Module 5 Ecom
Phishing attacks.
Phishing is a form of social engineering. The attacker poses as a trusted party, often in
an email or message crafted from information gathered about the target, and tries to
trick the victim into handing over sensitive data such as login credentials, bank account
details or social security numbers, or into opening a malicious link or attachment.
Malware and ransomware attacks.
Malware and ransomware go back to the dial-up modem days of the internet. Malware
can significantly damage or take control of systems, and ransomware encrypts your data
and locks you out until a ransom is paid, with no guarantee that paying will ever restore
access. Offline, regularly tested backups are the practical defence against the latter.
SQL injection.
The vulnerability is usually in the application, not the database: if user input is pasted
into the text of a SQL query instead of being passed as a bound parameter, an attacker can
inject query fragments that read, modify or delete the sensitive data the database holds.
E-skimming.
In e-skimming, hackers steal sensitive payment information, such as credit card
numbers, from online shoppers. This is typically done by injecting malicious code
into ecommerce websites or point-of-sale (POS) systems to steal credit card details as
customers make purchases.
Distributed Denial of Service (DDoS) attacks.
A Distributed Denial of Service (DDoS) attack overloads a website with traffic from
many sources at once, making it unavailable to legitimate users. The traffic typically
comes from a botnet of compromised devices, so it cannot be stopped by blocking a
single source address.
Employee training & awareness: Human error is one of the most significant factors in
cybersecurity incidents. Comprehensive training programs ensure that employees are
aware of cybersecurity best practices, recognize phishing attempts & understand their
role in maintaining a secure online environment.
Incident response plan: Developing a robust incident response plan is crucial for
minimising the impact of a cyber incident. This plan outlines the steps to be taken in
the event of a security breach, ensuring a swift & coordinated response to mitigate
damage & protect customer data.
Secure e-commerce transactions:
Customer data privacy: Prioritising customer data privacy involves transparent data
handling practices & compliance with privacy regulations. Providing clear privacy
policies, obtaining explicit consent for data processing & giving customers control
over their data contribute to a positive & secure online shopping experience.
Encryption ensures the confidentiality of data or messages. On its own it does not
guarantee integrity or authenticity: an attacker who cannot read a ciphertext can often still
alter it in predictable ways. Proof that data has not been altered from its original state, and
that it came from the claimed sender, comes from a message authentication code (MAC) or a
digital signature; modern authenticated-encryption modes such as AES-GCM combine the
MAC with encryption in a single step.
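To make the confidentiality-versus-integrity distinction concrete, here is an added example (not code from the original module) using a toy stream cipher built from SHA-256 so that it runs with the Python standard library only. The cipher, the message layout and the keys are all constructed for the demonstration; a real system would use AES-GCM or ChaCha20-Poly1305 rather than this construction. It shows an attacker changing the amount in an encrypted payment order without knowing the key, and a MAC (encrypt-then-MAC with HMAC-SHA256) detecting the change.

```python
import hashlib
import hmac
import os

# Constructed sample message; the attacker is assumed to know its layout but not the key.
MESSAGE = b"PAY amount=0010.00 to=merchant"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: block i = SHA-256(key || nonce || i). Illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt  # XOR with the same keystream undoes itself


def flip_bytes(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker step: XORing (old ^ new) into ciphertext bytes turns the
    plaintext 'old' into 'new' at that position, with no knowledge of the key."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: tag covers nonce and ciphertext; layout nonce|ct|tag."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Verify the tag in constant time before decrypting; None means tampered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(enc_key, nonce, ct)


def demo() -> tuple:
    """Returns (what the receiver decrypts after tampering with encryption only,
    what the MAC-protected receiver gets for the genuine blob,
    what it gets for the tampered blob)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    offset = MESSAGE.index(b"0010.00")

    # Encryption only: the attacker rewrites the amount field in the ciphertext.
    ct = encrypt(enc_key, nonce, MESSAGE)
    tampered_plain = decrypt(enc_key, nonce, flip_bytes(ct, offset, b"0010.00", b"9910.00"))

    # Encryption plus MAC: the same edit is rejected before anything is decrypted.
    sealed = seal(enc_key, mac_key, nonce, MESSAGE)
    tampered_sealed = (sealed[:16]
                       + flip_bytes(sealed[16:-32], offset, b"0010.00", b"9910.00")
                       + sealed[-32:])
    return tampered_plain, open_sealed(enc_key, mac_key, sealed), open_sealed(enc_key, mac_key, tampered_sealed)
```

The first result decrypts cleanly to an order for 9910.00, so the receiver has no way to tell it was altered; with the tag in place the altered blob is rejected and the genuine one still opens. The same malleability applies to any unauthenticated stream or counter mode, which is why authenticated encryption is the default choice today.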
Types of Encryption
There are many different types of encryption, each with its own benefit and use case.
Symmetric Encryption
In this method a single secret key is used both to encrypt and to decrypt information. It is
the oldest and best-known encryption technique; its main drawback is key distribution:
both parties must already share the key over some secure channel before they can
exchange encrypted data. Symmetric algorithms include AES with 128-, 192- or 256-bit keys
(AES-128, AES-192 and AES-256). Because it is simpler and much faster than asymmetric
encryption, symmetric encryption is the preferred method for encrypting data in bulk.
Asymmetric Encryption
Also known as public key cryptography, asymmetric encryption uses two different but
mathematically related keys. One key is private and one key is public. Data encrypted with
the public key can only be decrypted with the private key, and a signature created with the
private key can be verified with the public key. The public key does not need to be kept
secret; it can be published and shared over the internet.
Asymmetric encryption solves the key-distribution problem of symmetric encryption, which
is why it is used to set up secure connections over the internet. Websites are secured with
Transport Layer Security (TLS), the successor of the now-deprecated Secure Sockets Layer
(SSL), using X.509 digital certificates. When a client connects, the web server sends back a
copy of its certificate, from which the client extracts the server's public key, while the
private key stays on the server. The public key is used to authenticate the server and agree
on a session key; the bulk of the traffic is then protected with fast symmetric encryption
such as AES.
DES (Data Encryption Standard) is a deprecated symmetric key method of data encryption.
It was adopted by the U.S. government as an official standard in 1977 for the encryption of
government computer data, and it can be said that DES was the impetus for the modern
cryptography and encryption industry. DES uses the same key to encrypt and decrypt a
message, so both the sender and the receiver must have access to the same secret key. Its
56-bit key is far too short for today's hardware, and DES has been superseded by the more
secure AES algorithm.
The Triple Data Encryption Standard (3DES) runs the DES algorithm three times over each
block, with two or three separate keys. 3DES was largely seen as a stopgap measure, as
single DES was increasingly seen as too weak to stand up to brute force attacks and the
stronger AES was still under evaluation; 3DES itself is now deprecated as well.
RSA
RSA (Rivest-Shamir-Adleman) is the best-known asymmetric algorithm. It is used to
encrypt small values such as session keys and to create digital signatures, and is discussed
further under Digital Signature below.
Encryption in the cloud
Because encryption adds processing cost, many cloud providers only offer basic encryption
on a few database fields, such as account numbers and passwords (passwords should in any
case be stored as salted hashes rather than encrypted). This is often not enough for some
organizations, so they rely on a Bring Your Own Encryption (BYOE) model in which they use
their own encryption software and manage their own encryption keys to ensure a level of
cloud computing security they are comfortable with.
End-to-End Encryption
End-to-end encryption (E2EE) ensures that only the two users communicating with one
another can read the messages. Even the intermediary, such as the telecom or internet service
provider, cannot decrypt the messages. E2EE is generally seen as the most secure way to
communicate privately and securely online. Examples of E2EE in use include the WhatsApp
messaging service, which famously asserts that users' messages are secured with "locks."
The Benefits of Encryption
Encryption limits the damage of a data breach. If a lost or stolen device, or a copied
database file, is encrypted and the key is kept elsewhere, the data is useless to whoever
obtained it. The caveat is that encryption only protects data the attacker reaches without
the key: an attacker who compromises a running system where the key is loaded, or the
account of a legitimate user, sees the same plaintext that user sees. In transit, encryption
ensures no one can read communications except the intended recipient, which prevents
attackers from intercepting sensitive data on the network.
Regulations
Encrypting data allows organizations to protect data and maintain privacy in accordance with
industry regulations and government policy. Many industries, especially financial
services and healthcare, have explicit rules on data protection. For example, the
Gramm-Leach-Bliley Act requires financial institutions to tell customers how their data is
being shared and how it is protected. Encryption helps financial institutions comply with
this act.
Encryption also keeps users safe while browsing the internet. Earlier in the internet's history,
attackers could read unencrypted information sent between users and web services over
plain Hypertext Transfer Protocol (HTTP). The standard for encrypting web traffic by
running HTTP over the Secure Sockets Layer (SSL) protocol, HTTPS, emerged, and SSL was
soon replaced by the Transport Layer Security (TLS) protocol, enabling enterprises,
publishers and e-commerce providers to offer a secure experience for users.
With encryption, users feel safer entering personal information into webpages and carrying
out financial or e-commerce transactions.
Digital Signature
Digital signature is a mathematical technique used to validate the authenticity and integrity of
a digital document, message or software. It's the digital equivalent of a handwritten signature
or stamped seal, but it offers far more inherent security. A digital signature is intended to
solve the problem of tampering and impersonation in digital communications.
Digital signatures are based on public key cryptography, also known as asymmetric
cryptography. Using a public key algorithm -- such as Rivest-Shamir-Adleman, or RSA --
two keys are generated, creating a mathematically linked pair of keys: one private and one
public.
Digital signatures use the two keys in the opposite direction from encryption. The signer
computes a cryptographic hash of the document and applies the private key to that hash
(in RSA this is mathematically the same operation as decryption), producing the signature.
Anyone holding the signer's public key can reverse the operation and compare the result
with a fresh hash of the document they received.
If the two hashes do not match, either the document was altered after signing or the
signature was not produced with the private key belonging to that public key. This is how
digital signatures are verified. Note that the recipient can still open and read the
document either way; the check only tells them whether to trust it.
Digital certificates, also called public key certificates, are used to verify that a public key
belongs to the person or organization named in the certificate (the signer). Digital
certificates contain the public key, information about its owner, expiration dates and the
digital signature of the certificate's issuer. Digital certificates are issued by trusted
third-party certificate authorities (CAs), such as DocuSign or GlobalSign, for example. The
signer and the party verifying the signature must both trust the CA that issued the
certificate.
Digital signature technology requires all parties to trust that the person who creates the
signature has kept the private key secret. If someone else gains access to the private signing
key, that party can create fraudulent digital signatures in the name of the private key holder,
which is why signing keys are often kept in hardware tokens or HSMs.
Timestamping. This provides the date and time of a digital signature and is
useful when timing is critical, such as for stock trades, lottery ticket issuance and
legal proceedings.
Globally accepted and legally compliant. Public key infrastructure (PKI)
standards define how keys are generated, certified and stored securely. With
digital signatures becoming an international standard, more countries
are accepting them as legally binding.
Time savings. Digital signatures simplify the time-consuming processes of
physical document signing, storage and exchange, enabling businesses to quickly
access and sign documents.
Cost savings. Organizations can go paperless and save money previously spent
on the physical resources, time, personnel and office space used to manage and
transport documents.
Positive environmental effects. Reducing paper use also cuts down on the
physical waste generated by paper and the negative environmental impact of
transporting paper documents.
Traceability. Digital signatures create an audit trail that makes internal record-
keeping easier for businesses. With everything recorded and stored digitally, there
are fewer opportunities for a manual signee or record-keeper to make a mistake or
misplace something.
There are three different classes of digital signature certificates (DSCs) as follows:
Class 1. This type of DSC can't be used for legal business documents, as they're
validated based only on an email ID and username. Class 1 signatures provide a
basic level of security and are used in environments with a low risk of data
compromise.
Class 2. These DSCs are often used for electronic filing (e-filing) of tax
documents, including income tax returns and goods and services tax returns. Class
2 digital signatures authenticate a signer's identity against a pre-verified database.
Class 2 digital signatures are used in environments where the risks and
consequences of data compromise are moderate.
Class 3. The highest level of digital signatures, Class 3 signatures require people
or organizations to present in front of a CA to prove their identity before signing.
Class 3 digital signatures are used for e-auctions, e-tendering, e-ticketing and
court filings, as well as in other environments where threats to data or the
consequences of a security failure are high.
Digital signature attacks
These are the standard attacker models used to analyse a signature scheme, ordered from
the weakest to the strongest attacker. In none of them does the attacker hold the private key.
Key-only attack. The attacker has only the victim's public key and tries to produce
a signature that verifies under it on a message the victim never signed.
Known-message attack. The attacker additionally has a set of messages and the
victim's genuine signatures on them, but did not choose those messages, and tries
to forge a signature on a new message.
Chosen-message attack. The attacker can obtain the victim's signature on messages
of the attacker's choosing, for example by tricking the victim into signing a
document they don't intend to sign, and uses those signatures to forge a signature
on another message. A scheme is considered secure only if forgery is infeasible
even against a chosen-message attacker.
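The following is an added example, not code from the original module, covering both the sign-and-verify mechanism described above and the key-only and chosen-message attacks. It is a toy RSA with deliberately small, publicly known primes (the 10,000th and 100,000th primes) so that it runs with the standard library alone; real keys are 2048 bits or more and use a padding scheme such as RSASSA-PSS, so the toy must not be used to protect anything. It shows hash-and-sign working, then shows why the hash is not optional: raw "textbook" RSA applied to a number directly is forgeable with the public key alone and with two chosen signatures.

```python
import hashlib

# Small, publicly known primes, chosen so the arithmetic is visible. Toy only.
P, Q = 104729, 1299709


def keygen(p: int = P, q: int = Q, e: int = 65537) -> tuple:
    """Returns ((n, e), (n, d)): public key and private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e * d = 1 (mod phi)
    return (n, e), (n, d)


def hash_to_int(message: bytes, n: int) -> int:
    """Hash-and-sign: the signature covers a SHA-256 digest of the message."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv: tuple, message: bytes) -> int:
    n, d = priv
    return pow(hash_to_int(message, n), d, n)      # apply the private key to the hash


def verify(pub: tuple, message: bytes, signature: int) -> bool:
    n, e = pub
    return pow(signature, e, n) == hash_to_int(message, n)   # undo it with the public key


# Raw ("textbook") RSA on a number, with no hashing and no padding.
def sign_raw(priv: tuple, m: int) -> int:
    n, d = priv
    return pow(m, d, n)


def verify_raw(pub: tuple, m: int, signature: int) -> bool:
    n, e = pub
    return pow(signature, e, n) == m


def key_only_forgery(pub: tuple, s: int) -> tuple:
    """Key-only attack on raw RSA: pick any s; then m = s^e mod n is a message on
    which s verifies. The attacker does not control m (an existential forgery);
    hashing blocks it because the attacker would need a SHA-256 preimage of m."""
    n, e = pub
    return pow(s, e, n), s


def chosen_message_forgery(pub: tuple, m1: int, s1: int, m2: int, s2: int) -> tuple:
    """Chosen-message attack on raw RSA using its multiplicative property:
    (m1*m2)^d = m1^d * m2^d (mod n), so s1*s2 is a valid signature on m1*m2."""
    n, _ = pub
    return (m1 * m2) % n, (s1 * s2) % n


def demo() -> dict:
    pub, priv = keygen()
    order = b"PAY 10.00 to merchant-42"            # constructed sample document
    sig = sign(priv, order)
    results = {
        "genuine verifies": verify(pub, order, sig),
        "tampered fails": verify(pub, b"PAY 99.00 to merchant-42", sig),
    }
    # Key-only attacker: no signatures seen, only the public key.
    m_forged, s_forged = key_only_forgery(pub, 12345)
    results["raw key-only forgery verifies"] = verify_raw(pub, m_forged, s_forged)
    # Chosen-message attacker: got the victim to sign two harmless numbers.
    m1, m2 = 1000, 2500
    m3, s3 = chosen_message_forgery(pub, m1, sign_raw(priv, m1), m2, sign_raw(priv, m2))
    results["raw chosen-message forgery verifies"] = verify_raw(pub, m3, s3)
    # The same product signature does not verify as a hash-and-sign signature.
    results["hashed chosen-message forgery fails"] = verify(pub, b"PAY 99.00 to merchant-42", s3)
    return results
```

The genuine signature verifies and the altered order fails, as the text describes. The two raw-RSA forgeries both verify because, without hashing and padding, the verifier is checking only an arithmetic relation that the attacker can satisfy directly; in real deployments the hash plus a randomised padding scheme is what turns this arithmetic into a signature scheme that resists chosen-message attackers.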
Security is the main benefit of using digital signatures. Security features and methods used in
digital signatures include the following:
PINs, passwords and codes. These are used to authenticate and verify a signer's
identity and approve their signature. Email, username and password are the most
common methods used.
CA validation. CAs issue digital certificates and act as trusted third parties by
verifying the applicant's identity before issuing, and by maintaining and revoking
certificates afterwards. Checking the certificate chain back to a trusted CA is
what stops an attacker from passing off a self-made certificate as someone else's.