Chapter 9 Part 1

Chapter 9 of the document discusses e-commerce security and fraud protection, highlighting the importance of safeguarding information systems from unauthorized access and cyber threats. It outlines various security risks, types of cybercrimes, and essential security terminology, including concepts like phishing, malware, and social engineering. The chapter also emphasizes the need for a comprehensive e-commerce security strategy to prevent and detect unauthorized activities and protect sensitive information.
E-Commerce Chapter 9 – Part 1

E-Commerce Security and Fraud Protection

Information security: Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

CSI Computer Crime and Security Survey: Annual security survey of U.S. corporations, government agencies, financial and medical institutions, and universities conducted by the Computer Security Institute.

The Information Security Problem:

⚫ Personal Security
⚫ National Security
⚫ Security Risks for 2011–2012
⚫ Cyberwars, Cyberespionage (financial extortion operations), and Cybercrimes Across Borders
⚫ THE DRIVERS OF EC SECURITY PROBLEMS:

⚫ The Internet’s Vulnerable Design (the design is not good):

⚫ Domain Name System (DNS) (there is an intermediary in the middle): Translates (converts) domain names to their numeric IP addresses.
⚫ IP address: An address that uniquely identifies each computer connected to a network or the Internet.
⚫ The Shift to Profit-Induced Crimes.
⚫ Internet underground economy: E-markets for stolen information, made up of thousands of websites that sell credit card numbers, social security numbers, and other data.
⎯ WHY IS AN E-COMMERCE SECURITY STRATEGY NEEDED?
• The Computer Security Strategy Dilemma.
BASIC SECURITY TERMINOLOGY:

business continuity plan: A plan that keeps the business running after a disaster occurs; each function in the business should have a valid recovery capability plan.

cybercrime: Intentional crimes carried out on the Internet.

cybercriminal: A person who intentionally carries out crimes over the Internet.

exposure: The estimated cost, loss, or damage that can result if a threat exploits a vulnerability. (That is: if a hacker got in and tampered with or damaged the system, what would the data they could ruin cost?)

fraud: Any business activity that uses deceitful practices or devices to deprive another of property or other rights.

malware (malicious software): A generic term for malicious software.

phishing: A crimeware technique to steal the identity of a target company in order to get the identities of its customers.

risk: The probability that a vulnerability will be known and used.

social engineering: A type of nontechnical attack that uses some ruse to trick users into revealing information or performing an action that compromises a computer or network.

spam: The electronic equivalent of junk mail.

vulnerability: A weakness in software or another mechanism that threatens the confidentiality, integrity, or availability of an asset (recall the CIA model); it can be directly used by a hacker to gain access to a system or network.

C: Confidentiality (you must be authorized to see the data)
I: Integrity (you must be authorized to edit it)
A: Availability (accessibility: no one can stop you from seeing your data)

zombies: Computers infected with malware that are under the control of a spammer, hacker, or other criminal.

Note:

• What is the difference between a hacker and a cracker?

White-hat hacker – black-hat hacker (cracker) – gray-hat hacker

Crack: trying to break the operation of any system.

We must calculate the risk:

Weighted risk = probability of the risk × cost of the risk (its exposure).
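The formula above applied to a small risk register, as an added Python example (not part of the lecture notes): each entry carries the probability that its vulnerability is used and the exposure if it is, and the entries are ranked so the highest weighted risk is treated first. The assets, probabilities and figures are constructed for the example.

```python
# Added example (not from the lecture notes): a risk register that applies
# weighted risk = probability x exposure to constructed entries and ranks them.
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    asset: str
    vulnerability: str
    probability: float  # chance the vulnerability is known and used, 0..1
    exposure: float     # estimated loss (currency units) if it is exploited


def weighted_risk(item: RiskItem) -> float:
    """Weighted risk = probability of the risk * exposure (cost) of the risk."""
    if not 0.0 <= item.probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if item.exposure < 0:
        raise ValueError("exposure cannot be negative")
    return item.probability * item.exposure


def rank_register(register):
    """Return (weighted_risk, item) pairs, highest weighted risk first."""
    return sorted(((weighted_risk(i), i) for i in register),
                  key=lambda pair: pair[0], reverse=True)


def total_expected_loss(register) -> float:
    """Sum of weighted risks: the expected loss across the whole register."""
    return sum(weighted_risk(i) for i in register)


# Constructed sample register (hypothetical figures, not real data).
SAMPLE_REGISTER = [
    RiskItem("web store", "unpatched checkout server", 0.30, 200_000.0),
    RiskItem("customer DB", "weak admin password", 0.10, 900_000.0),
    RiskItem("mail server", "open relay abused for spam", 0.60, 15_000.0),
]

if __name__ == "__main__":
    for score, item in rank_register(SAMPLE_REGISTER):
        print(f"{score:>10,.0f}  {item.asset}: {item.vulnerability}")
    print(f"total expected loss: {total_expected_loss(SAMPLE_REGISTER):,.0f}")
```

Note that the most likely event (the open relay) ranks last: a low-probability vulnerability on a high-exposure asset can dominate the register, which is why the notes insist on weighting probability by cost rather than ranking by either alone.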


THE THREATS, ATTACKS, AND ATTACKERS:
⚫ Unintentional Threats
⚫ Intentional Attacks and Crimes
⚫ The Criminals and Methods
⚫ hacker: Someone who gains unauthorized access to a computer system.
⚫ cracker: A malicious hacker, such as Maxwell in the opening case, who may represent a serious problem for a corporation.

EC Security Requirements:

1. Authentication: Process to verify (assure) the real identity of an individual, computer, computer program, or EC website.
2. Authorization: Process of determining what the authenticated entity is allowed to access and what operations it is allowed to perform.
3. Auditing
4. Availability
5. Nonrepudiation: Assurance that online customers or trading partners cannot falsely deny (repudiate) their purchase or transaction.
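The first three requirements in one small order service, as an added Python example (not the notes' own code): authentication by salted password hash, authorization by a role table, and auditing by an append-only log whose records are hash-chained so that editing or deleting an earlier record is detectable. Nonrepudiation is not covered, since it needs a digital signature rather than a hash; all users, passwords and permissions are constructed sample data.

```python
# Added example (not the lecture notes' own code): a minimal order service
# that enforces three of the EC security requirements listed above:
#   authentication - verify who the caller is (salted PBKDF2 password check)
#   authorization  - decide what the authenticated user may do (role table)
#   auditing       - record every decision in a hash-chained, append-only log
# Nonrepudiation would additionally need a digital signature, which is left
# out here. All users, passwords and permissions are constructed sample data.
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone
from typing import Optional

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh salt if none given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store: username -> (salt, password hash, role).
USERS = {}
for _name, _pw, _role in [("alice", "correct horse", "customer"),
                          ("carol", "admin-pass-123", "admin")]:
    USERS[_name] = (*hash_password(_pw), _role)

# Authorization table: role -> operations it may perform.
PERMISSIONS = {
    "customer": {"place_order", "view_own_order"},
    "admin": {"place_order", "view_own_order", "view_any_order", "refund"},
}


class AuditLog:
    """Append-only log. Each record stores the hash of the previous record,
    so editing or deleting an earlier record breaks the chain (integrity of
    the audit trail, the I in CIA)."""

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(prev: str, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hashlib.sha256(prev.encode() + payload).hexdigest()

    def append(self, event: dict) -> None:
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = dict(event, time=datetime.now(timezone.utc).isoformat(), prev=prev)
        self.records.append(dict(body, hash=self._digest(prev, body)))

    def verify(self) -> bool:
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev"] != prev or self._digest(prev, body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


AUDIT = AuditLog()


def authenticate(username: str, password: str) -> Optional[str]:
    """Return the user's role if the credentials are valid, else None."""
    entry = USERS.get(username)
    if entry is None:
        AUDIT.append({"user": username, "event": "auth_failed", "reason": "unknown user"})
        return None
    salt, expected, role = entry
    _, actual = hash_password(password, salt)
    if not hmac.compare_digest(expected, actual):  # constant-time comparison
        AUDIT.append({"user": username, "event": "auth_failed", "reason": "bad password"})
        return None
    AUDIT.append({"user": username, "event": "auth_ok", "role": role})
    return role


def perform(username: str, password: str, operation: str) -> bool:
    """Authenticate, then authorize the operation; every outcome is audited."""
    role = authenticate(username, password)
    if role is None:
        return False
    allowed = operation in PERMISSIONS.get(role, set())
    AUDIT.append({"user": username, "event": "authz", "op": operation, "allowed": allowed})
    return allowed


if __name__ == "__main__":
    print(perform("alice", "correct horse", "place_order"))  # True
    print(perform("alice", "correct horse", "refund"))       # False: not authorized
    print(perform("alice", "wrong", "place_order"))          # False: not authenticated
    print("audit chain intact:", AUDIT.verify())             # True
```

Failed authentications are audited as well as successful ones, because the detection measures described later in the chapter depend on exactly those records.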

⚫ THE DEFENSE: DEFENDERS, STRATEGY, AND METHODS:

EC security strategy: A strategy that views EC security as the process of preventing and detecting unauthorized use of the organization’s brand, identity, website, e-mail, information, or other asset, and attempts to defraud the organization, its customers, and employees.

deterring measures: Actions that will make criminals abandon their idea of attacking a specific system (e.g., the possibility of losing a job for insiders).

prevention measures: Ways to help stop unauthorized users (also known as “intruders”) from accessing any part of the EC system.

detection measures: Ways to determine whether intruders attempted to break into the EC system; whether they were successful; and what they may have done.

information assurance (IA): The protection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.

Technical Attack Methods:

virus: A piece of software code that inserts itself into a host, including the operating system, in order to propagate; it requires that its host program be run to activate it.

worm: A software program that runs independently, consuming the resources of its host in order to maintain itself, that is capable of propagating a complete working version of itself onto another machine.

macro virus (macro worm): A macro virus or macro worm is executed when the application object that contains the macro is opened or a particular procedure is executed.

Trojan horse: A program that appears to have a useful function but that contains a hidden function that presents a security risk.

banking Trojan: A Trojan that comes to life when computer owners visit one of a number of online banking or e-commerce sites.

denial-of-service (DoS) attack: An attack on a website in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources.

page hijacking: Creating a rogue copy of a popular website that shows contents similar to the original to a Web crawler; once there, an unsuspecting user is redirected to malicious websites.

botnet: A huge number (e.g., hundreds of thousands) of hijacked Internet computers that have been set up to forward traffic, including spam and viruses, to other computers on the Internet.

malvertising: The use of online, malicious advertisements to spread malware and compromise systems.
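The detection measures defined earlier, run against the DoS attack defined above, as an added Python example (not from the notes): a sliding-window counter per source address flags one host sending a flood of requests, and the same counter restricted to failed logins flags an intruder probing for access. The log format, the thresholds and the log lines themselves are constructed for this example.

```python
# Added example (not from the notes): two detection measures run over
# constructed web-server log lines. It flags (a) one source sending a flood
# of requests inside a short window, the pattern of the DoS attack defined
# above, and (b) a burst of failed logins, an intruder probing for access.
# The log format and the thresholds are assumptions made for this example.
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed simplified log format: client-ip [timestamp] "METHOD path" status
LINE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)
TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_line(line):
    """Parse one log line into a dict, or None if it is malformed
    (unparseable input is skipped rather than trusted)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FORMAT),
            "path": m["path"], "status": int(m["status"])}


def _sources_over_limit(lines, keep, limit, window_seconds):
    """Sliding-window count per source IP of the records that `keep` accepts;
    return the IPs whose count exceeds `limit` within `window_seconds`."""
    recent = defaultdict(deque)
    flagged = set()
    for rec in filter(None, map(parse_line, lines)):
        if not keep(rec):
            continue
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > limit:
            flagged.add(rec["ip"])
    return flagged


def detect_floods(lines, max_requests=20, window_seconds=10):
    """IPs that sent more than max_requests in any window_seconds span."""
    return _sources_over_limit(lines, lambda r: True, max_requests, window_seconds)


def detect_login_bursts(lines, max_failures=5, window_seconds=60, login_path="/login"):
    """IPs with more than max_failures failed (401) logins in window_seconds."""
    return _sources_over_limit(
        lines, lambda r: r["path"] == login_path and r["status"] == 401,
        max_failures, window_seconds)


def _line(ip, second, path="/", status=200, method="GET"):
    return f'{ip} [2024-01-01T12:00:{second:02d}] "{method} {path}" {status}'


# Constructed sample log (documentation/test addresses, not real traffic).
SAMPLE_LOG = (
    [_line("10.0.0.5", s) for s in range(0, 30, 3)]                   # normal browsing
    + [_line("203.0.113.9", s // 5) for s in range(25)]               # 25 hits in 5 s: flood
    + [_line("198.51.100.4", 3 * s, "/login", 401, "POST") for s in range(7)]  # 7 failed logins
    + [_line("10.0.0.5", 40, "/login", 401, "POST"),                  # one typo, then success
       _line("10.0.0.5", 45, "/login", 200, "POST")]
    + ["this line is malformed and must be ignored"]
)

if __name__ == "__main__":
    print("flood sources:", detect_floods(SAMPLE_LOG))              # {'203.0.113.9'}
    print("login-burst sources:", detect_login_bursts(SAMPLE_LOG))  # {'198.51.100.4'}
```

A single mistyped password from 10.0.0.5 is not flagged: thresholds exist so that a detection measure reports intruders rather than ordinary users, and they should be tuned against the site's normal traffic before being acted on automatically.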
SOCIAL PHISHING
⚫ Sophisticated Phishing Methods
⚫ FRAUD ON THE INTERNET
⚫ Examples of Typical Online Fraud Attacks
⚫ Identity Theft and Identity Fraud
⚫ Identity theft: Fraud that involves stealing the identity of a person and then using that identity, while pretending to be someone else, in order to steal money or get other benefits.
Nontechnical Methods:
⚫ CYBER BANK ROBBERIES
⚫ Other Financial Fraud
⚫ SPAM AND SPYWARE ATTACKS
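A defender-side check for the phishing and page-hijacking links described above, as an added Python example (not the notes' own code): a link's host is normalized, compared with the domains the organization actually owns, and classified as trusted, a look-alike of an owned brand, or simply unknown. The owned-domain list, the substitution table and the distance threshold are assumptions made for this example.

```python
# Added example (not from the notes): classify a link as trusted, a
# look-alike of one of our own brands (the bait used by phishing and page
# hijacking), or unknown. The allowlist and thresholds are constructed.
from urllib.parse import urlsplit

OWNED_DOMAINS = {"examplebank.com", "example-shop.com"}   # constructed allowlist

# Spellings that are easily confused with the real characters on screen.
LOOKALIKE_SUBS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                  ("3", "e"), ("5", "s"), ("-", "")]


def normalize(text):
    """Lowercase and collapse look-alike spellings so that examp1ebank and
    exarnplebank both compare equal to examplebank."""
    t = text.lower()
    for src, dst in LOOKALIKE_SUBS:
        t = t.replace(src, dst)
    return t


def registrable_domain(host):
    """Last two labels of a host (login.examplebank.com -> examplebank.com).
    Simplification: production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url, owned=OWNED_DOMAINS, max_distance=2):
    """'trusted' if the link's domain is one we own; 'lookalike' if it imitates
    one (near-match, look-alike characters, or our brand name embedded in a
    foreign host); otherwise 'unknown'."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "unknown"          # no scheme/host: nothing to judge
    domain = registrable_domain(host)
    if domain in owned:
        return "trusted"
    norm_domain, norm_host = normalize(domain), normalize(host)
    for brand in owned:
        norm_brand = normalize(brand)
        if levenshtein(norm_domain, norm_brand) <= max_distance:
            return "lookalike"    # e.g. examplebank.co, examp1ebank.com
        if norm_brand.split(".")[0] in norm_host:
            return "lookalike"    # e.g. examplebank.com.evil-login.net
    return "unknown"


if __name__ == "__main__":
    for link in ["https://login.examplebank.com/account",
                 "http://examp1ebank.com/verify",
                 "http://examplebank.com.evil-login.net/",
                 "https://www.python.org/"]:
        print(f"{classify_link(link):9}  {link}")
```

The check is deliberately conservative in one direction only: an unknown domain is not declared safe, it is merely not an imitation of our brand. With a short brand name the distance threshold should be lowered, since many legitimate domains sit within two edits of a short word.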

e-mail spam: A subset of spam that involves nearly identical messages sent to numerous recipients by e-mail.

spyware: Software that gathers user information over an Internet connection without the user’s knowledge.

⚫ SOCIAL NETWORKING MAKES SOCIAL ENGINEERING EASY


⚫ How Hackers Are Attacking Social Networks
⚫ Spam in Social Networks and in the Web 2.0 Environment

search engine spam: Pages created deliberately to trick the search engine into offering inappropriate, redundant, or poor-quality search results.

spam site: A page that uses techniques that deliberately subvert a search engine’s algorithms to artificially inflate the page’s rankings.

splog: Short for spam blog, a site created solely for marketing purposes.

data breach: A security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so.
True & False Questions:
1. E-commerce security only involves protecting financial transactions.
2. Cyberwars and cyberespionage are not considered security risks for businesses.
3. The domain name system (DNS) translates IP addresses to domain names.
4. Profit-induced crimes are a new type of crime that has emerged with the rise of e-commerce.
5. E-commerce security only involves protecting against external threats.
6. Cybercrimes across borders are not a concern for businesses that only operate
domestically.
7. IP addresses are unique identifiers for each computer connected to the Internet.
8. Profit-induced crimes refer to crimes committed solely for financial gain.
9. Protecting against cyber threats is not a priority for small businesses with limited
resources.
10. Firewalls are a type of antivirus software.
11. Encryption is a process that converts plaintext into ciphertext to
protect data from unauthorized access.
12. Two-factor authentication involves using only a password to
access a system or application.
13. Biometric authentication involves using physical characteristics,
such as fingerprints or facial recognition, to verify identity.
14. A worm is a piece of software code that inserts itself into a host,
including the operating system, in order to propagate.
15. A macro virus or macro worm is executed when the application
object that contains the macro is opened or a particular procedure is
executed.
16. Denial-of-service attacks are designed to prevent authorized users
from accessing a system or network by overwhelming it with traffic.
Answers:

1- F (involves protecting all types of information and information systems)
2- F (major security risks)
3- F (The domain name system (DNS) translates domain names to their numeric IP addresses.)
4- F (have been around for a long time)
5- F (external and internal)
6- F (affect any business that operates online or has an online presence.)
7- T
8- T
9- F (should be a priority for all businesses, regardless of size or resources)
10- F (Firewalls and antivirus software are two different types of security technology.)
11- T
12- F (Two-factor authentication requires the use of two different types of credentials, such as a password and a fingerprint scan)
13- T
14- F (A worm is a software program that runs independently and is capable of propagating a complete working version of itself onto another machine.)
15- T
16- T
Multiple Choice
1. Which of the following is a type of cybercrime?
a) Insider trading
b) Embezzlement
c) Corporate espionage
d) All of the above

2. What is a worm?
a) A type of virus that requires its host program to be run to activate it
b) A software program that runs independently and consumes the resources of its host in order to maintain
itself
c) A piece of software code that inserts itself into a host, including the operating system,
in order to propagate
d) None of the above

3. What is two-factor authentication?


a) The use of two different types of credentials to verify identity
b) The use of two different passwords to access a system or application
c) The use of biometric authentication and encryption together
d) None of the above

4. What is phishing?
a) Pages created deliberately to trick search engines into offering inappropriate search results
b) Pages that use techniques that deliberately subvert a search engine's algorithms to
artificially inflate their rankings
c) A type of social engineering attack that involves tricking users into divulging
sensitive information by posing as a trustworthy entity
d) None of the above

5. What is encryption?
a) The process by which plaintext is converted into ciphertext to protect data from
unauthorized access
b) The process by which ciphertext is converted back into plaintext for human-readable output
c) The process by which data is compressed to reduce its size for storage or transmission
d) None of the above

6. What is a Trojan horse?


a) A type of virus that requires its host program to be run to activate it
b) A software program that runs independently and consumes the resources of its host in
order to maintain itself
c) A type of malware that disguises itself as legitimate software in order to trick
users into installing it on their systems
d) None of the above

7. What is a spam site?


a) A website that sends unsolicited email messages to numerous recipients
b) A website that contains links to other websites for the purpose of artificially
inflating their rankings
c) A website that contains low-quality or irrelevant content for the purpose of
generating ad revenue
d) None of the above

8. What is social engineering?


a) The use of social media platforms for marketing purposes
b) The use of psychological manipulation to trick people into divulging sensitive
information or performing actions they wouldn't normally do
c) The use of encryption and other security technologies to protect data from unauthorized access
d) None of the above

9. What is a data breach?


a) An attack on a system or network designed to prevent authorized users from
accessing it by overwhelming it with traffic
b) The unauthorized access, disclosure, or theft of sensitive information from a system or network
c) The process by which plaintext is converted into ciphertext to protect data from
unauthorized access
d) None of the above
10. What is a virtual private network (VPN)?
a) A type of malware that disguises itself as legitimate software in order to trick
users into installing it on their systems
b) A type of social engineering attack that involves tricking users into divulging
sensitive information by posing as a trustworthy entity
c) A secure, encrypted connection between two devices used to protect data transmitted
over public networks
d) None of the above
11. What is a vulnerability?
a) A weakness in software or other mechanism that threatens the confidentiality,
integrity, or availability of an asset
b) A type of social engineering attack that involves tricking users into divulging
sensitive information by posing as a trustworthy entity
c) A type of malware that disguises itself as legitimate software in order to trick
users into installing it on their systems
d) None of the above
12. What is a zombie computer?
a) A computer infected with malware that is under the control of a spammer, hacker, or
other criminal
b) A type of virus that requires its host program to be run to activate it
c) The process by which plaintext is converted into ciphertext to protect data from
unauthorized access
d) None of the above
13. What is denial-of-service (DoS)?
a) An attack on a system or network designed to prevent authorized users from
accessing it by overwhelming it with traffic
b) The unauthorized access, disclosure, or theft of sensitive information from a system or network
c) The use of two different types of credentials to verify identity
d) None of the above
14. What is spam?
a) A type of malware that disguises itself as legitimate software in order to trick
users into installing it on their systems
b) The electronic equivalent of junk mail
c) A type of social engineering attack that involves tricking users into divulging
sensitive information by posing as a trustworthy entity

15. What is a virus?


a) A type of malware that disguises itself as legitimate software in order to trick
users into installing it on their systems
b) A piece of software code that inserts itself into a host, including the operating system,
in order to propagate
c) An attack on a system or network designed to prevent authorized users from
accessing it by overwhelming it with traffic
d) None of the above

Answers:

1- C 2- B 3- A 4- C
5- A 6- C 7- C 8- B
9- B 10- C 11- A 12- A
13- A 14- B 15- B
