
E-COMMERCE SECURITY THREATS And what you can do about it.



Presentation on theme: "E-COMMERCE SECURITY THREATS And what you can do about it."— Presentation transcript:

1 E-COMMERCE SECURITY THREATS And what you can do about it

2 Here are some numbers
In America, 8 out of 10 US consumers use the internet to shop.
In 2012, $42.3 billion were spent online during Nov-Dec alone.
$20.4 billion was lost to cyber crime in 2012.

3 The Internet is a Dangerous Place
604,826 Million identities exposed per breach
Targeted attacks (42% + from 2011):
50% Small-Medium business
18% small business
50% big business
Bot Nets:
2011: 3.1 million
2012: 3.4 million

4 Examples of Recent Security Breaches
Evernote: 10 million users' data stolen. Passwords hashed + salted. (Phishing)
StratFor: 75,000 credit card numbers. 2.5 million emails. (Unsecure CMS plugin)
Sony: 77 million users' data. Usernames, passwords, and credit card numbers. (Security through obscurity)
LivingSocial: 50 million users' name, email, DOB. Passwords hashed + salted.
100 major universities (Harvard, Stanford, ...): 120,000+ emails, usernames, passwords. (SQL Injection)

5 Means of Attack
Out of your control:
Physical server security
Trustworthy employees
Server updates
Usage of a firewall and intrusion detection system
Things you can control:
Enforcing robust password practices
Avoiding security through obscurity
Implementing encryption for data transfers
Properly coded SQL
Cross Site Scripting
Social engineering

6 DDoS Attacks
Becoming more and more popular amongst internet activists, a distributed denial-of-service attack is an attempt to make resources unavailable to legitimate users.

7 Too much of a good thing?
A website can be DDoSed both legitimately and illegitimately (the SlashDot effect, or /b/).
It is done by using a large network of "zombie" PCs to request your website at the same time, using up your bandwidth and processor power. They can also flood you with TCP requests.
But how do I prevent it?
Don't be hated on the internet.
Implement caching, limit the number of requests per IP, and purchase hardware.
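The "limit the number of requests per IP" item above, as an added example that is not part of the original presentation: a sliding-window limiter run over constructed sample traffic, where the front end is assumed to call allow(ip, now) once per incoming request.

```python
"""Per-IP request limiter: one cheap mitigation from the slide (added example)."""
from collections import defaultdict, deque


class RateLimiter:
    """Sliding window: at most ``limit`` requests per ``window`` seconds per IP."""

    def __init__(self, limit: int = 5, window: float = 1.0) -> None:
        self.limit = limit
        self.window = window
        # ip -> timestamps of that client's recent requests (oldest first)
        self._hits = defaultdict(deque)

    def allow(self, ip: str, now: float) -> bool:
        hits = self._hits[ip]
        # Forget requests that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False  # over budget: answer e.g. HTTP 429 before the app does any work
        hits.append(now)
        return True


# Constructed sample traffic as (timestamp, client ip): one client floods, one is polite.
SAMPLE_REQUESTS = [(0.1, "10.0.0.1"), (0.2, "10.0.0.1"), (0.25, "203.0.113.9"),
                   (0.3, "10.0.0.1"), (0.4, "10.0.0.1"), (0.5, "10.0.0.1"),
                   (0.6, "10.0.0.1"), (0.7, "10.0.0.1"), (1.5, "10.0.0.1"),
                   (1.9, "203.0.113.9")]


def simulate(requests=SAMPLE_REQUESTS, limit: int = 5, window: float = 1.0) -> dict:
    """Run the limiter over the sample and return served/rejected counts per IP."""
    limiter = RateLimiter(limit, window)
    stats = defaultdict(lambda: {"served": 0, "rejected": 0})
    for ts, ip in requests:
        key = "served" if limiter.allow(ip, ts) else "rejected"
        stats[ip][key] += 1
    return dict(stats)


if __name__ == "__main__":
    for ip, counts in simulate().items():
        print(ip, counts)
```

The flooding client gets its sixth request through only once the window has slid past its first five; the polite client is never touched.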

8 Password Policy
How long to guess your password?
Require a complex password for your users.
Change default passwords (WordPress admin, Linksys, ...).
Limiting login attempts is also advisable.
These tend to be reused by users (popularity, password):
1. password
2. 123456
3. 12345678
4. abc123
5. qwerty
6. monkey
7. letmein
8. dragon
9. 111111
10. baseball

9 Cool trick
This can help you make easy-to-remember passwords so you don't have to keep using the same one on every site. http://xkcd.com/936/

10 Password Storage
Those passwords your users use, you can just save them in your database, or can you?
Saving them in 'clear text' lets you and your employees see a person's password, which has numerous security and privacy implications.
So what can you do? Hash them!
But this still leaves them vulnerable to brute force and rainbow table attacks.
Salt them! Adding random characters to the end of the user's password before hashing it, and keeping that saved in a separate database, adds another step for an intruder to overcome.
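The hash-then-salt recommendation above as a runnable sketch. This is an added example, not code from the presentation; it uses PBKDF2-HMAC-SHA256 from the standard library, and the 'salt$hash' record format and the iteration count are assumptions made here.

```python
"""Salted password hashing for slide 10 (added example)."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # work factor: slows brute force and makes precomputed tables useless


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$hash' for storage. A fresh random salt is drawn if none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def demo() -> dict:
    """Why salting matters: two users with the same password get two different records."""
    alice = hash_password("monkey")  # a password from the slide's top-10 list
    bob = hash_password("monkey")
    unsalted_a = hashlib.sha256(b"monkey").hexdigest()
    unsalted_b = hashlib.sha256(b"monkey").hexdigest()
    return {
        "salted_records_equal": alice == bob,        # False: each record has its own salt
        "unsalted_records_equal": unsalted_a == unsalted_b,  # True: a plain hash reveals reuse
        "alice_login_ok": verify_password("monkey", alice),  # True
        "wrong_password": verify_password("letmein", alice),  # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```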

11 Security Through Obscurity
Security problems are usually a matter of when they happen, not if they do.
Hiding your password list in a secret remote text file on your server might be well hidden, but anyone can find it.
You might be the only one who knows how that super awesome custom hashing algorithm you coded works, but that doesn't mean someone can't reverse engineer it and discover problems later.
That IPX network protocol on your 110 baud modem? Just because it is old doesn't mean no one else knows how to get in.

12 SSL Encryption Why would you want to encrypt data? When users log on, they have to submit their username and password over the internet, and anyone along the way can read it. Would you want your credit card number out in the open?

13 Asymmetric Encryption
Authentication and encryption.
They rely on the PKI (Public Key Infrastructure).
Vulnerable to MITM attacks.
Costly: buying a certificate, processing requests.
A Diffie–Hellman key exchange.

14 You are not safe at Starbucks...
So called "Man-in-the-Middle" attacks are carried out by eavesdropping on your connection.
Using packet sniffers, they can intercept the data you send out and receive.
For more sophisticated attacks they can also spoof an IP with the Address Resolution Protocol.
SSL/TLS prevents this.

15 Cross Site Attacks
Cross Site Scripting: client side scripts executed on webpages.
Cross Site Request Forgery: unencrypted form links.
Prevention? Whitelist and escape user input.

16 SQL Injections
Number one threat since 2010, according to the Open Web Application Security Project (OWASP).
Easy to execute.
Severe organization impact.

17 SQL Injections, how do they work?
An innocent SQL statement:
"SELECT * FROM users WHERE name = '" + userName + "';"
Replace the userName variable with:
a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't
The new command becomes:
SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';
And that is how someone just deleted your user table!

18 SQL Injection Prevention
Use parameters to restrict user input:
SqlCommand("SELECT * FROM users WHERE name = @userName") with the value bound separately, e.g. cmd.Parameters.AddWithValue("@userName", userName)
This searches for the literal username "a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't" instead of executing it.
Grant necessary permissions only; authorize read on selected information.
Example: DENY SELECT ON sys.tables TO webdatabaselogon;
Deny or limit xp_cmdshell.
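Slides 17 and 18 side by side, as an added example that is not the presentation's code: the concatenated statement and the parameterized one are run against the same constructed in-memory SQLite schema. executescript() stands in for a driver that runs several statements at once, which is what the attack needs.

```python
"""Concatenation vs parameterized query, slides 17-18 (added example)."""
import sqlite3

# The slide's injected value (the template supplies the closing quote and semicolon).
INJECTED_NAME = "a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't"


def fresh_db() -> sqlite3.Connection:
    """Constructed schema: the 'users' table the slide loses, plus 'userinfo'."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(name TEXT); INSERT INTO users VALUES ('alice'), ('bob');"
        "CREATE TABLE userinfo(name TEXT);"
    )
    return conn


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (table,)
    ).fetchone()
    return row is not None


def lookup_vulnerable(conn: sqlite3.Connection, user_name: str) -> bool:
    """The 'innocent' statement: user text is pasted into the SQL. Returns whether users survived."""
    sql = "SELECT * FROM users WHERE name = '" + user_name + "';"
    conn.executescript(sql)  # runs every statement the input smuggled in
    return table_exists(conn, "users")


def lookup_parameterized(conn: sqlite3.Connection, user_name: str) -> tuple:
    """The fix: the value travels separately and can never become SQL syntax."""
    rows = conn.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()
    return len(rows), table_exists(conn, "users")


def demo() -> dict:
    return {
        "vulnerable_users_table_survived": lookup_vulnerable(fresh_db(), INJECTED_NAME),  # False
        "parameterized_rows_and_table": lookup_parameterized(fresh_db(), INJECTED_NAME),  # (0, True)
        "parameterized_real_user_rows": lookup_parameterized(fresh_db(), "alice")[0],    # 1
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```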

19 Dear Friend, I have an exciting business opportunity for you!
How do they do it?
Scammers may also attempt to trick you or your employees into handing out private information.
They may spoof their emails or phone calls to phish for specific data.
Fake letters to renew your domain name by an unknown host.
Is there a way to avoid it?
Not really, but being skeptical and educated about new threats will let you avoid falling for these types of scams. Spam filters are nice too.

20 Pro Tips
Things to avoid:
Reusing the same password
Falling for email scams
Using unsecure connection methods
Giving too much information in error messages
Letting users upload files
Things to do:
Change your default passwords
Encrypt personal data
Enforce user policies
Examine security/event logs
Validate your forms for malicious code

21 THE END Any questions?

