Module 4 - E-Commerce & Digital Payments

Uploaded by

Afnan Quraishi
Copyright: © All Rights Reserved

CYBER SECURITY

Module 4

E-COMMERCE
Definition of E-Commerce:
• E-Commerce (Electronic Commerce) is all about buying and selling of goods, products,
or services over the internet.
• It can also involve the transaction of money, funds, and data.

Main components of E-Commerce:


• User: This may be an individual, an organization, or anybody else using the e-commerce
platforms.
• E-commerce vendors: This is the organization/entity providing the goods/services to
the user. E.g.: www.flipkart.com.
• Technology Infrastructure: This includes server computers, apps, etc. They store the
data/programs used to run the whole operation of the organization.
• Internet/Network: Internet connectivity is important for any e-commerce transaction
to go through. Faster connectivity leads to a better e-commerce experience.
• Web Portal/Application: This provides the interface through which an
individual/organization performs e-commerce transactions. Web portals can be
accessed through computers, laptops, tablets, smartphones or smart TVs.
• Payment Gateway: The payment gateway is the way e-commerce vendors collect
their payments from the users who place an order. Examples are credit/debit card
payments, online bank payments, the vendor's own payment wallet, third-party payment
wallets like Paytm, and Unified Payments Interface (UPI).
• Logistics & Shipping: This includes packing the product and ensuring it is shipped
securely to customers.
• Reviews and Ratings: These allow users to leave reviews and ratings for products,
helping build trust and influence purchasing decisions.

Elements of E-Commerce security:


• Encryption: It ensures that sensitive information like credit card details, personal
information, and transaction data is encoded during transmission.
• Secure Payment Gateways: Using trusted and secure payment gateways ensures that
financial information is transmitted securely between the customer, merchant, and
financial institutions.
• Firewalls and Security Software: Implementing firewalls and up-to-date security
software helps to prevent unauthorized access to the e-commerce website's network.
This includes protection against malware, viruses, and other cyber threats.
• Authentication and Authorization: Employing strong user authentication methods, such
as two-factor authentication (2FA), helps verify the identity of users, reducing the risk
of unauthorized access.

SHIVA KUMAR C, St. Philomena’s College 1


• Regular Updates and Patch Management: Ensuring that the e-commerce platform and
all associated software are regularly updated with the latest security patches helps
mitigate vulnerabilities that could be exploited by attackers.
• Data Privacy and Compliance: Adhering to data privacy regulations (such as GDPR,
CCPA) and implementing privacy policies that protect customer data is crucial.
• Customer Education: Educating customers about safe online practices, such as creating
strong passwords, avoiding public Wi-Fi for sensitive transactions, and being cautious
of phishing attempts, can significantly enhance overall e-commerce security.
• Backup and Disaster Recovery: Implementing robust backup and disaster recovery
plans ensures that in case of a security breach or system failure, data can be recovered
without significant loss.

E-Commerce threats:
• Payment Frauds: Fraudulent activities during payment transactions, such as stolen
credit card information or unauthorized transactions, pose a significant threat to
e-commerce platforms and customers.
• SQL Injection: Attackers exploit vulnerabilities in the website's code to insert malicious
SQL queries, allowing them to access or manipulate the database, compromising
sensitive information.
• Man-in-the-Middle (MITM) Attacks: Hackers intercept communication between a user
and an e-commerce website to eavesdrop, steal information, or manipulate data during
the transmission.
• Identity Theft: Cybercriminals may steal user identities from e-commerce platforms to
make fraudulent purchases, access financial accounts, or commit other forms of fraud.
• Phishing Attacks/Spam: Cybercriminals use deceptive emails, messages, or websites
that mimic legitimate sources to trick users into revealing sensitive information like
login credentials, credit card numbers, or personal details, or even into making a
fraudulent transaction.
• DDoS Attacks: Distributed Denial of Service attacks aim to overwhelm a website's
servers with excessive traffic, causing it to become slow or unavailable, disrupting
business operations and potentially leading to financial losses.
• Data Breaches: These occur when sensitive customer information, such as credit card
details or personal data, is accessed or stolen by unauthorized individuals or
cybercriminals.

E-Commerce security best practices:


• Implement Strong Password Policies: Encourage users to create strong passwords and
use multi-factor authentication (MFA) to add an extra layer of security.
• Regularly Update Software and Security Patches: Keep your e-commerce platform,
plugins, and software updated to patch vulnerabilities that attackers could exploit.
• Secure Payment Gateways: Use reputable payment gateways that comply with the Payment
Card Industry Data Security Standard (PCI DSS). Avoid storing payment information
on your servers.

• Data Encryption: Encrypt sensitive data, including customer information and payment
details, when stored in databases or during transmission.
• Use Secure Sockets Layer (SSL) Encryption & HTTPS: Encrypt data transmitted
between your website and users' browsers. This prevents interception of sensitive
information like credit card details.
• Implement Firewalls and DDoS Protection: Install firewalls to monitor and control
incoming and outgoing traffic. Use DDoS (Distributed Denial of Service) protection to
prevent service disruption due to attacks.
• Monitor Suspicious Activity: Implement monitoring systems to detect unusual activity
and take necessary actions against them.
• Backup Data Regularly: Keep regular backups of your e-commerce data to ensure you
can recover in case of a security breach or data loss.

Advantages of e-commerce:
• Global Reach: E-commerce allows businesses to reach a global audience without the
need for physical stores in multiple locations.
• 24/7 Availability: Online stores are accessible 24/7, providing customers with the
flexibility to shop at any time that suits them.
• Cost Efficiency: E-commerce reduces the need for physical storefronts and the
associated costs such as rent, utilities, and in-store staff.
• Reduced Transaction Costs: Online transactions often have lower processing and
transaction costs compared to traditional businesses.
• Convenience for Customers: Customers can shop from their homes or using mobile
devices, eliminating the need for physical travel.
• Wider Product Selection: E-commerce enables businesses to offer a broader range of
products without the constraints of physical shelf space.
• Easier Price Comparison: Consumers can easily compare prices, read reviews, and
research products online, facilitating informed decision-making.
• Faster Transactions: Unlike in a physical shop, customers need not wait in a queue to
pay; they can pay online as soon as they have selected their products.

Survey of popular e-commerce sites:


• Amazon: One of the largest online retailers, offering a wide range of products from
electronics to books to household items.
• eBay: Known for its auction-style selling and a vast array of products, including both
new and used items.
• Alibaba: A Chinese e-commerce company specializing in wholesale trading between
businesses and consumers.
• Walmart: A major retailer with a strong online presence, selling a variety of products
similar to its physical stores.
• Flipkart: It is an Indian e-commerce platform, popular among customers for electronics,
appliances, fashion, furniture, sports, books, and more.
• Zomato: It is a platform which allows the customers to order food from their favourite
restaurants.


INTRODUCTION TO DIGITAL PAYMENTS


Introduction:
• Digital payments or electronic payments (e-payments) are payments made through
digital or online modes, with no exchange of hard cash involved.
• The transfer of value happens from one payment account to another, where the payer,
the payee, or both use a digital device (mobile phone, computer, or a credit, debit,
or prepaid card).
• For digital payments to take place, the payer and payee both must have a bank account,
an online banking method, a device from which they can make the payment, and a
medium of transmission.

Components of Digital Payment:


• Payment Gateway: It's the technology that authorizes and facilitates transactions by
connecting merchants, banks, and customers.
• Payment Processor: It transmits data between the merchant's bank and the customer's
bank and verifies transaction details.
• Mobile Wallets: Apps or platforms that store payment information, allowing users to
make transactions through their smartphones. Ex: Google Pay, Paytm and PayPal.
• Digital Currencies/Cryptocurrencies: Decentralized forms of currency (Ex:
Bitcoin) that facilitate peer-to-peer transactions through blockchain technology.
• Near Field Communication (NFC): Technology that enables contactless payments by
allowing devices to communicate when in close proximity.
• QR Codes: Scannable codes that store payment information, enabling easy transactions
by simply scanning the code.

Stakeholders:
• Customers/Users: Individuals or entities making payments or transactions using digital
payment methods.
• Merchants/Retailers: Businesses or individuals selling goods or services and accepting
digital payments from customers.
• Financial Institutions: Banks, credit unions, and other financial entities that provide the
infrastructure and accounts necessary for digital transactions.
• Payment Service Providers (PSPs): Companies that offer services facilitating digital
payments for merchants, such as Stripe, Square, or Adyen.
• Regulatory Bodies/Government Agencies: Entities responsible for creating and
enforcing rules, regulations, and standards for digital payments to ensure security.
• Technology Providers: Companies developing and maintaining the technology and
software necessary for secure digital payment systems.
• Security Firms: Organizations specializing in ensuring the security of digital payment
systems by providing encryption, fraud detection, and cybersecurity services.


Modes of digital payments:


• Banking cards:
o Debit/Credit cards for online purchases, in digital payment apps, PoS (Point of
Sale) machines, online transactions, etc.
o The cards must be linked to the customer’s banking account.
o Customers can store card information in digital payment apps or mobile wallets
to make a cashless payment.
o Popular card payment systems: Visa, RuPay and MasterCard, among others.

• Unified Payments Interface (UPI):


o UPI allows the transfer of money easily between two bank accounts belonging
to the payer and payee.
o A unique UPI ID and QR code are generated for every user, which is
entered/scanned to initiate the transaction.
o We need not enter the card/bank/account details to carry out the transactions.

• E-Wallets (Electronic wallets):


o They store financial information so that users can make faster online
transactions.
o It is similar to a pre-paid account in which a user can add his/her money to the
e-wallet (similar to a physical wallet) for any future online transaction.
o An E-wallet is protected with a password.
o Popular e-wallets: PayPal, Google Pay, Apple Pay, and Paytm.

• Unstructured Supplementary Service Data (USSD):


o USSD technology enables mobile banking services through phones without
installing a mobile banking application.
o It allows users to access banking services by dialling a short code to avail of
services including interbank account to account fund transfer, balance inquiry,
and mini statements.
o This method doesn't require internet connectivity and is particularly beneficial
in regions with limited internet access.
o USSD mobile banking transactions are initiated by simply dialling *99# on any
phone, which is operational across all Telecom Service Providers (TSPs).
o The leading banks offer USSD service in various local languages along with
Hindi & English.

• Aadhaar Enabled Payment System (AEPS):


o Customers can use their Aadhaar-linked accounts to transfer money between
two Aadhaar linked Bank Accounts.
o AEPS doesn’t require any physical activity like visiting a branch, using debit or
credit cards or making a signature on a document.
o This bank-led model allows digital payments at PoS (Point of Sale / Micro
ATM) via a Bank Correspondent (also known as Bank Mitra) using Aadhaar
authentication.


• National Electronic Funds Transfer (NEFT):


o It allows users to electronically transfer money between two accounts
irrespective of the branch/bank/account type.
o NEFT has gained popularity because it saves time and makes transactions
easy.
o NEFT can be done either on internet/mobile banking platforms or by visiting
the bank physically (charges apply).
o RTGS (Real Time Gross Settlement) is used instead of NEFT if the payer and
payee accounts belong to the same bank, resulting in faster transactions.

• Immediate Payment Service (IMPS):


o It is similar to NEFT but the transaction is completed immediately.
o Here money can be transferred immediately from one account to the other
account across various banks irrespective of the branch/bank/account type.
o Upon successful transaction, the money gets credited in the account of the
receiver instantly.
o This facility is available 24/7 and can be used through internet/mobile banking.

Digital Payments Related Common Frauds and Preventive Measures:

➢ Phishing:
• Scammers send fake messages, emails, or websites to trick people into providing
their personal information, such as login credentials, credit card details, etc.
• Scammers then use this information to access victims’ accounts and steal their
funds.
• Preventive Measures:
o Verify website URLs before entering any personal information.
o Never share personal or financial details via email or unsecured websites.
o Enable two-factor authentication for added security.
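
One way to automate the "verify website URLs" measure above, as an added example that is not part of the original notes. The trusted host names are constructed placeholders, and the function name and the specific checks are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the exact hosts the user really pays on (constructed values).
TRUSTED_HOSTS = {"pay.example-bank.com", "www.example-shop.com"}


def check_payment_url(url):
    """Return (ok, reason) for a URL a user is about to enter credentials on."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"

    if parts.scheme != "https":
        return False, "not HTTPS"
    # In https://bank@other.example/ the real host is the part after '@'.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host"
    if port not in (None, 443):
        return False, "unexpected port"
    # Non-ASCII or punycode labels can render like a trusted name.
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False, "internationalised look-alike host"
    # Exact match only: 'pay.example-bank.com.other.example' must not pass.
    if host not in TRUSTED_HOSTS:
        return False, "host not in trusted list"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample links of the kind seen in phishing messages.
    samples = [
        "https://pay.example-bank.com/login",
        "http://pay.example-bank.com/login",
        "https://pay.example-bank.com@other.example/login",
        "https://pay.example-bank.com.secure-login.example/",
        "https://pay.example-b\u0430nk.com/",  # Cyrillic 'a' in the name
    ]
    for link in samples:
        print(check_payment_url(link), ascii(link))
```

The check compares the parsed host, not the text of the link, which is why the sample URLs that merely contain the bank's name are rejected.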

➢ Identity Theft:
• A fraudster steals someone’s personal information, such as their name, address,
account details, etc.
• The stolen information is used for fraudulent activities, such as opening a new
credit card or mobile payment account.
• Preventive Measures:
o Use strong, unique passwords for each financial account.
o Regularly monitor your credit report for any suspicious activities.
o Be cautious while sharing personal information online.
o Implement robust customer verification processes for all the transactions.


➢ Account Takeover:
• A fraudster gains access to a user’s digital payment account by stealing their login
credentials or obtaining their personal information using phishing scams.
• The attacker then uses the account details to make unauthorized transactions and
transfer funds.
• Preventive Measures:
o Use strong, unique passwords and change them regularly.
o Set a maximum limit per transaction.
o Enable account alerts for any unusual activity (OTP for login).
o Consider using biometric authentication if available.
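
A sketch of how the transaction limit and unusual-activity alerts above can be enforced on the provider side. This is an added example, not part of the original notes; the thresholds, event fields, sample events and alert wording are all assumptions, and the velocity rule goes slightly beyond the measures listed.

```python
from collections import defaultdict, deque

MAX_TXN_AMOUNT = 20000     # assumed per-transaction limit (INR)
VELOCITY_WINDOW_S = 600    # assumed look-back window in seconds
VELOCITY_MAX_TXNS = 3      # assumed maximum transactions per window

# Constructed sample events: (epoch_seconds, account, device_id, amount)
SAMPLE_EVENTS = [
    (1000, "acct-1", "phone-A", 500),
    (1100, "acct-1", "phone-A", 25000),   # above the limit
    (1200, "acct-2", "phone-B", 300),
    (1300, "acct-2", "phone-Z", 300),     # device never seen for acct-2
    (1400, "acct-1", "phone-A", 100),
    (1450, "acct-1", "phone-A", 100),
    (1500, "acct-1", "phone-A", 100),     # 4th accepted payment in 10 minutes
]


def review_transactions(events):
    """Return a list of (timestamp, account, action) for events that need action."""
    known_devices = {}             # account -> devices seen so far
    recent = defaultdict(deque)    # account -> timestamps of accepted payments
    alerts = []
    for ts, account, device, amount in sorted(events):
        # Rule 1: hard per-transaction limit; blocked payments are not counted.
        if amount > MAX_TXN_AMOUNT:
            alerts.append((ts, account, "BLOCK: over per-transaction limit"))
            continue
        # Rule 2: first use of a device on an existing account triggers an OTP.
        if account not in known_devices:
            known_devices[account] = {device}
        elif device not in known_devices[account]:
            alerts.append((ts, account, "ALERT: new device, require OTP"))
            # Simplification: assume the OTP succeeded and remember the device.
            known_devices[account].add(device)
        # Rule 3: too many payments inside the sliding window.
        window = recent[account]
        window.append(ts)
        while ts - window[0] > VELOCITY_WINDOW_S:
            window.popleft()
        if len(window) > VELOCITY_MAX_TXNS:
            alerts.append((ts, account, "ALERT: too many transactions in window"))
    return alerts


if __name__ == "__main__":
    for alert in review_transactions(SAMPLE_EVENTS):
        print(alert)
```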

➢ Card Skimming:
• It involves the illegal copying of a user’s credit/debit card information using a
skimming device when the card is swiped for payment.
• The scammers then use the copied information to make fraudulent transactions.
• Preventive Measures:
o Check for tampering on card readers before using them.
o Use contactless payment methods where possible.
o Regularly monitor your account statements for any unauthorized charges.

➢ Social Engineering Attacks:


• Manipulating individuals to reveal confidential information.
• Scammers phone users pretending to be bank officials and trick them into
sharing sensitive information such as account number, PIN, OTP, etc.
• Preventive Measures:
o Be cautious of unsolicited calls or messages asking for personal
information.
o Verify the identity of the person or organization before sharing any details.
o Educate yourself and your family about common social engineering tactics.

➢ Man-in-the-Middle Attacks:
• Attackers intercept communication between two parties in order to alter it.
• Their goal is to steal sensitive information during digital transactions.
• Preventive Measures:
o Use secure and encrypted communication channels (HTTPS).
o Choose known and secure payment gateways.
o Employ end-to-end encryption.
o Keep software and devices updated.


RBI guidelines on digital payments and customer protection in unauthorized banking transactions:
The Reserve Bank of India (RBI) has put forth various guidelines regarding digital payments
and customer protection, particularly concerning unauthorized banking transactions.
Digital Payments:
• Security Measures:
o RBI mandates that banks and financial institutions implement robust security
measures to safeguard digital transactions.
o This includes two-factor authentication, encryption, and other security
protocols.
• Customer Awareness:
o Banks are required to educate customers about safe digital practices, potential
risks, and methods to secure their transactions.
o This could be through notifications, SMS alerts, or educational campaigns.
• Fraud Monitoring:
o Regular monitoring of transactions for any suspicious activity or patterns to
prevent fraudulent transactions is mandatory.
• Prompt Redressal:
o There are provisions for customers to report unauthorized transactions
promptly.
o Upon receiving such reports, banks are obligated to investigate and resolve
complaints within a specific timeline.
Customer Protection in Unauthorized Transactions:
• Limited Liability of Customers:
o In cases of unauthorized transactions, if the customer reports the transaction
within a stipulated time frame, the customer's liability is limited.
o The liability shifts from the customer to the bank, subject to certain conditions
and documentation.
• Timely Reporting:
o Customers are encouraged to report unauthorized transactions or any suspicious
activity as soon as possible.
o This helps to minimize their liability.
• Dispute Resolution:
o There is a defined process for dispute resolution between the customer and the
bank regarding unauthorized transactions.
• Reversal of Transactions:
o The RBI mandates that banks have to ensure prompt reversal of any
unauthorized transaction within a specified time frame once it is reported by the
customer.
o Sufficient information should be available to establish that the transaction
happened without the knowledge of the customer or that the recipient’s account is
not the intended destination account.


Relevant provisions of Payment Settlement Act, 2007:


It is an Indian legislation that provides the regulatory framework for payment systems in India.
• Regulation of Payment Systems:
o The Act establishes the RBI as the regulatory authority for payment systems in
India.
o It aims to ensure the stability, efficiency, and integrity of payment systems.
• Designation of Payment Systems:
o The RBI has the authority to designate systems for the purpose of the Act,
allowing it to regulate and supervise various payment systems in the country.
• Licensing of Payment System Operators:
o The Act outlines provisions for the licensing and regulation of payment system
operators.
o This ensures that entities involved in payment systems meet certain
criteria and adhere to specified norms.
• Oversight and Monitoring:
o The RBI is empowered to oversee and monitor payment systems.
o This ensures their smooth functioning, stability, and compliance with
regulations.
• Settlement Finality:
o The Act provides for settlement finality in order to finalise the payment.
o It means once a settlement in a payment system is deemed final, it cannot be
revoked or reversed, except in certain specified circumstances.
• Dispute Resolution:
o It allows RBI to address appeals against decisions or orders of the RBI related
to payment and settlement systems.
• Establishment of Payment System Board:
o The Act establishes a Payment System Board within the RBI to regulate and
supervise payment systems more effectively.
• Penalties and Enforcement:
o Provisions for penalties and enforcement mechanisms are outlined in the Act to
ensure compliance with its provisions and regulations set by the RBI.
• Issuance of Guidelines:
o The RBI is empowered to issue guidelines, circulars, and directives to facilitate
the implementation of the Act and to guide the functioning of payment system
operators.
