Chapter 3
E-commerce Security
Syllabus
3.1 E-commerce security environment
3.2 Security threats in E-com environment
3.3 Malicious code and unwanted programs
3.4 Hacking and cyber vandalism
3.5 Credit card fraud/Theft
3.1 E-commerce Security Environment
• Definition: The set of measures and protocols used to protect online business
transactions.
• Key Aspects:
o Confidentiality: Ensuring data privacy.
o Integrity: Ensuring data is not altered.
o Availability: Ensuring access to services.
o Authenticity & Non-repudiation: Confirming user identity and action
accountability.
• Technologies used: SSL/TLS, firewalls, encryption, two-factor authentication (2FA).
3.2 Security Threats in E-commerce Environment
E-commerce platforms face a wide range of security threats due to the online handling of sensitive
data like personal information, credit card numbers, and transaction records. These threats can
compromise confidentiality, integrity, and availability of data and services, leading to financial loss
and damage to reputation.
Here are the main types of security threats in the e-commerce environment:
1. Phishing Attacks
• Description: Fraudulent emails or websites that mimic legitimate businesses to steal login
credentials or financial data.
• Example: Fake order confirmation emails trick users into clicking malicious links.
2. Malware Infections
• Description: Malicious software such as viruses, trojans, spyware, or ransomware that
infiltrates systems.
• Impact: Can steal data, spy on user activity, or lock systems for ransom.
3. Data Breaches
• Description: Unauthorized access to sensitive customer data such as names, addresses, and
payment information.
• Consequence: Identity theft, legal liabilities, and loss of consumer trust.
4. SQL Injection
• Description: Attackers insert malicious SQL queries into input fields to access or manipulate
the database.
• Effect: Allows unauthorized viewing or deletion of data.
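An added example, not part of the original notes, showing why bound parameters defeat this attack: the same malformed input is run through a concatenated query and a parameterised one against a constructed in-memory SQLite table (Python's standard sqlite3 module; the table, rows and input value are constructed for illustration).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory customer table standing in for a shop database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.com", "1111"), (2, "bob@example.com", "2222")],
    )
    return conn


def find_customer_unsafe(conn: sqlite3.Connection, email: str) -> list:
    # Vulnerable: the input field is pasted into the SQL text, so a quote in the
    # input changes the structure of the query instead of being compared as data.
    query = f"SELECT id, email FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def find_customer_safe(conn: sqlite3.Connection, email: str) -> list:
    # Hardened: a bound parameter is always treated as a value, never as SQL,
    # so the same input simply matches no customer.
    query = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


# Constructed sample of a malformed login field: a closing quote followed by
# an always-true condition.
TAINTED_INPUT = "' OR '1'='1"


def compare(email: str = TAINTED_INPUT) -> tuple:
    """Return (row count from the unsafe query, row count from the safe query)."""
    conn = make_db()
    return (len(find_customer_unsafe(conn, email)), len(find_customer_safe(conn, email)))


if __name__ == "__main__":
    print(compare())  # (2, 0): the concatenated query returned every customer
```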
5. Cross-site Scripting (XSS)
• Description: Injecting malicious scripts into web pages viewed by other users.
• Goal: Steal cookies, session tokens, or redirect users to malicious sites.
6. Man-in-the-Middle (MitM) Attacks
• Description: Interception of data exchanged between a user and an e-commerce site.
• Effect: Data like login credentials or payment info can be captured and misused.
7. Insider Threats
• Description: Employees or partners with access to internal systems misusing their privileges.
• Risk: Deliberate data leaks, fraud, or sabotage.
8. Denial of Service (DoS) Attacks
• Description: Flooding the website with traffic to crash or slow it down, preventing users from
accessing it.
9. Fake Websites & Spoofing
• Description: Creation of fake e-commerce sites that look real to trick users into entering
sensitive data.
• Result: Theft of credit card info or login credentials.
10. Payment Fraud
• Description: Use of stolen or fake credit cards to make purchases.
• Tools Used: Bots or scripts to test stolen card numbers.
3.3 Malicious Code and Unwanted Programs in E-commerce
Malicious code and unwanted programs are types of software designed to harm, exploit, or
otherwise compromise the integrity and security of an e-commerce environment. They can enter
systems through emails, downloads, fake ads, or insecure websites, often without the user's
knowledge.
🔐 1. Malicious Code (Malware)
Malicious code refers to any code that is intentionally harmful to a computer system. It is typically
used to steal data, disrupt operations, or gain unauthorized access.
Types of Malicious Code:
• Viruses: Attach to files and spread when files are shared or opened; can corrupt or delete data.
• Worms: Self-replicating programs that spread across networks without needing a host file.
• Trojans: Disguised as legitimate software; once installed, they can steal information or open backdoors.
• Ransomware: Locks or encrypts data and demands payment to unlock it.
• Spyware: Secretly monitors user activity and sends information to attackers.
• Adware: Unwanted software that displays pop-up ads or redirects browser searches.
🛑 2. Unwanted Programs (Potentially Unwanted Programs – PUPs)
These programs are not always malicious, but they negatively affect system performance or invade
user privacy.
Examples of Unwanted Programs:
• Toolbars and browser hijackers: Modify browser settings without consent.
• Fake antivirus software: Tricks users into buying unnecessary or harmful software.
• Bloatware: Unnecessary pre-installed software that slows down systems.
Impacts on E-commerce Systems
• Data theft: Sensitive customer and payment information can be stolen.
• System slowdown: Performance degradation affects the shopping experience.
• Downtime: Ransomware or worms can take down entire e-commerce operations.
• Reputation damage: Customers may lose trust in a platform affected by malware.
Prevention and Protection
• Use updated antivirus and anti-malware software.
• Regularly patch and update systems.
• Educate users about safe browsing and phishing emails.
• Implement network firewalls and intrusion detection systems.
• Use code scanning tools during software development.
3.4 Hacking and Cyber Vandalism in E-commerce
Both hacking and cyber vandalism are serious threats in the e-commerce environment, targeting
systems, data, and digital assets. While they share similarities, they differ in their purpose and
methods.
🔓 1. Hacking
Definition:
Hacking refers to the unauthorized access to or control over computer systems, networks, or data,
usually with malicious intent.
Motives:
• Stealing customer or financial data
• Disrupting services
• Gaining competitive advantage
• Spreading malware or ransomware
• Conducting fraud or identity theft
Types of Hackers:
• Black Hat: Malicious hackers
• White Hat: Ethical hackers (for security testing)
• Grey Hat: May break rules, but not with bad intent
Common Hacking Techniques:
• SQL Injection: Inserting malicious SQL code to access databases.
• Phishing: Trick users into revealing credentials.
• Brute Force Attacks: Trying many passwords until the correct one is found.
• Session Hijacking: Taking over a user's session to impersonate them.
• Backdoors: Hidden access paths created by hackers to return later.
🎨 2. Cyber Vandalism
Definition:
Cyber vandalism is the act of damaging or defacing digital content or systems, typically to cause
disruption, embarrassment, or spread a message.
Examples in E-commerce:
• Defacing a website’s homepage with offensive or political content.
• Posting fake or harmful messages on product pages.
• Modifying product prices or information.
• Destroying databases or deleting content.
Motives:
• Political or ideological statements (hacktivism)
• Revenge or personal grudge
• Pranks or attention-seeking behavior
• Competitor sabotage
Impacts on E-commerce
• Loss of customer trust
• Financial damage
• Legal liabilities
• Operational downtime
• Brand reputation damage
Protection Strategies
• Regular security audits and vulnerability assessments
• Implementing strong access controls and multi-factor authentication
• Using firewalls and intrusion detection systems
• Keeping software and plugins up to date
• Monitoring logs for unusual activity
3.5 Credit Card Fraud/Theft in E-commerce
Credit card fraud or theft in e-commerce refers to the unauthorized use of a credit or debit card
to make purchases or withdraw funds online. It's one of the most common and damaging types of
cybercrime in online retail.
💳 What Is Credit Card Fraud?
It occurs when someone uses another person’s card information without their permission to:
• Make purchases
• Withdraw cash
• Steal personal identity
In e-commerce, this typically happens in "card-not-present" (CNP) transactions, where the physical
card is not required.
Common Methods of Credit Card Theft
• Phishing: Fraudulent emails or websites trick users into giving card details.
• Data Breaches: Hackers steal card info from poorly secured databases.
• Skimming: Card info is copied using devices attached to ATMs or card readers (less common in online fraud but used to collect data).
• Keylogging: Malware records keystrokes to capture card numbers and CVV codes.
• Fake E-commerce Sites: Imitation websites collect card details without delivering products.
• Credential Stuffing: Using stolen login details from one site to access another (if users reuse passwords).
💥 Impact of Credit Card Fraud
• Consumers: Financial loss, damaged credit scores, and emotional stress.
• Businesses: Chargebacks (refunds forced by banks), loss of goods, reputational harm, legal
penalties.
Preventive Measures
For Businesses:
• Use PCI-DSS compliant payment gateways.
• Implement tokenization and encryption to secure card data.
• Require CVV verification and address verification systems (AVS).
• Monitor transactions for suspicious behavior (e.g., large orders from new customers,
mismatched billing/shipping).
• Deploy 3D Secure authentication (e.g., Verified by Visa, MasterCard SecureCode).
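An added example, not from the original notes, turning the transaction-monitoring rules above into a scoring function: a failed CVV check, an AVS mismatch, differing billing and shipping countries and a large order from a new account each add weight, and the total decides approve, review or decline. The weights, thresholds and sample orders are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    amount: float
    customer_age_days: int   # days since the customer account was created
    cvv_matched: bool        # CVV result reported by the payment gateway
    avs_result: str          # AVS result: "match", "partial" or "mismatch"
    billing_country: str
    shipping_country: str


# Weights and thresholds are assumptions for illustration; a merchant tunes
# them against its own chargeback history.
NEW_CUSTOMER_DAYS = 30
LARGE_ORDER_AMOUNT = 500.0
REVIEW_THRESHOLD = 50
DECLINE_THRESHOLD = 80


def score_order(order: Order) -> tuple[int, list[str]]:
    """Sum the weights of the rules that fire and record which ones did."""
    checks = [
        (not order.cvv_matched, 40, "CVV check failed"),
        (order.avs_result == "mismatch", 30, "AVS address mismatch"),
        (order.avs_result == "partial", 10, "AVS partial match"),
        (order.billing_country != order.shipping_country, 20, "billing/shipping country differ"),
        (order.customer_age_days < NEW_CUSTOMER_DAYS and order.amount >= LARGE_ORDER_AMOUNT,
         40, "large order from a new customer"),
    ]
    fired = [(weight, why) for hit, weight, why in checks if hit]
    return sum(weight for weight, _ in fired), [why for _, why in fired]


def decide(order: Order) -> str:
    score, _ = score_order(order)
    if score >= DECLINE_THRESHOLD:
        return "decline"
    return "manual_review" if score >= REVIEW_THRESHOLD else "approve"


# Constructed sample orders: a regular shopper, a new account placing a large
# order, and an order that fails every check.
SAMPLE_ORDERS = [
    Order("A1", 49.99, 400, True, "match", "US", "US"),
    Order("A2", 899.00, 2, True, "partial", "US", "US"),
    Order("A3", 1200.00, 1, False, "mismatch", "US", "DE"),
]


def screen(orders=SAMPLE_ORDERS) -> dict[str, str]:
    """Map each order id to the decision the rules produce for it."""
    return {o.order_id: decide(o) for o in orders}
```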
For Consumers:
• Shop only on secure websites (look for https://).
• Use virtual cards or digital wallets for online shopping.
• Enable transaction alerts and regularly check statements.
• Never share card details via email or phone.
🔄 What Happens After Fraud?
• Victims can report to the bank and request a chargeback.
• Businesses often bear the financial cost of the fraud.
• Legal action may be taken if the fraudster is identified.
Spoofing in E-commerce
Spoofing is a type of cyberattack where a malicious party pretends to be a trusted source to
deceive users or systems. In the e-commerce environment, spoofing is used to trick users into giving
away sensitive information like passwords, credit card numbers, or to redirect them to fake websites.
🎭 What Is Spoofing?
Spoofing involves faking the identity of a website, email, phone number, or IP address to appear
legitimate. The goal is to:
• Steal personal or financial information
• Install malware
• Bypass security controls
• Conduct fraud
Types of Spoofing in E-commerce
• Email Spoofing: Fake emails appear to come from legitimate companies (e.g., online stores or payment gateways). Often used in phishing scams.
• Website Spoofing: Fake websites that look identical to real e-commerce sites to steal login or payment details.
• IP Spoofing: Attackers send data from a forged IP address to bypass firewalls or perform DDoS attacks.
• Caller ID Spoofing: Fraudsters pretend to be customer service representatives to gain customer trust over the phone.
• DNS Spoofing: Redirects users from a legitimate domain to a malicious one by corrupting DNS records.
🚨 Real-World Example
A user receives an email claiming to be from "Amazon" asking them to verify a recent purchase. The
email contains a link that opens a fake website mimicking Amazon’s login page. If the user enters
their credentials, attackers gain full access to their account.
Risks of Spoofing in E-commerce
• Identity theft
• Financial fraud
• Loss of customer trust
• Reputational damage
• Legal issues and compliance failures
Prevention Measures
For Businesses:
• Implement email authentication protocols (SPF, DKIM, DMARC).
• Use SSL certificates to ensure secure connections (https://).
• Monitor for fake versions of your website (brand protection tools).
• Educate staff and customers to recognize spoofing attempts.
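An added example, not from the original notes, of how a receiving mail server applies a store's published DMARC record to a message that claims to come from that store: the message passes only if the SPF or DKIM result aligns with the visible From domain, otherwise the p= policy is applied. The domain shop.example, its record and the three scenarios are constructed, and relaxed alignment is approximated with a suffix test rather than a Public Suffix List lookup.

```python
def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs, applying defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment is the default
    tags.setdefault("aspf", "r")   # relaxed SPF alignment is the default
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ("s") needs an exact match; relaxed ("r") also accepts a subdomain.
    Assumption: relaxed alignment is approximated with a suffix test instead of
    the Public Suffix List lookup used by production implementations."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return a == f or a.endswith("." + f) or f.endswith("." + a)


def dmarc_disposition(record: str, from_domain: str, spf_result: str,
                      spf_domain: str, dkim_result: str, dkim_domain: str) -> str:
    """Return "pass" if SPF or DKIM passes *and* aligns with the visible From
    domain; otherwise return the policy the domain owner published."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    return "pass" if spf_ok or dkim_ok else tags["p"]


# Constructed record for the illustrative store domain shop.example
SHOP_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@shop.example"

# Constructed scenarios: (From domain, SPF result, SPF domain, DKIM result, DKIM d= domain)
SCENARIOS = {
    "genuine order mail": ("shop.example", "pass", "mail.shop.example", "pass", "shop.example"),
    "spoofed From, attacker-controlled SPF": ("shop.example", "pass", "bulk-sender.example", "fail", ""),
    "DKIM signed by subdomain under strict": ("shop.example", "fail", "shop.example", "pass", "mail.shop.example"),
}


def evaluate_all() -> dict[str, str]:
    """Disposition the receiver reaches for each constructed scenario."""
    return {name: dmarc_disposition(SHOP_DMARC, *args) for name, args in SCENARIOS.items()}
```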
For Consumers:
• Never click on suspicious links in emails or texts.
• Always check the URL before entering login or payment info.
• Use multi-factor authentication (MFA) for added account security.
• Report suspicious messages to the legitimate company.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) in E-commerce
Both DoS and DDoS attacks are serious threats to e-commerce platforms, targeting the availability of
services. These attacks aim to overload and crash online systems, making them inaccessible to
legitimate users—causing loss of sales, reputation damage, and customer dissatisfaction.
🛑 1. Denial of Service (DoS)
Definition:
A DoS attack is when an attacker floods a server or network with excessive traffic or requests,
consuming all resources and preventing legitimate users from accessing the service.
How It Works:
• A single machine sends repeated requests to the server.
• The server becomes overloaded and stops responding to valid requests.
Impact on E-commerce:
• Slow website performance
• Crashed servers
• Inability to process orders or payments
• Lost revenue and trust
🌐 2. Distributed Denial of Service (DDoS)
Definition:
A DDoS attack is a more powerful version of DoS, where multiple devices (often part of a botnet)
are used to simultaneously flood a target with traffic.
How It Works:
• Hackers infect thousands of computers with malware to form a botnet.
• All infected devices send traffic to the e-commerce site at the same time.
• The site becomes overwhelmed and goes offline.
Why It’s More Dangerous:
• Harder to block: traffic comes from many different IP addresses.
• More scalable and sophisticated.
• Often used for ransom (pay to stop the attack) or as a distraction for other breaches.
📉 Consequences of DoS/DDoS in E-commerce
• Downtime: Website goes offline during peak traffic.
• Revenue loss: Inability to complete transactions.
• Customer frustration: Shoppers leave the site.
• Damage to reputation: Perception of being insecure or unreliable.
• Higher operational costs: Response and mitigation efforts.
🛡️ Prevention and Mitigation
• Firewalls & Intrusion Detection: Blocks known attack patterns.
• Rate Limiting: Limits the number of requests per user.
• CDNs (e.g., Cloudflare, Akamai): Absorb and spread traffic loads to prevent overload.
• DDoS Protection Services: Specialized tools to detect and filter malicious traffic.
• Redundant Infrastructure: Backup servers and distributed resources help reduce the impact.
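An added example, not from the original notes, of the rate-limiting measure above: a per-client token bucket replayed over a constructed request log in which one shopper browses normally and one source sends a burst. The addresses, rate and capacity are constructed for illustration.

```python
from collections import defaultdict


class TokenBucket:
    """Per-client token bucket: `rate` tokens per second, bursts up to `capacity`."""

    def __init__(self, rate: float, capacity: int):
        self.rate, self.capacity = rate, capacity
        self.tokens: dict[str, float] = defaultdict(lambda: float(capacity))
        self.last_seen: dict[str, float] = {}

    def allow(self, client: str, now: float) -> bool:
        """Refill tokens for the elapsed time, then spend one if available."""
        elapsed = now - self.last_seen.get(client, now)
        self.tokens[client] = min(self.capacity, self.tokens[client] + elapsed * self.rate)
        self.last_seen[client] = now
        if self.tokens[client] >= 1.0:
            self.tokens[client] -= 1.0
            return True
        return False  # over the limit: reject (e.g. HTTP 429) instead of serving


# Constructed request log as (timestamp in seconds, client address): one shopper
# clicking every half second, and one source firing 30 requests in under 0.1 s.
REQUESTS = [(i * 0.5, "203.0.113.10") for i in range(8)] + \
           [(1.0 + i * 0.003, "198.51.100.7") for i in range(30)]


def apply_limit(requests=REQUESTS, rate=2.0, capacity=5) -> dict[str, dict[str, int]]:
    """Replay the log through the limiter and count decisions per client."""
    limiter = TokenBucket(rate, capacity)
    stats: dict[str, dict[str, int]] = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for ts, client in sorted(requests):
        stats[client]["allowed" if limiter.allow(client, ts) else "rejected"] += 1
    return dict(stats)
```

Per-address limiting is most effective against a single-source flood; a botnet spreads its traffic across many addresses, which is why the list also includes CDNs and DDoS protection services.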
Key Difference:
• Sources: DoS comes from one source; DDoS comes from multiple sources (botnet).
• Tracing: DoS is easier to trace; DDoS is harder to detect and stop.
• Intensity: DoS is less intense; DDoS is more severe and disruptive.