E-Commerce & Bank Security By: Mark Reed COSC 480

Outline Introduction Introduction Definition Definition Security Challenges Security Challenges Security Terms Security Terms Common Threats Common Threats Security Practices Security Practices Protecting Yourself Protecting Yourself

Introduction “Total eCommerce sales for 2006 were estimated at $108.7 billion. This represents an increase of 23.5% over 2005,” according to the U.S. Census Bureau’s E-Commerce Survey. “Total eCommerce sales for 2006 were estimated at $108.7 billion. This represents an increase of 23.5% over 2005,” according to the U.S. Census Bureau’s E-Commerce Survey.

What is Security? Dictionary Definition: Protection or defense against attack, interference, espionage, etc. Dictionary Definition: Protection or defense against attack, interference, espionage, etc. Computer Science Classification: Computer Science Classification: Confidentiality – protecting against unauthorized data disclosure Confidentiality – protecting against unauthorized data disclosure Integrity – preventing unauthorized modification Integrity – preventing unauthorized modification Availability – preventing data delays or denials Availability – preventing data delays or denials

Security Challenges

Security Terms Authentication – originator can be verified Authentication – originator can be verified Integrity – information has not been altered by an unauthorized person or process Integrity – information has not been altered by an unauthorized person or process Non-repudiation – proof of participation by the sender and/or receiver of a transmission Non-repudiation – proof of participation by the sender and/or receiver of a transmission Privacy – individual rights to nondisclosure Privacy – individual rights to nondisclosure

Threats Social Engineering – mislead the end user Social Engineering – mislead the end user Man-in-the-middle – listen between client/sever Man-in-the-middle – listen between client/sever Man-in-the-browser – redirect end-user to counterfeit sites to steal credentials Man-in-the-browser – redirect end-user to counterfeit sites to steal credentials

Threats Cont. Malware – poison hosts file and/or DNS to re- direct the user to counterfeit sites Malware – poison hosts file and/or DNS to re- direct the user to counterfeit sites Trojan Proxy – http redirector that re-directs all traffic to a Proxy and sends to the attacker Trojan Proxy – http redirector that re-directs all traffic to a Proxy and sends to the attacker

Malware/Phishing Attack Poisoning the hosts file to re-direct entries Poisoning the hosts file to re-direct entries

Spam “Spam accounts for 9 out of every 10 s in the United States.” “Spam accounts for 9 out of every 10 s in the United States.” MessageLabs, Inc. MessageLabs, Inc. Main source of phishing attacks Main source of phishing attacks Not a secure transmission method Not a secure transmission method

Ecommerce Architecture Support for peak access times Support for peak access times Replication and mirroring to avoid denial of service attacks Replication and mirroring to avoid denial of service attacks Security of web pages through certificates and network architecture to avoid spoofing attacks Security of web pages through certificates and network architecture to avoid spoofing attacks

Security Challenges Client side security Client side security Prevent unauthorized access to stored information Prevent unauthorized access to stored information Sever-side security Sever-side security Prevent unauthorized access while allowing authorized user to connect Prevent unauthorized access while allowing authorized user to connect Application and Database server security Application and Database server security Use security layers between the servers Use security layers between the servers

Client Side Security Protect information stored on the client system Protect information stored on the client system Use of digital signatures and encryption can reduce non-repudiation security attacks Use of digital signatures and encryption can reduce non-repudiation security attacks Communication security such as secure HTTP Communication security such as secure HTTP

Server-side Security Place application and database server behind a firewall in a demilitarized zone (DMZ) Place application and database server behind a firewall in a demilitarized zone (DMZ) Do not store sensitive information such as credit card numbers and SSN on web servers Do not store sensitive information such as credit card numbers and SSN on web servers Turn off all unnecessary services and block any unused ports Turn off all unnecessary services and block any unused ports

Application & Database Security Application server should shield that database server from direct contact with web servers Application server should shield that database server from direct contact with web servers Database servers should be completely isolated from the internet and any other unsecure server Database servers should be completely isolated from the internet and any other unsecure server User passwords when retrieving sensitive information from the database server User passwords when retrieving sensitive information from the database server

Company Security Precautions Defense-in-depth strategies that use multiple, overlapping and mutually supportive systems Defense-in-depth strategies that use multiple, overlapping and mutually supportive systems Antivirus, firewall, and intrusion detection/prevention Antivirus, firewall, and intrusion detection/prevention Update software patches on public systems Update software patches on public systems Block possible harmful attachment exts. Block possible harmful attachment exts.

Security Strengthening Multi-layer protection approaches Multi-layer protection approaches Secret image authentication Secret image authentication Using hardware authentication (serial number) Using hardware authentication (serial number)

Amazon PayPhrase

Avoid Security Threats Do not provide passwords, account numbers, or other personal information through Do not provide passwords, account numbers, or other personal information through Do not trust links in s or on websites Do not trust links in s or on websites Check for the lock icon in the address bar of your browser Check for the lock icon in the address bar of your browser

Secure Your PC Maintain up-to-date antivirus, spyware and firewall protection Maintain up-to-date antivirus, spyware and firewall protection Keep your operating system and applications up-to-date with security patches Keep your operating system and applications up-to-date with security patches Avoid transaction at wireless hotspots Avoid transaction at wireless hotspots

Conclusion Introduction Introduction Definition Definition Security Challenges Security Challenges Security Issues Security Issues Security Practices Security Practices Common Threats Common Threats Protecting Yourself Protecting Yourself

Sources Al-Slamy, Nada. "E-Commerce security." IJCSNS International Journal of Computer Science and Network Security 8.5 (2008): 5. Print. Al-Slamy, Nada. "E-Commerce security." IJCSNS International Journal of Computer Science and Network Security 8.5 (2008): 5. Print. Browning, Bob. "Electronic Commerce Tutorial Part 1 - Web Developer's Journal." Web Developer's Journal - Tips on Web Page Design, HTML, Graphics and Development Tools. N.p., n.d. Web. 26 Feb Browning, Bob. "Electronic Commerce Tutorial Part 1 - Web Developer's Journal." Web Developer's Journal - Tips on Web Page Design, HTML, Graphics and Development Tools. N.p., n.d. Web. 26 Feb Ghosh, Anup K.. "Journal of Internet Banking and Commerce." ARRAY Development. N.p., n.d. Web. 26 Feb Ghosh, Anup K.. "Journal of Internet Banking and Commerce." ARRAY Development. N.p., n.d. Web. 26 Feb "Computer Laboratory Security Group: Banking security." The Computer Laboratory. N.p., n.d. Web. 25 Feb