Module 2 Data Analytics Using Python

The document discusses various types of security attacks that can impact e-commerce platforms, including financial fraud, phishing, spamming, malware, bad bots, distributed denial of service attacks, fake refund fraud, and man-in-the-middle attacks. It then outlines several e-commerce security solutions to prevent these threats, such as address verification systems, strong passwords, payment gateways, HTTPS, and various e-payment systems.

Uploaded by

Daksha2k22 Mes

Types of Security Attacks in E-Commerce

E-commerce attacks can come in many forms that can disrupt your ecommerce platform and
your customers’ accounts and data. Earning the trust of your customers requires a consistent
awareness of the evolving types of fraud and cyberattacks to help you ensure solutions are in
place across your sales funnel.

1. Financial fraud

Financial fraud takes several forms. It involves hackers gaining access to your customer's
personal information or payment information, then selling that information on the black
market. It also involves fraudsters using stolen credit card information to make illegitimate
purchases from your e-commerce store.

2. Phishing

Your customers are the target in a phishing scam, where a fraudster sends messages or emails
pretending to be you with the goal of obtaining their private information. These messages
may contain logos, URLs, and other information that appears to be legitimate, but it won't be
you sending it. They'll ask customers to verify their account by logging in and then use the
information to steal personal data.

3. Spamming

In an attempt to obtain personal information—or to affect your website's performance—spammers may leave infected links in their comments or messages on your website, such as on blog posts or contact forms. If you click on the links, they can take you to a spam website that exposes you to malware.

4. Malware

Malware refers to malicious programs such as spyware, viruses, trojan horses, and
ransomware. Hackers install it on your computer system and spread it to your customers and
administrators, where it might swipe sensitive data on their systems and from your website.

5. Bad bots

People are generally aware that bots are all over the Internet, obtaining information about our
habits and behaviours. Your competition, however, could use bots to gather information
about your inventory and prices. They then use that information to change their prices. Or
hackers can send malicious bots to e-commerce checkout pages to buy large amounts of a
product and scalp it for up to 10 times the list price.

6. Distributed denial of service (DDoS) attacks

Distributed denial of service attacks happen when your servers receive an overwhelming number of requests from many IP addresses—usually untraceable—that cause your server to crash. That means your e-commerce store isn't available to visitors, which disrupts your sales.

7. Fake return and refund fraud

Fraudsters can obtain money from you by committing fake returns and refund fraud in many
ways. Some use a stolen credit card to purchase merchandise, then claim that the card is
closed and request a refund to another card. Others use counterfeit receipts to request refunds
for items they haven't purchased.

8. Man-in-the-middle attacks

As technology evolves, so do hackers' schemes. Man-in-the-middle attacks allow the hacker to listen in on the communications of e-commerce website users. These users are tricked into using a public wireless network, enabling hackers to access their devices and see their browsing history. They can also access credit card information, passwords and usernames.

E-Commerce Security Solutions

The above e-commerce security threats might be scary, but there are ways to prevent them from impacting your e-commerce marketplace. Some require specialised software, but others don't take a lot of extra work to implement. And beyond protecting your online shop, your customers will be happy that their personal data and information are kept private.

Address Verification Systems

An address verification system compares the customer's billing address against the credit card
issuer's information on file. If the addresses don't match, the system prevents the transaction
from going through.

Stronger passwords

Many e-commerce businesses don't require their users to provide strong passwords, making
client accounts easy to hack. Implement a system that requires your customers to use strong
passwords with letters, numbers, and symbols to make their accounts difficult to hack into.
While you're at it, make sure you and your administration have secure passwords, and ensure
user access is restricted to those who need it. When employees are terminated, revoke all
system access immediately. 

Payment gateways

Rather than being responsible for storing and securing your clients' information, use a third
party such as PayPal or Stripe to handle payment transactions separately from your website.
This keeps your customers' information safer and makes you less attractive to hackers.

HTTPS

Many e-commerce businesses still use plain HTTP, which is vulnerable to attacks. HTTPS is more secure and protects sensitive information in transit. Before switching to HTTPS, you'll need an up-to-date SSL certificate from your hosting company. It's worth it to give your customers peace of mind and protect their information—and your business.

E-payment system

An e-payment or electronic payment system allows customers to pay for services via electronic methods. They are also known as online payment systems. Normally e-payment is done via debit cards, credit cards, direct bank deposits and e-checks; other alternative e-payment methods like e-wallets, bitcoin and other cryptocurrencies, and bank transfers are also gaining popularity.

