Goal/ Objective of Thesis
The objective of this thesis is to describe the most common security issues and vulnerabilities
found in e-commerce sites, and to demonstrate whether the vulnerabilities can be exploited in
\real-life" applications and also to integrate security technologies into a trust infrastructure e-
commerce applications.

Organisation of Thesis
Chapter 1: Introduction and background which gives brief ideas about E-commerce applications.
Chapter 2: This chapter focused on security challenges in the E-commerce Applications.
Chapter 3: This discusses security-oriented transaction privacy design model for e-commerce.
Chapter 4: Conclusions and future work for this thesis work are presented in this final chapter.
 CHAPTER TWO

LITERATURE REVIEW/RELATED WORK

According to Donal (2007), the purpose of Web security is to meet the security expectations of

users and providers. To that end, Web security is concerned with

 client-side security,
 server-side security, and
 secure transmission of information

Transaction Security for E-commerce Application

Client-side security is concerned with the techniques and practices that protect a user's privacy
and the integrity of the user's computing system.
Server-side security is concerned with the techniques and practices that protect the Web server
software and its associated hardware from break-ins, Web site vandalism and denial of service
attacks.
Secure transmission is concerned with the techniques and practices that will guarantee protection
from eavesdropping and intentional message modification.

.
Fig 1: Security Areas of E-commerce Application
A. Security issues in e-commerce application
There are following types of security issues in any e-commerce application which needs to be
addressed Jose (2008) and Skalka (2008).
1) Malicious Code
• Viruses: They have ability to replicate and spread to other files; most also deliver a “payload”
of some sort (destructive or benign); include macro viruses, file-infecting viruses, and script
viruses
• Worms: They are designed to spread from computer to computer
• Trojan horse: They appear to be benign, but then does something other than expected
• Bots: It can be covertly installed on computer; responds to external commands sent by the
attacker
2) Unwanted Programs
These are installed without the user’s informed consent. Following are its types.
Browser parasites: It can monitor and change settings of a user’s browser
Adware: It calls for unwanted pop-up ads
Spyware: It can be used to obtain information, such as a user’s keystrokes, e-mail, IMs, etc.
3) Phishing and Identity Theft
Any deceptive, online attempt by a third party to obtain confidential information for financial
gain – Most popular type: e-mail scam letter – It is one of fastest growing forms of e-commerce
crime
4) Hacking and Cyber vandalism
Hacker: Individual who intends to gain unauthorized access to computer systems
• Cracker: Hacker with criminal intent (two terms often used interchangeably)
• Cyber vandalism: Intentionally disrupting, defacing or destroying a Web site

5) Credit Card Fraud

Fear that credit card information will be stolen deters online purchases. Hackers target credit
card files and other customer information files on merchant servers; use stolen data to establish
credit under false identity.
One solution: New identity verification mechanisms.
6) Spoofing (Pharming) and Spam (Junk) Web Sites
• Spoofing (Pharming): Misrepresenting oneself by using fake e-mail addresses or masquerading
as someone else –
Threatens integrity of site; authenticity
• Spam (Junk) Web sites: Use domain names similar to legitimate one, redirect traffic to
spammer redirection domains
7) DoS and DDoS Attacks
Denial of service (DoS) attack: Hackers flood Web site with useless traffic to inundate and
overwhelm network
Distributed denial of service (DDoS) attack: Hackers use numerous computers to attack target
network from numerous launch points.
8) Other Security Threats
Sniffing: Type of eavesdropping program that monitors information travelling over a network;
enables hackers to steal proprietary information from anywhere on a network
Insider jobs: Single largest financial threat
Poorly designed server and client software: Increase in complexity of software programs has
contributed to increase is vulnerabilities that hackers can exploit.

B. Trust in Electronic Commerce

Trust is an especially important factor under conditions of uncertainty and risk. The importance
of trust is elevated in e-commerce because of the high degree of uncertainty and risk present in
most on line transactions. In today’s electronic world of business, trust is the centre component
between the consumer and the Internet Merchant.
Researchers found trust very important, especially, in the relationships between consumers and
e-vendors (Jolly, 2003).
Fig 2: A Relationship between Consumer and Internet Merchant

Source: Author’s Own Construct (2016)

