
Security of E-commerce


ethels

Presentation Transcript


  1. Security of E-commerce

  2. What is computer security? • Computer security in general refers to the protection of data, networks, computer programs, computer power, and other elements of computerized information systems.

  3. What is EC security? EC security involves: • prevention, or at least minimization, of web attacks • encryption of information • protection of users (customers, visitors, buyers)

  4. Security risks 2014 and 2015 (IBM, 2014) • Cyberespionage and cyberwars are growing threats. • Attacks are now also against mobile assets, including smartphones, tablets, and other mobile devices. Enterprise mobile devices are a particular target. • Attacks on social networks and social software tools. User-generated content is a major source of malware. • Attacks on BYOD ("Bring Your Own Device"). • Identity theft is exploding, increasing the criminal use of stolen identities. • Profit motive: as long as cybercriminals can make money, security threats and phishing attacks will continue to grow. • Social engineering tools such as phishing via e-mail are growing rapidly. • Cybergang consolidation: underground groups are multiplying and getting bigger, especially in Internet fraud and cyberwars. • Business-oriented spam (including image-based spam). • Attacks using spyware (e.g., using the Denial-of-Service method). • Attacks on new technologies such as cloud computing and virtualization. • Attacks on Web and mobile applications (apps).

  5. TYPES OF ATTACKS Cyber attacks can be classified into two major interrelated categories: • Corporate espionage. Many attacks target energy-related companies because their inside information is valuable (McAfee 2011). • Political espionage and warfare. Political espionage and cyberwars are increasing in magnitude.

  6. EC Security Requirements • Authentication is a process used to verify (assure) the real identity of an EC entity, which could be an individual, software agent, computer program, or EC website. • Authorization is the provision of permission to an authenticated person to access systems and perform certain operations in those specific systems. • Auditing. When a person or program accesses a website or queries a database, various pieces of information are recorded or logged into a file. The process of maintaining or revisiting the sequence of events during the transaction, when, and by whom, is known as auditing.

  7. • Availability. Assuring that systems and information are available to the user when needed. • Nonrepudiation. Closely associated with authentication is nonrepudiation, which is the assurance that online customers or trading partners will not be able to falsely deny (repudiate) their purchase, transaction, sale,

  8. Factors that convert consumers who browse online into consumers who buy online: • security • price • comparative information • searchability • ease of ordering • delivery time • product presentation

  9. Possible threats • hacking • viruses • denial of service

  10. Security is a complex problem (diagram of the elements involved): communication, HW, SW, security processes, personnel (internal and external employees, hackers), physical (fire, water…)

  11. Software and hardware security

  12. Technical security attack methods • Malware • Unauthorized access • Denial of Service • Spam and spyware • Hijacking servers • Botnets (malicious SW used to hijack a number of different computers) • Malvertising

  13. Non-technical threats • Phishing is a fraudulent process of acquiring confidential information, such as credit card or banking details, from unsuspecting computer users. • Pharming. Similarly to phishing, pharming is a scam where malicious code is installed on a computer and used to redirect victims to bogus websites without their knowledge or consent.

  14. Security and privacy elements • Authenticity • Integrity • Non-repudiation • Auditing • Confidentiality • Availability

  15. The methods by which a human can authenticate • Something the user is (e.g., fingerprint or retinal pattern, DNA sequence (there are assorted definitions of what is sufficient), voice pattern (again several definitions), signature recognition or other biometric identifier) • Something the user has (e.g., ID card, security token, software token or cell phone) (e.g. Digipass from VASCO, or RSA) • Something the user knows (e.g., a password, a pass phrase or a personal identification number (PIN))

  16. Example of security card and key

  17. Methods • Cryptography or cryptology is a field of mathematics and computer science concerned with information security and related issues, particularly encryption and authentication.

  18. Encryption and decryption (diagram): plain message → encryption → encrypted message, which is the transferred message that a nosy parker can observe → decryption → obtained message.

  19. The Ancient Greek scytale may have been one of the earliest devices used to implement a cipher.

  20. The Enigma machine, used by Germany in World War II, implemented a complex cipher to protect sensitive communications.

  21. Modern cryptography • Symmetric-key cryptography • Public-key cryptography

  22. Symmetric-key cryptography Symmetric-key algorithms are a class of algorithms for cryptography that use trivially related cryptographic keys for both decryption and encryption.

  23. SYMMETRIC KEY ENCRYPTION

  24. Public-key cryptography Public-key cryptography is a form of cryptography which generally allows users to communicate securely without having prior access to a shared secret key. This is done by using a pair of cryptographic keys, designated as the public key and the private key, which are related mathematically.

  25. Digital signatures (diagram): original text → hash function → signed with the secret key → signed document.

  26. Creating and verifying a digital signature:
  Sender: plain message → create digest (hash) from message → digest → encrypt digest using sender's private key → digital signature → encrypt digital signature + plain message using recipient's public key → transmit through the internet.
  Recipient: decrypt encrypted digital signature and encrypted message using recipient's private key → plain message + digital signature → decrypt digital signature using sender's public key → digest; create digest (hash) from the received message → digest; compare the two digests.
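The sign, seal, unseal and verify flow of slide 26, as an added example that is not part of the original presentation: textbook RSA on small constructed primes stands in for the sender's and recipient's key pairs, SHA-256 is the hash function, and only the signature is sealed with the recipient's public key because a toy RSA block cannot hold a whole message (real deployments use full-size keys, padding such as PSS/OAEP, and a symmetric cipher for the message body).

```python
import hashlib
from math import gcd

E = 65537  # conventional RSA public exponent

def make_keypair(p, q):
    # Textbook RSA from two primes; p and q here are small, constructed values
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(E, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (E, n), (pow(E, -1, phi), n)   # (public key, private key)

def digest(message: bytes, n: int) -> int:
    # Slide step "create digest (hash) from message", reduced below the modulus
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, sender_private) -> int:
    # Slide step "encrypt digest using sender's private key" -> digital signature
    d, n = sender_private
    return pow(digest(message, n), d, n)

def seal(signature: int, recipient_public) -> int:
    # Slide step "encrypt digital signature using recipient's public key"
    e, n = recipient_public
    return pow(signature, e, n)

def unseal(sealed: int, recipient_private) -> int:
    # Slide step "decrypt ... using recipient's private key"
    d, n = recipient_private
    return pow(sealed, d, n)

def verify(message: bytes, signature: int, sender_public) -> bool:
    # Slide steps "decrypt digital signature using sender's public key",
    # "create digest (hash) from message", then compare the two digests
    e, n = sender_public
    return pow(signature, e, n) == digest(message, n)

# Constructed keys: the sender's modulus is smaller than the recipient's, so a
# signature (an integer below the sender's n) fits in one recipient RSA block.
SENDER_PUB, SENDER_PRIV = make_keypair(104729, 1299709)
RECIP_PUB, RECIP_PRIV = make_keypair(15485863, 179424673)

def exchange(message: bytes, tampered: bytes = None) -> bool:
    # Sender side: hash, sign with own private key, seal for the recipient
    sealed = seal(sign(message, SENDER_PRIV), RECIP_PUB)
    # Recipient side: unseal with own private key, verify against what arrived
    received = tampered if tampered is not None else message
    return verify(received, unseal(sealed, RECIP_PRIV), SENDER_PUB)

if __name__ == "__main__":
    print(exchange(b"order #1234: 10 units"))                             # True
    print(exchange(b"order #1234: 10 units", b"order #1234: 100 units"))  # False
```

A mismatch between the recovered digest and the recomputed digest is how the recipient detects a message altered in transit or a signature not made with the sender's private key.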

  27. In cryptography, a certificate authority or certification authority (CA) is an entity which issues digital certificates for use by other parties. It is an example of a trusted third party. CAs are characteristic of many public key infrastructure (PKI) schemes.
