Chapter 3

Unit 3 focuses on E-commerce Security, outlining its importance, dimensions, and various security threats such as phishing, hacking, and data breaches. It emphasizes the need for a multi-layered security approach, including techniques like cryptography and the implementation of security policies to protect customer data and maintain business integrity. The document also discusses the implications of cyber vandalism and hacktivism, highlighting the necessity for organizations to adopt robust security measures to mitigate risks.

Uploaded by

Niirmaal twaatii

UNIT 3

E-Commerce Security
Unit 3: E-Commerce Security (8 Hrs.)

• E-commerce Security, E-commerce Security Environment;
• Dimensions of E-commerce Security: Integrity, Non-repudiation,
Authenticity, Confidentiality, Privacy, Availability;
• Security Threats in E-commerce: Malicious Code, Potentially
Unwanted Programs, Phishing, Hacking, Cyber vandalism and
Hacktivism, Data Breaches, Credit Card Fraud, Identity Fraud,
Spoofing, Pharming, and Spam, Sniffing and Man-in-The-Middle
Attacks, DOS and DDOS Attacks, Insider Attacks, Social Network
Security Issues, Mobile Platform Security Issues, Cloud Security
Issues, IOT Security Issues;
• Achieving E-commerce Security: Cryptography, Digital Envelopes,
Digital Certificates and Public Key Infrastructure, SSL, TLS, HTTPS,
VPNs, Firewalls, Intrusion Detection and Prevention, Anti-viruses;
• E-commerce Security Plan, Laws, Government and Public Policies,
Electronic Transaction Act of Nepal
E-commerce Security
• Security:- information security, or information system security,
refers to the activities and methods that protect information from
any action designed to destroy, modify or degrade a system and its
operation.
• E-commerce security is a set of protocols that safely guide
e-commerce transactions. It is a critical aspect of online business
operations, ensuring that transactions, data and personal information
remain safe from threats and breaches.
• It is a mixture of techniques, technologies and protocols aimed at
ensuring the availability and security of data within the online
shopping environment, since an e-commerce site also has to protect
many other types of information.
E-commerce Security Environment
• Creating a secure e-commerce environment involves a multi-layered
approach to protect the entire ecosystem in which online transactions
occur. This includes safeguarding the website, the server
infrastructure, the data, and user interactions.
Why is e-commerce security important?
1. Protecting customer data
2. Preventing financial loss
3. Preserving reputation
4. Competitive advantage
Dimensions of E-commerce Security
1. Integrity
2. Non-repudiation
3. Authentication
4. Confidentiality
5. Privacy
6. Availability
Dimensions of E-commerce Security
1. Integrity:- Integrity is a crucial concept of e-commerce security.
It means ensuring that any information customers have shared online
remains unaltered.
2. Non-repudiation:- Repudiation means denial. Non-repudiation is
therefore a legal principle that binds the parties to a transaction so
that they cannot deny their actions.
3. Authentication:- the ability to identify the person or entity with
whom you are dealing.
4. Confidentiality:- ensuring that messages and data are available only
to those who are authorized to view them.
5. Privacy:- preventing any activity that would lead to the sharing of
customers' data with unauthorized third parties.
6. Availability:- ensuring that an e-commerce site continues to
function as intended.
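As an added example (not part of the original slides), the integrity and authentication dimensions above can be made concrete with a keyed message digest: the store and its payment partner share a secret key, the sender attaches an HMAC-SHA256 tag to each order, and any alteration in transit makes verification fail. The key value, the order fields and the function names are constructed for the illustration.

```python
import hmac
import hashlib
import json

# Constructed shared secret for the illustration; in practice it is
# provisioned out of band and kept in a secrets manager, never in source.
SHARED_KEY = b"example-shared-key-not-for-production"


def canonical(order: dict) -> bytes:
    """Canonical JSON (sorted keys, fixed separators) so both sides
    compute the tag over exactly the same bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def protect(order: dict, key: bytes = SHARED_KEY) -> dict:
    """Attach an HMAC-SHA256 tag to an order so the receiver can detect
    any change to it (integrity) and confirm that a holder of the key
    produced it (authentication between the two key holders)."""
    tag = hmac.new(key, canonical(order), hashlib.sha256).hexdigest()
    return {"order": order, "tag": tag}


def verify(envelope: dict, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag and compare in constant time."""
    expected = hmac.new(key, canonical(envelope["order"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


if __name__ == "__main__":
    # Constructed sample order.
    original = {"order_id": 1042, "item": "headphones", "amount": 15000, "currency": "NPR"}
    env = protect(original)
    print("untampered verifies:", verify(env))

    # Someone on the path changes the amount but cannot recompute the tag.
    tampered = {"order": dict(env["order"], amount=150), "tag": env["tag"]}
    print("tampered verifies:", verify(tampered))
```

The caveat for non-repudiation: because both parties hold the same key, either of them could have produced the tag, so an HMAC proves integrity and that a key holder sent the message but does not let the receiver prove to a third party who sent it. Non-repudiation needs a digital signature made with a private key that only the sender holds.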
Security Threats in E-commerce
• E-commerce security requirements can be studied by examining the
overall process, beginning with the consumer and ending with the
commerce server.
• Considering each logical link in the commerce chain, the assets that
must be protected to ensure secure e-commerce include client computers,
the messages travelling on the communication channel, and the web and
commerce servers, including any hardware attached to the servers.
• E-commerce security concern
1. Malicious Code
2. Potentially Unwanted Programs
3. Phishing
4. Hacking
5. Cyber vandalism and Hacktivism
6. Data Breaches
7. Credit Card Fraud
8. Identity Fraud
9. Spoofing
10. Pharming
11. Spam
12. Sniffing
13. Man-in-The-Middle Attacks (MIMA)
14. DOS and DDOS Attacks
15. Insider Attacks
16. Social Network Security Issues
17. Mobile Platform Security Issues
18. Cloud Security Issues
1. Malicious Code:-
 Malware is a software program that, when spread, is designed to infect,
alter, damage, delete or replace data or an information system without
the owner's knowledge.
 Malware is a comprehensive term for any malicious program or software.
Malware attacks are among the most frequent security breaches.
 Computer viruses, worms and Trojan horses are examples of malicious
code.
 Virus:- a piece of software with a mechanism by which it spreads and a
payload that carries out damaging activities. Sometimes a particular
event triggers the virus's execution.
 Worms:- a worm replicates itself automatically. It uses the network to
propagate and infect computers or devices on the network, and degrades
network performance as it does so.
 A Trojan horse is a program that seems harmless or even useful but
actually contains malicious code. A virus is a code segment that
replicates by attaching copies of itself to existing executables. A worm
is a program that replicates itself and causes execution of the new
copy. These can create havoc on the client side.
2. Potentially Unwanted Programs :-
 PUPs are software programs that, while not necessarily malicious,
can negatively impact a computer’s performance, security, or user
experience.
 They often get installed without the user’s full awareness or
consent, sometimes bundled with other software.
3. Phishing:-
 Several e-commerce shops have received reports of their customers
receiving messages or emails from hackers masquerading as the
legitimate store owners.
 Phishing is a type of cyber attack that uses fraudulent emails, text
messages, phone calls or websites to trick people into sharing sensitive
data, downloading malware or otherwise exposing themselves to
cybercrime.
 E.g.:- an e-mail posing as a security message asks you to update your
credit card within the next 24 hours. You enter the new details, but
after some time the website becomes unresponsive. A couple of hours
later you receive a message: "Thank you for your purchase for the amount
of 15000".
Types of Phishing in E-commerce
• Email Phishing: Attackers send emails that appear to be from legitimate
e-commerce sites, urging users to click on links or provide personal
information. Variants: i) spear phishing, ii) whaling (senior,
high-profile targets), iii) CEO fraud (senior executives impersonated
to employees).
• SMS Phishing (Smishing): Phishing attempts via SMS messages, often
containing links to fraudulent websites.
• Voice Phishing (Vishing): Phone calls that impersonate legitimate
businesses to extract personal information.
• Clone phishing:-
4. Hacking:-
 The process of identifying weaknesses in a computer system or network
in order to exploit them and gain access to personal or business data.
 Hacking refers to the unauthorized access, manipulation, or control of
computer systems, networks, or data.
Types of Hacking:-
a. Black Hat Hacking: Malicious hacking performed with the intent to steal,
damage, or manipulate data for personal gain or to cause harm.
b. White Hat Hacking: Ethical hacking performed to identify and fix
security vulnerabilities, typically by security professionals.
c. Gray Hat Hacking:- Gray hat hackers enact a blend of both black hat and
white hat activities. Gray hat hackers often look for vulnerabilities in a
system without the owner's permission or knowledge. If issues are found,
they report them to the owner.
d. Hacktivism: Hacking performed for political, social, or ideological
motives, often targeting organizations or systems perceived as unethical
or corrupt.
e. Script Kiddies:- Inexperienced hackers who use pre-written scripts or
tools to launch attacks without understanding the underlying technology.
f. State-Sponsored Hacking:- Hacking carried out by or on behalf of
government entities to achieve political, military, or economic objectives.
5. Cyber vandalism :-
 Cyber vandalism involves the deliberate defacement, disruption, or
destruction of digital content or systems.
 Cyber vandalism is the deliberate, malicious destruction of digital
property. It usually targets websites and other tech products, but it
can also be used to threaten individuals or institutions. Cyber
vandals use all sorts of tools to deface websites, delete files, take
over user accounts, or send spam and viruses.
 The results of cyber vandalism can be severe, ranging from financial
loss to the compromise of personal or high-level security data.
Types of Cyber Vandalism
• Cyber vandalism comes in various forms, each with its own set of
challenges and impacts. Some of them are as follows:
• Website Defacement: One of the most common forms of cyber vandalism
involves altering the appearance of a website by replacing its content
with offensive pictures or messages. Attackers exploit vulnerabilities
in web servers to gain unauthorized access and deface websites, often
leaving behind digital graffiti as a mark of their intrusion.
• Malware Attacks: Malicious software, or malware, is often used as a
tool for cyber vandalism. Malware can infect computers and networks,
causing a range of harmful consequences including data theft, system
corruption, and service disruption. Ransomware, a kind of malware that
encrypts files and demands payment for their release, is an especially
insidious form of cyber vandalism.
Impact of Cyber Vandalism
• Financial Loss: Cyber vandalism can cause severe financial loss to
individuals or organizations. This includes the cost of recovering lost
data, repairing systems, restoring damaged systems, and the disruption
of business operations. Organizations may lose revenue because of the
attack, and the losses affect the organization's financial health and
stability.
• Loss of Data: Loss of data is the main consequence of cyber vandalism.
It leads to data breaches that can expose sensitive information,
personal information, financial accounts, and intellectual property.
This can seriously affect the security and privacy of organizations and
individuals, and can damage a company's competitiveness and market
value.
• Disruption of Services: Cyber vandalism often aims to damage and
disrupt operations and critical services, causing problems for
customers and users. This can include DoS attacks, malware attacks, or
website defacement that damage the functioning of systems and network
servers. It can also affect online operations such as delivery and
service logistics.
How to Prevent Cyber Vandalism?
• The best way to shield a website from cyber vandalism is to implement
an effective security system. This entails having intrusion detection
systems and encryption protocols on the web servers to keep out any
unwelcome visitors who may try to disrupt the website.
1. Implement Strong Security Policies
• Establishing security policies is the first step in protecting an
organization from cyber vandalism. These policies should cover password
management, multi-factor authentication, access controls, incident
response plans, and guidelines for using company devices and networks.
2. Regularly Update Software and Systems
• Updating software and systems with the latest patches is essential for
closing vulnerabilities. Ensure that all software and systems, including
operating systems, applications, and firmware, are updated regularly.
Creating regular backups of the data protects it from cyber attacks;
backups stored safely offline limit the impact of a ransomware attack
and of data breaches.
3. Employee Training and Awareness
• Regular training and awareness programs help employees recognize
potential cyber vandalism attempts, understand the importance of
security policies, and know what to do in case of a security breach.
4. Deploy the Latest Security Technologies
• Use advanced security technologies such as firewalls, intrusion
detection systems, and endpoint protection solutions to detect and
prevent cyber vandalism attempts.
5. Monitor and Audit for Potential Threats
• Continuously monitor and audit networks, computer systems and traffic
for evidence of suspicious activity or unauthorized access.
Real-World Examples of Cyber Vandalism
• Some real-world examples of cyber vandalism are listed below:
• Sony Pictures Entertainment Hack – 2014
• WannaCry Ransomware Attack – 2017
• NotPetya Cyberattack – 2017
• Twitter Bitcoin Scam – 2020
• SolarWinds Supply Chain Attack – 2020
What are common forms of Cyber Vandalism?
• Common forms of cyber vandalism are: i) DoS attacks, ii) defacing
websites, iii) social media disruption, iv) data breaches, v) malware
attacks.
How does cyber vandalism affect a business?
• Businesses may also face a variety of expenses from cyber vandalism.
Legal services may be required, earnings can be lost while systems recover,
and regulatory penalties may apply. Businesses can also face significant
expenses to restore their digital systems and repair their reputation.
6. Hacktivism:- combines hacking with activism. Hacktivists use hacking
techniques to promote political or social agendas, often targeting
organizations they perceive as unethical or corrupt. It is similar to
cyber vandalism but carries a political or social message [e.g. exposing
scams].
How does hacktivism work?
Hacktivism typically seeks to accomplish one or more of the following
objectives:
• Stop or interrupt the financing of terrorism
• Go around censorship laws put in place by the government
• Speak out against war
• Use social media to help censored people or those whose rights are being
violated
• Speak out against capitalism
• Attack government websites that try to quash political upheavals
• Promote democracy and freedom of speech
• Help immigrants get across country boundaries
• Help local uprisings
• Undermine the power of a corporation
• Discredit or attack a government’s authority
7. Data Breaches:-
 A data breach is any security incident that results in unauthorized
access to confidential information.
 A data breach occurs when unauthorized individuals gain access to
data they should not have access to, often leading to the exposure,
theft, or misuse of sensitive information.
 It happens because of malware, weak passwords, or application flaws.
7. Credit Card Fraud:-
It happens when a cybercriminal uses stolen credit card data to buy
products on your e-commerce store. Usually, in such cases, the shipping
and billing addresses differ. You can detect and curb such activities
on your store by installing an AVS (Address Verification System).
Another form of credit card fraud is when the fraudster steals your
personal details and identity to obtain a new credit card in your name.
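The AVS check mentioned above, as an added example that is not part of the original slides: it compares the billing address given at checkout with the address the card issuer has on file (the numeric street part and the postal code, as AVS does), then combines the result with the shipping-versus-billing comparison into an accept/review/decline decision. The addresses, amounts, the review threshold and the function names are constructed assumptions; in a real deployment the AVS result comes back from the payment processor rather than being computed in the shop.

```python
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Address:
    street: str
    postal_code: str
    country: str


def normalize(s: str) -> str:
    """Lower-case and strip punctuation and spaces so '12 Main St.' == '12 main st'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def leading_number(street: str) -> str:
    """AVS compares only the numeric part of the street line (e.g. '12')."""
    m = re.match(r"\s*(\d+)", street)
    return m.group(1) if m else ""


def avs_check(billing: Address, on_file: Address) -> str:
    """AVS-style result code: 'Y' both match, 'A' street number only,
    'Z' postal code only, 'N' neither."""
    on_file_number = leading_number(on_file.street)
    street_ok = on_file_number != "" and leading_number(billing.street) == on_file_number
    zip_ok = normalize(billing.postal_code) == normalize(on_file.postal_code)
    if street_ok and zip_ok:
        return "Y"
    if street_ok:
        return "A"
    if zip_ok:
        return "Z"
    return "N"


def assess_order(billing: Address, shipping: Address, on_file: Address,
                 amount: int, review_threshold: int = 10000) -> dict:
    """Combine the AVS code with the shipping/billing comparison into a
    decision ('accept', 'review' or 'decline') and record the reasons."""
    reasons = []
    code = avs_check(billing, on_file)
    if code == "N":
        reasons.append("avs_no_match")
    elif code in ("A", "Z"):
        reasons.append("avs_partial_" + code)
    if (normalize(shipping.street) != normalize(billing.street)
            or normalize(shipping.postal_code) != normalize(billing.postal_code)):
        reasons.append("ship_to_differs_from_bill_to")
    if shipping.country != billing.country:
        reasons.append("cross_border_shipping")

    if code == "N":
        decision = "decline"
    elif reasons and (amount >= review_threshold or "cross_border_shipping" in reasons):
        decision = "review"
    else:
        decision = "accept"
    return {"avs": code, "decision": decision, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample data: issuer record, a matching billing address,
    # and a shipping address that differs from it.
    on_file = Address("12 Main St", "44600", "NP")
    billing = Address("12 Main Street", "44600", "NP")
    elsewhere = Address("99 Other Rd", "44600", "NP")
    print(assess_order(billing, elsewhere, on_file, amount=15000))
```

A mismatch is a signal, not proof: gifts and office deliveries legitimately ship elsewhere, so the threshold keeps low-value orders flowing while high-value or cross-border mismatches go to manual review and only an outright AVS failure is declined.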
8. Identity Fraud:-
 Identity fraud :- in e-commerce involves the unauthorized use of
someone's personal information to commit fraud or other illegal
activities.
 Account Takeover:- Fraudsters gain unauthorized access to a user's
online account, such as an e-commerce account, and make
transactions or changes.
 Synthetic Identity Fraud:- Creating a new identity using a mix of real
and fake information to apply for credit or make purchases.

9. Spoofing:-
 Spoofing is a type of cybercriminal activity where someone or
something forges the sender's information and pretends to be a
legitimate source, business, colleague, or other trusted contact for
the purpose of gaining access to personal information, acquiring
money, spreading malware, or stealing data.
Types of spoofing
a. Email Spoofing: Manipulating email headers to make a message appear
as if it’s coming from a legitimate source when it’s actually from a
malicious actor. Example: Phishing emails that appear to be from a
trusted company, asking recipients to provide sensitive information.
b. Website Spoofing: Creating a fake website that mimics the appearance of a
legitimate site to deceive users into entering personal information or making
fraudulent transactions. Example: A fake e-commerce site that looks
identical to a well-known retailer’s site to trick users into entering credit card
details.
c. IP Spoofing: Altering the source IP address in network packets to make it
appear as if they are coming from a trusted source.
d. Domain Spoofing: Registering a domain name that is similar to a legitimate
domain to deceive users into visiting a fraudulent site. Example: A domain
like “amaz0n.com” (with a zero) instead of “amazon.com” to trick users into
thinking they’re on the legitimate Amazon site
10. Pharming:-
• Pharming in e-commerce is a more sophisticated type of cyber attack
that redirects users from legitimate websites to fraudulent ones by
changing the hosts file or DNS records without their knowledge.
• It targets many people at once.
• Malicious code installed on the computer redirects it to the fake
website.
Types :-
a) DNS Spoofing: Attackers manipulate the DNS settings to redirect users
from the intended website to a fake site designed to steal sensitive
information like login credentials or payment details.
b) Malicious Software: Users might unknowingly install malware that alters
their browser settings or hosts file, leading them to counterfeit sites.
Protection Against Pharming
 Choose reliable internet service provider (ISP)
 Always check site links for misspellings
 Choose hypertext transfer protocol secure (HTTPS)
 Scrutinize (examine /inspect )downloads and clicks.
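As an added example (not from the original slides) of checking for the hosts-file pharming described above: a hosts-file audit that parses the file, ignores loopback entries, and flags any line that pins one of the shop's domains to an address. The sample hosts content, the watched domain list and the function names are constructed; on a real machine the input is /etc/hosts on Linux or macOS and C:\Windows\System32\drivers\etc\hosts on Windows.

```python
import ipaddress

# Constructed hosts-file content: normal loopback entries, an intranet
# entry, and one pharming-style override that sends a shop's domain to
# an address the shop does not own.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# added by installer
203.0.113.45  www.example-shop.com example-shop.com
192.168.1.10  intranet.corp.local
"""

# Domains whose resolution should never come from the local hosts file.
WATCHED_DOMAINS = {"example-shop.com", "www.example-shop.com", "pay.example-shop.com"}


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def is_loopback(ip: str) -> bool:
    """Loopback entries (localhost) are expected and are not flagged."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def audit_hosts(text: str, watched=WATCHED_DOMAINS) -> list:
    """Return one finding per hosts-file entry that overrides a watched
    domain or any name beneath one."""
    findings = []
    for ip, name in parse_hosts(text):
        if is_loopback(ip):
            continue
        if name in watched or any(name.endswith("." + w) for w in watched):
            findings.append({"host": name, "ip": ip,
                             "reason": "watched domain overridden in hosts file"})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f)
```

Endpoint management tools typically run a check like this on a schedule and also watch the file for modification, since the hosts file should change rarely and only through an administrator.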
11. Spam:-
• Spam is a term for unsolicited messages, mainly in the form of emails,
distributed to a large number of recipients. The volume of unwanted
communications can flood mail servers, drowning out the important
messages that are relevant to users.
• Spammers collect email addresses and mobile numbers from chat boxes,
websites, customer lists etc. and use them. They even sell this
information to other spammers.
• They use the gathered information:-
– for advertisement (sales promotion and marketing),
– to copy sensitive information,
– to spread viruses, malware etc.
• Types:-
– Email spamming
– Social network spamming
– Mobile phone spamming
• SPAMDEXING (spamdexing, also known as webspam and black-hat SEO, is a
set of practices aimed at manipulating search engine results).
12. Sniffing:-
• Sniffing means reading or capturing network traffic.
• A sniffing attack is when a hacker uses a packet sniffer to capture
and access confidential, unencrypted data packets for malicious
purposes.
• A sniffing attack in system hacking is a form of denial-of-
service attack which is carried out by sniffing or capturing
packets on the network, and then either sending them
repeatedly to a victim machine or replaying them back to the
sender with modifications. Sniffers are often used in system
hacking as a tool for analyzing traffic patterns in a scenario
where performing more intrusive and damaging attacks
would not be desirable.
Ethical uses of sniffing
• Packet capturing
• Network traffic usages and analysis
• Packet conversion for data analysis
• Network troubleshooting

Unethical usages
• User identity and password stealing
• Email and instant message data stealing
• Packet spoofing and data theft
• Monetary or reputational damage
How it works?
• A sniffer can continuously monitor all the traffic to a computer through
the NIC by decoding the information encapsulated in the data packets.
• A sniffer normally switches the Network Interface Card (NIC) of the
system into promiscuous mode so that it listens to all the data
transmitted on its segment.
• Promiscuous mode refers to the unique way of Ethernet hardware, in
particular, network interface cards (NICs), that allows an NIC to receive all
traffic on the network, even if it is not addressed to this NIC. By default, a
NIC ignores all traffic that is not addressed to it, which is done by
comparing the destination address of the Ethernet packet with the
hardware address (a.k.a. MAC) of the device. While this makes perfect
sense for networking, non-promiscuous mode makes it difficult to use
network monitoring and analysis software for diagnosing connectivity
issues or traffic accounting.
Sniffing types
Active sniffing attacks
• Active sniffing attacks mainly refer to attacks triggered by injecting
forged Address Resolution Protocol (ARP) packets into a network to
flood the switch's content addressable memory (CAM) table. The
redirected legitimate traffic finally allows the attacker to sniff the
traffic from the switch.
Passive sniffing attacks
• This kind of sniffing usually occurs at a hub. Contrary to active
sniffing, a sniffing device can simply be attached to the hub to
extract the data packets. However, hubs are hardly used these days and
hence passive sniffing attacks are rarely reported.
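As an added example (not from the original slides) of detecting the active sniffing described above from the defender's side: a monitor that walks a log of ARP replies and raises an alert when an IP's MAC binding changes, when one MAC claims several IPs (gateway impersonation), or when an unusually large number of distinct sender MACs appear within a short window, which is what CAM-table flooding looks like on the wire. The ARP log, the thresholds and the function names are constructed; in practice the events would come from a capture tool feeding the detector.

```python
from collections import defaultdict

# Constructed ARP reply log: (timestamp_seconds, sender_ip, sender_mac).
# A real gateway binding, a host binding, then a second MAC claiming both,
# followed by a burst of 600 distinct sender MACs within 0.6 seconds.
SAMPLE_ARP = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (1.0, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (2.0, "192.168.1.1", "de:ad:be:ef:00:99"),
    (2.1, "192.168.1.20", "de:ad:be:ef:00:99"),
] + [
    (3.0 + i * 0.001, f"10.{i >> 8}.{i & 0xff}.5", f"02:00:00:{i >> 8:02x}:{i & 0xff:02x}:00")
    for i in range(600)
]


def detect_arp_anomalies(events, window_s: float = 1.0, flood_threshold: int = 500):
    """Return alerts for (a) an IP whose MAC binding changes, (b) a MAC that
    claims more than one IP, and (c) more than flood_threshold distinct sender
    MACs within window_s seconds (CAM-table flooding)."""
    alerts = []
    binding = {}                    # ip -> last MAC seen claiming it
    mac_to_ips = defaultdict(set)   # mac -> IPs it has claimed
    recent = []                     # (timestamp, mac) pairs inside the window

    for ts, ip, mac in events:
        prev = binding.get(ip)
        if prev is not None and prev != mac:
            alerts.append(("mac_change", ip, prev, mac))
        binding[ip] = mac

        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) == 2:   # report once, when the second IP appears
            alerts.append(("mac_claims_multiple_ips", mac, sorted(mac_to_ips[mac])))

        recent.append((ts, mac))
        while recent and ts - recent[0][0] > window_s:
            recent.pop(0)
        distinct = len({m for _, m in recent})
        if distinct > flood_threshold:
            alerts.append(("cam_flood", ts, distinct))
            recent.clear()   # report once per burst
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP):
        print(alert)
```

A binding change is not always hostile (DHCP reassignments and failover gateways cause them too), so in production the gateway and other critical addresses are usually pinned to known MACs and only changes to those pinned entries page someone; the flood signature, by contrast, has no benign explanation on a normal access segment.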
13. Man-in-The-Middle Attacks
• A man-in-the-middle attack, or on-path attack, is a cyber attack where
the attacker secretly relays and possibly alters the communications
between two parties who believe that they are directly communicating
with each other, because the attacker has inserted themselves between
the two parties.
• After stealthily placing themselves in the middle of two-party
communications, MITM attackers intercept sensitive data
such as credit card numbers, account information and login
credentials. Hackers then use that information to commit
other cybercrimes such as making unauthorized purchases,
hijacking financial accounts and identity theft.
Man-in-The-Middle Attacks
• In addition to exchanges between a user and an application,
an MITM attacker might also eavesdrop on private
communications between two people. In this scenario, the
attacker diverts and relays messages between the two
people, sometimes altering or replacing messages to control
the conversation.
• Alternative terms for this type of cyberattack include
machine-in-the-middle, on-path attack, adversary-in-the-
middle (AITM) and manipulator-in-the-middle.
Stages of a man-in-the-middle attack
• Man-in-the-middle attacks require cybercriminals to:
1) intercept the data that is passing between their two targets, and
2) decrypt that information.
• Interception
In order to get in the middle of two communicating targets, such as a
user and a web application, an attacker must intercept the data
traveling between the two. The attacker then relays that diverted
information between the targets as if normal communication were
underway, so that victims don't suspect a thing.
• Decryption
Most internet communications today are encrypted, so any data a MITM
attacker intercepts will most likely need to be decrypted before the
attacker can use it. Attackers can decrypt data by stealing encryption
keys, running brute-force attacks or using specialized MITM attack
techniques (see next section).
Common man-in-the-middle attack types
Email hijacking:-
• In these types of attacks, cybercriminals take control of the email accounts of a
business or organization. MITM attackers often target financial institutions such
as banks or credit card companies for this type of attack.
• The hackers monitor communications, collect personal data and gather
intelligence on transactions. In some cases, they spoof a company email address to
convince customers or partners to make deposits or transfer funds into a
fraudulent account.
Session hijacking:-
• When a user’s web browser communicates with a website, it temporarily stores
information on a session cookie. MITM attackers gain access to these cookies and
use them to impersonate a user or steal the information that they contain, which
can include passwords, credit card numbers and other account information.
• Because the cookie expires when the session does, hackers must act quickly before
the information goes away.
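As an added example (not from the original slides) of the server-side controls that limit the damage of the session hijacking described above: a session store that issues random IDs, expires them on idle time and on absolute age, replaces the ID at login so a captured pre-login ID cannot be turned into an authenticated session, and emits a cookie with the Secure, HttpOnly and SameSite attributes. The timeouts, the injectable clock and the class and function names are constructed assumptions.

```python
import secrets
import time


class SessionStore:
    """Server-side session registry with the controls that limit what a
    stolen cookie is worth: short idle timeout, absolute lifetime,
    rotation at login, and explicit revocation."""

    def __init__(self, idle_timeout: int = 900, max_lifetime: int = 8 * 3600, clock=time.time):
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self.clock = clock          # injectable so expiry can be tested
        self._sessions = {}         # session id -> record

    def create(self, user_id=None) -> str:
        """Issue a fresh 256-bit id from the OS CSPRNG (anonymous until login)."""
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[sid] = {"user": user_id, "created": now, "last_seen": now}
        return sid

    def get_user(self, sid: str):
        """Return the user bound to sid, or None if unknown, anonymous or expired."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        now = self.clock()
        if now - rec["last_seen"] > self.idle_timeout or now - rec["created"] > self.max_lifetime:
            self.revoke(sid)        # expired ids are dropped, not refreshed
            return None
        rec["last_seen"] = now
        return rec["user"]

    def login(self, old_sid: str, user_id) -> str:
        """Bind the user to a NEW id; the pre-login id (which an attacker may
        have planted or captured) is revoked rather than upgraded."""
        self.revoke(old_sid)
        return self.create(user_id)

    def revoke(self, sid: str) -> None:
        """Logout or forced invalidation after a suspected compromise."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str, max_age: int = 900) -> str:
    """Set-Cookie value: Secure (sent over HTTPS only, so it cannot be sniffed
    from plain HTTP), HttpOnly (not readable by page script), SameSite=Lax
    (not attached to most cross-site requests)."""
    return f"sid={sid}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    sid = store.login(anon, "alice")
    print("Set-Cookie:", session_cookie_header(sid))
    print("old id still valid:", store.get_user(anon) is not None)
    print("new id user:", store.get_user(sid))
```

Short idle timeouts narrow the window the text describes ("hackers must act quickly"), and keeping the session state on the server means a stolen id can be revoked immediately, which a self-contained signed cookie cannot be.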
Wi-Fi eavesdropping:-
• MITM attackers sometimes create public Wi-Fi networks and hotspots in
popular public places such as airports, restaurants and city centers.
The names of these fraudulent networks are often similar to nearby
businesses or other trusted public Wi-Fi connections. Hackers can also
compromise legitimate public Wi-Fi hotspots used by the public.
• In either case, when unsuspecting users log on, the attackers collect
sensitive data such as credit card numbers, usernames and passwords.
14. DOS and DDOS Attacks
ASSIGNMENT
• Types of hacktivism?
• Difference between cyber vandalism and hacktivism?
• Difference between pharming and phishing?
• Difference between spamming and phishing?
• Difference between spoofing and sniffing?
• How do you prevent man-in-the-middle attacks?
• Social Network Security Issues
• Mobile Platform Security Issues
• Cloud Security Issues
• IoT Security Issues
