Tuesday, June 4, 2019
Study Of Attacks On E Commerce Systems Computer Science Essay
Electronic commerce (e-commerce) services have now become a core element of business and increasingly popular in the commercial and Web environment. Electronic commerce, networks and the Web environment have enabled businesses to reduce costs and offer many benefits both to the consumer and to the business. According to Forrester Research, online retail sales in the United States for 2003 exceeded $100 billion. As information technology and the use of the Internet grow every day, the demand for secure information and electronic services is growing with them. Every online transaction on the Internet can be monitored and stored in many different locations; since the Internet is a public network, it becomes very important for businesses to understand the possible security threats and vulnerabilities to their business. The key factor that affects the success of e-commerce is secure exchange over the network. In this paper we describe some of the security threats and vulnerabilities concerning e-commerce security.

Keywords: e-commerce security, threats, vulnerability, attacks

1. Introduction

The improvements that the Internet has made during the past few years have changed the way people see and use the Internet itself. The more its use grows, the more attacks are designed against these systems and the more the security risks increase. Security has become one of the most important issues and a significant concern for e-commerce that must be resolved [1]. Every private and public organization is taking computer and e-commerce security more seriously than before, because any possible attack directly affects the e-commerce business [5]. The Internet and Web environment can provide as many security threats and vulnerabilities as opportunities for a company.

The low cost and high availability of the worldwide Internet for businesses and customers has made a revolution in e-commerce [1].
This revolution in e-commerce in turn increases the requirement for security, as well as the number of online frauds and deceptions, as shown in Figure 1. Although a very large amount of time and money has been invested in providing secure networks, there is still always the possibility of a breach of security [5]. According to the IC3 2007 annual report, the total dollar loss from all referred complaints of fraud was $239.09 million [3]. The majority of these frauds were committed over the Internet or similar online services. Security is still a significant concern for e-commerce and a challenge for every company. Mitigating security threats and vulnerabilities is still a battle for every company [5]. A good security infrastructure means good productivity for the company.

Figure 1: Incidents of Internet fraud [15]

In the first section of this paper we give a brief description of e-commerce and the types of e-commerce; in the second section we describe the security issues and some of the threats, vulnerabilities and attacks in e-commerce. The last section discusses various defence mechanisms used to protect e-commerce security, which is still a high concern of business.

2. E-commerce background

Information and communication technology has become a more and more essential and integral part of business. This heavy use of information technology has changed the traditional way of doing business. This new way of doing business is known as Electronic Commerce (E-Commerce) or Electronic Business (E-Business) [12]. Electronic commerce, or e-commerce, means buying and selling products or services over the part of the Internet called the World Wide Web. According to VeriSign (2004), electronic commerce is a strategic imperative for some competitive organisations today, as it is a key to finding new sources of revenue, expanding into new markets, reducing costs, and creating breakaway business strategies.
E-commerce includes electronic trading, trading of stocks, banking, hotel booking, purchases of airline tickets etc. [2]. There are different types of e-commerce, but we will cover e-commerce in terms of three types of business transaction:

B2B (business to business)
B2C (business to consumer)
C2C (consumer to consumer) [4]

Business to Business (B2B) e-commerce is simply defined as commerce transactions among and between businesses, such as the interaction between two companies, between a manufacturer and a wholesaler, or between a wholesaler and a retailer [16]. There are four basic roles in B2B e-commerce: suppliers, buyers, market-makers and web service providers. Every company or business plays at least one of them, and many companies or businesses play multiple roles [9]. According to the Queensland government's department of state development and innovation (2001), B2B e-commerce made up 94% of all e-commerce transactions [8]. Good examples and models of B2B are companies such as IBM, Hewlett Packard (HP), Cisco and Dell.

Business-to-Consumer (B2C) e-commerce is commerce between companies and consumers: businesses sell directly to consumers either physical goods (such as books, DVDs or consumer products) or information goods (goods of electronic material or digitized content, such as software, music, movies or e-books) [10]. In B2C the web is usually used as a medium to order physical goods or information goods [8]. An example of a B2C transaction would be a person buying a book from Amazon.com. According to eMarketer, B2C e-commerce revenue will increase from US$59.7 billion in 2000 to US$428.1 billion by 2004 [10].

Consumer to Consumer (C2C) e-commerce is the type of e-commerce which involves business transactions among private individuals or consumers using the Internet and the World Wide Web. Using C2C, customers can advertise goods or products and sell them directly to other consumers.
A good example of C2C is eBay.com, an online auction where customers, by using this web site, are able to sell a wide variety of goods and products to each other [6]. There is less information on the size of global C2C e-commerce [10]. Figure 2 illustrates some of the e-commerce business models described above.

Figure 2: Common e-commerce business models [14]

3. Security threats to e-commerce

Security has three basic concepts: confidentiality, integrity, and availability. Confidentiality ensures that only authorized persons have access to the information and that unauthorized persons do not; integrity ensures that the information stored on any device or exchanged during a communication process is not modified by any malicious user; availability ensures that the information is available when it is needed [16]. Security plays an important role in e-commerce. The number of online transactions has increased tremendously in recent years, and this has been accompanied by an equal rise in the number of threats and types of attacks against e-commerce security [13]. A threat can be defined as the potential to exploit a weakness that may result in unauthorised access or use, disclosure of information or consumption, theft or destruction of a resource, or disruption or modification [8]. The e-commerce environment has different members involved in the e-commerce network:

Shoppers, who order and buy products or services
Merchants, who offer products or services to the shoppers
The software (web site) installed on the merchant's server, and the server itself
The attackers, who are the dangerous part of the e-commerce network

Looking at the above parties involved in the e-commerce network, it is easy to see that malicious hackers threaten the whole network and are its most dangerous part. These threats to e-commerce can abuse, misuse and cause high financial loss to business.
Figure 3 briefly displays the methods the hackers use in an e-commerce network [11].

Figure 3: Target points of the attacker [11]

The assets that must be protected to ensure secure electronic commerce in an e-commerce network include the customers' (shoppers') computers, or client side; the transactions that travel over the communication channel; the web site on the server; and the merchant's server, including any hardware attached to the server, or server side. The communication channel is one of the major assets that need protection, but it is not the only concern in e-commerce security. Client-side security is the major security concern from the user's point of view, while server-side security is the major concern from the service provider's point of view. For example, if the communication channel were made secure but there were no security measures for either the client side or the server side, then no secure transmission of information would exist at all [1, 2]. As Figure 3 shows, there are several different security attack methods that an attacker or hacker can use against an e-commerce network. In the next section we describe potential security attack methods.

4. Possible attacks

This section overviews and describes various attacks that can occur in the course of an e-commerce action. Moreover, ethical aspects are taken into consideration. From an attacker's point of view, there are multiple actions that the attacker can perform while the shopper has no clue what is going on. The attacker's purpose is to gain access to every piece of information in the network flow, from the moment the buyer presses the buy button until the web server has responded. Furthermore, the attacker tries to attack the application system in a most discreet and ethical way.
An overview of various attacks on e-commerce is given below.

Tricking the Shopper: One very profitable and simple way of capturing the shopper's behaviour and information, to use against the shopper, is by tricking the shopper, which is otherwise known as the social engineering technique. This can be done in various ways. Some of them are:

An attacker can call the shopper, pretending to be an employee of a shopping site, to extract information about the shopper. Thereafter, the attacker can call the shopping site, pretend to be the shopper, ask them for the user information, and further ask for a password reset on the user account. This is a very usual scenario.

Another example would be to reset the password by giving information about a shopper's personal details, such as the date of birth, mother's maiden name, favourite movie, etc. If the shopping web site gives this information away, then retrieving the password is not a big challenge any more.

A last way of retrieving personal information, which is used a lot on the World Wide Web today, is phishing schemes. It is very difficult to distinguish, for example, www.microsoft.com/shop from www.micorsoft.com/shop. The difference between these two is a swap of the letters r and o. But entering the wrong, false shop, which pretends to be the original shop with login forms and password fields, will provide the attacker with all confidential information. This happens if the shopper mistypes the URL. The mistyped URL might also be sent by e-mail, pretending to come from the original shop, without the buyer noticing anything [11, 15].

Password Guessing: Attackers are also aware that it is possible to guess a shopper's password. But this requires information about the shopper. The attacker might need to know the birthday, the age, the last name, etc. of the shopper in order to try different combinations.
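A merchant can blunt this kind of guessing at registration time by refusing passwords built from the shopper's own details or from common words (the advice given later under Setting a Safe Password). The Go program below is an added example, not code from the essay or its references: it derives the tokens an attacker would try first from the shopper's profile, undoes the usual letter-for-digit substitutions before the dictionary check, and returns the list of policy violations. The Profile fields, the 12-character minimum, the substitution table and the six-word list are assumptions standing in for a real policy and dictionary file.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Profile holds the registration details an attacker could learn about a shopper.
// The field set is an assumption for this example.
type Profile struct {
	Name      string
	Birthdate string // ISO date, e.g. "1985-07-21"
	Email     string
}

// wordlist is a tiny constructed stand-in for a real dictionary/common-password file.
var wordlist = []string{"password", "welcome", "letmein", "shopping", "qwerty", "summer"}

// leet undoes common digit/symbol substitutions so "P@ssw0rd" is still caught
// as the dictionary word "password".
var leet = strings.NewReplacer("@", "a", "0", "o", "1", "l", "3", "e", "4", "a", "$", "s", "5", "s")

// personalTokens derives the strings an attacker would try first: name parts,
// the e-mail local part, the birth year and the birthdate digits.
func personalTokens(p Profile) []string {
	var toks []string
	for _, part := range strings.Fields(strings.ToLower(p.Name)) {
		if len(part) >= 3 {
			toks = append(toks, part)
		}
	}
	if at := strings.Index(p.Email, "@"); at > 0 {
		toks = append(toks, strings.ToLower(p.Email[:at]))
	}
	if len(p.Birthdate) >= 4 {
		toks = append(toks, p.Birthdate[:4], strings.ReplaceAll(p.Birthdate, "-", ""))
	}
	return toks
}

// CheckPassword returns the policy violations for a candidate password; an empty
// result means the password is acceptable. The 12-character minimum is an assumption.
func CheckPassword(pw string, p Profile) []string {
	var problems []string
	if len([]rune(pw)) < 12 {
		problems = append(problems, "shorter than 12 characters")
	}
	var hasLetter, hasDigit, hasOther bool
	for _, r := range pw {
		switch {
		case unicode.IsLetter(r):
			hasLetter = true
		case unicode.IsDigit(r):
			hasDigit = true
		default:
			hasOther = true
		}
	}
	if !(hasLetter && hasDigit && hasOther) {
		problems = append(problems, "needs letters, digits and at least one other character")
	}
	lower := strings.ToLower(pw)
	normalised := leet.Replace(lower)
	for _, w := range wordlist {
		if strings.Contains(normalised, w) {
			problems = append(problems, "contains dictionary word "+w)
		}
	}
	for _, tok := range personalTokens(p) {
		if strings.Contains(lower, tok) || strings.Contains(normalised, tok) {
			problems = append(problems, "contains personal information "+tok)
		}
	}
	return problems
}

func main() {
	// Constructed shopper profile and candidate passwords.
	shopper := Profile{Name: "Anna Larsen", Birthdate: "1985-07-21", Email: "anna.larsen@example.com"}
	for _, pw := range []string{"Larsen1985!", "P@ssw0rd2019!!", "Tr4ck-Vin3yard-Owl"} {
		fmt.Printf("%-20s -> %v\n", pw, CheckPassword(pw, shopper))
	}
}
```

Run as-is, the first candidate is rejected for length and for containing the surname and birth year, the second for being a disguised dictionary word, and the third passes. Returning the full list of violations rather than a yes/no lets the registration page tell the shopper exactly what to change.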
It is very common that personal information is used in passwords by many users on the Internet, since such passwords are easy to remember. Still, it takes a lot of effort from the attacker's side to build software that guesses the shopper's password. One very famous attack is to look up words in a dictionary and use these as passwords; this is also known as the dictionary attack. Or the attacker might look at statistics of which passwords are most commonly used across the whole world [15].

Workstation Attack: A third approach is to attack the workstation where the web site is located. This requires that the attacker knows the weaknesses of the workstation, since such weak points are always present in workstations and no perfect system without any vulnerabilities exists. Therefore, the attacker may have a possibility of gaining root access on the workstation via these vulnerabilities. The attacker first tries to see which ports are open on the workstation by using either self-written or already developed applications. Once the attacker has gained access to the system, it becomes possible to scan the workstation's information about shoppers and retrieve their IDs and passwords or other confidential information.

Network Sniffing: When a shopper is visiting a shopping web site and a transaction is ongoing, the attacker has a fourth possibility, called sniffing. That an attacker is sniffing means that all data exchanged between the client and the server is being captured (traced) using one of several applications. Network communication is, moreover, not unlike human communication. In a human conversation, there might be a third person somewhere listening in. In network communication technology, the data sent between the two parties is first divided into something called data packets before it is actually sent from one party to the other.
The other side of the network then gathers these packets back into the one piece of data that was sent, so that it can be read. Usually, the attacker seeks to be as close as possible either to the shop's site or to the shopper in order to sniff information. If the attacker places himself halfway between the shopper and the web site, the attacker might therefore retrieve every piece of information (data packet). As an example, assume a Norwegian shopper wants to buy an item from a web shop located in the United States of America. The first thing that happens is that the personal data sent by the shopper is divided into small pieces of data destined for the server in the USA. Since the data flow over the network is not controlled by a human, the packets might be sent via different locations before reaching the destination. For instance, some information might go via France, Holland and Spain before actually reaching the USA. In such a case, a sniffer/attacker located in France, Holland or Spain might not retrieve every single piece of information, and given that data, the attacker might not be able to analyze and retrieve enough information. This is exactly the reason why attackers place themselves as close as possible to either the source or the destination point (client side or server side).

Known Bug Attack: The known bug attack can be used both on the shopper's side and on the web site's side. Using already developed tools, the attacker can find out which software the target server is running. From that point, the attacker further needs to find the patches for that software and analyze which bugs have not been corrected by the administrators. Knowing which bugs are not fixed, the attacker then has the possibility of exploiting the system [11].

There are still many other attacks one can carry out beyond those described above.
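The lookalike address in the phishing example under Tricking the Shopper (www.micorsoft.com for www.microsoft.com) differs from the genuine one by a single transposition, which is something a merchant's link-checking or mail-filtering tooling can detect before a customer ever sees the link. The Go program below is an added example, not from the essay or its references: it extracts the hostname from a link, compares it against a constructed allowlist of the shop's real hosts using the optimal-string-alignment edit distance (which counts an adjacent swap as one edit), and flags hosts within two edits as lookalikes. The allowlist, the two-edit threshold and the sample links are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// trustedHosts is a constructed allowlist of hostnames the merchant actually operates.
var trustedHosts = []string{"www.microsoft.com", "shop.example.com"}

// Verdict classifies a link before it is placed in customer-facing mail or followed.
type Verdict string

const (
	Trusted   Verdict = "trusted"
	Lookalike Verdict = "lookalike"
	Unknown   Verdict = "unknown"
)

func minInt(a, b int) int {
	if a < b {
		return a
	}
	return b
}

// osaDistance is the optimal-string-alignment distance: insertions, deletions,
// substitutions and adjacent transpositions each cost one edit, so "micorsoft"
// is one edit away from "microsoft".
func osaDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	d := make([][]int, len(ra)+1)
	for i := range d {
		d[i] = make([]int, len(rb)+1)
		d[i][0] = i
	}
	for j := 0; j <= len(rb); j++ {
		d[0][j] = j
	}
	for i := 1; i <= len(ra); i++ {
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			d[i][j] = minInt(minInt(d[i-1][j]+1, d[i][j-1]+1), d[i-1][j-1]+cost)
			if i > 1 && j > 1 && ra[i-1] == rb[j-2] && ra[i-2] == rb[j-1] {
				d[i][j] = minInt(d[i][j], d[i-2][j-2]+1) // adjacent swap
			}
		}
	}
	return d[len(ra)][len(rb)]
}

// hostOf extracts the lower-cased hostname from a link, tolerating links written
// without a scheme as they appear in the essay ("www.micorsoft.com/shop").
func hostOf(link string) (string, error) {
	if !strings.Contains(link, "://") {
		link = "https://" + link
	}
	u, err := url.Parse(link)
	if err != nil {
		return "", err
	}
	return strings.ToLower(u.Hostname()), nil
}

// Classify returns Trusted for an exact allowlist match, Lookalike when the host is
// within two edits of a trusted host (typosquatting), and Unknown otherwise.
func Classify(link string) (Verdict, error) {
	host, err := hostOf(link)
	if err != nil {
		return Unknown, err
	}
	for _, t := range trustedHosts {
		if host == t {
			return Trusted, nil
		}
	}
	for _, t := range trustedHosts {
		if osaDistance(host, t) <= 2 {
			return Lookalike, nil
		}
	}
	return Unknown, nil
}

func main() {
	// Constructed links: the essay's pair, a homoglyph variant and an unrelated site.
	for _, link := range []string{"www.microsoft.com/shop", "www.micorsoft.com/shop", "www.rnicrosoft.com", "https://news.example.org/"} {
		v, err := Classify(link)
		fmt.Printf("%-28s -> %s (err=%v)\n", link, v, err)
	}
}
```

The two-edit threshold also catches the "rn" for "m" substitution, but it is a trade-off: the wider the threshold, the more legitimate but similarly named hosts need to be added to the allowlist explicitly rather than being reported as lookalikes.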
Further attacks that can be used against e-commerce applications include Denial of Service (DoS) attacks, where the attacker impacts the servers and, by using several methods, can retrieve the necessary information. Another known attack is the buffer overflow attack. If an attacker has gained root access, the attacker might further obtain personal information by making his own buffer, where all overflow (information) is transferred into the attacker's buffer. Some attackers also look into the HTML (hypertext markup language) code. The attacker might retrieve sensitive information from that code if the HTML is not well structured or optimized. Java, JavaScript or ActiveX controls are used in HTML as applets, and the attacker might also tamper with these and plant a worm on the computer to retrieve confidential information.

5. Defence

For each new attack that appears in the real world, a new defence mechanism must be presented as well to protect society from such issues. This section introduces some defence measures against the attacks described in the previous section. The main purpose, from a seller's point of view, in an e-commerce application is to protect all information. Protecting a system can be performed in several ways.

Education: In order to reduce the tricking attacks, one might educate all shoppers. This requires a lot of effort and time and is not simple, since many customers will still be tricked by common social engineering. Merchants therefore have to keep reminding customers to use a secure password, since this password is used as the identity. It is therefore also important to have different passwords for different web sites, and probably to store these passwords in a secure way.
Furthermore, it is very important not to give out information over a telephone conversation, by e-mail or through online programs.

Setting a Safe Password: It is very important that customers do not use passwords which are related to themselves, such as their birthdays, children's names, etc. Therefore it is important to use a strong password. A strong password has many definitions. For example, the length of the password is an important factor, along with the use of various special characters. If a shopper cannot come up with a strong password, there are many web sites providing such strong passwords.

Managing Cookies: When a shopper registers on a web site with personal information, a cookie is stored on the computer so that no information needs to be entered again at the next logon. This information is very useful for an attacker; therefore it is recommended to stop using cookies, which is a very easy step to take in the browser [11].

Personal Firewall: One approach to protecting the shopper's computer is to use a personal firewall. The purpose of the firewall is to control all incoming traffic to the computer from outside, and it also controls all outgoing traffic. In addition, a firewall also has an intrusion detection system installed, which ensures that unwanted attempts at accessing, modifying or disabling the computer will not succeed. Therefore, it is recommended that a firewall be installed on the shopper's PC. And since bugs can occur in a firewall, it is also important to keep the firewall updated [11].

Encryption and Decryption: All traffic between two parties can be encrypted from the moment it is sent by the client and decrypted when it has been received by the server, and vice versa. Encrypting information makes it much more difficult for an attacker to retrieve confidential information.
This can be performed using either symmetric-key algorithms or asymmetric-key algorithms [11].

Digital Signatures: Like the signatures made by the human hand, there is also something known as the digital signature. This signature verifies two important things. First, it checks whether the data comes from the original client, and secondly, it verifies whether the message has been modified between the time it was sent and the time it was received. This is a great advantage for e-commerce systems [11].

Digital Certificates: Digital signatures cannot handle the problem of attackers spoofing shoppers with a false web site (man-in-the-middle attack) to obtain information about the shopper. Therefore, using digital certificates will solve this problem. The shopper can accept with very high probability that the web site is legitimate, since it is trusted by a third, more trustworthy party. In addition, a digital certificate is not trusted permanently or for unlimited time. Therefore one is responsible for checking whether the certificate is still valid or not [11].

Server Firewall: Besides the personal firewall, there is also something known as the server firewall. The server firewall is a more advanced program which is set up using a demilitarized zone (DMZ) technique [11]. In addition, it is also possible to use a honeypot server [11].

These preventions are some out of many in the real world. It is very important to make users aware, and for administrators to apply patches to all applications in use, to further protect their systems against attacks. One could also analyze and monitor security logs, which is one big defence strategy, to see which traffic has occurred. Therefore it is important that administrators read their logs frequently and understand which parts have been hit, so that administrators can update their systems.
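The Digital Signatures and Digital Certificates points in this section can be shown concretely: a signature over an order stops verifying the moment any field is changed in transit, and a certificate is only acceptable while the current time lies inside its validity period and it names the host being visited. The Go program below is an added example, not from the essay or its references; the Order layout, the hostname shop.example.com, the dates and the self-signed certificate (standing in for one issued by a trusted third party) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Order is a constructed checkout message; the field layout is an assumption.
type Order struct {
	Shopper, Item, Amount string
}

// Encode yields the exact bytes that are signed; any change to them breaks the signature.
func (o Order) Encode() []byte { return []byte(o.Shopper + "|" + o.Item + "|" + o.Amount) }

// Sign hashes the order and signs the digest with the sender's private key.
func Sign(priv *ecdsa.PrivateKey, o Order) ([]byte, error) {
	digest := sha256.Sum256(o.Encode())
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify reports whether sig was made over exactly this order by the holder of pub,
// giving the receiver both the origin and the integrity assurance the essay describes.
func Verify(pub *ecdsa.PublicKey, o Order, sig []byte) bool {
	digest := sha256.Sum256(o.Encode())
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// SelfSignedCert builds a certificate for host valid from notBefore to notAfter.
// It is self-signed only to keep the example offline; a shop's real certificate
// is issued by a trusted CA.
func SelfSignedCert(priv *ecdsa.PrivateKey, host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CertValidAt is the check the essay asks the shopper to make: the certificate must
// name the host being visited and t must fall inside its validity period.
func CertValidAt(cert *x509.Certificate, host string, t time.Time) bool {
	if t.Before(cert.NotBefore) || t.After(cert.NotAfter) {
		return false
	}
	return cert.VerifyHostname(host) == nil
}

// DemoResult collects the outcomes so they can be checked programmatically.
type DemoResult struct {
	GenuineVerifies, TamperedVerifies, CertValidInWindow, CertValidAfterExpiry bool
}

// RunDemo signs a constructed order, tampers with its amount, and checks a
// constructed certificate both inside and after its validity window.
func RunDemo() (DemoResult, error) {
	var r DemoResult
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return r, err
	}
	order := Order{Shopper: "anna@example.com", Item: "book-1234", Amount: "19.90"}
	sig, err := Sign(priv, order)
	if err != nil {
		return r, err
	}
	r.GenuineVerifies = Verify(&priv.PublicKey, order, sig)
	tampered := order
	tampered.Amount = "1.90" // a change made on the path between client and server
	r.TamperedVerifies = Verify(&priv.PublicKey, tampered, sig)

	issued := time.Date(2019, 6, 1, 0, 0, 0, 0, time.UTC) // constructed issue date
	cert, err := SelfSignedCert(priv, "shop.example.com", issued, issued.AddDate(1, 0, 0))
	if err != nil {
		return r, err
	}
	r.CertValidInWindow = CertValidAt(cert, "shop.example.com", issued.AddDate(0, 6, 0))
	r.CertValidAfterExpiry = CertValidAt(cert, "shop.example.com", issued.AddDate(2, 0, 0))
	return r, nil
}

func main() {
	r, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The signature is computed over a hash of the serialised order, so the price change of a few cents is enough to make verification fail; the certificate check is deliberately two-part, since a certificate that is in date but issued for a different hostname is exactly the spoofed-site case the essay warns about.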
6. Conclusion

In this paper we first gave a brief overview of e-commerce and its applications, but our main attention and the aim of this paper was to present e-commerce security issues and the various attacks that can occur in e-commerce; we also described some of the defence mechanisms that protect e-commerce against these attacks. E-commerce has proven its great benefit for shoppers and merchants by reducing costs, but e-commerce security is still a challenge and a significant concern for everyone who is involved in e-commerce. E-commerce security does not belong only to technical administrators, but to everyone who participates in e-commerce: merchants, shoppers, service providers etc. Even though there are various technologies and mechanisms to protect e-commerce, such as user IDs and passwords, firewalls, SSL, digital certificates etc., we still need to be aware and prepared for any possible attack that can occur in e-commerce.