Privacy And Security Issues In Ecommerce


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Since the invention of the World Wide Web (WWW) in 1989, Internet-based electronic commerce has been transformed from a mere idea into reality. Consumers browse through catalogues, search for the best offers, order goods and pay for them electronically. Information services can be subscribed to online, and many newspapers and scientific journals are readable via the Internet. Most financial institutions have some sort of online presence, allowing their customers to access and manage their accounts, make financial transactions, trade stocks, and so forth.

Thus, doing electronic business on the Internet is already easy; unfortunately, so are cheating and snooping. Several factors contribute to this insecurity. The Internet itself offers little security: eavesdropping on unencrypted traffic and acting under a false identity are simple, and theft of data goes undetected in most cases. Popular PC operating systems offer little or no protection against viruses and other malicious software, which means that users cannot even trust the information displayed on their own screens. At the same time, user awareness of security risks is alarmingly low.

E-commerce has led to a new generation of associated security threats.

Threats to E-Commerce

Several threats have a serious effect on e-commerce and make doing business over the Internet difficult. But

Access and Connectivity

With the tremendous growth of the Internet and of e-commerce activity, there is an urgent need for access, connectivity and local hosting. In many countries, connection speed and download times are still regarded as slow.

Authentication and Standardization

E-commerce growth in the B2B and B2C segments will depend strongly on the wide availability of an appropriate authentication infrastructure, as well as on standards for goods sold over the Net. These would help remove security concerns and boost confidence in e-commerce transactions.

Cyber Laws

The streamlining of cyber laws related to taxation, protection of intellectual property rights and cyber crimes would help cross-border e-commerce. Fraud and morality issues still dominate most people’s fears about the Internet and ecommerce.

Technology

E-commerce growth will be centred on new technologies. The use of mobile phones in e-commerce, for example, would depend heavily on the authentication protocols of WAP (the Wireless Application Protocol). The introduction of WAP mobile phones will widen access to the Internet.

Limitations and Asymmetries of Infrastructure

Although we should be wary of a technology-centred, "field-of-dreams" view of success factors, an appropriate technological infrastructure is necessary for the development of e-commerce. The infrastructure of the Internet, which acts as the current global information infrastructure, has acknowledged problems. The issues turn on the provision of sufficient bandwidth for surging use that is also moving to multimedia transmission, and on the problems fostered by the decentralised nature of the Internet.

Technical Attacks

Technical attacks are one of the most challenging types of security compromise an e-commerce provider must face. Perpetrators of technical attacks, and in particular denial-of-service attacks, typically target sites or services hosted on high-profile web servers such as those of banks, credit card payment gateways, large online retailers and popular social networking sites.

Denial of Service Attacks

Denial of Service (DoS) attacks consist of overwhelming a server, a network or a website with traffic or malformed input in order to paralyse its normal activity. Defending against DoS attacks is one of the most challenging security problems on the Internet today. A major difficulty in preventing these attacks is tracing their source, since attackers often use forged (spoofed) IP source addresses to disguise the true origin of the attack.

Symptoms of a denial-of-service attack include:

Unusually slow network performance

Unavailability of a particular web site

Inability to access any web site

Dramatic increase in the number of spam emails received

DoS attacks can be executed in a number of different ways, including:

ICMP flood, including the Smurf attack, in which ICMP echo requests with the victim's spoofed source address are sent to a network's broadcast address so that every host on it replies to the victim

Teardrop attack, in which malformed, overlapping IP fragments crash vulnerable TCP/IP stacks during reassembly

Phlashing (permanent denial of service), which corrupts a device's firmware so that it must be reflashed or replaced

Distributed Denial-of-Service Attacks

Distributed Denial of Service (DDoS) attacks are one of the greatest security fears for IT managers. In a matter of minutes, thousands of compromised computers can flood a victim website and choke out legitimate traffic. A DDoS attack occurs when multiple compromised systems flood the bandwidth or resources of a targeted system, usually one or more web servers; because each attacking host contributes only a small share of the load, blocking individual addresses does little. The most famous DDoS attacks occurred in February 2000, when websites including Yahoo, Buy.com, eBay, Amazon and CNN were attacked and left unreachable for several hours each.
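The difference between a single-source flood and a distributed one shows up directly in a web server's access log, and that is where a practitioner would first look. The following script is an added example, not code from the original essay: it parses combined-format access-log lines, buckets requests into fixed ten-second windows, and flags both a single address exceeding a per-source threshold and a window whose total rate is far above normal even though no single address stands out. The log lines, addresses and thresholds are constructed for the demonstration and are assumptions, not real traffic or tuned values.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined"-style access-log prefix: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {'ip', 'ts', 'req', 'status'} for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "req": m["req"],
        "status": int(m["status"]),
    }


def detect_floods(lines, window_s=10, per_ip_limit=20, total_limit=200):
    """Bucket requests into fixed windows and flag two flood patterns.

    single      -> (window_start, ip, count) for any one source above per_ip_limit
    distributed -> (window_start, total, distinct_ips) for windows whose total request
                   count exceeds total_limit while no single source trips per_ip_limit,
                   i.e. the load is spread across many hosts (the DDoS signature).
    The thresholds are assumptions chosen for the constructed sample; tune them
    against your own baseline traffic.
    """
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        start = int(rec["ts"].timestamp()) // window_s * window_s
        buckets[start][rec["ip"]] += 1

    single, distributed = [], []
    for start, ips in sorted(buckets.items()):
        busiest = max(ips.values())
        for ip, n in ips.items():
            if n > per_ip_limit:
                single.append((start, ip, n))
        total = sum(ips.values())
        if total > total_limit and busiest <= per_ip_limit:
            distributed.append((start, total, len(ips)))
    return single, distributed


def make_sample_log():
    """Constructed sample traffic (not real logs): a few legitimate clients, one
    single-source flood, then a distributed flood twenty seconds later."""
    base = datetime(2017, 11, 2, 9, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, t, path="/index.html"):
        lines.append(f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512')

    for i in range(5):                      # five legitimate clients, three requests each
        for k in range(3):
            add(f"198.51.100.{i + 1}", base + timedelta(seconds=k))
    for k in range(60):                     # one host hammering /checkout: 60 requests in 10 s
        add("203.0.113.7", base + timedelta(seconds=k % 10), "/checkout")
    for k in range(300):                    # 300 distinct hosts, one request each, within 10 s
        add(f"10.0.{k // 250}.{k % 250 + 1}", base + timedelta(seconds=20 + k % 10), "/checkout")
    return lines


if __name__ == "__main__":
    single, distributed = detect_floods(make_sample_log())
    for start, ip, n in single:
        print(f"single-source flood in window {start}: {ip} sent {n} requests")
    for start, total, hosts in distributed:
        print(f"distributed flood in window {start}: {total} requests from {hosts} hosts")
```

Run against the constructed sample it reports one single-source flood (203.0.113.7 with 60 requests) and one distributed window of 300 requests from 300 hosts, which is exactly why a per-address block list that would stop the first does nothing against the second.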

Brute Force Attacks

A brute force attack is a method of defeating a cryptographic scheme by trying a large number of possibilities, for example every key in a key space, until a message decrypts correctly; the same approach is used against passwords. Brute force attacks, although perceived as low-tech, are not a thing of the past. (The attacks that crippled Estonia's Internet infrastructure in April and May 2007, sometimes cited in this context, were sustained distributed denial-of-service attacks against government and commercial institutions, not cryptographic brute force.) What makes brute force practical or not is simply the size of the key space: every extra bit of key doubles the attacker's work.
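To make the key-space point concrete, here is an added example (not from the original essay) of exhaustive key search against a deliberately weak toy stream cipher. The cipher, its 20-bit key size, the secret key and the order message are all constructed assumptions for the demonstration; the only thing the "attacker" knows is that every order message starts with the header "ORDER-ID:", a known-plaintext condition that lets each candidate key be tested with a single hash.

```python
import hashlib

KEY_BITS = 20           # toy key size chosen so exhaustive search finishes in seconds (assumption)


def keystream(key: int, length: int) -> bytes:
    """Toy stream-cipher keystream: SHA-256 of (key || counter) blocks, concatenated. Demo only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_with_key(data: bytes, key: int) -> bytes:
    """Encrypt or decrypt (XOR with the keystream is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def brute_force(ciphertext: bytes, known_prefix: bytes):
    """Try every key in the space in order; the first whose decryption reproduces the
    known plaintext prefix is returned together with the number of keys tried.
    Returns (None, 2**KEY_BITS) if nothing matches."""
    n = len(known_prefix)
    for candidate in range(1 << KEY_BITS):
        if xor_with_key(ciphertext[:n], candidate) == known_prefix:
            return candidate, candidate + 1
    return None, 1 << KEY_BITS


def demo():
    secret_key = 0x2A5F1                     # constructed secret the attacker does not know
    message = b"ORDER-ID:48213 AMOUNT:129.99 CARD-LAST4:4242"
    ciphertext = xor_with_key(message, secret_key)
    recovered, tries = brute_force(ciphertext, b"ORDER-ID:")   # known-plaintext header
    return {
        "recovered_key": recovered,
        "tries": tries,
        "plaintext": xor_with_key(ciphertext, recovered) if recovered is not None else None,
        "keys_in_space": 1 << KEY_BITS,
        "keys_for_128_bit": 1 << 128,
    }


if __name__ == "__main__":
    r = demo()
    print(f"key 0x{r['recovered_key']:x} found after {r['tries']:,} of {r['keys_in_space']:,} keys")
    print("recovered plaintext:", r["plaintext"].decode())
    print(f"a 128-bit key space holds {r['keys_for_128_bit']:.3e} keys; the same search is infeasible")
```

The search recovers the key after roughly 174,000 of the 1,048,576 possible keys in well under a second of Python. The same loop against a 128-bit key would need on the order of 10^38 trials, which is the whole argument for adequate key length; note also that a 9-byte known prefix makes an accidental false match vanishingly unlikely, so the check itself is sound.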

Non-Technical Attacks

Phishing Attacks

Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing scams are generally carried out by sending the victim a fraudulent email purporting to come from a legitimate organisation and requesting sensitive information. When the victim follows the link embedded in the email, they are taken to an elaborate duplicate of the legitimate organisation's website, and whatever they type there goes to the attacker. The tell-tale sign is usually the link itself: the text the victim sees and the address the link actually points to are not the same. Phishing attacks generally target bank customers, online auction sites (such as eBay), online retailers (such as Amazon) and service providers (such as PayPal). According to Community Banker, cybercriminals have more recently become more sophisticated in the timing of their attacks, posing as charities in times of natural disaster.
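The mismatch between displayed text and real destination can be checked mechanically. The script below is an added example, not part of the original essay: it extracts every link from an HTML email body and flags the classic tricks (a "user@host" prefix that hides the real host, a raw IP address, a punycode host, a host outside the expected domain, and visible text naming one site while the link goes to another). The sample email, the domain names and the crude "last two labels" notion of a registrable domain are assumptions made for the demonstration; a production checker would use the Public Suffix List.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def registrable(host: str) -> str:
    """Crude 'registrable domain': the last two labels. Assumption good enough for the
    sample; a real checker must consult the Public Suffix List (e.g. co.uk)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(href: str, text: str, expected_domain: str):
    """Return the reasons a link looks like phishing (empty list if it looks clean)."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.username or parts.password:
        reasons.append("credentials before '@' hide the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host (possible homograph)")
    if registrable(host) != expected_domain:
        reasons.append(f"host '{host}' is not under {expected_domain}")
    if URL_LIKE.fullmatch(text):              # the visible text itself looks like an address
        shown = urlsplit(text if "://" in text else "http://" + text).hostname or ""
        if registrable(shown) != registrable(host):
            reasons.append(f"text shows '{shown}' but link goes to '{host}'")
    return reasons


def scan_email(html: str, expected_domain: str):
    """Map each suspicious href to its reasons; clean links are left out."""
    extractor = LinkExtractor()
    extractor.feed(html)
    flagged = {}
    for href, text in extractor.links:
        reasons = check_link(href, text, expected_domain)
        if reasons:
            flagged[href] = reasons
    return flagged


# Constructed phishing-style e-mail body (not a real message); one link is genuine.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been limited.</p>
<p><a href="https://www.paypal.com/help">Help centre</a></p>
<p><a href="http://www.paypal.com@198.51.100.9/login">Confirm your identity</a></p>
<p><a href="http://paypal.com.account-verify.example/login">www.paypal.com</a></p>
<p><a href="https://xn--pypal-4ve.com/">Log in now</a></p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL, "paypal.com").items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Only the genuine help-centre link passes; the other three are flagged for different reasons, which is the point of checking several independent signals rather than a single block list.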

Social Engineering

Social engineering is the art of manipulating people into performing actions or divulging confidential information. Techniques include pretexting (the fraudster invents a scenario to get the victim to divulge information), interactive voice response (IVR) or phone phishing (the fraudster gets the victim to divulge sensitive information over the phone, often to a fake automated system), and baiting with Trojan horses (the fraudster tempts the victim into loading malware onto a system). Social engineering has become a serious threat to e-commerce security because it is difficult to detect and to combat: it exploits human factors, which cannot be patched in the way hardware or software can, although staff training and education can partly thwart it.

Risk of E-commerce

Several types of risk are inherent in e-commerce because of its nature and the methods it relies on. All parties to an e-commerce transaction face these risks.

Privacy

Privacy has become a major concern for consumers with the rise of identity theft and impersonation, and any concern of consumers must be treated as a major concern for e-commerce providers. Legislation in the EU, and in the US at both federal and state level, requires certain organisations to inform customers about how their information is used and disclosed. Such disclosures are typically made through privacy policies, both online and offline.

A clear privacy policy builds trust, and trust in turn is linked to increased customer loyalty, manifested in increased purchases, openness to trying new products, and willingness to participate in programmes that use additional personal information. Privacy now forms an integral part of any e-commerce strategy, and investment in privacy protection has been shown to increase consumers' spending, trust and loyalty.

Data Integrity and Repudiation

Data integrity is the assurance that transmitted data is consistent and correct, that is, that it has not been tampered with or altered in any way during transmission. Without proper controls, electronic transactions and documents can easily be changed, lost, duplicated or incorrectly processed. Any of these may cause the integrity of electronic transactions and documents to be questioned, leading to disputes about the terms of a transaction and the related billing. Potential consumers may therefore seek assurance that the company has effective transaction integrity controls and a history of processing its transactions accurately, completely and promptly, and of billing its consumers appropriately.

Repudiation is the risk that one party later denies having taken part in a transaction, or denies its terms, after the transaction has actually occurred. Integrity protection alone does not settle this: a checksum or a keyed MAC shows that data was not altered, but it does not tie the data to a particular party, since anyone who can verify a MAC can also produce one. Non-repudiation requires evidence that binds the transaction to the party who authorised it, in practice a digital signature made with a key only that party holds (see Digital Signatures below).

Business Practices

E-commerce often involves transactions between strangers. Appearances can be deceiving, and several questions arise. How can a consumer know:

Whether a company will really carry out its orders for products and services as it claims?

Whether there are product guaranties, or whether the company will allow the return of products?

How a company will use any information submitted by him/her?

With the anonymity of e-commerce, the unscrupulous can establish (and abandon) electronic identities with relative ease. This makes it crucial that people know that the companies they do business with disclose and follow certain business practices. Without such information, and the assurance that the company has a history of following such practices, consumers face an increased risk of loss, fraud, inconvenience or unsatisfied expectations.

Payment Systems Security Issues

The credit card is one of the primary means of electronic payment on the WWW. Although a large percentage of users (20%) report having had their credit card details stolen, there is still a great deal of consumer confidence in paying by credit card. This trust should not be betrayed, and arrangements should be made to reassure those who are reluctant.

Solutions for Threats and Risk of E-Commerce

Digital Signatures

One of the key developments in e-commerce security, and one which has led to the widespread growth of e-commerce, is the introduction of digital signatures as a means of verifying data integrity and authenticating the sender. In 1995, Utah became the first jurisdiction in the world to enact an electronic signature law. An electronic signature may be defined as "any letters, characters, or symbols manifested by electronic or similar means and executed or adopted by a party with the intent to authenticate writing". Under that law, for a digital signature to attain the same legal status as an ink-on-paper signature, asymmetric-key (public-key) cryptography must have been employed in its production. Such a system uses a key pair: the signer computes a cryptographic hash of the message and transforms it with their private key to produce the signature, and anyone holding the corresponding public key can check that the signature matches the message, whereas nobody without the private key can produce a valid signature. (The same kind of key pair can be used the other way round for confidentiality: a sender encrypts with the recipient's public key and only the recipient's private key can decrypt.) This is well suited to electronic transactions, since two stranger parties, perhaps living far apart, can confirm each other's identity and thereby reduce the likelihood of fraud. Non-repudiation techniques prevent the sender of a message from subsequently denying that they sent it; digital signatures built from public-key cryptography and hash functions are the generally accepted means of providing non-repudiation of communications, provided the private key has been kept secret.
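The hash-then-transform mechanism, and why a tampered order fails verification, is easiest to see in code. The block below is an added example and not code from the original essay: it is textbook RSA with a deliberately small key built from two known Mersenne primes so that no key generation is needed, the hash is truncated to fit under the modulus, and no padding is applied. Those shortcuts are assumptions for the demonstration only; unpadded textbook RSA is not secure (signatures can be combined multiplicatively) and real systems use RSA-PSS or PKCS#1 v1.5 with keys of at least 2048 bits.

```python
import hashlib

# Toy RSA key from two known Mersenne primes (demo assumption: a real key is >= 2048 bits
# and its primes are generated randomly and kept secret).
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q                                 # public modulus, about 150 bits
E = 65537                                 # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent (modular inverse; Python >= 3.8)


def message_digest(message: bytes) -> int:
    """Hash the message and take the first 16 bytes as an integer so it is below N.
    Real schemes pad the full hash (PKCS#1 v1.5 or PSS); truncation is a demo shortcut."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(message: bytes, private_exponent: int = D, modulus: int = N) -> int:
    """Signer side: transform the hash with the private key. Only the key holder can do this."""
    return pow(message_digest(message), private_exponent, modulus)


def verify(message: bytes, signature: int, public_exponent: int = E, modulus: int = N) -> bool:
    """Verifier side: undo the transform with the public key and compare with a fresh hash."""
    return pow(signature, public_exponent, modulus) == message_digest(message)


def demo():
    order = b"order=48213;amount=129.99;ship-to=12 High St"   # constructed order record
    sig = sign(order)
    tampered = order.replace(b"129.99", b"12.99")             # amount altered after signing
    forged = sign(b"some other message")                      # a real signature, wrong message
    return {
        "genuine": verify(order, sig),        # integrity and origin both confirmed
        "tampered": verify(tampered, sig),    # one changed byte changes the hash: fails
        "forged": verify(order, forged),      # signature does not fit this message: fails
    }


if __name__ == "__main__":
    print(demo())
```

The customer (or a court) needs only the public key to check the signature, while only the holder of D could have produced it, which is what turns an integrity check into non-repudiation.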

Server Logs

Most WWW servers log every access to them. The log usually includes the client's IP address or DNS name, the time of the request, the user's name (if known through user authentication or obtained via the ident protocol), the URL requested, the status of the request, and the size of the data transmitted. Browsers also identify the client software used (the User-Agent header) and the URL the user came from (the Referer header), and some early browsers even sent the user's e-mail address. Revealing any of these data could be damaging to a user. The privacy risk can therefore be reduced by logging only the kinds of information users have agreed to have logged, such as the page requested, the time of the request and the browser used, and by keeping query strings and other identifiers out of long-term logs. Many users seem comfortable providing demographic information if its purpose and use are made clear to them.
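One way to put that advice into practice is to minimise each log line as it is archived. The script below is an added example, not part of the original essay: it parses Apache "combined" format lines, drops the ident and authenticated user fields, strips query strings from the request (they often carry session tokens or e-mail addresses), keeps only the host of the Referer, and replaces the client address with a keyed pseudonym that is stable within one day (so abuse can still be correlated) but unlinkable across days. The sample lines, the secret and the per-day rotation policy are constructed assumptions.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# Apache "combined" log format.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def pseudonymize_ip(ip: str, secret: bytes, day: str) -> str:
    """Keyed, per-day pseudonym for a client address. The same client gets the same token
    within a day, a different one the next day, and the address cannot be recovered
    without the secret (an unkeyed hash of an IPv4 address is trivially reversible)."""
    day_key = hmac.new(secret, day.encode(), hashlib.sha256).digest()
    return hmac.new(day_key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def minimize(line: str, secret: bytes):
    """Reduce one combined-format line to the fields worth keeping; None if it does not parse."""
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    day = m["ts"][:11]                                         # e.g. "02/Nov/2017"
    return {
        "client": pseudonymize_ip(m["ip"], secret, day),
        "time": m["ts"],
        "path": urlsplit(m["target"]).path,                    # query string dropped
        "status": int(m["status"]),
        "referer_host": urlsplit(m["referer"]).hostname or "",  # site only, not the full URL
        "agent": m["agent"],
        # ident and the authenticated user name are deliberately not kept
    }


# Constructed sample lines (not real traffic): same client twice on one day, once the next.
SAMPLE_LINES = [
    '203.0.113.7 - alice [02/Nov/2017:09:15:02 +0000] "GET /checkout?session=9f1c&email=alice%40example.org HTTP/1.1" 200 1843 "https://search.example/q?shoes" "Mozilla/5.0"',
    '203.0.113.7 - alice [02/Nov/2017:09:15:09 +0000] "POST /pay HTTP/1.1" 302 0 "https://shop.example/checkout" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Nov/2017:08:01:44 +0000] "GET /orders HTTP/1.1" 200 771 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Assumption: the secret lives with the archive key, not on the web server next to the logs.
    secret = b"rotate-me-and-keep-me-off-the-web-server"
    for line in SAMPLE_LINES:
        print(minimize(line, secret))
```

The raw address, the user name and the e-mail address in the query string never reach the archived record, yet the two same-day requests still share a client token, which is all that most abuse investigations need.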

Transaction Security

Client/Server and Network Issues

The transaction security of a WWW site can be compromised in many ways. There are numerous means for an unsavoury individual to snoop on what you are sending to or receiving from the other end, including, but not limited to, the following:

Spoofing. A client can trick your server into believing that the request or post it is sending comes from some other host. This is known as IP and/or DNS spoofing. Your server may respond as if the client were "trusted" when it is not.

Sniffing. In some cases it is possible for an unsavoury individual to capture packets as they travel over the network, especially over shared or wireless links, cellular modems, unsecured phone lines and the like.

Traffic analysis. By sampling packets or, more commonly, by reading the server log files, an individual can learn about the nature of the transactions your site processes. This may be used, for instance, by a site offering the same services or products to gauge how competitive your site is.

In each of these cases the risk can be eliminated or greatly reduced. Against spoofing and sniffing, the preferred technique is to encrypt or sign the transaction data: the receiving end must hold the appropriate key to decrypt or verify what your server sends, so an attacker who captures the traffic cannot read it and one who forges its source cannot alter it undetected. Against traffic analysis of the data files, restricting the permissions on the log directory, the logs and the files themselves is the preferred technique, and the logs can be encrypted for permanent archival. Most commercially available servers and their respective clients implement encrypted transactions; what were once proprietary schemes have since given way almost universally to standard TLS (HTTPS).

In order to gain consumer confidence, many companies have joined programmes that have their privacy practices administered by third parties and make their business practices explicit. Two particularly notable initiatives in that direction are the WebTrust e-commerce seal of assurance from the public accounting profession and the TRUSTe "trustmark" programme, which takes users directly to the privacy statement of a company that has joined the programme.

WebTrust

In response to the concerns related to e-commerce, and to increase consumer confidence, the public accounting profession has developed and is promoting a set of principles and criteria for business-to-consumer e-commerce, referred to as the WebTrust Principles and Criteria, and the related WebTrust seal of assurance. Independent and objective certified public accountants (CPAs) or chartered accountants (CAs) who are specifically licensed by the American Institute of Certified Public Accountants (AICPA) or the Canadian Institute of Chartered Accountants (CICA) can provide assurance services to evaluate and test whether a particular WWW site meets these principles and criteria.

The WebTrust seal of assurance is a symbolic representation of a practitioner's objective report. It also indicates to consumers that they can click it to see the practitioner's report. The seal can be displayed on the company's WWW site together with links to the practitioner's report and other relevant information. It was developed by the AICPA, the CICA and VeriSign; VeriSign encryption and authentication technology and practices help assure the consumer that the seal on a WWW site is authentic and that the site is entitled to display it.

[WebTrust seal image: http://atlas.kennesaw.edu/~tnguyen4/webtrust.gif]

TRUSTe

TRUSTe offers a programme that addresses the privacy concerns of consumers and WWW sites. The TRUSTe programme enables companies to develop privacy statements that reflect the information gathering and dissemination practices of their site. Its goal is to provide:

Online consumers with control over their personal information.

WWW publishers with a standardized, cost-effective solution for both satisfying the business model of their site and addressing consumers' anxiety over sharing personal information online.

U.S. Government regulators with demonstrable evidence that the industry can successfully self-regulate.

A cornerstone of the programme is the TRUSTe "trustmark", an online branded seal that takes users directly to a company's privacy statement:

[TRUSTe trustmark image: http://atlas.kennesaw.edu/~tnguyen4/truste.gif]

The trustmark is awarded only to sites that adhere to TRUSTe's established privacy principles and agree to comply with TRUSTe's ongoing oversight and dispute resolution process. The privacy principles embody fair information practices approved by the U.S. Department of Commerce, the Federal Trade Commission, and prominent industry organisations and associations.

P3P

W3C's Platform for Privacy Preferences Project (P3P) provides a framework for informed Internet interactions. The goal of P3P is to enable WWW sites to express their privacy practices in a machine-readable form and to enable users to exercise preferences over those practices. P3P is designed to help users reach agreements with services, such as WWW sites, that declare their privacy practices and make data requests.
