
Chapter Four:

Ecommerce Security and Cryptography

IN THIS CHAPTER THE STUDENT SHOULD LEARN:

• The different e-commerce crimes and security problems
• What good e-commerce security is
• The dimensions of e-commerce security
• The various threats in the e-commerce environment
• How the various forms of encryption technology help protect the security of messages sent over the Internet

E-COMMERCE CRIME AND SECURITY PROBLEMS

WHAT'S NEW IN E-COMMERCE SECURITY 2016–2017

• Large-scale data breaches continue to expose data about individuals to hackers and other cybercriminals.
• Mobile malware presents a tangible threat as smartphones and other mobile devices become more common targets of cybercriminals, especially as their use for mobile payments rises.
• Malware creation continues to skyrocket and ransomware attacks rise.
• Distributed Denial of Service (DDoS) attacks are now capable of slowing Internet service within entire countries.
• Nations continue to engage in cyberwarfare and cyberespionage.
• Hackers and cybercriminals continue to focus their efforts on social network sites to exploit potential victims through social engineering and hacking attacks.
• Politically motivated, targeted attacks by hacktivist groups continue, in some cases merging with financially motivated cybercriminals to target financial systems with advanced persistent threats.
• Software vulnerabilities, such as the Heartbleed bug in OpenSSL and other zero-day vulnerabilities, continue to create security threats.
• Incidents involving celebrities raise awareness of cloud security issues.

THE E-COMMERCE SECURITY ENVIRONMENT

• For most law-abiding citizens, the Internet holds the promise of a huge and convenient global marketplace, providing access to people, goods, services, and businesses worldwide, all at a bargain price.
• For criminals, the Internet has created entirely new and lucrative ways to steal from the more than 1.6 billion Internet consumers worldwide in 2016.
• The potential for anonymity on the Internet cloaks many criminals in legitimate-looking identities, allowing them to place fraudulent orders with online merchants, steal information by intercepting e-mail, or simply shut down e-commerce sites using malware and swarm (denial of service) attacks.
• The Internet was never designed to be a global marketplace with billions of users and lacks many basic security features found in older networks such as the telephone system or broadcast television networks.
• The Internet is an open network whose design is vulnerable by default: its core protocols authenticate neither the sender nor the content of a packet, so security has to be layered on top of them.
• The actions of cybercriminals are costly for both businesses and consumers, who are then subjected to higher prices and additional security measures.
• The costs of malicious cyberactivity include not just the cost of the actual crime but also the additional costs required to secure networks and recover from cyberattacks, the potential reputational damage to the affected company, reduced trust in online activities, the loss of potentially sensitive business information (including intellectual property and confidential business information), and the cost of opportunities lost due to service disruptions.
• The Ponemon Institute estimates that the average total cost of a data breach to U.S. corporations in 2016 was $4 million (Ponemon Institute, 2016).

Situation
• Although increasing attention is being devoted to cybercrime, it is difficult to estimate the actual amount of crime.
• The Center for Strategic and International Studies (CSIS) examined the difficulties in accurately estimating the economic impact of cybercrime and cyberespionage; its study indicated a range of 375 to 575 billion USD worldwide.
• A survey conducted by the Ponemon Institute of 58 representative U.S. companies in various industries in 2015 found that the average annualized cost of cybercrime for the organizations in the study was $15 million, a 20% increase from the previous year and an 82% increase since the first survey in 2009. The average cost per attack was more than $1.9 million, a 22% increase from the previous year. The number of successful cyberattacks also increased, by over 15%. The most costly cybercrimes were those caused by denial of service, malicious insiders, and malicious code. The most prevalent types of attacks were viruses, worms, and Trojans, experienced by 100% of the companies surveyed, followed by malware (97%), web-based attacks (76%), botnets (66%), phishing and social engineering attacks (59%), and malicious code (52%) (Ponemon Institute, 2015a).
• According to Symantec, the number of data breaches increased 23% in 2015, over half a billion personal records were stolen, the number of spear-phishing attacks increased by 55%, malware increased by 36%, and ransomware attacks grew by 35% (Symantec, 2016).
• However, Symantec does not attempt to quantify actual crimes and/or losses related to these threats. Online credit card fraud is one of the most high-profile forms of e-commerce crime. Although the credit card fraud loss experienced by any one individual is typically small, the overall amount is substantial. The overall rate of online credit card fraud is estimated to be about 0.8% of all online card transactions, including both mobile and web transactions (CyberSource, 2016).
• The nature of credit card fraud has changed greatly, from the theft of a single credit card number and efforts to purchase goods at a few sites to the simultaneous theft of millions of credit card numbers and their distribution to thousands of criminals operating as gangs of thieves.
• The emergence of identity fraud, described in detail later in this chapter, as a major online/offline type of fraud may well increase markedly the incidence and amount of credit card fraud, because identity fraud often includes the use of stolen credit card information and the creation of phony credit card accounts.

The Underground Economy Marketplace: The Value of Stolen Information


THE CYBER BLACK MARKET FOR STOLEN DATA

DATA                                                                          PRICE
Individual U.S. card number with expiration date and CVV2 (the three-digit    $5–$8
  number printed on the back of the card; referred to as a "CVV")
Individual U.S. card number with full information, including full name,       $30
  billing address, expiration date, CVV2, date of birth, mother's maiden
  name, etc. (referred to as a "Fullz" or "Fullzinfo")
Dump data for a U.S. card (a "dump" is the raw data, such as name, account    $110–$120
  number, expiration date, and CVV, encoded on the magnetic stripe on the
  back of the card)
Online payment service accounts                                               $20–$300
Bank account login credentials                                                $80–$700
Online account login credentials (Facebook, Twitter, eBay)                    $10–$15
Medical information/health credentials                                        $10–$20
1,000 e-mail addresses                                                        $1–$10
Scan of a passport                                                            $1–$2

SOURCES: Based on data from McAfee, 2016; Intel Security, 2015; Symantec, 2015; Maruca, 2015; Infosec Institute, 2015; RAND Corporation, 2014.

WHAT IS GOOD E-COMMERCE SECURITY?


E-commerce merchants and consumers face many of the same risks as participants in
traditional commerce, albeit in a new digital environment. Theft is theft, regardless of whether it
is digital theft or traditional theft. Burglary, breaking and entering, embezzlement, trespass,
malicious destruction, vandalism—all crimes in a traditional commercial environment—are also
present in e-commerce. However, reducing risks in e-commerce is a complex process that
involves new technologies, organizational policies and procedures, and new laws and industry
standards that empower law enforcement officials to investigate and prosecute offenders.
Figure 5.1 illustrates the multi-layered nature of e-commerce security.

To achieve the highest degree of security possible, new technologies are available and should
be used. But these technologies by themselves do not solve the problem. Organizational
policies and procedures are required to ensure the technologies are not subverted. Finally,
industry standards and government laws are required to enforce payment mechanisms, as well
as to investigate and prosecute violators of laws designed to protect the transfer of property in
commercial transactions.

Good e-commerce security requires a set of laws, procedures, policies, and technologies that, to the extent feasible, protect individuals and organizations from unexpected behavior in the e-commerce marketplace.

Figure 5.1 The E-Commerce Security Environment

DIMENSIONS OF E-COMMERCE SECURITY


There are six key dimensions to e-commerce security: integrity, nonrepudiation, authenticity,
confidentiality, privacy, and availability.
Integrity refers to the ability to ensure that information being displayed on a website, or
transmitted or received over the Internet, has not been altered in any way by an unauthorized
party.
Nonrepudiation refers to the ability to ensure that e-commerce participants do not deny (i.e.,
repudiate) their online actions.
Authenticity refers to the ability to verify the identity of a person or entity with whom you are dealing on the Internet.
Confidentiality refers to the ability to ensure that messages and data are available only to those who are authorized to view them. Confidentiality is sometimes confused with privacy.
Privacy refers to the ability to control the use of information a customer provides about himself or herself to an e-commerce merchant.
E-commerce merchants have two concerns related to privacy.
(1) They must establish internal policies that govern their own use of customer
information, and
(2) They must protect that information from illegitimate or unauthorized use.
Availability refers to the ability to ensure that an e-commerce site continues to function as
intended.

E-commerce security is designed to protect these six dimensions. When any one of them is
compromised, overall security suffers.
THE TENSION BETWEEN SECURITY AND OTHER VALUES
Ease of Use
There are inevitable tensions between security and ease of use. Security is a technological and business overhead that can detract from doing business. Too much security can harm profitability, while not enough security can potentially put you out of business. One common compromise is to scale the controls to the risk of the action rather than applying the maximum everywhere: for example, a low-friction login for browsing, with additional verification required only for high-value operations such as changing a shipping address or making a large payment.

Public Safety and the Criminal Uses of the Internet


There is also an inevitable tension between the desires of individuals to act anonymously (to
hide their identity) and the needs of public officials to maintain public safety that can be
threatened by criminals or terrorists.

KEY SECURITY THREATS IN THE E-COMMERCE ENVIRONMENT


Typical E-Commerce Transaction

Vulnerable points of E-Commerce security attacks


There are three major vulnerable points in e-commerce transactions: Internet communications,
servers, and clients.

In this section, we describe a number of the most common and most damaging forms of security
threats to e-commerce consumers and site operators:

1. Malicious code ("malware") includes a variety of threats such as viruses, worms, Trojan horses, ransomware, and bots. Some malicious code, referred to as an exploit, is designed to take advantage of software vulnerabilities in a computer's operating system, web browser, applications, or other software components.
a. Exploit kits are collections of exploits bundled together and rented or sold as a commercial product, often with slick user interfaces and in-depth analytics functionality. Malware is often delivered as a malicious attachment to an e-mail or as a link embedded in the e-mail. Malicious links and macros can also be placed in innocent-looking Microsoft Word or Excel documents.
b. Malvertising. One of the latest innovations in malicious code distribution is to embed it in the online advertising chain, so that an otherwise legitimate website serves the malicious content through its ad slots.
c. A drive-by download is malware that arrives with a file a user downloads, whether the user requested that file intentionally or was tricked into requesting it.
d. A virus is a computer program that has the ability to replicate, or make copies of itself, and spread to other files. In addition to the ability to replicate, most computer viruses deliver a "payload." The payload may be relatively benign, such as the display of a message or image, or it may be highly destructive, destroying files, reformatting the computer's hard drive, or causing programs to run improperly.
e. A worm is designed to spread from computer to computer on its own. A worm does not need to be activated by a user or program in order to replicate itself.
f. Ransomware is malware that locks your computer or encrypts your files to stop you from accessing them until a ransom is paid; some ransomware spreads as a worm. It is often grouped with scareware, which merely frightens the user (for example with fake virus warnings) into paying for or installing something.
g. A Trojan horse appears to be benign, but then does something other than expected. The Trojan horse is not itself a virus because it does not replicate, but it is often a way for viruses or other malicious code, such as bots or rootkits (a program whose aim is to subvert control of the computer's operating system), to be introduced into a computer system.
h. A backdoor is a feature of viruses, worms, and Trojans that allows an attacker to remotely access a compromised computer.
i. Bots (short for robots) are a type of malicious code that can be covertly installed on your computer when it is attached to the Internet. Once installed, the bot responds to external commands sent by the attacker; your computer becomes a "zombie" that can be controlled by an external third party (the "bot-herder").
j. Botnets are collections of captured computers used for malicious activities such as sending spam, participating in a DDoS attack, stealing information from computers, and capturing network traffic for later analysis.
2. POTENTIALLY UNWANTED PROGRAMS (PUPS)
In addition to malicious code, the e-commerce security environment is further challenged
by potentially unwanted programs (PUPs) such as adware, browser parasites, spyware,
and other applications that install themselves on a computer, such as rogue security
software, toolbars, and PC diagnostic tools, typically without the user’s informed consent.
a. Adware is typically used to call for pop-up ads to display when the user visits certain
sites.
b. Browser parasite is a program that can monitor and change the settings of a user’s
browser, for instance, changing the browser’s home page, or sending information about
the sites visited to a remote computer.
c. Spyware, on the other hand, can be used to obtain information such as a user’s
keystrokes, copies of e-mail and instant messages, and even take screenshots (and
thereby capture passwords or other confidential data).

3. PHISHING
Phishing is any deceptive, online attempt by a third party to obtain confidential
information for financial gain. Phishing attacks typically do not involve malicious code but
instead rely on straightforward misrepresentation and fraud, so-called “social
engineering” techniques.

4. HACKING, CYBERVANDALISM, AND HACKTIVISM

• Hacker – an individual who intends to gain unauthorized access to a computer system
• Cracker – within the hacking community, a term typically used to denote a hacker with criminal intent
• Cybervandalism – intentionally disrupting, defacing, or even destroying a site
• Hacktivism – cybervandalism and data theft for political purposes
• White hats – "good" hackers who help organizations locate and fix security flaws
• Black hats – hackers who act with the intention of causing harm
• Grey hats – hackers who believe they are pursuing some greater good by breaking in and revealing system flaws
5. DATA BREACHES
A data breach occurs whenever an organization loses control of corporate or customer information to outsiders.
6. CREDIT CARD FRAUD/THEFT
Theft of credit card data is one of the most feared occurrences on the Internet. Fear that
credit card information will be stolen prevents users from making online purchases in
many cases.
7. IDENTITY FRAUD
Identity fraud involves the unauthorized use of another person’s personal data, such as
social security, driver’s license, and/or credit card numbers, as well as user names and
passwords, for illegal financial benefit. Criminals can use such data to obtain loans,
purchase merchandise, or obtain other services, such as mobile phone or other utility
services. Cybercriminals employ many of the techniques described previously, such as
spyware, phishing, data breaches, and credit card theft, for the purpose of identity fraud.
8. SPOOFING, PHARMING, AND SPAM (JUNK) WEBSITES
Spoofing involves attempting to hide a true identity by using someone else's e-mail or IP address. IP spoofing involves the creation of TCP/IP packets that use someone else's source IP address, making the packets appear to come from a trusted host. Most current routers and firewalls can offer protection against IP spoofing by dropping packets whose source address could not legitimately have arrived on the interface they came in on (ingress filtering).

Spoofing a website sometimes involves pharming: automatically redirecting a web link to an address different from the intended one, with the site masquerading as the intended destination. Links that are designed to lead to one site can be reset to send users to a totally unrelated site, one that benefits the hacker. Pharming typically works by corrupting name resolution (poisoning a DNS cache or editing the victim's hosts file), so the browser displays the correct domain name while actually connecting to the attacker's server.

Spam (junk) websites (also sometimes referred to as link farms) are a little different. These are sites that promise to offer some product or service, but in fact are just a collection of advertisements for other sites, some of which contain malicious code.

9. SNIFFING AND MAN-IN-THE-MIDDLE ATTACKS


A sniffer is a type of eavesdropping program that monitors information traveling over a network. When used legitimately, sniffers can help identify potential network trouble-spots, but when used for criminal purposes, they can be damaging and very difficult to detect. Sniffers enable hackers to steal proprietary information from anywhere on a network, including passwords, e-mail messages, company files, and confidential reports.

A man-in-the-middle (MitM) attack also involves eavesdropping but is more active than a sniffing attack, which typically involves passive monitoring. In a MitM attack, the attacker is able to intercept communications between two parties who believe they are directly communicating with one another, when in fact the attacker is controlling the communications. This allows the attacker to change the contents of the communication. Encrypting the channel with TLS defeats passive sniffing; defeating an active MitM additionally requires that the client verify the server's certificate, because an attacker who can present a certificate the client accepts can terminate the connection and re-encrypt it onward unnoticed.
10. DENIAL OF SERVICE (DOS) AND DISTRIBUTED DENIAL OF SERVICE (DDOS)
ATTACKS

In a Denial of Service (DoS) attack, hackers flood a website with useless pings or page requests that inundate and overwhelm the site's web servers. Increasingly, DoS attacks involve the use of bot networks and so-called "distributed attacks" built from thousands of compromised client computers.

A Distributed Denial of Service (DDoS) attack uses hundreds or even thousands of computers to attack the target network from numerous launch points. DoS and DDoS attacks are threats to a system's operation because they can keep it unavailable for as long as the attack is sustained. Major websites have experienced such attacks, making the companies aware of their vulnerability and the need to continually introduce new measures to prevent future attacks.

11. INSIDER ATTACKS


We tend to think of security threats to a business as originating outside the organization.
In fact, the largest financial threats to business institutions come not from robberies but
from embezzlement by insiders. Bank employees steal far more money than bank
robbers. The same is true for e-commerce sites. Some of the largest disruptions to
service, destruction to sites, and diversion of customer credit data and personal
information have come from insiders—once trusted employees.

12. POORLY DESIGNED SOFTWARE


Many security threats prey on poorly designed software, sometimes in the operating
system and sometimes in the application software, including browsers. The increase in
complexity and size of software programs, coupled with demands for timely delivery to
markets, has contributed to an increase in software flaws or vulnerabilities that hackers
can exploit.

SQL injection attacks take advantage of vulnerabilities in poorly coded web application software that fails to keep data entered by a user on a web page separate from the SQL statement it is placed into. An attacker can use this input handling error to send a rogue SQL query to the underlying database in order to read or modify data, plant malicious code, or pivot to other systems on the network. The standard defense is to pass user input as bound parameters of a prepared statement rather than concatenating it into the query text.
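The flaw and its fix side by side, as an added example that is not part of the original chapter. The in-memory SQLite table, its two rows and the login functions are constructed for illustration (real systems store salted password hashes, not plaintext; that is a separate issue from injection).

```python
"""Constructed example: an SQL injection flaw and its parameterized fix,
using an in-memory SQLite database. Table, rows and functions are hypothetical."""
import sqlite3


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "admin"),   # constructed sample data
        ("bob", "hunter2", "customer"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    # BAD: user input is pasted straight into the SQL text, so a quote in the
    # input ends the string literal and the rest is interpreted as SQL.
    sql = ("SELECT username, role FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    # GOOD: placeholders keep data and code separate. The driver binds the
    # values after the statement is parsed, so a quote is only ever a quote.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    """Runs both versions against a normal login and two classic payloads."""
    conn = build_db()
    comment_payload = "alice' --"      # terminates the string, comments out the rest
    tautology = "' OR '1'='1"          # makes the WHERE clause true for every row
    return {
        "vuln_normal": login_vulnerable(conn, "bob", "hunter2"),
        "vuln_comment": login_vulnerable(conn, comment_payload, "anything"),
        "vuln_tautology": login_vulnerable(conn, tautology, tautology),
        "safe_comment": login_safe(conn, comment_payload, "anything"),
        "safe_tautology": login_safe(conn, tautology, tautology),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:15s} -> {row}")
```

Against the vulnerable function, `alice' --` logs in as the admin without any password and the tautology returns the first row of the table; the parameterized function returns no row for either payload because no user is literally named `' OR '1'='1`.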

A zero-day vulnerability is one that has not been reported to the vendor before it is exploited, so no patch yet exists. In 2015, 54 zero-day vulnerabilities were reported, up from 24 in 2014 (Symantec, 2016). Any networked computer also exposes communication ports on which services listen for, and are designed to accept, connections from other computers; every listening service is a potential entry point. Ports that are frequently attacked include TCP port 445 (Microsoft-DS/SMB), port 80 (HTTP), and port 443 (HTTPS, i.e., HTTP over TLS).

13. SOCIAL NETWORK SECURITY ISSUES


Social networks like Facebook, Twitter, LinkedIn, Pinterest, and Tumblr provide a rich
and rewarding environment for hackers. Viruses, site takeovers, identity fraud, malware-
loaded apps, click hijacking, phishing, and spam are all found on social networks.

14. MOBILE PLATFORM SECURITY ISSUES


The explosion in mobile devices has broadened opportunities for hackers. Mobile users
are filling their devices with personal and financial information, and using them to
conduct an increasing number of transactions, from retail purchases to mobile banking,
making them excellent targets for hackers. In general, mobile devices face all the same
risks as any Internet device as well as some new risks associated with wireless network
security. For instance, public Wi-Fi networks that are not secured are very susceptible to
hacking. While most PC users are aware their computers and websites may be hacked
and contain malware, most cell phone users believe their cell phone is as secure as a
traditional landline phone. Mobile cell phone malware (sometimes referred to as
malicious mobile apps (MMAs) or rogue mobile apps) was developed as early as 2004
with Cabir, a Bluetooth worm affecting Symbian operating systems (Nokia phones) and
causing the phone to continuously seek out other Bluetooth-enabled devices, quickly
draining the battery. The iKee.B worm, first discovered in 2009, only two years after the
iPhone was introduced, infected jailbroken iPhones, turning the phones into botnet-
controlled devices.

15. CLOUD SECURITY ISSUES


The move of so many Internet services into the cloud also raises security risks. From an infrastructure standpoint, DDoS attacks threaten the availability of cloud services on which more and more companies are relying. For instance, the October 2016 DDoS attack on the DNS provider Dyn caused a major disruption to cloud services across the United States.
A 2016 Ponemon Institute study of 3,400 IT executives found that the majority of IT and IT security practitioners surveyed felt that the likelihood of a data breach increases due to the cloud, in part because many organizations do not thoroughly examine cloud security before deploying cloud services. The study also found that only one-third of sensitive data in cloud-based applications was encrypted, and that half of the firms involved do not have a proactive approach to cloud security, relying instead on the cloud providers to ensure security (Loten, 2016; Gemalto and Ponemon, 2016).

16. INTERNET OF THINGS SECURITY ISSUES


The Internet of Things (IoT) involves the use of the Internet to connect a wide variety of sensors, devices, and machines, and is powering the development of a multitude of smart connected things, such as home electronics (smart TVs, thermostats, home security systems, and more), connected cars, medical devices, and industrial equipment that supports manufacturing, energy, transportation, and other industrial sectors. IoT raises a host of security issues that are in some ways similar to existing security issues, but even more challenging, given the need to deal with a wider range of devices, operating in a less controlled, global environment, and with an expanded attack surface. In a world of connected things, the devices, the data produced and used by the devices, and the systems and applications supported by those devices can all potentially be attacked (IBM, 2015).

VARIOUS FORMS OF ENCRYPTION TECHNOLOGY HELP PROTECT THE SECURITY OF MESSAGES SENT OVER THE INTERNET

1. Symmetric key cryptography—Both the sender and the receiver use the same key to encrypt and decrypt a message. The practical difficulty is getting that shared key to both parties over a channel the attacker cannot read.
2. Public key cryptography—Two mathematically related digital keys are used: a public key and a private key. The private key is kept secret by the owner, and the public key is widely disseminated. Either key can be used to encrypt a message, but only the other key of the pair can decrypt it: a message encrypted with the public key can be decrypted only with the private key, and vice versa. The key that was used to encrypt cannot undo its own encryption.
3. Public key cryptography using digital signatures and hash digests—This method uses a mathematical algorithm called a hash function to produce a fixed-length number called a hash digest; any change to the message produces a different digest. The sender computes the digest of the message and encrypts it with the sender's private key, producing a digital signature, which is sent along with the message. The recipient applies the same hash function to the received message, decrypts the signature with the sender's public key, and checks that the two digests match. A match shows that the message was not altered in transit (integrity) and that it was signed by the holder of the private key (authenticity); because only the sender holds that key, the sender cannot later deny having sent it (nonrepudiation). To add confidentiality, the message and its signature are then encrypted for the recipient, in practice using a digital envelope (item 4).
4. Digital envelope—This method uses symmetric cryptography to encrypt and decrypt the document, but public key cryptography to encrypt and send the symmetric key. E-mail encryption standards such as PGP and S/MIME combine the two techniques in exactly this way.
5. Digital certificates and public key infrastructure—This method relies on certification authorities who issue, verify, and guarantee digital certificates (a digital document that contains the name of the subject or company, the subject's public key, a digital certificate serial number, an expiration date, an issuance date, the digital signature of the certification authority, and other identifying information).

In addition to encryption, there are several other tools that are used to secure Internet channels of communication, including:
1. Secure Sockets Layer (SSL)/Transport Layer Security (TLS), of which SSL itself is now deprecated and current deployments use TLS 1.2 or 1.3,
2. virtual private networks (VPNs), and
3. wireless security standards such as WPA2.

After communications channels are secured, tools to protect networks, servers, and clients should be implemented. These include:
1. firewalls,
2. proxies,
3. intrusion detection and prevention systems (IDS/IPS),
4. operating system controls, and
5. anti-virus software.

THE IMPORTANCE OF POLICIES, PROCEDURES, AND LAWS IN CREATING SECURITY


1. In order to minimize security threats, e-commerce firms must develop a coherent corporate policy that takes into account
a. the nature of the risks,
b. the information assets that need protecting,
c. the procedures and technologies required to address the risks, and
d. implementation and auditing mechanisms.

2. Public laws and active enforcement of cybercrime statutes are also required, both to raise the costs of illegal behavior on the Internet and to guard against corporate abuse of information.

3. The key steps in developing a security plan are:
a. Perform a risk assessment—an assessment of the risks and points of vulnerability.
b. Develop a security policy—a set of statements prioritizing the information risks, identifying acceptable risk targets, and identifying the mechanisms for achieving these targets.
c. Create an implementation plan—a plan that determines how you will translate the levels of acceptable risk into a set of tools, technologies, policies, and procedures.
d. Create a security team—the individuals who will be responsible for ongoing maintenance, audits, and improvements.
e. Perform periodic security audits—routine reviews of access logs and any unusual patterns of activity.
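What step (e) looks like in practice, as an added example that is not part of the original chapter: a small review script that parses web server access logs in the common "combined" format and flags two patterns discussed earlier in this chapter, repeated failed logins from one address (a credential-guessing attack) and query strings that look like SQL injection probes. The log lines, thresholds and paths (`/login`, `/product`) are constructed for this example; the IP addresses are from documentation ranges.

```python
"""Constructed example of a periodic access-log review: flag brute-force login
attempts and SQL-injection-looking requests. Sample log lines are made up."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2017:13:55:36 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2017:13:55:37 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2017:13:55:38 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2017:13:55:39 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2017:13:55:40 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2017:13:55:41 +0000] "POST /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2017:14:02:10 +0000] "GET /product?id=17 HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2017:14:02:12 +0000] "GET /product?id=17'%20OR%20'1'='1 HTTP/1.1" 500 0 "-" "sqlmap/1.0"
192.0.2.9 - - [10/Mar/2017:14:05:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2017:14:20:00 +0000] "POST /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache/Nginx "combined" log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Crude but useful: a quote followed by a SQL keyword or comment, UNION SELECT,
# or a time-based probe. Applied after URL-decoding.
SQLI_RE = re.compile(r"('|%27)\s*(or|and|--|union)|union\s+select|sleep\s*\(", re.I)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped (a real
    audit would count and report them, since they can hide tampering)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        yield rec


def brute_force_ips(records, threshold=5, window_seconds=60):
    """IPs with at least `threshold` failed logins inside any `window_seconds` span."""
    fails = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["path"] == "/login" and r["status"] == 401:
            fails[r["ip"]].append(r["ts"])
    flagged = set()
    for ip, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.add(ip)
                break
    return flagged


def sqli_probe_lines(records):
    """(ip, raw path) for every request whose decoded path matches SQLI_RE."""
    return [(r["ip"], r["path"]) for r in records if SQLI_RE.search(unquote(r["path"]))]


def review(log_text=SAMPLE_LOG):
    records = list(parse(log_text))
    return {"brute_force": brute_force_ips(records),
            "sqli_probes": sqli_probe_lines(records)}


if __name__ == "__main__":
    for key, value in review().items():
        print(key, "->", value)
```

On the sample, 203.0.113.5 is flagged (five 401s in four seconds, followed by a 200, which is exactly the sequence a successful guess leaves behind), 192.0.2.9 is not (one failure, then a normal login fifteen minutes later), and the single `' OR '1'='1` request from 198.51.100.7 is listed as an injection probe. Both thresholds are assumptions; tune them against a baseline of normal traffic before acting on the output.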