C. Mechanisms and Technologies to Build Trust

There is a strong relation between consumer trust and security aspects that govern the whole
transaction processes in an e-commerce website.
As a new form of commercial activity, e-commerce involves more uncertainty and risks that
traditional commerce because they are less well known to consumers. Factors that affecting trust
in e-commerce for consumers include security risks, privacy issue and lack of reliability e-
commerce processes in general. A consumer cannot monitor the safety and security of sending
sensitive personal and financial information. Online business organizations should search for
high-tech security mechanism to protect itself from intrusion and also protect it customer from
being indirectly invaded. There are two lines of defense for ecommerce which are technology
solutions and policy solutions.
1) Encryption Approach
Encryption is the process of transforming plain text or data into cipher text that cannot be read by
anyone other than the sender and the receiver. The purpose of encryption is
(a) to secure stored information and
(b) to secure information transmission.
There are several types of encryption that differs in the context of its functionalities.
In Symmetric Key Encryption, both the sender and the receiver use the same key to encrypt and
decrypt messages while Public Key Encryption used two mathematically related digital keys
which are public key and private key.
2) Secure Socket Layer
The most common form of securing channels is through the Secure Sockets Layer (SSL) of
TCP/IP. The SSL protocol provides data encryption, server authentication, optional client
authentication, and message integrity for TCP/IP connections. Secure Socket Layer (SSL) is a
security protocol, first developed by Netscape Communications Corporation and now taken over
by the transport layer security working groups. The design goal of the protocol is to prevent
eavesdropping, tampering or message forgery when a data is transported over the Internet
between two communicating applications (Ahuja, 2000).
3) Secure Hypertext Transfer Protocol (S-HTTP)
S-HTTP is a secure message-oriented communications protocol designed for use in conjunction
with HTTP. It is designed to coexist with HTTP and to be easily integrated with HTTP
applications. Whereas SSL is designed to establish a secure connection between two computers,
S-HTTP is designed to send individual messages securely.
Using S-HTTP, any message may be signed, authenticated, encrypted or any combination of
these. Generally, SHTTP attempts to make HTTP more secure.
4) Trust Seals Programs
A number of Trustmark seals have been developed to provide assurance about Web business
practices and policies through the Web interface. One example is TRUSTe, which audit a site’s
stated privacy policies and allows sites to display the TRUSTe seal if privacy policies and
disclosure meet specific standards. Cheskin and Sapient (1999) found that where trust mark seals
were recognized, they increase consumer perceptions of a site’s trustworthiness.
Seal programs such as TRUSTe, BBBOnLine, MultiCheck and WebTrust allow licensees who
abide by posted privacy policies and/or allow compliance monitoring to display means for
addressing consumer privacy concerns.
5) Digital Signature
Digital signature means a digital method executed by a party with the intent to authenticate a
record, which is a unique to the person using it and is capable of verification. It is linked to the
data in such a manner that if the data is changed, the electronic signature is invalidated. A digital
signature is normally a hash of the message which is encrypted with the owner’s private key
(chapin, 2008).
6) Secure Electronic Transaction (SET)
A SET specification for credit/payment card transactions is required for the safety of all involved
in e-commerce. It is designed to meet three main objectives. First, it will enable payment security
for all involved, authenticate card holders and merchants, provide confidentiality for payment
data and define protocols and potential electronic security service providers. It will also enable
interoperability among applications developed by various vendors and among different operating
systems and platform.
7) Privacy Policy Statements

A privacy policy statement is a contractual commitment to consumers outlining how their

personal information will be treated. The evidence suggests that posting a self-reported guarantee
of compliance with e-commerce standards is an effective means of increasing consumer trust.
Privacy policy statements appear to be most beneficial to the web merchants that have the
greatest need to increase consumer trust. Privacy is the willingness of consumers to share
information over the Internet that allows purchases to be conducted.
8) Digital Certificate
A digital certificate is a digital document issued by a trusted third party institution known as a
certification authority that contains the name of the subject or company, the subject’s public key,
a digital certificate serial number, an expiration date, an issuance date, the digital signature of the
certification authority and other identifying information.
The Certification Authority (CA) is a trusted third party that hands out certificates and publishes
identities and public keys in a directory. The certificate is signed with the private key of the
Certification Authority; therefore, its authenticity can be confirmed by using the known public
key of the CA Ahuja, 2000).
 CHAPTER THREE
DISCUSSION

The transaction privacy service protects against loss of privacy with respect to transactions being

performed by an individual on the EC system. The concept of transaction privacy is defined as a

service for preventing unauthorized disclosure of transaction contents, parties involved, location

of parties involved, and the exact time of occurrence of the transaction. Transaction privacy,

thus, includes the following:

 Data privacy: the contents of the transaction must be protected from disclosure to
unauthorized parties. Source and destination privacy: the parties involved in the
transaction should not be revealed to unauthorized parties.
 Location privacy: the location of the parties performing the transaction should not
be disclosed to unauthorized parties.
 Time privacy: the exact time when a transaction occurs should not be disclosed to
unauthorized parties.
The specific security attacks related to transaction privacy in e-commerce systems are
- DBMS exploits, or attacks targeted towards exploiting security of Data Base Management
Systems
- Log data mining attacks, also known as log data analysis attacks
- Sniffing attacks, also known as man-in-the-middle attacks (Stuart, 2000).

Fig 3: Security attacks related to transaction privacy.