Types of E-payment system

Internet banking – In this case, the payment is done by digitally transferring the funds over the internet from one bank account to another. Some popular modes of net banking are NEFT, RTGS and IMPS.

Card payments – Card payments are done via cards, e.g. credit cards, debit cards, smart cards, stored value cards, etc. In this mode, an electronic payment-accepting device initiates the online payment transfer via the card.

Credit/debit card – An e-payment method where the card is required for making payments through an electronic device.

Smart card – Also known as a chip card, a smart card carries a microprocessor chip and is needed to transfer payments.

Stored value card – These cards have some amount of money stored beforehand and are used to make fund transfers. They are prepaid cards, like gift cards.

Direct debit – Direct debit transfers funds from a customer's account with the help of a third party.

E-cash – It is a form where the money is stored in the customer’s device, which
is used for making transfers.

E-check – This is a digital version of a paper check used to transfer funds between accounts.

Alternate payment methods – As technology evolves, e-payment methods keep evolving with it. These innovative alternate e-payment methods became widely popular very quickly thanks to their convenience.

E-wallet – Very popular among customers, an e-wallet is a form of prepaid account where the customer's account information, like credit/debit card details, is stored, allowing a quick, seamless and smooth flow of the transaction.

Mobile wallet – An evolved form of e-wallet, the mobile wallet is extensively used by lots of customers.

It is a virtual wallet, in the form of an app that sits on a mobile device. Mobile
wallet stores card information on a mobile device.

The user-friendly nature of mobile wallets makes them easier to use. It offers a
seamless payment experience making customers less dependent on cash.

QR payments – QR code-enabled payments have become immensely popular. QR code stands for 'Quick Response' code, a code that contains a pixel pattern of barcodes or squares arranged in a square grid.

Each part of the code contains information. This information can be merchant’s
details, transaction details, etc. To make payments, one has to scan the QR code
with a mobile device.

Contactless payments – Contactless payments have been popular for quite some time. These payments are done using RFID and NFC technology.

The customer needs to tap or hover the payment device or a card near the
payment terminal, earning it a name, ‘tap and go’.

UPI payments – NPCI (National Payments Corporation of India) has developed an instant real-time payment system to facilitate interbank transactions. This payment system is titled UPI (Unified Payments Interface). Payments via UPI can be made via an app on a mobile device.

Biometric payments – Biometric payments are done by scanning various parts of the body, e.g. fingerprint scanning, eye scanning, facial recognition, etc.

These payments are replacing the need to enter the PIN for making transactions
making these payments more accessible and easy to use.

Wearable device payments – Wearable devices are rapidly becoming popular among customers. These devices are connected to the customer's bank account and are used to make online payments. An example of a wearable used for making an online payment is a smartwatch.

AI-based payments – As machine learning and artificial intelligence are creating a revolution all around the world, AI-based solutions are becoming more popular. Payments based on AI, such as smart speakers, chatbots, ML tools, deep learning tools, etc., are making it easier for businesses to maintain transparency.

Working of e-payment

It involves the following stages:

Payment initiation – The customer finalizes the product/service and chooses the payment method to initiate the transaction. Depending on the payment method, the customer enters the required information like card number, CVV, personal details, expiration date, PIN, etc. The chosen payment method either redirects the customer to an external payment page or to a bank's payment page to continue the payment process.

Payment authentication – The information submitted by the customer, along with other details like payment information and the customer's account information, is authenticated by the operator. The operator can be a payment gateway or any other solution involved. If everything is authenticated positively, the operator reports a successful transaction.

Digital signature?

A digital signature is a mathematical technique used to validate the authenticity and integrity of a digital document, message or software. It's the digital equivalent of a handwritten signature or stamped seal, but it offers far more inherent security. A digital signature is intended to solve the problem of tampering and impersonation in digital communications.

Digital signatures can provide evidence of origin, identity and status of electronic documents, transactions or digital messages. Signers can also use them to acknowledge informed consent. In many countries, including the U.S., digital signatures are considered legally binding in the same way as traditional handwritten document signatures.

How do digital signatures work?

Digital signatures are based on public key cryptography, also known as asymmetric cryptography. Using a public key algorithm -- such as Rivest-Shamir-Adleman, or RSA -- two keys are generated, creating a mathematically linked pair of keys: one private and one public.

Digital signatures work through public key cryptography's two mutually authenticating cryptographic keys. For encryption and decryption, the person who creates the digital signature uses a private key to encrypt signature-related data. The only way to decrypt that data is with the signer's public key.

