
Wednesday, April 3, 2019

Study Of Attacks On E Commerce Systems Computer Science Essay

Electronic commerce (e-commerce) products have nowadays become a core element of, and more popular on, the Internet and Web environment. Electronic commerce, the Internet and the Web environment have enabled businesses to reduce costs and bring many benefits both to the consumer and to the business. According to Forrester Research, online retail sales in the United States for 2003 exceeded $100 million. As the development of technology and the use of the Internet increase every day, the demand for technical training and electronic services is growing. Every online transaction on the Internet can be monitored and stored in many different locations; since the Internet is a public network, it is very important for businesses to understand possible security threats and vulnerabilities to their business. The key factor that affects the success of e-commerce is the exchange of credentials on the network. In this paper we will cite some of the security threats and vulnerabilities concerning e-commerce security.

Keywords: e-commerce security, threats, vulnerability, attacks

1. Introduction

The improvements that the Internet has made during the past few years have changed the way people see and use the Internet itself. The more its use grows, the more attacks target these systems and the amount of security risk increases. Security has become one of the most important issues and a significant concern for e-commerce that must be resolved [1]. Every private and public organization is taking computer and e-commerce security more seriously than before, because any possible attack immediately has an effect on e-commerce business [5].
The Internet and Web environment can bring as many security threats and vulnerabilities as opportunities for a company. The low cost and high availability of the world-wide Internet for businesses and customers has made a revolution in e-commerce [1]. This revolution in e-commerce in turn increases the need for security, as well as the number of online cheats and frauds, as is shown in Figure 1. Although there has been investment, and a very large amount of time and money spent, to provide secure networks, there is still always the possibility of a breach of security [5]. According to the IC3 2007 annual report, the total dollar loss from all referred complaints of fraud was $239.09 million [3]. The majority of these frauds and cheats were committed over the Internet or similar online services. Security is still a significant concern for e-commerce and a challenge for every company. Mitigating security threats and vulnerabilities is still a battle for every company [5]. A good security infrastructure means good productivity for the company.

Figure 1: Incidents of Internet fraud [15]

In this paper, in the first section we will give a brief overview of e-commerce and the types of e-commerce; then, in the second section, we will describe the security issues and some of the threats, vulnerabilities and attacks in e-commerce. The last section discusses various defence mechanisms used to protect e-commerce security, which is still a high concern of business.

2. E-commerce Background

Information and communication technology has become a more and more essential and integral part of businesses. This extensive use of information technology has changed the traditional way of doing business. This new way of doing business is known as Electronic Commerce (E-Commerce) or Electronic Business (E-Business) [12].
Electronic commerce or e-commerce means the buying and selling of products or services over the part of the Internet called the World Wide Web. According to Verisign (2004), electronic commerce is a strategic imperative for most competitive organisations today, as it is a key to finding new sources of revenue, expanding into new markets, reducing costs, and creating breakaway business strategies. E-commerce includes electronic trading, trading of stocks, banking, hotel booking, purchases of airline tickets and so forth [2]. There are different types of e-commerce, but we will cover e-commerce in three types of business transaction:

- B2B (business to business)
- B2C (business to consumer)
- C2C (consumer to consumer) [4]

Business to Business (B2B) e-commerce is simply defined as commerce transactions among and between businesses, such as interaction between two companies, between a manufacturer and a wholesaler, or between a wholesaler and a retailer [16]. There are four basic roles in B2B e-commerce: suppliers, buyers, market-makers and web service providers. Every company or business plays at least one of them, and many companies or businesses play multiple roles [9]. According to the Queensland government's department of state development (2001), B2B e-commerce made up 94% of all e-commerce transactions [8]. Good examples and models of B2B are companies such as IBM, Hewlett Packard (HP), Cisco and Dell.

Business-to-Consumer (B2C) e-commerce is the commerce between companies and consumers: businesses sell directly to consumers either physical goods (such as books, DVDs or consumer products) or information goods (goods of electronic material, digitized content such as software, music, movies or e-books) [10]. In B2C the web is usually used as a medium to order physical goods or information goods [8]. An example of a B2C transaction would be when a person buys a book from Amazon.com.
According to eMarketer, the revenue of B2C e-commerce, US$59.7 billion in 2000, will increase to US$428.1 billion by 2004 [10].

Consumer to Consumer (C2C) e-commerce is the type of e-commerce which involves business transactions among private individuals or consumers using the Internet and World Wide Web. Using C2C, customers can advertise goods or products and sell them directly to other consumers. A good example of C2C is eBay.com, an online auction where customers, using this web site, are able to sell a wide variety of goods and products to each other [6]. There is less information on the size of global C2C e-commerce [10]. Figure 2 illustrates some of the e-commerce business models described above.

Figure 2: Common e-commerce business models [14]

3. Security threats to e-commerce

Security has three basic concepts: confidentiality, integrity, and availability. Confidentiality ensures that only authorized persons have access to the information and unauthorized persons do not; integrity ensures that the data stored on any device, or sent during a communication process, is not altered by any malicious user; availability ensures that the information is available when it is needed [16]. Security plays an important role in e-commerce. The number of online transactions has increased tremendously in the last years, and this has been accompanied by an equal rise in the number of threats and types of attacks against e-commerce security [13]. A threat can be defined as the potential to exploit a weakness that may result in unauthorised access or use, disclosure of information or consumption, theft or destruction of a resource, or disruption or modification [8].
The e-commerce environment has different members involved in the e-commerce network:

- Shoppers, who order and buy products or services
- Merchants, who offer products or services to the shoppers
- The software (web site) installed on the merchant's server, and the server itself
- The attackers, who are the dangerous part of the e-commerce network

Looking at the above parties involved in the e-commerce network, it is easy to see that malicious hackers threaten the whole network and are its most dangerous part. These threats on e-commerce can abuse, damage and cause high financial loss to business. Figure 3 displays the methods the hackers use in an e-commerce network [11].

Figure 3: Target points of the attacker [11]

The assets that must be protected to ensure secure electronic commerce in an e-commerce network include the client (shopper) computers, or client side; the transactions that travel on the communication channel; the web site on the server; and the merchant's server, including any hardware attached to the server, or server side. The communication channel is one of the major assets that needs to be protected, but it is not the only concern in e-commerce security. Client-side security is the major security concern from the user's point of view; server-side security is a major concern from the service provider's point of view. For example, if the communication channel were made secure but there were no security measures for either the client side or the server side, then no secure transmission of information would exist at all [1, 2]. According to Figure 3 above, there are several different security attack methods that an aggressor or hacker can use to attack an e-commerce network. In the next section we will describe potential security attack methods.

4. Possible Attacks

This section overviews and describes various attacks that can occur in the context of an e-commerce application. Moreover, ethical aspects are taken into consideration.
From an attacker's point of view, there are multiple actions that the attacker can perform while the shopper has no clue what is going on. The attacker's aim is to gain access to each and every piece of information in the network flow, from when the buyer has pressed the buy button until the web site server has responded back. Furthermore, the attacker tries to attack the application system in the most discreet way. An overview of various attacks on e-commerce is given below.

Tricking the Shopper: One very profitable and simple way of capturing the shopper's behaviour and information, to use against the shopper, is by tricking the shopper, which in other words is known as the social engineering technique. This can be done in various ways. Some of them are:

An attacker can call the shopper, pretending to be an employee of a shopping site, to extract information about the shopper. Thereafter, the attacker can call the shopping site, pretend to be the shopper, ask them for the user information, and further ask for a password to the user account. This is a very usual scenario. Another example would be to reset the password by giving the shopper's personal information, such as date of birth, mother's maiden name, favourite movie, etc. If it is the case that the shopping website gives this information away, then retrieving the password is not a big challenge anymore.

A last way of retrieving personal information, which by the way is used a great deal across the World Wide Web today, is by using phishing schemes. It is very hard to distinguish, for example, www.microsoft.com/shop from www.micorsoft.com/shop. The difference between these two is a swap of the letters r and o. But entering the wrong, fake shop, which pretends to be the original shop with login forms and password fields, will provide the attacker with all confidential information.
And this happens if the shopper mistypes the URL. The mistyped URL might also be sent through email, pretending to be the original shop, without the buyer noticing [11, 15].

Password Guessing: Attackers are also aware that it is possible to guess a shopper's password. But this requires information about the shopper. The attacker might need to know the birthday, the age, the last name, etc. of the shopper, in order to try different combinations. It is very common that personal information is used in the password by many users on the Internet, since it is easy to remember. But still, it takes a lot of effort from the attacker's side to make software that guesses the shopper's password. One very famous attack is to look up words from the dictionary and use these as passwords; this is also known as the dictionary attack. Or the attacker might look at statistics on which passwords are most commonly used in the entire world [15].

Workstation Attack: A third approach is to try to attack the workstation where the website is located. This requires that the attacker knows the weaknesses of the workstation, since such weak points are always present in workstations and there exists no perfect system without any vulnerabilities. Therefore, the attacker might have a possibility of accessing the workstation's root via the vulnerabilities. The attacker first tries to see which ports are open on the targeted workstation, by using either their own or already developed applications. And once the attacker has gained access to the system, it will be possible to scan the workstation's information about shoppers to find their IDs and passwords or other confidential information.

Network Sniffing: When a shopper is visiting a shopping website and there is a transaction ongoing, then the attacker has a fourth possibility. This possibility is called sniffing.
That an attacker is sniffing means that all data exchanged between the client and the server is being sniffed (traced) by using several applications. Network communication is, furthermore, not like human communication. In a human conversation, there might be a third person somewhere listening to the conversation. In network communication technology, the data sent between the two parties is first divided into something called data packets before the actual sending from one party to the other. The other party on the network will then gather these packets back into the one piece of data which was sent, so that it can be read. Usually, the attacker seeks to be as close as possible to either the shopper's site or the web site to sniff information. If the attacker is placed in the middle between the shopper and the website, the attacker might therefore retrieve every piece of information (data packets). As an example, assume a local Norwegian shopper wants to buy an item from a webshop located in the United States of America. The first thing which will happen is that the personal information data being sent from the shopper will be divided into small pieces of data on its way to the server located in the USA. Since the data flow over the network is not controlled by a human, the packets might be sent to different locations before reaching the destination. For instance, some information might go via France, Holland and Spain before actually reaching the USA. In such a case, if the sniffer/attacker was located in France, Holland or Spain, the attacker might not retrieve every single piece of information. And given that data, the attacker might not be able to analyze and retrieve enough information. This is exactly the reason why attackers are as close as possible to either the source or the destination point (client side or server side).
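The lookalike address in the phishing example above (www.microsoft.com/shop against www.micorsoft.com/shop) differs from the genuine one by a single swapped pair of letters, which is exactly the kind of difference a shopper's eye misses but a program catches. The following Python is an added example, not code from the essay or from any of the cited sources: it classifies the host of a link as trusted, lookalike or unknown against a constructed list of trusted shop domains, treating a swap of two adjacent letters as one edit, and also flags a trusted brand buried inside some other registered domain. The trusted-domain list, the sample links and the two-label rule for the registered domain are assumptions.

```python
"""Flag links whose host merely resembles a trusted shop domain.

Added example, not code from the essay. The trusted-domain list, the
sample links and the two-label registered-domain rule are assumptions.
"""
from urllib.parse import urlparse

# Constructed list of shop domains the shopper is known to use.
TRUSTED_DOMAINS = ["microsoft.com", "amazon.com", "ebay.com"]


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion,
    substitution, or swap of two adjacent characters each cost 1, so
    'micorsoft' is one edit away from 'microsoft'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registered_domain(host: str) -> str:
    """Keep the last two labels (shop.example.com -> example.com).
    Assumption: a real deployment would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the link's host."""
    host = (urlparse(url).hostname or "").lower()
    if any(host == t or host.endswith("." + t) for t in trusted):
        return "trusted"
    # A trusted brand used as a subdomain of some other registered domain,
    # e.g. microsoft.com.login-example.net, is a lookalike too.
    if any("." + t + "." in "." + host + "." for t in trusted):
        return "lookalike"
    name = registered_domain(host).rsplit(".", 1)[0]   # 'micorsoft' from 'www.micorsoft.com'
    for t in trusted:
        if edit_distance(name, t.rsplit(".", 1)[0]) <= max_edits:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://www.microsoft.com/shop", "http://www.micorsoft.com/shop",
                 "http://microsoft.com.login-example.net/", "https://shop.example.org/"):
        print(f"{classify_link(link):10} {link}")
```

A mail gateway or a browser extension would run classify_link over every link in an incoming message and warn on "lookalike"; "unknown" is left alone because most of the web is neither trusted nor a counterfeit of something trusted.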
Known Bug Attack: The known bug attack can be used on both the shopper's site and on the web site. By using already developed tools, the attacker can find out which software the target server is running and using. From that point, the attacker further needs to find patches for the software and analyze which bugs have not been corrected by the administrators. And knowing the bugs which are not fixed, the attacker will then have the possibility of exploiting the system [11].

There are still many more attacks one can do than those described above. Other attacks that can be used against e-commerce applications include Denial of Service (DoS) attacks, where the attacker impacts the servers, and by using several methods the attacker can retrieve necessary information. Another known attack is the buffer overflow attack. If an attacker has gained access to the root, the attacker might further get personal information by making his own buffer, where all overflow (information) is transferred to the attacker's buffer. Some attackers also use the possibility of looking into the HTML code. The attacker might retrieve sensitive information from that code if the HTML is not well structured or optimized. Java, JavaScript or ActiveX are used in HTML as applets, and the attacker might also distort these and put a worm into the computer to retrieve confidential information.

5. Defence

For each new attack presented in the real world, a new defence mechanism needs to be presented as well, to protect the company from unsuspected issues. This section introduces some defence issues: how to protect against the attacks described in the previous section. However, the main purpose from a seller's point of view in an e-commerce application is to protect all information. Protecting a system can be performed in several ways.

Education: In order to reduce the tricking attacks, one might educate all shoppers.
This requires a lot of effort and time and is not simple, since many customers will still be tricked by common social engineering work. Merchants therefore have to keep reminding customers to use a secure password, since this is used as the identity. Therefore it is important to have different passwords for different websites as well, and probably to save these passwords in a secure way. Furthermore, it is very important not to give out information via a telephone conversation, email or online programmes.

Setting a Safe Password: It is very important that customers do not use passwords which are linked to themselves, such as their birthdays, children's names, etc. Therefore it is important to use a strong password. A strong password has many definitions. For example, the length of the password is an important factor, together with various special characters. If a shopper cannot find a strong password, then there are many web sites providing such strong passwords.

Managing Cookies: When a shopper registers on a website with personal information, a cookie is stored on the computer, so no information needs to be entered again at the next logon. This information is very useful for an attacker; therefore it is recommended to stop using cookies, which is a very easy step to do in the browser [11].

Personal Firewall: An approach to protecting the shopper's computer is to use a personal firewall. The purpose of the firewall is to control all incoming traffic to the computer from the outside. And further, it will also control all outgoing traffic. In addition, a firewall also has an intrusion detection system installed, which ensures that unwanted attempts at accessing, modifying or disabling the computer will not be possible. Therefore, it is recommended that a firewall is installed on the PC of a shopper.
And since bugs can occur in a firewall, it is therefore also important to update the firewall [11].

Encryption and Decryption: All traffic between two parties can be encrypted from when it is sent by the client and decrypted when it has been received by the server, and vice versa. Encrypting information will make it much more difficult for an attacker to retrieve confidential information. This can be performed by using either symmetric-key algorithms or asymmetric-key algorithms [11].

Digital Signatures: Like the handwritten signatures which are performed by the human hand, there is also something known as the digital signature. This signature verifies two important things. First, it checks whether the data comes from the original client, and secondly, it verifies whether the message has been modified between when it was sent and when it was received. This is a great advantage for e-commerce systems [11].

Digital Certificates: Digital signatures cannot handle the problem of attackers spoofing shoppers with a false web site (man-in-the-middle attack) to get information about the shopper. Therefore, using digital certificates will solve this problem. The shopper can with very high probability accept that the website is legitimate, since it is trusted by a third and more legitimate party. In addition, a digital certificate is not trusted permanently for unlimited time. Therefore one is responsible for checking whether the certificate is still valid or not [11].

Server Firewall: Unlike the personal firewall, there is also something known as the server firewall. The server firewall is a more advanced program which is set up by using a demilitarized zone (DMZ) technique [11]. In addition, it is also possible to use a honeypot server [11].

These preventions were some out of many in the real world. It is very important to make users aware, and for administrators to apply patches to all applications in use, to further protect their systems against attacks.
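The password guessing attack in section 4 and the "Setting a Safe Password" advice above describe the same thing from two sides: passwords built from birthdays, names or dictionary words are the first ones tried, so a merchant should refuse them at registration. The following Python is an added example, not code from the essay or from the cited sources: a policy check that rejects short passwords, passwords with too few character classes, dictionary words (including the usual digit-for-letter substitutions) and anything taken from the shopper's own profile. The word list, the profile fields and the thresholds are constructed assumptions; a real deployment would use a full common-password list.

```python
"""Check a shopper's chosen password against the advice in the Defence
section: length, mixed character classes, no dictionary words, nothing
tied to the shopper's own profile.

Added example, not code from the essay. The word list, the profile
fields and the thresholds are constructed assumptions.
"""
import re

# Constructed stand-in for a dictionary / most-common-passwords list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey"}

# Substitutions that do not make a dictionary word any stronger.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def personal_tokens(profile: dict) -> set:
    """Words and digit groups an attacker could read off the profile:
    names of 3+ letters, any 4+ digit run (a birth year), and for a
    yyyy-mm-dd date the day/month combinations."""
    tokens = set()
    for value in profile.values():
        tokens.update(w.lower() for w in re.findall(r"[A-Za-z]{3,}", value))
        digits = re.findall(r"\d+", value)
        tokens.update(d for d in digits if len(d) >= 4)
        if len(digits) == 3:                       # looks like a date
            y, m, d = digits
            tokens.update({m + d, d + m, y[-2:] + m + d})
    return tokens


def password_problems(password: str, profile: dict,
                      min_length: int = 12, common=COMMON_WORDS) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    lowered = password.lower()
    normalized = lowered.translate(LEET)           # 'P@ssw0rd' -> 'password'
    if any(w in lowered or w in normalized for w in common):
        problems.append("contains a dictionary word or common password")
    if any(t in lowered or t in normalized for t in personal_tokens(profile)):
        problems.append("contains personal information from the profile")
    return problems


if __name__ == "__main__":
    # Constructed shopper profile, as a registration form might hold it.
    profile = {"first_name": "Anna", "last_name": "Berg",
               "birthday": "1985-04-03", "child": "Emil"}
    for candidate in ("password123", "Anna1985!xyzQ", "P@ssw0rd-Welcome9",
                      "correct-horse-Battery9"):
        print(candidate, "->", password_problems(candidate, profile) or "accepted")
```

The check is a list of reasons rather than a single boolean so the registration page can tell the shopper what to change; the leet normalization is what stops "P@ssw0rd" from slipping past the dictionary rule.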
One could also analyze and monitor security logs, which is one big defence strategy, to see which traffic has occurred. Therefore it is important that administrators read their logs frequently and understand which parts have been hit, so that administrators can update their systems.

6. Conclusion

In this paper we first gave a brief overview of e-commerce and its applications, but our main attention and the aim of this paper was to present e-commerce security issues and the various attacks that can occur in e-commerce; we also described some of the defence mechanisms to protect e-commerce against these attacks. E-commerce has proven its great benefit for shoppers and merchants by reducing costs, but e-commerce security is still a challenge and a significant concern for everyone who is involved in e-commerce. E-commerce security does not belong only to technical administrators, but to everyone who participates in e-commerce: merchants, shoppers, service providers etc. Even though there are various technologies and mechanisms to protect e-commerce, such as user IDs and passwords, firewalls, SSL, digital certificates etc., we still need to be aware of and prepared for any possible attack that can occur in e-commerce.
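The advice in section 5 to read security logs frequently, taken together with the password guessing attack from section 4, suggests a concrete check an administrator can automate. The following Python is an added example, not code from the essay or from the cited sources: it parses a constructed authentication log (the addresses come from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) and raises an alert when one source fails repeatedly within a time window, or when one account fails from several different sources, which is how guessing looks when it is spread over many machines. The log format, the sample lines and the thresholds are assumptions.

```python
"""Read a shop's authentication log and flag password guessing.

Added example, not code from the essay. The log format, the sample lines
(documentation addresses only) and the thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source hammering one account, one user who
# simply mistyped once, and one account tried from several sources.
SAMPLE_LOG = """\
2019-04-03T10:15:01Z login FAIL user=alice src=203.0.113.7
2019-04-03T10:15:03Z login FAIL user=alice src=203.0.113.7
2019-04-03T10:15:04Z login FAIL user=alice src=203.0.113.7
2019-04-03T10:15:06Z login FAIL user=alice src=203.0.113.7
2019-04-03T10:15:09Z login FAIL user=alice src=203.0.113.7
2019-04-03T10:15:12Z login OK user=alice src=203.0.113.7
2019-04-03T10:20:00Z login FAIL user=bob src=198.51.100.2
2019-04-03T10:41:00Z login OK user=bob src=198.51.100.2
2019-04-03T11:00:00Z login FAIL user=carol src=198.51.100.10
2019-04-03T11:00:01Z login FAIL user=carol src=198.51.100.11
2019-04-03T11:00:02Z login FAIL user=carol src=198.51.100.12
2019-04-03T11:00:03Z login FAIL user=carol src=198.51.100.13
"""

LINE_RE = re.compile(r"^(\S+) login (OK|FAIL) user=(\S+) src=(\S+)$")


def parse_log(text: str) -> list:
    """Return (timestamp, outcome, user, src) tuples; malformed lines are
    skipped so that one odd line cannot stop the monitor."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, outcome, user, src = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), outcome, user, src))
    return events


def _peak(items: list, window: timedelta, measure) -> int:
    """items: (timestamp, value) pairs sorted by time. Slide a window of the
    given length over them and return the largest measure(values) seen."""
    best, start = 0, 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        best = max(best, measure([v for _, v in items[start:end + 1]]))
    return best


def find_guessing(events: list, per_source: int = 5, per_account_sources: int = 3,
                  window: timedelta = timedelta(minutes=10)) -> list:
    """Two rules: a single source with per_source failures inside the window
    (classic guessing from one machine), and a single account failing from
    per_account_sources distinct sources (guessing spread over machines)."""
    fails = sorted((ts, user, src) for ts, outcome, user, src in events if outcome == "FAIL")
    by_src, by_user = defaultdict(list), defaultdict(list)
    for ts, user, src in fails:
        by_src[src].append((ts, user))
        by_user[user].append((ts, src))
    alerts = []
    for src, hits in by_src.items():
        n = _peak(hits, window, len)
        if n >= per_source:
            alerts.append(("source", src, n))
    for user, hits in by_user.items():
        n = _peak(hits, window, lambda srcs: len(set(srcs)))
        if n >= per_account_sources:
            alerts.append(("account", user, n))
    return alerts


if __name__ == "__main__":
    for kind, key, count in find_guessing(parse_log(SAMPLE_LOG)):
        print(f"ALERT {kind}={key}: {count} within {timedelta(minutes=10)}")
```

Bob's single failure followed by a success twenty minutes later produces nothing, which is the behaviour you want from a monitor that administrators are supposed to read every day; the two rules together catch both the one-machine case and the distributed one that a per-source threshold alone would miss.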
