Assignme

nt#3
E-COMMERCE
Beenish Hafeez(0016)

Page 2 of 11

Introduction
E-commerce is defined as the buying and selling of products or services over electronic systems
such as the Internet and to a lesser extent, other computer networks. It is generally regarded as
the sales and commercial function of e-Business. There has been a massive increase in the level
of trade conducted electronically since the widespread penetration of the Internet.
This massive increase in the uptake of e-Commerce has led to a new generation of associated
security threats, but any e-Commerce system must meet four integral requirements:
privacy information exchanged must be kept from unauthorized parties
integrity the exchanged information must not be altered or tampered with
authentication both sender and recipient must prove their identities to each other
and
non-repudiation proof is required that the exchanged information was indeed
received
These basic maxims of e-Commerce are fundamental to the conduct of secure business online.
Further to the fundamental maxims of e-Commerce above, e-Commerce providers must also
protect against a number of different external security threats, most notably Denial of Service
(DoS). These are where an attempt is made to make a computer resource unavailable to its
intended users though a variety of mechanisms discussed below. The financial services sector
still bears the brunt of e-crime, accounting for 72% of all attacks. But the sector that experienced

Page 3 of 11

the greatest increase in the number of attacks was e-Commerce. Attacks in this sector have risen

2. Privacy
Privacy has become a major concern for consumers with the rise of identity theft and
impersonation, and any concern for consumers must be treated as a major concern for eCommerce providers. According to Consumer Reports Money Adviser the US Attorney General
has announced multiple indictments relating to a massive international security breach involving
nine major retailers and more than 40 million credit- and debit-card numbers. US attorneys think
that this may be the largest hacking and identity-theft case ever prosecuted by the justice
department. Both EU and US legislation at both the federal and state levels mandates certain
organizations to inform customers about information uses and disclosures. Such disclosures are
typically accomplished through privacy policies, both online and offline
Trust in turn is linked to increased customer loyalty that can be manifested through increased
purchases, openness to trying new products, and willingness to participate in programs that use
additional personal information. Privacy now forms an integral part of any e-commerce strategy
and investment in privacy protection has been shown to increase consumers spend,
trustworthiness and loyalty.
3. Integrity, Authentication & Non-Repudiation
In any e-commence system the factors of data integrity, customer & client authentication and
non-repudiation are critical to the success of any online business. Data integrity is the assurance

Page 4 of 11

that data transmitted is consistent and correct, that is, it has not been tampered or altered in any
way during transmission. Authentication is a means by which both parties in an online
transaction can be confident that they are who they say they are and non-repudiation is the idea
that no party can dispute that an actual event online took place. Proof of data integrity is typically
the easiest of these factors to successfully accomplish. A data hash or checksum, such as MD5 or
CRC, is usually sufficient to establish that the likelihood of data being undetectably changed is
extremely low). Notwithstanding these security measures, it is still possible to compromise data
in transit through techniques such as phishing or man-in- the-middle attacks These flaws have
led to the need for the development of strong verification and security measurements such as
digital signatures and public key infrastructures (PKI).
4. Technical Attacks
Technical attacks are one of the most challenging types of security compromise an e-commerce
provider must face. Perpetrators of technical attacks, and in particular Denial-of-Service attacks,
typically target sites or services hosted on high-profile web servers such as banks, credit card
payment gateways, large online retailers and popular social networking sites.
Denial of Service Attacks
Denial of Service (DoS) attacks consist of overwhelming a server, a network or a website in
order to paralyze its normal activity Defending against DoS attacks is one of the most
challenging security problems on the Internet today. A major difficulty in thwarting these attacks
is to trace the source of the attack, as they often use incorrect or spoofed IP source addresses to
disguise the true origin of the attack
The United States Computer Emergency Readiness Team defines symptoms of denial-of-service
attacks to include
Unusually slow network performance
Unavailability of a particular web site
Inability to access any web site
Dramatic increase in the number of spam emails received
DoS attacks can be executed in a number of different ways including:
ICMP Flood (Smurf Attack) where perpetrators will send large numbers of IP packets with the
source address faked to appear to be the address of the victim. The networks bandwidth is
quickly used up, preventing legitimate packets from getting through to their destination

