Security Threats To E-Commerce-Requirements Definition


3. Security threats to e-commerce: Requirements definition

e-Commerce security requirements can be studied by examining the overall process, beginning with the consumer and ending with the commerce server. Considering each logical link in the commerce chain, the assets that must be protected to ensure secure e-commerce include client computers, the messages travelling on the communication channel, and the web and commerce servers, including any hardware attached to the servers. While the telecommunications links are certainly one of the major assets to be protected, they are not the only concern in computer and e-commerce security. For instance, if the telecommunications links were made secure but no security measures were implemented for either the client computers or the commerce and web servers, then no communications security would exist at all.

3.1 Client threats

Until the introduction of executable web content, web pages were mainly static. Coded in HTML, static pages could do little more than display content and provide links to related pages with additional information. The widespread use of active content has changed this.

3.1a Active content: Active content refers to programs that are embedded transparently in web pages and that cause actions to occur. Active content can display moving graphics, download and play audio, or implement web-based spreadsheet programs. In e-commerce it is used to place items one wishes to purchase into a shopping cart and to compute the total invoice amount, including sales tax, handling, and shipping costs. The best known active content forms are Java applets, ActiveX controls, JavaScript, and VBScript. Since active content modules are embedded in web pages, they can be completely transparent to anyone browsing a page containing them. Anyone can embed malicious active content in web pages. This delivery technique, called a trojan horse, immediately begins executing and taking actions that cause harm. Embedding active content in web pages involved in e-commerce therefore introduces several security risks. Malicious programs delivered quietly via web pages could reveal credit card numbers, usernames, and passwords that are frequently stored in special files called cookies. Because the internet is stateless and cannot remember a response from one web page view to another, cookies help solve the problem of remembering customer order information, user names, or passwords. Malicious active content delivered by means of cookies can reveal the contents of client-side files or even destroy files stored on client computers.

3.1b Malicious code: Computer viruses, worms and trojan horses are examples of malicious code. A trojan horse is a program which performs a useful function but performs an unexpected action as well. A virus is a code segment which replicates by

attaching copies of itself to existing executables. A worm is a program which replicates itself and causes execution of the new copy. These can create havoc on the client side.

3.1c Server-side masquerading: Masquerading lures a victim into believing that the entity with which it is communicating is a different entity. For example, if a user tries to log into a computer across the internet but instead reaches another computer that claims to be the desired one, the user has been spoofed. This may be a passive attack (in which the user does not attempt to authenticate the recipient, but merely accesses it), but it is usually an active attack (in which the masquerader issues responses to mislead the user about its identity).

3.2 Communication channel threats

Information is sent to the web server for processing. One popular method of transmitting data to a web server is to collect the text box responses and append them to the end of the target server's URL. The captured data and the HTTP request to send the data to the server are then sent. Now suppose the user changes his mind, decides not to wait for a response from the anybiz.com server, and jumps to another website instead, say www.somecompany.com. The server somecompany.com may choose to collect web demographics and log the URL from which the user just came (www.anybiz.com), query data included. By doing this, somecompany.com has breached confidentiality by recording the secret information the user has just entered.

3.2b Integrity threats: An integrity threat exists when an unauthorized party can alter a message stream of information. Unprotected banking transactions are subject to integrity violations. Cyber vandalism is an example of an integrity violation: it is the electronic defacing of an existing website page. Masquerading or spoofing, that is, pretending to be someone you are not or representing a website as an original when it really is a fake, is one means of creating havoc on websites.
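The URL example at the start of 3.2 above can be made concrete with a small model of where a form's field values travel. This is an added example, not code from the original text: it uses only the Python standard library, takes the site names from the text (anybiz.com, somecompany.com), and the field names, the card value and the SENSITIVE_PARAMS list are constructed for illustration. The referrer behaviour it models is the browser default (the page URL minus its fragment), stated here as an assumption.

```python
# Added example (not from the original text): what a GET form's field values
# expose, modelled with the standard library only. The site names follow the
# text (anybiz.com, somecompany.com); the field names, values and the
# SENSITIVE_PARAMS list are constructed for illustration.
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names this (hypothetical) shop treats as secret.
SENSITIVE_PARAMS = {"card", "cvv", "password"}


def build_get_request(base_url, fields):
    """GET form: field values are appended to the URL as a query string, so they
    end up in browser history, in the server's access log, and in the Referer
    header of whatever request the user makes next."""
    return {"method": "GET", "url": f"{base_url}?{urlencode(fields)}", "body": ""}


def build_post_request(base_url, fields):
    """POST form: the same values travel in the request body; the URL stays clean."""
    return {"method": "POST", "url": base_url, "body": urlencode(fields)}


def referer_sent_to_next_site(request):
    """Model of default browser behaviour (assumed here, not a real browser):
    when the user follows a link from this page, the next site receives the
    page's URL minus its fragment as the Referer header."""
    parts = urlsplit(request["url"])
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def sensitive_fields_in(url):
    """What somecompany.com could read from a logged Referer: the names of the
    secret fields whose values are present in the URL."""
    query = urlsplit(url).query
    return sorted({name for name, _ in parse_qsl(query) if name in SENSITIVE_PARAMS})


def scrub_for_log(url):
    """Defensive counterpart for anybiz.com's own logging: redact secret values
    before a URL is written to an access log."""
    parts = urlsplit(url)
    kept = [(name, "REDACTED" if name in SENSITIVE_PARAMS else value)
            for name, value in parse_qsl(parts.query)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


if __name__ == "__main__":
    # Constructed order; 4111 1111 1111 1111 is a well-known test card number.
    fields = {"item": "widget", "qty": "2", "card": "4111111111111111"}
    get_req = build_get_request("https://www.anybiz.com/order", fields)
    post_req = build_post_request("https://www.anybiz.com/order", fields)
    print("Referer after GET form :", referer_sent_to_next_site(get_req))
    print("  leaked secret fields :", sensitive_fields_in(referer_sent_to_next_site(get_req)))
    print("Referer after POST form:", referer_sent_to_next_site(post_req))
    print("Scrubbed log line      :", scrub_for_log(get_req["url"]))
```

Two controls follow from the model: send entered data in a POST body rather than the query string, and have the server set a Referrer-Policy response header (for example `Referrer-Policy: no-referrer`) so that the browser does not pass the page URL on to the next site at all. Scrubbing the access log, as scrub_for_log does, protects the data on anybiz.com's own side but does nothing about what somecompany.com records.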
Using a security hole in a domain name server (DNS), perpetrators can substitute the address of their website in place of the real one to spoof website visitors. Integrity threats can alter vital financial, medical, or military information, with very serious consequences for businesses and people.

3.2c Availability threats: The purpose of availability threats, also known as delay or denial threats, is to disrupt normal computer processing or to deny processing entirely. For example, if the processing of a single ATM transaction slows from one or two seconds to 30 seconds, users will abandon ATM machines entirely. Similarly, slowing any internet service will drive customers to competitors' web or commerce sites.

3.3 Server threats

The server is the third link in the client-internet-server trio embodying the e-commerce path between the user and a commerce server. Servers have vulnerabilities that can be exploited by anyone determined to cause destruction or to illegally acquire information.

3.3a Web server threats: Web server software is designed to deliver web pages by responding to HTTP requests. While web server software is not inherently high-risk, it has been designed with web service and convenience as the main design goals. The more complex the software is, the higher the probability that it contains coding errors (bugs) and security holes: security weaknesses that provide openings through which evildoers can enter.

3.3b Commerce server threats: The commerce server, along with the web server, responds to requests from web browsers through the HTTP protocol and CGI scripts. Several pieces of software comprise the commerce server software suite, including an FTP server, a mail server, a remote login server, and the operating systems on the host machines. Each of these can have security holes and bugs.

3.3c Database threats: E-commerce systems store user data in, and retrieve product information from, databases connected to the web server. Besides product information, databases connected to the web contain valuable and private information that could irreparably damage a company if it were disclosed or altered. Some databases store username/password pairs in a non-secure way. If someone obtains user authentication information, then he or she can masquerade as a legitimate database user and reveal private and costly information.

3.3d Common gateway interface threats: A common gateway interface (CGI) implements the transfer of information from a web server to another program, such as a database program. CGI scripts and the programs to which they transfer data provide active content to web pages. Because CGIs are programs, they present a security threat if misused.
Just like web servers, CGI scripts can be set up to run with their privileges set high and unconstrained. Defective or malicious CGIs with free access to system resources are capable of disabling the system, calling privileged (and dangerous) base system programs that delete files, or viewing confidential customer information, including usernames and passwords.

3.3e Password hacking: The simplest attack against a password-based system is to guess passwords. Guessing passwords requires that access to the complement (the stored form of the password), the complementation function (the function that produces that stored form), and the authentication function be obtained. If none of these have changed by the time the password is guessed, then the attacker can use the password to access the system.
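The database threat in 3.3c (username/password pairs stored insecurely) and the guessing attack in 3.3e share one defence: store only a salted, slow-to-compute derivation of the password, and bound online guessing with a failure counter. The following is an added example, not code from the original text; it uses the Python standard library's PBKDF2 and an in-memory dictionary as a stand-in for the user table, and the usernames, passwords, iteration count and lockout limits are constructed values chosen for illustration.

```python
# Added example (not from the original text): storing passwords so that a
# database disclosure (3.3c) does not hand out the passwords themselves, and
# making guessing (3.3e) expensive. Standard library only; the usernames,
# passwords and limits are constructed for illustration.
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000      # PBKDF2-HMAC-SHA256 work factor; raise as hardware improves
MAX_FAILURES = 5          # consecutive failures before the account is locked
LOCKOUT_SECONDS = 900     # how long the lock lasts


class PasswordStore:
    """In-memory stand-in for the user table. In the text's terms, the salted
    PBKDF2 output is the complement and PBKDF2 the complementation function:
    the store keeps only these, never the password, so an attacker who reads
    the table still has to guess, one slow derivation per guess."""

    def __init__(self, iterations=ITERATIONS, clock=time.monotonic):
        self.records = {}
        self.iterations = iterations
        self.clock = clock          # injectable so lockout can be tested

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def register(self, username, password):
        salt = os.urandom(16)       # per-user salt defeats precomputed tables
        self.records[username] = {
            "salt": salt,
            "key": self._derive(password, salt),
            "failures": 0,
            "locked_until": 0.0,
        }

    def verify(self, username, password):
        """Authentication function: True only for the right password on an
        unlocked account. Failures are counted and lock the account, which
        bounds online guessing."""
        now = self.clock()
        rec = self.records.get(username)
        if rec is None:
            # Do the same work for unknown users so response time does not
            # reveal which usernames exist.
            self._derive(password, b"\x00" * 16)
            return False
        if now < rec["locked_until"]:
            return False
        if hmac.compare_digest(rec["key"], self._derive(password, rec["salt"])):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
        return False

    def is_locked(self, username):
        return self.clock() < self.records[username]["locked_until"]


if __name__ == "__main__":
    store = PasswordStore()
    store.register("alice", "correct horse battery staple")   # constructed
    print("right password :", store.verify("alice", "correct horse battery staple"))
    print("wrong password :", store.verify("alice", "password123"))
    print("stored key     :", store.records["alice"]["key"].hex()[:16], "... (no password)")
```

The lockout counter addresses online guessing against the authentication function; the iteration count addresses offline guessing by someone who has already copied the complements out of the database. Both numbers are policy choices, and a lockout that is too aggressive becomes an availability threat of the kind 3.2c describes, since an attacker can lock users out simply by guessing wrongly on their behalf.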

4. Implementing security for e-commerce (life cycle approach)

Let us now look at the fundamental strategic requirements an organization needs to consider if it wants to ensure that an e-commerce or online security project will be a success. Technology components of good online security, such as encrypted email, secure SSL websites, and intranets/extranets, all have a role to play in protecting valuable data, but for security to be effective it must be designed as a whole and applied consistently across an organization and its IT infrastructure.

There is a subtle difference between the design of a software system and that of a security system. When designing software, the functional correctness of the application is the prime concern: the designer aims to ensure that for reasonable input, the user gets reasonable output, and this can be traced from the system specification. In the case of a security system, the designer has to ensure that the system properties are preserved in the face of attack, so the system outputs should not be disastrous even for unreasonable inputs. In security systems there can definitely be active interference from an adversary, and the system should be hardened to withstand it. Moreover, in security systems, more functionality implies a more complex system and more security holes in it. The steps in designing the security of a system are to model the system, identify the security properties to be preserved, model the adversary, and then ensure that the security properties are preserved under attack. Detailed modelling of the system and identification of the required security properties are possible, but it is almost impossible to accurately model the adversaries and the vulnerabilities of the system they exploit. The result is that there is nothing called absolute security. Thus, to the designer, system security means: under given assumptions about the system, no attack of a given form will destroy specified properties.

Thus system security in general, and e-commerce security in particular, is conceived of as a process rather than a one-time developed product.

4.1 Security engineering life cycle

It is important to note that the e-commerce security needs of an enterprise are dynamic rather than static and depend on operational dynamics, shifts in or additions to business goals, technological advancement, etc. Thereby, the process of designing and deploying an information security infrastructure is a continuous process of analysis, design, monitoring, and adaptation to changing needs. Often, needs change frequently in organizations. In order to

be survivable under such frequent changes, the process has to be developed from a life-cycle approach. This observation leads to the concept of the security engineering life cycle (Mazumdar et al 2003). The security engineering life cycle consists of the following phases (figure 1):

4.1a Security requirement specification and risk analysis: This is the first phase in the security engineering life cycle. It collects information regarding the assets of the organization that need to be protected, the threat perception on those assets, the associated access control policies, the existing operational infrastructure, connectivity aspects, the services required to access the assets, and the access control mechanism for those services.

4.1b Security policy specification: This phase uses the security requirement specification and risk analysis report as input and generates a set of e-commerce security policies. The policy statements are high-level, rule-based and generic in nature, and thereby do not provide any insight into system implementation or equipment configuration.

4.1c Security infrastructure specification: This phase analyses the security requirement specification and the security policy specification to generate a list of security tools that are needed to protect the assets. It also provides views on the location and purpose of the security tools.

4.1d Security infrastructure implementation: In this phase the organization procures, deploys, and configures the selected security infrastructure at the system level.

4.1e Security testing: In this phase, several tests are carried out to check the effectiveness of the security infrastructure, the functionality of the access control mechanism, the specified operational context, the existence of known vulnerabilities in the infrastructure, etc.

4.1f Requirement validation: This phase analyses the extent to which the security requirements of the e-commerce organization are fulfilled by the corresponding security policy and the implemented security infrastructure. A change in the business goals, the operational environment, or technology may lead to a fresh set of security requirements, thereby triggering a new cycle of the security engineering life cycle.

Now, let us see the Security Requirements, Security Policy, Security Infrastructure, and Security Testing phases in greater detail.

4.2 Security requirements

During this phase, the security needs of an enterprise are identified. These needs are governed by the necessity to protect the following security attributes:

4.2a Authentication: This is the ability to say that an electronic communication (whether via email or web) does genuinely come from whom it purports to. Without face-to-face contact, passing oneself off as someone else is not difficult on the internet. Forging the From: field in an email header is a trivial matter, and far more sophisticated attacks are standard fare for hackers. In online commerce the best defence against being misled by an imposter is provided by unforgeable digital certificates from a trusted authority (such as VeriSign). Although anyone can generate digital certificates for themselves, a trusted authority demands real-world proof of identity and checks its validity before issuing a digital certificate.
Only certificates from trusted authorities will be automatically recognized and trusted by the major web browser and email client software. Authentication can be provided in some situations by physical tokens (such as a driver's license), by a piece of information known only to the person involved (e.g. a PIN), or by a physical property of a person (fingerprints or retina scans). Strong authentication requires at least two of these. A digital certificate provides strong authentication as it is a unique token (the certificate itself) and requires a password (something known only to the owner) for its use.

4.2b Privacy: In online commerce, privacy is the ability to ensure that information is accessed and changed only by authorized parties. Typically this is achieved via encryption. Sensitive data (such as credit card details, health records, sales figures, etc.) are encrypted before being transmitted across the open internet via email or the web. Data which has been protected with strong 128-bit encryption may be intercepted by hackers, but cannot be decrypted by them within a short time.

Again, digital certificates are used here to encrypt email or to establish a secure HTTPS connection with a web server. For extra security, data can also be stored long-term in an encrypted format.

4.2c Authorization: Authorization allows a person or computer system to determine if someone has the authority to request or approve an action or information. In the physical world, authentication is usually achieved by forms requiring signatures, or by locks where only authorized individuals hold the keys. Authorization is tied to authentication. If a system can securely verify that a request for information (such as a web page) or a service (such as a purchase requisition) has come from a known individual, the system can then check against its internal rules to see if that person has sufficient authority for the request to proceed. In the online world, authorization can be achieved by a manager sending a digitally signed email (an email stamped with their personal digital certificate). Such an email, once checked and verified by the recipient, is a legally binding request for a service. Similarly, if a web server has a restricted access area, the server can request a digital certificate from the user's browser to identify the user and then determine if they should be given access to the information according to the server's permission rules.

4.2d Integrity: Integrity of information means ensuring that a communication received has not been altered or tampered with. Traditionally, this problem has been dealt with by having tight control over access to paper documents and requiring authorized officers to initial all changes made, a system with obvious drawbacks and limitations. If someone is receiving sensitive information online, he not only wants to ensure that it is coming from whom he expects it to (authentication), but also that it hasn't been intercepted by a hacker while in transit and its contents altered.
The speed and distances involved in online communications require a very different approach to this problem from traditional methods. One solution is afforded by using digital certificates to digitally sign messages. A travelling employee can send production orders with integrity to the central office by using their digital certificate to sign their email. The signature includes a hash of the original message, a brief numerical representation of the message content. When the recipient opens the message, his email software will automatically create a new hash of the message and compare it against the one included in the digital signature. If even a single character has been altered in the message, the two hashes will differ and the software will alert the recipient that the email has been tampered with during transit.

4.2e Non-repudiation: Non-repudiation is the ability to guarantee that once someone has requested a service or approved an action, they cannot turn around and say "I didn't do that!". Non-repudiation allows one to legally prove that a person has sent a specific email or made a purchase approval from a website.

Traditionally, non-repudiation has been achieved by having parties sign contracts and then having the contracts notarized by trusted third parties. Sending documents involved the use of registered mail, with postmarks and signatures to date-stamp and record the process of transmission and acceptance. In the realm of e-commerce, non-repudiation is achieved by using digital signatures. Digital signatures which have been issued by a trusted authority (such as VeriSign) cannot be forged, and their validity can be checked with any major email or web browser software. A digital signature is only installed on the personal computer of its owner, who is usually required to provide a password to make use of the digital signature to encrypt or digitally sign their communications. If a company receives a purchase order via email which has been digitally signed, it has the same legal assurances as on receipt of a physically signed contract.

4.3 Security policy

The first step in securing an e-commerce venture is to formulate written security policies (website 1) which clearly define the requirements for each component of the system (human,
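The hash-and-compare step described in 4.2d, and its limits with respect to the non-repudiation of 4.2e, can be shown in a few lines. This is an added example, not code from the original text. The text describes a certificate-based digital signature; the Python standard library has no asymmetric signing, so HMAC-SHA256 with a key shared by sender and recipient is used here as a stand-in, and the shared key, the production order text and the simulated edit are all constructed for illustration.

```python
# Added example (not from the original text): the hash-and-compare step from
# 4.2d, implemented with the standard library. Python's stdlib has no
# certificate-based signing, so HMAC-SHA256 with a key shared by sender and
# recipient stands in for the digital signature the text describes; the key,
# the order text and the tampering are all constructed for illustration.
import base64
import hashlib
import hmac


def sign_message(key, body):
    """Sender: compute a tag over the exact bytes being sent and attach it."""
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).digest()
    return {"body": body, "tag": base64.b64encode(tag).decode("ascii")}


def verify_message(key, message):
    """Recipient: recompute the tag over the received body and compare it with
    the attached one in constant time. Any altered byte changes the tag, and a
    missing or malformed tag is treated as a failed check, never as a pass."""
    try:
        expected = base64.b64decode(message["tag"], validate=True)
    except (KeyError, TypeError, ValueError):
        return False
    actual = hmac.new(key, message["body"].encode("utf-8"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, actual)


def tamper(message, old, new):
    """Simulate an in-transit edit that leaves the attached tag untouched."""
    return {"body": message["body"].replace(old, new, 1), "tag": message["tag"]}


if __name__ == "__main__":
    key = b"constructed-shared-key"
    order = sign_message(key, "Production order 1001: 40 units of part A7")
    print("as sent    :", verify_message(key, order))
    print("after edit :", verify_message(key, tamper(order, "40 units", "400 units")))
    print("wrong key  :", verify_message(b"another-key", order))
```

The check itself is the one the text describes: the recipient recomputes the hash and the two must agree. What the shared-key substitution costs is non-repudiation. Because sender and recipient hold the same key, either of them could have produced the tag, so the recipient cannot prove to a third party that the sender did. The certificate-based signature in the text avoids this because only the signer holds the private key; in Python that requires a third-party package such as cryptography rather than the standard library.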