If the recipient can't open the document with the signer's public key, that
indicates there's a problem with the document or the signature. This is how
digital signatures are authenticated.

Digital certificates, also called public key certificates, are used to verify that the
public key belongs to the issuer. Digital certificates contain the public key,
information about its owner, expiration dates and the digital signature of the
certificate's issuer. Digital certificates are issued by trusted third-party
certificate authorities (CAs), such as DocuSign or GlobalSign, for example. The
party sending the document and the person signing it must agree to use a given
CA.

Digital signature technology requires all parties to trust that the person who creates the signature has kept the private key secret. If someone else has access to the private signing key, that party could create fraudulent digital signatures in the name of the private key holder.

What are the benefits of digital signatures?

Digital signatures offer the following benefits:

• Security. Security capabilities are embedded in digital signatures to ensure a legal document isn't altered and signatures are legitimate. Security features include asymmetric cryptography, personal identification numbers (PINs), checksums and cyclic redundancy checks (CRCs), as well as CA and trust service provider (TSP) validation.
• Timestamping. This provides the date and time of a digital signature and is useful when timing is critical, such as for stock trades, lottery ticket issuance and legal proceedings.
• Globally accepted and legally compliant. The public key infrastructure (PKI) standard ensures vendor-generated keys are made and stored securely. With digital signatures becoming an international standard, more countries are accepting them as legally binding.
• Time savings. Digital signatures simplify the time-consuming processes of physical document signing, storage and exchange, enabling businesses to quickly access and sign documents.
• Cost savings. Organizations can go paperless and save money previously spent on the physical resources, time, personnel and office space used to manage and transport documents.
• Positive environmental effects. Reducing paper use also cuts down on the physical waste generated by paper and the negative environmental impact of transporting paper documents.
• Traceability. Digital signatures create an audit trail that makes internal record-keeping easier for businesses. With everything recorded and stored digitally, there are fewer opportunities for a manual signee or record-keeper to make a mistake or misplace something.

How do you create a digital signature?

To create a digital signature, signing software -- such as an email program -- is used to produce a one-way hash of the electronic data to be signed.

A hash is a fixed-length string of letters and numbers generated by an algorithm. The digital signature creator's private key is used to encrypt the hash. The encrypted hash -- along with other information, such as the hashing algorithm -- is the digital signature.

The reason for encrypting the hash instead of the entire message or document is
because a hash function can convert an arbitrary input into a fixed-length value,
which is usually much shorter. This saves time, as hashing is much faster than
signing.

The value of a hash is unique to the hashed data. Any change in the data -- even
a modification to a single character -- results in a different value. This attribute
enables others to use the signer's public key to decrypt the hash to validate the
integrity of the data.

If the decrypted hash matches a second computed hash of the same data, it
proves that the data hasn't changed since it was signed. But, if the two hashes
don't match, the data has either been tampered with in some way and is
compromised or the signature was created with a private key that doesn't
correspond to the public key presented by the signer. This signals an issue with
authentication.

Public key cryptography (PKC)

Public key cryptography (PKC) is an encryption technique that uses a paired public and private key (or asymmetric key) algorithm for secure data communication. A message sender uses a recipient's public key to encrypt a message. To decrypt the sender's message, only the recipient's private key may be used.

The two types of PKC algorithms are RSA, which is an acronym named after this algorithm's inventors: Rivest, Shamir and Adleman, and the Digital Signature Algorithm (DSA). PKC encryption evolved to meet the growing secure communication demands of multiple sectors and industries, such as the military.

PKC is also known as public key encryption, asymmetric encryption, asymmetric cryptography, asymmetric cipher, asymmetric key encryption and Diffie-Hellman encryption.

Public key cryptography involves a pair of keys known as a public key and a private key (a public key pair), which are associated with an entity that needs to authenticate its identity electronically or to sign or encrypt data. Each public key is published and the corresponding private key is kept secret. Data that is encrypted with the public key can be decrypted only with the corresponding private key.

RSA public key pairs can be any size. Typical sizes today are 1024 and 2048 bits.

Public key cryptography enables the following:

• Encryption and decryption, which allow two communicating parties to disguise data that they send to each other. The sender encrypts, or scrambles, the data before sending it. The receiver decrypts, or unscrambles, the data after receiving it. While in transit, the encrypted data is not understood by an intruder.
• Nonrepudiation, which prevents:
  - The sender of the data from claiming, at a later date, that the data was never sent
  - The data from being altered.

Figure 1 shows you a simplified view of how public key cryptography works.
Figure 1. Public-key encryption
