Security and Trust in E-Commerce

The E-commerce Security Environment: The Scope of the Problem
Overall size of cybercrime unclear; amount of losses significant but stable; individuals face new risks of fraud that may involve substantial uninsured losses
– Symantec: Cybercrime on the rise from 2006
– 2007 CSI survey: 46% detected security breach; 91% suffered financial loss as a result
– Underground economy marketplace that offers sales of stolen information growing

The Tension Between Security and Other Values
Security vs. ease of use: the more security measures added, the more difficult a site is to use, and the slower it becomes
Security vs. desire of individuals to act anonymously

Security Threats in the E-commerce Environment
Three key points of vulnerability:
– Client
– Server
– Communications channel

A Typical E-commerce Transaction
SOURCE: Boncella, 2000.

Vulnerable Points in an E-commerce Environment
SOURCE: Boncella, 2000.

Most Common Security Threats in the E-commerce Environment
Malicious code (viruses, Trojans)
Unwanted programs (spyware, browser parasites)
Phishing/identity theft
Credit card fraud/theft
DoS attacks
Insider attacks

Malicious Code
Viruses: Have ability to replicate and spread to other files; most also deliver a “payload” of some sort (destructive or benign); include macro viruses, file-infecting viruses, and script viruses
Worms: Designed to spread from computer to computer
Trojan horse: Appears to be benign, but then does something other than expected
Bots: Can be covertly installed on computer; responds to external commands sent by the attacker

Unwanted Programs
Installed without the user’s informed consent
– Browser parasites: Can monitor and change settings of a user’s browser
– Adware: Calls for unwanted pop-up ads
– Spyware: Can be used to obtain information, such as a user’s keystrokes, e-mail, IMs, etc.

Phishing and Identity Theft
Any deceptive, online attempt by a third party to obtain confidential information for financial gain
– Most popular type: e-mail scam letter
– One of fastest growing forms of e-commerce crime

Hacking and Cybervandalism
Hacker: Individual who intends to gain unauthorized access to computer systems
Cracker: Hacker with criminal intent (two terms often used interchangeably)
Cybervandalism: Intentionally disrupting, defacing or destroying a Web site

Credit Card Fraud
Fear that credit card information will be stolen deters online purchases
Hackers target credit card files and other customer information files on merchant servers; use stolen data to establish credit under false identity
One solution: New identity verification mechanisms

Spoofing (Pharming) and Spam (Junk) Web Sites
Spoofing (Pharming)
– Misrepresenting oneself by using fake e-mail addresses or masquerading as someone else
– Threatens integrity of site; authenticity
Spam (Junk) Web sites
– Use domain names similar to legitimate one, redirect traffic to spammer-redirection domains
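The spoofing and junk-site slides above both rest on names that look like a legitimate one. The following is an added example (not part of the original slides) of how a merchant's security team could screen host names it encounters, such as in phishing reports or certificate-transparency feeds, against its own domains. The domain names, the homoglyph table and the two-label "registrable domain" shortcut are constructed assumptions for illustration; a production check would use the Public Suffix List and a fuller confusables table.

```python
import unicodedata

# Constructed for this example: the merchant's own domains (hypothetical names).
LEGITIMATE_DOMAINS = {"examplebank.com", "example-shop.com"}

# Visual substitutions commonly used in look-alike names. Assumption: a small,
# illustrative table; real deployments use much larger confusable lists.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(name):
    """Fold a host name to a plain-ASCII, homoglyph-collapsed form."""
    name = name.lower().rstrip(".")
    # Strip accents / IDN decorations: "é" -> "e", so "éxamplebank" compares as "examplebank".
    name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    for glyph, canonical in HOMOGLYPHS.items():
        name = name.replace(glyph, canonical)
    return name


def levenshtein(a, b):
    """Edit distance: number of insert/delete/substitute steps turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of the host. Simplification: a real check consults the
    Public Suffix List so that names like 'shop.co.uk' are split correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(hostname, legit=LEGITIMATE_DOMAINS, max_distance=2):
    """Return (verdict, closest_legitimate_domain, edit_distance) where verdict
    is 'legitimate', 'lookalike' or 'unrelated'."""
    host = hostname.lower().rstrip(".")
    reg = registrable(host)
    if reg in legit:
        return ("legitimate", reg, 0)
    norm = normalize(reg)
    distances = {d: levenshtein(norm, normalize(d)) for d in legit}
    best = min(sorted(distances), key=distances.get)  # sorted() keeps ties deterministic
    if distances[best] <= max_distance:
        return ("lookalike", best, distances[best])
    # Brand embedded elsewhere in the name, e.g. examplebank-secure.com or
    # examplebank.com.login-verify.net (the registrable part is someone else's domain).
    full = normalize(host)
    for d in sorted(legit):
        if d.split(".")[0] in full:
            return ("lookalike", d, distances[d])
    return ("unrelated", best, distances[best])


if __name__ == "__main__":
    for h in ["www.examplebank.com", "examp1ebank.com", "exarnplebank.com",
              "exampelbank.com", "examplebank.com.login-verify.net", "otherstore.net"]:
        print(h, "->", classify(h))
```

The three checks are ordered from cheapest to broadest: an exact match on the registrable domain, then homoglyph folding plus a small edit distance, then a search for the brand label anywhere in the host name, which catches the subdomain trick where the registrable part belongs to a different registrant altogether.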

DoS and DDoS Attacks
Denial of service (DoS) attack
– Hackers flood Web site with useless traffic to inundate and overwhelm network
Distributed denial of service (DDoS) attack
– Hackers use numerous computers to attack target network from numerous launch points
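A flood of "useless traffic" is visible in the Web server's own access log long before the site falls over. As an added example (not from the slides), the detector below reads Common Log Format lines, keeps a sliding window of recent requests per client address, and reports sources whose request rate inside any window reaches a threshold; the output would feed a rate limiter or block list. The log lines are constructed inside the example using RFC 5737 documentation addresses, and the window and threshold values are assumptions to be tuned per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format, e.g.
# 203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /checkout HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def find_flood_sources(lines, window=timedelta(seconds=10), threshold=50):
    """Return {client_ip: peak_requests_in_window} for sources whose request
    count inside any window-long span reached the threshold.
    Lines are assumed to be in chronological order, as in a single access log."""
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    peak = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) > peak.get(ip, 0):
            peak[ip] = len(q)
    return {ip: n for ip, n in peak.items() if n >= threshold}


def make_sample_log():
    """Constructed sample: one source sends 120 requests in 6 seconds while two
    ordinary clients browse at a normal pace."""
    base = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)
    events = []
    for i in range(120):  # 20 requests per second from the flooding source
        events.append((base + timedelta(seconds=i // 20), "203.0.113.7", "GET / HTTP/1.1", 200))
    for i in range(5):  # one request every 2 seconds
        events.append((base + timedelta(seconds=2 * i), "198.51.100.2", "GET /product/42 HTTP/1.1", 200))
    for i in range(3):  # one request per second
        events.append((base + timedelta(seconds=i), "192.0.2.9", "POST /cart HTTP/1.1", 302))
    events.sort(key=lambda e: e[0])
    return [
        f'{ip} - - [{ts.strftime(TS_FORMAT)}] "{req}" {status} 512'
        for ts, ip, req, status in events
    ]


if __name__ == "__main__":
    print(find_flood_sources(make_sample_log()))  # only the flooding source is reported
```

Per-source counting like this catches a single-origin DoS; the distributed case on the same slide spreads the load over many addresses so that no one of them crosses the threshold, which is why DDoS defence also needs aggregate measures (total request rate, per-URL rate, upstream filtering) rather than per-IP limits alone.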

Other Security Threats
Sniffing: Type of eavesdropping program that monitors information traveling over a network; enables hackers to steal proprietary information from anywhere on a network
Insider jobs: Single largest financial threat
Poorly designed server and client software: Increase in complexity of software programs has contributed to increase in vulnerabilities that hackers can exploit

Technology Solutions
Protecting Internet communications (encryption)
Protecting networks (firewalls)
Protecting servers and clients