ABSTRACT
Electronic Commerce (E-commerce) refers to the buying and selling of goods and services via electronic channels, primarily the Internet. The applications of E-commerce include online book stores, e-banking, online ticket reservation (railway, airway, movie, etc.), buying and selling goods, online funds transfer and so on. During E-commerce transactions, confidential information is stored in databases as well as communicated through network channels. So security is the main concern in E-commerce. E-commerce applications are vulnerable to various security threats. This results in the loss of consumer confidence. So we need security tools to counter such security threats.

Keywords: Authentication, Confidentiality, Integrity, Security, SSL.

I. INTRODUCTION
E-commerce means conducting business online. Selling goods, in the traditional sense, is possible to do electronically because of certain software programs that run the main functions of an e-commerce Web site, including product display, online ordering, and inventory management. The software resides on a commerce server and works in conjunction with the online payment systems to process payments. Since these servers and data lines make up the backbone of the Internet, in a broad sense, e-commerce means doing business over interconnected networks. The definition of e-commerce includes business activities that are business-to-consumer (B2C), business-to-business (B2B), extended enterprise computing (also known as "newly emerging value chains"), d-commerce, and m-commerce. Examples of E-commerce:
- Accepting credit cards for commercial online sales.
- Generating online advertising revenue.
- Trading stock in an online brokerage account.

E-commerce plays a very important role in the growth of industry, as well as being a convenient and faster method of doing business. As the trend of on-line transactions continues to grow, there will be an increase in the number and types of attacks against the security of on-line payment systems. Such attacks threaten the security of the system, resulting in systems that may be compromised and less protected, and in turn in consumer privacy issues. Consumers may be at risk of losing their personal data, since they may be unaware of the security aspects of performing on-line transactions. Therefore, it is very important to make the Internet safe for buying and selling products on-line. Global privacy consistency is required, as Internet usage is largely unregulated, which means that the laws in one country are not aligned with the laws in other countries. This paper presents an overview of security threats to E-commerce applications and the technologies to counter them. The paper is organized as follows: Section II covers the need for security in E-commerce, Section III the threats to E-commerce applications, Section IV the tools for countering those threats, and finally Section V the conclusion.
II. NEED OF SECURITY IN E-COMMERCE
The six security needs in E-commerce applications are:
- Access Control.
- Confidentiality.
- Authentication.
- Non-Repudiation.
- Integrity.
- Availability.

A. Access Control
Access control ensures that only those who are authorized and require access to resources are given access. This means only authorized persons are allowed to access the resources.

B. Confidentiality
When information is copied or read by someone not authorized to do so, the result is known as loss of confidentiality. For some types of information, confidentiality or privacy is a very important attribute. Examples include research data, insurance and medical records, new product specifications, and corporate investment strategies. In some locations, there may be a legal obligation to protect the privacy of individuals. This is particularly true for loan and bank companies; debt collectors; businesses that extend credit to their customers or issue credit cards; hospitals, doctors' offices, and medical testing laboratories; individuals or agencies that offer services such as psychological counseling or drug treatment; and agencies that collect taxes.

C. Authentication
In e-Business, computing and information security, it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also very important for authenticity to validate that both parties involved are who they claim they are.

D. Non-Repudiation
In law, non-repudiation means one's intention to fulfil their obligations to a contract. It also means that one party of a transaction cannot deny having received a transaction, nor can the other party deny having sent a transaction. E-commerce uses technology such as digital signatures and encryption to establish authenticity and non-repudiation.

E. Integrity
Information can be corrupted when it is available on an insecure communication network. When information is modified in unexpected ways, the result is known as loss of integrity. This means that unauthorized changes are made to information, whether by intentional tampering or human error. Integrity is particularly important for critical safety and financial information used for activities such as electronic funds transfers, air traffic control, and financial accounting.

F. Availability
Information can be erased or become inaccessible, resulting in loss of availability. This means that persons who are authorized to get information cannot get what they need. For an information system to serve its purpose, the information must be available whenever it is needed. This means that the computing systems used to store and process the information, the security controls used to protect that information, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades.

III. THREATS TO E-COMMERCE SECURITY
A. Authentication Attacks
These types of attacks occur when a user changes system resources or gains access to system information without authorization, by either sharing logins or passwords or using an unattended terminal with an open session. A password attack is a frequently used method of repeated attempts on a user account and password.
They are performed using a program that runs across a network and attempts to log into a shared resource.

B. Integrity Attacks
In this type of attack, data or information is added, modified, or removed in transit across the network. This requires root access to the router or a system. If a program does not check the buffer limits when reading or receiving data, this opening can be exploited by an attacker to add arbitrary data into a program or system. When run, this data gives the intruder root access to the system. Integrity attacks can create a delay, causing data to be held or otherwise made unavailable for a period of time. The attackers flood the network with useless traffic, making the system extremely slow to serve the customers and, in the extreme case, causing the system to crash. They could also cause the data to be discarded before final delivery. Both delay and denial attacks can result in denial of service (DoS) to the network users.

C. Confidentiality Attacks
Because network computers communicate serially (even if networks communicate in parallel) and contain limited immediate buffers, data and information are transmitted in small blocks or pieces called packets. Hackers use a variety of methods known collectively as social engineering attacks. With the dozens of shareware and freeware packet sniffers available, which do not require the user to understand anything about the underlying protocols, attackers can capture all network packets and thereby the users' login names, passwords, and even accounts. The attackers usually take advantage of human tendencies, e.g. using the same single password for multiple accounts. More often than not they are successful in gaining access to corporate sensitive and confidential information. Some snooping attacks place the network interface card in promiscuous mode, while other packet sniffers capture the first 300 bytes of all telnet, file transfer protocol (FTP), and login sessions.

D. Virus
Viruses are computer programs that are written by devious programmers and are designed to replicate themselves and infect specific computers when triggered by a specific event. For example, viruses called macro viruses attach themselves to files that contain macro instructions (routines that can be repeated automatically, such as mail merges) and are then activated every time the macro runs. The effects of some viruses are relatively benign and cause annoying interruptions such as displaying a comical message when a certain key is struck on the keyboard. Other viruses are more destructive and cause such problems as deleting files from a hard disk or slowing down a system. A network can be infected by a virus only if the virus enters the network through an outside source, for example through an infected floppy disk or a file downloaded from the Internet. When one computer on the network becomes infected, the other computers on the network are highly susceptible to contracting the virus.

E. Trojan Horse
A trojan horse is malicious code which requires users to invite it in, and is therefore disguised as something else. Unsuspecting users will allow the trojan into their machine through a seemingly harmless and routine task, only to have their system compromised. A typical trojan horse will be presented as something useful, such as an e-mail alert regarding a new security patch. The e-mail might provide a link, inviting the user to click on it to download and install the patch. When the link is followed, the trojan gains access to the user's computer and then executes its programmed task. By design, a trojan horse is used by hackers to gain access to a large network or secure system so as to put it to use for their own purposes.

F. Worms
Computer worms are malicious programs designed to spread via computer networks. Computer worms are one form of malware, along with viruses and trojans. A person typically installs a worm by inadvertently opening an e-mail attachment or message that contains executable scripts. Once installed on a system, worms spontaneously generate additional e-mail messages containing copies of the worm. They may also open TCP ports to create network security holes for other applications, and they may attempt to "flood" the network with spurious Denial of Service (DoS) data transmissions. Being embedded inside everyday network software, computer worms easily penetrate most firewalls and other network security measures.

G. Database Threats
E-commerce systems store user personal data and retrieve product information from databases connected to the web server. Besides product information, databases connected to the web contain valuable and private information that could irreparably damage a company if it were altered or disclosed. Some databases store username and password pairs in a non-secure way.
If someone obtains user authentication information, then he/she can masquerade as a legitimate database user and reveal private and costly information.

IV. SECURITY TECHNOLOGIES
Two types of encryption methods offer reliable protection to E-commerce businesses. They are symmetric and asymmetric.

A. Symmetric Encryption
Symmetric encryption may also be referred to as single-key or shared-secret encryption. In symmetric encryption, a single key is used both to encrypt and decrypt messages. Common symmetric encryption algorithms include AES, DES, 3DES, and RC4. Symmetric encryption algorithms can be extremely fast and of low complexity, which allows for easy implementation in hardware. They require that all hosts participating in the encryption have already been configured with the shared secret key through some external means.

B. Asymmetric Encryption
Asymmetric encryption is also known as public-key cryptography or two-key encryption. Asymmetric encryption differs from symmetric encryption primarily in that two keys are used: one for encryption and the other for decryption. The most common public-key encryption algorithm is RSA. Compared to shared-key encryption, asymmetric encryption imposes a high computational burden and tends to be much slower. Its major strength is its ability to establish a secure channel over a non-secure medium (for example, the Internet). This is accomplished by the exchange of public keys, which can only be used to encrypt information. The complementary private key (not shared) is used to decrypt.

C. Secure Socket Layer
The E-commerce business is all about making money and finding ways to make more and more money. But that is hard to do if consumers do not feel safe executing a transaction on your Web site. Secure Socket Layer (SSL) is a commonly used protocol for managing the security of a message transmission on the Internet. When you have SSL, you are protected as well as your customer. The server, which is basically another name for a computer that stores information about your website for viewing by customers and others, must have a digital SSL certificate. SSL provides these certificates and is able to read them. SSL certificates come from a trusted third party that can guarantee the encryption process. The SSL certificate is proof that the server is what it says it is. Having SSL makes it harder for fraudsters to pretend to be another server.

D. Digital Signature
Based on the public-key cryptographic method combined with data hashing functions such as MD5 and SHA-1, digital signatures are implemented to verify the origin and contents of the online transaction, translating to consumers proving their identity to vendors in the transaction and providing non-repudiation features. A digital signature functions for an electronic document like a handwritten signature does for printed documents. The handwritten signature is an unforgeable piece of data that asserts that a named person wrote or otherwise agreed to the document to which the signature is attached. A digital signature actually provides a greater degree of security than a handwritten signature. The recipient of a digitally signed message can verify both that the message originated from the person whose signature is attached and that the message has not been modified, either intentionally or accidentally, since it was signed. Furthermore, secure digital signatures cannot be repudiated; this means the signer of a document cannot later disown it by claiming the signature was forged. Digital signatures thus assure the recipient of a digital message of both the identity of the sender and the integrity of the message.
E. Digital Certificates
Digital Certificates provide a means of proving a person's identity in electronic transactions, much like a driver's license or a passport does in face-to-face interactions. With a Digital Certificate, you can assure business associates, friends and online services that the electronic information they receive from you is authentic. Digital Certificates bind an identity to a pair of electronic keys that can be used to encrypt and sign digital information. A Digital Certificate makes it possible to verify someone's claim that they have the right to use a given key, helping to prevent users from using phony keys to impersonate other users. A Digital Certificate is issued by a Certification Authority (CA) and signed using the CA's private key. Digital Certificates can be used for a variety of electronic transactions, including e-mail, electronic commerce, groupware and electronic funds transfers.

F. Smart Cards
A smart card can generally be defined as a plastic card with dimensions similar to traditional debit/credit cards, into which an electronic device has been incorporated to allow information storage. Frequently, it also has an integrated circuit chip with data processing capacity. Smart cards are normally separated into two categories: microprocessor cards and memory cards, commonly named smart cards for their capability to do data processing and the sophisticated algorithms embedded in them. The lack of security and a fear of hackers are some of the reasons that have caused the slow growth of online interactive commercial transactions among individuals and enterprises, generally called consumer-to-business (C2B) e-commerce. In spite of the number of these breaches, credit cards are being used as one of the payment mechanisms over the Internet. As long as commercial transactions over the Internet are not too great in number and have a small individual economic value, the actual threat could be considered at a low or acceptable risk level. Once this type of transaction gains more consumer confidence and the volume increases, it will attract more and more fraud activities, thus increasing the level of risk exposure. One of the techniques that has begun to be used in France and other countries is the smart card with a C-SET (Chip-Secure Electronic Transaction) protocol for online authentication. This authenticates both the card and the customer, and therefore offers a payment guarantee without customer non-repudiation.

G. Electronic Money
Electronic money or digital cash (DC) is an electronic method of payment on the Internet, with the result that money is transferred from one account to another. One can visualize a DC transaction as a foreign exchange market, in the sense that money is converted to DC before it can be spent. When making a purchase, a buyer will send a 'digital coin' message encrypted with its private key containing his identity, the amount of the coin, Internet address, its serial number and expiry date. A record is kept of that transaction to ensure that the coin is not double spent. The digital coin is also encrypted with the merchant's public key. The merchant decrypts the digital coin with his private key and verifies the message. The issuer must verify the serial number of the digital coin to confirm that it is still current and has not already been spent. The issuer then credits the merchant's bank account with the currency and then cancels the serial number.
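Added example for Section G (not from the paper, and not an implementation of any real e-cash product): the issuer's side of the digital-coin flow, showing the serial-number ledger that rejects a coin presented twice, an altered amount, and an expired coin before any account is credited. To run offline with the standard library, the buyer's private-key signature and the merchant-key encryption are replaced by an HMAC tag under an issuer secret; the coin fields, names and dates are constructed.

```python
import hashlib
import hmac
import json
import secrets

class Issuer:
    """Bank side of the digital-cash flow: mints coins, keeps the serial-number
    ledger, and credits the merchant only for a genuine, current, unspent coin."""

    def __init__(self):
        self.mint_key = secrets.token_bytes(32)  # issuer secret (assumption; see lead-in)
        self.spent_serials = set()               # cancelled serial numbers
        self.accounts = {}                       # merchant -> balance credited

    def _tag(self, body):
        # Canonical JSON so the same fields always produce the same tag.
        data = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.mint_key, data, hashlib.sha256).hexdigest()

    def mint(self, owner, amount, expiry):
        """Issue a coin carrying the fields the paper lists: identity, amount,
        Internet address, serial number and expiry date (ISO date string)."""
        body = {"owner": owner, "amount": amount, "address": owner + "@example.net",
                "serial": secrets.token_hex(8), "expiry": expiry}
        return {"body": body, "tag": self._tag(body)}

    def redeem(self, coin, merchant, today):
        """The merchant presents the coin; verify, then credit and cancel the serial."""
        body = coin["body"]
        if not hmac.compare_digest(self._tag(body), coin["tag"]):
            return "rejected: coin altered or not issued by us"
        if body["expiry"] < today:  # ISO dates compare correctly as strings
            return "rejected: coin expired"
        if body["serial"] in self.spent_serials:
            return "rejected: double spend"
        self.spent_serials.add(body["serial"])  # cancel the serial number
        self.accounts[merchant] = self.accounts.get(merchant, 0) + body["amount"]
        return "credited"

def run_purchase_scenario():
    """Honest payment, replay of the same coin, a tampered amount, and a stale coin."""
    bank = Issuer()
    today = "2024-03-01"
    coin = bank.mint("alice", 25, expiry="2024-12-31")
    results = [bank.redeem(coin, "bookshop", today),
               bank.redeem(coin, "bookshop", today)]  # same serial presented again
    forged = {"body": dict(coin["body"], amount=2500), "tag": coin["tag"]}
    results.append(bank.redeem(forged, "bookshop", today))
    stale = bank.mint("alice", 10, expiry="2023-01-31")
    results.append(bank.redeem(stale, "bookshop", today))
    return results, bank.accounts
```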
V. CONCLUSION
Security in electronic commerce is becoming more topical as the shift from traditional shopping and transactions moves away from physical stores to online. Security has three main concepts: confidentiality, integrity, and availability. Confidentiality ensures that only authorized parties can read protected information. Integrity ensures that data remains as is from the sender to the receiver. Availability ensures that you have access and are authorized to use resources. Globally, E-commerce is growing, but it comes with a risk that some part of the transaction is compromised, which may lead to financial loss or unintended sharing of private information. It is therefore the security of e-commerce transactions that is a critical part of the ongoing success as well as growth of E-commerce. The security threats to E-commerce include viruses, worms, Trojan horses, denial of service, and password theft. The technologies for protecting E-commerce transactions include encryption of data, SSL, digital signatures, digital certificates, smart cards and e-cash.