Source: Meshram (2011)
Transaction Privacy Attack Enablers and Countermeasures
Figure 4 (a) shows all security attacks related to authentication in e-commerce systems (b) along
with the attack enablers (c) and prescribed countermeasures.

Fig 4: (a) all security attacks related to authentication in e-commerce systems (b) along with the
attack enablers (c) and prescribed countermeasures

Source: Author’s Own Construct (2016)

A. Sniffing Attacks
Sniffing attacks (also known as the man-in-the-middle attacks) are the digital analogues to phone
tapping or eavesdropping. This attack captures information as it flows between a client and a
server. Usually, a malicious user attempts to capture TCP/IP transmissions, because they may
contain information such as usernames, passwords, or the actual contents of an e- mail message.
A sniffing attack is often classified as a man-in-the-middle attack because in order to capture
packets from a user, the machine capturing packets must lie in between the two systems that are
communicating (a man-in-the-middle attack can also be waged on either one of the two systems)
(Stuart,2000).
B. Log Data Mining Attacks
Data mining is the search for significant patterns and trends in large databases by using
sophisticated statistical techniques and software. This provides information crucial to helping
businesses and industries improve products, marketing, sales, and customer service. Similarly,
log data mining attacks (a3) can be targeted towards retrieving private transaction information
from EC systems’ log data files. The attack enabler for this type of attack has two properties:
having access to the log data file (b2), and logging sensitive transaction information in the log
data file
The first attack enabler property, physical access to the log data file (b2), allows malicious users
to retrieve a copy of the logged data and perform log data mining attacks.
The proper countermeasure for this attack enabler property is to enforce access permissions on
the log data file at the underlying operating system level (c2). By doing so, malicious users will
not be able to have access to the log data file and, thus, the attack is disabled.
The second attack enabler property, logging sensitive information (b4), allows log data mining
attacks to retrieve useful transaction information in case malicious users gain access to the log
data file. This is highly probable in the case of malicious users categorized as insiders.
The proper countermeasure for this attack enabler property is to prevent the EC system from
logging sensitive data.
This will prevent malicious users from succeeding in retrieving useful transaction information. In
case sensitive data logging is required, database management systems (DBMS) must be used to
save this type of data

C. DBMS Exploits
As discussed above, relying on Data Base Management System (DBMS) security is considered a
residual vulnerability. This is because malicious users might be able to exploit the EC system by
exploiting the DBMS itself
The attack enabler in this case might be any exploit in DBMS security (b5).
The proper countermeasure is to enforce security at the DBMS level by keeping it up-to-date
with security fixes and patches (c5). This will help prevent malicious users from exploiting our
EC system by exploiting the DBMS system that we rely on for transaction privacy in general,
and sensitive data logging in particular.
 CHAPTER FOUR

CONCLUSION

The study points out one of the very important factors that creates security issues within e-

commerce, which is bad technology. One does not need to be a supper hacker in order to break

into a Web server of the companies and cause different kind of security issues, if he/she is facing

a bad technology.

Study explains that a good service and valuable treatment increase consumers’ level of trust. It is

important that the consumers do not feel tricked in order to gain their trust and real, detailed and

valid information on Website is vital in order to increase trust.

Successfully integrating security technologies into a trust infrastructure is the key to ensuring

secure e-commerce: This is the first step in establishing trust. Many of the existing security

measures are used in the E-commerce application in association with other measures.
REFERENCES
1. Vijay Ahuja, “Building Trust in Electronic Commerce”, IEEE/2000, pp:61-63
2. Stuart Feldman, “The Changing Face of E-Commerce: Extending the Boundaries of the
Possible”, IEEE INTERNET COMPUTING, MAY • JUNE 2000, pp:82-83
3. JOSE A. ONIEVA, “Multiparty Nonrepudiation: A Survey”, ACM Computing Surveys,
Vol. 41, No. 1, Article 5, December 2008, pp:5.1-5.42
4. Adam Jolly, “The Secure Online Business”, Great Britain and the United States- Kogan
Page Limited 2003, pp: 93-118
5. PETER C. CHAPIN, CHRISTIAN SKALKA, and X. SEAN WANG, “Authorization in
Trust Management: Features and Foundations”, ACM Computing Surveys, Vol. 40, No.
3, Article 9,August 2008,pp: 9.1-9.48
6. Donal O.Mahony, Michael Peirce Hitesh Tewari, “Electronic Payment Systems for E
Commerce“, Artech House computer security series-Boston 2001, Second Edition, pp:
19-69
7. Thesis by Victor Sawma, “E-commerce Security”, Master of Computer Science,
University of Ottawa, Canada 2002, pp:83-93
8. Yao-Hua Tan and Walter Thoen, “Formal Aspects of a Generic Model of Trust for
Electronic Commerce”, IEEE/2000.
9. Brian Thomas, “RECIPE FOR E-COMMERCE”, IEEE/ DECEMBER 1997,pp:72-74.