Invasion of privacy—especially related to minors
Privacy is very important to the home user when purchasing over the internet. However, when the user is underage there must be sufficient protection. This is for their safety, given the increase in child abuse and so on. Normally, however, minors cannot purchase over the internet for these reasons alone.
Unauthorized changes to database records
There are some extreme reasons why this is a very dangerous security issue when using the internet and e-commerce. Someone’s data (and the business’s own stored data) must be protected at all costs. If someone gains access to the database of information, which may contain bank details or home addresses, then there are some very big issues that need to be looked at.
Fraud
Fraud is a very obvious, yet very serious, threat and is one of the most common internet crimes of all time. Fraud can be committed in many ways and it is becoming harder and harder for all businesses to combat it. To do so, a few initiatives have been set up and put in place, but these will be spoken about later.
Spreading viruses
The spreading of viruses on the internet is another big cause of internet crime, especially relating to e-commerce. Viruses and spyware have common tools that allow their creators to see what information users put into their computers and then send this information back to them. For this reason both users and businesses are affected by fraud. On the flip side, a business may become infected with viruses and spyware, and this would allow an attacker to attempt to steal personal information.
Email harassment, Employee privacy
The above two are both to do with the protection of data. If data is protected in the correct way then these security errors cannot occur. The Data Protection Act has been implemented and is a standard law that is meant to combat this.
We can see that the above security issues are all very important to consider when choosing to use e-commerce. Nevertheless, governments across the world are introducing rules and regulations to stop them, or at least try to stop them, from happening. Below is a list of what I believe to be the most important procedures in preventing the main security issues.
- The Data Protection Act
- SSL (Secure Sockets Layer)
- Encryption
- Secure e-mails
- Reliable credit card processing
- Firewalls
- Anti Virus Software
- TPM (Trusted Platform Modules)
When deciding if e-commerce has security flaws or not we need to consider if the above list has been implemented properly. If it has, then there is no need to worry; if not, then the internet site being used for e-commerce isn’t a safe place.
In the next task I will prove that the internet is a safe place to trade by using detailed examples to support this.
Task 2
Introduction
It is my opinion that the method of trading over the internet is very insecure. What we have to remember is that the internet was designed for the following reason: “to route data between any two destinations over the internet”. There was absolutely no other purpose for which the internet was intended. However, as time has passed we have found new uses and new methods for the internet, which has meant some external protection is needed. If the external methods are implemented with aplomb then there is no safer way of carrying out a transaction. But how many other methods are needed to make e-commerce transactions safe? Quite a few; they shall be explained in more detail below.
The Data Protection Act
This is where information on individuals must be kept completely confidential and can only be used for the purposes it was gathered for. To store information about individuals on a computer system, a business must first register with the data protection registrar. At any time, an individual has the right to see what information is being kept about them. By adopting this method we can be 100% sure that when any information is passed to a company or a business, they by law have no right to distribute or modify this data in any way whatsoever.
E-commerce is currently one of the best ways for businesses to take information from customers and gather as much knowledge as possible in order to build a better knowledge base. E-tailers and telecommunication companies claim that this ability to gain information will help them to a greater understanding of the consumer's needs. However, should the law allow companies to use this information as they want? The answer is no.
If you walk into a shop and pay by card, do you know what happens to your information? Most people nowadays don’t even consider it any more. This is because they know (or hope) that it’s going to be protected. Well, it has to be by law, and this is the same for e-commerce. So when comparing data security, as far as keeping data and not distributing it goes, the e-commerce world is just as safe as the manual, bricks and mortar methods.
SSL (Secure Sockets Layer)
When using the internet there are many differing types of protocols that are used. A protocol is a method of describing how certain things should be carried out in order for a process to be completed successfully. In this case the Secure Sockets Layer uses the methods of encryption and decryption, and to do so an algorithm must be implemented. Further to this, the business tends to adopt a further network called a virtual circuit, which is devoted to the encryption and decryption process. This is a very secure method of transferring data and therefore means the likelihood of hackers successfully gaining detailed information is kept to a minimum.
Dedicated, protected servers back up the process of SSL, which means all transactions can be kept separate so that any unauthorised access can be avoided. It is ultimately the servers that are protected by SSL, and therefore the process needs to be set up by the business in the first place. If this is done it is a very effective method of preventing unwanted intrusion or data loss. In comparison with the day-to-day bricks and mortar methods we see a similar stance: an encrypted process when entering the PIN into the card machine, which sends the encrypted value down the connection, where it is ultimately received, decrypted and sent back to the user. So again we see similar methods being used, and we can therefore deduce that it is just as safe to use as the conventional in-store method. If anything the in-store method is worse, as the user of the PIN may be watched, the card then stolen and fraud committed.
Reliable credit card processing
If the website has been set up correctly, then when we go to enter our details, sufficient checks are put in place for the system to detect whether the correct card holder is using the selected card. The checks can be very different depending on the firm, but normally the following are used as a standard:
- Name
- Address
- Date of birth
- Expiry Number
- Maiden Names / Previous Names
We can see that if an untrusted user were to try to gain access or purchase with someone else’s details or cards, then the chances of success are limited greatly, whereas chip and PIN is a lot easier to use. The perpetrator need not know any details other than the PIN, and then there tend to be absolutely no other checks. This is a very dangerous process and can lead to many fraudulent attempts at gaining money or goods. Again, e-commerce is safer.
Firewalls and Anti Virus Software
In this day and age it is important to have as much security on the computer as at the home, and with the new digital era really in blossom there has never been a greater need for it. As for the personal computer, when it is being used for day-to-day activities we can see a clear need for anti-virus protection and anti-spyware detection, but why? Well, more and more people are in the market to defraud you and to commit crime, and the internet has opened up a whole new can of worms. But why these two pieces of software? Well, given that these viruses and spyware can trace your every move and copy all the details you enter into your machine, we can see that there is a massive security risk if the computer is used for e-commerce or online banking.
Real World Examples
The security measures written above are all general examples of measures that can be taken in order for businesses to function and provide secure methods for the public. The methods vary from business to business and I shall now provide two examples of differing businesses utilising these technologies.
Online Banking and eBay
Online banking is one of the more popular online activities to have migrated from the typical high street chore. Nowadays more and more people tend to use this type of e-commerce than the traditional shop (bricks and mortar stores). There are many reasons for this, but the two key ones are the time-saving capabilities and the security implications.
Typically the online banking procedure requires the user to apply for a unique ID, which is then sent in the post. This is then typed in by the user, who can then proceed to make their own user name and password, which will always be used from here on. However, this is a pretty basic form of security, and the standard user name and password is by no means sufficient for the public to ensure all their details remain safe.
There are always people trying to steal information and this can be done in many ways. However, the most common ways of stealing the user names and passwords of online banking users are phishing and pharming, cross-site scripting, and key loggers/Trojan horses.
The first two, phishing and pharming, have ethical principles behind them, the first being a social attempt to lure users into providing details and information, the latter being that of the hacker trying to redirect users to another site where their details will be entered and stored for fraudulent activities. Pharming can either exploit the home user or a shabby DNS server setup; this is the most common type.
Cross-site scripting is another problem that was listed above. It involves the use of malicious code placed into a web page and typically involves HTML coding, although this isn’t a stringent rule. In some ways this security implication is directly linked to the phishing element of security risks.
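The cross-site scripting point above, as an added example that is not part of the original essay: a page that writes a user-supplied value straight into its HTML, beside a version that encodes it first. The function names, the payee field and the sample inputs are all hypothetical and constructed for illustration.

```javascript
// Added illustration: the function names and sample values are hypothetical.

// Characters that let text break out of HTML element content or a quoted attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the payee reference is concatenated straight into the page markup,
// so any HTML it contains becomes part of the page.
function renderRowUnsafe(payee) {
  return '<td title="' + payee + '">' + payee + '</td>';
}

// Hardened: the same value is encoded for HTML before it is written out,
// so the browser displays it as text instead of interpreting it.
function renderRowSafe(payee) {
  const safe = escapeHtml(payee);
  return '<td title="' + safe + '">' + safe + '</td>';
}

// Counts the opening tags a browser would see (a rough check for this demo only).
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed inputs: a normal payee and one carrying script markup.
const normalPayee = 'Smith & Sons';
const hostilePayee = '"><script>alert(1)</script>';

console.log(renderRowUnsafe(hostilePayee));
console.log(renderRowSafe(hostilePayee));
```

The unsafe row ends up containing extra script elements, while the safe row still contains only the single table cell the page author wrote.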
Key loggers and Trojan horses are the most common to be found on home users' machines, and it is normally up to the home user to provide the security against these, as opposed to the actual banking system itself. Trojan horses are embedded deep in the root system files and monitor and report back activity to a host who could be located anywhere in the world; this is a major security concern. Key loggers are the same, but typically for one of these to be used the hacker needs physical access to the target computer, unless the user can be fooled into downloading and setting it up, which seems very unlikely.
So now we have looked at the major security implications of online banking, and considered a user name and password as a secure option. But this just isn’t enough to combat the above. We need to also implement the following at least.
Firstly, the usage of online digital signatures is an absolute must on the bank's part, and in some cases on the browser's as well, so there is actually a third party here that needs to implement some measures. A digital signature/certificate is an electronic document which incorporates a digital signature to bind together a public key with an identity: information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual. On top of this we could use, and in some cases do use, hardware and/or software tokens. An example of a hardware token could be a physical device carried by the user, small enough to fit in the pocket, which in turn could carry the digital certificate. To protect against the Trojan horse there isn’t much the bank can do, unless it is their own end they are protecting as opposed to the user's end, in which case both would supply their own anti-virus software which constantly monitors activities on the machines. Used in conjunction with firewall software, both ends should be just fine. If all the above processes are followed then the user should have no problems carrying out their banking tasks online and there would be a very minimal risk. Obviously the banks implement other security features, but those are much more advanced.
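The binding described above, as an added example that is not part of the original essay: a toy certificate (not real X.509) in Node.js, in which a hypothetical certificate authority signs a bank's name, address and public key so that a browser can check them. All names, keys and helper functions are constructed for illustration.

```javascript
// Added illustration: a toy certificate, not a real X.509 implementation.
const crypto = require('node:crypto');

// Serialise the certified fields in a fixed order so that the signer and
// the verifier process exactly the same bytes.
function certBody(cert) {
  return Buffer.from(JSON.stringify([cert.subject, cert.address, cert.publicKeyPem]));
}

// The certificate authority (CA) binds an identity to a public key by signing both.
function issueCertificate(caPrivateKey, subject, address, subjectPublicKey) {
  const publicKeyPem = subjectPublicKey.export({ type: 'spki', format: 'pem' });
  const cert = { subject, address, publicKeyPem };
  cert.signature = crypto.sign(null, certBody(cert), caPrivateKey).toString('base64');
  return cert;
}

// The relying party (for example the browser) trusts only the CA's public key.
function verifyCertificate(caPublicKey, cert) {
  const sig = Buffer.from(cert.signature, 'base64');
  return crypto.verify(null, certBody(cert), caPublicKey, sig);
}

// Proof of possession: the site signs a fresh challenge with the private key
// that matches the public key named in its certificate.
function provesKeyOwnership(cert, challenge, response) {
  return crypto.verify(null, challenge, crypto.createPublicKey(cert.publicKeyPem), response);
}

// Constructed sample parties: a CA, a bank and an impostor.
const ca = crypto.generateKeyPairSync('ed25519');
const bank = crypto.generateKeyPairSync('ed25519');
const impostor = crypto.generateKeyPairSync('ed25519');
const bankCert = issueCertificate(ca.privateKey, 'Example Bank plc', '1 High Street', bank.publicKey);

// The impostor keeps the bank's name but swaps in their own public key.
const forgedCert = {
  ...bankCert,
  publicKeyPem: impostor.publicKey.export({ type: 'spki', format: 'pem' }),
};

const challenge = crypto.randomBytes(32);
const bankResponse = crypto.sign(null, challenge, bank.privateKey);
const impostorResponse = crypto.sign(null, challenge, impostor.privateKey);

console.log('genuine certificate valid:', verifyCertificate(ca.publicKey, bankCert));
console.log('forged certificate valid:', verifyCertificate(ca.publicKey, forgedCert));
console.log('impostor owns bank key:', provesKeyOwnership(bankCert, challenge, impostorResponse));
```

Changing any certified field, or presenting the genuine certificate without the matching private key, makes one of the two checks fail.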
eBay
eBay and similar places actually have security limitations; in fact, with such a number of people using the site, it is a prime target for attacks. And we can see that it counters these problems in the same sort of way as the banks. eBay has been caught out a couple of times, but with the millions of people that use it, two times isn’t bad.
eBay uses exactly the same system as the banks, but the big difference is that the money exchange is done using a third party called PayPal. This means that all users can rest assured, knowing that all that can be lost is their personal details. If a hacker did get my details he or she couldn’t access PayPal without having the separate login information, thus limiting the potential for theft. As well as this, eBay will have all the same digital signature software, anti-virus software and things that the banks have. Maybe a little less strict though.
Conclusion
Overall I can see that there are many features that are included to make the shopping experience of e-commerce safer than the day to day method of the bricks and mortar stores. However we must conclude that the task of completely eradicating all security errors is almost absolutely impossible. There will always be a threat no matter how good your defence is and it’s just a case of trying to make systems as secure as possible.