Page 5 of 11

Teardrop Attack A Teardrop attack involves sending mangled IP fragments with overlapping,
over-sized, payloads to the target machine. A bug in the TCP/IP fragmentation re-assembly code
of various operating systems causes the fragments to be improperly handled, crashing them as a

result of this.
5. Non-Technical Attacks
Phishing Attacks
Phishing is the criminally fraudulent process of attempting to acquire sensitive information such
as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an
electronic communication. Phishing scams generally are carried out by emailing the victim with
a fraudulent email from what purports to be a legitimate organization requesting sensitive
information. When the victim follows the link embedded within the email they are brought to an
elaborate and sophisticated duplicate of the legitimate organizations website. Phishing attacks
generally target bank customers, online auction sites (such as eBay), online retailers (such as
amazon) and services providers (such as PayPal). According to community banker more recent
times cybercriminals have got more sophisticated in the timing of their attacks with them posing
as charities in times of natural disaster.
Social Engineering

Page 6 of 11

Social engineering is the art of manipulating people into performing actions or divulging
confidential information. Social engineering techniques include pretexting (where the fraudster
creates an invented scenario to get the victim to divulge information), Interactive voice recording
(IVR) or phone phishing (where the fraudster gets the victim to divulge sensitive information
over the phone) and baiting with Trojans horses (where the fraudster baits the victim to load
malware unto a system). Social engineering has become a serious threat to e-commerce security
since it is difficult to detect and to combat as it involves human factors which cannot be
patched akin to hardware or software, albeit staff training and education can somewhat thwart the
attack
6. Conclusions
In conclusion the e-commerce industry faces a challenging future in terms of the security risks it
must avert. With increasing technical knowledge, and its widespread availability on the internet,
criminals are becoming more and more sophisticated in the deceptions and attacks they can
perform. Novel attack strategies and vulnerabilities only really become known once a perpetrator
has uncovered and exploited them. In saying this, there are multiple security strategies which any
e-commerce provider can instigate to reduce the risk of attack and compromise significantly.
Awareness of the risks and the implementation of multi-layered security protocols, detailed and
open privacy policies and strong authentication and encryption measures will go a long way to
assure the consumer and insure the risk of compromise is kept minimal.
Client security
By default all printing is automatically charged to the user's personal account. For a user to be
able to select a shared account the user needs to be granted access to the account selection popup.

Page 7 of 11

Access to the account selection popup, as shown in the above figure, is controlled at the user
level on the user's details page.
Display the shared account selection popup all users
The Bulk user actions action is a convenient way to apply this change to many users.
1

Click the Groups tab.

The Group List page is displayed.

In the Actions menu, click Bulk user actions.

The Bulk User Operations page is displayed.

In the Change settings area, select the Change account selection setting check box; then
select the account selection popup to display.

Complete the following optional fields:

o Information to show in popupselect the options you want available in the
popup.

Page 8 of 11

o Default shared accountenter the name of the shared account to which costs will
be charged by default.
o When shared account is selectedselect whether you want to charge costs to the
shared account or the user's personal account.
1

Click OK.

Display the shared account selection popup per user

You can also apply the account selection popup to individual users.
1

Click the Users tab.

The User List page is displayed.

Select a user.
The User Details page is displayed.

In the Account Selection area, in Print account selection, select the account selection
popup to display.

Complete the following optional fields:

o Information to show in popupselect the options you want available in the
popup.
o Default shared accountenter the name of the shared account to which costs will
be charged by default.
o When shared account is selectedselect whether you want to charge costs to the
shared account or the user's personal account.

Click OK.

