Updated - CH (1) Oo

Chapter 5 of the document discusses E-commerce Security and E-Payment Systems, highlighting the importance of protecting sensitive information from various security threats such as phishing, hacking, and data breaches. It covers essential dimensions of e-commerce security, including confidentiality, integrity, and authentication, as well as technology solutions like encryption and anti-virus software. Additionally, it outlines the e-commerce payment process and various payment methods available for online transactions.

Uploaded by

tahirfatima009

12/16/2024

E-Commerce Security
&
E-Payment System
Chapter # 5

E-Commerce Security & E-Payment System

1. The E-commerce Security Environment
2. Security Threats in the E-commerce Environment
3. Technology Solutions
4. E-Commerce Payment System


1. The E-commerce Security Environment

✓ The Value of Stolen Information
✓ Dimensions of E-commerce Security

The Value of Stolen Information


▪ Financial gain: Stolen data can be sold on underground markets or used directly for
financial fraud, benefiting the criminals who hold it.
▪ Identity theft: Personal information such as names, addresses, and Social Security
numbers can be used to impersonate individuals and commit further fraud.
▪ Corporate espionage: Stolen trade secrets or intellectual property can hurt businesses
and give competitors a strategic advantage.
▪ Ransom: Cybercriminals may encrypt data and demand payment (ransom) to restore
access, or threaten to publish stolen data unless they are paid.
▪ Reputation damage: For businesses, a data breach can result in loss of customer trust
and significant reputational harm.
▪ Legal consequences: Companies may face fines and legal challenges for failing to
protect sensitive data adequately.


Dimensions of E-commerce Security

▪ Confidentiality: Ensures that sensitive information (e.g., customer details, credit card data) is
kept private and not accessed by unauthorized parties, e.g. card details entered at checkout are
readable only by the merchant's payment processor, not by anyone watching the network.
▪ Integrity: Guarantees that data is not altered or tampered with during transactions, e.g. the
amount of an order cannot be changed in transit.
▪ Authentication: Verifies the identity of users, ensuring that only legitimate customers and
merchants can access the system.
▪ Non-repudiation: Ensures that neither the buyer nor the seller can deny that the transaction
occurred, providing legal proof of the exchange.
▪ Availability: Ensures that the e-commerce platform and its services are available and
operational for users whenever needed.
▪ Access Control: Manages who can view or use the platform and restricts unauthorized access.
▪ Encryption: Protects data during transmission between the customer and the platform using
encryption methods.
▪ Fraud Prevention: Uses tools like payment gateways, secure servers, and monitoring
systems to detect and prevent fraudulent activities.
▪ Compliance: Adheres to relevant laws and industry standards governing the handling of
customer and payment data.

2. Security Threats In The E-commerce Environment

✓ Malicious Code
✓ Potentially Unwanted Programs (PUPs)
✓ Phishing
✓ Hacking, Cyber Vandalism, and Hacktivism
✓ Data Breaches
✓ Credit Card Fraud/Theft
✓ The Marriott Data Breach
✓ Spoofing, Sniffing, Pharming, and Man-in-the-Middle Attacks
✓ Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks
✓ Insider Attacks
✓ Poorly Designed Software
✓ Social Network Security Issues
✓ Mobile Platform Security Issues


Malicious Code (Viruses)

Malicious Code (Malware) Virus:
▪ A malicious program that attaches copies of itself to legitimate files or programs and
spreads when those files are executed.
▪ It can corrupt files, steal data, or take control of a computer's functions.
Malicious code includes a variety of malware and delivery techniques: exploit kits, malvertising,
drive-by downloads, viruses, worms, Trojan horses, bots and botnets.

▪ Exploit Kit:
▪ A toolkit used by attackers to exploit vulnerabilities in software or browsers to gain
unauthorized access to a system. It runs its attacks automatically, without user
intervention (used in hacking).
▪ Malvertising:
▪ The use of online advertisements to spread malware, typically when the user clicks on
the ad.
▪ Malicious code is hidden within otherwise legitimate ads, redirecting users to infected
sites or triggering downloads of harmful software.
▪ Drive-by Download:
▪ Malware is downloaded to a user's device automatically, without their knowledge, when
they visit a compromised website. The user never chooses to download anything.

Malicious Code
▪ Worm:
▪ Self-replicating malware that spreads to other computers over a network without
needing a host file or any user action.
▪ Ransomware:
▪ Encrypts a user's data, rendering it inaccessible. Attackers demand
payment (ransom) in exchange for decrypting the data and restoring
access.
▪ Trojan Horse:
▪ Malicious software disguised as a legitimate program or file to trick users
into installing it. Once installed, it can give attackers access to the system
or enable other malicious activities.
▪ Bot:
▪ An infected computer that can be controlled remotely by an attacker. Bots are often
used to carry out automated tasks, like launching attacks or sending spam.
▪ Botnet:
▪ A network of infected computers (bots) controlled by a central attacker.


Potentially Unwanted Programs (PUPs)

Potentially Unwanted Program (PUP)
▪ Software that may not be outright malicious but is often installed without the user's
informed consent, typically bundled with another download.
▪ It can slow down the system.
▪ Adware:
▪ Automatically displays or downloads ads, often as pop-ups. It can reduce system
performance and track user behavior for targeted advertising.
▪ Browser Parasite:
▪ Attaches itself to the browser, changing settings like the homepage or default search
engine without user consent.
▪ Cryptojacking:
▪ Unauthorized use of a user's device to mine cryptocurrency. This can degrade device
performance, increase electricity usage, and damage hardware over time.
▪ Spyware:
▪ Software that secretly monitors user activities and collects sensitive information such as
login credentials or financial data. It can lead to identity theft, fraud, or data breaches.

Phishing
▪ Phishing:
▪ An attempt to obtain personal or financial information from individuals, usually by posing
as a legitimate website or organisation.
▪ Phishing attacks often arrive through fake emails, websites, or messages that appear
trustworthy, e.g. a fake bank login page that looks identical to the real one.
▪ Social Engineering:
▪ A tactic where attackers manipulate or deceive individuals into divulging confidential
information or performing specific actions.
▪ This can involve impersonating a colleague, customer, or authority figure to gain access
to private systems or data.
▪ BEC (Business Email Compromise):
▪ A targeted scam against businesses in which attackers gain unauthorized access to, or
convincingly spoof, business email accounts.
▪ Attackers impersonate senior executives or vendors, instructing employees to transfer
funds or share sensitive information, leading to significant financial and data loss.


Hacking, Cyber Vandalism, and Hacktivism

▪ Hacker: Someone who gains unauthorized access to computer systems or
networks. Hackers can have various motives, from exploring systems for fun or
learning to finding security vulnerabilities.

▪ Cracker: A type of hacker with malicious intent. Crackers break into systems to
steal, alter, or destroy data or to disrupt operations.

▪ Cyber Vandalism: The act of deliberately damaging or defacing websites or
digital property. This can include defacing web pages, spreading malware, or
deleting important data.

▪ Hacktivism: A form of activism where hackers use their skills to promote
political or social causes. Hacktivists often target governments and organisations to
expose information or disrupt services.

Data Breaches
▪ Data Breaches: A data breach occurs when unauthorized individuals gain
access to sensitive or confidential information. This can happen through
hacking, phishing, or other methods. The exposed data could include
personal details, financial information, or login credentials.

▪ Credential Stuffing: A type of cyberattack where attackers take usernames and
passwords stolen or leaked from one site and try them against accounts on
other websites. They use automated tools to try these combinations at scale,
exploiting the fact that many people reuse passwords across different sites.
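The credential-stuffing pattern described above can be told apart from a single-account brute force in ordinary login logs. The Python below is an added example and not part of the slides; the log lines are constructed, and the thresholds (at least 5 distinct usernames within 5 minutes from one source IP, at most 20% of attempts succeeding) are assumptions a site would tune to its own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events: (timestamp, source IP, username, outcome).
LOGIN_EVENTS = [
    ("2024-12-16 10:00:01", "203.0.113.7", "alice", "fail"),
    ("2024-12-16 10:00:02", "203.0.113.7", "bob", "fail"),
    ("2024-12-16 10:00:02", "203.0.113.7", "carol", "fail"),
    ("2024-12-16 10:00:03", "203.0.113.7", "dave", "fail"),
    ("2024-12-16 10:00:03", "203.0.113.7", "erin", "success"),   # a reused password hit
    ("2024-12-16 10:00:04", "203.0.113.7", "frank", "fail"),
    ("2024-12-16 10:00:05", "203.0.113.7", "grace", "fail"),
    ("2024-12-16 10:00:06", "203.0.113.7", "heidi", "fail"),
    # A legitimate user mistyping a password twice, then logging in.
    ("2024-12-16 10:01:00", "198.51.100.20", "alice", "fail"),
    ("2024-12-16 10:01:20", "198.51.100.20", "alice", "fail"),
    ("2024-12-16 10:01:40", "198.51.100.20", "alice", "success"),
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def find_credential_stuffing(events, window=timedelta(minutes=5),
                             min_users=5, max_success_ratio=0.2):
    """Flag source IPs that try many *different* usernames within `window`.

    Brute force against one account shows up as many failures for one user;
    credential stuffing shows up as roughly one attempt per user across many
    users, because each leaked username/password pair is tried only once.
    The thresholds are assumptions to be tuned per site.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((parse_ts(ts), user, outcome))

    suspects = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # slide the window so rows[start:end+1] spans at most `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users = {u for _, u, _ in span}
            successes = [u for _, u, o in span if o == "success"]
            if len(users) >= min_users and len(successes) / len(span) <= max_success_ratio:
                prev = suspects.get(ip)
                # keep the widest window seen for this IP
                if prev is None or len(users) > prev["distinct_users"]:
                    suspects[ip] = {"distinct_users": len(users),
                                    "attempts": len(span),
                                    "compromised": sorted(set(successes))}
    return suspects

if __name__ == "__main__":
    for ip, info in find_credential_stuffing(LOGIN_EVENTS).items():
        print(ip, info)
        # 203.0.113.7 {'distinct_users': 8, 'attempts': 8, 'compromised': ['erin']}
```

The "compromised" list is the actionable output: those accounts accepted a reused password and need a forced reset, while the source IP is a candidate for rate limiting or a CAPTCHA challenge rather than an outright block, since attackers rotate addresses.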


Credit card fraud/theft

▪ Unauthorized Transactions: Fraudsters use stolen credit card information to
make purchases without the cardholder's consent.
▪ Card Skimming: Devices are installed on card readers to capture card
information when a user swipes or inserts their card.
▪ Data Breaches: Cybercriminals access and steal credit card data from
compromised online stores or payment processors.
▪ Account Takeover: Attackers gain access to a user's e-commerce account
using stolen login credentials (for example via phishing or credential stuffing),
then use the card already saved on that account to make purchases.
▪ Fake Payment Sites: Fraudulent websites are created to collect credit card
details under the guise of legitimate payment processing.

Spoofing, Sniffing, Pharming, Man-in-the-Middle and Denial of Service Attacks

▪ Pharming: A malicious attack that redirects users from legitimate websites to a fraudulent
website without their knowledge, typically by tampering with DNS or the local hosts file.
▪ Sniffer: A tool that monitors and captures network traffic. It can be used to analyze data packets
travelling over a network, revealing sensitive information such as passwords or card numbers
if the traffic is not encrypted.
▪ Spoofing: A technique where an attacker forges an identity (an email sender address, an IP
address, or a website) to pose as a trusted party. It is often combined with sniffing or pharming
to make the deception convincing.
▪ Man-in-the-Middle (MitM) Attack: An attacker intercepts and potentially alters
communication between two parties without their knowledge. This can be used to inject
malicious content or to read and modify data in transit.
▪ Denial of Service (DoS) Attack: The attacker sends a large number of connection or information
requests to a target. The target system cannot handle the volume, so legitimate clients cannot
reach the website. It may result in a system crash or an inability to perform ordinary functions.
▪ Distributed Denial of Service (DDoS) Attack: A type of DoS attack where multiple systems
(often compromised devices, such as a botnet) are used to flood a target with requests, making
it even harder to mitigate and recover from.


Cryptography
▪ Cryptography: The field of study concerned with encoding information so that only
the intended parties can read it
▪ Encryption: The process of converting plaintext into ciphertext
▪ Decryption: The process of converting ciphertext into plaintext

▪ Public Key: Shared openly; the sender uses the receiver's public key to encrypt the message
▪ Private Key: Kept secret by the receiver and used to decrypt messages that were encrypted
with the matching public key

Cryptography
▪ Encryption: A process that converts readable data (plaintext) into an unreadable
format (ciphertext) to protect it from unauthorized access.
e.g. Converting the message "HELLO" into an unreadable form such as "FLOOR" using a
specific encryption method.
▪ Cipher Text: The encrypted output of an encryption process, which is intended
to be unreadable without the decryption key.
e.g. After applying a substitution cipher to the plaintext "HELLO", the ciphertext
might be "FLOOR".
▪ Substitution Cipher: A type of encryption where each letter or symbol in the
plaintext is replaced with another letter or symbol according to a fixed mapping.
e.g. "HELLO" becomes "FLOOR" (H→F, E→L, L→O, O→R).
▪ Transposition Cipher: An encryption method where the positions of letters or
symbols in the plaintext are rearranged according to a specific system, without
changing the letters themselves.
e.g. For the plaintext "FIND" and a transposition key that rearranges letters in a grid,
the message might be rearranged to "DFNI".


Encryption Keys
▪ Public Key: Shared openly and used by the sender to encrypt the message.
▪ Private Key: Kept secret by the receiver and used to decrypt the message.
▪ Symmetric key cryptography: both the sender and the receiver use the
same key to encrypt and decrypt the message.
▪ Asymmetric key cryptography: the sender and the receiver use
different keys (a public key to encrypt, the matching private key to decrypt).
▪ Data Encryption Standard (DES): developed by IBM and adopted as a US federal
standard with the involvement of the National Security Agency (NSA). Uses a 56-bit
key, which is far too short to be secure today.
▪ Advanced Encryption Standard (AES): the most widely used
symmetric key algorithm, offering 128-, 192-, and 256-bit keys.
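The public/private key roles in working form, as an added example rather than slide content: a textbook RSA key pair built from two small primes (toy values; real deployments use keys of thousands of bits plus a padding scheme such as OAEP or PSS) shows that what the public key encrypts only the private key can decrypt, and that a signature made with the private key and checked with the public key gives the non-repudiation property listed under the dimensions of e-commerce security. The primes, message and order strings are constructed.

```python
import hashlib
from math import gcd

def generate_keypair(p, q, e=65537):
    """Textbook RSA from two primes. TOY VALUES ONLY: real keys use primes of
    ~1024 bits or more and never encrypt raw integers without padding."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)          # (public key, private key)

def encrypt(m, public_key):
    """Sender side: anyone holding the public key can do this."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)

def decrypt(c, private_key):
    """Receiver side: only the holder of d can undo encrypt()."""
    n, d = private_key
    return pow(c, d, n)

def text_to_int(text):
    return int.from_bytes(text.encode(), "big")

def int_to_text(value):
    return value.to_bytes((value.bit_length() + 7) // 8, "big").decode()

def _digest_int(message, n):
    # sign a hash of the message, reduced into the modulus range
    return int.from_bytes(hashlib.sha256(message.encode()).digest(), "big") % n

def sign(message, private_key):
    """Signing is the mirror image of encryption: the private key transforms a
    hash of the message, and anyone with the public key can check it."""
    n, d = private_key
    return pow(_digest_int(message, n), d, n)

def verify(message, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message, n)

# Constructed demo primes (the 10,000th and 100,000th primes); not secure sizes.
PUBLIC, PRIVATE = generate_keypair(104729, 1299709)

if __name__ == "__main__":
    c = encrypt(text_to_int("PAY"), PUBLIC)
    print(int_to_text(decrypt(c, PRIVATE)))                 # PAY
    s = sign("order 1001: 49.99 USD", PRIVATE)
    print(verify("order 1001: 49.99 USD", s, PUBLIC))       # True
    print(verify("order 1001: 4.99 USD", s, PUBLIC))        # False: amount altered
```

Asymmetric operations are slow, so in practice (TLS included) the public key is used only to agree on a short symmetric key, and the bulk of the session is then encrypted with a symmetric algorithm such as AES.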

Hash Function
▪ Definition: A cryptographic hash function is a mathematical function used in
cryptography. Typical hash functions take inputs of variable length in any
data form and return outputs of a fixed length, usually shown in hexadecimal. It is a
one-way process, meaning you cannot reverse it to recover the original input.
▪ Purpose: Used to ensure data integrity. If even a tiny change is made to the
original data, the hash value changes drastically, but its length remains the same.

[Slide example: two inputs differing by one character produce completely different hashes of the same length.]
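A runnable illustration of both properties above (fixed length, drastic change from a tiny edit) using Python's standard library, added here and not taken from the slides; the order payload and key are constructed. It also shows the caveat a practitioner adds: a plain hash only detects accidental change, because an attacker who can alter the data can recompute the hash over the altered bytes, so integrity against an adversary needs a keyed hash (HMAC) whose key the attacker does not have.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    """Plain hash: same length for any input; a one-byte change gives an
    unrelated digest."""
    return hashlib.sha256(data).hexdigest()

def differing_bits(hex_a: str, hex_b: str) -> int:
    """How many of the 256 digest bits differ between two SHA-256 outputs."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def verify_plain(payload: bytes, digest: str) -> bool:
    """Unkeyed check: catches accidental corruption only."""
    return hmac.compare_digest(sha256_hex(payload), digest)

def tag_order(payload: bytes, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only a holder of the key can produce it."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def verify_order(payload: bytes, tag: str, key: bytes) -> bool:
    # compare_digest runs in constant time, so the comparison itself does not
    # leak how many leading characters of a guessed tag were right.
    return hmac.compare_digest(tag_order(payload, key), tag)

# Constructed sample data: an order payload, the same payload with one digit
# removed from the amount, and a demo key (a real key comes from a secret store).
ORDER = b"order_id=1001&amount=49.99&currency=USD"
TAMPERED = b"order_id=1001&amount=4.99&currency=USD"
KEY = b"demo-key-not-for-production"

if __name__ == "__main__":
    a, b = sha256_hex(ORDER), sha256_hex(TAMPERED)
    print(len(a), len(b), differing_bits(a, b))   # 64 64 and roughly half of 256 bits differ
    # A bare hash shipped next to the data is no protection against tampering:
    # the attacker edits the amount and recomputes sha256 over the edited bytes.
    print(verify_plain(TAMPERED, sha256_hex(TAMPERED)))       # True: forgery accepted
    # With a key, the attacker cannot produce a valid tag for the edited payload.
    tag = tag_order(ORDER, KEY)
    print(verify_order(ORDER, tag, KEY), verify_order(TAMPERED, tag, KEY))  # True False
```

The same distinction applies to downloads: a checksum published on the same server as the file proves only that the download was not corrupted, while a signature or HMAC proves who produced it.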


Anti-virus software
▪ Anti-Virus Software: A program designed to detect, prevent, and remove
malware.
▪ Function: Scans files and programs for known viruses and other malware
(e.g., worms, trojans) by matching them against signatures.
▪ Real-time protection: Continuously monitors system activity to block
threats as they appear.
▪ Heuristic analysis: Detects new, unknown malware by looking for suspicious
code patterns or behaviour rather than a known signature.
▪ Regular updates: Requires frequent updates to keep the database of
malware signatures current.
▪ Full & quick scans: Can run comprehensive or targeted scans depending on
system needs.

4. E-Commerce Payment System

Electronic Funds Transfer (EFT): the electronic movement of money between accounts,
the mechanism underlying most online payment methods.


What are ecommerce payment methods?

▪ There are multiple ways customers can pay for goods and services when
shopping online:
• Credit cards;
• Debit cards;
• Digital wallets;
• Mobile payments;
• buy now, pay later (BNPL) options; and
• Cryptocurrency.

▪ Offering a variety of payment options to accommodate customers' needs and
preferences is necessary to create a competitive and conversion-optimized
ecommerce presence. With a growing number of payment providers and platforms
available, businesses must carefully consider their options when choosing a suitable
ecommerce payment method.

Types of payment methods in e-commerce


Ecommerce payment processing: step-by-step

▪ Customer places order
The customer browses the online store, selects products, adds them to the cart, and proceeds to
checkout.
▪ Customer enters payment information
At checkout, the customer enters their payment information, such as credit or debit card
details, into the payment gateway provided by the online store.
▪ Payment authorization
The payment gateway sends the payment information to the payment processor, which
verifies it with the customer's bank or card issuer and requests authorization for the amount.
▪ Payment approval
If the payment information is verified and authorized, the payment processor sends an
approval message to the payment gateway, which then notifies the online store.
▪ Order confirmation
Once the payment has been approved, the online store confirms the customer's order and
sends a confirmation message to the customer.
▪ Settlement
The payment processor settles the payment into the merchant's bank account, typically in a
later batch.
▪ Payment reconciliation
The online store reconciles the payment with the order and ensures that the amount settled
matches the order amount.
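The steps above as a small simulation, added here and not part of the slides: the gateway is a stub standing in for a real gateway and processor (not any provider's API), and the catalog, card tokens and order are constructed. It shows two checks the flow depends on that the step list leaves implicit: the server prices the order itself and rejects a total the browser sends that does not match (the classic price-tampering bug in e-commerce checkouts), and authorization is idempotent so a retried request cannot charge the card twice.

```python
import uuid
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Optional, Tuple

# Constructed catalog: the server's own prices, the only ones ever used.
CATALOG = {"sku-100": Decimal("19.99"), "sku-200": Decimal("5.00")}

@dataclass
class Order:
    order_id: str
    items: Dict[str, int]
    total: Decimal
    status: str = "created"
    auth_id: Optional[str] = None
    authorized_amount: Optional[Decimal] = None

class StubGateway:
    """Stands in for the payment gateway + processor; not a real provider's API."""
    def __init__(self):
        self.authorizations: Dict[str, Tuple[str, Decimal]] = {}

    def authorize(self, card_token: str, amount: Decimal, idempotency_key: str):
        # The same key again (network retry, double click) returns the original
        # authorization instead of charging the card a second time.
        if idempotency_key in self.authorizations:
            return self.authorizations[idempotency_key]
        if card_token == "tok_declined":          # constructed "issuer declined" token
            return None
        result = ("auth_" + uuid.uuid4().hex[:8], amount)
        self.authorizations[idempotency_key] = result
        return result

def create_order(items: Dict[str, int], client_claimed_total: str) -> Order:
    """Step 1: price the order from the catalog on the server. The total the
    browser submits is compared for consistency but never used as the amount."""
    total = sum((CATALOG[sku] * qty for sku, qty in items.items()), Decimal("0"))
    if Decimal(client_claimed_total) != total:
        raise ValueError(f"client total {client_claimed_total} does not match server total {total}")
    return Order(order_id=uuid.uuid4().hex[:8], items=items, total=total)

def checkout(order: Order, card_token: str, gateway: StubGateway) -> str:
    """Steps 2-5: send the server-side amount for authorization, record the
    approval, then confirm (or decline) the order."""
    result = gateway.authorize(card_token, order.total, idempotency_key=order.order_id)
    if result is None:
        order.status = "declined"
    else:
        order.auth_id, order.authorized_amount = result
        order.status = "confirmed"
    return order.status

def reconcile(order: Order) -> bool:
    """Step 7: a confirmed order must carry an authorization for exactly its amount."""
    return order.status == "confirmed" and order.authorized_amount == order.total

if __name__ == "__main__":
    gw = StubGateway()
    order = create_order({"sku-100": 2, "sku-200": 1}, client_claimed_total="44.98")
    print(checkout(order, "tok_visa_demo", gw), reconcile(order))   # confirmed True
    try:
        create_order({"sku-100": 2}, client_claimed_total="0.01")    # price tampering
    except ValueError as exc:
        print("rejected:", exc)
```

Real gateways expose the card only as a token, as the stub does, so the merchant never stores the card number itself; reconciliation in production also compares against the processor's settlement report rather than the merchant's own record alone.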
