Threats and Vulnerability Attacks on E-commerce Systems

Electronic commerce (e-commerce) services have become a core element of the Internet and the Web. Electronic business over the Internet and the Web has allowed businesses to reduce costs and offers many benefits both to the buyer and to the business. According to Forrester Research, online retail sales in the United States exceeded $100 billion in 2003. As information technology and the use of the Internet grow every day, the demand for secure information and electronic services grows with them. Every online transaction can be observed and stored in numerous locations, and because the Internet is a public network it is very important for businesses to understand the security threats and vulnerabilities to their business. The key factor that determines the success of e-commerce is therefore the security of the network. In this paper we summarize some of the security risks and vulnerabilities that affect e-commerce security.

Keywords: e-commerce security, threats, vulnerabilities, attacks

1. Introduction

The advances the Internet has made in the past few years have changed the way people see and use it. The more its use grows, the more attacks target these systems and the more security risks increase. Security has become one of the most important issues and a significant concern for e-commerce that must be addressed [1]. Every private and public organization now takes computer and e-commerce security more seriously than before, because any successful attack has a direct effect on the e-commerce business [5]. The Internet and Web environment present a corporation with as many security threats and vulnerabilities as opportunities.

The low cost and high availability of the worldwide Internet for businesses and customers has produced a revolution in e-commerce [1]. This revolution in turn raises the need for security, as well as the number of online cheats and scams, as Figure 1 shows. Although a very large amount of time and money has been invested in providing secure networks, the possibility of a security breach always remains [5]. According to the IC3 2007 annual report, the total dollar loss from all referred fraud complaints was $239.09 million [3]. The majority of these frauds were committed online or through similar online services. Security is still a significant concern for e-commerce and an effort for each company; mitigating security risks and vulnerabilities remains a battle for every company [5]. A good security infrastructure means good productivity for the business.

Figure 1: Incidents of Internet fraud [15]

In this paper, the first section gives a brief description of e-commerce and its types; the second section identifies the security issues and some of the threats, vulnerabilities and attacks on e-commerce; and the last section discusses various defence mechanisms used to safeguard e-commerce security, which remains a high concern for business.

2. E-commerce Background

Information and communication technology has become an essential and crucial part of business. This heavy use of information technology has changed the traditional way of doing business. The new way of doing business is known as Electronic Commerce (E-Commerce) or Electronic Business (E-Business) [12]. Electronic commerce means the buying and selling of products over the part of the Internet called the World Wide Web. According to Verisign [2004], electronic commerce is a "strategic essential for most competitive organisations today as it is an integral to finding new resources of revenue, growing into new markets, lowering costs, and creating breakaway business strategies". E-commerce includes digital trading, trading of services, banking, hotel booking, purchase of airline tickets and so on [2]. There are different types of e-commerce, but here we cover three types of business transaction:

B2B ( business to business);

B2C ( business to consumer);

C2C (consumer to consumer) [4].

Business to Business (B2B) e-commerce is simply defined as business transactions among and between businesses, such as transactions between two companies, between a manufacturer and a wholesaler, or between a wholesaler and a retailer [16]. There are four basic roles in B2B e-commerce: suppliers, customers, market-makers and web service providers. Every company or business plays at least one of them, and many companies play multiple roles [9]. According to the Queensland government's office of state development and technology [2001], B2B e-commerce made up 94% of all e-commerce transactions [8]. Examples of B2B models are companies such as IBM, Hewlett Packard (HP), Cisco and Dell.

Business-to-Consumer (B2C) e-commerce is commerce between companies and consumers: businesses sell directly to consumers either physical goods (such as books, DVDs or consumer products) or information goods (goods of electronic material or digitized content, such as software, music, videos or e-books) [10]. In B2C the Web is usually used as a medium to order physical goods or information goods [8]. An example of a B2C transaction is a person buying a book from Amazon.com. According to eMarketer, B2C e-commerce revenue was expected to grow from US$59.7 billion in 2000 to US$428.1 billion by 2004 [10].

Consumer to Consumer (C2C) e-commerce is the type of e-commerce that involves business transactions among private individuals or consumers using the Internet and the World Wide Web. Using C2C, customers can advertise goods or products and sell them directly to other consumers. An example of C2C is eBay.com, an online auction site where customers are able to sell a wide variety of goods and products to each other [6]. There is less information on the size of global C2C e-commerce [10]. Figure 2 illustrates some of the e-commerce business models described above.

Figure 2: Common e-commerce business models [14]

3. Security threats to e-commerce

Security has three basic principles: confidentiality, integrity and availability. Confidentiality means that only authorized persons have access to the information and unauthorized persons do not; integrity ensures that data stored on any device or in transit during a communication is not altered by a malicious user; availability means that the information must be available when it is needed [16]. Security plays an important role in e-commerce. The number of online transactions has increased significantly in recent years, and this has been accompanied by an equal rise in the number of threats and types of attacks against e-commerce security [13]. A threat can be defined as "the potential to exploit a weakness that could lead to unauthorised access or use, disclosure of information or utilization, theft or damage of an asset, disruption or modification" [8]. An e-commerce environment has several participants in the e-commerce network:

Shoppers, who order and buy products or services

Merchants, who offer products or services to the shoppers

The software (the site) installed on the merchant's server, and the server itself

Attackers, who are the dangerous part of the e-commerce network

Looking at the parties involved in the e-commerce network, it is easy to see that malicious hackers threaten the whole network and are its most dangerous part. These threats to e-commerce can abuse and misuse the system and cause high financial damage to the business. Figure 3 briefly shows the techniques hackers use against an e-commerce network [11].

Figure 3: Target points of the attacker [11]

The assets that must be protected to ensure secure electronic commerce include the consumer's (shopper's) computer, or client side; the transactions that travel over the communication channel; the website on the server; and the merchant's server, including any hardware attached to it, or server side. The communication channel is one of the major assets that need protection, but it is not the only concern in e-commerce security. Client-side security is the major concern from the user's point of view; server-side security is the major concern from the service provider's perspective. For instance, if the communication channel were made secure but there were no security strategy for either the client side or the server side, then no secure transmission of information would exist at all [1, 2]. As Figure 3 shows, there are several attack methods that an attacker or hacker may use against an e-commerce network. The next section describes these potential attack methods.

4. Possible Attacks

This section overviews and explains various attacks that may occur in the context of an e-commerce application. From an attacker's point of view there are multiple actions that can be performed while the shopper has no clue what is going on. The attacker's aim is to gain access to every piece of information in the network flow from the moment the customer presses the "buy" button until the web server has responded. Furthermore, the attacker will try to attack the application system in the most discreet way possible. An overview of various attacks on e-commerce follows.

Tricking the shopper: One very profitable and simple way for an attacker to obtain the shopper's behaviour and information is by tricking the shopper, which is basically known as the social engineering technique. This can be done in various ways. Some of them are:

An attacker can call the shopper, pretending to be an employee of a shopping site, to extract information about the shopper. Thereafter the attacker can call the shopping site, pretend to be the shopper, ask for the personal information and further request a password reset for the user account. This is a very common scenario.

Another example is to reset the password by providing details of the shopper's private life, such as date of birth, mother's maiden name, favourite movie, etc. If the shopping website relies on such information to identify the shopper, retrieving the password is no longer a big challenge.

A last way of retrieving private information, which is used a great deal on the Internet today, is phishing. It is very difficult to tell apart, for example, www.microsoft.com/shop from www.micorsoft.com/shop; the difference is a transposition of the letters 'r' and 'o'. A fake shop at the wrong address, pretending to be the genuine shop with login forms and password fields, hands all the private information to the attacker. This succeeds whenever the shopper mistypes the URL. The mistyped URL may also be sent through email, posing as the genuine shop without the customer noticing [11, 15].
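The 'r'/'o' swap above is a mechanical check a client or mail gateway can make. The following is an added example, not code from the essay: it enumerates the variants an attacker would register for a genuine hostname and classifies an incoming hostname against a constructed allow-list (TRUSTED_HOSTS is an assumption; substitute your own shop domains).

```python
# Added example (not part of the original essay): spotting typosquatted
# shop hostnames such as the 'r'/'o' swap described above.
# TRUSTED_HOSTS is a constructed allow-list; replace it with your own.

TRUSTED_HOSTS = {"www.microsoft.com", "www.amazon.com", "www.ebay.com"}


def typosquat_candidates(host):
    """Yield the variants an attacker would register: adjacent-letter swaps,
    dropped letters and doubled letters of the genuine hostname."""
    seen = set()
    for i in range(len(host)):
        variants = []
        if i + 1 < len(host) and host[i] != host[i + 1]:
            variants.append(host[:i] + host[i + 1] + host[i] + host[i + 2:])  # swap
        variants.append(host[:i] + host[i + 1:])                              # drop
        variants.append(host[:i] + host[i] + host[i:])                        # double
        for v in variants:
            if v != host and v not in seen:
                seen.add(v)
                yield v


def edit_distance(a, b):
    """Damerau-Levenshtein distance: insertions, deletions, substitutions and
    adjacent transpositions each cost 1, so 'micorsoft' is 1 from 'microsoft'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_host(host, trusted=TRUSTED_HOSTS, max_distance=1):
    """Return 'trusted', 'lookalike of <host>', 'non-ascii' or 'unknown'."""
    host = host.strip().lower().rstrip(".")
    if not host.isascii():
        return "non-ascii"  # possible homoglyph (e.g. Cyrillic letters); inspect by hand
    if host in trusted:
        return "trusted"
    for good in sorted(trusted):
        if edit_distance(host, good) <= max_distance:
            return "lookalike of " + good
    return "unknown"
```

The distance check catches single swaps, drops and doubles; the separate non-ASCII branch exists because a Cyrillic "о" in place of a Latin "o" has edit distance 1 as well but needs a different response (IDN homoglyph review). A hostname such as www.microsoft.com.evil.example is a different trick and needs a suffix check on the registered domain, which this example does not attempt.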

Password guessing: Attackers are also aware that it is possible to guess a shopper's password. This requires information about the shopper: the attacker may need to know the birthday, age, last name, etc., in order to try different combinations. It is very common for users to build personal information into their passwords, since such passwords are easy to remember. Still, it takes considerable effort on the attacker's side to write software that guesses a shopper's password. One very famous attack is to take words from a dictionary and try them as passwords; this is known as the dictionary attack. Alternatively the attacker may consult lists of the passwords most commonly used worldwide [15].

Workstation attack: A third approach is to attack the workstation on which the website is hosted. This requires that the attacker knows the weaknesses of the workstation; such weaknesses are always present, since no system exists without vulnerabilities. The attacker may therefore gain access to the workstation's root account through these vulnerabilities. The attacker first tries to see which ports are open on the target machine, using either self-written or existing tools. Once the attacker has gained access to the system, it is possible to scan the workstation's information about customers to obtain their IDs and passwords or other confidential information.

Network sniffing: When a shopper visits a shopping website and a transaction is in progress, the attacker has a fourth opportunity, called sniffing. Sniffing means that the data exchanged between the customer and the server is captured (tracked) with one of several applications. Network communication differs from human communication. In a human conversation a third person may be somewhere nearby, listening. In network communication the data sent between the two parties is first divided into "data packets" before being transmitted from one side to the other, and the receiving side collects these packets and reassembles them into the one piece of data that was sent. Usually the attacker tries to be as close as possible to either the merchant's site or the shopper in order to sniff information. If the attacker sits on the path between the shopper and the website, the attacker may capture every packet. For example, suppose a Norwegian shopper wants to buy something from a web shop located in the United States. The personal data sent by the shopper is split into small packets addressed to the server in the USA. Since the route through the network is not controlled by the parties, the packets may travel through different locations before reaching the destination: some may go via France, the Netherlands and Spain before reaching the USA. In that case an attacker sniffing in France, the Netherlands or Spain may not capture every single packet, and with incomplete data may not be able to reconstruct and retrieve enough information.
This is exactly why attackers position themselves as close as possible to either the source or the destination (the consumer side or the server side).
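The reassembly step is what decides whether a sniffer's capture is useful. The following is an added example and not code from the essay: a constructed plaintext HTTP checkout is cut into TCP-like segments, a sniffer that caught all of them (in any order) reassembles the stream and reads the credentials, and a sniffer on a path that saw only some of the packets is left with a gap. The request bytes, sequence numbers and segment sizes are all constructed for the demo.

```python
from urllib.parse import parse_qs

# Added example (not part of the original essay): what a sniffer near the
# endpoint can recover from a plaintext checkout, and why a sniffer that sees
# only some of the packets cannot. The request below is constructed, not captured.

BODY = b"user=alice&password=Summer2009&card=4111111111111111"
REQUEST = (
    b"POST /checkout HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY
)


def segment(stream, start_seq, sizes):
    """Cut a byte stream into TCP-like (seq, payload) segments of the given sizes;
    whatever is left after the listed sizes becomes a final segment."""
    segments, seq, pos = [], start_seq, 0
    for size in list(sizes) + [len(stream)]:
        chunk = stream[pos:pos + size]
        if chunk:
            segments.append((seq, chunk))
            seq += len(chunk)
            pos += len(chunk)
    return segments


def reassemble(segments, start_seq):
    """Reorder segments by sequence number. Returns (data, gaps), where gaps lists
    (from_seq, to_seq) ranges that no captured segment covered."""
    data, gaps, expected = bytearray(), [], start_seq
    for seq, payload in sorted(segments):
        if seq > expected:
            gaps.append((expected, seq))
            data.extend(b"?" * (seq - expected))  # unknown bytes, kept for alignment
        elif seq < expected:
            payload = payload[expected - seq:]   # retransmitted overlap: drop duplicate bytes
            seq = expected
        data.extend(payload)
        expected = seq + len(payload)
    return bytes(data), gaps


def form_fields(http_request):
    """Parse a plaintext HTTP request and return its urlencoded form fields."""
    head, sep, body = http_request.partition(b"\r\n\r\n")
    if not sep:
        return {}
    length = len(body)
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value)
    if len(body) < length:
        return {}  # body truncated: the capture ended too early
    return {k: v[0] for k, v in parse_qs(body[:length].decode("latin-1")).items()}


def sniff_credentials(segments, start_seq):
    """Return the credentials a sniffer can recover, or None if its capture has gaps."""
    data, gaps = reassemble(segments, start_seq)
    if gaps:
        return None
    fields = form_fields(data)
    return fields if "password" in fields else None
```

The sniffer needs the initial sequence number (taken from the handshake it also observed) to know where the stream starts; with every segment in hand the order of capture does not matter, while a single missing segment leaves a hole that makes the form unreadable. None of this helps an attacker once the channel is encrypted, which is the point of the encryption defence in section 5.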

Known bug attack: The known bug attack can be used against both the customer's machine and the website. Using existing tools, the attacker can learn which software the target server is running. From there the attacker looks up the patches for that software and analyzes which bugs have not been corrected by the administrators. Knowing which bugs are unfixed, the attacker can then exploit the system [11].
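The comparison at the heart of this attack (which version is running versus which version first contains the fix) is also the check an administrator should run on their own banners. The following is an added example, not code from the essay; the product names, version numbers and the FIXED_IN table are constructed, hypothetical data and do not correspond to real advisories.

```python
import re

# Added example (not part of the original essay): the version check behind a
# "known bug" attack, run here from the defender's side. FIXED_IN and the
# banners are constructed, hypothetical data; they are not real advisories.

FIXED_IN = {
    # product (lower-case) -> (first version containing the fix, short note)
    "examplehttpd": ((1, 9, 2), "request path handling fix"),
    "exampleshop": ((2, 4, 7), "checkout form validation fix"),
}

BANNERS = [
    "Server: ExampleHTTPD/1.8.5",
    "X-Powered-By: ExampleShop/2.4.7",
    "Server: ExampleHTTPD/1.10.0",
    "Server: Apache",              # version hidden: nothing to compare
]

BANNER_RE = re.compile(r"([A-Za-z][A-Za-z0-9_-]*)/(\d+(?:\.\d+)*)")


def parse_version(text):
    """'1.10.0' -> (1, 10, 0): tuples compare numerically, so 1.10 > 1.9."""
    return tuple(int(part) for part in text.split("."))


def fingerprint(banner):
    """Extract (product, version) from a Server or X-Powered-By style banner."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1).lower(), parse_version(m.group(2))


def unpatched(banners, table=FIXED_IN):
    """List (product, running, fixed_in, note) for every banner below the fix."""
    findings = []
    for banner in banners:
        fp = fingerprint(banner)
        if fp is None or fp[0] not in table:
            continue
        product, running = fp
        fixed, note = table[product]
        if running < fixed:
            findings.append((product, running, fixed, note))
    return findings
```

Two practical points the code encodes: versions must be compared as numeric tuples, since as strings "1.10.0" sorts before "1.9.2" and a naive scanner would mark a patched server as vulnerable (or the reverse); and a banner can be hidden or faked, so "no finding" is not "no bug", only "no evidence from the banner".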

There are many more attacks than those described above. Further attacks that can be used against an e-commerce application include Denial of Service (DoS) attacks, where the attacker overwhelms the servers and, using several methods, may obtain necessary information. Another well-known attack is the buffer overflow attack: if an attacker has gained access to the machine, the attacker may obtain further personal information by creating his own buffer into which all overflowing data is transferred. Some attackers also inspect the HTML code; if the HTML is not well structured or optimized, sensitive information may be found in it. Java, JavaScript or ActiveX components are used in HTML as applets, and the attacker may also tamper with these and plant a worm on the computer to retrieve private information.

5. Defence

For each new attack presented in the real world, a new defence mechanism needs to be provided as well, to protect the public from unexpected problems. This section introduces some defence measures against the attacks identified in the previous section. The main purpose, from a vendor's point of view, is to safeguard all information in the e-commerce application. Protecting a system can be done in several ways.

Education: To reduce tricking attacks, one can educate all shoppers. This requires a lot of time and effort and is not simple, since many customers will still be tricked by common social engineering. Sellers therefore have to keep reminding customers to use a secure password, since the password serves as the personal identification. It is also important to use different passwords for different websites and to store those passwords in a secure way. Furthermore, it is vital not to give out information over a telephone conversation, by email or through online programs.

Setting a safe password: It is vital that customers do not use passwords related to themselves, such as birthdays, children's names, etc. It is therefore important to use a strong password. A strong password has many definitions; for example, password length is an essential factor, together with the use of various special characters. If a shopper cannot come up with a strong password, there are many websites that provide such strong passwords.
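The guessing attack of section 4 and the "safe password" advice above are the same reasoning seen from two sides, so one added example (not code from the essay) serves both: an attacker's candidate generator built from a shopper's personal data plus a short word list, an offline guessing loop against an unsalted SHA-256 hash, and a strength check that rejects exactly the passwords that generator would produce. PROFILE and COMMON_WORDS are constructed sample data.

```python
import hashlib
import itertools

# Added example (not part of the original essay). It serves two passages: the
# password-guessing attack in section 4 and the "safe password" advice above.
# PROFILE and COMMON_WORDS are constructed sample data, not a real person or
# a real word list.

PROFILE = {"first": "Anna", "last": "Hansen", "birthday": "1983-07-12", "pet": "Bella"}
COMMON_WORDS = ["password", "welcome", "letmein", "qwerty", "summer", "football"]


def sha256_hex(text):
    """Hex SHA-256 of a string; stands in for an unsalted stored hash."""
    return hashlib.sha256(text.encode()).hexdigest()


def candidates(profile, words):
    """Guesses an attacker derives from personal data plus a small word list:
    each base word, capitalised or not, with the usual year/date/digit suffixes."""
    year = profile["birthday"][:4]
    daymonth = profile["birthday"][8:10] + profile["birthday"][5:7]
    bases = [profile["first"], profile["last"], profile["pet"]] + list(words)
    suffixes = ["", year, year[2:], daymonth, "1", "123", "!"]
    seen = set()
    for base, suffix in itertools.product(bases, suffixes):
        for form in (base.lower(), base.capitalize()):
            guess = form + suffix
            if guess not in seen:
                seen.add(guess)
                yield guess


def guess_password(stored_sha256_hex, profile, words):
    """Offline dictionary attack against an unsalted SHA-256 password hash.
    Returns (password, number_of_guesses) or (None, number_of_guesses)."""
    tried = 0
    for guess in candidates(profile, words):
        tried += 1
        if sha256_hex(guess) == stored_sha256_hex:
            return guess, tried
    return None, tried


def password_is_strong(password, profile, words, min_length=12):
    """The defender's side of the same reasoning: reject anything short, anything
    the guesser above would produce, and anything containing the profile data."""
    if len(password) < min_length:
        return False
    if password in set(candidates(profile, words)):
        return False
    lowered = password.lower()
    personal = [profile["first"], profile["last"], profile["pet"], profile["birthday"][:4]]
    if any(item.lower() in lowered for item in personal):
        return False
    return True
```

With nine base words and seven suffixes the attacker needs at most 126 hashes, which is why "pet's name plus birth year" falls in milliseconds. On the server side the same attack is slowed, not prevented, by salted slow hashing and by rate-limiting login attempts; on the shopper's side the check above is the policy the essay recommends, made mechanical.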

Managing cookies: When a shopper registers on a site with personal information, a cookie is stored on the computer so that no information needs to be entered again at the next logon. This information is very useful to an attacker, so it is recommended to avoid storing such cookies, which is a very easy step to take in the browser [11].
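From the merchant's side the fix is not to put personal data in the cookie at all. The following is an added example and not code from the essay: the cookie carries only a random session id with an HMAC tag, the shopper's data stays in a server-side store, and the Set-Cookie header carries the attributes that keep the cookie off plaintext connections and away from page scripts. SERVER_SECRET and the in-memory SESSIONS store are constructed for the demo; a real deployment loads the key from configuration and uses a shared session store.

```python
import hashlib
import hmac
import secrets

# Added example (not part of the original essay): instead of storing the
# shopper's details in the cookie, store an opaque session id protected by an
# HMAC, and keep the details server-side. SERVER_SECRET and SESSIONS are
# constructed; a real server loads the key from configuration.

SERVER_SECRET = b"constructed-example-key-never-sent-to-the-browser"
SESSIONS = {}  # session id -> data that stays on the server


def make_session(user, secret=SERVER_SECRET):
    """Create a session and return the cookie value '<id>.<tag>'."""
    session_id = secrets.token_urlsafe(32)   # URL-safe alphabet, never contains '.'
    SESSIONS[session_id] = {"user": user, "role": "customer"}
    tag = hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()
    return session_id + "." + tag


def session_from_cookie(value, secret=SERVER_SECRET):
    """Return the server-side session data, or None if the cookie was forged or altered."""
    session_id, sep, tag = value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return SESSIONS.get(session_id)


def set_cookie_header(name, value, max_age=3600):
    """Secure: only over HTTPS; HttpOnly: not readable by page scripts;
    SameSite=Lax: not sent on cross-site POSTs."""
    return (f"Set-Cookie: {name}={value}; Max-Age={max_age}; Path=/; "
            f"Secure; HttpOnly; SameSite=Lax")


def naive_session_from_cookie(value):
    """The weak design the text warns about: data lives in the cookie itself and
    is trusted as-is, so the shopper (or an attacker) can rewrite it."""
    return dict(part.split("=", 1) for part in value.split("&"))
```

The naive parser at the end shows why a cookie of the form user=alice&role=customer is dangerous: anyone holding it can edit role=admin and the server has no way to tell. With the HMAC design an edited or guessed id fails the tag check, and a stolen cookie still expires with Max-Age and never travels over plain HTTP.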

Personal firewall: One way of protecting the shopper's computer is to use a personal firewall. The purpose of the firewall is to control all incoming traffic to the computer from outside, and also to control all outgoing traffic. In addition, a firewall may have an intrusion detection system installed, which ensures that unwanted attempts to access, modify or disable the computer are blocked. It is therefore strongly recommended that a firewall be installed on the shopper's computer. And since bugs can occur in a firewall, it is also important to keep the firewall updated [11].

Encryption and decryption: All traffic between two parties can be encrypted when it is sent from the client and decrypted when it is received by the server, and vice versa. Encrypting information makes it much more difficult for an attacker to retrieve confidential information. This is done using either symmetric-key algorithms or asymmetric-key algorithms [11].

Digital signatures: Just like the signatures performed by the human hand, there is also something known as the digital signature. The signature verifies two important things: first, it checks whether the data originates from the original sender, and second, it verifies whether the message has been modified between being sent and being received. This is a great advantage for e-commerce systems [11].

Digital certificates: Digital signatures alone cannot handle the problem of attackers spoofing shoppers with a fake website (a man-in-the-middle attack) to obtain information about the shopper. Using digital certificates solves this problem: the shopper can accept with high probability that the website is legitimate, since it is vouched for by a trusted third party. Furthermore, a digital certificate is not trusted for an unlimited time, so one should check whether the certificate is still valid [11].
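The three paragraphs above (asymmetric keys, signatures, certificates) build on one another, so one added example covers them. This is teaching code written for this page, not code from the essay: textbook RSA with no padding and small keys (the Mersenne primes are an assumption chosen so the arithmetic is visible), a signature that proves origin and integrity, and a minimal certificate that a CA signs with a validity window and a client checks before trusting a shop's key. It has no revocation and no chain of intermediates; a real client uses a vetted TLS library.

```python
import hashlib
import json

# Added example (not part of the original essay): textbook RSA signatures and a
# minimal certificate check built on them. Teaching code only: no padding, small
# keys, no revocation, no chain. The Mersenne primes and the "Example CA" issuer
# name are assumptions for the demo.

CA_PRIMES = (2**61 - 1, 2**89 - 1)
SERVER_PRIMES = (2**107 - 1, 2**127 - 1)


def make_keypair(p, q, e=65537):
    """Return (public, private) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def digest(message, n):
    """SHA-256 of the message as an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private):
    """Only the holder of d can produce this value: that is the origin check."""
    n, d = private
    return pow(digest(message, n), d, n)


def verify(message, signature, public):
    """Fails if the message changed in transit or was signed with another key."""
    n, e = public
    return pow(signature, e, n) == digest(message, n)


def canonical(body):
    """Deterministic serialisation, so signer and verifier hash the same bytes."""
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(subject, subject_public, ca_private, not_before, not_after):
    """The CA binds a hostname to a public key for a limited time and signs it."""
    body = {"subject": subject, "public": list(subject_public),
            "not_before": not_before, "not_after": not_after, "issuer": "Example CA"}
    return {"body": body, "signature": sign(canonical(body), ca_private)}


def check_certificate(cert, ca_public, now, expected_host):
    """Return 'ok' or the reason a shopper's client should refuse the site."""
    body = cert["body"]
    if not verify(canonical(body), cert["signature"], ca_public):
        return "bad signature"
    if not body["not_before"] <= now <= body["not_after"]:
        return "outside validity period"
    if body["subject"] != expected_host:
        return "subject mismatch"
    return "ok"
```

Three of the checks correspond directly to the text: a modified order fails verification (integrity), a signature made with another key fails (origin), and a certificate is refused outside its validity window or when the hostname in it does not match the site the shopper typed, which is what stops the spoofed-website man-in-the-middle. The validity times are plain integers here; a real client compares against the clock.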

Server firewall: Besides the personal firewall, there is also something known as the server firewall. The server firewall is a more complex setup, typically built using a demilitarized zone (DMZ) [11]. In addition, it is also possible to use a honeypot server [11].

These precautions are some of many used in the real world. It is vital to make users aware and to have administrators apply patches to all applications in use, to further protect their systems against attacks. Analyzing and monitoring security logs is another major defence strategy, to see what traffic has occurred. It is therefore important that administrators read their logs frequently and understand which parts have been hit, so that they can update their systems.
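Reading logs "frequently" scales only if the reading is automated. The following is an added example and not code from the essay: a small detector over web server access logs in common log format that flags the two attack patterns from section 4 that leave the clearest trace, repeated failed logins from one address (password guessing) and a burst of 404s on distinct paths (probing for known-vulnerable software). The log lines are constructed, and the thresholds are assumptions to tune per site.

```python
import re
from collections import Counter, defaultdict

# Added example (not part of the original essay): reading access logs for the
# attacks described earlier. The log lines are constructed, not from a real
# server, and the thresholds are assumptions to tune per site.

FAILED_LOGINS = "\n".join(
    f'203.0.113.7 - - [10/Mar/2009:13:55:{s:02d} +0000] "POST /login HTTP/1.1" 401 512'
    for s in range(1, 7)
)
LOG = FAILED_LOGINS + "\n" + """\
198.51.100.23 - - [10/Mar/2009:13:56:10 +0000] "GET /admin.php HTTP/1.1" 404 210
198.51.100.23 - - [10/Mar/2009:13:56:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210
198.51.100.23 - - [10/Mar/2009:13:56:11 +0000] "GET /wp-login.php HTTP/1.1" 404 210
198.51.100.23 - - [10/Mar/2009:13:56:12 +0000] "GET /.env HTTP/1.1" 404 210
192.0.2.44 - - [10/Mar/2009:13:57:03 +0000] "GET /product/17 HTTP/1.1" 200 4821
192.0.2.44 - - [10/Mar/2009:13:57:20 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.44 - - [10/Mar/2009:13:57:41 +0000] "POST /login HTTP/1.1" 302 0
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')


def parse(log):
    """Yield (ip, method, path, status) for each line in common log format."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def detect(log, login_failures=5, probe_paths=3):
    """Flag repeated failed logins (password guessing) and bursts of 404s on
    distinct paths (probing for known-vulnerable software)."""
    failures, probes = Counter(), defaultdict(set)
    for ip, method, path, status in parse(log):
        if method == "POST" and path == "/login" and status == 401:
            failures[ip] += 1
        elif status == 404:
            probes[ip].add(path)
    alerts = []
    for ip, n in failures.items():
        if n >= login_failures:
            alerts.append(("password guessing", ip, n))
    for ip, paths in probes.items():
        if len(paths) >= probe_paths:
            alerts.append(("probing for known bugs", ip, len(paths)))
    return sorted(alerts)
```

The ordinary shopper at 192.0.2.44 mistypes a password once and then logs in; the thresholds keep that below the alert line while the six-in-six-seconds run from 203.0.113.7 and the scan of well-known admin paths from 198.51.100.23 surface. Counting distinct paths rather than raw 404s is deliberate: one broken image link requested many times is not a probe.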

6. Conclusion

In this paper we first gave a brief overview of e-commerce and its applications, but our main focus and the aim of this paper was to present e-commerce security issues and the different attacks that may occur in e-commerce; we also summarized some of the defence mechanisms that protect e-commerce against these attacks. E-commerce has proven its great advantage for shoppers and merchants by reducing costs, but e-commerce security is still a challenge and a significant concern for everybody involved in e-commerce. E-commerce security does not belong only to technical administrators but to everyone who participates in e-commerce: vendors, shoppers, service providers, etc. Even though there are several technologies and mechanisms to safeguard e-commerce, such as user IDs and passwords, firewalls, SSL, digital certificates, etc., we still need to be aware of and prepared for any possible attack that may occur in e-commerce.