In addition to granting users access to the popup, they also need access to a shared account. You
can control shared accounts access using two methods:

Network group membership

PINs (also known as security codes or passwords)

Page 9 of 11

If an account is allocated a PIN (an alpha-numeric access code) users with knowledge of the PIN
can select the account. A PIN based system would be a sensible selection in an organization
when PINs are already in use for other systems such as photocopiers or door access codes.
To grant access to a shared account for all members in a given network group:
1

Click the Accounts tab.

The Shared Account List page is displayed.

Select an account.
The Account Details page is displayed.

Click Security.

Select the appropriate group from the list.

Click Add.

Using account security with PIN/codes

PIN/codes provide a convenient way to select shared accounts. However, this convenience can
compromise security when short or guessable PINs are used. For this reason Paper Cut NG
allows the user/group security to be also applied to PIN/code access. This allows sites to use
convenient and short codes with confidence that only authorized users are granted access.
To enforce user/group security for PIN/code access:
1

Click the Options tab.

The General page is displayed.

In the Account Options area, change Access rules defined on shared account security tab
apply to to both PIN/code and selection from list.

Click Apply.

With this setting changed, users can only select an account using PIN/code when they:

Page 10 of 11

know the PIN/code

are in the shared account's user/group security

Mobile developers have several options for securing a communications channel between a device
and a remote system. Each of these choices is based upon standard cryptographic algorithms
(such as AES, DES, RSA, etc) using either symmetric key encryption, public key encryption, or
a combination of these.

Standards-based encrypted protocol.

This method works well for short messages over brief connection times.

Secure Sockets Layer (SSL).

This method works well for longer messages over longer connection where SSL is
available and the protocol on top of the channel is not HTTP.

HTTPS Protocol
This is a good option when the end service is HTTP.

Third party solutions such as VPN.

Standards-Based Encrypted Protocol

One option is to use a standards-based protocol encrypted with standard cryptographic
algorithms. The client and server application exchange messages using a custom protocol

Page 11 of 11

encrypted with an algorithm such as AES or DES. The encryption technique can either be a
shared key or it can be symmetric. Depending on delivery requirements, you may choose to build
the protocol on top of a UDP or TCP. This approach enables selection of a crypto algorithm
according to the message size, and is much "lighter weight" than other protocols. However, it is
more difficult to implement, requiring knowledge of cryptographic libraries and algorithms.
Blackberry. Communication between a BlackBerry device and the BlackBerry Enterprise Server
is encrypted by default using either Triple DES or AES, so no extra level of encryption is needed
as long as the application on the device is communicating within the corporate network, and the
corporate network is secure. This applies both to core applications such as e-mail, as well as
applications developed using the BlackBerry Mobile Data System (MDS). To communicate
securely with an external application, a mobile device application it must implement its own
secure channels. A BlackBerry can use HTTPS or SSL for this purpose.
Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL) is a protocol built upon standard cryptographic algorithms. SSL
enables the automatic selection of the encryption algorithm to be made during the handshake
phase of the initial connection. In that regard, it is much easier to implement. You do not need to
be aware (at the same level) of which algorithm is being used because the SSL layer will choose
the best one available. Also, SSL is built upon the TCP communications stack and the connection
is maintained by the underlying TCP layer, so the delivery of packets between client and server is
guaranteed.
This protocol is a good choice when channels will be open for longer durations and exchange
greater amounts of data. However, the time it takes to construct an SSL channel is significant.
Java ME. Support for secure communications in Java ME using HTTPS is provided in the
namespace javax.microedition.io. The HTTPS protocol is provided by the Https Connection
class.
HTTPS Protocol
Essentially, HTTPS is the HTTP protocol layered on top of the SSL protocol with the added
requirement that the data sent between the client and server must be in HTTP. The channel itself
is encrypted using SSL. This is a good choice if an existing service is HTTPS, or may expand to
serve other client types beyond its original design.
Java ME. Support for secure communications in Java ME using SSL is provided in the
namespace javax.microedition.io. The SSL protocol is provided by the Secure Connection class.